32 files changed, 78 insertions, 87 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index c71386717..b6e38a18d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1f715c783abc11e805d9fd8af4847c3514fcb296
-1f715c783abc11e805d9fd8af4847c3514fcb296
+31cc76b587fe2305eab8f7788c5dc6c876aff60e
+31cc76b587fe2305eab8f7788c5dc6c876aff60e
 651211fd4a199b299540c00c54a46e27fadb04be
 651211fd4a199b299540c00c54a46e27fadb04be
 openssh_7.1p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index e8be5c12b..e93229b6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ openssh (1:7.1p1-6) UNRELEASED; urgency=medium
     debian/tests/control.
   * Allow authenticating as root using gssapi-keyex even with
     "PermitRootLogin prohibit-password" (closes: #809695).
+  * Shuffle PROPOSAL_KEX_ALGS mangling for GSSAPI key exchange a little
+    later in ssh_kex2 so that it's actually effective (closes: #809696).
 
   [ Michael Biebl ]
   * Don't call sd_notify when sshd is re-execed (closes: #809035).
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index bde6dfb45..dc82a6085 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From b7921aa4a2b83b247ca13651d061ab2eaa527f65 Mon Sep 17 00:00:00 2001
+From bede2f8c8a352b57ae5188fe6d3e45c5a57892eb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 8bddf00ce..694b8e584 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From a003be3d6aca1aa78e23da80ae53b35afb0094f1 Mon Sep 17 00:00:00 2001
+From efc61f37910b46ad2ac920aca7eefce909ef2555 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/backport-fix-first-kex-follows.patch b/debian/patches/backport-fix-first-kex-follows.patch
index 928349824..0039a55a6 100644
--- a/debian/patches/backport-fix-first-kex-follows.patch
+++ b/debian/patches/backport-fix-first-kex-follows.patch
@@ -1,4 +1,4 @@
-From 1f715c783abc11e805d9fd8af4847c3514fcb296 Mon Sep 17 00:00:00 2001
+From 31cc76b587fe2305eab8f7788c5dc6c876aff60e Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Tue, 15 Dec 2015 15:25:04 +0000
 Subject: upstream commit
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 07dad44b4..0ca73053b 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 464ae832806fca916694b51c0bc996af1cac7057 Mon Sep 17 00:00:00 2001
+From e35768a64e1ca5a6ad2a5df3ebbe6806ffb8afa2 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index f5e0b51c5..0a2b1c58d 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 382ac29bbd28f2344df323244d9ed6e90306046c Mon Sep 17 00:00:00 2001
+From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 34717b065..16c4d61b9 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 05e44a7f55ca499d7e7f433152e066b256a1bb79 Mon Sep 17 00:00:00 2001
+From c35c5d9e775ad138661f3c4ef797060be53a4bd8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 596c7a5cc..ec2878845 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 6563989dd56d8f4fd80142dd2c56344c374cde82 Mon Sep 17 00:00:00 2001
+From a6edf4df120a78aefe39b44d07c89e13340c9ac8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 645182f38..1f3d7bf08 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 1deb3f4df2dd7e4ea2e19c65a285b0e9e075551f Mon Sep 17 00:00:00 2001
+From 5e6ecf32f56fa0c7d102239b74ae09bd4186c5a3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index b7e8075f0..4fce0733d 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 076e887b9a9804b03bc4915bf7044bbbc46553b6 Mon Sep 17 00:00:00 2001
+From a9bfb2fba2b1ec9ebeca20550cbccf2499d42461 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 2c8d04268..8c96afbb0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From d6cfd64ea0a567d88152270a94be6bb2a78daeb9 Mon Sep 17 00:00:00 2001
+From 48424483cbf2232ba849038e02675b2db1ea3a88 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -48,13 +48,13 @@ Patch-Name: gssapi.patch
  ssh-gss.h        |  41 ++++++-
  ssh_config       |   2 +
  ssh_config.5     |  36 +++++-
- sshconnect2.c    | 124 +++++++++++++++++++-
+ sshconnect2.c    | 120 +++++++++++++++++++-
  sshd.c           | 110 ++++++++++++++++++
  sshd_config      |   2 +
  sshd_config.5    |  11 ++
  sshkey.c         |   3 +-
  sshkey.h         |   1 +
- 33 files changed, 1959 insertions(+), 47 deletions(-)
+ 33 files changed, 1955 insertions(+), 47 deletions(-)
  create mode 100644 ChangeLog.gssapi
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
@@ -2606,10 +2606,10 @@ index a47f3ca..cac8cda 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 7751031..e2ea826 100644
+index 7751031..32e9b0d 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -160,6 +160,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         struct kex *kex;
         int r;
  
