1 files changed, 100 insertions, 81 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 4bf1d3f73..685923e47 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 34aff3aa136e5a65f441b25811dd466488fda087 Mon Sep 17 00:00:00 2001
+From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -16,9 +16,12 @@ have it merged into the main openssh package rather than having separate
 -krb5 packages (as we used to have).  It seems to have a generally good
 security history.
+Author: Simon Wilkinson <simon@sxw.org.uk>
+Author: Colin Watson <cjwatson@debian.org>
+Author: Jakub Jelen <jjelen@redhat.com>
 Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2020-02-21
+Last-Updated: 2020-06-07
 Patch-Name: gssapi.patch
 ---
@@ -49,23 +52,23 @@ Patch-Name: gssapi.patch
 servconf.c      |  47 ++++
 servconf.h      |   3 +
 session.c       |  10 +-
- ssh-gss.h       |  50 +++-
+ ssh-gss.h       |  54 ++++-
 ssh.1           |   8 +
 ssh.c           |   6 +-
 ssh_config      |   2 +
 ssh_config.5    |  57 +++++
- sshconnect2.c   | 142 +++++++++++-
+ sshconnect2.c   | 154 +++++++++++-
 sshd.c          |  62 ++++-
 sshd_config     |   2 +
 sshd_config.5   |  30 +++
 sshkey.c        |   3 +-
 sshkey.h        |   1 +
- 38 files changed, 2624 insertions(+), 160 deletions(-)
+ 38 files changed, 2640 insertions(+), 160 deletions(-)
 create mode 100644 kexgssc.c
 create mode 100644 kexgsss.c
 diff --git a/Makefile.in b/Makefile.in
-index e7549470c..b68c1710f 100644
+index c9e4294d3..bf1e1de47 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -336,7 +339,7 @@ index 9351e0428..d6446c0cf 100644
        "gssapi-with-mic",
        userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index 0e7762242..1c217268c 100644
+index 91aaf34a6..a4a5e0069 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -73,6 +73,7 @@ extern Authmethod method_passwd;
@@ -474,7 +477,7 @@ index 26d62855a..0cadc9f18 100644
 int             get_peer_port(int);
 char           *get_local_ipaddr(int);
 diff --git a/clientloop.c b/clientloop.c
-index ebd0dbca1..1bdac6a46 100644
+index da396c72a..42ace7789 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -112,6 +112,10 @@
@@ -488,7 +491,7 @@ index ebd0dbca1..1bdac6a46 100644
 /* import options */
 extern Options options;
 
-@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
                        break;
 
                /* Do channel operations unless rekeying in progress. */
@@ -509,10 +512,10 @@ index ebd0dbca1..1bdac6a46 100644
                client_process_net_input(ssh, readset);
 
 diff --git a/configure.ac b/configure.ac
-index b689db4b5..efafb6bd8 100644
+index 460383757..d98e6f74a 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -1053,11 +1056,11 @@ index a151bc1e4..ef9beb67c 100644
 
 #endif /* KRB5 */
 diff --git a/gss-serv.c b/gss-serv.c
-index ab3a15f0f..1d47870e7 100644
+index b5d4bb2d1..55f4d4bda 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
 
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1327,7 +1330,7 @@ index ab3a15f0f..1d47870e7 100644
 
 /* Privileged */
 diff --git a/kex.c b/kex.c
-index ce85f0439..574c76093 100644
+index 09c7258e0..144dee512 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -57,11 +57,16 @@
@@ -1439,7 +1442,7 @@ index ce85f0439..574c76093 100644
 /* put algorithm proposal into buffer */
 int
 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
+@@ -697,6 +754,9 @@ kex_free(struct kex *kex)
        sshbuf_free(kex->server_version);
        sshbuf_free(kex->client_pub);
        free(kex->session_id);
@@ -2653,7 +2656,7 @@ index 000000000..60bc02deb
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
 diff --git a/monitor.c b/monitor.c
-index 2ce89fe90..ebf76c7f9 100644
+index b6e855d5d..5347e900d 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2706,7 +2709,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        if (auth_opts->permit_pty_flag) {
                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
+@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 # ifdef OPENSSL_HAS_ECC
                kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
@@ -2724,7 +2727,7 @@ index 2ce89fe90..ebf76c7f9 100644
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kex_gen_server;
                kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
-@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        u_char *p;
        int r;
 
@@ -2735,7 +2738,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 flags = 0; /* GSI needs this */
        int r;
 
@@ -2746,7 +2749,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2754,7 +2757,7 @@ index 2ce89fe90..ebf76c7f9 100644
        }
        return (0);
 }
-@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 ret;
        int r;
 
