1 files changed, 3321 insertions, 0 deletions

diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
new file mode 100644
index 000000000..25edd5cbe
--- /dev/null
+++ b/debian/patches/gssapi.patch
@@ -0,0 +1,3321 @@
+From e6c7c11ac2576ac62334616bd4408bf64140bba7 Mon Sep 17 00:00:00 2001
+From: Simon Wilkinson <simon@sxw.org.uk>
+Date: Sun, 9 Feb 2014 16:09:48 +0000
+Subject: GSSAPI key exchange support
+
+This patch has been rejected upstream: "None of the OpenSSH developers are
+in favour of adding this, and this situation has not changed for several
+years.  This is not a slight on Simon's patch, which is of fine quality, but
+just that a) we don't trust GSSAPI implementations that much and b) we don't
+like adding new KEX since they are pre-auth attack surface.  This one is
+particularly scary, since it requires hooks out to typically root-owned
+system resources."
+
+However, quite a lot of people rely on this in Debian, and it's better to
+have it merged into the main openssh package rather than having separate
+-krb5 packages (as we used to have).  It seems to have a generally good
+security history.
+
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
+Last-Updated: 2018-08-24
+
+Patch-Name: gssapi.patch
+---
+ ChangeLog.gssapi | 113 ++++++++++++++++
+ Makefile.in      |   3 +-
+ auth-krb5.c      |  17 ++-
+ auth.c           |  96 +-------------
+ auth2-gss.c      |  54 +++++++-
+ auth2.c          |   2 +
+ canohost.c       |  93 +++++++++++++
+ canohost.h       |   3 +
+ clientloop.c     |  15 ++-
+ config.h.in      |   6 +
+ configure.ac     |  24 ++++
+ gss-genr.c       | 277 +++++++++++++++++++++++++++++++++++++-
+ gss-serv-krb5.c  |  85 +++++++++++-
+ gss-serv.c       | 184 ++++++++++++++++++++++++--
+ kex.c            |  19 +++
+ kex.h            |  14 ++
+ kexgssc.c        | 338 +++++++++++++++++++++++++++++++++++++++++++++++
+ kexgsss.c        | 295 +++++++++++++++++++++++++++++++++++++++++
+ monitor.c        | 122 +++++++++++++++--
+ monitor.h        |   3 +
+ monitor_wrap.c   |  53 +++++++-
+ monitor_wrap.h   |   4 +-
+ readconf.c       |  43 ++++++
+ readconf.h       |   5 +
+ servconf.c       |  26 ++++
+ servconf.h       |   2 +
+ ssh-gss.h        |  41 +++++-
+ ssh_config       |   2 +
+ ssh_config.5     |  32 +++++
+ sshconnect2.c    | 133 ++++++++++++++++++-
+ sshd.c           | 112 +++++++++++++++-
+ sshd_config      |   2 +
+ sshd_config.5    |  10 ++
+ sshkey.c         |   3 +-
+ sshkey.h         |   1 +
+ 35 files changed, 2087 insertions(+), 145 deletions(-)
+ create mode 100644 ChangeLog.gssapi
+ create mode 100644 kexgssc.c
+ create mode 100644 kexgsss.c
+
+diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
+new file mode 100644
+index 000000000..f117a336a
+--- /dev/null
++++ b/ChangeLog.gssapi
+@@ -0,0 +1,113 @@
++20110101
++  - Finally update for OpenSSH 5.6p1
++  - Add GSSAPIServerIdentity option from Jim Basney
++ 
++20100308
++  - [ Makefile.in, key.c, key.h ]
++    Updates for OpenSSH 5.4p1
++  - [ servconf.c ]
++    Include GSSAPI options in the sshd -T configuration dump, and flag
++    some older configuration options as being unsupported. Thanks to Colin 
++    Watson.
++  -
++
++20100124
++  - [ sshconnect2.c ]
++    Adapt to deal with additional element in Authmethod structure. Thanks to
++    Colin Watson
++
++20090615
++  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
++      sshd.c ]
++    Fix issues identified by Greg Hudson following a code review
++       Check return value of gss_indicate_mechs
++       Protect GSSAPI calls in monitor, so they can only be used if enabled
++       Check return values of bignum functions in key exchange
++       Use BN_clear_free to clear other side's DH value
++       Make ssh_gssapi_id_kex more robust
++       Only configure kex table pointers if GSSAPI is enabled
++       Don't leak mechanism list, or gss mechanism list
++       Cast data.length before printing
++       If serverkey isn't provided, use an empty string, rather than NULL
++
++20090201
++  - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
++      ssh_config.5 sshconnet2.c ]
++    Add support for the GSSAPIClientIdentity option, which allows the user
++    to specify which GSSAPI identity to use to contact a given server
++
++20080404
++  - [ gss-serv.c ]
++    Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
++    been omitted from a previous version of this patch. Reported by Borislav
++    Stoichkov
++
++20070317
++  - [ gss-serv-krb5.c ]
++    Remove C99ism, where new_ccname was being declared in the middle of a 
++    function
++
++20061220
++  - [ servconf.c ]
++    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 
++    documented, behaviour. Reported by Dan Watson.
++
++20060910
++  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
++      ssh-gss.h ]
++    add support for gss-group14-sha1 key exchange mechanisms
++  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
++    Add GSSAPIStrictAcceptorCheck option to allow the disabling of
++    acceptor principal checking on multi-homed machines.
++    <Bugzilla #928>
++  - [ sshd_config ssh_config ]
++    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
++    configuration files
++  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
++    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
++    Limit length of error messages displayed by client
++
++20060909
++  - [ gss-genr.c gss-serv.c ]
++    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
++    only, where they belong 
++    <Bugzilla #1225>
++
++20060829
++  - [ gss-serv-krb5.c ]
++    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 
++    variable
++
++20060828
++  - [ gss-genr.c ]
++    Avoid Heimdal context freeing problem
++    <Fixed upstream 20060829>
++
++20060818
++  - [ gss-genr.c ssh-gss.h sshconnect2.c ]
++    Make sure that SPENGO is disabled 
++    <Bugzilla #1218 - Fixed upstream 20060818>
++
++20060421
++  - [ gssgenr.c, sshconnect2.c ]
++    a few type changes (signed versus unsigned, int versus size_t) to
++    fix compiler errors/warnings 
++    (from jbasney AT ncsa.uiuc.edu)
++  - [ kexgssc.c, sshconnect2.c ]
++    fix uninitialized variable warnings
++    (from jbasney AT ncsa.uiuc.edu)
++  - [ gssgenr.c ]
++    pass oid to gss_display_status (helpful when using GSSAPI mechglue)
++    (from jbasney AT ncsa.uiuc.edu)
++    <Bugzilla #1220 >
++  - [ gss-serv-krb5.c ]
++    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
++    (from jbasney AT ncsa.uiuc.edu)
++    <Fixed upstream 20060304>
++  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 
++    add client-side GssapiKeyExchange option
++    (from jbasney AT ncsa.uiuc.edu)
++  - [ sshconnect2.c ]
++    add support for GssapiTrustDns option for gssapi-with-mic
++    (from jbasney AT ncsa.uiuc.edu)
++    <gssapi-with-mic support is Bugzilla #1008>
+diff --git a/Makefile.in b/Makefile.in
+index 2385c62a8..6175c6063 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+        kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
+        kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
++       kexgssc.o \
+        platform-pledge.o platform-tracing.o platform-misc.o
+ 
+ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
+        auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+        auth2-none.o auth2-passwd.o auth2-pubkey.o \
+        monitor.o monitor_wrap.o auth-krb5.o \
+-       auth2-gss.o gss-serv.o gss-serv-krb5.o \
++       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
+        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+        sftp-server.o sftp-common.o \
+        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 3096f1c8e..204752e1b 100644
+--- a/auth-krb5.c
++++ b/auth-krb5.c
+@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ 
+        len = strlen(authctxt->krb5_ticket_file) + 6;
+        authctxt->krb5_ccname = xmalloc(len);
++#ifdef USE_CCAPI
++       snprintf(authctxt->krb5_ccname, len, "API:%s",
++           authctxt->krb5_ticket_file);
++#else
+        snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+            authctxt->krb5_ticket_file);
++#endif
+ 
+ #ifdef USE_PAM
+        if (options.use_pam)
+@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
+ #ifndef HEIMDAL
+ krb5_error_code
+ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+-       int tmpfd, ret, oerrno;
++       int ret, oerrno;
+        char ccname[40];
+        mode_t old_umask;
++#ifdef USE_CCAPI
++       char cctemplate[] = "API:krb5cc_%d";
++#else
++       char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
++       int tmpfd;
++#endif
+ 
+        ret = snprintf(ccname, sizeof(ccname),
+-           "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
++           cctemplate, geteuid());
+        if (ret < 0 || (size_t)ret >= sizeof(ccname))
+                return ENOMEM;
+ 
++#ifndef USE_CCAPI
+        old_umask = umask(0177);
+        tmpfd = mkstemp(ccname + strlen("FILE:"));
+        oerrno = errno;
+@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+                return oerrno;
+        }
+        close(tmpfd);
++#endif
+ 
+        return (krb5_cc_resolve(ctx, ccname, ccache));
+ }
+diff --git a/auth.c b/auth.c
+index 9a3bc96f1..80eb78c48 100644
+--- a/auth.c
++++ b/auth.c
+@@ -395,7 +395,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
+        case PERMIT_NO_PASSWD:
+                if (strcmp(method, "publickey") == 0 ||
+                    strcmp(method, "hostbased") == 0 ||
+-                   strcmp(method, "gssapi-with-mic") == 0)
++                   strcmp(method, "gssapi-with-mic") == 0 ||
++                   strcmp(method, "gssapi-keyex") == 0)
+                        return 1;
+                break;
+        case PERMIT_FORCED_ONLY:
+@@ -733,99 +734,6 @@ fakepw(void)
+        return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-       struct sockaddr_storage from;
+-       socklen_t fromlen;
+-       struct addrinfo hints, *ai, *aitop;
+-       char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-       const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-       /* Get IP address of client. */
+-       fromlen = sizeof(from);
+-       memset(&from, 0, sizeof(from));
+-       if (getpeername(ssh_packet_get_connection_in(ssh),
+-           (struct sockaddr *)&from, &fromlen) < 0) {
+-               debug("getpeername failed: %.100s", strerror(errno));
+-               return strdup(ntop);
+-       }
+-
+-       ipv64_normalise_mapped(&from, &fromlen);
+-       if (from.ss_family == AF_INET6)
+-               fromlen = sizeof(struct sockaddr_in6);
+-
+-       debug3("Trying to reverse map address %.100s.", ntop);
+-       /* Map the IP address to a host name. */
+-       if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-           NULL, 0, NI_NAMEREQD) != 0) {
+-               /* Host name not found.  Use ip address. */
+-               return strdup(ntop);
+-       }
+-
+-       /*
+-        * if reverse lookup result looks like a numeric hostname,
+-        * someone is trying to trick us by PTR record like following:
+-        *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
+-        */
+-       memset(&hints, 0, sizeof(hints));
+-       hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+-       hints.ai_flags = AI_NUMERICHOST;
+-       if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-               logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-                   name, ntop);
+-               freeaddrinfo(ai);
+-               return strdup(ntop);
+-       }
+-
+-       /* Names are stored in lowercase. */
+-       lowercase(name);
+-
+-       /*
+-        * Map it back to an IP address and check that the given
+-        * address actually is an address of this host.  This is
+-        * necessary because anyone with access to a name server can
+-        * define arbitrary names for an IP address. Mapping from
+-        * name to IP address can be trusted better (but can still be
+-        * fooled if the intruder has access to the name server of
+-        * the domain).