@@ -2621,9 +2621,13 @@ index 7751031..e2ea826 100644
         xxx_host = host;
         xxx_hostaddr = hostaddr;
  
+@@ -193,6 +198,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+                    order_hostkeyalgs(host, hostaddr, port));
+        }
+ 
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
-+               /* Add the GSSAPI mechanisms currently supported on this 
++               /* Add the GSSAPI mechanisms currently supported on this
 +                * client to the key exchange algorithm proposal */
 +               orig = myproposal[PROPOSAL_KEX_ALGS];
 +
@@ -2637,32 +2641,21 @@ index 7751031..e2ea826 100644
 +                       debug("Offering GSSAPI proposal: %s", gss);
 +                       xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 +                           "%s,%s", gss, orig);
-+               }
-+       }
-+#endif
 +
-        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-            options.kex_algorithms);
-        myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
-                    order_hostkeyalgs(host, hostaddr, port));
-        }
- 
-+#ifdef GSSAPI
-+       /* If we've got GSSAPI algorithms, then we also support the
-+        * 'null' hostkey, as a last resort */
-+       if (options.gss_keyex && gss) {
-+               orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
-+               xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
-+                   "%s,null", orig);
-+               free(gss);
++                       /* If we've got GSSAPI algorithms, then we also
++                        * support the 'null' hostkey, as a last resort */
++                       orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
++                       xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
++                           "%s,null", orig);
++                       free(gss);
++               }
 +       }
 +#endif
 +
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
-@@ -211,10 +247,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -211,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2693,7 +2686,7 @@ index 7751031..e2ea826 100644
         dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
  
         if (options.use_roaming && !kex->roaming) {
-@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
+@@ -306,6 +358,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
  int    input_gssapi_hash(int type, u_int32_t, void *);
  int    input_gssapi_error(int, u_int32_t, void *);
  int    input_gssapi_errtok(int, u_int32_t, void *);
@@ -2701,7 +2694,7 @@ index 7751031..e2ea826 100644
  #endif
  
