33 files changed, 1169 insertions, 1045 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
new file mode 100644
index 000000000..e19ae3f8a
--- /dev/null
+++ b/debian/.git-dpm
@@ -0,0 +1,8 @@
+# see git-dpm(1) from git-dpm package
+bb5616c94d6d6b97890e90dd01a7ad07c663dc0b
+bb5616c94d6d6b97890e90dd01a7ad07c663dc0b
+ee196dab7c5f97f0b80c8099343a375bead92010
+ee196dab7c5f97f0b80c8099343a375bead92010
+openssh_6.4p1.orig.tar.gz
+cf5fe0eb118d7e4f9296fbc5d6884965885fc55d
+1201402
diff --git a/debian/README.source b/debian/README.source
deleted file mode 100644
index cf28fbd48..000000000
--- a/debian/README.source
+++ /dev/null
@@ -1,223 +0,0 @@
-Debian OpenSSH source package handling
-======================================
-
-The Debian package of OpenSSH is maintained in Bazaar
-(http://bazaar-vcs.org/, or the 'bzr' package in Debian). You will need at
-least version 1.16.1; the version in Debian testing as of the time of
-writing (2009-12-21) is fine, or you can use the version in lenny-backports.
-URLs are as follows:
-
-  Anonymous branch: http://anonscm.debian.org/bzr/pkg-ssh/openssh/trunk
-  Web browsing:     http://anonscm.debian.org/loggerhead/pkg-ssh/openssh/trunk
-  Authenticated, for developers with commit access only:
-                    bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/trunk
-
-Although it's possible that I may use something like bzr-loom in the future
-to better manage things like the Kerberos/GSSAPI patch, right now there's no
-funny business and all that developers need to do is:
-
-  # To check out:
-  bzr co bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/trunk openssh
-
-  # To update:
-  bzr up
-
-  # To edit:
-  # hack hack hack, and 'bzr add' any new files
-  debcommit # or bzr commit
-  # note that this pushes automatically; you can use 'bzr unbind' to
-  # temporarily prevent this, or 'bzr branch' to create a local branch which
-  # you can merge later
-
-  # To release:
-  dch -r && debcommit -r
-
-If you have lots of branches, you'll probably want to use a shared
-repository to save space. Run 'bzr init-repo .' in an ancestor directory of
-all your OpenSSH working directories. For example, I have a shared
-repository in ~/src/debian/openssh/, upstream checkouts in
-~/src/debian/openssh/upstream/, and my own working trees in
-~/src/debian/openssh/trunk/.
-
-Patch handling
---------------
-
-This package uses quilt to manage all modifications to the upstream source.
-Changes are stored in the source package as diffs in debian/patches and
-applied automatically by dpkg-source when the source package is extracted.
-
-To configure quilt to use debian/patches instead of patches, you want either
-to export QUILT_PATCHES=debian/patches in your environment or use this
-snippet in your ~/.quiltrc:
-
-    for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
-        if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
-                export QUILT_PATCHES=debian/patches
-                break
-        fi
-    done
-
-After unpacking the source package, all patches will be applied, and you can
-use quilt normally.
-
-If you check out the source code from bzr, then all patches will be applied,
-but you will need to inform quilt of this manually.  Do this by running:
-
-    debian/rules quilt-setup
-
-To add a new set of changes, first run quilt push -a, and then run:
-
-    quilt new <patch>
-
-where <patch> is a descriptive name for the patch, used as the filename in
-debian/patches.  Then, for every file that will be modified by this patch,
-run:
-
-    quilt add <file>
-
-before editing those files.  You must tell quilt with quilt add what files
-will be part of the patch before making changes or quilt will not work
-properly.  After editing the files, run:
-
-    quilt refresh
-
-to save the results as a patch.
-
-Alternately, if you already have an external patch and you just want to add
-it to the build system, run quilt push -a and then:
-
-    quilt import -P <patch> /path/to/patch
-    quilt push -a
-
-(add -p 0 to quilt import if needed). <patch> as above is the filename to
-use in debian/patches.  The last quilt push -a will apply the patch to make
-sure it works properly.
-
-To remove an existing patch from the list of patches that will be applied,
-run:
-
-    quilt delete <patch>
-
-You may need to run quilt pop -a to unapply patches first before running
-this command.
-
-You should only commit changes to bzr with all patches applied, i.e. after
-'quilt push -a'.
-
-Merging new upstream releases
------------------------------
-
-(Most developers will not need to read this section.)
-
-Thanks to the import from Portable OpenSSH CVS provided by Launchpad
-(https://code.launchpad.net/~vcs-imports/openssh/main, accessible by the
-shortcut 'lp:openssh' from the bzr client), the Debian branch is a true DVCS
-branch from upstream. This is a worthwhile property, but preserving it does
-take a little bit of work.
-
-Launchpad only imports CVS HEAD, but upstream sometimes produces releases
-from a branch. We use the same software used by Launchpad to import the
-branch as well, but a few small hacks are necessary to do good branch
-imports. In Bazaar, it's important that the same file in different branches
-should have the same file-id, otherwise merge attempts will try to delete
-and re-add the file which usually doesn't work out very well. Occasionally a
-file is added to CVS HEAD and then also added to a branch, and cscvs isn't
-quite smart enough to spot this and copy over the file-id. We need to help
-it out.
-
-To fetch the necessary code:
-
-  bzr branch lp:~cjwatson/launchpad-cscvs/openssh-branch-imports
-  # or 'bzr pull' in the appropriate directory to update this, if you
-  # already have a copy
-
-To import a branch, V_5_3 in this example:
-
-  export PATH="/path/to/cscvs/openssh-branch-imports:$PATH"
-  export PYTHONPATH=/path/to/cscvs/openssh-branch-imports/modules:/path/to/cscvs/openssh-branch-imports
-  # in a CVS checkout of :ext:anoncvs@anoncvs.mindrot.org:/cvs module
-  # openssh:
-  cscvs cache -b
-  # or 'cscvs cache -u' if you've done this before and want to update
-  cvs up -rV_5_3
-
-  # Now we need to get a few bits of information from cscvs' cache.
-  sqlite CVS/Catalog.sqlite
-  sqlite> select csnum,log from changeset where branch = 'V_5_3' order by startdate;
-  # There will be a solid block of "Creation of branch V_5_3" changesets at
-  # the start; look for the first revision *after* this. Substitute this in
-  # the following wherever you see "CSX".
-  sqlite> select revision,filename from revision where branch = 'V_5_3' and csnum >= CSX and revision not like '%.%.%' order by filename;
-  # Anything listed here will need to be added to the openssh_ids dictionary
-  # in modules/CVS/StorageLayer.py in cscvs. Please send Colin Watson a
-  # patch if you do this.
-
-  # Next, look up the branchpoint revision in the main bzr import (bzr
-  # branch lp:openssh). It's usually easiest to just look it up by commit
-  # message and double-check the timestamp. Substitute this revision number
-  # for "BPR" in the following. /path/to/openssh/main is wherever you've
-  # checked out lp:openssh.
-  bzr branch -rBPR /path/to/openssh/main /path/to/openssh/5.3
-  # If you're using Bazaar signed commits with a GPG agent, make sure that
-  # your agent has seen your passphrase recently. Now you can start the
-  # actual import!
-  cscvs -D4 totla -SC V_5_3.CSX: /path/to/openssh/5.3
-  # If this fails at the end with a "directories differ" message, you may
-  # have forgotten to switch your CVS checkout to the appropriate branch
-  # with 'cvs up -r...' above. Otherwise you'll have to debug this for
-  # yourself. It's also worth double-checking that any files added to the
-  # branch have file-ids matching those on the trunk, using 'bzr ls -R
-  # --show-ids'.
-
-Now we have a Bazaar branch corresponding to what's in CVS. Previous such
-branches are available from Launchpad, for reference purposes:
-
-  https://code.launchpad.net/openssh
-
-However, upstream releases involve a 'make distprep' step as well to
-construct the tarball, and we need to import the results of this as well to
-get a clean package.
-
-Start by unpacking the upstream tarball (remember to check its GPG signature
-first!). Copy the .bzr directory from the upstream branch you prepared
-earlier. Now we have another branch, but with a working tree corresponding
-to the upstream tarball. Modifications and deletions are handled
-automatically, but we need to handle additions explicitly to make sure
-file-ids are correct (see above). Run:
-
-  bzr add --file-ids-from=/path/to/openssh/debian/trunk
-  bzr st --show-ids
-  # compare this with 'bzr ls --show-ids' in the Debian trunk to make sure
-  # the result will be mergeable
-  bzr ci -m 'Import 5.3p1 tarball'
-
-Add a parent revision for the previous tarball branch, to make it easier for
-bzr to compute accurate merges.
-
-  bzr log -n0 /path/to/openssh/debian/trunk | less
-  # find revision number for previous tarball import, hence 'PREVIOUS'
-  bzr merge -rPREVIOUS /path/to/openssh/debian/trunk
-  # merge history only, no file changes
-  bzr revert .
-  bzr ci -m 'add 5.2p1 tarball parent revision'
-  bzr tag upstream-5.3p1
-
-Next, merge this into the gssapi branch
-(bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/gssapi/). For this branch, we
-want to ignore the normal results of merging and take only the patch from
-http://www.sxw.org.uk/computing/patches/openssh.html; of course such a patch
-needs to exist first! To do this, run this in the gssapi branch:
-
-  bzr merge /path/to/openssh/tarball/branch
-  bzr revert -rrevno:-1:/path/to/openssh/tarball/branch .
-  patch -p1 </path/to/openssh/gssapi/patch
-  bzr add --file-ids-from=/path/to/openssh/debian/trunk
-  # you may need to deal with applying configure.ac changes to configure
-  # here
-  bzr ci -m 'import openssh-5.3p1-gsskex-all-20100124.patch'
-
-You should now be able to 'bzr merge' from the gssapi branch into the Debian
-trunk, resolve conflicts, and commit. If you see lots of "Contents conflict"
-messages, you may have got the file-ids wrong. Once you've committed the
-merge, you can throw away the tarball branch, as all its history will have
-been incorporated.
diff --git a/debian/changelog b/debian/changelog
index 61ff5147a..188f17070 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 openssh (1:6.4p1-3) UNRELEASED; urgency=medium
 
   * Switch to git; adjust Vcs-* fields.
+  * Convert to git-dpm, and drop source package documentation associated
+    with the old bzr/quilt patch handling workflow.
 
  -- Colin Watson <cjwatson@debian.org>  Sun, 09 Feb 2014 15:52:14 +0000
 
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index a6a842ecd..5d98b81a2 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,14 +1,25 @@
-Description: Quieten logs when multiple from= restrictions are used
-Author: Colin Watson <cjwatson@debian.org>
+From ec5991d73abdc0b3c43ea9f8a0e99da045e7beb1 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:02 +0000
+Subject: Quieten logs when multiple from= restrictions are used
+
 Bug-Debian: http://bugs.debian.org/630606
 Forwarded: no
 Last-Update: 2013-09-14
 
-Index: b/auth-options.c
-===================================================================
+Patch-Name: auth-log-verbosity.patch
+---
+ auth-options.c | 35 ++++++++++++++++++++++++++---------
+ auth-options.h |  1 +
+ auth-rsa.c     |  2 ++
+ auth2-pubkey.c |  3 +++
+ 4 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/auth-options.c b/auth-options.c
+index 12e2e1d..15c00d0 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -58,9 +58,20 @@
+@@ -58,9 +58,20 @@ int forced_tun_device = -1;
  /* "principals=" option. */
  char *authorized_principals = NULL;
  
@@ -29,7 +40,7 @@ Index: b/auth-options.c
  auth_clear_options(void)
  {
         no_agent_forwarding_flag = 0;
-@@ -288,10 +299,13 @@
+@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 /* FALLTHROUGH */
                         case 0:
                                 free(patterns);
@@ -47,7 +58,7 @@ Index: b/auth-options.c
                                 auth_debug_add("Your host '%.200s' is not "
                                     "permitted to use this key for login.",
                                     remote_host);
-@@ -513,11 +527,14 @@
+@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
                                         break;
                                 case 0:
                                         /* no match */
@@ -67,11 +78,11 @@ Index: b/auth-options.c
                                         auth_debug_add("Your address '%.200s' "
                                             "is not permitted to use this "
                                             "certificate for login.",
-Index: b/auth-options.h
-===================================================================
+diff --git a/auth-options.h b/auth-options.h
+index 7455c94..a3f0a02 100644
 --- a/auth-options.h
 +++ b/auth-options.h
-@@ -33,6 +33,7 @@
+@@ -33,6 +33,7 @@ extern int forced_tun_device;
  extern int key_is_cert_authority;
  extern char *authorized_principals;
  
@@ -79,11 +90,11 @@ Index: b/auth-options.h
  int    auth_parse_options(struct passwd *, char *, char *, u_long);
  void   auth_clear_options(void);
  int    auth_cert_options(Key *, struct passwd *);
-Index: b/auth-rsa.c
-===================================================================
+diff --git a/auth-rsa.c b/auth-rsa.c
+index 6ed152c..9b139c9 100644
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -174,6 +174,8 @@
+@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
         if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
                 return 0;
  
@@ -92,11 +103,11 @@ Index: b/auth-rsa.c
         /*
          * Go though the accepted keys, looking for the current key.  If
          * found, perform a challenge-response dialog to verify that the
-Index: b/auth2-pubkey.c
-===================================================================
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 12eb8a6..7c0ceee 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -257,6 +257,7 @@
+@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
                 restore_uid();
                 return 0;
         }
@@ -104,7 +115,7 @@ Index: b/auth2-pubkey.c
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 /* Skip leading whitespace. */
                 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -318,6 +319,7 @@
+@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
         found_key = 0;
  
         found = NULL;
@@ -112,7 +123,7 @@ Index: b/auth2-pubkey.c
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 char *cp, *key_options = NULL;
                 if (found != NULL)
-@@ -453,6 +455,7 @@
+@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
         if (key_cert_check_authority(key, 0, 1,
             principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
                 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index e48a3cb3e..751ba841c 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,14 +1,22 @@
-Description: Install authorized_keys(5) as a symlink to sshd(8)
-Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
+From 6342b4c70310da7f73e1d54ddae0edde990d95d8 Mon Sep 17 00:00:00 2001
+From: Tomas Pospisek <tpo_deb@sourcepole.ch>
+Date: Sun, 9 Feb 2014 16:10:07 +0000
+Subject: Install authorized_keys(5) as a symlink to sshd(8)
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
 Bug-Debian: http://bugs.debian.org/441817
 Last-Update: 2013-09-14
 
-Index: b/Makefile.in
-===================================================================
+Patch-Name: authorized-keys-man-symlink.patch
+---
+ Makefile.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.in b/Makefile.in
+index ca6eee5..7cd3a08 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -289,6 +289,7 @@
+@@ -289,6 +289,7 @@ install-files:
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index fd064a848..f43e78500 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,13 +1,33 @@
-Description: Add support for registering ConsoleKit sessions on login
-Author: Colin Watson <cjwatson@ubuntu.com>
+From cfae2bfa1e95cbb6c7a9799f13b82e8e804ca869 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:09:57 +0000
+Subject: Add support for registering ConsoleKit sessions on login
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
 Last-Updated: 2013-09-14
 
-Index: b/Makefile.in
-===================================================================
+Patch-Name: consolekit.patch
+---
+ Makefile.in    |   3 +-
+ configure      | 132 +++++++++++++++++++++++++++++++
+ configure.ac   |  25 ++++++
+ consolekit.c   | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ consolekit.h   |  24 ++++++
+ monitor.c      |  43 +++++++++++
+ monitor.h      |   2 +
+ monitor_wrap.c |  31 ++++++++
+ monitor_wrap.h |   4 +
+ session.c      |  13 ++++
+ session.h      |   6 ++
+ 11 files changed, 522 insertions(+), 1 deletion(-)
+ create mode 100644 consolekit.c
+ create mode 100644 consolekit.h
+
+diff --git a/Makefile.in b/Makefile.in
+index b8f5099..ca6eee5 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -96,7 +96,8 @@
+@@ -96,7 +96,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -17,54 +37,11 @@ Index: b/Makefile.in
  
  MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
-Index: b/configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -3841,6 +3841,30 @@
- AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- 
-+# Check whether user wants ConsoleKit support
-+CONSOLEKIT_MSG="no"
-+LIBCK_CONNECTOR=""
-+AC_ARG_WITH(consolekit,
-+       [  --with-consolekit       Enable ConsoleKit support],
-+       [ if test "x$withval" != "xno" ; then
-+               AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+               if test "$PKGCONFIG" != "no"; then
-+                       AC_MSG_CHECKING([for ck-connector])
-+                       if $PKGCONFIG --exists ck-connector; then
-+                               CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
-+                               CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
-+                               CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
-+                               SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
-+                               AC_MSG_RESULT([yes])
-+                               AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
-+                               CONSOLEKIT_MSG="yes"
-+                       else
-+                               AC_MSG_RESULT([no])
-+                       fi
-+               fi
-+       fi ]
-+)
-+
- # Looking for programs, paths and files
- 
- PRIVSEP_PATH=/var/empty
-@@ -4641,6 +4665,7 @@
- echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
- echo "           Solaris project support: $SP_MSG"
-+echo "                ConsoleKit support: $CONSOLEKIT_MSG"
- echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
-Index: b/configure
-===================================================================
+diff --git a/configure b/configure
+index ceb1b5d..78bbcd0 100755
 --- a/configure
 +++ b/configure
-@@ -738,6 +738,7 @@
+@@ -738,6 +738,7 @@ with_privsep_user
  with_sandbox
  with_selinux
  with_kerberos5
@@ -72,7 +49,7 @@ Index: b/configure
  with_privsep_path
  with_xauth
  enable_strip
-@@ -1428,6 +1429,7 @@
+@@ -1428,6 +1429,7 @@ Optional Packages:
    --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
    --with-selinux          Enable SELinux support
    --with-kerberos5=PATH   Enable Kerberos 5 support
@@ -80,7 +57,7 @@ Index: b/configure
    --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
    --with-xauth=PATH       Specify path to xauth program
    --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -16375,6 +16377,135 @@
+@@ -16375,6 +16377,135 @@ fi
  
  
  
@@ -216,7 +193,50 @@ Index: b/configure
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -18902,6 +19033,7 @@
+@@ -18902,6 +19033,7 @@ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+ echo "           Solaris project support: $SP_MSG"
++echo "                ConsoleKit support: $CONSOLEKIT_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/configure.ac b/configure.ac
+index 4c1a658..d7d500a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3841,6 +3841,30 @@ AC_ARG_WITH([kerberos5],
+ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+ 
++# Check whether user wants ConsoleKit support
++CONSOLEKIT_MSG="no"
++LIBCK_CONNECTOR=""
++AC_ARG_WITH(consolekit,
++       [  --with-consolekit       Enable ConsoleKit support],
++       [ if test "x$withval" != "xno" ; then
++               AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++               if test "$PKGCONFIG" != "no"; then
++                       AC_MSG_CHECKING([for ck-connector])
++                       if $PKGCONFIG --exists ck-connector; then
++                               CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
++                               CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
++                               CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
++                               SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
++                               AC_MSG_RESULT([yes])
++                               AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
++                               CONSOLEKIT_MSG="yes"
++                       else
++                               AC_MSG_RESULT([no])
++                       fi
++               fi
++       fi ]
++)
++
+ # Looking for programs, paths and files
+ 
+ PRIVSEP_PATH=/var/empty
+@@ -4641,6 +4665,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -224,8 +244,9 @@ Index: b/configure
  echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
-Index: b/consolekit.c
-===================================================================
+diff --git a/consolekit.c b/consolekit.c
+new file mode 100644
+index 0000000..f1039e6
 --- /dev/null
 +++ b/consolekit.c
 @@ -0,0 +1,240 @@
@@ -469,8 +490,9 @@ Index: b/consolekit.c
 +}
 +
 +#endif /* USE_CONSOLEKIT */
-Index: b/consolekit.h
-===================================================================
+diff --git a/consolekit.h b/consolekit.h
+new file mode 100644
+index 0000000..8ce3716
 --- /dev/null
 +++ b/consolekit.h
 @@ -0,0 +1,24 @@
@@ -498,8 +520,8 @@ Index: b/consolekit.h
 +void    consolekit_unregister(struct Session *);
 +
 +#endif /* USE_CONSOLEKIT */
-Index: b/monitor.c
-===================================================================
+diff --git a/monitor.c b/monitor.c
+index e8d63eb..9bc4f0b 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -98,6 +98,9 @@
@@ -512,7 +534,7 @@ Index: b/monitor.c
  
  #ifdef GSSAPI
  static Gssctxt *gsscontext = NULL;
-@@ -193,6 +196,10 @@
+@@ -193,6 +196,10 @@ int mm_answer_audit_command(int, Buffer *);
  
  static int monitor_read_log(struct monitor *);
  
@@ -523,7 +545,7 @@ Index: b/monitor.c
  static Authctxt *authctxt;
  static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
  
-@@ -285,6 +292,9 @@
+@@ -285,6 +292,9 @@ struct mon_table mon_dispatch_postauth20[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
  #endif
@@ -533,7 +555,7 @@ Index: b/monitor.c
      {0, 0, NULL}
  };
  
-@@ -327,6 +337,9 @@
+@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
  #endif
@@ -543,7 +565,7 @@ Index: b/monitor.c
      {0, 0, NULL}
  };
  
-@@ -514,6 +527,9 @@
+@@ -514,6 +527,9 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
         }
@@ -553,7 +575,7 @@ Index: b/monitor.c
  
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2492,3 +2508,30 @@
+@@ -2492,3 +2508,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
  }
  
  #endif /* JPAKE */
@@ -584,11 +606,11 @@ Index: b/monitor.c
 +       return (0);
 +}
 +#endif /* USE_CONSOLEKIT */
-Index: b/monitor.h
-===================================================================
+diff --git a/monitor.h b/monitor.h
+index 3c13706..cd83428 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -75,6 +75,8 @@
+@@ -75,6 +75,8 @@ enum monitor_reqtype {
  
         MONITOR_REQ_AUTHROLE = 154,
  
@@ -597,11 +619,11 @@ Index: b/monitor.h
  };
  
  struct mm_master;
-Index: b/monitor_wrap.c
-===================================================================
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 69bc324..670b62d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1516,3 +1516,34 @@
+@@ -1516,3 +1516,34 @@ mm_jpake_check_confirm(const BIGNUM *k,
         return success;
  }
  #endif /* JPAKE */
@@ -636,11 +658,11 @@ Index: b/monitor_wrap.c
 +       return (cookie);
 +}
 +#endif /* USE_CONSOLEKIT */
-Index: b/monitor_wrap.h
-===================================================================
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 4d12e29..360fb9f 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -131,4 +131,8 @@
+@@ -131,4 +131,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
  void mm_zfree(struct mm_master *, void *);
  void mm_init_compression(struct mm_master *);
  
@@ -649,8 +671,8 @@ Index: b/monitor_wrap.h
 +#endif /* USE_CONSOLEKIT */
 +
  #endif /* _MM_WRAP_H_ */
-Index: b/session.c
-===================================================================
+diff --git a/session.c b/session.c
+index b4d74d9..15bdb1b 100644
 --- a/session.c
 +++ b/session.c
 @@ -92,6 +92,7 @@
@@ -661,7 +683,7 @@ Index: b/session.c
  
  #if defined(KRB5) && defined(USE_AFS)
  #include <kafs.h>
-@@ -1132,6 +1133,9 @@
+@@ -1132,6 +1133,9 @@ do_setup_env(Session *s, const char *shell)
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
         char *path = NULL;
  #endif
@@ -671,7 +693,7 @@ Index: b/session.c
  
         /* Initialize the environment. */
         envsize = 100;
-@@ -1276,6 +1280,11 @@
+@@ -1276,6 +1280,11 @@ do_setup_env(Session *s, const char *shell)
                 child_set_env(&env, &envsize, "KRB5CCNAME",
                     s->authctxt->krb5_ccname);
  #endif
@@ -683,7 +705,7 @@ Index: b/session.c
  #ifdef USE_PAM
         /*
          * Pull in any environment variables that may have
-@@ -2320,6 +2329,10 @@
+@@ -2320,6 +2329,10 @@ session_pty_cleanup2(Session *s)
  
         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
  
@@ -694,8 +716,8 @@ Index: b/session.c
         /* Record that the user has logged out. */
         if (s->pid != 0)
                 record_logout(s->pid, s->tty, s->pw->pw_name);
-Index: b/session.h
-===================================================================
+diff --git a/session.h b/session.h
+index cb4f196..7e51b6a 100644
 --- a/session.h
 +++ b/session.h
 @@ -26,6 +26,8 @@
@@ -707,7 +729,7 @@ Index: b/session.h
  #define TTYSZ 64
  typedef struct Session Session;
  struct Session {
-@@ -60,6 +62,10 @@
+@@ -60,6 +62,10 @@ struct Session {
                 char    *name;
                 char    *val;
         } *env;
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 981cdd697..d02e8ffcb 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,16 +1,28 @@
-Description: Add DebianBanner server configuration option
- Setting this to "no" causes sshd to omit the Debian revision from its
- initial protocol handshake, for those scared by package-versioning.patch.
-Author: Kees Cook <kees@debian.org>
+From 8a75df792931443e868e574408ed1666208a28c2 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@debian.org>
+Date: Sun, 9 Feb 2014 16:10:06 +0000
+Subject: Add DebianBanner server configuration option
+
+Setting this to "no" causes sshd to omit the Debian revision from its
+initial protocol handshake, for those scared by package-versioning.patch.
+
 Bug-Debian: http://bugs.debian.org/562048
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/servconf.c
-===================================================================
+Patch-Name: debian-banner.patch
+---
+ servconf.c    | 9 +++++++++
+ servconf.h    | 2 ++
+ sshd.c        | 3 ++-
+ sshd_config.5 | 5 +++++
+ 4 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/servconf.c b/servconf.c
+index 9155a8b..a2928ff 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -157,6 +157,7 @@
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_interactive = -1;
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
@@ -18,7 +30,7 @@ Index: b/servconf.c
  }
  
  void
-@@ -310,6 +311,8 @@
+@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->version_addendum == NULL)
                 options->version_addendum = xstrdup("");
@@ -27,7 +39,7 @@ Index: b/servconf.c
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
-@@ -360,6 +363,7 @@
+@@ -360,6 +363,7 @@ typedef enum {
         sKexAlgorithms, sIPQoS, sVersionAddendum,
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
         sAuthenticationMethods, sHostKeyAgent,
@@ -35,7 +47,7 @@ Index: b/servconf.c
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -501,6 +505,7 @@
+@@ -501,6 +505,7 @@ static struct {
         { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
         { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
         { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -43,7 +55,7 @@ Index: b/servconf.c
         { NULL, sBadOption, 0 }
  };
  
-@@ -1648,6 +1653,10 @@
+@@ -1648,6 +1653,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 }
                 return 0;
  
@@ -54,11 +66,11 @@ Index: b/servconf.c
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
-Index: b/servconf.h
-===================================================================
+diff --git a/servconf.h b/servconf.h
+index f655c5b..fd72ce2 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -188,6 +188,8 @@
+@@ -188,6 +188,8 @@ typedef struct {
  
         u_int   num_auth_methods;
         char   *auth_methods[MAX_AUTH_METHODS];
@@ -67,11 +79,11 @@ Index: b/servconf.h
  }       ServerOptions;
  
  /* Information about the incoming connection as used by Match */
-Index: b/sshd.c
-===================================================================
+diff --git a/sshd.c b/sshd.c
+index 7efa7ef..6b988fe 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -440,7 +440,8 @@
+@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -81,11 +93,11 @@ Index: b/sshd.c
             *options.version_addendum == '\0' ? "" : " ",
             options.version_addendum, newline);
  
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index 510cc7c..eaf8d01 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -404,6 +404,11 @@
+@@ -404,6 +404,11 @@ or
  .Dq no .
  The default is
  .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index d005bdc2e..e706b4a02 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,30 +1,43 @@
-Description: Various Debian-specific configuration changes
- ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
- fewer problems with existing setups (http://bugs.debian.org/237021).
- .
- ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
- .
- ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
- worms.
- .
- ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
- default.
- .
- sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
- PermitRootLogin default.
- .
- Document all of this, along with several sshd defaults set in
- debian/openssh-server.postinst.
-Author: Colin Watson <cjwatson@debian.org>
+From bb5616c94d6d6b97890e90dd01a7ad07c663dc0b Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+
+sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
+PermitRootLogin default.
+
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/readconf.c
-===================================================================
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh_config    |  7 ++++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config   |  1 +
+ sshd_config.5 | 27 +++++++++++++++++++++++++++
+ 5 files changed, 53 insertions(+), 3 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 389de7d..2778176 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1298,7 +1298,7 @@
+@@ -1298,7 +1298,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -33,8 +46,8 @@ Index: b/readconf.c
         if (options->forward_x11_timeout == -1)
                 options->forward_x11_timeout = 1200;
         if (options->exit_on_forward_failure == -1)
-Index: b/ssh_config
-===================================================================
+diff --git a/ssh_config b/ssh_config
+index 3234321..064b593 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -57,11 +70,11 @@ Index: b/ssh_config
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
-Index: b/ssh_config.5
-===================================================================
+diff --git a/ssh_config.5 b/ssh_config.5
+index 5bca932..127540a 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -71,6 +71,22 @@
+@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
  host-specific declarations should be given near the beginning of the
  file, and general defaults at the end.
  .Pp
@@ -84,7 +97,7 @@ Index: b/ssh_config.5
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -501,7 +517,8 @@
+@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
  The default is
@@ -94,8 +107,8 @@ Index: b/ssh_config.5
  .Pp
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
-Index: b/sshd_config
-===================================================================
+diff --git a/sshd_config b/sshd_config
+index 9450141..9cfe28d 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -40,6 +40,7 @@
@@ -106,11 +119,11 @@ Index: b/sshd_config
  #PermitRootLogin yes
  #StrictModes yes
  #MaxAuthTries 6
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index ec4851a..faf93fc 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -57,6 +57,33 @@
+@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
  .Pq \&"
  in order to represent arguments containing spaces.
  .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 0615de097..3cb291e97 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,15 +1,27 @@
-Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
- This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
+From 145099bdca1b959e2ef3555cd6ce0bc44fb69ce8 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:01 +0000
+Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
+
+This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
+
 Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
 Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
 Last-Update: 2010-04-06
 
-Index: b/dns.c
-===================================================================
+Patch-Name: dnssec-sshfp.patch
+---
+ dns.c                           | 14 +++++++++++++-
+ openbsd-compat/getrrsetbyname.c | 10 +++++-----
+ openbsd-compat/getrrsetbyname.h |  3 +++
+ 3 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/dns.c b/dns.c
+index 630b97a..478c3d9 100644
 --- a/dns.c
 +++ b/dns.c
-@@ -196,6 +196,7 @@
+@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  {
         u_int counter;
         int result;
@@ -17,7 +29,7 @@ Index: b/dns.c
         struct rrsetinfo *fingerprints = NULL;
  
         u_int8_t hostkey_algorithm;
-@@ -219,8 +220,19 @@
+@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                 return -1;
         }
  
@@ -38,11 +50,11 @@ Index: b/dns.c
         if (result) {
                 verbose("DNS lookup error: %s", dns_result_totext(result));
                 return -1;
-Index: b/openbsd-compat/getrrsetbyname.c
-===================================================================
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe05..e061a29 100644
 --- a/openbsd-compat/getrrsetbyname.c
 +++ b/openbsd-compat/getrrsetbyname.c
-@@ -209,8 +209,8 @@
+@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
                 goto fail;
         }
  
@@ -53,7 +65,7 @@ Index: b/openbsd-compat/getrrsetbyname.c
                 result = ERRSET_INVAL;
                 goto fail;
         }
-@@ -226,9 +226,9 @@
+@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
  #endif /* DEBUG */
  
  #ifdef RES_USE_DNSSEC
@@ -66,8 +78,8 @@ Index: b/openbsd-compat/getrrsetbyname.c
  #endif /* RES_USE_DNSEC */
  
         /* make query */
-Index: b/openbsd-compat/getrrsetbyname.h
-===================================================================
+diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
+index 1283f55..dbbc85a 100644
 --- a/openbsd-compat/getrrsetbyname.h
 +++ b/openbsd-compat/getrrsetbyname.h
 @@ -72,6 +72,9 @@
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 4c197323c..4f9de88ec 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,14 +1,22 @@
-Description: Document that HashKnownHosts may break tab-completion
-Author: Colin Watson <cjwatson@debian.org>
+From cee45b00a94730c9a49a52a967ec08b9c29b9ca2 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:11 +0000
+Subject: Document that HashKnownHosts may break tab-completion
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
 Bug-Debian: http://bugs.debian.org/430154
 Last-Update: 2013-09-14
 