+-        */
+-       memset(&hints, 0, sizeof(hints));
+-       hints.ai_family = from.ss_family;
+-       hints.ai_socktype = SOCK_STREAM;
+-       if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-               logit("reverse mapping checking getaddrinfo for %.700s "
+-                   "[%s] failed.", name, ntop);
+-               return strdup(ntop);
+-       }
+-       /* Look for the address from the list of addresses. */
+-       for (ai = aitop; ai; ai = ai->ai_next) {
+-               if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-                   sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-                   (strcmp(ntop, ntop2) == 0))
+-                               break;
+-       }
+-       freeaddrinfo(aitop);
+-       /* If we reached the end of the list, the address was not there. */
+-       if (ai == NULL) {
+-               /* Address not found for the host name. */
+-               logit("Address %.100s maps to %.600s, but this does not "
+-                   "map back to the address.", ntop, name);
+-               return strdup(ntop);
+-       }
+-       return strdup(name);
+-}
+-
+ /*
+  * Return the canonical name of the host in the other side of the current
+  * connection.  The host name is cached, so it is efficient to call this
+diff --git a/auth2-gss.c b/auth2-gss.c
+index 9351e0428..1f12bb113 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
+ static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
+ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
+ 
++/* 
++ * The 'gssapi_keyex' userauth mechanism.
++ */
++static int
++userauth_gsskeyex(struct ssh *ssh)
++{
++       Authctxt *authctxt = ssh->authctxt;
++       int r, authenticated = 0;
++       struct sshbuf *b;
++       gss_buffer_desc mic, gssbuf;
++       u_char *p;
++       size_t len;
++
++       if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
++           (r = sshpkt_get_end(ssh)) != 0)
++               fatal("%s: %s", __func__, ssh_err(r));
++       if ((b = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++       mic.value = p;
++       mic.length = len;
++
++       ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
++           "gssapi-keyex");
++
++       if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
++               fatal("%s: sshbuf_mutable_ptr failed", __func__);
++       gssbuf.length = sshbuf_len(b);
++
++       /* gss_kex_context is NULL with privsep, so we can't check it here */
++       if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
++           &gssbuf, &mic))))
++               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
++                   authctxt->pw));
++       
++       sshbuf_free(b);
++       free(mic.value);
++
++       return (authenticated);
++}
++
+ /*
+  * We only support those mechanisms that we know about (ie ones that we know
+  * how to check local user kuserok and the like)
+@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
+        if ((r = sshpkt_get_end(ssh)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+ 
+-       authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
++       authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
++           authctxt->pw));
+ 
+        if ((!use_privsep || mm_is_monitor()) &&
+            (displayname = ssh_gssapi_displayname()) != NULL)
+@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+        gssbuf.length = sshbuf_len(b);
+ 
+        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+-               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
++               authenticated = 
++                   PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+        else
+                logit("GSSAPI MIC check failed");
+ 
+@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+        return 0;
+ }
+ 
++Authmethod method_gsskeyex = {
++       "gssapi-keyex",
++       userauth_gsskeyex,
++       &options.gss_authentication
++};
++
+ Authmethod method_gssapi = {
+        "gssapi-with-mic",
+        userauth_gssapi,
+diff --git a/auth2.c b/auth2.c
+index ab8795895..96efe164c 100644
+--- a/auth2.c
++++ b/auth2.c
+@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
+ extern Authmethod method_kbdint;
+ extern Authmethod method_hostbased;
+ #ifdef GSSAPI
++extern Authmethod method_gsskeyex;
+ extern Authmethod method_gssapi;
+ #endif
+ 
+@@ -81,6 +82,7 @@ Authmethod *authmethods[] = {
+        &method_none,
+        &method_pubkey,
+ #ifdef GSSAPI
++       &method_gsskeyex,
+        &method_gssapi,
+ #endif
+        &method_passwd,
+diff --git a/canohost.c b/canohost.c
+index f71a08568..404731d24 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -35,6 +35,99 @@
+ #include "canohost.h"
+ #include "misc.h"
+ 
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++char *
++remote_hostname(struct ssh *ssh)
++{
++       struct sockaddr_storage from;
++       socklen_t fromlen;
++       struct addrinfo hints, *ai, *aitop;
++       char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++       const char *ntop = ssh_remote_ipaddr(ssh);
++
++       /* Get IP address of client. */
++       fromlen = sizeof(from);
++       memset(&from, 0, sizeof(from));
++       if (getpeername(ssh_packet_get_connection_in(ssh),
++           (struct sockaddr *)&from, &fromlen) < 0) {
++               debug("getpeername failed: %.100s", strerror(errno));
++               return strdup(ntop);
++       }
++
++       ipv64_normalise_mapped(&from, &fromlen);
++       if (from.ss_family == AF_INET6)
++               fromlen = sizeof(struct sockaddr_in6);
++
++       debug3("Trying to reverse map address %.100s.", ntop);
++       /* Map the IP address to a host name. */
++       if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++           NULL, 0, NI_NAMEREQD) != 0) {
++               /* Host name not found.  Use ip address. */
++               return strdup(ntop);
++       }
++
++       /*
++        * if reverse lookup result looks like a numeric hostname,
++        * someone is trying to trick us by PTR record like following:
++        *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
++        */
++       memset(&hints, 0, sizeof(hints));
++       hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++       hints.ai_flags = AI_NUMERICHOST;
++       if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++               logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++                   name, ntop);
++               freeaddrinfo(ai);
++               return strdup(ntop);
++       }
++
++       /* Names are stored in lowercase. */
++       lowercase(name);
++
++       /*
++        * Map it back to an IP address and check that the given
++        * address actually is an address of this host.  This is
++        * necessary because anyone with access to a name server can
++        * define arbitrary names for an IP address. Mapping from
++        * name to IP address can be trusted better (but can still be
++        * fooled if the intruder has access to the name server of
++        * the domain).
++        */
++       memset(&hints, 0, sizeof(hints));
++       hints.ai_family = from.ss_family;
++       hints.ai_socktype = SOCK_STREAM;
++       if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++               logit("reverse mapping checking getaddrinfo for %.700s "
++                   "[%s] failed.", name, ntop);
++               return strdup(ntop);
++       }
++       /* Look for the address from the list of addresses. */
++       for (ai = aitop; ai; ai = ai->ai_next) {
++               if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++                   sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++                   (strcmp(ntop, ntop2) == 0))
++                               break;
++       }
++       freeaddrinfo(aitop);
++       /* If we reached the end of the list, the address was not there. */
++       if (ai == NULL) {
++               /* Address not found for the host name. */
++               logit("Address %.100s maps to %.600s, but this does not "
++                   "map back to the address.", ntop, name);
++               return strdup(ntop);
++       }
++       return strdup(name);
++}
++
+ void
+ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
+ {
+diff --git a/canohost.h b/canohost.h
+index 26d62855a..0cadc9f18 100644
+--- a/canohost.h
++++ b/canohost.h
+@@ -15,6 +15,9 @@
+ #ifndef _CANOHOST_H
+ #define _CANOHOST_H
+ 
++struct ssh;
++
++char           *remote_hostname(struct ssh *);
+ char           *get_peer_ipaddr(int);
+ int             get_peer_port(int);
+ char           *get_local_ipaddr(int);
+diff --git a/clientloop.c b/clientloop.c
+index ad35cb7ba..e69c5141f 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -112,6 +112,10 @@
+ #include "ssherr.h"
+ #include "hostfile.h"
+ 
++#ifdef GSSAPI
++#include "ssh-gss.h"
++#endif
++
+ /* import options */
+ extern Options options;
+ 
+@@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+                        break;
+ 
+                /* Do channel operations unless rekeying in progress. */
+-               if (!ssh_packet_is_rekeying(ssh))
++               if (!ssh_packet_is_rekeying(ssh)) {
+                        channel_after_select(ssh, readset, writeset);
+ 
++#ifdef GSSAPI
++                       if (options.gss_renewal_rekey &&
++                           ssh_gssapi_credentials_updated(NULL)) {
++                               debug("credentials updated - forcing rekey");
++                               need_rekeying = 1;
++                       }
++#endif
++               }
++
+                /* Buffer input from the connection.  */
+                client_process_net_input(readset);
+ 
+diff --git a/config.h.in b/config.h.in
+index 7940b4c86..93295da07 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -1749,6 +1749,9 @@
+ /* Use btmp to log bad logins */
+ #undef USE_BTMP
+ 
++/* platform uses an in-memory credentials cache */
++#undef USE_CCAPI
++
+ /* Use libedit for sftp */
+ #undef USE_LIBEDIT
+ 
+@@ -1764,6 +1767,9 @@
+ /* Use PIPES instead of a socketpair() */
+ #undef USE_PIPES
+ 
++/* platform has the Security Authorization Session API */
++#undef USE_SECURITY_SESSION_API
++
+ /* Define if you have Solaris privileges */
+ #undef USE_SOLARIS_PRIVS
+ 
+diff --git a/configure.ac b/configure.ac
+index 83e530750..82428b241 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+            [Use tunnel device compatibility to OpenBSD])
+        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
+            [Prepend the address family to IP tunnel traffic])
++       AC_MSG_CHECKING([if we have the Security Authorization Session API])
++       AC_TRY_COMPILE([#include <Security/AuthSession.h>],
++               [SessionCreate(0, 0);],
++               [ac_cv_use_security_session_api="yes"
++                AC_DEFINE([USE_SECURITY_SESSION_API], [1], 
++                       [platform has the Security Authorization Session API])
++                LIBS="$LIBS -framework Security"
++                AC_MSG_RESULT([yes])],
++               [ac_cv_use_security_session_api="no"
++                AC_MSG_RESULT([no])])
++       AC_MSG_CHECKING([if we have an in-memory credentials cache])
++       AC_TRY_COMPILE(
++               [#include <Kerberos/Kerberos.h>],
++               [cc_context_t c;
++                (void) cc_initialize (&c, 0, NULL, NULL);],
++               [AC_DEFINE([USE_CCAPI], [1], 
++                       [platform uses an in-memory credentials cache])
++                LIBS="$LIBS -framework Security"
++                AC_MSG_RESULT([yes])
++                if test "x$ac_cv_use_security_session_api" = "xno"; then
++                       AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
++               fi],
++               [AC_MSG_RESULT([no])]
++       )
+        m4_pattern_allow([AU_IPv])
+        AC_CHECK_DECL([AU_IPv4], [],
+            AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
+diff --git a/gss-genr.c b/gss-genr.c
+index d56257b4a..285fc29a5 100644
+--- a/gss-genr.c
++++ b/gss-genr.c
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -41,12 +41,34 @@
+ #include "sshbuf.h"
+ #include "log.h"
+ #include "ssh2.h"
++#include "cipher.h"
++#include "kex.h"
++#include <openssl/evp.h>
+ 
+ #include "ssh-gss.h"
+ 
+ extern u_char *session_id2;
+ extern u_int session_id2_len;
+ 
++typedef struct {
++       char *encoded;
++       gss_OID oid;
++} ssh_gss_kex_mapping;
++
++/*
++ * XXX - It would be nice to find a more elegant way of handling the
++ * XXX   passing of the key exchange context to the userauth routines
++ */
++
++Gssctxt *gss_kex_context = NULL;
++
++static ssh_gss_kex_mapping *gss_enc2oid = NULL;
++
++int 
++ssh_gssapi_oid_table_ok(void) {
++       return (gss_enc2oid != NULL);
++}
++
+ /* sshbuf_get for gss_buffer_desc */
+ int
+ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
+@@ -62,6 +84,141 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
+        return 0;
+ }
+ 
++/*
++ * Return a list of the gss-group1-sha1 mechanisms supported by this program
++ *
++ * We test mechanisms to ensure that we can use them, to avoid starting
++ * a key exchange with a bad mechanism
++ */
++
++char *
++ssh_gssapi_client_mechanisms(const char *host, const char *client) {
++       gss_OID_set gss_supported;
++       OM_uint32 min_status;
++
++       if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
++               return NULL;
++
++       return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
++           host, client));
++}
++
++char *
++ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
++    const char *host, const char *client) {
++       struct sshbuf *buf;
++       size_t i;
++       int r, oidpos, enclen;
++       char *mechs, *encoded;
++       u_char digest[EVP_MAX_MD_SIZE];
++       char deroid[2];
++       const EVP_MD *evp_md = EVP_md5();
++       EVP_MD_CTX md;
++
++       if (gss_enc2oid != NULL) {
++               for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
++                       free(gss_enc2oid[i].encoded);
++               free(gss_enc2oid);
++       }
++
++       gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
++           (gss_supported->count + 1));
++
++       if ((buf = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++
++       oidpos = 0;
++       for (i = 0; i < gss_supported->count; i++) {
++               if (gss_supported->elements[i].length < 128 &&
