1 files changed, 1779 insertions, 1964 deletions
diff --git a/ChangeLog b/ChangeLog
index f283a8b3f..bcaa38f94 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,1675 @@
-commit 9ca7e9c861775dd6c6312bc8aaab687403d24676
+commit 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29
 Author: Damien Miller <djm@mindrot.org>
-Date:   Wed May 27 10:38:00 2020 +1000
+Date:   Sun Sep 27 17:25:01 2020 +1000
+    update version numbers
+commit 58ca6ab6ff035ed12b5078e3e9c7199fe72c8587
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 27 07:22:05 2020 +0000
+    upstream: openssh 8.4
+    
+    OpenBSD-Commit-ID: a29e5b372d2c00e297da8a35a3b87c9beb3b4a58
+commit 9bb8a303ce05ff13fb421de991b495930be103c3
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Sep 22 10:07:43 2020 +1000
+    sync with upstream ssh-copy-id rev f0da1a1b7
+commit 0a4a5571ada76b1b012bec9cf6ad1203fc19ec8d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 21 07:29:09 2020 +0000
+    upstream: close stdin when forking after authentication too; ok markus
+    
+    OpenBSD-Commit-ID: 43db17e4abc3e6b4a7b033aa8cdab326a7cb6c24
+commit d14fe25e6c3b89f8af17e2894046164ac3b45688
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 20 23:31:46 2020 +0000
+    upstream: close stdout/stderr after "ssh -f ..." forking
+    
+    bz#3137, ok markus
+    
+    OpenBSD-Commit-ID: e2d83cc4dea1665651a7aa924ad1ed6bcaaab3e2
+commit 53a33a0d745179c02108589e1722457ca8ae4372
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Sep 20 15:57:09 2020 +1000
+    .depend
+commit 107eb3eeafcd390e1fa7cc7672a05e994d14013e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Sep 20 05:47:25 2020 +0000
+    upstream: cap channel input buffer size at 16MB; avoids high memory use
+    
+    when peer advertises a large window but is slow to consume the data we send
+    (e.g. because of a slow network)
+    
+    reported by Pierre-Yves David
+    
+    fix with & ok markus@
+    
+    OpenBSD-Commit-ID: 1452771f5e5e768876d3bfe2544e3866d6ade216
+commit acfe2ac5fe033e227ad3a56624fbbe4af8b5da04
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Sep 18 22:02:53 2020 +1000
+    libfido2 1.5.0 is recommended
+commit 52a03e9fca2d74eef953ddd4709250f365ca3975
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Sep 18 08:16:38 2020 +0000
+    upstream: handle multiple messages in a single read()
+    
+    PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+    
+    OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+commit dc098405b2939146e17567a25b08fc6122893cdf
+Author: pedro martelletto <pedro@ambientworks.net>
+Date:   Fri Sep 18 08:57:29 2020 +0200
+    configure.ac: add missing includes
+    
+    when testing, make sure to include the relevant header files that
+    declare the types of the functions used by the test:
+    
+    - stdio.h for printf();
+    - stdlib.h for exit();
+    - string.h for strcmp();
+    - unistd.h for unlink(), _exit(), fork(), getppid(), sleep().
+commit b3855ff053f5078ec3d3c653cdaedefaa5fc362d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Sep 18 05:23:03 2020 +0000
+    upstream: tweak the client hostkey preference ordering algorithm to
+    
+    prefer the default ordering if the user has a key that matches the
+    best-preference default algorithm.
+    
+    feedback and ok markus@
+    
+    OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+commit f93b187ab900c7d12875952cc63350fe4de8a0a8
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Sep 18 14:55:48 2020 +1000
+    control over the colours in gnome-ssh-askpass[23]
+    
+    Optionally set the textarea colours via $GNOME_SSH_ASKPASS_FG_COLOR and
+    $GNOME_SSH_ASKPASS_BG_COLOR. These accept the usual three or six digit
+    hex colours.
+commit 9d3d36bdb10b66abd1af42e8655502487b6ba1fa
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Sep 18 14:50:38 2020 +1000
+    focus improvement for gnome-ssh-askpass[23]
+    
+    When serving a SSH_ASKPASS_PROMPT=none information dialog, ensure
+    then <enter> doesn't immediately close the dialog. Instead, require an
+    explicit <tab> to reach the close button, or <esc>.
+commit d6f507f37e6c75a899db0ef8224e72797c5563b6
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Sep 16 03:07:31 2020 +0000
+    upstream: Remove unused buf, last user was removed when switching
+    
+    to the sshbuf API. Patch from Sebastian Andrzej Siewior.
+    
+    OpenBSD-Commit-ID: 250fa17f0cec01039cc4abd95917d9746e24c889
+commit c3c786c3a0973331ee0922b2c51832a3b8d7f20f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Sep 9 21:57:27 2020 +0000
+    upstream: For the hostkey confirmation message:
+    
+    > Are you sure you want to continue connecting (yes/no/[fingerprint])?
+    
+    compare the fingerprint case sensitively; spotted Patrik Lundin
+    ok dtucker
+    
+    OpenBSD-Commit-ID: 73097afee1b3a5929324e345ba4a4a42347409f2
+commit f2950baf0bafe6aa20dfe2e8d1ca4b23528df617
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Sep 11 14:45:23 2020 +1000
+    New config-build-time dependency on automake.
+commit 600c1c27abd496372bd0cf83d21a1c119dfdf9a5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Sun Sep 6 21:56:36 2020 +1000
+    Add aclocal.m4 and config.h.in~ to .gitignore.
+    
+    aclocal.m4 is now generated by autoreconf.
+commit 4bf7e1d00b1dcd3a6b3239f77465c019e61c6715
+Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date:   Sat Sep 5 17:50:03 2020 +0200
+    Quote the definition of OSSH_CHECK_HEADER_FOR_FIELD
+    
+    autoreconf complains about underquoted definition of
+    OSSH_CHECK_HEADER_FOR_FIELD after aclocal.m4 has been and now is beeing
+    recreated.
+    
+    Quote OSSH_CHECK_HEADER_FOR_FIELD as suggested.
+    
+    Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+commit a2f3ae386b5f7938ed3c565ad71f30c4f7f010f1
+Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date:   Sat Sep 5 17:50:02 2020 +0200
+    Move the local m4 macros
+    
+    The `aclocal' step is skipped during `autoreconf' because aclocal.m4 is
+    present.
+    Move the current aclocal.m4 which contains local macros into the m4/
+    folder. With this change the aclocal.m4 will be re-created during
+    changes to the m4/ macro.
+    This is needed so the `aclocal' can fetch m4 macros from the system if
+    they are references in the configure script. This is a prerequisite to
+    use PKG_CHECK_MODULES.
+    
+    Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+commit 8372bff3a895b84fd78a81dc39da10928b662f5a
+Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date:   Sat Sep 5 17:50:01 2020 +0200
+    Remove HAVE_MMAP and BROKEN_MMAP
+    
+    BROKEN_MMAP is no longer defined since commit
+       1cfd5c06efb12 ("Remove portability support for mmap")
+    
+    this commit also removed other HAVE_MMAP user. I didn't find anything
+    that defines HAVE_MMAP. The check does not trigger because compression
+    on server side is by default COMP_DELAYED (2) so it never triggers.
+    
+    Remove remaining HAVE_MMAP and BROKEN_MMAP bits.
+    
+    Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+commit bbf20ac8065905f9cb9aeb8f1df57fcab52ee2fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Sep 9 03:10:21 2020 +0000
+    upstream: adapt to SSH_SK_VERSION_MAJOR crank
+    
+    OpenBSD-Regress-ID: 0f3e76bdc8f9dbd9d22707c7bdd86051d5112ab8
+commit 9afe2a150893b20bdf9eab764978d817b9a7b783
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Aug 28 03:17:13 2020 +0000
+    upstream: Ensure that address/mask mismatches are flagged at
+    
+    config-check time. ok djm@
+    
+    OpenBSD-Regress-ID: 8f5f4c2c0bf00e6ceae7a1755a444666de0ea5c2
+commit c76773524179cb654ff838dd43ba1ddb155bafaa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Sep 9 03:08:01 2020 +0000
+    upstream: when writing an attestation blob for a FIDO key, record all
+    
+    the data needed to verify the attestation. Previously we were missing the
+    "authenticator data" that is included in the signature.
+    
+    spotted by Ian Haken
+    feedback Pedro Martelletto and Ian Haken; ok markus@
+    
+    OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
+commit c1c44eeecddf093a7983bd91e70b446de789b363
+Author: pedro martelletto <pedro@ambientworks.net>
+Date:   Tue Sep 1 17:01:55 2020 +0200
+    configure.ac: fix libfido2 back-compat
+    
+    - HAVE_FIDO_CRED_PROD -> HAVE_FIDO_CRED_PROT;
+    - check for fido_dev_get_touch_begin(), so that
+      HAVE_FIDO_DEV_GET_TOUCH_BEGIN gets defined.
+commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Aug 31 04:33:17 2020 +0000
+    upstream: refuse to add verify-required (PINful) FIDO keys to
+    
+    ssh-agent until the agent supports them properly
+    
+    OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
+commit 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Aug 31 00:17:41 2020 +0000
+    upstream: Add RCS IDs to the few files that are missing them; from
+    
+    Pedro Martelletto
+    
+    OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
+commit 72730249b38a676da94a1366b54a6e96e6928bcb
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Aug 28 03:15:52 2020 +0000
+    upstream: Check that the addresses supplied to Match Address and
+    
+    Match LocalAddress are valid when parsing in config-test mode.  This will
+    catch address/mask mismatches before they cause problems at runtime. Found by
+    Daniel Stocker, ok djm@
+    
+    OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
+commit 2a3a9822311a565a9df48ed3b6a3c972f462bd7d
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Thu Aug 27 12:34:00 2020 +0000
+    upstream: sentence fix; from pedro martelletto
+    
+    OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575
+commit ce178be0d954b210c958bc2b9e998cd6a7aa73a9
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Aug 27 20:01:52 2020 +1000
+    tweak back-compat for older libfido2
+commit d6f45cdde031acdf434bbb27235a1055621915f4
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 09:46:04 2020 +0000
+    upstream: debug()-print a little info about FIDO-specific key
+    
+    fields via "ssh-keygen -vyf /path/key"
+    
+    OpenBSD-Commit-ID: cf315c4fe77db43947d111b00155165cb6b577cf
+commit b969072cc3d62d05cb41bc6d6f3c22c764ed932f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 09:43:28 2020 +0000
+    upstream: skip a bit more FIDO token selection logic when only a
+    
+    single token is attached.
+    
+    with Pedro Martelletto
+    
+    OpenBSD-Commit-ID: e4a324bd9814227ec1faa8cb619580e661cca9ac
+commit 744df42a129d7d7db26947b7561be32edac89f88
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Thu Aug 27 06:15:22 2020 +0000
+    upstream: tweak previous;
+    
+    OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7
+commit e32479645ce649b444ba5c6e7151304306a09654
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 03:55:22 2020 +0000
+    upstream: adapt to API changes
+    
+    OpenBSD-Regress-ID: 5f147990cb67094fe554333782ab268a572bb2dd
+commit bbcc858ded3fbc46abfa7760e40389e3ca93884c
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Aug 27 12:37:12 2020 +1000
+    degrade semi-gracefully when libfido2 is too old
+commit 9cbbdc12cb6a2ab1e9ffe9974cca91d213c185c2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:15:36 2020 +0000
+    upstream: dummy firmware needs to match API version numner crank (for
+    
+    verify-required resident keys) even though it doesn't implement this feature
+    
+    OpenBSD-Regress-ID: 86579ea2891e18e822e204413d011b2ae0e59657
+commit c1e76c64956b424ba260fd4eec9970e5b5859039
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 02:11:09 2020 +0000
+    upstream: remove unreachable code I forgot to delete in r1.334
+    
+    OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18
+commit 0caff05350bd5fc635674c9e051a0322faba5ae3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:08:45 2020 +0000
+    upstream: Request PIN ahead of time for certain FIDO actions
+    
+    When we know that a particular action will require a PIN, such as
+    downloading resident keys or generating a verify-required key, request
+    the PIN before attempting it.
+    
+    joint work with Pedro Martelletto; ok markus@
+    
+    OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
+commit b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:08:19 2020 +0000
+    upstream: preserve verify-required for resident FIDO keys
+    
+    When downloading a resident, verify-required key from a FIDO token,
+    preserve the verify-required in the private key that is written to
+    disk. Previously we weren't doing that because of lack of support
+    in the middleware API.
+    
+    from Pedro Martelletto; ok markus@ and myself
+    
+    OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
+commit 642e06d0df983fa2af85126cf4b23440bb2985bf
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:07:51 2020 +0000
+    upstream: major rework of FIDO token selection logic
+    
+    When PINs are in use and multiple FIDO tokens are attached to a host, we
+    cannot just blast requests at all attached tokens with the PIN specified
+    as this will cause the per-token PIN failure counter to increment. If
+    this retry counter hits the token's limit (usually 3 attempts), then the
+    token will lock itself and render all (web and SSH) of its keys invalid.
+    We don't want this.
+    
+    So this reworks the key selection logic for the specific case of
+    multiple keys being attached. When multiple keys are attached and the
+    operation requires a PIN, then the user must touch the key that they
+    wish to use first in order to identify it.
+    
+    This may require multiple touches, but only if there are multiple keys
+    attached AND (usually) the operation requires a PIN. The usual case of a
+    single key attached should be unaffected.
+    
+    Work by Pedro Martelletto; ok myself and markus@
+    
+    OpenBSD-Commit-ID: 637d3049ced61b7a9ee796914bbc4843d999a864
+commit 801c9f095e6d8b7b91aefd98f5001c652ea13488
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:07:09 2020 +0000
+    upstream: support for requiring user verified FIDO keys in sshd
+    
+    This adds a "verify-required" authorized_keys flag and a corresponding
+    sshd_config option that tells sshd to require that FIDO keys verify the
+    user identity before completing the signing/authentication attempt.
+    Whether or not user verification was performed is already baked into the
+    signature made on the FIDO token, so this is just plumbing that flag
+    through and adding ways to require it.
+    
+    feedback and ok markus@
+    
+    OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
+commit 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Aug 27 01:06:18 2020 +0000
+    upstream: support for user-verified FIDO keys
+    
+    FIDO2 supports a notion of "user verification" where the user is
+    required to demonstrate their identity to the token before particular
+    operations (e.g. signing). Typically this is done by authenticating
+    themselves using a PIN that has been set on the token.
+    
+    This adds support for generating and using user verified keys where
+    the verification happens via PIN (other options might be added in the
+    future, but none are in common use now). Practically, this adds
+    another key generation option "verify-required" that yields a key that
+    requires a PIN before each authentication.