-Index: b/ssh_config.5
-===================================================================
+Patch-Name: doc-hash-tab-completion.patch
+---
+ ssh_config.5 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1497cfc..5bca932 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -587,6 +587,9 @@
+@@ -587,6 +587,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index a471f9c4c..cb24998a2 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,13 +1,21 @@
-Description: Refer to ssh's Upstart job as well as its init script
-Author: Colin Watson <cjwatson@ubuntu.com>
+From c1e7260fe4ed36dddc317655a69a7d4a69b3170a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:10:12 +0000
+Subject: Refer to ssh's Upstart job as well as its init script
+
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/sshd.8
-===================================================================
+Patch-Name: doc-upstart.patch
+---
+ sshd.8 | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sshd.8 b/sshd.8
+index 6bdd219..b91f08c 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -70,7 +70,10 @@
+@@ -70,7 +70,10 @@ over an insecure network.
  .Nm
  listens for connections from clients.
  It is normally started at boot from
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 96bbf3a09..58966dd74 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,13 +1,21 @@
-Description: Give the ssh-askpass-gnome window a default icon
-Author: Vincent Untz <vuntz@ubuntu.com>
+From 52e810085e196c457dfda9cad08ce76191d11fe7 Mon Sep 17 00:00:00 2001
+From: Vincent Untz <vuntz@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:10:16 +0000
+Subject: Give the ssh-askpass-gnome window a default icon
+
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
 Last-Update: 2010-02-28
 
-Index: b/contrib/gnome-ssh-askpass2.c
-===================================================================
+Patch-Name: gnome-ssh-askpass2-icon.patch
+---
+ contrib/gnome-ssh-askpass2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
+index 9d97c30..04b3a11 100644
 --- a/contrib/gnome-ssh-askpass2.c
 +++ b/contrib/gnome-ssh-askpass2.c
-@@ -209,6 +209,8 @@
+@@ -209,6 +209,8 @@ main(int argc, char **argv)
  
         gtk_init(&argc, &argv);
  
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index b9221f94f..8a919382e 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,22 +1,67 @@
-Description: GSSAPI key exchange support
- This patch has been rejected upstream: "None of the OpenSSH developers are
- in favour of adding this, and this situation has not changed for several
- years.  This is not a slight on Simon's patch, which is of fine quality,
- but just that a) we don't trust GSSAPI implementations that much and b) we
- don't like adding new KEX since they are pre-auth attack surface.  This one
- is particularly scary, since it requires hooks out to typically root-owned
- system resources."
- .
- However, quite a lot of people rely on this in Debian, and it's better to
- have it merged into the main openssh package rather than having separate
- -krb5 packages (as we used to have).  It seems to have a generally good
- security history.
-Author: Simon Wilkinson <simon@sxw.org.uk>
+From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001
+From: Simon Wilkinson <simon@sxw.org.uk>
+Date: Sun, 9 Feb 2014 16:09:48 +0000
+Subject: GSSAPI key exchange support
+
+This patch has been rejected upstream: "None of the OpenSSH developers are
+in favour of adding this, and this situation has not changed for several
+years.  This is not a slight on Simon's patch, which is of fine quality, but
+just that a) we don't trust GSSAPI implementations that much and b) we don't
+like adding new KEX since they are pre-auth attack surface.  This one is
+particularly scary, since it requires hooks out to typically root-owned
+system resources."
+
+However, quite a lot of people rely on this in Debian, and it's better to
+have it merged into the main openssh package rather than having separate
+-krb5 packages (as we used to have).  It seems to have a generally good
+security history.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
 Last-Updated: 2013-11-09
 
-Index: b/ChangeLog.gssapi
-===================================================================
+Patch-Name: gssapi.patch
+---
+ ChangeLog.gssapi | 113 +++++++++++++++++++
+ Makefile.in      |   3 +-
+ auth-krb5.c      |  17 ++-
+ auth2-gss.c      |  48 +++++++-
+ auth2.c          |   2 +
+ clientloop.c     |  13 +++
+ config.h.in      |   6 +
+ configure        |  57 ++++++++++
+ configure.ac     |  24 ++++
+ gss-genr.c       | 276 ++++++++++++++++++++++++++++++++++++++++++++-
+ gss-serv-krb5.c  |  84 +++++++++++++-
+ gss-serv.c       | 221 +++++++++++++++++++++++++++++++-----
+ kex.c            |  16 +++
+ kex.h            |  14 +++
+ kexgssc.c        | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ kexgsss.c        | 289 +++++++++++++++++++++++++++++++++++++++++++++++
+ key.c            |   1 +
+ key.h            |   1 +
+ monitor.c        | 108 +++++++++++++++++-
+ monitor.h        |   3 +
+ monitor_wrap.c   |  47 +++++++-
+ monitor_wrap.h   |   4 +-
+ readconf.c       |  42 +++++++
+ readconf.h       |   5 +
+ servconf.c       |  38 ++++++-
+ servconf.h       |   3 +
+ ssh-gss.h        |  39 ++++++-
+ ssh_config       |   2 +
+ ssh_config.5     |  34 +++++-
+ sshconnect2.c    | 124 ++++++++++++++++++++-
+ sshd.c           | 110 ++++++++++++++++++
+ sshd_config      |   2 +
+ sshd_config.5    |  28 +++++
+ 33 files changed, 2050 insertions(+), 57 deletions(-)
+ create mode 100644 ChangeLog.gssapi
+ create mode 100644 kexgssc.c
+ create mode 100644 kexgsss.c
+
+diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
+new file mode 100644
+index 0000000..f117a33
 --- /dev/null
 +++ b/ChangeLog.gssapi
 @@ -0,0 +1,113 @@
@@ -133,11 +178,11 @@ Index: b/ChangeLog.gssapi
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
-Index: b/Makefile.in
-===================================================================
+diff --git a/Makefile.in b/Makefile.in
+index 92c95a9..f979926 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -72,6 +72,7 @@
+@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
         monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +190,7 @@ Index: b/Makefile.in
         msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
         jpake.o schnorr.o ssh-pkcs11.o krl.o
  
-@@ -88,7 +89,7 @@
+@@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
         auth-krb5.o \
@@ -154,11 +199,11 @@ Index: b/Makefile.in
         loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o \
-Index: b/auth-krb5.c
-===================================================================
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 7c83f59..5613b57 100644
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
-@@ -181,8 +181,13 @@
+@@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  
         len = strlen(authctxt->krb5_ticket_file) + 6;
         authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +217,7 @@ Index: b/auth-krb5.c
  
  #ifdef USE_PAM
         if (options.use_pam)
-@@ -239,15 +244,22 @@
+@@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
  #ifndef HEIMDAL
  krb5_error_code
  ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +242,7 @@ Index: b/auth-krb5.c
         old_umask = umask(0177);
         tmpfd = mkstemp(ccname + strlen("FILE:"));
         oerrno = errno;
-@@ -264,6 +276,7 @@
+@@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
                 return oerrno;
         }
         close(tmpfd);
@@ -205,8 +250,8 @@ Index: b/auth-krb5.c
  
         return (krb5_cc_resolve(ctx, ccname, ccache));
  }
-Index: b/auth2-gss.c
-===================================================================
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 638d8f8..b8db820 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
@@ -218,7 +263,7 @@ Index: b/auth2-gss.c
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
-@@ -52,6 +52,40 @@
+@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
  static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
  static void input_gssapi_errtok(int, u_int32_t, void *);
  
@@ -259,7 +304,7 @@ Index: b/auth2-gss.c
  /*
   * We only support those mechanisms that we know about (ie ones that we know
   * how to check local user kuserok and the like)
-@@ -240,7 +274,8 @@
+@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
  
         packet_check_eom();
  
@@ -269,7 +314,7 @@ Index: b/auth2-gss.c
  
         authctxt->postponed = 0;
         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -275,7 +310,8 @@
+@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         gssbuf.length = buffer_len(&b);
  
         if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +324,7 @@ Index: b/auth2-gss.c
         else
                 logit("GSSAPI MIC check failed");
  
-@@ -290,6 +326,12 @@
+@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
  }
  
@@ -292,11 +337,11 @@ Index: b/auth2-gss.c
  Authmethod method_gssapi = {
         "gssapi-with-mic",
         userauth_gssapi,
-Index: b/auth2.c
-===================================================================
+diff --git a/auth2.c b/auth2.c
+index f0cab8c..6ed8f04 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -69,6 +69,7 @@
+@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
  #ifdef GSSAPI
@@ -304,7 +349,7 @@ Index: b/auth2.c
  extern Authmethod method_gssapi;
  #endif
  #ifdef JPAKE
-@@ -79,6 +80,7 @@
+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
         &method_none,
         &method_pubkey,
  #ifdef GSSAPI
@@ -312,8 +357,8 @@ Index: b/auth2.c
         &method_gssapi,
  #endif
  #ifdef JPAKE
-Index: b/clientloop.c
-===================================================================
+diff --git a/clientloop.c b/clientloop.c
+index 23c2f23..311dc13 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -111,6 +111,10 @@
@@ -327,7 +372,7 @@ Index: b/clientloop.c
  /* import options */
  extern Options options;
  
-@@ -1608,6 +1612,15 @@
+@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 /* Do channel operations unless rekeying in progress. */
                 if (!rekeying) {
                         channel_after_select(readset, writeset);
@@ -343,8 +388,8 @@ Index: b/clientloop.c
                         if (need_rekeying || packet_need_rekeying()) {
                                 debug("need rekeying");
                                 xxx_kex->done = 0;
-Index: b/config.h.in
-===================================================================
+diff --git a/config.h.in b/config.h.in
+index b75e501..34f1c9c 100644
 --- a/config.h.in
 +++ b/config.h.in
 @@ -1546,6 +1546,9 @@
@@ -367,11 +412,11 @@ Index: b/config.h.in
  /* Define if you have Solaris process contracts */
  #undef USE_SOLARIS_PROCESS_CONTRACTS
  
-Index: b/configure
-===================================================================
+diff --git a/configure b/configure
+index 0d6fad5..ceb1b5d 100755
 --- a/configure
 +++ b/configure
-@@ -6780,6 +6780,63 @@
+@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
  
  $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
  
@@ -435,11 +480,11 @@ Index: b/configure
  
         ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
  if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
-Index: b/configure.ac
-===================================================================
+diff --git a/configure.ac b/configure.ac
+index 4a1b503..4c1a658 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -548,6 +548,30 @@
+@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
             [Use tunnel device compatibility to OpenBSD])
         AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
             [Prepend the address family to IP tunnel traffic])
@@ -470,8 +515,8 @@ Index: b/configure.ac
         m4_pattern_allow([AU_IPv])
         AC_CHECK_DECL([AU_IPv4], [], 
             AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-Index: b/gss-genr.c
-===================================================================
+diff --git a/gss-genr.c b/gss-genr.c
+index b39281b..b7d1b7d 100644
 --- a/gss-genr.c
 +++ b/gss-genr.c
 @@ -1,7 +1,7 @@
@@ -651,7 +696,7 @@ Index: b/gss-genr.c
  /* Check that the OID in a data stream matches that in the context */
  int
  ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -197,7 +352,7 @@
+@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
         }
  
         ctx->major = gss_init_sec_context(&ctx->minor,
@@ -660,7 +705,7 @@ Index: b/gss-genr.c
             GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
             0, NULL, recv_tok, NULL, send_tok, flags, NULL);
  
-@@ -227,8 +382,42 @@
+@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
  }
  
  OM_uint32
@@ -703,7 +748,7 @@ Index: b/gss-genr.c
         if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
             GSS_C_QOP_DEFAULT, buffer, hash)))
                 ssh_gssapi_error(ctx);
-@@ -236,6 +425,19 @@
+@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
         return (ctx->major);
  }
  
@@ -723,7 +768,7 @@ Index: b/gss-genr.c
  void
  ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
      const char *context)
-@@ -249,11 +451,16 @@
+@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
  }
  
  int
@@ -741,7 +786,7 @@ Index: b/gss-genr.c
  
         /* RFC 4462 says we MUST NOT do SPNEGO */
         if (oid->length == spnego_oid.length && 
-@@ -263,6 +470,10 @@
+@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
         ssh_gssapi_build_ctx(ctx);
         ssh_gssapi_set_oid(*ctx, oid);
         major = ssh_gssapi_import_name(*ctx, host);
@@ -752,7 +797,7 @@ Index: b/gss-genr.c
         if (!GSS_ERROR(major)) {
                 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
                     NULL);
-@@ -272,10 +483,67 @@
+@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
                             GSS_C_NO_BUFFER);
         }
  
@@ -821,8 +866,8 @@ Index: b/gss-genr.c
 +}
 +
  #endif /* GSSAPI */
-Index: b/gss-serv-krb5.c
-===================================================================
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 87f2683..c55446a 100644
 --- a/gss-serv-krb5.c
 +++ b/gss-serv-krb5.c
 @@ -1,7 +1,7 @@
@@ -834,7 +879,7 @@ Index: b/gss-serv-krb5.c
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
-@@ -122,6 +122,7 @@
+@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
         OM_uint32 maj_status, min_status;
         int len;
         const char *errmsg;
@@ -842,7 +887,7 @@ Index: b/gss-serv-krb5.c
  
         if (client->creds == NULL) {
                 debug("No credentials stored");
-@@ -174,11 +175,16 @@
+@@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                 return;
         }
  
@@ -863,7 +908,7 @@ Index: b/gss-serv-krb5.c
  
  #ifdef USE_PAM
         if (options.use_pam)
-@@ -190,6 +196,71 @@
+@@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
         return;
  }
  
@@ -935,7 +980,7 @@ Index: b/gss-serv-krb5.c
  ssh_gssapi_mech gssapi_kerberos_mech = {
         "toWM5Slw5Ew8Mqkay+al2g==",
         "Kerberos",
-@@ -197,7 +268,8 @@
+@@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
         NULL,
         &ssh_gssapi_krb5_userok,
         NULL,
@@ -945,8 +990,8 @@ Index: b/gss-serv-krb5.c
  };
  
  #endif /* KRB5 */
-Index: b/gss-serv.c
-===================================================================
+diff --git a/gss-serv.c b/gss-serv.c
+index 95348e2..97f366f 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
@@ -982,7 +1027,7 @@ Index: b/gss-serv.c
  
  #ifdef KRB5
  extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -81,25 +87,32 @@
+@@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
         char lname[MAXHOSTNAMELEN];
         gss_OID_set oidset;
  
@@ -991,16 +1036,16 @@ Index: b/gss-serv.c
 +       if (options.gss_strict_acceptor) {
 +               gss_create_empty_oid_set(&status, &oidset);
 +               gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+               if (gethostname(lname, MAXHOSTNAMELEN)) {
-+                       gss_release_oid_set(&status, &oidset);
-+                       return (-1);
-+               }
  
 -       if (gethostname(lname, MAXHOSTNAMELEN)) {
 -               gss_release_oid_set(&status, &oidset);
 -               return (-1);
 -       }
++               if (gethostname(lname, MAXHOSTNAMELEN)) {
++                       gss_release_oid_set(&status, &oidset);
++                       return (-1);
++               }
++
 +               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
 +                       gss_release_oid_set(&status, &oidset);
 +                       return (ctx->major);
@@ -1029,7 +1074,7 @@ Index: b/gss-serv.c
  }
  
  /* Privileged */
-@@ -114,6 +127,29 @@
+@@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
  }
  
  /* Unprivileged */
@@ -1059,7 +1104,7 @@ Index: b/gss-serv.c
  void
  ssh_gssapi_supported_oids(gss_OID_set *oidset)
  {
-@@ -123,7 +159,9 @@
+@@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
         gss_OID_set supported;
  
         gss_create_empty_oid_set(&min_status, oidset);
@@ -1070,7 +1115,7 @@ Index: b/gss-serv.c
  
         while (supported_mechs[i]->name != NULL) {
                 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -249,8 +287,48 @@
+@@ -249,8 +287,48 @@ OM_uint32
  ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  {
         int i = 0;
@@ -1120,7 +1165,7 @@ Index: b/gss-serv.c
  
         client->mech = NULL;
  
-@@ -265,6 +343,13 @@
+@@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
         if (client->mech == NULL)
                 return GSS_S_FAILURE;
  