++                   (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
++
++                       deroid[0] = SSH_GSS_OIDTYPE;
++                       deroid[1] = gss_supported->elements[i].length;
++
++                       EVP_DigestInit(&md, evp_md);
++                       EVP_DigestUpdate(&md, deroid, 2);
++                       EVP_DigestUpdate(&md,
++                           gss_supported->elements[i].elements,
++                           gss_supported->elements[i].length);
++                       EVP_DigestFinal(&md, digest, NULL);
++
++                       encoded = xmalloc(EVP_MD_size(evp_md) * 2);
++                       enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
++                           encoded, EVP_MD_size(evp_md) * 2);
++
++                       if (oidpos != 0) {
++                               if ((r = sshbuf_put_u8(buf, ',')) != 0)
++                                       fatal("%s: buffer error: %s",
++                                           __func__, ssh_err(r));
++                       }
++
++                       if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
++                           sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
++                           (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
++                           (r = sshbuf_put_u8(buf, ',')) != 0 ||
++                           (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
++                           sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
++                           (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
++                           (r = sshbuf_put_u8(buf, ',')) != 0 ||
++                           (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
++                           sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
++                           (r = sshbuf_put(buf, encoded, enclen)) != 0)
++                               fatal("%s: buffer error: %s",
++                                   __func__, ssh_err(r));
++
++                       gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
++                       gss_enc2oid[oidpos].encoded = encoded;
++                       oidpos++;
++               }
++       }
++       gss_enc2oid[oidpos].oid = NULL;
++       gss_enc2oid[oidpos].encoded = NULL;
++
++       if ((mechs = sshbuf_dup_string(buf)) == NULL)
++               fatal("%s: sshbuf_dup_string failed", __func__);
++
++       if (strlen(mechs) == 0) {
++               free(mechs);
++               mechs = NULL;
++       }
++       
++       return (mechs);
++}
++
++gss_OID
++ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
++       int i = 0;
++       
++       switch (kex_type) {
++       case KEX_GSS_GRP1_SHA1:
++               if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
++                       return GSS_C_NO_OID;
++               name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
++               break;
++       case KEX_GSS_GRP14_SHA1:
++               if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
++                       return GSS_C_NO_OID;
++               name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
++               break;
++       case KEX_GSS_GEX_SHA1:
++               if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
++                       return GSS_C_NO_OID;
++               name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
++               break;
++       default:
++               return GSS_C_NO_OID;
++       }
++
++       while (gss_enc2oid[i].encoded != NULL &&
++           strcmp(name, gss_enc2oid[i].encoded) != 0)
++               i++;
++
++       if (gss_enc2oid[i].oid != NULL && ctx != NULL)
++               ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
++
++       return gss_enc2oid[i].oid;
++}
++
+ /* Check that the OID in a data stream matches that in the context */
+ int
+ ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
+@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
+        }
+ 
+        ctx->major = gss_init_sec_context(&ctx->minor,
+-           GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
++           ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
+            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
+            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
+ 
+@@ -247,9 +404,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+        return (ctx->major);
+ }
+ 
++OM_uint32
++ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
++{
++       gss_buffer_desc gssbuf;
++       gss_name_t gssname;
++       OM_uint32 status;
++       gss_OID_set oidset;
++
++       gssbuf.value = (void *) name;
++       gssbuf.length = strlen(gssbuf.value);
++
++       gss_create_empty_oid_set(&status, &oidset);
++       gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
++       ctx->major = gss_import_name(&ctx->minor, &gssbuf,
++           GSS_C_NT_USER_NAME, &gssname);
++
++       if (!ctx->major)
++               ctx->major = gss_acquire_cred(&ctx->minor, 
++                   gssname, 0, oidset, GSS_C_INITIATE, 
++                   &ctx->client_creds, NULL, NULL);
++
++       gss_release_name(&status, &gssname);
++       gss_release_oid_set(&status, &oidset);
++
++       if (ctx->major)
++               ssh_gssapi_error(ctx);
++
++       return(ctx->major);
++}
++
+ OM_uint32
+ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+ {
++       if (ctx == NULL) 
++               return -1;
++
+        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
+            GSS_C_QOP_DEFAULT, buffer, hash)))
+                ssh_gssapi_error(ctx);
+@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+        return (ctx->major);
+ }
+ 
++/* Priviledged when used by server */
++OM_uint32
++ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
++{
++       if (ctx == NULL)
++               return -1;
++
++       ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
++           gssbuf, gssmic, NULL);
++
++       return (ctx->major);
++}
++
+ void
+ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
+     const char *context)
+@@ -273,11 +477,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
+ }
+ 
+ int
+-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
++ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 
++    const char *client)
+ {
+        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
++       Gssctxt *intctx = NULL;
++
++       if (ctx == NULL)
++               ctx = &intctx;
+ 
+        /* RFC 4462 says we MUST NOT do SPNEGO */
+        if (oid->length == spnego_oid.length && 
+@@ -287,6 +496,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+        ssh_gssapi_build_ctx(ctx);
+        ssh_gssapi_set_oid(*ctx, oid);
+        major = ssh_gssapi_import_name(*ctx, host);
++
++       if (!GSS_ERROR(major) && client)
++               major = ssh_gssapi_client_identity(*ctx, client);
++
+        if (!GSS_ERROR(major)) {
+                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
+                    NULL);
+@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+                            GSS_C_NO_BUFFER);
+        }
+ 
+-       if (GSS_ERROR(major)) 
++       if (GSS_ERROR(major) || intctx != NULL) 
+                ssh_gssapi_delete_ctx(ctx);
+ 
+        return (!GSS_ERROR(major));
+ }
+ 
++int
++ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
++       static gss_name_t saved_name = GSS_C_NO_NAME;
++       static OM_uint32 saved_lifetime = 0;
++       static gss_OID saved_mech = GSS_C_NO_OID;
++       static gss_name_t name;
++       static OM_uint32 last_call = 0;
++       OM_uint32 lifetime, now, major, minor;
++       int equal;
++       
++       now = time(NULL);
++
++       if (ctxt) {
++               debug("Rekey has happened - updating saved versions");
++
++               if (saved_name != GSS_C_NO_NAME)
++                       gss_release_name(&minor, &saved_name);
++
++               major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
++                   &saved_name, &saved_lifetime, NULL, NULL);
++
++               if (!GSS_ERROR(major)) {
++                       saved_mech = ctxt->oid;
++                       saved_lifetime+= now;
++               } else {
++                       /* Handle the error */
++               }
++               return 0;
++       }
++
++       if (now - last_call < 10)
++               return 0;
++
++       last_call = now;
++
++       if (saved_mech == GSS_C_NO_OID)
++               return 0;
++       
++       major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 
++           &name, &lifetime, NULL, NULL);
++       if (major == GSS_S_CREDENTIALS_EXPIRED)
++               return 0;
++       else if (GSS_ERROR(major))
++               return 0;
++
++       major = gss_compare_name(&minor, saved_name, name, &equal);
++       gss_release_name(&minor, &name);
++       if (GSS_ERROR(major))
++               return 0;
++
++       if (equal && (saved_lifetime < lifetime + now - 10))
++               return 1;
++
++       return 0;
++}
++
+ #endif /* GSSAPI */
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index a151bc1e4..90f8692f5 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+        krb5_error_code problem;
+        krb5_principal princ;
+        OM_uint32 maj_status, min_status;
+-       int len;
+        const char *errmsg;
++       const char *new_ccname;
+ 
+        if (client->creds == NULL) {
+                debug("No credentials stored");
+@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+                return;
+        }
+ 
+-       client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
++       new_ccname = krb5_cc_get_name(krb_context, ccache);
++
+        client->store.envvar = "KRB5CCNAME";
+-       len = strlen(client->store.filename) + 6;
+-       client->store.envval = xmalloc(len);
+-       snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
++#ifdef USE_CCAPI
++       xasprintf(&client->store.envval, "API:%s", new_ccname);
++       client->store.filename = NULL;
++#else
++       xasprintf(&client->store.envval, "FILE:%s", new_ccname);
++       client->store.filename = xstrdup(new_ccname);
++#endif
+ 
+ #ifdef USE_PAM
+        if (options.use_pam)
+@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+        return;
+ }
+ 
++int
++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 
++    ssh_gssapi_client *client)
++{
++       krb5_ccache ccache = NULL;
++       krb5_principal principal = NULL;
++       char *name = NULL;
++       krb5_error_code problem;
++       OM_uint32 maj_status, min_status;
++
++       if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
++                logit("krb5_cc_resolve(): %.100s",
++                    krb5_get_err_text(krb_context, problem));
++                return 0;
++               }
++       
++       /* Find out who the principal in this cache is */
++       if ((problem = krb5_cc_get_principal(krb_context, ccache, 
++           &principal))) {
++               logit("krb5_cc_get_principal(): %.100s",
++                   krb5_get_err_text(krb_context, problem));
++               krb5_cc_close(krb_context, ccache);
++               return 0;
++       }
++
++       if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
++               logit("krb5_unparse_name(): %.100s",
++                   krb5_get_err_text(krb_context, problem));
++               krb5_free_principal(krb_context, principal);
++               krb5_cc_close(krb_context, ccache);
++               return 0;
++       }
++
++
++       if (strcmp(name,client->exportedname.value)!=0) {
++               debug("Name in local credentials cache differs. Not storing");
++               krb5_free_principal(krb_context, principal);
++               krb5_cc_close(krb_context, ccache);
++               krb5_free_unparsed_name(krb_context, name);
++               return 0;
++       }
++       krb5_free_unparsed_name(krb_context, name);
++
++       /* Name matches, so lets get on with it! */
++
++       if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
++               logit("krb5_cc_initialize(): %.100s",
++                   krb5_get_err_text(krb_context, problem));
++               krb5_free_principal(krb_context, principal);
++               krb5_cc_close(krb_context, ccache);
++               return 0;
++       }
++
++       krb5_free_principal(krb_context, principal);
++
++       if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
++           ccache))) {
++               logit("gss_krb5_copy_ccache() failed. Sorry!");
++               krb5_cc_close(krb_context, ccache);
++               return 0;
++       }
++
++       return 1;
++}
++
+ ssh_gssapi_mech gssapi_kerberos_mech = {
+        "toWM5Slw5Ew8Mqkay+al2g==",
+        "Kerberos",
+@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+        NULL,
+        &ssh_gssapi_krb5_userok,
+        NULL,
+-       &ssh_gssapi_krb5_storecreds
++       &ssh_gssapi_krb5_storecreds,
++       &ssh_gssapi_krb5_updatecreds
+ };
+ 
+ #endif /* KRB5 */
+diff --git a/gss-serv.c b/gss-serv.c
+index ab3a15f0f..6c087a1b1 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -44,17 +44,22 @@
+ #include "session.h"
+ #include "misc.h"
+ #include "servconf.h"
++#include "uidswap.h"
+ 
+ #include "ssh-gss.h"
++#include "monitor_wrap.h"
++
++extern ServerOptions options;
+ 
+ extern ServerOptions options;
+ 
+ static ssh_gssapi_client gssapi_client =
+     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
++    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL,
++    {NULL, NULL, NULL, NULL, NULL}, 0, 0};
+ 
+ ssh_gssapi_mech gssapi_null_mech =
+-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
++    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
+ 
+ #ifdef KRB5
+ extern ssh_gssapi_mech gssapi_kerberos_mech;
+@@ -140,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+        return (ssh_gssapi_acquire_cred(*ctx));
+ }
+ 
++/* Unprivileged */
++char *
++ssh_gssapi_server_mechanisms(void) {
++       if (supported_oids == NULL)
++               ssh_gssapi_prepare_supported_oids();
++       return (ssh_gssapi_kex_mechs(supported_oids,
++           &ssh_gssapi_server_check_mech, NULL, NULL));
++}
++
++/* Unprivileged */
++int
++ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,
++    const char *dummy) {
++       Gssctxt *ctx = NULL;
++       int res;
++ 
++       res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