+    
+    feedback markus@ and Pedro Martelletto; ok markus@
+    
+    OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
+commit 1196d7f49d4fbc90f37e550de3056561613b0960
+Author: cheloha@openbsd.org <cheloha@openbsd.org>
+Date:   Wed Aug 12 01:23:45 2020 +0000
+    upstream: ssh-keyscan(1): simplify conloop() with timercmp(3),
+    
+    timersub(3); ok djm@
+    
+    OpenBSD-Commit-ID: a102acb544f840d33ad73d40088adab4a687fa27
+commit d0a195c89e26766d3eb8f3e4e2a00ebc98b57795
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Aug 11 09:49:57 2020 +0000
+    upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
+    
+    limit for keys in addition to its current flag options. Time-limited keys
+    will automatically be removed from ssh-agent after their expiry time has
+    passed; ok markus@
+    
+    OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
+commit e9c2002891a7b8e66f4140557a982978f372e5a3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Aug 11 09:45:54 2020 +0000
+    upstream: let the "Confirm user presence for key ..." ssh-askpass
+    
+    notification respect $SSH_ASKPASS_REQUIRE; ok markus@
+    
+    OpenBSD-Commit-ID: 7c1a616b348779bda3b9ad46bf592741f8e206c1
+commit eaf8672b1b52db2815a229745f4e4b08681bed6d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 21 00:04:13 2020 +1000
+    Remove check for 'ent' command.
+    
+    It was added in 8d1fd57a9 for measuring entropy of ssh_prng_cmds which
+    has long since been removed and there are no other references to it.
+commit 05c215de8d224e094a872d97d45f37f60c06206b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Aug 17 21:34:32 2020 +1000
+    Wrap stdint.h include in ifdef HAVE_STDINT_H.
+commit eaf2765efe8bc74feba85c34295d067637fc6635
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Aug 10 13:24:09 2020 +1000
+    sync memmem.c with OpenBSD
+commit ed6bef77f5bb5b8f9ca2914478949e29f2f0a780
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 7 17:12:16 2020 +1000
+    Always send any PAM account messages.
+    
+    If the PAM account stack reaturns any messages, send them to the user
+    not just if the check succeeds.  bz#2049, ok djm@
+commit a09e98dcae1e26f026029b7142b0e0d10130056f
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 7 15:37:37 2020 +1000
+    Output test debug logs on failure.
+commit eb122b1eebe58b29a83a507ee814cbcf8aeded1b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 7 15:11:42 2020 +1000
+    Add ability to specify exact test target.
+commit c2ec7a07f8caabb4d8e00c66e7cd46bf2cd1e922
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 7 14:21:15 2020 +1000
+    Document --without-openssl and --without-zlib.
+commit 651bb3a31949bbdc3a78b2ede95a77bce0c72984
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Aug 7 14:15:11 2020 +1000
+    Add without-openssl without-zlib test target.
+commit 9499f2bb01dc1032ae155999b2d7764b9491341f
+Author: Stefan Schindler <dns2utf8@estada.ch>
+Date:   Wed Aug 5 19:00:52 2020 +0200
+    Add CI with prepare script
+    
+    * Only use heimdal kerberos implementation
+    * Fetch yubico/libfido2 (see: https://github.com/Yubico/libfido2)
+    * Add one target for
+        * all features
+        * each feature alone
+        * no features
+commit ea1f649046546a860f68b97ddc3015b7e44346ca
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Aug 5 08:58:57 2020 +1000
+    support NetBSD's utmpx.ut_ss address field
+    
+    bz#960, ok dtucker
+commit 32c63e75a70a0ed9d6887a55fcb0e4531a6ad617
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 4 14:59:21 2020 +1000
+    wrap a declaration in the same ifdefs as its use
+    
+    avoids warnings on NetBSD
+commit c9e3be9f4b41fda32a2a0138d54c7a6b563bc94d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 4 14:58:46 2020 +1000
+    undef TAILQ_CONCAT and friends
+    
+    Needed for NetBSD. etc that supply these macros
+commit 2d8a3b7e8b0408dfeb933ac5cfd3a58f5bac49af
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Aug 3 02:53:51 2020 +0000
+    upstream: ensure that certificate extensions are lexically sorted.
+    
+    Previously if the user specified a custom extension then the everything would
+    be in order except the custom ones. bz3198 ok dtucker markus
+    
+    OpenBSD-Commit-ID: d97deb90587b06cb227c66ffebb2d9667bf886f0
+commit a8732d74cb8e72f0c6366015687f1e649f60be87
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Aug 3 02:43:41 2020 +0000
+    upstream: allow -A to explicitly enable agent forwarding in scp and
+    
+    sftp. The default remains to not forward an agent, even when ssh_config
+    enables it. ok jmc dtucker markus
+    
+    OpenBSD-Commit-ID: 36cc526aa3b0f94e4704b8d7b969dd63e8576822
+commit ab9105470a83ed5d8197959a1b1f367399958ba1
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Mon Aug 3 02:42:49 2020 +0000
+    upstream: clang -Wimplicit-fallthrough does not recognise /*
+    
+    FALLTHROUGH */ comments, which is the style we currently use, and gives too
+    many boring warnings. ok djm
+    
+    OpenBSD-Commit-ID: 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0
+commit ced327b9fb78c94d143879ef4b2a02cbc5d38690
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 31 04:19:37 2020 +0000
+    upstream: Also compare username when checking for JumpHost loops.
+    
+    bz#3057, ok djm@
+    
+    OpenBSD-Commit-ID: 9bbc1d138adb34c54f3c03a15a91f75dbf418782
+commit ae7527010c44b3376b85d036a498f136597b2099
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jul 31 15:19:04 2020 +1000
+    Remove AC_REVISION.
+    
+    It hasn't been useful since we switched to git in 2014.  ok djm@
+commit 89fc3f414be0ce4e8008332a9739a7d721269e50
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Jul 28 19:40:30 2020 +1000
+    Use argv in OSSH_CHECK_CFLAG_COMPILE test.
+    
+    configure.ac is not detecting -Wextra in compilers that implement the
+    option. The problem is that -Wextra implies -Wunused-parameter, and the
+    C excerpt used by aclocal.m4 does not use argv.  Patch from pedro at
+    ambientworks.net, ok djm@
+commit 62c81ef531b0cc7ff655455dd34f5f0c94f48e82
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Jul 20 22:12:07 2020 +1000
+    Skip ECDSA-SK webauthn test when built w/out ECC
+commit 3ec9a6d7317236a9994887d8bd5d246af403a00d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Jul 20 13:09:25 2020 +1000
+    Add ssh-sk-helper and manpage to RPM spec file
+    
+    Based on patch from Fabio Pedretti
+commit a2855c048b3f4b17d8787bd3f24232ec0cd79abe
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 17 07:09:24 2020 +0000
+    upstream: Add %k to the TOKENs for Match Exec for consistency with
+    
+    the other keywords that recently got %k.
+    
+    OpenBSD-Commit-ID: 1857d1c40f270cbc254fca91e66110641dddcfdb
+commit 69860769fa9f4529d8612ec055ae11912f7344cf
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Fri Jul 17 05:59:05 2020 +0000
+    upstream: fix macro slip in previous;
+    
+    OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a
+commit 40649bd0822883b684183854b16d0b8461d5697b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 17 07:10:24 2020 +0000
+    upstream: Add test for '%k' (HostKeyAlias) TOKEN.
+    
+    OpenBSD-Regress-ID: 8ed1ba1a811790031aad3fcea860a34ad7910456
+commit 6736fe680704a3518cb4f3f8f6723b00433bd3dd
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 17 03:26:58 2020 +0000
+    upstream: Add tests for expansions on UserKnownHostsFile.
+    
+    OpenBSD-Regress-ID: bccf8060306c841bbcceb1392644f906a4d6ca51
+commit 287dc6396e0f9cb2393f901816dbd7f2a7dfbb5f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 17 03:51:32 2020 +0000
+    upstream: log error message for process_write() write failures
+    
+    OpenBSD-Commit-ID: f733d7b3b05e3c68967dc18dfe39b9e8fad29851
+commit 8df5774a42d2eaffe057bd7f293fc6a4b1aa411c
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 17 03:43:42 2020 +0000
+    upstream: Add a '%k' TOKEN that expands to the effective HostKey of
+    
+    the destination.  This allows, eg, keeping host keys in individual files
+    using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@
+    (man page bits)
+    
+    OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc
+commit c4f239944a4351810fd317edf408bdcd5c0102d9
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 17 03:23:10 2020 +0000
+    upstream: Add %-TOKEN, environment variable and tilde expansion to
+    
+    UserKnownHostsFile, allowing the file to be automagically split up in the
+    configuration (eg bz#1654).  ok djm@, man page parts jmc@
+    
+    OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18
+commit dbaaa01daedb423c38124a72c471982fb08a16fb
+Author: solene@openbsd.org <solene@openbsd.org>
+Date:   Wed Jul 15 07:50:46 2020 +0000
+    upstream: - Add [-a rounds] in ssh-keygen man page and usage() -
+    
+    Reorder parameters list in the first usage() case - Sentence rewording
+    
+    ok dtucker@
+    jmc@ noticed usage() missed -a flag too
+    
+    OpenBSD-Commit-ID: f06b9afe91cc96f260b929a56e9930caecbde246
+commit 69924a92c3af7b99a7541aa544a2334ec0fb092c
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed Jul 15 05:40:05 2020 +0000
+    upstream: start sentence with capital letter;
+    
+    OpenBSD-Commit-ID: ab06581d51b2b4cc1b4aab781f7f3cfa56cad973
+commit 5b56bd0affea7b02b540bdbc4d1d271b0e4fc885
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 17 13:15:50 2020 +1000
+    detect Linux/X32 systems
+    
+    This is a frankenstein monster of AMD64 instructions/calling conventions
+    but with a 4GB address space. Allegedly deprecated but people still run
+    into it causing weird sandbox failures, e.g. bz#3085
+commit 9c9ddc1391d6af8d09580a2424ab467d0a5df3c7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jul 15 06:43:16 2020 +0000
+    upstream: Fix previous by calling the correct function.
+    
+    OpenBSD-Regress-ID: 821cdd1dff9c502cceff4518b6afcb81767cad5a
+commit f1a4798941b4372bfe5e46f1c0f8672fe692d9e4
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jul 15 05:36:50 2020 +0000
+    upstream: Update test to match recent change in match.c
+    
+    OpenBSD-Regress-ID: 965bda1f95f09a765050707340c73ad755f41167
+commit d7e71be4fd57b7c7e620d733cdf2333b27bfa924
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Jul 15 15:30:43 2020 +1000
+    Adjust portable code to match changes in 939d787d,
+commit fec89f32a84fd0aa1afc81deec80a460cbaf451a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jul 15 04:27:34 2020 +0000
+    upstream: Add default for number of rounds (-a). ok djm@
+    
+    OpenBSD-Commit-ID: cb7e9aa04ace01a98e63e4bd77f34a42ab169b15
+commit aaa8b609a7b332be836cd9a3b782422254972777
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jul 14 23:57:01 2020 +0000
+    upstream: allow some additional control over the use of ssh-askpass
+    
+    via $SSH_ASKPASS_REQUIRE, including force-enable/disable. bz#69 ok markus@
+    
+    OpenBSD-Commit-ID: 3a1e6cbbf6241ddc4405c4246caa2c249f149eb2
+commit 6368022cd4dd508671c4999a59ec5826df098530
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Tue Jul 7 02:47:21 2020 +0000
+    upstream: correct recently broken comments
+    
+    OpenBSD-Commit-ID: 964d9a88f7de1d0eedd3f8070b43fb6e426351f1
+commit 6d755706a0059eb9e2d63517f288b75cbc3b4701
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Jul 5 23:59:45 2020 +0000
+    upstream: some language improvements; ok markus
+    
+    OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
+commit b0c1e8384d5e136ebdf895d1434aea7dd8661a1c
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Jul 3 10:12:26 2020 +0000
+    upstream: update setproctitle after re-exec; ok djm
+    
+    OpenBSD-Commit-ID: bc92d122f9184ec2a9471ade754b80edd034ce8b
+commit cd119a5ec2bf0ed5df4daff3bd14f8f7566dafd3
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Jul 3 10:11:33 2020 +0000
+    upstream: keep ignoring HUP after fork+exec; ok djm
+    
+    OpenBSD-Commit-ID: 7679985a84ee5ceb09839905bb6f3ddd568749a2
+commit 8af4a743693ccbea3e15fc9e93edbeb610fa94f4
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Jul 3 10:10:17 2020 +0000
+    upstream: don't exit the listener on send_rexec_state errors; ok
+    
+    djm
+    
+    OpenBSD-Commit-ID: 57cbd757d130d3f45b7d41310b3a15eeec137d5c
+commit 03da4c2b70468f04ed1c08518ea0a70e67232739
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jul 15 04:55:47 2020 +0000
+    upstream: Use $OBJ to find key files. Fixes test when run on an obj
+    
+    directory (on OpenBSD) or out of tree (in Portable).
+    
+    OpenBSD-Regress-ID: 938fa8ac86adaa527d64a305bd2135cfbb1c0a17
+commit 73f20f195ad18f1cf633eb7d8be95dc1b6111eea
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Sat Jul 4 23:11:23 2020 +1000
+    Wrap stdint.h in ifdef HAVE_STDINT_H.
+commit aa6fa4bf3023fa0e5761cd8f4b2cd015d2de74dd
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 07:25:18 2020 +0000
+    upstream: put back the mux_ctx memleak fix, but only for channels of
+    
+    type SSH_CHANNEL_MUX_LISTENER; Specifically SSH_CHANNEL_MUX_PROXY channels
+    should not have this structure freed.