@@ -1134,7 +1179,7 @@ Index: b/gss-serv.c
         if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
             &client->displayname, NULL))) {
                 ssh_gssapi_error(ctx);
-@@ -282,6 +367,8 @@
+@@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
                 return (ctx->major);
         }
  
@@ -1143,7 +1188,7 @@ Index: b/gss-serv.c
         /* We can't copy this structure, so we just move the pointer to it */
         client->creds = ctx->client_creds;
         ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -329,7 +416,7 @@
+@@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
  
  /* Privileged */
  int
@@ -1152,7 +1197,7 @@ Index: b/gss-serv.c
  {
         OM_uint32 lmin;
  
-@@ -339,9 +426,11 @@
+@@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user)
                 return 0;
         }
         if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1166,7 +1211,7 @@ Index: b/gss-serv.c
                         /* Destroy delegated credentials if userok fails */
                         gss_release_buffer(&lmin, &gssapi_client.displayname);
                         gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +443,90 @@
+@@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user)
         return (0);
  }
  
@@ -1263,8 +1308,8 @@ Index: b/gss-serv.c
  }
  
  #endif
-Index: b/kex.c
-===================================================================
+diff --git a/kex.c b/kex.c
+index 54bd1a4..1ec2782 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -50,6 +50,10 @@
@@ -1278,7 +1323,7 @@ Index: b/kex.c
  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
  # if defined(HAVE_EVP_SHA256)
  # define evp_ssh_sha256 EVP_sha256
-@@ -82,6 +86,14 @@
+@@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = {
  #endif
         { NULL, -1, -1, NULL},
  };
@@ -1293,7 +1338,7 @@ Index: b/kex.c
  
  char *
  kex_alg_list(void)
-@@ -110,6 +122,10 @@
+@@ -110,6 +122,10 @@ kex_alg_by_name(const char *name)
                 if (strcmp(k->name, name) == 0)
                         return k;
         }
@@ -1304,11 +1349,11 @@ Index: b/kex.c
         return NULL;
  }
  
-Index: b/kex.h
-===================================================================
+diff --git a/kex.h b/kex.h
+index 9f1e1ad..d5046c6 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -74,6 +74,9 @@
+@@ -74,6 +74,9 @@ enum kex_exchange {
         KEX_DH_GEX_SHA1,
         KEX_DH_GEX_SHA256,
         KEX_ECDH_SHA2,
@@ -1318,7 +1363,7 @@ Index: b/kex.h
         KEX_MAX
  };
  
-@@ -133,6 +136,12 @@
+@@ -133,6 +136,12 @@ struct Kex {
         int     flags;
         const EVP_MD *evp_md;
         int     ec_nid;
@@ -1331,7 +1376,7 @@ Index: b/kex.h
         char    *client_version_string;
         char    *server_version_string;
         int     (*verify_host_key)(Key *);
-@@ -162,6 +171,11 @@
+@@ -162,6 +171,11 @@ void        kexgex_server(Kex *);
  void    kexecdh_client(Kex *);
  void    kexecdh_server(Kex *);
  
@@ -1343,8 +1388,9 @@ Index: b/kex.h
  void
  kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-Index: b/kexgssc.c
-===================================================================
+diff --git a/kexgssc.c b/kexgssc.c
+new file mode 100644
+index 0000000..616893c
 --- /dev/null
 +++ b/kexgssc.c
 @@ -0,0 +1,333 @@
@@ -1681,8 +1727,9 @@ Index: b/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-Index: b/kexgsss.c
-===================================================================
+diff --git a/kexgsss.c b/kexgsss.c
+new file mode 100644
+index 0000000..18b065b
 --- /dev/null
 +++ b/kexgsss.c
 @@ -0,0 +1,289 @@
@@ -1975,11 +2022,11 @@ Index: b/kexgsss.c
 +               ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-Index: b/key.c
-===================================================================
+diff --git a/key.c b/key.c
+index 55ee789..2591635 100644
 --- a/key.c
 +++ b/key.c
-@@ -933,6 +933,7 @@
+@@ -933,6 +933,7 @@ static const struct keytype keytypes[] = {
             KEY_RSA_CERT_V00, 0, 1 },
         { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
             KEY_DSA_CERT_V00, 0, 1 },
@@ -1987,11 +2034,11 @@ Index: b/key.c
         { NULL, NULL, -1, -1, 0 }
  };
  
-Index: b/key.h
-===================================================================
+diff --git a/key.h b/key.h
+index 17358ae..b57d6a4 100644
 --- a/key.h
 +++ b/key.h
-@@ -44,6 +44,7 @@
+@@ -44,6 +44,7 @@ enum types {
         KEY_ECDSA_CERT,
         KEY_RSA_CERT_V00,
         KEY_DSA_CERT_V00,
@@ -1999,11 +2046,11 @@ Index: b/key.h
         KEY_UNSPEC
  };
  enum fp_type {
-Index: b/monitor.c
-===================================================================
+diff --git a/monitor.c b/monitor.c
+index 44dff98..9079c97 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -181,6 +181,8 @@
+@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -2012,7 +2059,7 @@ Index: b/monitor.c
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -253,6 +255,7 @@
+@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2020,7 +2067,7 @@ Index: b/monitor.c
  #endif
  #ifdef JPAKE
      {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -265,6 +268,12 @@
+@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
  };
  
  struct mon_table mon_dispatch_postauth20[] = {
@@ -2033,7 +2080,7 @@ Index: b/monitor.c
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
      {MONITOR_REQ_SIGN, 0, mm_answer_sign},
      {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -373,6 +382,10 @@
+@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                 /* Permit requests for moduli and signatures */
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2044,7 +2091,7 @@ Index: b/monitor.c
         } else {
                 mon_dispatch = mon_dispatch_proto15;
  
-@@ -487,6 +500,10 @@
+@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2055,7 +2102,7 @@ Index: b/monitor.c
         } else {
                 mon_dispatch = mon_dispatch_postauth15;
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1855,6 +1872,13 @@
+@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2069,7 +2116,7 @@ Index: b/monitor.c
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
         kex->kex_type = buffer_get_int(m);
-@@ -2062,6 +2086,9 @@
+@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
  
@@ -2079,7 +2126,7 @@ Index: b/monitor.c
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
  
-@@ -2089,6 +2116,9 @@
+@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2089,7 +2136,7 @@ Index: b/monitor.c
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2106,6 +2136,7 @@
+@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2097,7 +2144,7 @@ Index: b/monitor.c
         }
         return (0);
  }
-@@ -2117,6 +2148,9 @@
+@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
  
@@ -2107,7 +2154,7 @@ Index: b/monitor.c
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
-@@ -2143,7 +2177,11 @@
+@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
  {
         int authenticated;
  
@@ -2120,7 +2167,7 @@ Index: b/monitor.c
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -2156,6 +2194,74 @@
+@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2195,11 +2242,11 @@ Index: b/monitor.c
  #endif /* GSSAPI */
  
  #ifdef JPAKE
-Index: b/monitor.h
-===================================================================
+diff --git a/monitor.h b/monitor.h
+index 2caa469..315ef99 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -70,6 +70,9 @@
+@@ -70,6 +70,9 @@ enum monitor_reqtype {
         MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
         MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
  
@@ -2209,11 +2256,11 @@ Index: b/monitor.h
  };
  
  struct mm_master;
-Index: b/monitor_wrap.c
-===================================================================
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 4ce4696..44019f3 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1273,7 +1273,7 @@
+@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
  }
  
  int
@@ -2222,7 +2269,7 @@ Index: b/monitor_wrap.c
  {
         Buffer m;
         int authenticated = 0;
-@@ -1290,6 +1290,51 @@
+@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2274,11 +2321,11 @@ Index: b/monitor_wrap.c
  #endif /* GSSAPI */
  
  #ifdef JPAKE
-Index: b/monitor_wrap.h
-===================================================================
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 0c7f2e3..ec9b9b1 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -58,8 +58,10 @@
+@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2290,11 +2337,11 @@ Index: b/monitor_wrap.h
  #endif
  
  #ifdef USE_PAM
-Index: b/readconf.c
-===================================================================
+diff --git a/readconf.c b/readconf.c
+index 1464430..2695fd6 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -132,6 +132,8 @@
+@@ -132,6 +132,8 @@ typedef enum {
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2303,7 +2350,7 @@ Index: b/readconf.c
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
-@@ -172,10 +174,19 @@
+@@ -172,10 +174,19 @@ static struct {
         { "afstokenpassing", oUnsupported },
  #if defined(GSSAPI)
         { "gssapiauthentication", oGssAuthentication },
@@ -2323,7 +2370,7 @@ Index: b/readconf.c
  #endif
         { "fallbacktorsh", oDeprecated },
         { "usersh", oDeprecated },
-@@ -516,10 +527,30 @@
+@@ -516,10 +527,30 @@ parse_flag:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2354,7 +2401,7 @@ Index: b/readconf.c
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
-@@ -1168,7 +1199,12 @@
+@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
@@ -2367,7 +2414,7 @@ Index: b/readconf.c
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -1268,8 +1304,14 @@
+@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2382,11 +2429,11 @@ Index: b/readconf.c
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-Index: b/readconf.h
-===================================================================
+diff --git a/readconf.h b/readconf.h
+index 23fc500..675b35d 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -48,7 +48,12 @@
+@@ -48,7 +48,12 @@ typedef struct {
         int     challenge_response_authentication;
                                         /* Try S/Key or TIS, authentication. */
         int     gss_authentication;     /* Try GSS authentication */
@@ -2399,11 +2446,11 @@ Index: b/readconf.h
         int     password_authentication;        /* Try password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: b/servconf.c
-===================================================================
+diff --git a/servconf.c b/servconf.c
+index 747edde..c938ae3 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -107,7 +107,10 @@
+@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options)
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
@@ -2414,7 +2461,7 @@ Index: b/servconf.c
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -240,8 +243,14 @@
+@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options)
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2429,7 +2476,7 @@ Index: b/servconf.c
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -338,7 +347,9 @@
+@@ -338,7 +347,9 @@ typedef enum {
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2440,7 +2487,7 @@ Index: b/servconf.c
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
         sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -405,10 +416,20 @@
+@@ -405,10 +416,20 @@ static struct {
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2461,7 +2508,7 @@ Index: b/servconf.c
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1073,10 +1094,22 @@
+@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2484,7 +2531,7 @@ Index: b/servconf.c
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -1983,7 +2016,10 @@
+@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2495,11 +2542,11 @@ Index: b/servconf.c
  #endif
  #ifdef JPAKE
         dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-Index: b/servconf.h
-===================================================================
+diff --git a/servconf.h b/servconf.h
+index 98aad8b..ab6e346 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -111,7 +111,10 @@
+@@ -111,7 +111,10 @@ typedef struct {
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2510,8 +2557,8 @@ Index: b/servconf.h
         int     password_authentication;        /* If true, permit password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
-Index: b/ssh-gss.h
-===================================================================
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 077e13c..bc6e8f9 100644
 --- a/ssh-gss.h
 +++ b/ssh-gss.h
 @@ -1,6 +1,6 @@
@@ -2545,7 +2592,7 @@ Index: b/ssh-gss.h
         void *data;
  } ssh_gssapi_ccache;
  
-@@ -72,8 +84,11 @@
+@@ -72,8 +84,11 @@ typedef struct {
         gss_buffer_desc displayname;
         gss_buffer_desc exportedname;
         gss_cred_id_t creds;
@@ -2557,7 +2604,7 @@ Index: b/ssh-gss.h
  } ssh_gssapi_client;
  
  typedef struct ssh_gssapi_mech_struct {
-@@ -84,6 +99,7 @@
+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
         int (*userok) (ssh_gssapi_client *, char *);
         int (*localname) (ssh_gssapi_client *, char **);
         void (*storecreds) (ssh_gssapi_client *);
@@ -2565,7 +2612,7 @@ Index: b/ssh-gss.h
  } ssh_gssapi_mech;
  
  typedef struct {
-@@ -94,10 +110,11 @@
+@@ -94,10 +110,11 @@ typedef struct {
         gss_OID         oid; /* client */
         gss_cred_id_t   creds; /* server */
         gss_name_t      client; /* server */
@@ -2578,7 +2625,7 @@ Index: b/ssh-gss.h
  
  int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
  void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -117,16 +134,30 @@
+@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
  void ssh_gssapi_delete_ctx(Gssctxt **);
  OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
  void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2611,8 +2658,8 @@ Index: b/ssh-gss.h
  #endif /* GSSAPI */
  
  #endif /* _SSH_GSS_H */
-Index: b/ssh_config
-===================================================================
+diff --git a/ssh_config b/ssh_config
+index bb40819..3234321 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -26,6 +26,8 @@
@@ -2624,11 +2671,11 @@ Index: b/ssh_config
  #   BatchMode no
  #   CheckHostIP yes
  #   AddressFamily any
-Index: b/ssh_config.5
-===================================================================
+diff --git a/ssh_config.5 b/ssh_config.5
+index 5d76c6d..e72919a 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -529,11 +529,43 @@
+@@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2673,11 +2720,11 @@ Index: b/ssh_config.5
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-Index: b/sshconnect2.c
-===================================================================
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 70e3cd8..0b13530 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,9 +160,34 @@
+@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  {
         Kex *kex;
  
@@ -2712,7 +2759,7 @@ Index: b/sshconnect2.c
         if (options.ciphers == (char *)-1) {
                 logit("No valid ciphers for protocol version 2 given, using defaults.");
                 options.ciphers = NULL;
-@@ -197,6 +222,17 @@
+@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         if (options.kex_algorithms != NULL)
                 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
  
@@ -2730,7 +2777,7 @@ Index: b/sshconnect2.c
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
-@@ -208,10 +244,30 @@
+@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2761,7 +2808,7 @@ Index: b/sshconnect2.c
         xxx_kex = kex;
  
         dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -307,6 +363,7 @@
+@@ -307,6 +363,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
  void   input_gssapi_hash(int type, u_int32_t, void *);
  void   input_gssapi_error(int, u_int32_t, void *);
  void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2769,7 +2816,7 @@ Index: b/sshconnect2.c
  #endif
  
  void   userauth(Authctxt *, char *);
-@@ -322,6 +379,11 @@
+@@ -322,6 +379,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2781,7 +2828,7 @@ Index: b/sshconnect2.c
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -625,19 +687,31 @@
+@@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -2815,7 +2862,7 @@ Index: b/sshconnect2.c
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
-@@ -734,8 +808,8 @@
+@@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
@@ -2826,7 +2873,7 @@ Index: b/sshconnect2.c
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -844,6 +918,48 @@
+@@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
         free(msg);
         free(lang);
  }
@@ -2875,8 +2922,8 @@ Index: b/sshconnect2.c
  #endif /* GSSAPI */
  
  int
-Index: b/sshd.c
-===================================================================
+diff --git a/sshd.c b/sshd.c
+index 174cc7a..4eddeb8 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -122,6 +122,10 @@
@@ -2890,7 +2937,7 @@ Index: b/sshd.c
  #ifdef LIBWRAP
  #include <tcpd.h>
  #include <syslog.h>
-@@ -1703,10 +1707,13 @@
+@@ -1703,10 +1707,13 @@ main(int ac, char **av)
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2904,7 +2951,7 @@ Index: b/sshd.c
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -2035,6 +2042,60 @@
+@@ -2035,6 +2042,60 @@ main(int ac, char **av)
         /* Log the connection. */
         verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -2965,7 +3012,7 @@ Index: b/sshd.c
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2439,6 +2500,48 @@
+@@ -2439,6 +2500,48 @@ do_ssh2_kex(void)
  
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
  
@@ -3014,7 +3061,7 @@ Index: b/sshd.c
         /* start key exchange */
         kex = kex_setup(myproposal);
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2446,6 +2549,13 @@
+@@ -2446,6 +2549,13 @@ do_ssh2_kex(void)
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3028,11 +3075,11 @@ Index: b/sshd.c
         kex->server = 1;
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
-Index: b/sshd_config
-===================================================================
+diff --git a/sshd_config b/sshd_config
+index b786361..9450141 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -83,6 +83,8 @@
+@@ -83,6 +83,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
@@ -3041,11 +3088,11 @@ Index: b/sshd_config
  