++       ssh_gssapi_delete_ctx(&ctx);
++
++       return (res);
++}
++
+ /* Unprivileged */
+ void
+ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+@@ -150,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+        gss_OID_set supported;
+ 
+        gss_create_empty_oid_set(&min_status, oidset);
+-       gss_indicate_mechs(&min_status, &supported);
++
++       if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
++               return;
+ 
+        while (supported_mechs[i]->name != NULL) {
+                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
+@@ -276,8 +305,48 @@ OM_uint32
+ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+ {
+        int i = 0;
++       int equal = 0;
++       gss_name_t new_name = GSS_C_NO_NAME;
++       gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
++
++       if (options.gss_store_rekey && client->used && ctx->client_creds) {
++               if (client->mech->oid.length != ctx->oid->length ||
++                   (memcmp(client->mech->oid.elements,
++                    ctx->oid->elements, ctx->oid->length) !=0)) {
++                       debug("Rekeyed credentials have different mechanism");
++                       return GSS_S_COMPLETE;
++               }
++
++               if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, 
++                   ctx->client_creds, ctx->oid, &new_name, 
++                   NULL, NULL, NULL))) {
++                       ssh_gssapi_error(ctx);
++                       return (ctx->major);
++               }
++
++               ctx->major = gss_compare_name(&ctx->minor, client->name, 
++                   new_name, &equal);
++
++               if (GSS_ERROR(ctx->major)) {
++                       ssh_gssapi_error(ctx);
++                       return (ctx->major);
++               }
++ 
++               if (!equal) {
++                       debug("Rekeyed credentials have different name");
++                       return GSS_S_COMPLETE;
++               }
+ 
+-       gss_buffer_desc ename;
++               debug("Marking rekeyed credentials for export");
++
++               gss_release_name(&ctx->minor, &client->name);
++               gss_release_cred(&ctx->minor, &client->creds);
++               client->name = new_name;
++               client->creds = ctx->client_creds;
++               ctx->client_creds = GSS_C_NO_CREDENTIAL;
++               client->updated = 1;
++               return GSS_S_COMPLETE;
++       }
+ 
+        client->mech = NULL;
+ 
+@@ -292,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+        if (client->mech == NULL)
+                return GSS_S_FAILURE;
+ 
++       if (ctx->client_creds &&
++           (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
++            ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {
++               ssh_gssapi_error(ctx);
++               return (ctx->major);
++       }
++
+        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
+            &client->displayname, NULL))) {
+                ssh_gssapi_error(ctx);
+@@ -309,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+                return (ctx->major);
+        }
+ 
++       gss_release_buffer(&ctx->minor, &ename);
++
+        /* We can't copy this structure, so we just move the pointer to it */
+        client->creds = ctx->client_creds;
+        ctx->client_creds = GSS_C_NO_CREDENTIAL;
+@@ -356,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
+ 
+ /* Privileged */
+ int
+-ssh_gssapi_userok(char *user)
++ssh_gssapi_userok(char *user, struct passwd *pw)
+ {
+        OM_uint32 lmin;
+ 
+@@ -366,9 +444,11 @@ ssh_gssapi_userok(char *user)
+                return 0;
+        }
+        if (gssapi_client.mech && gssapi_client.mech->userok)
+-               if ((*gssapi_client.mech->userok)(&gssapi_client, user))
++               if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
++                       gssapi_client.used = 1;
++                       gssapi_client.store.owner = pw;
+                        return 1;
+-               else {
++               } else {
+                        /* Destroy delegated credentials if userok fails */
+                        gss_release_buffer(&lmin, &gssapi_client.displayname);
+                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
+@@ -382,14 +462,90 @@ ssh_gssapi_userok(char *user)
+        return (0);
+ }
+ 
+-/* Privileged */
+-OM_uint32
+-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
++/* These bits are only used for rekeying. The unpriviledged child is running 
++ * as the user, the monitor is root.
++ *
++ * In the child, we want to :
++ *    *) Ask the monitor to store our credentials into the store we specify
++ *    *) If it succeeds, maybe do a PAM update
++ */
++
++/* Stuff for PAM */
++
++#ifdef USE_PAM
++static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, 
++    struct pam_response **resp, void *data)
+ {
+-       ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-           gssbuf, gssmic, NULL);
++       return (PAM_CONV_ERR);
++}
++#endif
+ 
+-       return (ctx->major);
++void
++ssh_gssapi_rekey_creds(void) {
++       int ok;
++       int ret;
++#ifdef USE_PAM
++       pam_handle_t *pamh = NULL;
++       struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
++       char *envstr;
++#endif
++
++       if (gssapi_client.store.filename == NULL && 
++           gssapi_client.store.envval == NULL &&
++           gssapi_client.store.envvar == NULL)
++               return;
++ 
++       ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
++
++       if (!ok)
++               return;
++
++       debug("Rekeyed credentials stored successfully");
++
++       /* Actually managing to play with the ssh pam stack from here will
++        * be next to impossible. In any case, we may want different options
++        * for rekeying. So, use our own :)
++        */
++#ifdef USE_PAM 
++       if (!use_privsep) {
++               debug("Not even going to try and do PAM with privsep disabled");
++               return;
++       }
++
++       ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
++           &pamconv, &pamh);
++       if (ret)
++               return;
++
++       xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, 
++           gssapi_client.store.envval);
++
++       ret = pam_putenv(pamh, envstr);
++       if (!ret)
++               pam_setcred(pamh, PAM_REINITIALIZE_CRED);
++       pam_end(pamh, PAM_SUCCESS);
++#endif
++}
++
++int 
++ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
++       int ok = 0;
++
++       /* Check we've got credentials to store */
++       if (!gssapi_client.updated)
++               return 0;
++
++       gssapi_client.updated = 0;
++
++       temporarily_use_uid(gssapi_client.store.owner);
++       if (gssapi_client.mech && gssapi_client.mech->updatecreds)
++               ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client);
++       else
++               debug("No update function for this mechanism");
++
++       restore_uid();
++
++       return ok;
+ }
+ 
+ /* Privileged */
+diff --git a/kex.c b/kex.c
+index 25f9f66f6..fb5bfaea5 100644
+--- a/kex.c
++++ b/kex.c
+@@ -54,6 +54,10 @@
+ #include "sshbuf.h"
+ #include "digest.h"
+ 
++#ifdef GSSAPI
++#include "ssh-gss.h"
++#endif
++
+ /* prototype */
+ static int kex_choose_conf(struct ssh *);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
+        { NULL, -1, -1, -1},
+ };
++static const struct kexalg kexalg_prefixes[] = {
++#ifdef GSSAPI
++       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++#endif
++       { NULL, -1, -1, -1 },
++};
+ 
+ char *
+ kex_alg_list(char sep)
+@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name)
+                if (strcmp(k->name, name) == 0)
+                        return k;
+        }
++       for (k = kexalg_prefixes; k->name != NULL; k++) {
++               if (strncmp(k->name, name, strlen(k->name)) == 0)
++                       return k;
++       }
+        return NULL;
+ }
+ 
+@@ -653,6 +669,9 @@ kex_free(struct kex *kex)
+        sshbuf_free(kex->peer);
+        sshbuf_free(kex->my);
+        free(kex->session_id);
++#ifdef GSSAPI
++       free(kex->gss_host);
++#endif /* GSSAPI */
+        free(kex->client_version_string);
+        free(kex->server_version_string);
+        free(kex->failed_choice);
+diff --git a/kex.h b/kex.h
+index 593de1208..4e5ead839 100644
+--- a/kex.h
++++ b/kex.h
+@@ -100,6 +100,9 @@ enum kex_exchange {
+        KEX_DH_GEX_SHA256,
+        KEX_ECDH_SHA2,
+        KEX_C25519_SHA256,
++       KEX_GSS_GRP1_SHA1,
++       KEX_GSS_GRP14_SHA1,
++       KEX_GSS_GEX_SHA1,
+        KEX_MAX
+ };
+ 
+@@ -148,6 +151,12 @@ struct kex {
+        u_int   flags;
+        int     hash_alg;
+        int     ec_nid;
++#ifdef GSSAPI
++       int     gss_deleg_creds;
++       int     gss_trust_dns;
++       char    *gss_host;
++       char    *gss_client;
++#endif
+        char    *client_version_string;
+        char    *server_version_string;
+        char    *failed_choice;
+@@ -198,6 +207,11 @@ int         kexecdh_server(struct ssh *);
+ int     kexc25519_client(struct ssh *);
+ int     kexc25519_server(struct ssh *);
+ 
++#ifdef GSSAPI
++int     kexgss_client(struct ssh *);
++int     kexgss_server(struct ssh *);
++#endif
++
+ int     kex_dh_hash(int, const char *, const char *,
+     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+     const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
+diff --git a/kexgssc.c b/kexgssc.c
+new file mode 100644
+index 000000000..953c0a248
+--- /dev/null
++++ b/kexgssc.c
+@@ -0,0 +1,338 @@
++/*
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "includes.h"
++
++#ifdef GSSAPI
++
++#include "includes.h"
++
++#include <openssl/crypto.h>
++#include <openssl/bn.h>
++
++#include <string.h>
++
++#include "xmalloc.h"
++#include "sshbuf.h"
++#include "ssh2.h"
++#include "sshkey.h"
++#include "cipher.h"
++#include "kex.h"
++#include "log.h"
++#include "packet.h"
++#include "dh.h"
++#include "digest.h"
++
++#include "ssh-gss.h"
++
++int
++kexgss_client(struct ssh *ssh) {
++       gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
++       gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
++       Gssctxt *ctxt;
++       OM_uint32 maj_status, min_status, ret_flags;
++       u_int klen, kout, slen = 0, strlen;
++       DH *dh; 
++       BIGNUM *dh_server_pub = NULL;
++       BIGNUM *shared_secret = NULL;
++       BIGNUM *p = NULL;
++       BIGNUM *g = NULL;       
++       u_char *kbuf;
++       u_char *serverhostkey = NULL;
++       u_char *empty = "";
++       char *msg;
++       int type = 0;
++       int first = 1;
++       int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
++       u_char hash[SSH_DIGEST_MAX_LENGTH];
++       size_t hashlen;
++
++       /* Initialise our GSSAPI world */       
++       ssh_gssapi_build_ctx(&ctxt);
++       if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) 
++           == GSS_C_NO_OID)
++               fatal("Couldn't identify host exchange");
++
++       if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
++               fatal("Couldn't import hostname");
++
++       if (ssh->kex->gss_client && 
++           ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
++               fatal("Couldn't acquire client credentials");
++
++       switch (ssh->kex->kex_type) {
++       case KEX_GSS_GRP1_SHA1:
++               dh = dh_new_group1();
++               break;
++       case KEX_GSS_GRP14_SHA1:
++               dh = dh_new_group14();
++               break;
++       case KEX_GSS_GEX_SHA1:
++               debug("Doing group exchange\n");
++               nbits = dh_estimate(ssh->kex->we_need * 8);
++               packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
++               packet_put_int(min);
++               packet_put_int(nbits);
++               packet_put_int(max);
++
++               packet_send();
++
++               packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
++
++               if ((p = BN_new()) == NULL)
++                       fatal("BN_new() failed");
++               packet_get_bignum2(p);
++               if ((g = BN_new()) == NULL)
++                       fatal("BN_new() failed");
++               packet_get_bignum2(g);
++               packet_check_eom();
++
++               if (BN_num_bits(p) < min || BN_num_bits(p) > max)
++                       fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
++                           min, BN_num_bits(p), max);
++
++               dh = dh_new_group(g, p);
++               break;
++       default:
++               fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
++       }
++       
++       /* Step 1 - e is dh->pub_key */
++       dh_gen_key(dh, ssh->kex->we_need * 8);
++
++       /* This is f, we initialise it now to make life easier */
++       dh_server_pub = BN_new();
++       if (dh_server_pub == NULL)
++               fatal("dh_server_pub == NULL");
++
++       token_ptr = GSS_C_NO_BUFFER;
++                        
++       do {
++               debug("Calling gss_init_sec_context");
++               
++               maj_status = ssh_gssapi_init_ctx(ctxt,
++                   ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
++                   &ret_flags);
++
++               if (GSS_ERROR(maj_status)) {
++                       if (send_tok.length != 0) {
++                               packet_start(SSH2_MSG_KEXGSS_CONTINUE);
++                               packet_put_string(send_tok.value,
++                                   send_tok.length);
++                       }
++                       fatal("gss_init_context failed");
++               }
++
++               /* If we've got an old receive buffer get rid of it */
++               if (token_ptr != GSS_C_NO_BUFFER)
++                       free(recv_tok.value);
++
++               if (maj_status == GSS_S_COMPLETE) {
++                       /* If mutual state flag is not true, kex fails */
++                       if (!(ret_flags & GSS_C_MUTUAL_FLAG))
++                               fatal("Mutual authentication failed");
++
++                       /* If integ avail flag is not true kex fails */
++                       if (!(ret_flags & GSS_C_INTEG_FLAG))
++                               fatal("Integrity check failed");
++               }
++
++               /* 
++                * If we have data to send, then the last message that we
++                * received cannot have been a 'complete'. 