+    
+    OpenBSD-Commit-ID: f3b213ae60405f77439e2b06262f054760c9d325
+commit d8195914eb43b20b13381f4e5a74f9f8a14f0ded
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 07:17:35 2020 +0000
+    upstream: revert r1.399 - the lifetime of c->mux_ctx is more complex;
+    
+    simply freeing it here causes other problems
+    
+    OpenBSD-Commit-ID: c6fee8ca94e2485faa783839541962be2834c5ed
+commit 20b5fab9f773b3d3c7f06cb15b8f69a2c081ee80
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 07:02:37 2020 +0000
+    upstream: avoid tilde_expand_filename() in expanding ~/.ssh/rc - if
+    
+    sshd is in chroot mode, the likely absence of a password database will cause
+    tilde_expand_filename() to fatal; ok dtucker@
+    
+    OpenBSD-Commit-ID: e20aee6159e8b79190d18dba1513fc1b7c8b7ee1
+commit c8935081db35d73ee6355999142fa0776a2af912
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 06:46:41 2020 +0000
+    upstream: when redirecting sshd's log output to a file, undo this
+    
+    redirection after the session child process is forked(); ok dtucker@
+    
+    OpenBSD-Commit-ID: 6df86dd653c91f5bc8ac1916e7680d9d24690865
+commit 183c4aaef944af3a1a909ffa01058c65bac55748
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 06:29:57 2020 +0000
+    upstream: start ClientAliveInterval bookkeeping before first pass
+    
+    through select() loop; fixed theoretical case where busy sshd may ignore
+    timeouts from client; inspired by and ok dtucker
+    
+    OpenBSD-Commit-ID: 96bfc4b1f86c7da313882a84755b2b47eb31957f
+commit 6fcfd303d67f16695198cf23d109a988e40eefb6
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 3 15:28:27 2020 +1000
+    add check for fido_cred_set_prot() to configure
+commit f11b23346309e4d5138e733a49321aedd6eeaa2f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jul 3 05:09:06 2020 +0000
+    upstream: Only reset the serveralive check when we receive traffic from
+    
+    the server and ignore traffic from a port forwarding client, preventing a
+    client from keeping a connection alive when it should be terminated.  Based
+    on a patch from jxraynor at gmail.com via openssh-unix-dev and bz#2265, ok
+    djm@
+    
+    OpenBSD-Commit-ID: a941a575a5cbc244c0ef5d7abd0422bbf02c2dcd
+commit adfdbf1211914b631c038f0867a447db7b519937
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 3 15:15:15 2020 +1000
+    sync sys-queue.h with OpenBSD upstream
+    
+    needed for TAILQ_CONCAT
+commit 1b90ddde49e2ff377204082b6eb130a096411dc1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 05:08:41 2020 +0000
+    upstream: fix memory leak of mux_ctx; patch from Sergiy Lozovsky
+    
+    via bz3189 ok dtucker
+    
+    OpenBSD-Commit-ID: db249bd4526fd42d0f4f43f72f7b8b7705253bde
+commit 55ef3e9cbd5b336bd0f89205716924886fcf86de
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 1 16:28:31 2020 +0000
+    upstream: free kex in ssh_packet_close; ok djm semarie
+    
+    OpenBSD-Commit-ID: dbc181e90d3d32fd97b10d75e68e374270e070a2
+commit e1c401109b61f7dbc199b5099933d579e7fc5dc9
+Author: bket@openbsd.org <bket@openbsd.org>
+Date:   Sat Jun 27 13:39:09 2020 +0000
+    upstream: Replace TAILQ concatenation loops with TAILQ_CONCAT
+    
+    OK djm@
+    
+    OpenBSD-Commit-ID: 454b40e09a117ddb833794358970a65b14c431ef
+commit 14beca57ac92d62830c42444c26ba861812dc837
+Author: semarie@openbsd.org <semarie@openbsd.org>
+Date:   Fri Jun 26 11:26:01 2020 +0000
+    upstream: backout 1.293 fix kex mem-leak in ssh_packet_close at markus
+    
+    request
+    
+    the change introduced a NULL deref in sshpkt_vfatal() (uses of ssh->kex after
+    calling ssh_packet_clear_keys())
+    
+    OpenBSD-Commit-ID: 9c9a6721411461b0b1c28dc00930d7251a798484
+commit 598c3a5e3885080ced0d7c40fde00f1d5cdbb32b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jun 26 16:07:12 2020 +1000
+    document a PAM spec problem in a frustrated comment
+commit 976c4f86286d52a0cb2aadf4a095d379c0da752e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 26 05:42:16 2020 +0000
+    upstream: avoid spurious error message when ssh-keygen creates files
+    
+    outside ~/.ssh; with dtucker@
+    
+    OpenBSD-Commit-ID: ac0c662d44607e00ec78c266ee60752beb1c7e08
+commit 32b2502a9dfdfded1ccdc1fd6dc2b3fe41bfc205
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jun 26 15:30:06 2020 +1000
+    missing ifdef SELINUX; spotted by dtucker
+commit e073106f370cdd2679e41f6f55a37b491f0e82fe
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 26 05:12:21 2020 +0000
+    upstream: regress test for ssh-add -d; ok dtucker@
+    
+    OpenBSD-Regress-ID: 3a2e044be616afc7dd4f56c100179e83b33d8abf
+commit c809daaa1bad6b1c305b0e0b5440360f32546c84
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:16:23 2020 +0000
+    upstream: add test for mux w/-Oproxy; ok djm
+    
+    OpenBSD-Regress-ID: 764d5c696e2a259f1316a056e225e50023abb027
+commit 3d06ff4bbd3dca8054c238d2a94c0da563ef7eee
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 26 05:16:38 2020 +0000
+    upstream: handle EINTR in waitfd() and timeout_connect() helpers;
+    
+    bz#3071; ok dtucker@
+    
+    OpenBSD-Commit-ID: 08fa87be50070bd8b754d9b1ebb1138d7bc9d8ee
+commit fe2ec0b9c19adeab0cd9f04b8152dc17f31c31e5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 26 05:04:07 2020 +0000
+    upstream: allow "ssh-add -d -" to read keys to be deleted from
+    
+    stdin bz#3180; ok dtucker@
+    
+    OpenBSD-Commit-ID: 15c7f10289511eb19fce7905c9cae8954e3857ff
+commit a3e0c376ffc11862fa3568b28188bd12965973e1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 26 05:03:36 2020 +0000
+    upstream: constify a few things; ok dtucker (as part of another
+    
+    diff)
+    
+    OpenBSD-Commit-ID: 7c17fc987085994d752304bd20b1ae267a9bcdf6
+commit 74344c3ca42c3f53b00b025daf09ae7f6aa38076
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 26 05:02:03 2020 +0000
+    upstream: Defer creation of ~/.ssh by ssh(1) until we attempt to
+    
+    write to it so we don't leave an empty .ssh directory when it's not needed.
+    Use the same function to replace the code in ssh-keygen that does the same
+    thing. bz#3156, ok djm@
+    
+    OpenBSD-Commit-ID: 59c073b569be1a60f4de36f491a4339bc4ae870f
+commit c9e24daac6324fcbdba171392c325bf9ccc3c768
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 26 04:45:11 2020 +0000
+    upstream: Expand path to ~/.ssh/rc rather than relying on it
+    
+    being relative to the current directory, so that it'll still be found if the
+    shell startup changes its directory.  Since the path is potentially longer,
+    make the cmd buffer that uses it dynamically sized.  bz#3185, with & ok djm@
+    
+    OpenBSD-Commit-ID: 36e33ff01497af3dc8226d0c4c1526fc3a1e46bf
+commit 07f5f369a25e228a7357ef6c57205f191f073d99
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:12:09 2020 +0000
+    upstream: fix kex mem-leak in ssh_packet_close; ok djm
+    
+    OpenBSD-Commit-ID: e2e9533f393620383afd0b68ef435de8d5e8abe4
+commit e35995088cd6691a712bfd586bae8084a3a922ba
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:10:38 2020 +0000
+    upstream: fix ssh -O proxy w/mux which got broken by no longer
+    
+    making ssh->kex optional in packet.c revision 1.278 ok djm@
+    
+    OpenBSD-Commit-ID: 2b65df04a064c2c6277359921d2320c90ab7d917
+commit 250246fef22b87a54a63211c60a2def9be431fbd
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:09:53 2020 +0000
+    upstream: support loading big sshd_config files w/o realloc; ok
+    
+    djm
+    
+    OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171
+commit 89b54900ac61986760452f132bbe3fb7249cfdac
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:08:53 2020 +0000
+    upstream: allow sshd_config longer than 256k; ok djm
+    
+    OpenBSD-Commit-ID: 83f40dd5457a64c1d3928eb4364461b22766beb3
+commit e3fa6249e6d9ceb57c14b04dd4c0cfab12fa7cd5
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jun 24 15:07:33 2020 +0000
+    upstream: only call sshkey_xmss_init() once for KEY_XMSS_CERT; ok
+    
+    djm
+    
+    OpenBSD-Commit-ID: d0002ffb7f20f538b014d1d0735facd5a81ff096
+commit 37f2da069c0619f2947fb92785051d82882876d7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 23:44:27 2020 +0000
+    upstream: some clarifying comments
+    
+    OpenBSD-Commit-ID: 5268479000fd97bfa30ab819f3517139daa054a2
+commit b659319a5bc9e8adf3c4facc51f37b670d2a7426
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Mon Jun 22 06:37:38 2020 +0000
+    upstream: updated argument name for -P in first synopsis was
+    
+    missed in previous;
+    
+    OpenBSD-Commit-ID: 8d84dc3050469884ea91e29ee06a371713f2d0b7
+commit 02a9222cbce7131d639984c2f6c71d1551fc3333
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Mon Jun 22 06:36:40 2020 +0000
+    upstream: supply word missing in previous;
+    
+    OpenBSD-Commit-ID: 16a38b049f216108f66c8b699aa046063381bd23
+commit 5098b3b6230852a80ac6cef5d53a785c789a5a56
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Jun 22 16:54:02 2020 +1000
+    missing files for webauthn/sshsig unit test
+commit 354535ff79380237924ac8fdc98f8cdf83e67da6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 06:00:06 2020 +0000
+    upstream: add support for verification of webauthn sshsig signature,
+    
+    and example HTML/JS to generate webauthn signatures in SSH formats (also used
+    to generate the testdata/* for the test).
+    
+    OpenBSD-Regress-ID: dc575be5bb1796fdf4b8aaee0ef52a6671a0f6fb
+commit bb52e70fa5330070ec9a23069c311d9e277bbd6f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 05:58:35 2020 +0000
+    upstream: Add support for FIDO webauthn (verification only).
+    
+    webauthn is a standard for using FIDO keys in web browsers. webauthn
+    signatures are a slightly different format to plain FIDO signatures - this
+    support allows verification of these. Feedback and ok markus@
+    
+    OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
+commit 64bc121097f377142f1387ffb2df7592c49935af
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 05:56:23 2020 +0000
+    upstream: refactor ECDSA-SK verification a little ahead of adding
+    
+    support for FIDO webauthn signature verification support; ok markus@
+    
+    OpenBSD-Commit-ID: c9f478fd8e0c1bd17e511ce8694f010d8e32043e
+commit 12848191f8fe725af4485d3600e0842d92f8637f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 05:54:10 2020 +0000
+    upstream: support for RFC4648 base64url encoding; ok markus
+    
+    OpenBSD-Commit-ID: 0ef22c55e772dda05c112c88412c0797fec66eb4
+commit 473b4af43db12127137c7fc1a10928313f5a16d2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 05:53:26 2020 +0000
+    upstream: better terminology for permissions; feedback & ok markus@
+    
+    OpenBSD-Commit-ID: ff2a71803b5ea57b83cc3fa9b3be42b70e462fb9
+commit fc270baf264248c3ee3050b13a6c8c0919e6559f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 22 05:52:05 2020 +0000
+    upstream: better terminology for permissions; feedback & ok markus@
+    
+    OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c
+commit 00531bb42f1af17ddabea59c3d9c4b0629000d27
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 19 07:21:42 2020 +0000
+    upstream: Correct synopsis and usage for the options accepted when
+    
+    passing a command to ssh-agent.  ok jmc@
+    
+    OpenBSD-Commit-ID: b36f0679cb0cac0e33b361051b3406ade82ea846
+commit b4556c8ad7177e379f0b60305a0cd70f12180e7c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 19 19:22:00 2020 +1000
+    Add OPENBSD ORIGINAL marker to bcrypt_pbkdf.
+commit 1babb8bb14c423011ca34c2f563bb1c51c8fbf1d
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 19 19:10:47 2020 +1000
+    Extra brackets around sizeof() in bcrypt.
+    
+    Prevents following warning from clang 10:
+    bcrypt_pbkdf.c:94:40: error: expression does not compute the number of
+      elements in this array; element type is ´uint32_tÂ[...]
+      place parentheses around the ´sizeof(uint64_t)´ expression to
+      silence this warning
+commit 9e065729592633290e5ddb6852792913b2286545
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 19 18:47:56 2020 +1000
+    Add includes.h to new test.
+    
+    Fixes warnings eg "´bounded´ attribute directive ignor" from gcc.
+commit e684b1ea365e070433f282a3c1dabc3e2311ce49
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 19 18:38:39 2020 +1000
+    Skip OpenSSL specific tests w/out OpenSSL.
+    
+    Allows unit tests to pass when configure'ed --without-openssl.
+commit 80610e97a76407ca982e62fd051c9be03622fe7b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 19 17:15:27 2020 +1000
+    Hook sshsig tests up to Portable Makefiles.
+commit 5dba1fcabacaab46693338ec829b42a1293d1f52
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 19 05:07:09 2020 +0000
+    upstream: Test that ssh-agent exits when running as as subprocess
+    
+    of a specified command (ie "ssh-agent command").  Would have caught bz#3181.
+    
+    OpenBSD-Regress-ID: 895b4765ba5153eefaea3160a7fe08ac0b6db8b3
+commit 68e8294f6b04f9590ea227e63d3e129398a49e27
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 19 04:34:21 2020 +0000
+    upstream: run sshsig unit tests
+    
+    OpenBSD-Regress-ID: 706ef17e2b545b64873626e0e35553da7c06052a
+commit 5edfa1690e9a75048971fd8775f7c16d153779db
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 19 04:32:09 2020 +0000
+    upstream: basic unit test for sshsig.[ch], including FIDO keys
+    
+    verification only so far
+    
+    OpenBSD-Regress-ID: fb1f946c8fc59206bc6a6666e577b5d5d7e45896
+commit e95c0a0e964827722d29b4bc00d5c0ff4afe0ed2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 19 03:48:49 2020 +0000
+    upstream: basic unit test for FIDO kep parsing
+    
+    OpenBSD-Regress-ID: 8089b88393dd916d7c95422b442a6fd4cfe00c82
+commit 7775819c6de3e9547ac57b87c7dd2bfd28cefcc5
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 18 23:34:19 2020 +0000
+    upstream: check public host key matches private; ok markus@ (as
+    
+    part of previous diff)
+    
+    OpenBSD-Commit-ID: 65a4f66436028748b59fb88b264cb8c94ce2ba63
+commit c514f3c0522855b4d548286eaa113e209051a6d2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jun 18 23:33:38 2020 +0000
+    upstream: avoid spurious "Unable to load host key" message when
+    
+    sshd can load a private key but no public counterpart; with & ok markus@
+    
+    OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
+commit 7fafaeb5da365f4a408fec355dac04a774f27193
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 12 05:26:37 2020 +0000
+    upstream: correct RFC number; from HARUYAMA Seigo via GH PR191
+    
+    OpenBSD-Commit-ID: 8d03b6c96ca98bfbc23d3754c3c33e1fe0852e10
+commit 3a7f654d5bcb20df24a134b6581b0d235da4564a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 5 06:18:07 2020 +0000
+    upstream: unbreak "sshd -ddd" - close of config passing fd happened too
+    
+    early. ok markus@
+    
+    OpenBSD-Commit-ID: 49346e945c6447aca3e904e65fc400128d2f8ed0
+commit 3de02be39e5c0c2208d9682a3844991651620fcc
+Author: Andreas Schwab <schwab@suse.de>
+Date:   Mon May 25 11:10:44 2020 +0200
+    Add support for AUDIT_ARCH_RISCV64
+commit ea547eb0329c2f8da77a4ac05f6c330bd49bdaab
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 5 03:25:35 2020 +0000
+    upstream: make sshbuf_putb(b, NULL) a no-op
+    
+    OpenBSD-Commit-ID: 976fdc99b500e347023d430df372f31c1dd128f7
+commit 69796297c812640415c6cea074ea61afc899cbaa
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 5 03:24:36 2020 +0000
+    upstream: make sshbuf_dump() args const
+    
+    OpenBSD-Commit-ID: b4a5accae750875d665b862504169769bcf663bd
+commit 670428895739d1f79894bdb2457891c3afa60a59
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jun 5 03:24:16 2020 +0000
+    upstream: wrap long line
+    
+    OpenBSD-Commit-ID: ed405a12bd27bdc9c52e169bc5ff3529b4ebbbb2
+commit 2f648cf222882719040906722b3593b01df4ad1a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Jun 5 03:15:26 2020 +0000
+    upstream: Correct historical comment: provos@ modified OpenSSH to
+    
+    work with SSLeay (very quickly replaced by OpenSSL) not SSL in general.  ok
+    deraadt, historical context markus@
+    
+    OpenBSD-Commit-ID: 7209e07a2984b50411ed8ca5a4932da5030d2b90
+commit 56548e4efcc3e3e8093c2eba30c75b23e561b172
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jun 3 08:23:18 2020 +0000
+    upstream: Import regenerated moduli file.