@@ -2765,7 +2768,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
            (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
-@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
 int
 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 {
@@ -2787,7 +2790,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        sshbuf_reset(m);
        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
-@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
@@ -2800,7 +2803,7 @@ index 2ce89fe90..ebf76c7f9 100644
 
        if ((displayname = ssh_gssapi_displayname()) != NULL)
                auth2_record_info(authctxt, "%s", displayname);
-@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2995,7 +2998,7 @@ index 23ab096aa..485590c18 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index f3cac6b3a..da8022dd0 100644
+index 2afcbaeca..fb585e248 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -67,6 +67,7 @@
@@ -3038,7 +3041,7 @@ index f3cac6b3a..da8022dd0 100644
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
-@@ -1029,10 +1044,42 @@ parse_time:
+@@ -1053,10 +1068,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -3081,7 +3084,7 @@ index f3cac6b3a..da8022dd0 100644
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
+@@ -1935,7 +1982,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -3095,7 +3098,7 @@ index f3cac6b3a..da8022dd0 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
+@@ -2083,8 +2136,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -3114,7 +3117,7 @@ index f3cac6b3a..da8022dd0 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
+@@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3130,7 +3133,7 @@ index f3cac6b3a..da8022dd0 100644
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
 diff --git a/readconf.h b/readconf.h
-index feedb3d20..a8a8870d7 100644
+index e143a1082..c405b837f 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -41,7 +41,13 @@ typedef struct {
@@ -3148,7 +3151,7 @@ index feedb3d20..a8a8870d7 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 70f5f73f0..191575a16 100644
+index ba0a92c7b..f38ba9e44 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -69,6 +69,7 @@
@@ -3221,7 +3224,7 @@ index 70f5f73f0..191575a16 100644
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -3232,7 +3235,7 @@ index 70f5f73f0..191575a16 100644
        case sGssCleanupCreds:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
-@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->gss_strict_acceptor;
                goto parse_flag;
 
@@ -3255,7 +3258,7 @@ index 70f5f73f0..191575a16 100644
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
+@@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3267,10 +3270,10 @@ index 70f5f73f0..191575a16 100644
        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
        dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 4202a2d02..3f47ea25e 100644
+index a420f398d..253cad97e 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -132,8 +132,11 @@ typedef struct {
+@@ -137,8 +137,11 @@ typedef struct {
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -3283,7 +3286,7 @@ index 4202a2d02..3f47ea25e 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
 diff --git a/session.c b/session.c
-index 8c0e54f79..06a33442a 100644
+index 18cdfa8cf..f9c2c866e 100644
 --- a/session.c
 +++ b/session.c
 @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3309,7 +3312,7 @@ index 8c0e54f79..06a33442a 100644
 
        /* remove agent socket */
 diff --git a/ssh-gss.h b/ssh-gss.h
-index 36180d07a..70dd36658 100644
+index 36180d07a..50d80bbca 100644
 --- a/ssh-gss.h
 +++ b/ssh-gss.h
 @@ -1,6 +1,6 @@
@@ -3320,7 +3323,7 @@ index 36180d07a..70dd36658 100644
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -61,10 +61,30 @@
+@@ -61,10 +61,34 @@
 
 #define SSH_GSS_OIDTYPE 0x06
 
@@ -3340,8 +3343,12 @@ index 36180d07a..70dd36658 100644
 +#define KEX_GSS_C25519_SHA256_ID                       "gss-curve25519-sha256-"
 +
 +#define        GSS_KEX_DEFAULT_KEX \
-+       KEX_GSS_GEX_SHA1_ID "," \
+       KEX_GSS_GRP14_SHA256_ID "," \
-+       KEX_GSS_GRP14_SHA1_ID
+       KEX_GSS_GRP16_SHA512_ID "," \
+       KEX_GSS_NISTP256_SHA256_ID "," \
+       KEX_GSS_C25519_SHA256_ID "," \
+       KEX_GSS_GRP14_SHA1_ID "," \
+       KEX_GSS_GEX_SHA1_ID
 +
 typedef struct {
        char *filename;
@@ -3351,7 +3358,7 @@ index 36180d07a..70dd36658 100644
        void *data;
 } ssh_gssapi_ccache;
 