++                */
++               if (send_tok.length != 0) {
++                       if (first) {
++                               packet_start(SSH2_MSG_KEXGSS_INIT);
++                               packet_put_string(send_tok.value,
++                                   send_tok.length);
++                               packet_put_bignum2(dh->pub_key);
++                               first = 0;
++                       } else {
++                               packet_start(SSH2_MSG_KEXGSS_CONTINUE);
++                               packet_put_string(send_tok.value,
++                                   send_tok.length);
++                       }
++                       packet_send();
++                       gss_release_buffer(&min_status, &send_tok);
++
++                       /* If we've sent them data, they should reply */
++                       do {    
++                               type = packet_read();
++                               if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
++                                       debug("Received KEXGSS_HOSTKEY");
++                                       if (serverhostkey)
++                                               fatal("Server host key received more than once");
++                                       serverhostkey = 
++                                           packet_get_string(&slen);
++                               }
++                       } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
++
++                       switch (type) {
++                       case SSH2_MSG_KEXGSS_CONTINUE:
++                               debug("Received GSSAPI_CONTINUE");
++                               if (maj_status == GSS_S_COMPLETE) 
++                                       fatal("GSSAPI Continue received from server when complete");
++                               recv_tok.value = packet_get_string(&strlen);
++                               recv_tok.length = strlen; 
++                               break;
++                       case SSH2_MSG_KEXGSS_COMPLETE:
++                               debug("Received GSSAPI_COMPLETE");
++                               packet_get_bignum2(dh_server_pub);
++                               msg_tok.value =  packet_get_string(&strlen);
++                               msg_tok.length = strlen; 
++
++                               /* Is there a token included? */
++                               if (packet_get_char()) {
++                                       recv_tok.value=
++                                           packet_get_string(&strlen);
++                                       recv_tok.length = strlen;
++                                       /* If we're already complete - protocol error */
++                                       if (maj_status == GSS_S_COMPLETE)
++                                               packet_disconnect("Protocol error: received token when complete");
++                                       } else {
++                                               /* No token included */
++                                               if (maj_status != GSS_S_COMPLETE)
++                                                       packet_disconnect("Protocol error: did not receive final token");
++                               }
++                               break;
++                       case SSH2_MSG_KEXGSS_ERROR:
++                               debug("Received Error");
++                               maj_status = packet_get_int();
++                               min_status = packet_get_int();
++                               msg = packet_get_string(NULL);
++                               (void) packet_get_string_ptr(NULL);
++                               fatal("GSSAPI Error: \n%.400s",msg);
++                       default:
++                               packet_disconnect("Protocol error: didn't expect packet type %d",
++                               type);
++                       }
++                       token_ptr = &recv_tok;
++               } else {
++                       /* No data, and not complete */
++                       if (maj_status != GSS_S_COMPLETE)
++                               fatal("Not complete, and no token output");
++               }
++       } while (maj_status & GSS_S_CONTINUE_NEEDED);
++
++       /* 
++        * We _must_ have received a COMPLETE message in reply from the 
++        * server, which will have set dh_server_pub and msg_tok 
++        */
++
++       if (type != SSH2_MSG_KEXGSS_COMPLETE)
++               fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
++
++       /* Check f in range [1, p-1] */
++       if (!dh_pub_is_valid(dh, dh_server_pub))
++               packet_disconnect("bad server public DH value");
++
++       /* compute K=f^x mod p */
++       klen = DH_size(dh);
++       kbuf = xmalloc(klen);
++       kout = DH_compute_key(kbuf, dh_server_pub, dh);
++       if (kout < 0)
++               fatal("DH_compute_key: failed");
++
++       shared_secret = BN_new();
++       if (shared_secret == NULL)
++               fatal("kexgss_client: BN_new failed");
++
++       if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
++               fatal("kexdh_client: BN_bin2bn failed");
++
++       memset(kbuf, 0, klen);
++       free(kbuf);
++
++       hashlen = sizeof(hash);
++       switch (ssh->kex->kex_type) {
++       case KEX_GSS_GRP1_SHA1:
++       case KEX_GSS_GRP14_SHA1:
++               kex_dh_hash(
++                   ssh->kex->hash_alg,
++                   ssh->kex->client_version_string,
++                   ssh->kex->server_version_string,
++                   sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
++                   sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
++                   (serverhostkey ? serverhostkey : empty), slen,
++                   dh->pub_key,        /* e */
++                   dh_server_pub,      /* f */
++                   shared_secret,      /* K */
++                   hash, &hashlen
++               );
++               break;
++       case KEX_GSS_GEX_SHA1:
++               kexgex_hash(
++                   ssh->kex->hash_alg,
++                   ssh->kex->client_version_string,
++                   ssh->kex->server_version_string,
++                   sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
++                   sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
++                   (serverhostkey ? serverhostkey : empty), slen,
++                   min, nbits, max,
++                   dh->p, dh->g,
++                   dh->pub_key,
++                   dh_server_pub,
++                   shared_secret,
++                   hash, &hashlen
++               );
++               break;
++       default:
++               fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
++       }
++
++       gssbuf.value = hash;
++       gssbuf.length = hashlen;
++
++       /* Verify that the hash matches the MIC we just got. */
++       if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
++               packet_disconnect("Hash's MIC didn't verify");
++
++       free(msg_tok.value);
++
++       DH_free(dh);
++       free(serverhostkey);
++       BN_clear_free(dh_server_pub);
++
++       /* save session id */
++       if (ssh->kex->session_id == NULL) {
++               ssh->kex->session_id_len = hashlen;
++               ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
++               memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
++       }
++
++       if (ssh->kex->gss_deleg_creds)
++               ssh_gssapi_credentials_updated(ctxt);
++
++       if (gss_kex_context == NULL)
++               gss_kex_context = ctxt;
++       else
++               ssh_gssapi_delete_ctx(&ctxt);
++
++       kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
++       BN_clear_free(shared_secret);
++       return kex_send_newkeys(ssh);
++}
++
++#endif /* GSSAPI */
+diff --git a/kexgsss.c b/kexgsss.c
+new file mode 100644
+index 000000000..31ec6a890
+--- /dev/null
++++ b/kexgsss.c
+@@ -0,0 +1,295 @@
++/*
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "includes.h"
++
++#ifdef GSSAPI
++
++#include <string.h>
++
++#include <openssl/crypto.h>
++#include <openssl/bn.h>
++
++#include "xmalloc.h"
++#include "sshbuf.h"
++#include "ssh2.h"
++#include "sshkey.h"
++#include "cipher.h"
++#include "kex.h"
++#include "log.h"
++#include "packet.h"
++#include "dh.h"
++#include "ssh-gss.h"
++#include "monitor_wrap.h"
++#include "misc.h"
++#include "servconf.h"
++#include "digest.h"
++
++extern ServerOptions options;
++
++int
++kexgss_server(struct ssh *ssh)
++{
++       OM_uint32 maj_status, min_status;
++       
++       /* 
++        * Some GSSAPI implementations use the input value of ret_flags (an
++        * output variable) as a means of triggering mechanism specific 
++        * features. Initializing it to zero avoids inadvertently 
++        * activating this non-standard behaviour.
++        */
++
++       OM_uint32 ret_flags = 0;
++       gss_buffer_desc gssbuf, recv_tok, msg_tok;
++       gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
++       Gssctxt *ctxt = NULL;
++       u_int slen, klen, kout;
++       u_char *kbuf;
++       DH *dh;
++       int min = -1, max = -1, nbits = -1;
++       BIGNUM *shared_secret = NULL;
++       BIGNUM *dh_client_pub = NULL;
++       int type = 0;
++       gss_OID oid;
++       char *mechs;
++       u_char hash[SSH_DIGEST_MAX_LENGTH];
++       size_t hashlen;
++
++       /* Initialise GSSAPI */
++
++       /* If we're rekeying, privsep means that some of the private structures
++        * in the GSSAPI code are no longer available. This kludges them back
++        * into life
++        */
++       if (!ssh_gssapi_oid_table_ok()) {
++               mechs = ssh_gssapi_server_mechanisms();
++               free(mechs);
++       }
++
++       debug2("%s: Identifying %s", __func__, ssh->kex->name);
++       oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type);
++       if (oid == GSS_C_NO_OID)
++          fatal("Unknown gssapi mechanism");
++
++       debug2("%s: Acquiring credentials", __func__);
++
++       if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
++               fatal("Unable to acquire credentials for the server");
++
++       switch (ssh->kex->kex_type) {
++       case KEX_GSS_GRP1_SHA1:
++               dh = dh_new_group1();
++               break;
++       case KEX_GSS_GRP14_SHA1:
++               dh = dh_new_group14();
++               break;
++       case KEX_GSS_GEX_SHA1:
++               debug("Doing group exchange");
++               packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
++               min = packet_get_int();
++               nbits = packet_get_int();
++               max = packet_get_int();
++               packet_check_eom();
++               if (max < min || nbits < min || max < nbits)
++                       fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
++                           min, nbits, max);
++               dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min),
++                   nbits, MIN(DH_GRP_MAX, max)));
++               if (dh == NULL)
++                       packet_disconnect("Protocol error: no matching group found");
++
++               packet_start(SSH2_MSG_KEXGSS_GROUP);
++               packet_put_bignum2(dh->p);
++               packet_put_bignum2(dh->g);
++               packet_send();
++
++               packet_write_wait();
++               break;
++       default:
++               fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
++       }
++
++       dh_gen_key(dh, ssh->kex->we_need * 8);
++
++       do {
++               debug("Wait SSH2_MSG_GSSAPI_INIT");
++               type = packet_read();
++               switch(type) {
++               case SSH2_MSG_KEXGSS_INIT:
++                       if (dh_client_pub != NULL) 
++                               fatal("Received KEXGSS_INIT after initialising");
++                       recv_tok.value = packet_get_string(&slen);
++                       recv_tok.length = slen; 
++
++                       if ((dh_client_pub = BN_new()) == NULL)
++                               fatal("dh_client_pub == NULL");
++
++                       packet_get_bignum2(dh_client_pub);
++
++                       /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
++                       break;
++               case SSH2_MSG_KEXGSS_CONTINUE:
++                       recv_tok.value = packet_get_string(&slen);
++                       recv_tok.length = slen; 
++                       break;
++               default:
++                       packet_disconnect(
++                           "Protocol error: didn't expect packet type %d",
++                           type);
++               }
++
++               maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 
++                   &send_tok, &ret_flags));
++
++               free(recv_tok.value);
++
++               if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
++                       fatal("Zero length token output when incomplete");
++
++               if (dh_client_pub == NULL)
++                       fatal("No client public key");
++               
++               if (maj_status & GSS_S_CONTINUE_NEEDED) {
++                       debug("Sending GSSAPI_CONTINUE");
++                       packet_start(SSH2_MSG_KEXGSS_CONTINUE);
++                       packet_put_string(send_tok.value, send_tok.length);
++                       packet_send();
++                       gss_release_buffer(&min_status, &send_tok);
++               }
++       } while (maj_status & GSS_S_CONTINUE_NEEDED);
++