  # Set this to 'yes' to enable PAM authentication, account processing, 
  # and session processing. If this is enabled, PAM authentication will 
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index 3abac6c..525d9c8 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -484,12 +484,40 @@
+@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 298e8e216..66a59a053 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,13 +1,21 @@
-Description: Mention ~& when waiting for forwarded connections to terminate
-Author: Matthew Vernon <matthew@debian.org>
+From ea2e0af0bc3a683edb32b508c03eb793617f6f31 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <matthew@debian.org>
+Date: Sun, 9 Feb 2014 16:09:56 +0000
+Subject: Mention ~& when waiting for forwarded connections to terminate
+
 Bug-Debian: http://bugs.debian.org/50308
 Last-Update: 2010-02-27
 
-Index: b/serverloop.c
-===================================================================
+Patch-Name: helpful-wait-terminate.patch
+---
+ serverloop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index ccbad61..5f22df3 100644
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -686,7 +686,7 @@
+@@ -686,7 +686,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
                         if (!channel_still_open())
                                 break;
                         if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index a851a91bf..61389cc44 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,24 +1,35 @@
-Description: Various keepalive extensions
- Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut,
- supported in previous versions of Debian's OpenSSH package but since
- superseded by ServerAliveInterval.  (We're probably stuck with this bit for
- compatibility.)
- .
- In batch mode, default ServerAliveInterval to five minutes.
- .
- Adjust documentation to match and to give some more advice on use of
- keepalives.
-Author: Richard Kettlewell <rjk@greenend.org.uk>
+From affb41e3cf23b79a3d165ae0d97689a46a965b6f Mon Sep 17 00:00:00 2001
+From: Richard Kettlewell <rjk@greenend.org.uk>
+Date: Sun, 9 Feb 2014 16:09:52 +0000
+Subject: Various keepalive extensions
+
+Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
+in previous versions of Debian's OpenSSH package but since superseded by
+ServerAliveInterval.  (We're probably stuck with this bit for
+compatibility.)
+
+In batch mode, default ServerAliveInterval to five minutes.
+
+Adjust documentation to match and to give some more advice on use of
+keepalives.
+
 Author: Ian Jackson <ian@chiark.greenend.org.uk>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
 Last-Update: 2013-09-14
 
-Index: b/readconf.c
-===================================================================
+Patch-Name: keepalive-extensions.patch
+---
+ readconf.c    | 14 ++++++++++++--
+ ssh_config.5  | 21 +++++++++++++++++++--
+ sshd_config.5 |  3 +++
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 22e5a3a..2dcbf31 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -141,6 +141,7 @@
+@@ -141,6 +141,7 @@ typedef enum {
         oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
         oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
@@ -26,7 +37,7 @@ Index: b/readconf.c
         oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -263,6 +264,8 @@
+@@ -263,6 +264,8 @@ static struct {
         { "ipqos", oIPQoS },
         { "requesttty", oRequestTTY },
         { "ignoreunknown", oIgnoreUnknown },
@@ -35,7 +46,7 @@ Index: b/readconf.c
  
         { NULL, oBadOption }
  };
-@@ -939,6 +942,8 @@
+@@ -939,6 +942,8 @@ parse_int:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -44,7 +55,7 @@ Index: b/readconf.c
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -1404,8 +1409,13 @@
+@@ -1404,8 +1409,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -60,11 +71,11 @@ Index: b/readconf.c
         if (options->server_alive_count_max == -1)
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
-Index: b/ssh_config.5
-===================================================================
+diff --git a/ssh_config.5 b/ssh_config.5
+index 89b25cd..135d833 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -136,8 +136,12 @@
+@@ -136,8 +136,12 @@ Valid arguments are
  If set to
  .Dq yes ,
  passphrase/password querying will be disabled.
@@ -78,7 +89,7 @@ Index: b/ssh_config.5
  The argument must be
  .Dq yes
  or
-@@ -1141,8 +1145,15 @@
+@@ -1141,8 +1145,15 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -95,7 +106,7 @@ Index: b/ssh_config.5
  .It Cm StrictHostKeyChecking
  If this flag is set to
  .Dq yes ,
-@@ -1181,6 +1192,12 @@
+@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -108,11 +119,11 @@ Index: b/ssh_config.5
  However, this means that
  connections will die if the route is down temporarily, and some people
  find it annoying.
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index 18ec81f..510cc7c 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1161,6 +1161,9 @@
+@@ -1161,6 +1161,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 19ae33b22..b3b549cc8 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,15 +1,24 @@
-Description: Fix picky lintian errors about slogin symlinks
- Apparently this breaks some SVR4 packaging systems, so upstream can't win
- either way and opted to keep the status quo.  We need this patch anyway.
-Author: Colin Watson <cjwatson@debian.org>
+From 6d50dc6d561af1bcf41eaf1dc69e7920abe5aa4b Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:08 +0000
+Subject: Fix picky lintian errors about slogin symlinks
+
+Apparently this breaks some SVR4 packaging systems, so upstream can't win
+either way and opted to keep the status quo.  We need this patch anyway.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
 Last-Update: 2013-09-14
 
-Index: b/Makefile.in
-===================================================================
+Patch-Name: lintian-symlink-pickiness.patch
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 7cd3a08..839abbd 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -296,9 +296,9 @@
+@@ -296,9 +296,9 @@ install-files:
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
         $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
         -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 55c277031..07682155c 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,14 +1,22 @@
-Description: Mention ssh-keygen in ssh fingerprint changed warning
-Author: Scott Moser <smoser@ubuntu.com>
+From 7a20ce0712e7b7174a0c079e84568a9e8321c42b Mon Sep 17 00:00:00 2001
+From: Scott Moser <smoser@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:10:03 +0000
+Subject: Mention ssh-keygen in ssh fingerprint changed warning
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
 Last-Update: 2013-09-14
 
-Index: b/sshconnect.c
-===================================================================
+Patch-Name: mention-ssh-keygen-on-keychange.patch
+---
+ sshconnect.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 91fd59a..bda83b2 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -981,9 +981,12 @@
+@@ -981,9 +981,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                         error("%s. This could either mean that", key_msg);
                         error("DNS SPOOFING is happening or the IP address for the host");
                         error("and its host key have changed at the same time.");
@@ -22,7 +30,7 @@ Index: b/sshconnect.c
                 }
                 /* The host key has changed. */
                 warn_changed_key(host_key);
-@@ -991,6 +994,8 @@
+@@ -991,6 +994,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                     user_hostfiles[0]);
                 error("Offending %s key in %s:%lu", key_type(host_found->key),
                     host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 8c7b6538e..f45e2b959 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,17 +1,26 @@
-Description: Disable OpenSSL version check
- OpenSSL's SONAME is sufficient nowadays.
-Author: Philip Hands <phil@hands.com>
+From bc87a22e258193138419d6615c0e92e4124dbe90 Mon Sep 17 00:00:00 2001
+From: Philip Hands <phil@hands.com>
+Date: Sun, 9 Feb 2014 16:10:14 +0000
+Subject: Disable OpenSSL version check
+
+OpenSSL's SONAME is sufficient nowadays.
+
 Author: Colin Watson <cjwatson@debian.org>
 Bug-Debian: http://bugs.debian.org/93581
 Bug-Debian: http://bugs.debian.org/664383
 Forwarded: not-needed
 Last-Update: 2013-12-23
 
-Index: b/entropy.c
-===================================================================
+Patch-Name: no-openssl-version-check.patch
+---
+ entropy.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/entropy.c b/entropy.c
+index 2d483b3..2aee2d9 100644
 --- a/entropy.c
 +++ b/entropy.c
-@@ -209,18 +209,6 @@
+@@ -209,18 +209,6 @@ seed_rng(void)
  #ifndef OPENSSL_PRNG_ONLY
         unsigned char buf[RANDOM_SEED_SIZE];
  #endif
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index d4eeee6e8..afc1fe306 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,15 +1,28 @@
-Description: Adjust various OpenBSD-specific references in manual pages
- No single bug reference for this patch, but history includes:
-  http://bugs.debian.org/154434 (login.conf(5))
-  http://bugs.debian.org/513417 (/etc/rc)
-  http://bugs.debian.org/530692 (ssl(8))
-  https://bugs.launchpad.net/bugs/456660 (ssl(8))
-Author: Colin Watson <cjwatson@debian.org>
+From 98517b1b99dceff74e4a1e50d5a345f5b569ad6f Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:09 +0000
+Subject: Adjust various OpenBSD-specific references in manual pages
+
+No single bug reference for this patch, but history includes:
+ http://bugs.debian.org/154434 (login.conf(5))
+ http://bugs.debian.org/513417 (/etc/rc)
+ http://bugs.debian.org/530692 (ssl(8))
+ https://bugs.launchpad.net/bugs/456660 (ssl(8))
+
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/moduli.5
-===================================================================
+Patch-Name: openbsd-docs.patch
+---
+ moduli.5      |  4 ++--
+ ssh-keygen.1  | 12 ++++--------
+ ssh.1         |  4 ++++
+ sshd.8        |  5 ++---
+ sshd_config.5 |  3 +--
+ 5 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/moduli.5 b/moduli.5
+index ef0de08..149846c 100644
 --- a/moduli.5
 +++ b/moduli.5
 @@ -21,7 +21,7 @@
@@ -21,7 +34,7 @@ Index: b/moduli.5
  file contains prime numbers and generators for use by
  .Xr sshd 8
  in the Diffie-Hellman Group Exchange key exchange method.
-@@ -110,7 +110,7 @@
+@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
  Diffie-Hellman output to sufficiently key the selected symmetric cipher.
  .Xr sshd 8
  then randomly selects a modulus from
@@ -30,11 +43,11 @@ Index: b/moduli.5
  that best meets the size requirement.
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
-Index: b/ssh-keygen.1
-===================================================================
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index 144be7d..753cc62 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -171,9 +171,7 @@
+@@ -171,9 +171,7 @@ key in
  .Pa ~/.ssh/id_dsa
  or
  .Pa ~/.ssh/id_rsa .
@@ -45,7 +58,7 @@ Index: b/ssh-keygen.1
  .Pp
  Normally this program generates the key and asks for a file in which
  to store the private key.
-@@ -219,9 +217,7 @@
+@@ -219,9 +217,7 @@ The options are as follows:
  For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
  do not exist, generate the host keys with the default key file path,
  an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +69,7 @@ Index: b/ssh-keygen.1
  .It Fl a Ar trials
  Specifies the number of primality tests to perform when screening DH-GEX
  candidates using the
-@@ -605,7 +601,7 @@
+@@ -605,7 +601,7 @@ option.
  Valid generator values are 2, 3, and 5.
  .Pp
  Screened DH groups may be installed in
@@ -65,7 +78,7 @@ Index: b/ssh-keygen.1
  It is important that this file contains moduli of a range of bit lengths and
  that both ends of a connection share common moduli.
  .Sh CERTIFICATES
-@@ -800,7 +796,7 @@
+@@ -800,7 +796,7 @@ on all machines
  where the user wishes to log in using public key authentication.
  There is no need to keep the contents of this file secret.
  .Pp
@@ -74,11 +87,11 @@ Index: b/ssh-keygen.1
  Contains Diffie-Hellman groups used for DH-GEX.
  The file format is described in
  .Xr moduli 5 .
-Index: b/ssh.1
-===================================================================
+diff --git a/ssh.1 b/ssh.1
+index 0b38ae1..b3c3924 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -756,6 +756,10 @@
+@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys,
  but protocol 2 may use any.
  The HISTORY section of
  .Xr ssl 8
@@ -89,11 +102,11 @@ Index: b/ssh.1
  contains a brief discussion of the DSA and RSA algorithms.
  .Pp
  The file
-Index: b/sshd.8
-===================================================================
+diff --git a/sshd.8 b/sshd.8
+index a604429..6bdd219 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -70,7 +70,7 @@
+@@ -70,7 +70,7 @@ over an insecure network.
  .Nm
  listens for connections from clients.
  It is normally started at boot from
@@ -102,7 +115,7 @@ Index: b/sshd.8
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -859,7 +859,7 @@
+@@ -859,7 +859,7 @@ This file is for host-based authentication (see
  .Xr ssh 1 ) .
  It should only be writable by root.
  .Pp
@@ -111,7 +124,7 @@ Index: b/sshd.8
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
  The file format is described in
  .Xr moduli 5 .
-@@ -957,7 +957,6 @@
+@@ -957,7 +957,6 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-vulnkey 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -119,11 +132,11 @@ Index: b/sshd.8
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index eaf8d01..ec4851a 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -283,8 +283,7 @@
+@@ -283,8 +283,7 @@ This option is only available for protocol version 2.
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 392afc073..df97fa40f 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,17 +1,28 @@
-Description: Include the Debian version in our identification
- This makes it easier to audit networks for versions patched against
- security vulnerabilities.  It has little detrimental effect, as attackers
- will generally just try attacks rather than bothering to scan for
- vulnerable-looking version strings.  (However, see debian-banner.patch.)
-Author: Matthew Vernon <matthew@debian.org>
+From da3ff9786c4c03b2aac4936b28f06b3c152e230d Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <matthew@debian.org>
+Date: Sun, 9 Feb 2014 16:10:05 +0000
+Subject: Include the Debian version in our identification
+
+This makes it easier to audit networks for versions patched against security
+vulnerabilities.  It has little detrimental effect, as attackers will
+generally just try attacks rather than bothering to scan for
+vulnerable-looking version strings.  (However, see debian-banner.patch.)
+
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/sshconnect.c
-===================================================================
+Patch-Name: package-versioning.patch
+---
+ sshconnect.c | 4 ++--
+ sshd.c       | 2 +-
+ version.h    | 7 ++++++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index bda83b2..ad960fd 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -442,10 +442,10 @@
+@@ -442,10 +442,10 @@ send_client_banner(int connection_out, int minor1)
         /* Send our own protocol version identification. */
         if (compat20) {
                 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -24,11 +35,11 @@ Index: b/sshconnect.c
         }
         if (roaming_atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
-Index: b/sshd.c
-===================================================================
+diff --git a/sshd.c b/sshd.c
+index fbe3284..7efa7ef 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -440,7 +440,7 @@
+@@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -37,8 +48,8 @@ Index: b/sshd.c
             *options.version_addendum == '\0' ? "" : " ",
             options.version_addendum, newline);
  
-Index: b/version.h
-===================================================================
+diff --git a/version.h b/version.h
+index 39033ed..036277d 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 32f4cfc67..5cb0146d8 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,22 +1,31 @@
-Description: Reduce severity of "Killed by signal %d"
- This produces irritating messages when using ProxyCommand or other programs
- that use ssh under the covers (e.g. Subversion).  These messages are more
- normally printed by the calling program, such as the shell.
- .
- According to the upstream bug, the right way to avoid this is to use the -q
- option, so we may drop this patch after further investigation into whether
- any software in Debian is still relying on it.
-Author: Peter Samuelson <peter@p12n.org>
+From da5b4ce7296ada332d70133a9ec02ba71c742b7d Mon Sep 17 00:00:00 2001
+From: Peter Samuelson <peter@p12n.org>
+Date: Sun, 9 Feb 2014 16:09:55 +0000
+Subject: Reduce severity of "Killed by signal %d"
+
+This produces irritating messages when using ProxyCommand or other programs
+that use ssh under the covers (e.g. Subversion).  These messages are more
+normally printed by the calling program, such as the shell.
+
+According to the upstream bug, the right way to avoid this is to use the -q
+option, so we may drop this patch after further investigation into whether
+any software in Debian is still relying on it.
+
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
 Bug-Debian: http://bugs.debian.org/313371
 Last-Update: 2013-09-14
 
-Index: b/clientloop.c
-===================================================================
+Patch-Name: quieter-signals.patch
+---
+ clientloop.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index dc76d69..f2f474e 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1717,8 +1717,10 @@
+@@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 exit_status = 0;
         }
  
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 239c1b599..887164beb 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,17 +1,26 @@
-Description: Adjust scp quoting in verbose mode
- Tweak scp's reporting of filenames in verbose mode to be a bit less
- confusing with spaces.
- .
- This should be revised to mimic real shell quoting.
-Author: Nicolas Valcárcel <nvalcarcel@ubuntu.com>
+From 7531f41888f9e40be95a319fb325f6f05dd50751 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:09:59 +0000
+Subject: Adjust scp quoting in verbose mode
+
+Tweak scp's reporting of filenames in verbose mode to be a bit less
+confusing with spaces.
+
+This should be revised to mimic real shell quoting.
+
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
 Last-Update: 2010-02-27
 