  void   userauth(Authctxt *, char *);
-@@ -321,6 +378,11 @@ static char *authmethods_get(void);
+@@ -321,6 +374,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2713,7 +2706,7 @@ index 7751031..e2ea826 100644
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -627,19 +685,31 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -2747,7 +2740,7 @@ index 7751031..e2ea826 100644
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
-@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -736,8 +806,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
@@ -2758,7 +2751,7 @@ index 7751031..e2ea826 100644
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -850,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
         free(lang);
         return 0;
  }
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 9ef03d36d..0dc5bafbf 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 0488e67b6971cf1ee55a27b03d85864b744b69de Mon Sep 17 00:00:00 2001
+From 86d7bcd53809aacc75344386bd8b88bf5fcb2fce Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 629eaf551..bbb3ef86f 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From dd6040ff883e51af62dcbb9594c65b27b925c40b Mon Sep 17 00:00:00 2001
+From 8f53616f872acf853b52e94f5b0668c78bf0cb76 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index a6de6085d..252cd99b8 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 3ed90e9c89cdbbf79ffcb79255bd445a63ee8e5f Mon Sep 17 00:00:00 2001
+From ca06409500b9f4f3a43fa61526a4c0654761e009 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 922d3c341..79c984179 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From ad56699201698bc53a9690d025e0a074f7cf1f72 Mon Sep 17 00:00:00 2001
+From 9f59e8a3ddd28351126a5b26d2dd3d9f24442c09 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 364b789dc..14ec01dbf 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 4469135282e99143eb3dfe5f36eb1441b9bdbc3a Mon Sep 17 00:00:00 2001
+From e5908e70f9a105f725d9884fba1a68bfb3ba664f Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 0bf68265a..4ce6c79e0 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From f9e8c3b7f235170b913337631fc7c1decb69433e Mon Sep 17 00:00:00 2001
+From 70ef4add88e4f6adc7f9f0e9521567dcd80a12e6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 416541846..51e14b07a 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 83ae676c1f711bcdd7cd243d677c7eb6e91d84ac Mon Sep 17 00:00:00 2001
+From 3b79d6bcaf9405b878496c9107855ebe8906a60a Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 2d864b87f..4d9267c19 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 92763d936f746e4ba6aad19c5f35231b4a9df1b2 Mon Sep 17 00:00:00 2001
+From de340b1ef1920a34e8c640a571a88a3f58121c6a Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 283574c0b..0bda03255 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From e1a1a7a55002d4e88c055e495203fea4acc387db Mon Sep 17 00:00:00 2001
+From c538473bc1958b99bb26283752f287df5934045a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index dad148e10..c6568cf1e 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From f28d43071d1416aee81eb058799dfc205e033d18 Mon Sep 17 00:00:00 2001
+From bad235ddc7e9cb8fa83ccefac7640fe456bcf993 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index b74351209..f479c4635 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From f9e312495dd3e453bfd6b3ff5bffd06e8dd90a7f Mon Sep 17 00:00:00 2001
+From 5f583693723b0f56608a9a91e58b248219a668c9 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 5062b7ce1..3a98343cc 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From beb218cfc3afbb5068eb222cf62878a54d3bb06c Mon Sep 17 00:00:00 2001
+From bf28735236933b0a1f011d73d7cbb948e197c4cc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 62c521aef..7db2557a0 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 707e1569fb7f883d9a7ad7a70ce4125581969136 Mon Sep 17 00:00:00 2001
+From bf533d857451efe2f9abc6fb96e1c9c93ff1a7ee Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index f9213042d..11ecc5c42 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 9e9ee52b4c420d334cdd7fc286746feb1df90066 Mon Sep 17 00:00:00 2001
+From 0f29b62fb2529bd6341dae7bea1271f5b967ece0 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index aa2c11cf7..3c22db5cf 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 76d462b84f57126b84ac4275575deda215d3d5a3 Mon Sep 17 00:00:00 2001
+From 11e3509a4baa45a988598b937ea16e6ed3949d44 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 68e22c6f6..59b0983f9 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 1fd91310e580ae1723fc250ce77710f97e37ad15 Mon Sep 17 00:00:00 2001
+From 6b1e8291597ff151b913c470f4af4b04ddec5c7d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 9edb57064..d591c1a70 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 3a9dd9fe28f775dd712d89135ef6fb1e28ff2e5f Mon Sep 17 00:00:00 2001
+From 2b9216f2931cfe880a7ea85750730579f8da4465 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index b23d30034..4914cd6f5 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 2bb85b3c756967d72efbf895a8908858ee4c2441 Mon Sep 17 00:00:00 2001
+From 0aff7ca980bc54be68f7479a016d7779f99cf06e Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 2e1be8dd3..70d5275aa 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 628e08e8a589dff2178a6725d32c5699f11b2405 Mon Sep 17 00:00:00 2001
+From c60b1066b877429b723b351f44efb9e84bc64252 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
diff --git a/sshconnect2.c b/sshconnect2.c
index e2ea82656..32e9b0df2 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -168,26 +168,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         xxx_host = host;
         xxx_hostaddr = hostaddr;
 
-#ifdef GSSAPI
-        if (options.gss_keyex) {
-                /* Add the GSSAPI mechanisms currently supported on this 
-                 * client to the key exchange algorithm proposal */
-                orig = myproposal[PROPOSAL_KEX_ALGS];
-
-                if (options.gss_trust_dns)
-                        gss_host = (char *)get_canonical_hostname(1);
-                else
-                        gss_host = host;
-
-                gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
-                if (gss) {
-                        debug("Offering GSSAPI proposal: %s", gss);
-                        xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
-                            "%s,%s", gss, orig);
-                }
-        }
-#endif
-
         myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
             options.kex_algorithms);
         myproposal[PROPOSAL_ENC_ALGS_CTOS] =
@@ -219,13 +199,29 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         }
 
 #ifdef GSSAPI
-        /* If we've got GSSAPI algorithms, then we also support the
-         * 'null' hostkey, as a last resort */
-        if (options.gss_keyex && gss) {
-                orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
-                xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
-                    "%s,null", orig);
-                free(gss);
+        if (options.gss_keyex) {
+                /* Add the GSSAPI mechanisms currently supported on this
+                 * client to the key exchange algorithm proposal */
+                orig = myproposal[PROPOSAL_KEX_ALGS];
+
+                if (options.gss_trust_dns)
+                        gss_host = (char *)get_canonical_hostname(1);
+                else
+                        gss_host = host;
+
+                gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+                if (gss) {
+                        debug("Offering GSSAPI proposal: %s", gss);
+                        xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+                            "%s,%s", gss, orig);
+
+                        /* If we've got GSSAPI algorithms, then we also
+                         * support the 'null' hostkey, as a last resort */
+                        orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+                        xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+                            "%s,null", orig);
+                        free(gss);
+                }
         }
 #endif