-@@ -72,8 +92,11 @@ typedef struct {
+@@ -72,8 +96,11 @@ typedef struct {
        gss_buffer_desc displayname;
        gss_buffer_desc exportedname;
        gss_cred_id_t creds;
@@ -3363,7 +3370,7 @@ index 36180d07a..70dd36658 100644
 } ssh_gssapi_client;
 
 typedef struct ssh_gssapi_mech_struct {
-@@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct {
+@@ -84,6 +111,7 @@ typedef struct ssh_gssapi_mech_struct {
        int (*userok) (ssh_gssapi_client *, char *);
        int (*localname) (ssh_gssapi_client *, char **);
        void (*storecreds) (ssh_gssapi_client *);
@@ -3371,7 +3378,7 @@ index 36180d07a..70dd36658 100644
 } ssh_gssapi_mech;
 
 typedef struct {
-@@ -94,10 +118,11 @@ typedef struct {
+@@ -94,10 +122,11 @@ typedef struct {
        gss_OID         oid; /* client */
        gss_cred_id_t   creds; /* server */
        gss_name_t      client; /* server */
@@ -3384,7 +3391,7 @@ index 36180d07a..70dd36658 100644
 
 int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
+@@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 
 struct sshbuf;
 int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
@@ -3392,7 +3399,7 @@ index 36180d07a..70dd36658 100644
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
-@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
+@@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_buildmic(struct sshbuf *, const char *,
     const char *, const char *);
@@ -3429,10 +3436,10 @@ index 36180d07a..70dd36658 100644
 
 #endif /* _SSH_GSS_H */
 diff --git a/ssh.1 b/ssh.1
-index 60de6087a..db5c65bc7 100644
+index dce5f404b..7a3ba31ab 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see
+@@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see
 .It GatewayPorts
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
@@ -3446,7 +3453,7 @@ index 60de6087a..db5c65bc7 100644
 .It HashKnownHosts
 .It Host
 .It HostbasedAuthentication
-@@ -579,6 +585,8 @@ flag),
+@@ -582,6 +588,8 @@ flag),
 (supported message integrity codes),
 .Ar kex
 (key exchange algorithms),
@@ -3456,10 +3463,10 @@ index 60de6087a..db5c65bc7 100644
 (key types),
 .Ar key-cert
 diff --git a/ssh.c b/ssh.c
-index 15aee569e..110cf9c19 100644
+index 98b6ce788..4a81ef810 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -747,6 +747,8 @@ main(int ac, char **av)
+@@ -773,6 +773,8 @@ main(int ac, char **av)
                        else if (strcmp(optarg, "kex") == 0 ||
                            strcasecmp(optarg, "KexAlgorithms") == 0)
                                cp = kex_alg_list('\n');
@@ -3468,7 +3475,7 @@ index 15aee569e..110cf9c19 100644
                        else if (strcmp(optarg, "key") == 0)
                                cp = sshkey_alg_list(0, 0, 0, '\n');
                        else if (strcmp(optarg, "key-cert") == 0)
-@@ -772,8 +774,8 @@ main(int ac, char **av)
+@@ -798,8 +800,8 @@ main(int ac, char **av)
                        } else if (strcmp(optarg, "help") == 0) {
                                cp = xstrdup(
                                    "cipher\ncipher-auth\ncompression\nkex\n"
@@ -3493,7 +3500,7 @@ index 5e8ef548b..1ff999b68 100644
 #   CheckHostIP yes
 #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 06a32d314..3f4906972 100644
+index dc010ccbd..e2a2359f9 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -766,10 +766,67 @@ The default is
@@ -3559,13 +3566,13 @@ index 06a32d314..3f4906972 100644
 +.Ed
 +.Pp
 +The default is
-+.Dq gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
-+This option only applies to protocol version 2 connections using GSSAPI.
+This option only applies to connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index af00fb30c..03bc87eb4 100644
+index 1a6545edf..79a22e600 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -80,8 +80,6 @@
@@ -3589,7 +3596,7 @@ index af00fb30c..03bc87eb4 100644
        xxx_host = host;
        xxx_hostaddr = hostaddr;
 
-@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
                    compat_pkalg_proposal(options.hostkeyalgorithms);
        }
 
@@ -3599,12 +3606,18 @@ index af00fb30c..03bc87eb4 100644
 +                * client to the key exchange algorithm proposal */
 +               orig = myproposal[PROPOSAL_KEX_ALGS];
 +
-+               if (options.gss_server_identity)
+               if (options.gss_server_identity) {
 +                       gss_host = xstrdup(options.gss_server_identity);
-+               else if (options.gss_trust_dns)
+               } else if (options.gss_trust_dns) {
 +                       gss_host = remote_hostname(ssh);
-+               else
+                       /* Fall back to specified host if we are using proxy command
+                        * and can not use DNS on that socket */
+                       if (strcmp(gss_host, "UNKNOWN") == 0) {
+                               gss_host = xstrdup(host);
+                       }
+               } else {
 +                       gss_host = xstrdup(host);
+               }
 +
 +               gss = ssh_gssapi_client_mechanisms(gss_host,
 +                   options.gss_client_identity, options.gss_kex_algorithms);
@@ -3625,7 +3638,7 @@ index af00fb30c..03bc87eb4 100644
        if (options.rekey_limit || options.rekey_interval)
                ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
                    options.rekey_interval);
-@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
 # ifdef OPENSSL_HAS_ECC
        ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
 # endif
@@ -3673,7 +3686,7 @@ index af00fb30c..03bc87eb4 100644
        if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
                fatal("kex_prop2buf: %s", ssh_err(r));
 