-Index: b/scp.c
-===================================================================
+Patch-Name: scp-quoting.patch
+---
+ scp.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 28ded5e..b7a17ab 100644
 --- a/scp.c
 +++ b/scp.c
-@@ -189,8 +189,16 @@
+@@ -189,8 +189,16 @@ do_local_cmd(arglist *a)
  
         if (verbose_mode) {
                 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index f3376c20a..8aa8f614e 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,17 +1,41 @@
-Description: Handle SELinux authorisation roles
- Rejected upstream due to discomfort with magic usernames; a better approach
- will need an SSH protocol change.  In the meantime, this came from Debian's
- SELinux maintainer, so we'll keep it until we have something better.
-Author: Manoj Srivastava <srivasta@debian.org>
+From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sun, 9 Feb 2014 16:09:49 +0000
+Subject: Handle SELinux authorisation roles
+
+Rejected upstream due to discomfort with magic usernames; a better approach
+will need an SSH protocol change.  In the meantime, this came from Debian's
+SELinux maintainer, so we'll keep it until we have something better.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
 Last-Update: 2013-09-14
 
-Index: b/auth.h
-===================================================================
+Patch-Name: selinux-role.patch
+---
+ auth.h                      |  1 +
+ auth1.c                     |  8 +++++++-
+ auth2.c                     | 10 ++++++++--
+ monitor.c                   | 32 +++++++++++++++++++++++++++++---
+ monitor.h                   |  2 ++
+ monitor_wrap.c              | 22 ++++++++++++++++++++--
+ monitor_wrap.h              |  3 ++-
+ openbsd-compat/port-linux.c | 27 ++++++++++++++++++++-------
+ openbsd-compat/port-linux.h |  4 ++--
+ platform.c                  |  4 ++--
+ platform.h                  |  2 +-
+ session.c                   | 10 +++++-----
+ session.h                   |  2 +-
+ sshd.c                      |  2 +-
+ sshpty.c                    |  4 ++--
+ sshpty.h                    |  2 +-
+ 16 files changed, 104 insertions(+), 31 deletions(-)
+
+diff --git a/auth.h b/auth.h
+index 80f0898..5b6824f 100644
 --- a/auth.h
 +++ b/auth.h
-@@ -59,6 +59,7 @@
+@@ -59,6 +59,7 @@ struct Authctxt {
         char            *service;
         struct passwd   *pw;            /* set if 'valid' */
         char            *style;
@@ -19,11 +43,11 @@ Index: b/auth.h
         void            *kbdintctxt;
         char            *info;          /* Extra info for next auth_log */
         void            *jpake_ctx;
-Index: b/auth1.c
-===================================================================
+diff --git a/auth1.c b/auth1.c
+index f1ac598..2803a3c 100644
 --- a/auth1.c
 +++ b/auth1.c
-@@ -380,7 +380,7 @@
+@@ -380,7 +380,7 @@ void
  do_authentication(Authctxt *authctxt)
  {
         u_int ulen;
@@ -32,7 +56,7 @@ Index: b/auth1.c
  
         /* Get the name of the user that we wish to log in as. */
         packet_read_expect(SSH_CMSG_USER);
-@@ -389,11 +389,17 @@
+@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt)
         user = packet_get_cstring(&ulen);
         packet_check_eom();
  
@@ -50,11 +74,11 @@ Index: b/auth1.c
  
         /* Verify that the user is a valid user. */
         if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-Index: b/auth2.c
-===================================================================
+diff --git a/auth2.c b/auth2.c
+index 6ed8f04..b55bbcd 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -222,7 +222,7 @@
+@@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Authmethod *m = NULL;
@@ -63,7 +87,7 @@ Index: b/auth2.c
         int authenticated = 0;
  
         if (authctxt == NULL)
-@@ -234,8 +234,13 @@
+@@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -77,7 +101,7 @@ Index: b/auth2.c
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -259,8 +264,9 @@
+@@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -88,11 +112,11 @@ Index: b/auth2.c
                 userauth_banner();
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
-Index: b/monitor.c
-===================================================================
+diff --git a/monitor.c b/monitor.c
+index 9079c97..e8d63eb 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -146,6 +146,7 @@
+@@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
  int mm_answer_pwnamallow(int, Buffer *);
  int mm_answer_auth2_read_banner(int, Buffer *);
  int mm_answer_authserv(int, Buffer *);
@@ -100,7 +124,7 @@ Index: b/monitor.c
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -227,6 +228,7 @@
+@@ -227,6 +228,7 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +132,7 @@ Index: b/monitor.c
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -844,6 +846,7 @@
+@@ -844,6 +846,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
         else {
                 /* Allow service/style information on the auth context */
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +140,7 @@ Index: b/monitor.c
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
         }
  #ifdef USE_PAM
-@@ -874,14 +877,37 @@
+@@ -874,14 +877,37 @@ mm_answer_authserv(int sock, Buffer *m)
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +180,7 @@ Index: b/monitor.c
         return (0);
  }
  
-@@ -1486,7 +1512,7 @@
+@@ -1486,7 +1512,7 @@ mm_answer_pty(int sock, Buffer *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -165,11 +189,11 @@ Index: b/monitor.c
  
         buffer_put_int(m, 1);
         buffer_put_cstring(m, s->tty);
-Index: b/monitor.h
-===================================================================
+diff --git a/monitor.h b/monitor.h
+index 315ef99..3c13706 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -73,6 +73,8 @@
+@@ -73,6 +73,8 @@ enum monitor_reqtype {
         MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
         MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
  
@@ -178,11 +202,11 @@ Index: b/monitor.h
  };
  
  struct mm_master;
-Index: b/monitor_wrap.c
-===================================================================
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 44019f3..69bc324 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -320,10 +320,10 @@
+@@ -320,10 +320,10 @@ mm_auth2_read_banner(void)
         return (banner);
  }
  
@@ -195,7 +219,7 @@ Index: b/monitor_wrap.c
  {
         Buffer m;
  
-@@ -332,11 +332,29 @@
+@@ -332,12 +332,30 @@ mm_inform_authserv(char *service, char *style)
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
@@ -205,7 +229,7 @@ Index: b/monitor_wrap.c
  
         buffer_free(&m);
  }
-+
+ 
 +/* Inform the privileged process about role */
 +
 +void
@@ -222,14 +246,15 @@ Index: b/monitor_wrap.c
 +
 +       buffer_free(&m);
 +}
- 
++
  /* Do the password authentication */
  int
-Index: b/monitor_wrap.h
-===================================================================
+ mm_auth_password(Authctxt *authctxt, char *password)
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index ec9b9b1..4d12e29 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -41,7 +41,8 @@
+@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
  int mm_is_monitor(void);
  DH *mm_choose_dh(int, int, int);
  int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@@ -239,8 +264,8 @@ Index: b/monitor_wrap.h
  struct passwd *mm_getpwnamallow(const char *);
  char *mm_auth2_read_banner(void);
  int mm_auth_password(struct Authctxt *, char *);
-Index: b/openbsd-compat/port-linux.c
-===================================================================
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4637a7a..de6ad3f 100644
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
 @@ -29,6 +29,12 @@
@@ -256,7 +281,7 @@ Index: b/openbsd-compat/port-linux.c
  #include "log.h"
  #include "xmalloc.h"
  #include "port-linux.h"
-@@ -58,7 +64,7 @@
+@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
  
  /* Return the default security context for the given username */
  static security_context_t
@@ -265,7 +290,7 @@ Index: b/openbsd-compat/port-linux.c
  {
         security_context_t sc = NULL;
         char *sename = NULL, *lvl = NULL;
-@@ -73,9 +79,16 @@
+@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
  #endif
  
  #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -284,7 +309,7 @@ Index: b/openbsd-compat/port-linux.c
  #endif
  
         if (r != 0) {
-@@ -105,7 +118,7 @@
+@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
  
  /* Set the execution context to the default for the specified user */
  void
@@ -293,7 +318,7 @@ Index: b/openbsd-compat/port-linux.c
  {
         security_context_t user_ctx = NULL;
  
-@@ -114,7 +127,7 @@
+@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
  
         debug3("%s: setting execution context", __func__);
  
@@ -302,7 +327,7 @@ Index: b/openbsd-compat/port-linux.c
         if (setexeccon(user_ctx) != 0) {
                 switch (security_getenforce()) {
                 case -1:
-@@ -136,7 +149,7 @@
+@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
  
  /* Set the TTY context for the specified user */
  void
@@ -311,7 +336,7 @@ Index: b/openbsd-compat/port-linux.c
  {
         security_context_t new_tty_ctx = NULL;
         security_context_t user_ctx = NULL;
-@@ -147,7 +160,7 @@
+@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
  
         debug3("%s: setting TTY context on %s", __func__, tty);
  
@@ -320,8 +345,8 @@ Index: b/openbsd-compat/port-linux.c
  
         /* XXX: should these calls fatal() upon failure in enforcing mode? */
  
-Index: b/openbsd-compat/port-linux.h
-===================================================================
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index e3d1004..80ce13a 100644
 --- a/openbsd-compat/port-linux.h
 +++ b/openbsd-compat/port-linux.h
 @@ -21,8 +21,8 @@
@@ -335,11 +360,11 @@ Index: b/openbsd-compat/port-linux.h
  void ssh_selinux_change_context(const char *);
  void ssh_selinux_setfscreatecon(const char *);
  #endif
-Index: b/platform.c
-===================================================================
+diff --git a/platform.c b/platform.c
+index 3262b24..a962f15 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -134,7 +134,7 @@
+@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw)
   * called if sshd is running as root.
   */
  void
@@ -348,7 +373,7 @@ Index: b/platform.c
  {
  #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
         /*
-@@ -181,7 +181,7 @@
+@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
         }
  #endif /* HAVE_SETPCRED */
  #ifdef WITH_SELINUX
@@ -357,11 +382,11 @@ Index: b/platform.c
  #endif
  }
  
-Index: b/platform.h
-===================================================================
+diff --git a/platform.h b/platform.h
+index 19f6bfd..3188a3d 100644
 --- a/platform.h
 +++ b/platform.h
-@@ -26,7 +26,7 @@
+@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
  void platform_post_fork_child(void);
  int  platform_privileged_uidswap(void);
  void platform_setusercontext(struct passwd *);
@@ -370,11 +395,11 @@ Index: b/platform.h
  char *platform_get_krb5_client(const char *);
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
-Index: b/session.c
-===================================================================
+diff --git a/session.c b/session.c
+index d4b57bd..b4d74d9 100644
 --- a/session.c
 +++ b/session.c
-@@ -1474,7 +1474,7 @@
+@@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid)
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -383,7 +408,7 @@ Index: b/session.c
  {
         char *chroot_path, *tmp;
  
-@@ -1502,7 +1502,7 @@
+@@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw)
                 endgrent();
  #endif
  
@@ -392,7 +417,7 @@ Index: b/session.c
  
                 if (options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1646,7 +1646,7 @@
+@@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command)
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -401,7 +426,7 @@ Index: b/session.c
                 child_close_fds();
                 do_pwchange(s);
                 exit(1);
-@@ -1673,7 +1673,7 @@
+@@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command)
                 /* When PAM is enabled we rely on it to do the nologin check */
                 if (!options.use_pam)
                         do_nologin(pw);
@@ -410,7 +435,7 @@ Index: b/session.c
                 /*
                  * PAM session modules in do_setusercontext may have
                  * generated messages, so if this in an interactive
-@@ -2084,7 +2084,7 @@
+@@ -2084,7 +2084,7 @@ session_pty_req(Session *s)
         tty_parse_modes(s->ttyfd, &n_bytes);
  
         if (!use_privsep)
@@ -419,11 +444,11 @@ Index: b/session.c
  
         /* Set window size from the packet. */
         pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
-Index: b/session.h
-===================================================================
+diff --git a/session.h b/session.h
+index cbb8e3a..cb4f196 100644
 --- a/session.h
 +++ b/session.h
-@@ -76,7 +76,7 @@
+@@ -76,7 +76,7 @@ void   session_pty_cleanup2(Session *);
  Session        *session_new(void);
  Session        *session_by_tty(char *);
  void    session_close(Session *);
@@ -432,11 +457,11 @@ Index: b/session.h
  void    child_set_env(char ***envp, u_int *envsizep, const char *name,
                        const char *value);
  
-Index: b/sshd.c
-===================================================================
+diff --git a/sshd.c b/sshd.c
+index 4eddeb8..e5c9835 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -753,7 +753,7 @@
+@@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
         RAND_seed(rnd, sizeof(rnd));
  
         /* Drop privileges */
@@ -445,11 +470,11 @@ Index: b/sshd.c
  
   skip:
         /* It is safe now to apply the key state */
-Index: b/sshpty.c
-===================================================================
+diff --git a/sshpty.c b/sshpty.c
+index bbbc0fe..8cc26a2 100644
 --- a/sshpty.c
 +++ b/sshpty.c
-@@ -200,7 +200,7 @@
+@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
  }
  
  void
@@ -458,7 +483,7 @@ Index: b/sshpty.c
  {
         struct group *grp;
         gid_t gid;
-@@ -227,7 +227,7 @@
+@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty)
                     strerror(errno));
  
  #ifdef WITH_SELINUX
@@ -467,11 +492,11 @@ Index: b/sshpty.c
  #endif
  
         if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
-Index: b/sshpty.h
-===================================================================
+diff --git a/sshpty.h b/sshpty.h
+index cfa3224..edf2436 100644
 --- a/sshpty.h
 +++ b/sshpty.h
-@@ -24,4 +24,4 @@
+@@ -24,4 +24,4 @@ int    pty_allocate(int *, int *, char *, size_t);
  void    pty_release(const char *);
  void    pty_make_controlling_tty(int *, const char *);
  void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
diff --git a/debian/patches/series b/debian/patches/series
index 4d2080a37..ced2bbd1e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,48 +1,27 @@
-# GSSAPI
 gssapi.patch
-
-# SELinux
 selinux-role.patch
-
-# Key blacklisting
 ssh-vulnkey.patch
-
-# Keepalive handling
 ssh1-keepalive.patch
 keepalive-extensions.patch
-
-# Message adjustments
 syslog-level-silent.patch
 quieter-signals.patch
 helpful-wait-terminate.patch
-
-# ConsoleKit
 consolekit.patch
-
-# Miscellaneous bug fixes
 user-group-modes.patch
 scp-quoting.patch
 shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
-
-# Versioning
 package-versioning.patch
 debian-banner.patch
-
-# File system layout
 authorized-keys-man-symlink.patch
 lintian-symlink-pickiness.patch
-
-# Documentation
 openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
 doc-upstart.patch
 ssh-agent-setgid.patch
-
-# Debian-specific configuration
 no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index a1c6efc8d..8f09b936a 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,16 +1,25 @@
-Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
- There's some debate on the upstream bug about whether POSIX requires this.
- I (Colin Watson) agree with Vincent and think it does.
-Author: Colin Watson <cjwatson@debian.org>
+From b5f3be892e6d7150e7885133228fd03af69a11bc Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:00 +0000
+Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
+
+There's some debate on the upstream bug about whether POSIX requires this.
+I (Colin Watson) agree with Vincent and think it does.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
 Bug-Debian: http://bugs.debian.org/492728
 Last-Update: 2013-09-14
 
-Index: b/sshconnect.c
-===================================================================
+Patch-Name: shell-path.patch
+---
+ sshconnect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 483eb85..91fd59a 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -151,7 +151,7 @@
+@@ -151,7 +151,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
                 /* Execute the proxy command.  Note that we gave up any
                    extra privileges above. */
                 signal(SIGPIPE, SIG_DFL);
@@ -19,7 +28,7 @@ Index: b/sshconnect.c
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1298,7 +1298,7 @@
+@@ -1298,7 +1298,7 @@ ssh_local_cmd(const char *args)
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 3311a797c..febcbc86a 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,13 +1,21 @@
-Description: Support synchronisation with service supervisor using SIGSTOP
-Author: Colin Watson <cjwatson@debian.org>
+From 6fba9b85d3529fd3e1ca03dff3e457f04b3e39dd Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:17 +0000
+Subject: Support synchronisation with service supervisor using SIGSTOP
+
 Forwarded: no
 Last-Update: 2013-09-14
 
-Index: b/sshd.c
-===================================================================
+Patch-Name: sigstop.patch
+---
+ sshd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sshd.c b/sshd.c
+index 6b988fe..72e9eaf 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1914,6 +1914,10 @@
+@@ -1914,6 +1914,10 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 7e909a165..3760e8c14 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,14 +1,22 @@
-Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
-Author: Colin Watson <cjwatson@debian.org>
+From 92a81c0caf44c15d3a07cf1f36470ca05c11ff1e Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:13 +0000
+Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
+
 Bug-Debian: http://bugs.debian.org/711623
 Forwarded: no
 Last-Update: 2013-06-08
 