+    
+    OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
+commit 8da801f585dd9c534c0cbe487a3b1648036bf2fb
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Jun 5 13:20:10 2020 +1000
+    Test fallthrough in OSSH_CHECK_CFLAG_COMPILE.
+    
+    clang 10's -Wimplicit-fallthrough does not understand /* FALLTHROUGH */
+    comments and we don't use the __attribute__((fallthrough)) that it's
+    looking for.  This has the effect of turning off -Wimplicit-fallthrough
+    where it does not currently help (particularly with -Werror).  ok djm@
+commit 049297de975b92adcc2db77e3fb7046c0e3c695d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Jun 3 08:23:18 2020 +0000
+    upstream: Import regenerated moduli file.
+    
+    OpenBSD-Commit-ID: 52ff0e3205036147b2499889353ac082e505ea54
+commit b458423a38a3140ac022ffcffcb332609faccfe3
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Jun 1 07:11:38 2020 +0000
+    upstream: Remove now-unused proto_spec and associated definitions.
+    
+    ok djm@
+    
+    OpenBSD-Commit-ID: 2e2b18e3aa6ee22a7b69c39f2d3bd679ec35c362
+commit 5ad3c3a33ef038b55a14ebd31faeeec46073db2c
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Fri May 29 21:22:02 2020 +0000
+    upstream: Fix error message on close(2) and add printf format
+    
+    attributes. From Christos Zoulas, OK markus@
+    
+    OpenBSD-Commit-ID: 41523c999a9e3561fcc7082fd38ea2e0629ee07e
+commit 712ac1efb687a945a89db6aa3e998c1a17b38653
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 11:17:56 2020 +0000
+    upstream: Make dollar_expand variadic and pass a real va_list to
+    
+    vdollar_percent_expand. Fixes build error on arm64 spotted by otto@.
+    
+    OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279
+commit 837ffa9699a9cba47ae7921d2876afaccc027133
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri May 29 20:39:00 2020 +1000
+    Omit ToS setting if we don't have IPV6_TCLASS too.
+    
+    Fixes tests on old BSDs.
+commit f85b118d2150847cc333895296bc230e367be6b5
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 09:02:44 2020 +0000
+    upstream: Pass a NULL instead of zeroed out va_list from
+    
+    dollar_expand.  The original intent was in case there's some platform where
+    va_list is not a pointer equivalent, but on i386 this chokes on the memset.
+    This unbreaks that build, but will require further consideration.
+    
+    OpenBSD-Commit-ID: 7b90afcd8e1137a1d863204060052aef415baaf7
+commit ec1d50b01c84ff667240ed525f669454c4ebc8e9
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Fri May 29 05:48:39 2020 +0000
+    upstream: remove a stray .El;
+    
+    OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
+commit 058674a62ffe33f01d871d46e624bc2a2c22d91f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 04:32:26 2020 +0000
+    upstream: Add regression and unit tests for ${ENV} style
+    
+    environment variable expansion in various keywords (bz#3140).  ok djm@
+    
+    OpenBSD-Regress-ID: 4d9ceb95d89365b7b674bc26cf064c15a5bbb197
+commit 0b15892fc47d6840eba1291a6be9be1a70bc8972
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 01:21:35 2020 +0000
+    upstream: Unit test for convtime. ok djm@
+    
+    OpenBSD-Regress-ID: cec4239efa2fc4c7062064f07a847e1cbdbcd5dd
+commit 188e332d1c8f9f24e5b6659e9680bf083f837df9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 29 05:37:03 2020 +0000
+    upstream: mention that wildcards are processed in lexical order;
+    
+    bz#3165
+    
+    OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
+commit 4a1b46e6d032608b7ec00ae51c4e25b82f460b05
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 04:25:40 2020 +0000
+    upstream: Allow some keywords to expand shell-style ${ENV}
+    
+    environment variables on the client side.  The supported keywords are
+    CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
+    LocalForward and RemoteForward when used for Unix domain socket paths.  This
+    would for example allow forwarding of Unix domain socket paths that change at
+    runtime.  bz#3140, ok djm@
+    
+    OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
+commit c9bab1d3a9e183cef3a3412f57880a0374cc8cb2
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri May 29 14:49:16 2020 +1000
    depend
-commit b6d251ed9af90e16c08a72c4aac2cb8ace8f94b1
+commit 0b0d219313bf9239ca043f20b1a095db0245588f
+Author: sobrado <sobrado@openbsd.org>
+Date:   Thu Sep 3 23:06:28 2015 +0000
+    partial sync of regress/netcat.c with upstream
+    
+    synchronize synopsis and usage.
+commit 0f04c8467f589f85a523e19fd684c4f6c4ed9482
+Author: chl <chl@openbsd.org>
+Date:   Sun Jul 26 19:12:28 2015 +0000
+    partial sync of regress/netcat.c with upstream
+    
+    remove unused variable
+    
+    ok tedu@
+commit d6a81050ace2630b06c3c6dd39bb4eef5d1043f8
+Author: tobias <tobias@openbsd.org>
+Date:   Thu Mar 26 21:22:50 2015 +0000
+    partial sync of regress/netcat.c with upstream
+    
+    The code in socks.c writes multiple times in a row to a socket. If the socket becomes invalid between these calls (e.g. connection closed), write will throw SIGPIPE. With this patch, SIGPIPE is ignored so we can handle write's -1 return value (errno will be EPIPE). Ultimately, it leads to program exit, too -- but with nicer error message. :)
+    
+    with input by and ok djm
+commit bf3893dddd35e16def04bf48ed2ee1ad695b8f82
+Author: tobias <tobias@openbsd.org>
+Date:   Thu Mar 26 10:36:03 2015 +0000
+    partial sync of regress/netcat.c with upstream
+    
+    Check for short writes in fdpass(). Clean up while at it.
+    
+    ok djm
+commit e18435fec124b4c08eb6bbbbee9693dc04f4befb
+Author: jca <jca@openbsd.org>
+Date:   Sat Feb 14 22:40:22 2015 +0000
+    partial sync of regress/netcat.c with upstream
+    
+    Support for nc -T on IPv6 addresses.
+    
+    ok sthen@
+commit 4c607244054a036ad3b2449a6cb4c15feb846a76
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 29 03:14:02 2020 +0000
+    upstream: fix compilation on !HAVE_DLOPEN platforms; stub function
+    
+    was not updated to match API change. From Dale Rahn via beck@ ok markus@
+    
+    OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836
+commit 224418cf55611869a4ace1b8b07bba0dff77a9c3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 29 03:11:54 2020 +0000
+    upstream: fix exit status for downloading of FIDO resident keys;
+    
+    from Pedro Martelletto, ok markus@
+    
+    OpenBSD-Commit-ID: 0da77dc24a1084798eedd83c39a002a9d231faef
+commit 1001dd148ed7c57bccf56afb40cb77482ea343a6
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri May 29 01:20:46 2020 +0000
+    upstream: Fix multiplier in convtime when handling seconds after
+    
+    other units. bz#3171, spotted by ronf at timeheart.net, ok djm@.
+    
+    OpenBSD-Commit-ID: 95b7a848e1083974a65fbb6ccb381d438e1dd5be
+commit 7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 27 22:37:53 2020 +0000
+    upstream: fix Include before Match in sshd_config; bz#3122 patch
+    
+    from Jakub Jelen
+    
+    OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4
+commit 0a9a611619b0a1fecd0195ec86a9885f5d681c84
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 27 21:59:11 2020 +0000
+    upstream: Do not call process_queued_listen_addrs() for every
+    
+    included file from sshd_config; patch from Jakub Jelen
+    
+    OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
+commit 16ea1fdbe736648f79a827219134331f8d9844fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 27 21:25:18 2020 +0000
+    upstream: fix crash in recallocarray when deleting SendEnv
+    
+    variables; spotted by & ok sthen@
+    
+    OpenBSD-Commit-ID: b881e8e849edeec5082b5c0a87d8d7cff091a8fd
+commit 47adfdc07f4f8ea0064a1495500244de08d311ed
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 27 22:35:19 2020 +0000
+    upstream: two new tests for Include in sshd_config, checking whether
+    
+    Port directives are processed correctly and handling of Include directives
+    that appear before Match. Both tests currently fail. bz#3122 and bz#3169 -
+    patch from Jakub Jelen
+    
+    OpenBSD-Regress-ID: 8ad5a4a385a63f0a1c59c59c763ff029b45715df
+commit 47faad8f794516c33864d866aa1b55d88416f94c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed May 27 23:26:23 2020 +1000
+    Document that libfido2 >= 1.4.0 is needed.
+commit 4be563994c0cbe9856e7dd3078909f41beae4a9c
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 26 01:59:46 2020 +0000
+    upstream: fix memleak of signature; from Pedro Martelletto
+    
+    OpenBSD-Commit-ID: d0a6eb07e77c001427d738b220dd024ddc64b2bb
+commit 0c111eb84efba7c2a38b2cc3278901a0123161b9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 26 01:26:58 2020 +0000
+    upstream: Restrict ssh-agent from signing web challenges for FIDO
+    
+    keys.
+    
+    When signing messages in ssh-agent using a FIDO key that has an
+    application string that does not start with "ssh:", ensure that the
+    message being signed is one of the forms expected for the SSH protocol
+    (currently pubkey authentication and sshsig signatures).
+    
+    This prevents ssh-agent forwarding on a host that has FIDO keys
+    attached granting the ability for the remote side to sign challenges
+    for web authentication using those keys too.
+    
+    Note that the converse case of web browsers signing SSH challenges is
+    already precluded because no web RP can have the "ssh:" prefix in the
+    application string that we require.
+    
+    ok markus@
+    
+    OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
+commit 9c5f64b6cb3a68b99915202d318b842c6c76cf14
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 26 01:09:05 2020 +0000
+    upstream: improve logging for MaxStartups connection throttling:
+    
+    have sshd log when it starts and stops throttling and periodically while in
+    this state. bz#3055 ok markus@
+    
+    OpenBSD-Commit-ID: 2e07a09a62ab45d790d3d2d714f8cc09a9ac7ab9
+commit 756c6f66aee83a5862a6f936a316f761532f3320
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 26 01:06:52 2020 +0000
+    upstream: add fmt_timeframe() (from bgpd) to format a time
+    
+    interval in a human- friendly format. Switch copyright for this file from BSD
+    to MIT to make it easier to add Henning's copyright for this function. ok
+    markus@
+    
+    OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9
+commit 2a63ce5cd6d0e782783bf721462239b03757dd49
 Author: djm@openbsd.org <djm@openbsd.org>
 Date:   Mon May 18 04:29:35 2020 +0000
@@ -12,6 +1677,117 @@ Date:   Mon May 18 04:29:35 2020 +0000
    
    OpenBSD-Commit-ID: e6099c3fbb70aa67eb106e84d8b43f1fa919b721
+commit 4b307faf2fb0e63e51a550b37652f7f972df9676
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri May 15 08:34:03 2020 +0000
+    upstream: sshd listener must not block if reexecd sshd exits
+    
+    in write(2) on config_s[0] if the forked child exits early before finishing
+    recv_rexec_state (e.g. with fatal()) because config_s[1] stays open in the
+    parent. this prevents the parent from accepting new connections. ok djm,
+    deraadt
+    
+    OpenBSD-Commit-ID: 92ccfeb939ccd55bda914dc3fe84582158c4a9ef
+commit af8b16fb2cce880341c0ee570ceb0d84104bdcc0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 15 03:57:33 2020 +0000
+    upstream: fix off-by-one error that caused sftp downloads to make
+    
+    one more concurrent request that desired. This prevented using sftp(1) in
+    unpipelined request/response mode, which is useful when debugging. Patch from
+    Stephen Goetze in bz#3054
+    
+    OpenBSD-Commit-ID: 41b394ebe57037dbc43bdd0eef21ff0511191f28
+commit d7d753e2979f2d3c904b03a08d30856cd2a6e892
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Wed May 13 22:38:41 2020 +0000
+    upstream: we are still aiming for pre-C99 ...
+    
+    OpenBSD-Commit-ID: a240fc9cbe60bc4e6c3d24d022eb4ab01fe1cb38
+commit 2ad7b7e46408dbebf2a4efc4efd75a9544197d57
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 13 10:08:02 2020 +0000
+    upstream: Enable credProtect extension when generating a resident
+    
+    key.
+    
+    The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect"
+    feature to better protect resident keys. This option allows (amone other
+    possibilities) requiring a PIN prior to all operations that may retrieve
+    the key handle.
+    
+    Patch by Pedro Martelletto; ok djm and markus
+    
+    OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73
+commit 1e70dc3285fc9b4f6454975acb81e8702c23dd89
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 13 09:57:17 2020 +0000
+    upstream: always call fido_init(); previous behaviour only called
+    
+    fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but
+    this isn't guaranteed in the future.
+    
+    OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864
+commit f2d84f1b3fa68d77c99238d4c645d0266fae2a74
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 13 09:55:57 2020 +0000
+    upstream: preserve group/world read permission on known_hosts
+    
+    file across runs of "ssh-keygen -Rf /path". The old behaviour was to remove
+    all rights for group/other. bz#3146 ok dtucker@
+    
+    OpenBSD-Commit-ID: dc369d0e0b5dd826430c63fd5f4b269953448a8a
+commit 05a651400da6fbe12296c34e3d3bcf09f034fbbf
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed May 13 09:52:41 2020 +0000
+    upstream: when ordering the hostkey algorithms to request from a
+    
+    server, prefer certificate types if the known_hosts files contain a key
+    marked as a @cert-authority; bz#3157 ok markus@
+    
+    OpenBSD-Commit-ID: 8f194573e5bb7c01b69bbfaabc68f27c9fa5e0db
+commit 829451815ec207e14bd54ff5cf7e22046816f042
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue May 12 01:41:32 2020 +0000
+    upstream: fix non-ASCII quote that snuck in; spotted by Gabriel
+    
+    Kihlman
+    
+    OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
+commit 5a442cec92c0efd6fffb4af84bf99c70af248ef3
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon May 11 02:11:29 2020 +0000
+    upstream: clarify role of FIDO tokens in multi-factor
+    
+    authentictation; mostly from Pedro Martelletto
+    
+    OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
+commit ecb2c02d994b3e21994f31a70ff911667c262f1f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri May 8 05:13:14 2020 +0000
+    upstream: fix compilation with DEBUG_KEXDH; bz#3160 ok dtucker@
+    
+    OpenBSD-Commit-ID: 832e771948fb45f2270e8b8895aac36d176ba17a
 commit 3ab6fccc3935e9b778ff52f9c8d40f215d58e01d
 Author: Damien Miller <djm@mindrot.org>
 Date:   Thu May 14 12:22:09 2020 +1000
@@ -10714,1964 +12490,3 @@ Date:   Tue Oct 2 12:40:07 2018 +0000
    ok markus@ dtucker@
    
    OpenBSD-Commit-ID: 4bea826f575862eaac569c4bedd1056a268be1c3
-commit dba50258333f2604a87848762af07ba2cc40407a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 26 07:32:44 2018 +0000
-    upstream: remove big ugly TODO comment from start of file. Some of
-    
-    the mentioned tasks are obsolete and, of the remainder, most are already
-    captured in PROTOCOL.mux where they better belong
-    
-    OpenBSD-Commit-ID: 16d9d76dee42a5bb651c9d6740f7f0ef68aeb407
-commit 92b61a38ee9b765f5049f03cd1143e13f3878905
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 26 07:30:05 2018 +0000
-    upstream: Document mux proxy mode; added by Markus in openssh-7.4
-    
-    Also add a little bit of information about the overall packet format
-    
-    OpenBSD-Commit-ID: bdb6f6ea8580ef96792e270cae7857786ad84a95
-commit 9d883a1ce4f89b175fd77405ff32674620703fb2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 26 01:48:57 2018 +0000
-    upstream: s/process_mux_master/mux_master_process/ in mux master
-    
-    function names,
-    
-    Gives better symmetry with the existing mux_client_*() names and makes
-    it more obvious when a message comes from the master vs client (they
-    are interleved in ControlMaster=auto mode).