++       if (GSS_ERROR(maj_status)) {
++               if (send_tok.length > 0) {
++                       packet_start(SSH2_MSG_KEXGSS_CONTINUE);
++                       packet_put_string(send_tok.value, send_tok.length);
++                       packet_send();
++               }
++               fatal("accept_ctx died");
++       }
++
++       if (!(ret_flags & GSS_C_MUTUAL_FLAG))
++               fatal("Mutual Authentication flag wasn't set");
++
++       if (!(ret_flags & GSS_C_INTEG_FLAG))
++               fatal("Integrity flag wasn't set");
++       
++       if (!dh_pub_is_valid(dh, dh_client_pub))
++               packet_disconnect("bad client public DH value");
++
++       klen = DH_size(dh);
++       kbuf = xmalloc(klen); 
++       kout = DH_compute_key(kbuf, dh_client_pub, dh);
++       if (kout < 0)
++               fatal("DH_compute_key: failed");
++
++       shared_secret = BN_new();
++       if (shared_secret == NULL)
++               fatal("kexgss_server: BN_new failed");
++
++       if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
++               fatal("kexgss_server: BN_bin2bn failed");
++
++       memset(kbuf, 0, klen);
++       free(kbuf);
++
++       hashlen = sizeof(hash);
++       switch (ssh->kex->kex_type) {
++       case KEX_GSS_GRP1_SHA1:
++       case KEX_GSS_GRP14_SHA1:
++               kex_dh_hash(
++                   ssh->kex->hash_alg,
++                   ssh->kex->client_version_string, ssh->kex->server_version_string,
++                   sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
++                   sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
++                   NULL, 0, /* Change this if we start sending host keys */
++                   dh_client_pub, dh->pub_key, shared_secret,
++                   hash, &hashlen
++               );
++               break;
++       case KEX_GSS_GEX_SHA1:
++               kexgex_hash(
++                   ssh->kex->hash_alg,
++                   ssh->kex->client_version_string, ssh->kex->server_version_string,
++                   sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
++                   sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
++                   NULL, 0,
++                   min, nbits, max,
++                   dh->p, dh->g,
++                   dh_client_pub,
++                   dh->pub_key,
++                   shared_secret,
++                   hash, &hashlen
++               );
++               break;
++       default:
++               fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
++       }
++
++       BN_clear_free(dh_client_pub);
++
++       if (ssh->kex->session_id == NULL) {
++               ssh->kex->session_id_len = hashlen;
++               ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
++               memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
++       }
++
++       gssbuf.value = hash;
++       gssbuf.length = hashlen;
++
++       if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
++               fatal("Couldn't get MIC");
++
++       packet_start(SSH2_MSG_KEXGSS_COMPLETE);
++       packet_put_bignum2(dh->pub_key);
++       packet_put_string(msg_tok.value,msg_tok.length);
++
++       if (send_tok.length != 0) {
++               packet_put_char(1); /* true */
++               packet_put_string(send_tok.value, send_tok.length);
++       } else {
++               packet_put_char(0); /* false */
++       }
++       packet_send();
++
++       gss_release_buffer(&min_status, &send_tok);
++       gss_release_buffer(&min_status, &msg_tok);
++
++       if (gss_kex_context == NULL)
++               gss_kex_context = ctxt;
++       else 
++               ssh_gssapi_delete_ctx(&ctxt);
++
++       DH_free(dh);
++
++       kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
++       BN_clear_free(shared_secret);
++       kex_send_newkeys(ssh);
++
++       /* If this was a rekey, then save out any delegated credentials we
++        * just exchanged.  */
++       if (options.gss_store_rekey)
++               ssh_gssapi_rekey_creds();
++       return 0;
++}
++#endif /* GSSAPI */
+diff --git a/monitor.c b/monitor.c
+index d4b4b0471..4e574a2ae 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *);
+ int mm_answer_gss_accept_ctx(int, struct sshbuf *);
+ int mm_answer_gss_userok(int, struct sshbuf *);
+ int mm_answer_gss_checkmic(int, struct sshbuf *);
++int mm_answer_gss_sign(int, struct sshbuf *);
++int mm_answer_gss_updatecreds(int, struct sshbuf *);
+ #endif
+ 
+ #ifdef SSH_AUDIT_EVENTS
+@@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = {
+     {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+     {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
+     {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
++    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ #endif
+     {0, 0, NULL}
+ };
+ 
+ struct mon_table mon_dispatch_postauth20[] = {
++#ifdef GSSAPI
++    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
++    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
++    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
++    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
++#endif
+ #ifdef WITH_OPENSSL
+     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+ #endif
+@@ -287,6 +296,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+        /* Permit requests for moduli and signatures */
+        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
++#ifdef GSSAPI
++       /* and for the GSSAPI key exchange */
++       monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++#endif
+ 
+        /* The first few requests do not require asynchronous access */
+        while (!authenticated) {
+@@ -399,6 +412,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
++#ifdef GSSAPI
++       /* and for the GSSAPI key exchange */
++       monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++#endif         
+ 
+        if (auth_opts->permit_pty_flag) {
+                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
+@@ -1662,6 +1679,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+ # endif
+ #endif /* WITH_OPENSSL */
+                kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#ifdef GSSAPI
++               if (options.gss_keyex) {
++                       kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
++                       kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
++                       kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
++               }
++#endif
+                kex->load_host_public_key=&get_hostkey_public_by_type;
+                kex->load_host_private_key=&get_hostkey_private_by_type;
+                kex->host_key_index=&get_hostkey_index;
+@@ -1752,8 +1776,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
+        u_char *p;
+        int r;
+ 
+-       if (!options.gss_authentication)
+-               fatal("%s: GSSAPI authentication not enabled", __func__);
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
+ 
+        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -1785,8 +1809,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
+        OM_uint32 flags = 0; /* GSI needs this */
+        int r;
+ 
+-       if (!options.gss_authentication)
+-               fatal("%s: GSSAPI authentication not enabled", __func__);
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
+ 
+        if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -1806,6 +1830,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
++               monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
+        }
+        return (0);
+ }
+@@ -1817,8 +1842,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
+        OM_uint32 ret;
+        int r;
+ 
+-       if (!options.gss_authentication)
+-               fatal("%s: GSSAPI authentication not enabled", __func__);
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
+ 
+        if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
+            (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
+@@ -1847,10 +1872,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
+        int r, authenticated;
+        const char *displayname;
+ 
+-       if (!options.gss_authentication)
+-               fatal("%s: GSSAPI authentication not enabled", __func__);
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
+ 
+-       authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
++       authenticated = authctxt->valid && 
++           ssh_gssapi_userok(authctxt->user, authctxt->pw);
+ 
+        sshbuf_reset(m);
+        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
+@@ -1867,5 +1893,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
+        /* Monitor loop will terminate if authenticated */
+        return (authenticated);
+ }
++
++int 
++mm_answer_gss_sign(int socket, struct sshbuf *m)
++{
++       gss_buffer_desc data;
++       gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
++       OM_uint32 major, minor;
++       size_t len;
++       u_char *p;
++       int r;
++
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
++
++       if ((r = sshbuf_get_string(m, &p, &len)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++       data.value = p;
++       data.length = len;
++       if (data.length != 20) 
++               fatal("%s: data length incorrect: %d", __func__, 
++                   (int) data.length);
++
++       /* Save the session ID on the first time around */
++       if (session_id2_len == 0) {
++               session_id2_len = data.length;
++               session_id2 = xmalloc(session_id2_len);
++               memcpy(session_id2, data.value, session_id2_len);
++       }
++       major = ssh_gssapi_sign(gsscontext, &data, &hash);
++
++       free(data.value);
++
++       sshbuf_reset(m);
++       if ((r = sshbuf_put_u32(m, major)) != 0 ||
++           (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
++
++       gss_release_buffer(&minor, &hash);
++
++       /* Turn on getpwnam permissions */
++       monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
++       
++       /* And credential updating, for when rekeying */
++       monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
++
++       return (0);
++}
++
++int
++mm_answer_gss_updatecreds(int socket, struct sshbuf *m) {
++       ssh_gssapi_ccache store;
++       int r, ok;
++
++       if (!options.gss_authentication && !options.gss_keyex)
++               fatal("%s: GSSAPI not enabled", __func__);
++
++       if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 ||
++           (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 ||
++           (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       ok = ssh_gssapi_update_creds(&store);
++
++       free(store.filename);
++       free(store.envvar);
++       free(store.envval);
++
++       sshbuf_reset(m);
++       if ((r = sshbuf_put_u32(m, ok)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
++
++       return(0);
++}
++
+ #endif /* GSSAPI */
+ 
+diff --git a/monitor.h b/monitor.h
+index 16047299f..44fbed589 100644
+--- a/monitor.h
++++ b/monitor.h
+@@ -63,6 +63,9 @@ enum monitor_reqtype {
+        MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+        MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+ 
++       MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
++       MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
++
+ };
+ 
+ struct monitor {
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 732fb3476..1865a122a 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+ }
+ 
+ int
+-mm_ssh_gssapi_userok(char *user)
++mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+ {
+        struct sshbuf *m;
+        int r, authenticated = 0;
+@@ -1003,4 +1003,55 @@ mm_ssh_gssapi_userok(char *user)
+        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
+        return (authenticated);
+ }
++
++OM_uint32
++mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
++{
++       struct sshbuf *m;
++       OM_uint32 major;
++       int r;
++
++       if ((m = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++       if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
++       mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
++
++       if ((r = sshbuf_get_u32(m, &major)) != 0 ||
++           (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       sshbuf_free(m);
++
++       return(major);
++}
++
++int
++mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
++{
++       struct sshbuf *m;
++       int r, ok;
++
++       if ((m = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++       if ((r = sshbuf_put_cstring(m,
++           store->filename ? store->filename : "")) != 0 ||
++           (r = sshbuf_put_cstring(m,
++           store->envvar ? store->envvar : "")) != 0 ||
++           (r = sshbuf_put_cstring(m,
++           store->envval ? store->envval : "")) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
++       mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
++
++       if ((r = sshbuf_get_u32(m, &ok)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++       sshbuf_free(m);
++
++       return (ok);
++}
++
+ #endif /* GSSAPI */
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 644da081d..7f93144ff 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+ OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
+    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
+-int mm_ssh_gssapi_userok(char *user);
++int mm_ssh_gssapi_userok(char *user, struct passwd *);
+ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
++OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
++int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
+ #endif
+ 