-Index: b/ssh-agent.1
-===================================================================
+Patch-Name: ssh-agent-setgid.patch
+---
+ ssh-agent.1 | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index bb801c9..d370531 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -182,6 +182,21 @@
+@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
  .Pp
  The agent exits automatically when the command given on the command
  line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 28d144221..b15f251ef 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,17 +1,27 @@
-Description: ssh(1): Refer to ssh-argv0(1)
- Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating
- symlinks to ssh with the name of the host you want to connect to.  Debian
- ships an ssh-argv0 script restoring this feature; this patch refers to its
- manual page from ssh(1).
+From b339802cbe8c304541273029a1c9c3c639725643 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:10 +0000
+Subject: ssh(1): Refer to ssh-argv0(1)
+
+Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
+to ssh with the name of the host you want to connect to.  Debian ships an
+ssh-argv0 script restoring this feature; this patch refers to its manual
+page from ssh(1).
+
 Bug-Debian: http://bugs.debian.org/111341
 Forwarded: not-needed
 Last-Update: 2013-09-14
 
-Index: b/ssh.1
-===================================================================
+Patch-Name: ssh-argv0.patch
+---
+ ssh.1 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ssh.1 b/ssh.1
+index b3c3924..c0cc12f 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1451,6 +1451,7 @@
+@@ -1451,6 +1451,7 @@ if an error occurred.
  .Xr sftp 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index a1e8c20f9..ae262083d 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,20 +1,56 @@
-Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
- In 2008, Debian (and derived distributions such as Ubuntu) shipped an
- OpenSSL package with a flawed random number generator, causing OpenSSH to
- generate only a very limited set of keys which were subject to private half
- precomputation.  To mitigate this, this patch checks key authentications
- against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
- program which can be used to explicitly check keys against that blacklist.
- See CVE-2008-0166.
-Author: Colin Watson <cjwatson@ubuntu.com>
+From 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@ubuntu.com>
+Date: Sun, 9 Feb 2014 16:09:50 +0000
+Subject: Reject vulnerable keys to mitigate Debian OpenSSL flaw
+
+In 2008, Debian (and derived distributions such as Ubuntu) shipped an
+OpenSSL package with a flawed random number generator, causing OpenSSH to
+generate only a very limited set of keys which were subject to private half
+precomputation.  To mitigate this, this patch checks key authentications
+against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
+program which can be used to explicitly check keys against that blacklist.
+See CVE-2008-0166.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
 Last-Update: 2013-09-14
 
-Index: b/Makefile.in
-===================================================================
+Patch-Name: ssh-vulnkey.patch
+---
+ Makefile.in       |  17 ++-
+ auth-rh-rsa.c     |   2 +-
+ auth-rsa.c        |   2 +-
+ auth.c            |  27 +++-
+ auth.h            |   2 +-
+ auth2-hostbased.c |   2 +-
+ auth2-pubkey.c    |   5 +-
+ authfile.c        | 136 +++++++++++++++++++
+ authfile.h        |   2 +
+ pathnames.h       |   7 +
+ readconf.c        |   9 ++
+ readconf.h        |   1 +
+ servconf.c        |  11 +-
+ servconf.h        |   1 +
+ ssh-add.1         |   5 +
+ ssh-add.c         |  10 +-
+ ssh-keygen.1      |   1 +
+ ssh-vulnkey.1     | 242 ++++++++++++++++++++++++++++++++++
+ ssh-vulnkey.c     | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ ssh.1             |   1 +
+ ssh.c             |  18 ++-
+ ssh_config.5      |  17 +++
+ sshconnect2.c     |   4 +-
+ sshd.8            |   1 +
+ sshd.c            |   5 +
+ sshd_config.5     |  14 ++
+ 26 files changed, 913 insertions(+), 15 deletions(-)
+ create mode 100644 ssh-vulnkey.1
+ create mode 100644 ssh-vulnkey.c
+
+diff --git a/Makefile.in b/Makefile.in
+index f979926..b8f5099 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -26,6 +26,7 @@
+@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -22,7 +58,7 @@ Index: b/Makefile.in
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -37,7 +38,8 @@
+@@ -37,7 +38,8 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
         -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
         -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
         -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
@@ -32,7 +68,7 @@ Index: b/Makefile.in
  
  CC=@CC@
  LD=@LD@
-@@ -61,7 +63,7 @@
+@@ -61,7 +63,7 @@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
  EXEEXT=@EXEEXT@
  MANFMT=@MANFMT@
  
@@ -41,7 +77,7 @@ Index: b/Makefile.in
  
  LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         canohost.o channels.o cipher.o cipher-aes.o \
-@@ -96,8 +98,8 @@
+@@ -96,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
         sandbox-seccomp-filter.o
  
@@ -52,7 +88,7 @@ Index: b/Makefile.in
  MANTYPE                = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -176,6 +178,9 @@
+@@ -176,6 +178,9 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
         $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
  
@@ -62,7 +98,7 @@ Index: b/Makefile.in
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
         $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -272,6 +277,7 @@
+@@ -272,6 +277,7 @@ install-files:
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +106,7 @@ Index: b/Makefile.in
         $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
         $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
         $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -286,6 +292,7 @@
+@@ -286,6 +292,7 @@ install-files:
         $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
         $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +114,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/slogin
         ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -367,6 +374,7 @@
+@@ -367,6 +374,7 @@ uninstall:
         -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +122,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
         -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -379,6 +387,7 @@
+@@ -379,6 +387,7 @@ uninstall:
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -94,11 +130,11 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-Index: b/auth-rh-rsa.c
-===================================================================
+diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
+index b21a0f4..891ec32 100644
 --- a/auth-rh-rsa.c
 +++ b/auth-rh-rsa.c
-@@ -44,7 +44,7 @@
+@@ -44,7 +44,7 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
  {
         HostStatus host_status;
  
@@ -107,11 +143,11 @@ Index: b/auth-rh-rsa.c
                 return 0;
  
         /* Check if we would accept it using rhosts authentication. */
-Index: b/auth-rsa.c
-===================================================================
+diff --git a/auth-rsa.c b/auth-rsa.c
+index 545aa49..6ed152c 100644
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -237,7 +237,7 @@
+@@ -237,7 +237,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
                 free(fp);
  
                 /* Never accept a revoked key */
@@ -120,8 +156,8 @@ Index: b/auth-rsa.c
                         break;
  
                 /* We have found the desired key. */
-Index: b/auth.c
-===================================================================
+diff --git a/auth.c b/auth.c
+index 9a36f1d..6662e9a 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -59,6 +59,7 @@
@@ -132,7 +168,7 @@ Index: b/auth.c
  #include "auth.h"
  #include "auth-options.h"
  #include "canohost.h"
-@@ -657,10 +658,34 @@
+@@ -657,10 +658,34 @@ getpwnamallow(const char *user)
  
  /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
  int
@@ -168,11 +204,11 @@ Index: b/auth.c
         if (options.revoked_keys_file == NULL)
                 return 0;
         switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
-Index: b/auth.h
-===================================================================
+diff --git a/auth.h b/auth.h
+index 5b6824f..ec95460 100644
 --- a/auth.h
 +++ b/auth.h
-@@ -191,7 +191,7 @@
+@@ -191,7 +191,7 @@ char        *authorized_principals_file(struct passwd *);
  
  FILE   *auth_openkeyfile(const char *, struct passwd *, int);
  FILE   *auth_openprincipals(const char *, struct passwd *, int);
@@ -181,11 +217,11 @@ Index: b/auth.h
  
  HostStatus
  check_key_in_hostfiles(struct passwd *, Key *, const char *,
-Index: b/auth2-hostbased.c
-===================================================================
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index a344dcc..3a17f1b 100644
 --- a/auth2-hostbased.c
 +++ b/auth2-hostbased.c
-@@ -150,7 +150,7 @@
+@@ -150,7 +150,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
         int len;
         char *fp;
  
@@ -194,11 +230,11 @@ Index: b/auth2-hostbased.c
                 return 0;
  
         resolvedname = get_canonical_hostname(options.use_dns);
-Index: b/auth2-pubkey.c
-===================================================================
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 2b3ecb1..12eb8a6 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -647,9 +647,10 @@
+@@ -647,9 +647,10 @@ user_key_allowed(struct passwd *pw, Key *key)
         u_int success, i;
         char *file;
  
@@ -211,8 +247,8 @@ Index: b/auth2-pubkey.c
                 return 0;
  
         success = user_cert_trusted_ca(pw, key);
-Index: b/authfile.c
-===================================================================
+diff --git a/authfile.c b/authfile.c
+index 63ae16b..9833591 100644
 --- a/authfile.c
 +++ b/authfile.c
 @@ -68,6 +68,7 @@
@@ -223,7 +259,7 @@ Index: b/authfile.c
  
  #define MAX_KEY_FILE_SIZE      (1024 * 1024)
  
-@@ -944,3 +945,138 @@
+@@ -944,3 +945,138 @@ key_in_file(Key *key, const char *filename, int strict_type)
         return ret;
  }
  
@@ -362,19 +398,19 @@ Index: b/authfile.c
 +       key_free(public);
 +       return ret;
 +}
-Index: b/authfile.h
-===================================================================
+diff --git a/authfile.h b/authfile.h
+index 78349be..3f2bdcb 100644
 --- a/authfile.h
 +++ b/authfile.h
-@@ -28,4 +28,6 @@
+@@ -28,4 +28,6 @@ Key   *key_load_private_pem(int, int, const char *, char **);
  int     key_perm_ok(int, const char *);
  int     key_in_file(Key *, const char *, int);
  
 +int     blacklisted_key(Key *key, char **fp);
 +
  #endif
-Index: b/pathnames.h
-===================================================================
+diff --git a/pathnames.h b/pathnames.h
+index 5027fba..47f7867 100644
 --- a/pathnames.h
 +++ b/pathnames.h
 @@ -18,6 +18,10 @@
@@ -398,11 +434,11 @@ Index: b/pathnames.h
  #ifndef _PATH_SSH_PROGRAM
  #define _PATH_SSH_PROGRAM              "/usr/bin/ssh"
  #endif
-Index: b/readconf.c
-===================================================================
+diff --git a/readconf.c b/readconf.c
+index 2695fd6..22e5a3a 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -128,6 +128,7 @@
+@@ -128,6 +128,7 @@ typedef enum {
         oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
         oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -410,7 +446,7 @@ Index: b/readconf.c
         oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-@@ -161,6 +162,7 @@
+@@ -161,6 +162,7 @@ static struct {
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -418,7 +454,7 @@ Index: b/readconf.c
         { "rsaauthentication", oRSAAuthentication },
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -523,6 +525,10 @@
+@@ -523,6 +525,10 @@ parse_flag:
                 intptr = &options->challenge_response_authentication;
                 goto parse_flag;
  
@@ -429,7 +465,7 @@ Index: b/readconf.c
         case oGssAuthentication:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
-@@ -1210,6 +1216,7 @@
+@@ -1210,6 +1216,7 @@ initialize_options(Options * options)
         options->kbd_interactive_devices = NULL;
         options->rhosts_rsa_authentication = -1;
         options->hostbased_authentication = -1;
@@ -437,7 +473,7 @@ Index: b/readconf.c
         options->batch_mode = -1;
         options->check_host_ip = -1;
         options->strict_host_key_checking = -1;
-@@ -1320,6 +1327,8 @@
+@@ -1320,6 +1327,8 @@ fill_default_options(Options * options)
                 options->rhosts_rsa_authentication = 0;
         if (options->hostbased_authentication == -1)
                 options->hostbased_authentication = 0;
@@ -446,11 +482,11 @@ Index: b/readconf.c
         if (options->batch_mode == -1)
                 options->batch_mode = 0;
         if (options->check_host_ip == -1)
-Index: b/readconf.h
-===================================================================
+diff --git a/readconf.h b/readconf.h
+index 675b35d..a508151 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -59,6 +59,7 @@
+@@ -59,6 +59,7 @@ typedef struct {
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
         char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
         int     zero_knowledge_password_authentication; /* Try jpake */
@@ -458,11 +494,11 @@ Index: b/readconf.h
         int     batch_mode;     /* Batch mode: do not ask for passwords. */
         int     check_host_ip;  /* Also keep track of keys for IP address */
         int     strict_host_key_checking;       /* Strict host key checking. */
-Index: b/servconf.c
-===================================================================
+diff --git a/servconf.c b/servconf.c
+index c938ae3..9155a8b 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -114,6 +114,7 @@
+@@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options)
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -470,7 +506,7 @@ Index: b/servconf.c
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
         options->use_login = -1;
-@@ -257,6 +258,8 @@
+@@ -257,6 +258,8 @@ fill_default_server_options(ServerOptions *options)
                 options->kbd_interactive_authentication = 0;
         if (options->challenge_response_authentication == -1)
                 options->challenge_response_authentication = 1;
@@ -479,7 +515,7 @@ Index: b/servconf.c
         if (options->permit_empty_passwd == -1)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1)
-@@ -338,7 +341,7 @@
+@@ -338,7 +341,7 @@ typedef enum {
         sListenAddress, sAddressFamily,
         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +524,7 @@ Index: b/servconf.c
         sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
         sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -451,6 +454,7 @@
+@@ -451,6 +454,7 @@ static struct {
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +532,7 @@ Index: b/servconf.c
         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
         { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1158,6 +1162,10 @@
+@@ -1158,6 +1162,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->tcp_keep_alive;
                 goto parse_flag;
  
@@ -507,7 +543,7 @@ Index: b/servconf.c
         case sEmptyPasswd:
                 intptr = &options->permit_empty_passwd;
                 goto parse_flag;
-@@ -2036,6 +2044,7 @@
+@@ -2036,6 +2044,7 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
         dump_cfg_fmtint(sStrictModes, o->strict_modes);
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -515,11 +551,11 @@ Index: b/servconf.c
         dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
         dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
         dump_cfg_fmtint(sUseLogin, o->use_login);
-Index: b/servconf.h
-===================================================================
+diff --git a/servconf.h b/servconf.h
+index ab6e346..f655c5b 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -121,6 +121,7 @@
+@@ -121,6 +121,7 @@ typedef struct {
         int     challenge_response_authentication;
         int     zero_knowledge_password_authentication;
                                         /* If true, permit jpake auth */
@@ -527,11 +563,11 @@ Index: b/servconf.h
         int     permit_empty_passwd;    /* If false, do not permit empty
                                          * passwords. */
         int     permit_user_env;        /* If true, read ~/.ssh/environment */
-Index: b/ssh-add.1
-===================================================================
+diff --git a/ssh-add.1 b/ssh-add.1
+index 44846b6..d394b26 100644
 --- a/ssh-add.1
 +++ b/ssh-add.1
-@@ -81,6 +81,10 @@
+@@ -81,6 +81,10 @@ environment variable must contain the name of its socket for
  .Nm
  to work.
  .Pp
@@ -542,7 +578,7 @@ Index: b/ssh-add.1
  The options are as follows:
  .Bl -tag -width Ds
  .It Fl c
-@@ -186,6 +190,7 @@
+@@ -186,6 +190,7 @@ is unable to contact the authentication agent.
  .Xr ssh 1 ,
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
@@ -550,11 +586,11 @@ Index: b/ssh-add.1
  .Xr sshd 8
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free
-Index: b/ssh-add.c
-===================================================================
+diff --git a/ssh-add.c b/ssh-add.c
+index 5e8166f..b309582 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -167,7 +167,7 @@
+@@ -167,7 +167,7 @@ static int
  add_file(AuthenticationConnection *ac, const char *filename, int key_only)
  {
         Key *private, *cert;
@@ -563,7 +599,7 @@ Index: b/ssh-add.c
         char msg[1024], *certpath = NULL;
         int fd, perms_ok, ret = -1;
         Buffer keyblob;
-@@ -243,6 +243,14 @@
+@@ -243,6 +243,14 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
         } else {
                 fprintf(stderr, "Could not add identity: %s\n", filename);
         }
@@ -578,11 +614,11 @@ Index: b/ssh-add.c
  