-    
-    no functional change beyond prefixing a could of log messages with
-    __func__ where they were previously lacking.
-    
-    OpenBSD-Commit-ID: b01f7c3fdf92692e1713a822a89dc499333daf75
-commit c2fa53cd6462da82d3a851dc3a4a3f6b920337c8
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Sep 22 14:41:24 2018 +1000
-    Remove unused variable in _ssh_compat_fflush.
-commit d1b3540c21212624af907488960d703c7d987b42
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Sep 20 18:08:43 2018 +1000
-    Import updated moduli.
-commit b5e412a8993ad17b9e1141c78408df15d3d987e1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 21 12:46:22 2018 +0000
-    upstream: Allow ssh_config ForwardX11Timeout=0 to disable the
-    
-    timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@
-    
-    OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
-commit cb24d9fcc901429d77211f274031653476864ec6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 21 12:23:17 2018 +0000
-    upstream: when compiled with GSSAPI support, cache supported method
-    
-    OIDs by calling ssh_gssapi_prepare_supported_oids() regardless of whether
-    GSSAPI authentication is enabled in the main config.
-    
-    This avoids sandbox violations for configurations that enable GSSAPI
-    auth later, e.g.
-    
-    Match user djm
-            GSSAPIAuthentication yes
-    
-    bz#2107; ok dtucker@
-    
-    OpenBSD-Commit-ID: a5dd42d87c74e27cfb712b15b0f97ab20e0afd1d
-commit bbc8af72ba68da014d4de6e21a85eb5123384226
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 21 12:20:12 2018 +0000
-    upstream: In sshkey_in_file(), ignore keys that are considered for
-    
-    being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered
-    to be "in the file". This allows key revocation lists to contain short keys
-    without the entire revocation list being considered invalid.
-    
-    bz#2897; ok dtucker
-    
-    OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
-commit 383a33d160cefbfd1b40fef81f72eadbf9303a66
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 21 03:11:36 2018 +0000
-    upstream: Treat connections with ProxyJump specified the same as ones
-    
-    with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't
-    try to canonicalise the hostname unless CanonicalizeHostname is set to
-    'always').
-    
-    Patch from Sven Wegener via bz#2896
-    
-    OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
-commit 0cbed248ed81584129b67c348dbb801660f25a6a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 20 23:40:16 2018 +0000
-    upstream: actually make CASignatureAlgorithms available as a config
-    
-    option
-    
-    OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
-commit 62528870c0ec48cd86a37dd7320fb85886c3e6ee
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Sep 20 08:07:03 2018 +0000
-    upstream: Import updated moduli.
-    
-    OpenBSD-Commit-ID: 04431e8e7872f49a2129bf080a6b73c19d576d40
-commit e6933a2ffa0659d57f3c7b7c457b2c62b2a84613
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Thu Sep 20 06:58:48 2018 +0000
-    upstream: reorder CASignatureAlgorithms, and add them to the
-    
-    various -o lists; ok djm
-    
-    OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
-commit aa083aa9624ea7b764d5a81c4c676719a1a3e42b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 20 03:31:49 2018 +0000
-    upstream: fix "ssh -Q sig" to show correct signature algorithm list
-    
-    (it was erroneously showing certificate algorithms); prompted by markus@
-    
-    OpenBSD-Commit-ID: 1cdee002f2f0c21456979deeb887fc889afb154d
-commit ecac7e1f7add6b28874959a11f2238d149dc2c07
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 20 03:30:44 2018 +0000
-    upstream: add CASignatureAlgorithms option for the client, allowing
-    
-    it to specify which signature algorithms may be used by CAs when signing
-    certificates. Useful if you want to ban RSA/SHA1; ok markus@
-    
-    OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
-commit 86e5737c39153af134158f24d0cab5827cbd5852
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 20 03:28:06 2018 +0000
-    upstream: Add sshd_config CASignatureAlgorithms option to allow
-    
-    control over which signature algorithms a CA may use when signing
-    certificates. In particular, this allows a sshd to ban certificates signed
-    with RSA/SHA1.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
-commit f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 19 02:03:02 2018 +0000
-    upstream: Make "ssh-add -q" do what it says on the tin: silence
-    
-    output from successful operations.
-    
-    Based on patch from Thijs van Dijk; ok dtucker@ deraadt@
-    
-    OpenBSD-Commit-ID: c4f754ecc055c10af166116ce7515104aa8522e1
-commit 5e532320e9e51de720d5f3cc2596e95d29f6e98f
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Mon Sep 17 15:40:14 2018 +0000
-    upstream: When choosing a prime from the moduli file, avoid
-    
-    re-using the linenum variable for something that is not a line number to
-    avoid the confusion that resulted in the bug in rev. 1.64.  This also lets us
-    pass the actual linenum to parse_prime() so the error messages include the
-    correct line number.  OK markus@ some time ago.
-    
-    OpenBSD-Commit-ID: 4d8e5d3e924d6e8eb70053e3defa23c151a00084
-commit cce8cbe0ed7d1ba3a575310e0b63c193326ae616
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Sep 15 19:44:06 2018 +1000
-    Fix openssl-1.1 fallout for --without-openssl.
-    
-    ok djm@
-commit 149519b9f201dac755f3cba4789f4d76fecf0ee1
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Sep 15 19:37:48 2018 +1000
-    add futex(2) syscall to seccomp sandbox
-    
-    Apparently needed for some glibc/openssl combinations.
-    
-    Patch from Arkadiusz Miśkiewicz
-commit 4488ae1a6940af704c4dbf70f55bf2f756a16536
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Sep 15 19:36:55 2018 +1000
-    really add source for authopt_fuzz this time
-commit 9201784b4a257c8345fbd740bcbdd70054885707
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Sep 15 19:35:40 2018 +1000
-    remove accidentally checked-in authopt_fuzz binary
-commit beb9e522dc7717df08179f9e59f36b361bfa14ab
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 14 05:26:27 2018 +0000
-    upstream: second try, deals properly with missing and private-only
-    
-    Use consistent format in debug log for keys readied, offered and
-    received during public key authentication.
-    
-    This makes it a little easier to see what is going on, as each message
-    now contains (where available) the key filename, its type and fingerprint,
-    and whether the key is hosted in an agent or a token.
-    
-    OpenBSD-Commit-ID: f1c6a8e9cfc4e108c359db77f24f9a40e1e25ea7
-commit 6bc5a24ac867bfdc3ed615589d69ac640f51674b
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Sep 14 15:16:34 2018 +1000
-    fuzzer harness for authorized_keys option parsing
-commit 6c8b82fc6929b6a9a3f645151b6ec26c5507d9ef
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 14 04:44:04 2018 +0000
-    upstream: revert following; deals badly with agent keys
-    
-    revision 1.285
-    date: 2018/09/14 04:17:12;  author: djm;  state: Exp;  lines: +47 -26;  commitid: lflGFcNb2X2HebaK;
-    Use consistent format in debug log for keys readied, offered and
-    received during public key authentication.
-    
-    This makes it a little easier to see what is going on, as each message
-    now contains the key filename, its type and fingerprint, and whether
-    the key is hosted in an agent or a token.
-    
-    OpenBSD-Commit-ID: e496bd004e452d4b051f33ed9ae6a54ab918f56d
-commit 6da046f9c3374ce7e269ded15d8ff8bc45017301
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 14 04:17:44 2018 +0000
-    upstream: garbage-collect moribund ssh_new_private() API.
-    
-    OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
-commit 1f24ac5fc05252ceb1c1d0e8cab6a283b883c780
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 14 04:17:12 2018 +0000
-    upstream: Use consistent format in debug log for keys readied,
-    
-    offered and received during public key authentication.
-    
-    This makes it a little easier to see what is going on, as each message
-    now contains the key filename, its type and fingerprint, and whether
-    the key is hosted in an agent or a token.
-    
-    OpenBSD-Commit-ID: 2a01d59285a8a7e01185bb0a43316084b4f06a1f
-commit 488c9325bb7233e975dbfbf89fa055edc3d3eddc
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Thu Sep 13 15:23:32 2018 +0000
-    upstream: Fix warnings caused by user_from_uid() and group_from_gid()
-    
-    now returning const char *.
-    
-    OpenBSD-Commit-ID: b5fe571ea77cfa7b9035062829ab05eb87d7cc6f
-commit 0aa1f230846ebce698e52051a107f3127024a05a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Sep 14 10:31:47 2018 +1000
-    allow SIGUSR1 as synonym for SIGINFO
-    
-    Lets users on those unfortunate operating systems that lack SIGINFO
-    still be able to obtain progress information from unit tests :)
-commit d64e78526596f098096113fcf148216798c327ff
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Sep 13 19:05:48 2018 +1000
-    add compat header
-commit a3fd8074e2e2f06602e25618721f9556c731312c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 13 09:03:20 2018 +0000
-    upstream: missed a bit of openssl-1.0.x API in this unittest
-    
-    OpenBSD-Regress-ID: a73a54d7f7381856a3f3a2d25947bee7a9a5dbc9
-commit 86e0a9f3d249d5580390daf58e015e68b01cef10
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 13 05:06:51 2018 +0000
-    upstream: use only openssl-1.1.x API here too
-    
-    OpenBSD-Regress-ID: ae877064597c349954b1b443769723563cecbc8f
-commit 48f54b9d12c1c79fba333bc86d455d8f4cda8cfc
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Sep 13 12:13:50 2018 +1000
-    adapt -portable to OpenSSL 1.1x API
-    
-    Polyfill missing API with replacement functions extracted from LibreSSL
-commit 86112951d63d48839f035b5795be62635a463f99
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Sep 13 12:12:42 2018 +1000
-    forgot to stage these test files in commit d70d061
-commit 482d23bcacdd3664f21cc82a5135f66fc598275f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 13 02:08:33 2018 +0000
-    upstream: hold our collective noses and use the openssl-1.1.x API in
-    
-    OpenSSH; feedback and ok tb@ jsing@ markus@
-    
-    OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
-commit d70d061828730a56636ab6f1f24fe4a8ccefcfc1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:36:45 2018 +0000
-    upstream: Include certs with multiple RSA signature variants in
-    
-    test data Ensure that cert->signature_key is populated correctly
-    
-    OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a
-commit f803b2682992cfededd40c91818b653b5d923ef5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:23:48 2018 +0000
-    upstream: test revocation by explicit hash and by fingerprint
-    
-    OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8
-commit 2de78bc7da70e1338b32feeefcc6045cf49efcd4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:22:43 2018 +0000
-    upstream: s/sshkey_demote/sshkey_from_private/g
-    
-    OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4
-commit 41c115a5ea1cb79a6a3182773c58a23f760e8076
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Sep 12 16:50:01 2018 +1000
-    delete the correct thing; kexfuzz binary
-commit f0fcd7e65087db8c2496f13ed39d772f8e38b088
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 06:18:59 2018 +0000
-    upstream: fix edit mistake; spotted by jmc@
-    
-    OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
-commit 4cc259bac699f4d2a5c52b92230f9e488c88a223
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:34:02 2018 +0000
-    upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of
-    
-    signature algorithms that are allowed for CA signatures. Notably excludes
-    ssh-dsa.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
-commit ba9e788315b1f6a350f910cb2a9e95b2ce584e89
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:32:54 2018 +0000
-    upstream: add sshkey_check_cert_sigtype() that checks a
-    
-    cert->signature_type against a supplied whitelist; ok markus
-    
-    OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
-commit a70fd4ad7bd9f2ed223ff635a3d41e483057f23b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:31:30 2018 +0000
-    upstream: add cert->signature_type field and keep it in sync with
-    
-    certificate signature wrt loading and certification operations; ok markus@
-    
-    OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
-commit 357128ac48630a9970e3af0e6ff820300a28da47
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:30:10 2018 +0000
-    upstream: Add "ssh -Q sig" to allow listing supported signature
-    
-    algorithms ok markus@
-    
-    OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
-commit 9405c6214f667be604a820c6823b27d0ea77937d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:21:34 2018 +0000
-    upstream: allow key revocation by SHA256 hash and allow ssh-keygen
-    
-    to create KRLs using SHA256/base64 key fingerprints; ok markus@
-    
-    OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
-commit 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 12 01:19:12 2018 +0000
-    upstream: log certificate fingerprint in authentication
-    
-    success/failure message (previously we logged only key ID and CA key
-    fingerprint).
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
-commit de37ca909487d23e5844aca289b3f5e75d3f1e1f
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Sep 7 04:26:56 2018 +0000
-    upstream: Add FALLTHROUGH comments where appropriate. Patch from
-    
-    jjelen at redhat via bz#2687.
-    
-    OpenBSD-Commit-ID: c48eb457be697a19d6d2950c6d0879f3ccc851d3
-commit 247766cd3111d5d8c6ea39833a3257ca8fb820f2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 7 01:42:54 2018 +0000
-    upstream: ssh -MM requires confirmation for all operations that
-    
-    change the multiplexing state, not just new sessions.
-    
-    mention that confirmation is checked via ssh-askpass
-    
-    OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
-commit db8bb80e3ac1bcb3e1305d846cd98c6b869bf03f
-Author: mestre@openbsd.org <mestre@openbsd.org>
-Date:   Tue Aug 28 12:25:53 2018 +0000
-    upstream: fix misplaced parenthesis inside if-clause. it's harmless
-    
-    and the only issue is showing an unknown error (since it's not defined)
-    during fatal(), if it ever an error occurs inside that condition.