-@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
 static int input_gssapi_error(int, u_int32_t, struct ssh *);
 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3681,7 +3694,7 @@ index af00fb30c..03bc87eb4 100644
 #endif
 
 void   userauth(struct ssh *, char *);
-@@ -346,6 +409,11 @@ static char *authmethods_get(void);
+@@ -346,6 +415,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -3693,18 +3706,24 @@ index af00fb30c..03bc87eb4 100644
        {"gssapi-with-mic",
                userauth_gssapi,
                userauth_gssapi_cleanup,
-@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
+@@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh)
        OM_uint32 min;
        int r, ok = 0;
        gss_OID mech = NULL;
 +       char *gss_host;
 +
-+       if (options.gss_server_identity)
+       if (options.gss_server_identity) {
 +               gss_host = xstrdup(options.gss_server_identity);
-+       else if (options.gss_trust_dns)
+       } else if (options.gss_trust_dns) {
 +               gss_host = remote_hostname(ssh);
-+       else
+               /* Fall back to specified host if we are using proxy command
+                * and can not use DNS on that socket */
+               if (strcmp(gss_host, "UNKNOWN") == 0) {
+                       gss_host = authctxt->host;
+               }
+       } else {
 +               gss_host = xstrdup(authctxt->host);
+       }
 
        /* Try one GSSAPI method at a time, rather than sending them all at
         * once. */
@@ -3720,7 +3739,7 @@ index af00fb30c..03bc87eb4 100644
 
        /* Check to see whether the mechanism is usable before we offer it */
        while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh)
                    elements[authctxt->mech_tried];
                /* My DER encoding requires length<128 */
                if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3737,7 +3756,7 @@ index af00fb30c..03bc87eb4 100644
        if (!ok || mech == NULL)
                return 0;
 
-@@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
        free(lang);
        return r;
 }
@@ -3794,10 +3813,10 @@ index af00fb30c..03bc87eb4 100644
 
 static int
 diff --git a/sshd.c b/sshd.c
-index 60b2aaf73..d92f03aaf 100644
+index 6f8f11a3b..02fca5c28 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
+@@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh)
        }
        debug3("%s: sent %u hostkeys", __func__, nkeys);
        if (nkeys == 0)
@@ -3808,7 +3827,7 @@ index 60b2aaf73..d92f03aaf 100644
                sshpkt_fatal(ssh, r, "%s: send", __func__);
        sshbuf_free(buf);
 }
-@@ -1852,7 +1852,8 @@ main(int ac, char **av)
+@@ -1851,7 +1851,8 @@ main(int ac, char **av)
                free(fp);
        }
        accumulate_host_timing_secret(cfg, NULL);
@@ -3818,7 +3837,7 @@ index 60b2aaf73..d92f03aaf 100644
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
        }
-@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh)
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
            list_hostkey_types());
 
@@ -3867,7 +3886,7 @@ index 60b2aaf73..d92f03aaf 100644
        /* start key exchange */
        if ((r = kex_setup(ssh, myproposal)) != 0)
                fatal("kex_setup: %s", ssh_err(r));
-@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh)
 # ifdef OPENSSL_HAS_ECC
        kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
@@ -3901,10 +3920,10 @@ index 19b7c91a1..2c48105f8 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 70ccea449..f6b41a2f8 100644
+index b294efc2d..360e5fb1a 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
+@@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Cm yes .
@@ -3916,7 +3935,7 @@ index 70ccea449..f6b41a2f8 100644
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
-@@ -660,6 +665,31 @@ machine's default store.
+@@ -658,6 +663,31 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Cm yes .
@@ -3943,13 +3962,13 @@ index 70ccea449..f6b41a2f8 100644
 +.Ed
 +.Pp
 +The default is
-+.Dq gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
-+This option only applies to protocol version 2 connections using GSSAPI.
+This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
 diff --git a/sshkey.c b/sshkey.c
-index 57995ee68..fd5b77246 100644
+index 1571e3d93..1ac32a0ec 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
@@ -3970,7 +3989,7 @@ index 57995ee68..fd5b77246 100644
                if (!include_sigonly && kt->sigonly)
                        continue;
 diff --git a/sshkey.h b/sshkey.h
-index 71a3fddcb..37a43a67a 100644
+index 9c1d4f637..f586e8967 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -69,6 +69,7 @@ enum sshkey_types {