         /* Skip trying to load the cert if requested */
         if (key_only)
-Index: b/ssh-keygen.1
-===================================================================
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index 0d55854..144be7d 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -809,6 +809,7 @@
+@@ -809,6 +809,7 @@ The file format is described in
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
@@ -590,8 +626,9 @@ Index: b/ssh-keygen.1
  .Xr moduli 5 ,
  .Xr sshd 8
  .Rs
-Index: b/ssh-vulnkey.1
-===================================================================
+diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
+new file mode 100644
+index 0000000..bcb9d31
 --- /dev/null
 +++ b/ssh-vulnkey.1
 @@ -0,0 +1,242 @@
@@ -837,8 +874,9 @@ Index: b/ssh-vulnkey.1
 +of processing
 +.Xr ssh-keyscan 1
 +output.
-Index: b/ssh-vulnkey.c
-===================================================================
+diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
+new file mode 100644
+index 0000000..ca1a5be
 --- /dev/null
 +++ b/ssh-vulnkey.c
 @@ -0,0 +1,386 @@
@@ -1228,11 +1266,11 @@ Index: b/ssh-vulnkey.c
 +
 +       return ret;
 +}
-Index: b/ssh.1
-===================================================================
+diff --git a/ssh.1 b/ssh.1
+index 62292cc..66a7007 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1447,6 +1447,7 @@
+@@ -1447,6 +1447,7 @@ if an error occurred.
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1240,11 +1278,11 @@ Index: b/ssh.1
  .Xr tun 4 ,
  .Xr hosts.equiv 5 ,
  .Xr ssh_config 5 ,
-Index: b/ssh.c
-===================================================================
+diff --git a/ssh.c b/ssh.c
+index 87233bc..567248d 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1525,7 +1525,7 @@
+@@ -1525,7 +1525,7 @@ ssh_session2(void)
  static void
  load_public_identity_files(void)
  {
@@ -1253,7 +1291,7 @@ Index: b/ssh.c
         char *pwdir = NULL, *pwname = NULL;
         int i = 0;
         Key *public;
-@@ -1583,6 +1583,22 @@
+@@ -1583,6 +1583,22 @@ load_public_identity_files(void)
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
@@ -1276,11 +1314,11 @@ Index: b/ssh.c
                 free(options.identity_files[i]);
                 identity_files[n_ids] = filename;
                 identity_keys[n_ids] = public;
-Index: b/ssh_config.5
-===================================================================
+diff --git a/ssh_config.5 b/ssh_config.5
+index e72919a..8d806c7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1229,6 +1229,23 @@
+@@ -1229,6 +1229,23 @@ is not specified, it defaults to
  .Dq any .
  The default is
  .Dq any:any .
@@ -1304,11 +1342,11 @@ Index: b/ssh_config.5
  .It Cm UsePrivilegedPort
  Specifies whether to use a privileged port for outgoing connections.
  The argument must be
-Index: b/sshconnect2.c
-===================================================================
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 0b13530..93818c9 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1491,6 +1491,8 @@
+@@ -1491,6 +1491,8 @@ pubkey_prepare(Authctxt *authctxt)
  
         /* list of keys stored in the filesystem and PKCS#11 */
         for (i = 0; i < options.num_identity_files; i++) {
@@ -1317,7 +1355,7 @@ Index: b/sshconnect2.c
                 key = options.identity_keys[i];
                 if (key && key->type == KEY_RSA1)
                         continue;
-@@ -1608,7 +1610,7 @@
+@@ -1608,7 +1610,7 @@ userauth_pubkey(Authctxt *authctxt)
                         debug("Offering %s public key: %s", key_type(id->key),
                             id->filename);
                         sent = send_pubkey_test(authctxt, id);
@@ -1326,11 +1364,11 @@ Index: b/sshconnect2.c
                         debug("Trying private key: %s", id->filename);
                         id->key = load_identity_file(id->filename,
                             id->userprovided);
-Index: b/sshd.8
-===================================================================
+diff --git a/sshd.8 b/sshd.8
+index b0c7ab6..a604429 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -954,6 +954,7 @@
+@@ -954,6 +954,7 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1338,11 +1376,11 @@ Index: b/sshd.8
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
  .Xr login.conf 5 ,
-Index: b/sshd.c
-===================================================================
+diff --git a/sshd.c b/sshd.c
+index e5c9835..fbe3284 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1688,6 +1688,11 @@
+@@ -1688,6 +1688,11 @@ main(int ac, char **av)
                         sensitive_data.host_pubkeys[i] = NULL;
                         continue;
                 }
@@ -1354,11 +1392,11 @@ Index: b/sshd.c
  
                 switch (keytype) {
                 case KEY_RSA1:
-Index: b/sshd_config.5
-===================================================================
+diff --git a/sshd_config.5 b/sshd_config.5
+index 525d9c8..18ec81f 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -885,6 +885,20 @@
+@@ -885,6 +885,20 @@ are refused if the number of unauthenticated connections reaches
  Specifies whether password authentication is allowed.
  The default is
  .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index de61e1dd9..e563bda7c 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,13 +1,22 @@
-Description: Partial server keep-alive implementation for SSH1
-Author: Colin Watson <cjwatson@debian.org>
+From 4c7ed5c80e5f67277620ac973317cc516b67d0e7 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:09:51 +0000
+Subject: Partial server keep-alive implementation for SSH1
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
 Last-Update: 2013-09-14
 
-Index: b/clientloop.c
-===================================================================
+Patch-Name: ssh1-keepalive.patch
+---
+ clientloop.c | 25 +++++++++++++++----------
+ ssh_config.5 |  5 ++++-
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 311dc13..dc76d69 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -563,16 +563,21 @@
+@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
  static void
  server_alive_check(void)
  {
@@ -38,7 +47,7 @@ Index: b/clientloop.c
  }
  
  /*
-@@ -634,7 +639,7 @@
+@@ -634,7 +639,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
          */
  
         timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -47,11 +56,11 @@ Index: b/clientloop.c
                 timeout_secs = options.server_alive_interval;
                 server_alive_time = now + options.server_alive_interval;
         }
-Index: b/ssh_config.5
-===================================================================
+diff --git a/ssh_config.5 b/ssh_config.5
+index 8d806c7..89b25cd 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1130,7 +1130,10 @@
+@@ -1130,7 +1130,10 @@ If, for example,
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index f8be76c89..a1eaa7513 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,20 +1,30 @@
-Description: "LogLevel SILENT" compatibility
- "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
- match the behaviour of non-free SSH, in which -q does not suppress fatal
- errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
- complained, so we've dropped most of it.  The parts that remain are basic
- configuration file compatibility, and an adjustment to "Pseudo-terminal
- will not be allocated ..." which should be split out into a separate patch.
-Author: Jonathan David Amery <jdamery@ysolde.ucam.org>
+From bbddcd71a027a33919f859f35dae800335a2de6a Mon Sep 17 00:00:00 2001
+From: Jonathan David Amery <jdamery@ysolde.ucam.org>
+Date: Sun, 9 Feb 2014 16:09:54 +0000
+Subject: "LogLevel SILENT" compatibility
+
+"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
+match the behaviour of non-free SSH, in which -q does not suppress fatal
+errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
+complained, so we've dropped most of it.  The parts that remain are basic
+configuration file compatibility, and an adjustment to "Pseudo-terminal will
+not be allocated ..." which should be split out into a separate patch.
+
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
 Last-Update: 2013-09-14
 
-Index: b/log.c
-===================================================================
+Patch-Name: syslog-level-silent.patch
+---
+ log.c | 1 +
+ ssh.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/log.c b/log.c
+index 32e1d2e..53e7b65 100644
 --- a/log.c
 +++ b/log.c
-@@ -94,6 +94,7 @@
+@@ -94,6 +94,7 @@ static struct {
         LogLevel val;
  } log_levels[] =
  {
@@ -22,11 +32,11 @@ Index: b/log.c
         { "QUIET",      SYSLOG_LEVEL_QUIET },
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
-Index: b/ssh.c
-===================================================================
+diff --git a/ssh.c b/ssh.c
+index 567248d..219a466 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -740,7 +740,7 @@
+@@ -740,7 +740,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index ac00edac6..9382d5086 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,70 +1,61 @@
-Description: Allow harmless group-writability
- Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
- group-writable, provided that the group in question contains only the
- file's owner.  Rejected upstream for IMO incorrect reasons (e.g. a
- misunderstanding about the contents of gr->gr_mem).  Given that
- per-user groups and umask 002 are the default setup in Debian (for good
- reasons - this makes operating in setgid directories with other groups
- much easier), we need to permit this by default.
-Author: Colin Watson <cjwatson@debian.org>
+From 7016a7e8a6b854833132db253fd5e392984bd4ea Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:09:58 +0000
+Subject: Allow harmless group-writability
+
+Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
+group-writable, provided that the group in question contains only the file's
+owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
+about the contents of gr->gr_mem).  Given that per-user groups and umask 002
+are the default setup in Debian (for good reasons - this makes operating in
+setgid directories with other groups much easier), we need to permit this by
+default.
+
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
 Last-Update: 2013-09-14
 
-Index: b/readconf.c
-===================================================================
---- a/readconf.c
-+++ b/readconf.c
-@@ -30,6 +30,8 @@
- #include <stdio.h>
- #include <string.h>
- #include <unistd.h>
-+#include <pwd.h>
-+#include <grp.h>
- #ifdef HAVE_UTIL_H
- #include <util.h>
- #endif
-@@ -1160,8 +1162,7 @@
- 
-                if (fstat(fileno(f), &sb) == -1)
-                        fatal("fstat %s: %s", filename, strerror(errno));
--               if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
--                   (sb.st_mode & 022) != 0))
-+               if (!secure_permissions(&sb, getuid()))
-                        fatal("Bad owner or permissions on %s", filename);
+Patch-Name: user-group-modes.patch
+---
+ auth-rhosts.c |  6 ++----
+ auth.c        |  9 +++-----
+ misc.c        | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h        |  2 ++
+ platform.c    | 16 --------------
+ readconf.c    |  5 +++--
+ ssh.1         |  2 ++
+ ssh_config.5  |  2 ++
+ 8 files changed, 82 insertions(+), 29 deletions(-)
+
+diff --git a/auth-rhosts.c b/auth-rhosts.c
+index 06ae7f0..f202787 100644
+--- a/auth-rhosts.c
++++ b/auth-rhosts.c
+@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
+                return 0;
         }
- 
-Index: b/ssh.1
-===================================================================
---- a/ssh.1
-+++ b/ssh.1
-@@ -1338,6 +1338,8 @@
- .Xr ssh_config 5 .
- Because of the potential for abuse, this file must have strict permissions:
- read/write for the user, and not writable by others.
-+It may be group-writable provided that the group in question contains only
-+the user.
- .Pp
- .It Pa ~/.ssh/environment
- Contains additional definitions for environment variables; see
-Index: b/ssh_config.5
-===================================================================
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -1382,6 +1382,8 @@
- This file is used by the SSH client.
- Because of the potential for abuse, this file must have strict permissions:
- read/write for the user, and not accessible by others.
-+It may be group-writable provided that the group in question contains only
-+the user.
- .It Pa /etc/ssh/ssh_config
- Systemwide configuration file.
- This file provides defaults for those
-Index: b/auth.c
-===================================================================
+        if (options.strict_modes &&
+-           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+-           (st.st_mode & 022) != 0)) {
++           !secure_permissions(&st, pw->pw_uid)) {
+                logit("Rhosts authentication refused for %.100s: "
+                    "bad ownership or modes for home directory.", pw->pw_name);
+                auth_debug_add("Rhosts authentication refused for %.100s: "
+@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
+                 * allowing access to their account by anyone.
+                 */
+                if (options.strict_modes &&
+-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+-                   (st.st_mode & 022) != 0)) {
++                   !secure_permissions(&st, pw->pw_uid)) {
+                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+                            pw->pw_name, buf);
+                        auth_debug_add("Bad file modes for %.200s", buf);
+diff --git a/auth.c b/auth.c
+index 6662e9a..7f6c6c8 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -408,8 +408,7 @@
+@@ -408,8 +408,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +65,7 @@ Index: b/auth.c
                         logit("Authentication refused for %.100s: "
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
-@@ -471,8 +470,7 @@
+@@ -471,8 +470,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 snprintf(err, errlen, "%s is not a regular file", buf);
                 return -1;
         }
@@ -84,7 +75,7 @@ Index: b/auth.c
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -487,8 +485,7 @@
+@@ -487,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||
@@ -94,8 +85,8 @@ Index: b/auth.c
                         snprintf(err, errlen,
                             "bad ownership or modes for directory %s", buf);
                         return -1;
-Index: b/misc.c
-===================================================================
+diff --git a/misc.c b/misc.c
+index c3c8099..eb57bfc 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -48,8 +48,9 @@
@@ -117,7 +108,7 @@ Index: b/misc.c
  
  /* remove newline at end of string */
  char *
-@@ -642,6 +644,71 @@
+@@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
         return -1;
  }
  
@@ -189,46 +180,22 @@ Index: b/misc.c
  int
  tun_open(int tun, int mode)
  {
-Index: b/misc.h
-===================================================================
+diff --git a/misc.h b/misc.h
+index fceb306..51ba182 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -104,4 +104,6 @@
+@@ -104,4 +104,6 @@ char        *read_passphrase(const char *, int);
  int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
  
 +int     secure_permissions(struct stat *st, uid_t uid);
 +
  #endif /* _MISC_H */
-Index: b/auth-rhosts.c
-===================================================================
---- a/auth-rhosts.c
-+++ b/auth-rhosts.c
-@@ -256,8 +256,7 @@
-                return 0;
-        }
-        if (options.strict_modes &&
--           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
--           (st.st_mode & 022) != 0)) {
-+           !secure_permissions(&st, pw->pw_uid)) {
-                logit("Rhosts authentication refused for %.100s: "
-                    "bad ownership or modes for home directory.", pw->pw_name);
-                auth_debug_add("Rhosts authentication refused for %.100s: "
-@@ -283,8 +282,7 @@
-                 * allowing access to their account by anyone.
-                 */
-                if (options.strict_modes &&
--                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
--                   (st.st_mode & 022) != 0)) {
-+                   !secure_permissions(&st, pw->pw_uid)) {
-                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-                            pw->pw_name, buf);
-                        auth_debug_add("Bad file modes for %.200s", buf);
-Index: b/platform.c
-===================================================================
+diff --git a/platform.c b/platform.c
+index a962f15..0b3bee1 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -194,19 +194,3 @@
+@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name)
         return NULL;
  #endif
  }
@@ -248,3 +215,52 @@ Index: b/platform.c
 -#endif
 -       return 0;
 -}
+diff --git a/readconf.c b/readconf.c
+index 2dcbf31..389de7d 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -30,6 +30,8 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <pwd.h>
++#include <grp.h>
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
+@@ -1160,8 +1162,7 @@ read_config_file(const char *filename, const char *host, Options *options,
+ 
+                if (fstat(fileno(f), &sb) == -1)
+                        fatal("fstat %s: %s", filename, strerror(errno));
+-               if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+-                   (sb.st_mode & 022) != 0))
++               if (!secure_permissions(&sb, getuid()))
+                        fatal("Bad owner or permissions on %s", filename);
+        }
+ 
+diff --git a/ssh.1 b/ssh.1
+index 66a7007..0b38ae1 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -1338,6 +1338,8 @@ The file format and configuration options are described in
+ .Xr ssh_config 5 .
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not writable by others.
++It may be group-writable provided that the group in question contains only
++the user.
+ .Pp
+ .It Pa ~/.ssh/environment
+ Contains additional definitions for environment variables; see
+diff --git a/ssh_config.5 b/ssh_config.5
+index 135d833..1497cfc 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1382,6 +1382,8 @@ The format of this file is described above.
+ This file is used by the SSH client.
+ Because of the potential for abuse, this file must have strict permissions:
+ read/write for the user, and not accessible by others.
++It may be group-writable provided that the group in question contains only
++the user.
+ .It Pa /etc/ssh/ssh_config
+ Systemwide configuration file.
+ This file provides defaults for those
diff --git a/debian/rules b/debian/rules
index d53bafa4c..1b1e2d456 100755
--- a/debian/rules
+++ b/debian/rules
@@ -215,14 +215,3 @@ debian/faq.html:
         wget -O - http://www.openssh.org/faq.html | \
                 sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \
                 > debian/faq.html
-
-# You only need to run this immediately after checking out the package from
-# revision control.
-quilt-setup:
-        [ ! -d .pc ]
-        set -e; for patch in $$(quilt series | tac); do \
-                patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \
-        done
-        quilt push -a
-
-.PHONY: quilt-setup