-    
-    OK deraadt@ markus@ djm@
-    
-    OpenBSD-Commit-ID: acb0a8e6936bfbe590504752d01d1d251a7101d8
-commit 086cc614f550b7d4f100c95e472a6b6b823938ab
-Author: mestre@openbsd.org <mestre@openbsd.org>
-Date:   Tue Aug 28 12:17:45 2018 +0000
-    upstream: fix build with DEBUG_PK enabled
-    
-    OK dtucker@
-    
-    OpenBSD-Commit-ID: ec1568cf27726e9638a0415481c20c406e7b441c
-commit 2678833013e97f8b18f09779b7f70bcbf5eb2ab2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 7 14:41:53 2018 +1000
-    Handle ngroups>_SC_NGROUPS_MAX.
-    
-    Based on github pull request #99 from Darren Maffat at Oracle: Solaris'
-    getgrouplist considers _SC_NGROUPS_MAX more of a guideline and can return
-    a larger number of groups.  In this case, retry getgrouplist with a
-    larger array and defer allocating groups_byname.  ok djm@
-commit 039bf2a81797b8f3af6058d34005a4896a363221
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 7 14:06:57 2018 +1000
-    Initial len for the fmt=NULL case.
-    
-    Patch from jjelen at redhat via bz#2687.  (OpenSSH never calls
-    setproctitle with a null format so len is always initialized).
-commit ea9c06e11d2e8fb2f4d5e02f8a41e23d2bd31ca9
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 7 14:01:39 2018 +1000
-    Include stdlib.h.
-    
-    Patch from jjelen at redhat via bz#2687.
-commit 9617816dbe73ec4d65075f4d897443f63a97c87f
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Aug 27 13:08:01 2018 +1000
-    document some more regress control env variables
-    
-    Specifically SKIP_UNIT, USE_VALGRING and LTESTS. Sort the list of
-    environment variables.
-    
-    Based on patch from Jakub Jelen
-commit 71508e06fab14bc415a79a08f5535ad7bffa93d9
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 23 15:41:42 2018 +1000
-    shorten temporary SSH_REGRESS_TMP path
-    
-    Previous path was exceeding max socket length on at least one platform (OSX)
-commit 26739cf5bdc9030a583b41ae5261dedd862060f0
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 23 13:06:02 2018 +1000
-    rebuild dependencies
-commit ff729025c7463cf5d0a8d1ca1823306e48c6d4cf
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 23 13:03:32 2018 +1000
-    fix path in distclean target
-    
-    Patch from Jakub Jelen
-commit 7fef173c28f7462dcd8ee017fdf12b5073f54c02
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Aug 23 03:01:08 2018 +0000
-    upstream: memleak introduced in r1.83; from Colin Watson
-    
-    OpenBSD-Commit-ID: 5c019104c280cbd549a264a7217b67665e5732dc
-commit b8ae02a2896778b8984c7f51566c7f0f56fa8b56
-Author: schwarze@openbsd.org <schwarze@openbsd.org>
-Date:   Tue Aug 21 13:56:27 2018 +0000
-    upstream: AIX reports the CODESET as "ISO8859-1" in the POSIX locale.
-    
-    Treating that as a safe encoding is OK because even when other systems return
-    that string for real ISO8859-1, it is still safe in the sense that it is
-    ASCII-compatible and stateless.
-    
-    Issue reported by Val dot Baranov at duke dot edu.  Additional
-    information provided by Michael dot Felt at felt dot demon dot nl.
-    Tested by Michael Felt on AIX 6.1 and by Val Baranov on AIX 7.1.
-    Tweak and OK djm@.
-    
-    OpenBSD-Commit-ID: 36f1210e0b229817d10eb490d6038f507b8256a7
-commit bc44ee088ad269d232e514f037c87ada4c2fd3f0
-Author: Tim Rice <tim@multitalents.net>
-Date:   Tue Aug 21 08:57:24 2018 -0700
-            modified:   openbsd-compat/port-uw.c
-            remove obsolete and un-needed include
-commit 829fc28a9c54e3f812ee7248c7a3e31eeb4f0b3a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Aug 20 15:57:29 2018 +1000
-    Missing unistd.h for regress/mkdtemp.c
-commit c8313e492355a368a91799131520d92743d8d16c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Aug 17 05:45:20 2018 +1000
-    update version numbers in anticipation of release
-commit 477b49a34b89f506f4794b35e3c70b3e2e83cd38
-Author: Corinna Vinschen <vinschen@redhat.com>
-Date:   Mon Aug 13 17:08:51 2018 +0200
-    configure: work around GCC shortcoming on Cygwin
-    
-    Cygwin's latest 7.x GCC allows to specify -mfunction-return=thunk
-    as well as -mindirect-branch=thunk on the command line, albeit
-    producing invalid code, leading to an error at link stage.
-    
-    The check in configure.ac only checks if the option is present,
-    but not if it produces valid code.
-    
-    This patch fixes it by special-casing Cygwin.  Another solution
-    may be to change these to linker checks.
-    
-    Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
-commit b0917945efa374be7648d67dbbaaff323ab39edc
-Author: Corinna Vinschen <vinschen@redhat.com>
-Date:   Mon Aug 13 17:05:05 2018 +0200
-    cygwin: add missing stdarg.h include
-    
-    Further header file standarization in Cygwin uncovered a lazy
-    indirect include in bsd-cygwin_util.c
-    
-    Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
-commit c3903c38b0fd168ab3d925c2b129d1a599593426
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Aug 13 02:41:05 2018 +0000
-    upstream: revert compat.[ch] section of the following change. It
-    
-    causes double-free under some circumstances.
-    
-    --
-    
-    date: 2018/07/31 03:07:24;  author: djm;  state: Exp;  lines: +33 -18;  commitid: f7g4UI8eeOXReTPh;
-    fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
-    feedback and ok dtucker@
-    
-    OpenBSD-Commit-ID: 1e77547f60fdb5e2ffe23e2e4733c54d8d2d1137
-commit 1b9dd4aa15208100fbc3650f33ea052255578282
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Aug 12 20:19:13 2018 +0000
-    upstream: better diagnosics on alg list assembly errors; ok
-    
-    deraadt@ markus@
-    
-    OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
-commit e36a5f61b0f5bebf6d49c215d228cd99dfe86e28
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Aug 11 18:08:45 2018 -0700
-    Some AIX fixes; report from Michael Felt
-commit 2f4766ceefe6657c5ad5fe92d13c411872acae0e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Aug 10 01:35:49 2018 +0000
-    upstream: The script that cooks up PuTTY format host keys does not
-    
-    understand the new key format so convert back to old format to create the
-    PuTTY key and remove it once done.
-    
-    OpenBSD-Regress-ID: 2a449a18846c3a144bc645135b551ba6177e38d3
-commit e1b26ce504662a5d5b991091228984ccfd25f280
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 10 00:44:01 2018 +0000
-    upstream: improve
-    
-    OpenBSD-Commit-ID: 40d839db0977b4e7ac8b647b16d5411d4faf2f60
-commit 7c712966a3139622f7fb55045368d05de4e6782c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 10 00:42:29 2018 +0000
-    upstream: Describe pubkey format, prompted by bz#2853
-    
-    While I'm here, describe and link to the remaining local PROTOCOL.*
-    docs that weren't already mentioned (PROTOCOL.key, PROTOCOL.krl and
-    PROTOCOL.mux)
-    
-    OpenBSD-Commit-ID: 2a900f9b994ba4d53e7aeb467d44d75829fd1231
-commit ef100a2c5a8ed83afac0b8f36520815803da227a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Aug 10 00:27:15 2018 +0000
-    upstream: fix numbering
-    
-    OpenBSD-Commit-ID: bc7a1764dff23fa4c5ff0e3379c9c4d5b63c9596
-commit ed7bd5d93fe14c7bd90febd29b858ea985d14d45
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Aug 8 01:16:01 2018 +0000
-    upstream: Use new private key format by default. This format is
-    
-    suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
-    by most OpenSSH versions in active use.
-    
-    It is possible to convert new-format private keys to the older
-    format using "ssh-keygen -f /path/key -pm PEM".
-    
-    ok deraadt dtucker
-    
-    OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
-commit 967226a1bdde59ea137e8f0df871854ff7b91366
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Aug 4 00:55:06 2018 +0000
-    upstream: invalidate dh->priv_key after freeing it in error path;
-    
-    avoids unlikely double-free later. Reported by Viktor Dukhovni via
-    https://github.com/openssh/openssh-portable/pull/96 feedback jsing@ tb@
-    
-    OpenBSD-Commit-ID: e317eb17c3e05500ae851f279ef6486f0457c805
-commit 74287f5df9966a0648b4a68417451dd18f079ab8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 31 03:10:27 2018 +0000
-    upstream: delay bailout for invalid authentic
-    
-    =?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
-    =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
-    =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
-    MIME-Version: 1.0
-    Content-Type: text/plain; charset=UTF-8
-    Content-Transfer-Encoding: 8bit
-    
-    OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
-commit 1a66079c0669813306cc69e5776a4acd9fb49015
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 31 03:07:24 2018 +0000
-    upstream: fix some memory leaks spotted by Coverity via Jakub Jelen
-    
-    in bz#2366 feedback and ok dtucker@
-    
-    OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563
-commit 87f08be054b7eeadbb9cdeb3fb4872be79ccf218
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 20 13:18:28 2018 +1000
-    Remove support for S/Key
-    
-    Most people will 1) be using modern multi-factor authentication methods
-    like TOTP/OATH etc and 2) be getting support for multi-factor
-    authentication via PAM or BSD Auth.
-commit 5d14019ba2ff54acbfd20a6b9b96bb860a8c7c31
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Fri Jul 27 12:03:17 2018 +0000
-    upstream: avoid expensive channel_open_message() calls; ok djm@
-    
-    OpenBSD-Commit-ID: aea3b5512ad681cd8710367d743e8a753d4425d9
-commit e655ee04a3cb7999dbf9641b25192353e2b69418
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jul 27 05:34:42 2018 +0000
-    upstream: Now that ssh can't be setuid, remove the
-    
-    original_real_uid and original_effective_uid globals and replace with calls
-    to plain getuid(). ok djm@
-    
-    OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c
-commit 73ddb25bae4c33a0db361ac13f2e3a60d7c6c4a5
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jul 27 05:13:02 2018 +0000
-    upstream: Remove uid checks from low port binds. Now that ssh
-    
-    cannot be setuid and sshd always has privsep on, we can remove the uid checks
-    for low port binds and just let the system do the check. We leave a sanity
-    check for the !privsep case so long as the code is stil there.  with & ok
-    djm@
-    
-    OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
-commit c12033e102760d043bc5c98e6c8180e4d331b0df
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jul 27 03:55:22 2018 +0000
-    upstream: ssh(1) no longer supports being setuid root. Remove reference
-    
-    to crc32 which went with protocol 1.  Pointed out by deraadt@.
-    
-    OpenBSD-Commit-ID: f8763c25fd96ed91dd1abdab5667fd2e27e377b6
-commit 4492e2ec4e1956a277ef507f51d66e5c2aafaaf8
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 27 14:15:28 2018 +1000
-    correct snprintf truncation check in closefrom()
-    
-    Truncation cannot happen unless the system has set PATH_MAX to some
-    nonsensically low value.
-    
-    bz#2862, patch from Daniel Le
-commit 149cab325a8599a003364ed833f878449c15f259
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 27 13:46:06 2018 +1000
-    Include stdarg.h in mkdtemp for va_list.
-commit 6728f31bdfdc864d192773c32465b1860e23f556
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Wed Jul 25 17:12:35 2018 +0000
-    upstream: Don't redefine Makefile choices which come correct from
-    
-    bsd.*.mk ok markus
-    
-    OpenBSD-Commit-ID: 814b2f670df75759e1581ecef530980b2b3d7e0f
-commit 21fd477a855753c1a8e450963669e28e39c3b5d2
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Wed Jul 25 13:56:23 2018 +0000
-    upstream: fix indent; Clemens Goessnitzer
-    
-    OpenBSD-Commit-ID: b5149a6d92b264d35f879d24608087b254857a83
-commit 8e433c2083db8664c41499ee146448ea7ebe7dbf
-Author: beck@openbsd.org <beck@openbsd.org>
-Date:   Wed Jul 25 13:10:56 2018 +0000
-    upstream: Use the caller provided (copied) pwent struct in
-    
-    load_public_identity_files instead of calling getpwuid() again and discarding
-    the argument. This prevents a client crash where tilde_expand_filename calls
-    getpwuid() again before the pwent pointer is used. Issue noticed and reported
-    by Pierre-Olivier Martel <pom@apple.com> ok djm@ deraadt@
-    
-    OpenBSD-Commit-ID: a067d74b5b098763736c94cc1368de8ea3f0b157
-commit e2127abb105ae72b6fda64fff150e6b24b3f1317
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Mon Jul 23 19:53:55 2018 +0000
-    upstream: oops, failed to notice that SEE ALSO got messed up;
-    
-    OpenBSD-Commit-ID: 61c1306542cefdc6e59ac331751afe961557427d
-commit ddf1b797c2d26bbbc9d410aa4f484cbe94673587
-Author: kn@openbsd.org <kn@openbsd.org>
-Date:   Mon Jul 23 19:02:49 2018 +0000
-    upstream: Point to glob in section 7 for the actual list of special
-    
-    characters instead the C API in section 3.
-    
-    OK millert jmc nicm, "the right idea" deraadt
-    
-    OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6
-commit 01c98d9661d0ed6156e8602b650f72eed9fc4d12
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Sun Jul 22 12:16:59 2018 +0000
-    upstream: Switch authorized_keys example from ssh-dss to ssh-rsa
-    
-    since the former is no longer enabled by default.  Pointed out by Daniel A.
-    Maierhofer, ok jmc
-    
-    OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7
-commit 472269f8fe19343971c2d08f504ab5cbb8234b33
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 20 05:01:10 2018 +0000
-    upstream: slightly-clearer description for AuthenticationMethods - the
-    
-    lists have comma-separated elements; bz#2663 from Hans Meier
-    
-    OpenBSD-Commit-ID: 931c983d0fde4764d0942fb2c2b5017635993b5a
-commit c59aca8adbdf7f5597084ad360a19bedb3f80970
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 20 14:53:42 2018 +1000
-    Create control sockets in clean temp directories
-    
-    Adds a regress/mkdtemp tool and uses it to create empty temp
-    directories for tests needing control sockets.
-    
-    Patch from Colin Watson via bz#2660; ok dtucker
-commit 6ad8648e83e4f4ace37b742a05c2a6b6b872514e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 20 03:46:34 2018 +0000
-    upstream: remove unused zlib.h
-    
-    OpenBSD-Commit-ID: 8d274a9b467c7958df12668b49144056819f79f1
-commit 3ba6e6883527fe517b6e4a824876e2fe62af22fc
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jul 19 23:03:16 2018 +0000
-    upstream: Fix typo in comment. From Alexandru Iacob via github.
-    
-    OpenBSD-Commit-ID: eff4ec07c6c8c5483533da43a4dda37d72ef7f1d
-commit c77bc73c91bc656e343a1961756e09dd1b170820
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 20 13:48:51 2018 +1000
-    Explicitly include openssl before zlib.
-    
-    Some versions of OpenSSL have "free_func" in their headers, which zlib
-    typedefs.  Including openssl after zlib (eg via sshkey.h) results in
-    "syntax error before `free_func'", which this fixes.