+ #ifdef USE_PAM
+diff --git a/readconf.c b/readconf.c
+index db5f2d547..4ad3c75fe 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,8 @@ typedef enum {
+        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++       oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
++       oGssServerIdentity, 
+        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+        oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+        oHashKnownHosts,
+@@ -201,10 +203,20 @@ static struct {
+        /* Sometimes-unsupported options */
+ #if defined(GSSAPI)
+        { "gssapiauthentication", oGssAuthentication },
++       { "gssapikeyexchange", oGssKeyEx },
+        { "gssapidelegatecredentials", oGssDelegateCreds },
++       { "gssapitrustdns", oGssTrustDns },
++       { "gssapiclientidentity", oGssClientIdentity },
++       { "gssapiserveridentity", oGssServerIdentity },
++       { "gssapirenewalforcesrekey", oGssRenewalRekey },
+ # else
+        { "gssapiauthentication", oUnsupported },
++       { "gssapikeyexchange", oUnsupported },
+        { "gssapidelegatecredentials", oUnsupported },
++       { "gssapitrustdns", oUnsupported },
++       { "gssapiclientidentity", oUnsupported },
++       { "gssapiserveridentity", oUnsupported },
++       { "gssapirenewalforcesrekey", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+        { "smartcarddevice", oPKCS11Provider },
+@@ -973,10 +985,30 @@ parse_time:
+                intptr = &options->gss_authentication;
+                goto parse_flag;
+ 
++       case oGssKeyEx:
++               intptr = &options->gss_keyex;
++               goto parse_flag;
++
+        case oGssDelegateCreds:
+                intptr = &options->gss_deleg_creds;
+                goto parse_flag;
+ 
++       case oGssTrustDns:
++               intptr = &options->gss_trust_dns;
++               goto parse_flag;
++
++       case oGssClientIdentity:
++               charptr = &options->gss_client_identity;
++               goto parse_string;
++
++       case oGssServerIdentity:
++               charptr = &options->gss_server_identity;
++               goto parse_string;
++
++       case oGssRenewalRekey:
++               intptr = &options->gss_renewal_rekey;
++               goto parse_flag;
++
+        case oBatchMode:
+                intptr = &options->batch_mode;
+                goto parse_flag;
+@@ -1817,7 +1849,12 @@ initialize_options(Options * options)
+        options->pubkey_authentication = -1;
+        options->challenge_response_authentication = -1;
+        options->gss_authentication = -1;
++       options->gss_keyex = -1;
+        options->gss_deleg_creds = -1;
++       options->gss_trust_dns = -1;
++       options->gss_renewal_rekey = -1;
++       options->gss_client_identity = NULL;
++       options->gss_server_identity = NULL;
+        options->password_authentication = -1;
+        options->kbd_interactive_authentication = -1;
+        options->kbd_interactive_devices = NULL;
+@@ -1962,8 +1999,14 @@ fill_default_options(Options * options)
+                options->challenge_response_authentication = 1;
+        if (options->gss_authentication == -1)
+                options->gss_authentication = 0;
++       if (options->gss_keyex == -1)
++               options->gss_keyex = 0;
+        if (options->gss_deleg_creds == -1)
+                options->gss_deleg_creds = 0;
++       if (options->gss_trust_dns == -1)
++               options->gss_trust_dns = 0;
++       if (options->gss_renewal_rekey == -1)
++               options->gss_renewal_rekey = 0;
+        if (options->password_authentication == -1)
+                options->password_authentication = 1;
+        if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index c56887816..5ea0c296b 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -40,7 +40,12 @@ typedef struct {
+        int     challenge_response_authentication;
+                                        /* Try S/Key or TIS, authentication. */
+        int     gss_authentication;     /* Try GSS authentication */
++       int     gss_keyex;              /* Try GSS key exchange */
+        int     gss_deleg_creds;        /* Delegate GSS credentials */
++       int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
++       int     gss_renewal_rekey;      /* Credential renewal forces rekey */
++       char    *gss_client_identity;   /* Principal to initiate GSSAPI with */
++       char    *gss_server_identity;   /* GSSAPI target principal */
+        int     password_authentication;        /* Try password
+                                                 * authentication. */
+        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/servconf.c b/servconf.c
+index c0f6af0be..e1ae07fb7 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options)
+        options->kerberos_ticket_cleanup = -1;
+        options->kerberos_get_afs_token = -1;
+        options->gss_authentication=-1;
++       options->gss_keyex = -1;
+        options->gss_cleanup_creds = -1;
+        options->gss_strict_acceptor = -1;
++       options->gss_store_rekey = -1;
+        options->password_authentication = -1;
+        options->kbd_interactive_authentication = -1;
+        options->challenge_response_authentication = -1;
+@@ -333,10 +335,14 @@ fill_default_server_options(ServerOptions *options)
+                options->kerberos_get_afs_token = 0;
+        if (options->gss_authentication == -1)
+                options->gss_authentication = 0;
++       if (options->gss_keyex == -1)
++               options->gss_keyex = 0;
+        if (options->gss_cleanup_creds == -1)
+                options->gss_cleanup_creds = 1;
+        if (options->gss_strict_acceptor == -1)
+                options->gss_strict_acceptor = 1;
++       if (options->gss_store_rekey == -1)
++               options->gss_store_rekey = 0;
+        if (options->password_authentication == -1)
+                options->password_authentication = 1;
+        if (options->kbd_interactive_authentication == -1)
+@@ -481,6 +487,7 @@ typedef enum {
+        sHostKeyAlgorithms,
+        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++       sGssKeyEx, sGssStoreRekey,
+        sAcceptEnv, sSetEnv, sPermitTunnel,
+        sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
+        sUsePrivilegeSeparation, sAllowAgentForwarding,
+@@ -555,12 +562,20 @@ static struct {
+ #ifdef GSSAPI
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
++       { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
++       { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
++       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -1459,6 +1474,10 @@ process_server_config_line(ServerOptions *options, char *line,
+                intptr = &options->gss_authentication;
+                goto parse_flag;
+ 
++       case sGssKeyEx:
++               intptr = &options->gss_keyex;
++               goto parse_flag;
++
+        case sGssCleanupCreds:
+                intptr = &options->gss_cleanup_creds;
+                goto parse_flag;
+@@ -1467,6 +1486,10 @@ process_server_config_line(ServerOptions *options, char *line,
+                intptr = &options->gss_strict_acceptor;
+                goto parse_flag;
+ 
++       case sGssStoreRekey:
++               intptr = &options->gss_store_rekey;
++               goto parse_flag;
++
+        case sPasswordAuthentication:
+                intptr = &options->password_authentication;
+                goto parse_flag;
+@@ -2551,7 +2574,10 @@ dump_config(ServerOptions *o)
+ #endif
+ #ifdef GSSAPI
+        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
++       dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ #endif
+        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+        dump_cfg_fmtint(sKbdInteractiveAuthentication,
+diff --git a/servconf.h b/servconf.h
+index 557521d73..9b117fe27 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -124,8 +124,10 @@ typedef struct {
+        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
+                                                 * authenticated with Kerberos. */
+        int     gss_authentication;     /* If true, permit GSSAPI authentication */
++       int     gss_keyex;              /* If true, permit GSSAPI key exchange */
+        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
++       int     gss_store_rekey;
+        int     password_authentication;        /* If true, permit password
+                                                 * authentication. */
+        int     kbd_interactive_authentication; /* If true, permit */
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 36180d07a..350ce7882 100644
+--- a/ssh-gss.h
++++ b/ssh-gss.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -61,10 +61,22 @@
+ 
+ #define SSH_GSS_OIDTYPE 0x06
+ 
++#define SSH2_MSG_KEXGSS_INIT                            30
++#define SSH2_MSG_KEXGSS_CONTINUE                        31
++#define SSH2_MSG_KEXGSS_COMPLETE                        32
++#define SSH2_MSG_KEXGSS_HOSTKEY                         33
++#define SSH2_MSG_KEXGSS_ERROR                           34
++#define SSH2_MSG_KEXGSS_GROUPREQ                       40
++#define SSH2_MSG_KEXGSS_GROUP                          41
++#define KEX_GSS_GRP1_SHA1_ID                           "gss-group1-sha1-"
++#define KEX_GSS_GRP14_SHA1_ID                          "gss-group14-sha1-"
++#define KEX_GSS_GEX_SHA1_ID                            "gss-gex-sha1-"
++
+ typedef struct {
+        char *filename;
+        char *envvar;
+        char *envval;
++       struct passwd *owner;
+        void *data;
+ } ssh_gssapi_ccache;
+ 
+@@ -72,8 +84,11 @@ typedef struct {
+        gss_buffer_desc displayname;
+        gss_buffer_desc exportedname;
+        gss_cred_id_t creds;
++       gss_name_t name;
+        struct ssh_gssapi_mech_struct *mech;
+        ssh_gssapi_ccache store;
++       int used;
++       int updated;
+ } ssh_gssapi_client;
+ 
+ typedef struct ssh_gssapi_mech_struct {
+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
+        int (*userok) (ssh_gssapi_client *, char *);
+        int (*localname) (ssh_gssapi_client *, char **);
+        void (*storecreds) (ssh_gssapi_client *);
++       int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
+ } ssh_gssapi_mech;
+ 
+ typedef struct {
+@@ -94,10 +110,11 @@ typedef struct {
+        gss_OID         oid; /* client */
+        gss_cred_id_t   creds; /* server */
+        gss_name_t      client; /* server */
+-       gss_cred_id_t   client_creds; /* server */
++       gss_cred_id_t   client_creds; /* both */
+ } Gssctxt;
+ 
+ extern ssh_gssapi_mech *supported_mechs[];
++extern Gssctxt *gss_kex_context;
+ 
+ int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
+ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
+@@ -123,17 +140,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
+ OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_buildmic(struct sshbuf *, const char *,
+     const char *, const char *);
+-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
++OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
++int ssh_gssapi_credentials_updated(Gssctxt *);
+ 
+ /* In the server */
++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, 
++    const char *);
++char *ssh_gssapi_client_mechanisms(const char *, const char *);
++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
++    const char *);
++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
++    const char *);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+-int ssh_gssapi_userok(char *name);
++int ssh_gssapi_userok(char *name, struct passwd *);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+ void ssh_gssapi_storecreds(void);
+ const char *ssh_gssapi_displayname(void);
+ 
++char *ssh_gssapi_server_mechanisms(void);
++int ssh_gssapi_oid_table_ok(void);
++
++int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
++void ssh_gssapi_rekey_creds(void);
++
+ #endif /* GSSAPI */
+ 
+ #endif /* _SSH_GSS_H */
+diff --git a/ssh_config b/ssh_config
+index c12f5ef52..bcb9f153d 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -24,6 +24,8 @@
+ #   HostbasedAuthentication no
+ #   GSSAPIAuthentication no
+ #   GSSAPIDelegateCredentials no
++#   GSSAPIKeyExchange no
++#   GSSAPITrustDNS no
+ #   BatchMode no
+ #   CheckHostIP yes
+ #   AddressFamily any
+diff --git a/ssh_config.5 b/ssh_config.5
+index f499396a3..5b99921b4 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -718,10 +718,42 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
+ The default is
+ .Cm no .
++.It Cm GSSAPIKeyExchange
++Specifies whether key exchange based on GSSAPI may be used. When using
++GSSAPI key exchange the server need not have a host key.
++The default is
++.Cm no .
++.It Cm GSSAPIClientIdentity
++If set, specifies the GSSAPI client identity that ssh should use when 
++connecting to the server. The default is unset, which means that the default 
++identity will be used.
++.It Cm GSSAPIServerIdentity
++If set, specifies the GSSAPI server identity that ssh should expect when 
++connecting to the server. The default is unset, which means that the
++expected GSSAPI server identity will be determined from the target
++hostname.
+ .It Cm GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++.It Cm GSSAPIRenewalForcesRekey
++If set to 
++.Cm yes
++then renewal of the client's GSSAPI credentials will force the rekeying of the
++ssh connection. With a compatible server, this can delegate the renewed 
++credentials to a session on the server.
++The default is
++.Cm no .
++.It Cm GSSAPITrustDns
++Set to 
++.Cm yes
++to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If 
++.Cm no ,
++the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Cm no .