-commit 95d41e90eafcd1286a901e8e361e4a37b98aeb52
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jul 19 10:28:47 2018 +0000
-    upstream: Deprecate UsePrivilegedPort now that support for running
-    
-    ssh(1) setuid has been removed, remove supporting code and clean up
-    references to it in the man pages
-    
-    We have not shipped ssh(1) the setuid bit since 2002.  If ayone
-    really needs to make connections from a low port number this can
-    be implemented via a small setuid ProxyCommand.
-    
-    ok markus@ jmc@ djm@
-    
-    OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
-commit 258dc8bb07dfb35a46e52b0822a2c5b7027df60a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Jul 18 11:34:04 2018 +0000
-    upstream: Remove support for running ssh(1) setuid and fatal if
-    
-    attempted. Do not link uidwap.c into ssh any more.  Neuters
-    UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@
-    djm@
-    
-    OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42
-commit ac590760b251506b0a152551abbf8e8d6dc2f527
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 16 22:25:01 2018 +0000
-    upstream: Slot 0 in the hostbased key array was previously RSA1,
-    
-    but that is now gone and the slot is unused so remove it.  Remove two
-    now-unused macros, and add an array bounds check to the two remaining ones
-    (array is statically sized, so mostly a safety check on future changes). ok
-    markus@
-    
-    OpenBSD-Commit-ID: 2e4c0ca6cc1d8daeccead2aa56192a3f9d5e1e7a
-commit 26efc2f5df0e3bcf6a6bbdd0506fd682d60c2145
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 16 11:05:41 2018 +0000
-    upstream: Remove support for loading HostBasedAuthentication keys
-    
-    directly in ssh(1) and always use ssh-keysign.  This removes one of the few
-    remaining reasons why ssh(1) might be setuid.  ok markus@
-    
-    OpenBSD-Commit-ID: 97f01e1448707129a20d75f86bad5d27c3cf0b7d
-commit 3eb7f1038d17af7aea3c2c62d1e30cd545607640
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 16 07:06:50 2018 +0000
-    upstream: keep options.identity_file_userprovided array in sync when we
-    
-    load keys, fixing some spurious error messages; ok markus
-    
-    OpenBSD-Commit-ID: c63e3d5200ee2cf9e35bda98de847302566c6a00
-commit 2f131e1b34502aa19f345e89cabf6fa3fc097f09
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 16 03:09:59 2018 +0000
-    upstream: memleak in unittest; found by valgrind
-    
-    OpenBSD-Regress-ID: 168c23b0fb09fc3d0b438628990d3fd9260a8a5e
-commit de2997a4cf22ca0a524f0e5b451693c583e2fd89
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 16 03:09:13 2018 +0000
-    upstream: memleaks; found by valgrind
-    
-    OpenBSD-Commit-ID: 6c3ba22be53e753c899545f771e8399fc93cd844
-commit 61cc0003eb37fa07603c969c12b7c795caa498f3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 14 16:49:01 2018 +1000
-    Undef a few new macros in sys-queue.h.
-    
-    Prevents macro redefinition warnings on OSX.
-commit 30a2c213877a54a44dfdffb6ca8db70be5b457e0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 13 13:40:20 2018 +1000
-    Include unistd.h for geteuid declaration.
-commit 1dd32c23f2a85714dfafe2a9cc516971d187caa4
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 13 13:38:10 2018 +1000
-    Fallout from buffer conversion in AUDIT_EVENTS.
-    
-    Supply missing "int r" and fix error path for sshbuf_new().
-commit 7449c178e943e5c4f6c8416a4e41d93b70c11c9e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 13 02:13:50 2018 +0000
-    upstream: make this use ssh_proxy rather than starting/stopping a
-    
-    daemon for each testcase
-    
-    OpenBSD-Regress-ID: 608b7655ea65b1ba8fff5a13ce9caa60ef0c8166
-commit dbab02f9208d9baa134cec1d007054ec82b96ca9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 13 02:13:19 2018 +0000
-    upstream: fix leaks in unit test; with this, all unit tests are
-    
-    leak free (as far as valgrind can spot anyway)
-    
-    OpenBSD-Regress-ID: b824d8b27998365379963440e5d18b95ca03aa17
-commit 2f6accff5085eb79b0dbe262d8b85ed017d1a51c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 13 11:39:25 2018 +1000
-    Enable leak checks for unit tests with valgrind
-    
-    Leave the leak checking on unconditionally when running with valgrind.
-    The unit tests are leak-free and I want them to stay that way.
-commit e46cfbd9db5e907b821bf4fd0184d4dab99815ee
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 13 11:38:59 2018 +1000
-    increase timeout to match cfgmatch.sh
-    
-    lets test pass under valgrind (on my workstation at least)
-commit 6aa1bf475cf3e7a2149acc5a1e80e904749f064c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 12 14:54:18 2018 +1000
-    rm regress/misc/kexfuzz/*.o in distclean target
-commit eef1447ddb559c03725a23d4aa6d03f40e8b0049
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 12 14:49:26 2018 +1000
-    repair !WITH_OPENSSL build
-commit 4d3b2f36fd831941d1627ac587faae37b6d3570f
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 12 14:49:14 2018 +1000
-    missing headers
-commit 3f420a692b293921216549c1099c2e46ff284eae
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Jul 12 14:57:46 2018 +1000
-    Remove key.h from portable files too.
-    
-    Commit 5467fbcb removed key.h so stop including it in portable files
-    too.  Fixes builds on lots of platforms.
-commit e2c4af311543093f16005c10044f7e06af0426f0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jul 12 04:35:25 2018 +0000
-    upstream: remove prototype to long-gone function
-    
-    OpenBSD-Commit-ID: 0414642ac7ce01d176b9f359091a66a8bbb640bd
-commit 394a842e60674bf8ee5130b9f15b01452a0b0285
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 11 18:55:11 2018 +0000
-    upstream: treat ssh_packet_write_wait() errors as fatal; ok djm@
-    
-    OpenBSD-Commit-ID: f88ba43c9d54ed2d911218aa8d3f6285430629c3
-commit 5467fbcb09528ecdcb914f4f2452216c24796790
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jul 11 18:53:29 2018 +0000
-    upstream: remove legacy key emulation layer; ok djm@
-    
-    OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
-commit 5dc4c59d5441a19c99e7945779f7ec9051126c25
-Author: martijn@openbsd.org <martijn@openbsd.org>
-Date:   Wed Jul 11 08:19:35 2018 +0000
-    upstream: s/wuth/with/ in comment
-    
-    OpenBSD-Commit-ID: 9de41468afd75f54a7f47809d2ad664aa577902c
-commit 1c688801e9dd7f9889fb2a29bc2b6fbfbc35a11f
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 11 12:12:38 2018 +1000
-    Include stdlib.h for declaration of free.
-    
-    Fixes build with -Werror on at least Fedora and probably others.
-commit fccfa239def497615f92ed28acc57cfe63da3666
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jul 11 10:19:56 2018 +1000
-    VALGRIND_CHECK_LEAKS logic was backwards :(
-commit 416287d45fcde0a8e66eee8b99aa73bd58607588
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 11 10:10:26 2018 +1000
-    Fix sshbuf_new error path in skey.
-commit 7aab109b8b90a353c1af780524f1ac0d3af47bab
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 11 10:06:18 2018 +1000
-    Supply missing third arg in skey.
-    
-    During the change to the new buffer api the third arg to
-    sshbuf_get_cstring was ommitted.  Fixes build when configured with skey.
-commit 380320bb72cc353a901790ab04b6287fd335dc4a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 11 10:03:34 2018 +1000
-    Supply some more missing "int r" in skey
-commit d20720d373d8563ee737d1a45dc5e0804d622dbc
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Jul 11 09:56:36 2018 +1000
-    disable valgrind memleak checking by default
-    
-    Add VALGRIND_CHECK_LEAKS knob to turn it back on.
-commit 79c9d35018f3a5e30ae437880b669aa8636cd3cd
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 11 09:54:00 2018 +1000
-    Supply missing "int r" in skey code.
-commit 984bacfaacbbe31c35191b828fb5b5b2f0362c36
-Author: sf@openbsd.org <sf@openbsd.org>
-Date:   Tue Jul 10 09:36:58 2018 +0000
-    upstream: re-remove some pre-auth compression bits
-    
-    This time, make sure to not remove things that are necessary for
-    pre-auth compression on the client. Add a comment that pre-auth
-    compression is still supported in the client.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
-commit 120a1ec74e8d9d29f4eb9a27972ddd22351ddef9
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Jul 10 19:39:52 2018 +1000
-    Adapt portable to legacy buffer API removal
-commit 0f3958c1e6ffb8ea4ba27e2a97a00326fce23246
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 10 09:13:30 2018 +0000
-    upstream: kerberos/gssapi fixes for buffer removal
-    
-    OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
-commit c74ae8e7c45f325f3387abd48fa7dfef07a08069
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 10 06:45:29 2018 +0000
-    upstream: buffer.[ch] and bufaux.c are no more
-    
-    OpenBSD-Commit-ID: d1a1852284e554f39525eb4d4891b207cfb3d3a0
-commit a881e5a133d661eca923fb0633a03152ab2b70b2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 10 06:43:52 2018 +0000
-    upstream: one mention of Buffer that almost got away :)
-    
-    OpenBSD-Commit-ID: 30d7c27a90b4544ad5dfacf654595710cd499f02
-commit 49f47e656b60bcd1d1db98d88105295f4b4e600d
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:59:10 2018 +0000
-    upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@
-    
-    OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
-commit cb30cd47041edb03476be1c8ef7bc1f4b69d1555
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:56:06 2018 +0000
-    upstream: remove legacy buffer API emulation layer; ok djm@
-    
-    OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
-commit 235c7c4e3bf046982c2d8242f30aacffa01073d1
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:53:45 2018 +0000
-    upstream: sshd: switch monitor to sshbuf API; lots of help & ok
-    
-    djm@
-    
-    OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
-commit b8d9214d969775e409e1408ecdf0d58fad99b344
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:37:55 2018 +0000
-    upstream: sshd: switch GSSAPI to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: e48449ab4be3f006f7ba33c66241b7d652973e30
-commit c7d39ac8dc3587c5f05bdd5bcd098eb5c201c0c8
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:35:50 2018 +0000
-    upstream: sshd: switch authentication to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
-commit c3cb7790e9efb14ba74b2d9f543ad593b3d55b31
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:29:36 2018 +0000
-    upstream: sshd: switch config to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
-commit 2808d18ca47ad3d251836c555f0e22aaca03d15c
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:26:02 2018 +0000
-    upstream: sshd: switch loginmsg to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
-commit 89dd615b8b531979be63f05f9d5624367c9b28e6
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:20:26 2018 +0000
-    upstream: ttymodes: switch to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
-commit f4608a7065480516ab46214f554e5f853fb7870f
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:18:10 2018 +0000
-    upstream: client: switch mux to sshbuf API; with & ok djm@
-    
-    OpenBSD-Commit-ID: 5948fb98d704f9c4e075b92edda64e0290b5feb2
-commit cecee2d607099a7bba0a84803e2325d15be4277b
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 21:03:30 2018 +0000
-    upstream: client: switch to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05
-commit ff55f4ad898137d4703e7a2bcc81167dfe8e9324
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Mon Jul 9 20:39:28 2018 +0000
-    upstream: pkcs11: switch to sshbuf API; ok djm@
-    
-    OpenBSD-Commit-ID: 98cc4e800f1617c51caf59a6cb3006f14492db79
-commit 168b46f405d6736960ba7930389eecb9b6710b7e
-Author: sf@openbsd.org <sf@openbsd.org>
-Date:   Mon Jul 9 13:37:10 2018 +0000
-    upstream: Revert previous two commits
-    
-    It turns out we still support pre-auth compression on the client.
-    Therefore revert the previous two commits:
-    
-    date: 2018/07/06 09:06:14;  author: sf;  commitid: yZVYKIRtUZWD9CmE;
-     Rename COMP_DELAYED to COMP_ZLIB
-    
-     Only delayed compression is supported nowadays.
-    
-     ok markus@
-    
-    date: 2018/07/06 09:05:01;  author: sf;  commitid: rEGuT5UgI9f6kddP;
-     Remove leftovers from pre-authentication compression
-    
-     Support for this has been removed in 2016.
-     COMP_DELAYED will be renamed in a later commit.
-    
-     ok markus@
-    
-    OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
-commit ab39267fa1243d02b6c330615539fc4b21e17dc4
-Author: sf@openbsd.org <sf@openbsd.org>
-Date:   Fri Jul 6 09:06:14 2018 +0000
-    upstream: Rename COMP_DELAYED to COMP_ZLIB
-    
-    Only delayed compression is supported nowadays.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
-commit 95db395d2e56a6f868193aead6cadb2493f036c6
-Author: sf@openbsd.org <sf@openbsd.org>
-Date:   Fri Jul 6 09:05:01 2018 +0000
-    upstream: Remove leftovers from pre-authentication compression
-    
-    Support for this has been removed in 2016.
-    COMP_DELAYED will be renamed in a later commit.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
-commit f28a4d5cd24c4aa177e96b4f96957991e552cb70
-Author: sf@openbsd.org <sf@openbsd.org>
-Date:   Fri Jul 6 09:03:02 2018 +0000
-    upstream: Remove unused ssh_packet_start_compression()
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 9d34cf2f59aca5422021ae2857190578187dc2b4
-commit 872517ddbb72deaff31d4760f28f2b0a1c16358f
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 6 13:32:02 2018 +1000
-    Defer setting bufsiz in getdelim.
-    
-    Do not write to bufsiz until we are sure the malloc has succeeded,
-    in case any callers rely on it (which they shouldn't).  ok djm@
-commit 3deb56f7190a414dc264e21e087a934fa1847283
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Jul 5 13:32:01 2018 +1000
-    Fix other callers of read_environment_file.
-    
-    read_environment_file recently gained an extra argument   Some platform
-    specific code also calls it so add the argument to those too.  Fixes
-    build on Solaris and AIX.
-commit 314908f451e6b2d4ccf6212ad246fa4619c721d3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 4 13:51:45 2018 +0000
-    upstream: deal with API rename: match_filter_list() =>
-    
-    match_filter_blacklist()
-    
-    OpenBSD-Regress-ID: 2da342be913efeb51806351af906fab01ba4367f
-commit 89f54cdf6b9cf1cf5528fd33897f1443913ddfb4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 4 13:51:12 2018 +0000
-    upstream: exercise new expansion behaviour of
-    
-    PubkeyAcceptedKeyTypes and, by proxy, test kex_assemble_names()
-    
-    ok markus@
-    
-    OpenBSD-Regress-ID: 292978902e14d5729aa87e492dd166c842f72736
-commit 187633f24c71564e970681c8906df5a6017dcccf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 13:53:26 2018 +0000
-    upstream: add a comment that could have saved me 45 minutes of wild
-    
-    goose chasing
-    
-    OpenBSD-Regress-ID: d469b29ffadd3402c090e21b792d627d46fa5297
-commit 312d2f2861a2598ed08587cb6c45c0e98a85408f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jul 4 13:49:31 2018 +0000
-    upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
-    
-    signature work - returns ability to add/remove/specify algorithms by
-    wildcard.
-    
-    Algorithm lists are now fully expanded when the server/client configs
-    are finalised, so errors are reported early and the config dumps
-    (e.g. "ssh -G ...") now list the actual algorithms selected.
-    
-    Clarify that, while wildcards are accepted in algorithm lists, they
-    aren't full pattern-lists that support negation.
-    
-    (lots of) feedback, ok markus@
-    
-    OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
-commit 303af5803bd74bf05d375c04e1a83b40c30b2be5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 11:43:49 2018 +0000
-    upstream: some magic for RSA-SHA2 checks
-    
-    OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4
-commit 7d68e262944c1fff1574600fe0e5e92ec8b398f5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Jul 3 23:27:11 2018 +1000
-    depend
-commit b4d4eda633af433d20232cbf7e855ceac8b83fe5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 13:20:25 2018 +0000
-    upstream: some finesse to fix RSA-SHA2 certificate authentication
-    
-    for certs hosted in ssh-agent
-    
-    OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
-commit d78b75df4a57e0f92295f24298e5f2930e71c172
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 13:07:58 2018 +0000
-    upstream: check correct variable; unbreak agent keys
-    
-    OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
-commit 2f30300c5e15929d0e34013f38d73e857f445e12
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 11:42:12 2018 +0000
-    upstream: crank version number to 7.8; needed for new compat flag
-    
-    for prior version; part of RSA-SHA2 strictification, ok markus@
-    
-    OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
-commit 4ba0d54794814ec0de1ec87987d0c3b89379b436
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 11:39:54 2018 +0000
-    upstream: Improve strictness and control over RSA-SHA2 signature
-    
-    In ssh, when an agent fails to return a RSA-SHA2 signature when
-    requested and falls back to RSA-SHA1 instead, retry the signature to
-    ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
-    matches the one in the signature itself.
-    
-    In sshd, strictly enforce that the public key algorithm sent in the
-    SSH_MSG_USERAUTH message matches what appears in the signature.
-    
-    Make the sshd_config PubkeyAcceptedKeyTypes and
-    HostbasedAcceptedKeyTypes options control accepted signature algorithms
-    (previously they selected supported key types). This allows these
-    options to ban RSA-SHA1 in favour of RSA-SHA2.
-    
-    Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
-    "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
-    with certificate keys.
-    
-    feedback and ok markus@
-    
-    OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
-commit 95344c257412b51199ead18d54eaed5bafb75617
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 3 10:59:35 2018 +0000
-    upstream: allow sshd_config PermitUserEnvironment to accept a
-    
-    pattern-list of whitelisted environment variable names in addition to yes|no.
-    
-    bz#1800, feedback and ok markus@
-    
-    OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
-commit 6f56fe4b9578b0627667f8bce69d4d938a88324c
-Author: millert@openbsd.org <millert@openbsd.org>
-Date:   Tue Jun 26 11:23:59 2018 +0000
-    upstream: Fix "WARNING: line 6 disappeared in /etc/moduli, giving up"
-    
-    when choosing a prime.  An extra increment of linenum snuck in as part of the
-    conversion to getline().  OK djm@ markus@
-    
-    OpenBSD-Commit-ID: 0019225cb52ed621b71cd9f19ee2e78e57e3dd38
-commit 1eee79a11c1b3594f055b01e387c49c9a6e80005
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 2 14:13:30 2018 +0000
-    upstream: One ampersand is enough to backgroud an process. OpenBSD
-    
-    doesn't seem to mind, but some platforms in -portable object to the second.
-    
-    OpenBSD-Regress-ID: d6c3e404871764343761dc25c3bbe29c2621ff74
-commit 6301e6c787d4e26bfae1119ab4f747bbcaa94e44
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jul 2 21:16:58 2018 +1000
-    Add implementation of getline.
-    
-    Add getline for the benefit of platforms that don't have it.  Sourced
-    from NetBSD (OpenBSD's implementation is a little too chummy with the
-    internals of FILE).
-commit 84623e0037628f9992839063151f7a9f5f13099a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 26 02:02:36 2018 +0000
-    upstream: whitespace
-    
-    OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
-commit 90e51d672711c19a36573be1785caf35019ae7a8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 25 22:28:33 2018 +0000
-    upstream: fix NULL dereference in open_listen_match_tcpip()
-    
-    OpenBSD-Commit-ID: c968c1d29e392352383c0f9681fcc1e93620c4a9
-commit f535ff922a67d9fcc5ee69d060d1b21c8bb01d14
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Tue Jun 19 05:36:57 2018 +0000
-    upstream: spelling;
-    
-    OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
-commit 80e199d6175904152aafc5c297096c3e18297691
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 19 03:02:17 2018 +0000
-    upstream: test PermitListen with bare port numbers
-    
-    OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
-commit 87ddd676da0f3abd08b778b12b53b91b670dc93c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 19 02:59:41 2018 +0000
-    upstream: allow bare port numbers to appear in PermitListen directives,
-    
-    e.g.
-    
-    PermitListen 2222 8080
-    
-    is equivalent to:
-    
-    PermitListen *:2222 *:8080
-    
-    Some bonus manpage improvements, mostly from markus@
-    
-    "looks fine" markus@
-    
-    OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
-commit 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 15 07:01:11 2018 +0000
-    upstream: invalidate supplemental group cache used by
-    
-    temporarily_use_uid() when the target uid differs; could cause failure to
-    read authorized_keys under some configurations. patch by Jakub Jelen via
-    bz2873; ok dtucker, markus
-    
-    OpenBSD-Commit-ID: 48a345f0ee90f6c465a078eb5e89566b23abd8a1
-commit 89a85d724765b6b82e0135ee5a1181fdcccea9c6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Jun 10 23:45:41 2018 +0000
-    upstream: unbreak SendEnv; patch from tb@
-    
-    OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
-commit acf4260f0951f89c64e1ebbc4c92f451768871ad
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Sat Jun 9 06:36:31 2018 +0000
-    upstream: sort previous;
-    
-    OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
-commit 1678d4236451060b735cb242d2e26e1ac99f0947
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jun 9 03:18:11 2018 +0000
-    upstream: slightly better wording re handing of $TERM, from Jakub
-    
-    Jelen via bz2386
-    
-    OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
-commit 28013759f09ed3ebf7e8335e83a62936bd7a7f47
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jun 9 03:03:10 2018 +0000
-    upstream: add a SetEnv directive for sshd_config to allow an
-    
-    administrator to explicitly specify environment variables set in sessions
-    started by sshd. These override the default environment and any variables set
-    by user configuration (PermitUserEnvironment, etc), but not the SSH_*
-    variables set by sshd itself.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
-commit 7082bb58a2eb878d23ec674587c742e5e9673c36
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jun 9 03:01:12 2018 +0000
-    upstream: add a SetEnv directive to ssh_config that allows setting
-    
-    environment variables for the remote session (subject to the server accepting
-    them)
-    
-    refactor SendEnv to remove the arbitrary limit of variable names.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
-commit 3b9798bda15bd3f598f5ef07595d64e23504da91
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jun 9 02:58:02 2018 +0000
-    upstream: reorder child environment preparation so that variables
-    
-    read from ~/.ssh/environment (if enabled) do not override SSH_* variables set
-    by the server.
-    
-    OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
-commit 0368889f82f63c82ff8db9f8c944d89e7c657db4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 8 03:35:36 2018 +0000
-    upstream: fix incorrect expansion of %i in
-    
-    load_public_identity_files(); reported by Roumen Petrov
-    
-    OpenBSD-Commit-ID: a827289e77149b5e0850d72a350c8b0300e7ef25
-commit 027607fc2db6a0475a3380f8d95c635482714cb0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 8 01:55:40 2018 +0000
-    upstream: fix some over-long lines and __func__ up some debug
-    
-    messages
-    
-    OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
-commit 6ff6fda705bc204456a5fa12518dde6e8790bb02
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Thu Jun 7 11:26:14 2018 +0000
-    upstream: tweak previous;
-    
-    OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
-commit f2c06ab8dd90582030991f631a2715216bf45e5a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 8 17:43:36 2018 +1000
-    Remove ability to override $LD.
-    
-    Since autoconf always uses $CC to link C programs, allowing users to
-    override LD caused mismatches between what LD_LINK_IFELSE thought worked
-    and what ld thought worked.  If you do need to do this kind of thing you
-    need to set a compiler flag such as gcc's -fuse-ld in LDFLAGS.
-commit e1542a80797b4ea40a91d2896efdcc76a57056d2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 8 13:55:59 2018 +1000
-    Better detection of unsupported compiler options.
-    
-    Should prevent "unsupported -Wl,-z,retpoline" warnings during linking.
-    ok djm@
-commit 57379dbd013ad32ee3f9989bf5f5741065428360
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jun 7 14:29:43 2018 +0000
-    upstream: test the correct configuration option name
-    
-    OpenBSD-Regress-ID: 492279ea9f65657f97a970e0e7c7fd0b339fee23
-commit 6d41815e202fbd6182c79780b6cc90e1ec1c9981
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jun 7 09:26:42 2018 +0000
-    upstream: some permitlisten fixes from markus@ that I missed in my
-    
-    insomnia-fueled commits last night
-    
-    OpenBSD-Commit-ID: 26f23622e928996086e85b1419cc1c0f136e359c
-commit 4319f7a868d86d435fa07112fcb6153895d03a7f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jun 7 04:46:34 2018 +0000
-    upstream: permitlisten/PermitListen unit test from Markus
-    
-    OpenBSD-Regress-ID: ab12eb42f0e14926980441cf7c058a6d1d832ea5
-commit fa09076410ffc2d34d454145af23c790d728921e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Jun 7 04:31:51 2018 +0000
-    upstream: fix regression caused by recent permitlisten option commit:
-    
-    authorized_keys lines that contained permitopen/permitlisten were being
-    treated as invalid.
-    
-    OpenBSD-Commit-ID: 7ef41d63a5a477b405d142dc925b67d9e7aaa31b
-commit 7f90635216851f6cb4bf3999e98b825f85d604f8
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Wed Jun 6 18:29:18 2018 +0000
-    upstream: switch config file parsing to getline(3) as this avoids
-    
-    static limits noted by gerhard@; ok dtucker@, djm@
-    
-    OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
-commit 392db2bc83215986a91c0b65feb0e40e7619ce7e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 6 18:25:33 2018 +0000
-    upstream: regress test for PermitOpen
-    
-    OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
-commit 803d896ef30758135e2f438bdd1a0be27989e018
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 6 18:24:15 2018 +0000
-    upstream: man bits for permitlisten authorized_keys option
-    
-    OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
-commit 04df43208b5b460d7360e1598f876b92a32f5922
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 6 18:24:00 2018 +0000
-    upstream: man bits for PermitListen
-    
-    OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
-commit 93c06ab6b77514e0447fe4f1d822afcbb2a9be08
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 6 18:23:32 2018 +0000
-    upstream: permitlisten option for authorized_keys; ok markus@
-    
-    OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
-commit 115063a6647007286cc8ca70abfd2a7585f26ccc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Jun 6 18:22:41 2018 +0000
-    upstream: Add a PermitListen directive to control which server-side
-    
-    addresses may be listened on when the client requests remote forwarding (ssh
-    -R).
-    
-    This is the converse of the existing PermitOpen directive and this
-    includes some refactoring to share much of its implementation.
-    
-    feedback and ok markus@
-    
-    OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
-commit 7703ae5f5d42eb302ded51705166ff6e19c92892
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jun 6 16:04:29 2018 +1000
-    Use ssh-keygen -A to generate missing host keys.
-    
-    Instead of testing for each specific key type, use ssh-keygen -A to
-    generate any missing host key types.
-commit e8d59fef1098e24f408248dc64e5c8efa5d01f3c
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Jun 1 06:23:10 2018 +0000
-    upstream: add missing punctuation after %i in ssh_config.5, and
-    
-    make the grammatical format in sshd_config.5 match that in ssh_config.5;
-    
-    OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
-commit a1f737d6a99314e291a87856122cb4dbaf64c641
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Jun 1 05:52:26 2018 +0000
-    upstream: oops - further adjustment to text neccessary;
-    
-    OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
-commit 294028493471e0bd0c7ffe55dc0c0a67cba6ec41
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Fri Jun 1 05:50:18 2018 +0000
-    upstream: %U needs to be escaped; tweak text;
-    
-    OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
-commit e5019da3c5a31e6e729a565f2b886a80c4be96cc
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jun 1 04:31:48 2018 +0000
-    upstream: Apply umask to all incoming files and directories not
-    
-    just files. This makes sure it gets applied to directories too, and prevents
-    a race where files get chmodded after creation.  bz#2839, ok djm@
-    
-    OpenBSD-Commit-ID: 3168ee6c7c39093adac4fd71039600cfa296203b
-commit a1dcafc41c376332493b9385ee39f9754dc145ec
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 03:52:37 2018 +0000
-    upstream: Adapt to extra default verboisity from ssh-keygen when
-    
-    searching for and hashing known_hosts entries in a single operation
-    (ssh-keygen -HF ...) Patch from Anton Kremenetsky
-    
-    OpenBSD-Regress-ID: 519585a4de35c4611285bd6a7272766c229b19dd
-commit 76f314c75dffd4a55839d50ee23622edad52c168
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue May 22 00:22:49 2018 +0000
-    upstream: Add TEST_SSH_FAIL_FATAL variable, to force all failures
-    
-    to instantly abort the test. Useful in capturing clean logs for individual
-    failure cases.
-    
-    OpenBSD-Regress-ID: feba18cf338c2328b9601bd4093cabdd9baa3af1
-commit 065c8c055df8d83ae7c92e5e524a579d87668aab
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri May 11 03:51:06 2018 +0000
-    upstream: Clean up comment.
-    
-    OpenBSD-Regress-ID: 6adb35f384d447e7dcb9f170d4f0d546d3973e10
-commit 01b048c8eba3b021701bd0ab26257fc82903cba8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 04:21:29 2018 +0000
-    upstream: whitespace
-    
-    OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
-commit 854ae209f992465a276de0b5f10ef770510c2418
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 04:05:29 2018 +0000
-    upstream: make ssh_remote_ipaddr() capable of being called after
-    
-    the ssh->state has been torn down; bz#2773
-    
-    OpenBSD-Commit-ID: 167f12523613ca3d16d7716a690e7afa307dc7eb
-commit 3e088aaf236ef35beeef3c9be93fd53700df5861
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 03:51:34 2018 +0000
-    upstream: return correct exit code when searching for and hashing
-    
-    known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
-    Report and fix from Anton Kremenetsky
-    
-    OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
-commit 9c935dd9bf05628826ad2495d3e8bdf3d3271c21
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 03:33:53 2018 +0000
-    upstream: make UID available as a %-expansion everywhere that the
-    
-    username is available currently. In the client this is via %i, in the server
-    %U (since %i was already used in the client in some places for this, but used
-    for something different in the server); bz#2870, ok dtucker@
-    
-    OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
-commit d8748b91d1d6c108c0c260ed41fa55f37b9ef34b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 1 03:11:49 2018 +0000
-    upstream: prefer argv0 to "ssh" when re-executing ssh for ProxyJump
-    
-    directive; bz2831, feedback and ok dtucker@
-    
-    OpenBSD-Commit-ID: 3cec709a131499fbb0c1ea8a0a9e0b0915ce769e