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 10e4f0a08..c6a1b1271 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+        struct kex *kex;
+        int r;
+ 
++#ifdef GSSAPI
++       char *orig = NULL, *gss = NULL;
++       char *gss_host = NULL;
++#endif
++
+        xxx_host = host;
+        xxx_hostaddr = hostaddr;
+ 
+@@ -194,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+                    order_hostkeyalgs(host, hostaddr, port));
+        }
+ 
++#ifdef GSSAPI
++       if (options.gss_keyex) {
++               /* Add the GSSAPI mechanisms currently supported on this
++                * client to the key exchange algorithm proposal */
++               orig = myproposal[PROPOSAL_KEX_ALGS];
++
++               if (options.gss_server_identity)
++                       gss_host = xstrdup(options.gss_server_identity);
++               else if (options.gss_trust_dns)
++                       gss_host = remote_hostname(active_state);
++               else
++                       gss_host = xstrdup(host);
++
++               gss = ssh_gssapi_client_mechanisms(gss_host,
++                   options.gss_client_identity);
++               if (gss) {
++                       debug("Offering GSSAPI proposal: %s", gss);
++                       xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
++                           "%s,%s", gss, orig);
++
++                       /* If we've got GSSAPI algorithms, then we also
++                        * support the 'null' hostkey, as a last resort */
++                       orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
++                       xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
++                           "%s,null", orig);
++               }
++       }
++#endif
++
+        if (options.rekey_limit || options.rekey_interval)
+                packet_set_rekey_limits(options.rekey_limit,
+                    options.rekey_interval);
+@@ -215,15 +249,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ # endif
+ #endif
+        kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#ifdef GSSAPI
++       if (options.gss_keyex) {
++               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
++               kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
++               kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
++       }
++#endif
+        kex->client_version_string=client_version_string;
+        kex->server_version_string=server_version_string;
+        kex->verify_host_key=&verify_host_key_callback;
+ 
++#ifdef GSSAPI
++       if (options.gss_keyex) {
++               kex->gss_deleg_creds = options.gss_deleg_creds;
++               kex->gss_trust_dns = options.gss_trust_dns;
++               kex->gss_client = options.gss_client_identity;
++               kex->gss_host = gss_host;
++       }
++#endif
++
+        ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
+ 
+        /* remove ext-info from the KEX proposals for rekeying */
+        myproposal[PROPOSAL_KEX_ALGS] =
+            compat_kex_proposal(options.kex_algorithms);
++#ifdef GSSAPI
++       /* repair myproposal after it was crumpled by the */
++       /* ext-info removal above */
++       if (gss) {
++               orig = myproposal[PROPOSAL_KEX_ALGS];
++               xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
++                   "%s,%s", gss, orig);
++               free(gss);
++       }
++#endif
+        if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
+                fatal("kex_prop2buf: %s", ssh_err(r));
+ 
+@@ -314,6 +374,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *);
+ int    input_gssapi_hash(int type, u_int32_t, struct ssh *);
+ int    input_gssapi_error(int, u_int32_t, struct ssh *);
+ int    input_gssapi_errtok(int, u_int32_t, struct ssh *);
++int    userauth_gsskeyex(Authctxt *authctxt);
+ #endif
+ 
+ void   userauth(Authctxt *, char *);
+@@ -330,6 +391,11 @@ static char *authmethods_get(void);
+ 
+ Authmethod authmethods[] = {
+ #ifdef GSSAPI
++       {"gssapi-keyex",
++               userauth_gsskeyex,
++               NULL,
++               &options.gss_authentication,
++               NULL},
+        {"gssapi-with-mic",
+                userauth_gssapi,
+                NULL,
+@@ -657,25 +723,40 @@ userauth_gssapi(Authctxt *authctxt)
+        static u_int mech = 0;
+        OM_uint32 min;
+        int r, ok = 0;
++       char *gss_host;
++
++       if (options.gss_server_identity)
++               gss_host = xstrdup(options.gss_server_identity);
++       else if (options.gss_trust_dns)
++               gss_host = remote_hostname(active_state);
++       else
++               gss_host = xstrdup(authctxt->host);
+ 
+        /* Try one GSSAPI method at a time, rather than sending them all at
+         * once. */
+ 
+        if (gss_supported == NULL)
+-               gss_indicate_mechs(&min, &gss_supported);
++               if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
++                       gss_supported = NULL;
++                       free(gss_host);
++                       return 0;
++               }
+ 
+        /* Check to see if the mechanism is usable before we offer it */
+        while (mech < gss_supported->count && !ok) {
+                /* My DER encoding requires length<128 */
+                if (gss_supported->elements[mech].length < 128 &&
+                    ssh_gssapi_check_mechanism(&gssctxt,
+-                   &gss_supported->elements[mech], authctxt->host)) {
++                   &gss_supported->elements[mech], gss_host,
++                    options.gss_client_identity)) {
+                        ok = 1; /* Mechanism works */
+                } else {
+                        mech++;
+                }
+        }
+ 
++       free(gss_host);
++
+        if (!ok)
+                return 0;
+ 
+@@ -906,6 +987,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+        free(lang);
+        return r;
+ }
++
++int
++userauth_gsskeyex(Authctxt *authctxt)
++{
++       struct ssh *ssh = active_state; /* XXX */
++       struct sshbuf *b;
++       gss_buffer_desc gssbuf;
++       gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
++       OM_uint32 ms;
++       int r;
++
++       static int attempt = 0;
++       if (attempt++ >= 1)
++               return (0);
++
++       if (gss_kex_context == NULL) {
++               debug("No valid Key exchange context"); 
++               return (0);
++       }
++
++       if ((b = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++       ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
++           "gssapi-keyex");
++
++       if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
++               fatal("%s: sshbuf_mutable_ptr failed", __func__);
++       gssbuf.length = sshbuf_len(b);
++
++       if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
++               sshbuf_free(b);
++               return (0);
++       }
++
++       if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
++           (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
++           (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
++           (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
++           (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
++           (r = sshpkt_send(ssh)) != 0)
++               fatal("%s: %s", __func__, ssh_err(r));
++
++       sshbuf_free(b);
++       gss_release_buffer(&ms, &mic);
++
++       return (1);
++}
++
+ #endif /* GSSAPI */
+ 
+ int
+diff --git a/sshd.c b/sshd.c
+index a738c3ab6..2e453cdf8 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -123,6 +123,10 @@
+ #include "version.h"
+ #include "ssherr.h"
+ 
++#ifdef USE_SECURITY_SESSION_API
++#include <Security/AuthSession.h>
++#endif
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
+@@ -536,7 +540,7 @@ privsep_preauth_child(void)
+ 
+ #ifdef GSSAPI
+        /* Cache supported mechanism OIDs for later use */
+-       if (options.gss_authentication)
++       if (options.gss_authentication || options.gss_keyex)
+                ssh_gssapi_prepare_supported_oids();
+ #endif
+ 
+@@ -1811,10 +1815,13 @@ main(int ac, char **av)
+                free(fp);
+        }
+        accumulate_host_timing_secret(cfg, NULL);
++#ifndef GSSAPI
++       /* The GSSAPI key exchange can run without a host key */
+        if (!sensitive_data.have_ssh2_key) {
+                logit("sshd: no hostkeys available -- exiting.");
+                exit(1);
+        }
++#endif
+ 
+        /*
+         * Load certificates. They are stored in an array at identical
+@@ -2105,6 +2112,60 @@ main(int ac, char **av)
+            rdomain == NULL ? "" : "\"");
+        free(laddr);
+ 
++#ifdef USE_SECURITY_SESSION_API
++       /*
++        * Create a new security session for use by the new user login if
++        * the current session is the root session or we are not launched
++        * by inetd (eg: debugging mode or server mode).  We do not
++        * necessarily need to create a session if we are launched from
++        * inetd because Panther xinetd will create a session for us.
++        *
++        * The only case where this logic will fail is if there is an
++        * inetd running in a non-root session which is not creating
++        * new sessions for us.  Then all the users will end up in the
++        * same session (bad).
++        *
++        * When the client exits, the session will be destroyed for us
++        * automatically.
++        *
++        * We must create the session before any credentials are stored
++        * (including AFS pags, which happens a few lines below).
++        */
++       {
++               OSStatus err = 0;
++               SecuritySessionId sid = 0;
++               SessionAttributeBits sattrs = 0;
++
++               err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
++               if (err)
++                       error("SessionGetInfo() failed with error %.8X",
++                           (unsigned) err);
++               else
++                       debug("Current Session ID is %.8X / Session Attributes are %.8X",
++                           (unsigned) sid, (unsigned) sattrs);
++
++               if (inetd_flag && !(sattrs & sessionIsRoot))
++                       debug("Running in inetd mode in a non-root session... "
++                           "assuming inetd created the session for us.");
++               else {
++                       debug("Creating new security session...");
++                       err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
++                       if (err)
++                               error("SessionCreate() failed with error %.8X",
++                                   (unsigned) err);
++
++                       err = SessionGetInfo(callerSecuritySession, &sid, 
++                           &sattrs);
++                       if (err)
++                               error("SessionGetInfo() failed with error %.8X",
++                                   (unsigned) err);
++                       else
++                               debug("New Session ID is %.8X / Session Attributes are %.8X",
++                                   (unsigned) sid, (unsigned) sattrs);
++               }
++       }
++#endif
++
+        /*
+         * We don't want to listen forever unless the other side
+         * successfully authenticates itself.  So we set up an alarm which is
+@@ -2288,6 +2349,48 @@ do_ssh2_kex(void)
+        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+            list_hostkey_types());
+ 
++#ifdef GSSAPI
++       {
++       char *orig;
++       char *gss = NULL;
++       char *newstr = NULL;
++       orig = myproposal[PROPOSAL_KEX_ALGS];
++
++       /* 
++        * If we don't have a host key, then there's no point advertising
++        * the other key exchange algorithms
++        */
++
++       if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
++               orig = NULL;
++
++       if (options.gss_keyex)
++               gss = ssh_gssapi_server_mechanisms();
++       else
++               gss = NULL;
++
++       if (gss && orig)
++               xasprintf(&newstr, "%s,%s", gss, orig);
++       else if (gss)
++               newstr = gss;
++       else if (orig)
++               newstr = orig;
++
++       /* 
++        * If we've got GSSAPI mechanisms, then we've got the 'null' host
++        * key alg, but we can't tell people about it unless its the only
++        * host key algorithm we support
++        */
++       if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
++               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
++
++       if (newstr)
++               myproposal[PROPOSAL_KEX_ALGS] = newstr;
++       else
++               fatal("No supported key exchange algorithms");
++       }
++#endif
++
+        /* start key exchange */
+        if ((r = kex_setup(active_state, myproposal)) != 0)
+                fatal("kex_setup: %s", ssh_err(r));
+@@ -2305,6 +2408,13 @@ do_ssh2_kex(void)
+ # endif
+ #endif
+        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#ifdef GSSAPI
++       if (options.gss_keyex) {
++               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
++               kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
++               kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
++       }
++#endif
+        kex->server = 1;
+        kex->client_version_string=client_version_string;
+        kex->server_version_string=server_version_string;
+diff --git a/sshd_config b/sshd_config
+index 19b7c91a1..2c48105f8 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -69,6 +69,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
+ # GSSAPI options
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
++#GSSAPIKeyExchange no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff --git a/sshd_config.5 b/sshd_config.5
+index e1b54ba20..a0ac717c7 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -637,6 +637,11 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
+ The default is
+ .Cm no .
++.It Cm GSSAPIKeyExchange
++Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
++doesn't rely on ssh keys to verify host identity.
++The default is
++.Cm no .
+ .It Cm GSSAPICleanupCredentials
+ Specifies whether to automatically destroy the user's credentials cache
+ on logout.
+@@ -656,6 +661,11 @@ machine's default store.
+ This facility is provided to assist with operation on multi homed machines.
+ The default is
+ .Cm yes .
++.It Cm GSSAPIStoreCredentialsOnRekey
++Controls whether the user's GSSAPI credentials should be updated following a 
++successful connection rekeying. This option can be used to accepted renewed 
++or updated credentials from a compatible client. The default is
++.Cm no .
+ .It Cm HostbasedAcceptedKeyTypes
+ Specifies the key types that will be accepted for hostbased authentication
+ as a list of comma-separated patterns.
+diff --git a/sshkey.c b/sshkey.c
+index 72c08c7e0..91e99a262 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -140,6 +140,7 @@ static const struct keytype keytypes[] = {
+ #  endif /* OPENSSL_HAS_NISTP521 */
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++       { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
+        { NULL, NULL, NULL, -1, -1, 0, 0 }
+ };
+ 
+@@ -228,7 +229,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+        const struct keytype *kt;
+ 
+        for (kt = keytypes; kt->type != -1; kt++) {
+-               if (kt->name == NULL)
++               if (kt->name == NULL || kt->type == KEY_NULL)
+                        continue;
+                if (!include_sigonly && kt->sigonly)
+                        continue;
+diff --git a/sshkey.h b/sshkey.h
+index 9060b2ecb..0cbdcfd74 100644
+--- a/sshkey.h
++++ b/sshkey.h
+@@ -63,6 +63,7 @@ enum sshkey_types {
+        KEY_ED25519_CERT,
+        KEY_XMSS,
+        KEY_XMSS_CERT,
++       KEY_NULL,
+        KEY_UNSPEC
+ };
+