Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-log-verbosity.patch26
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/consolekit.patch221
-rw-r--r--debian/patches/debian-banner.patch48
-rw-r--r--debian/patches/debian-config.patch18
-rw-r--r--debian/patches/dnssec-sshfp.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/doc-upstart.patch4
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch536
-rw-r--r--debian/patches/helpful-wait-terminate.patch4
-rw-r--r--debian/patches/keepalive-extensions.patch34
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch6
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch8
-rw-r--r--debian/patches/openbsd-docs.patch22
-rw-r--r--debian/patches/package-versioning.patch14
-rw-r--r--debian/patches/quieter-signals.patch6
-rw-r--r--debian/patches/restore-tcp-wrappers.patch16
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/selinux-role.patch66
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch6
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/ssh1-keepalive.patch12
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/user-group-modes.patch32
29 files changed, 464 insertions, 687 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 84a14cfb8..491656be2 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From 1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf Mon Sep 17 00:00:00 2001 1From c9c2ebb4680ea6872218b1e4519fe31a2043a27a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch
16 4 files changed, 32 insertions(+), 9 deletions(-) 16 4 files changed, 32 insertions(+), 9 deletions(-)
17 17
18diff --git a/auth-options.c b/auth-options.c 18diff --git a/auth-options.c b/auth-options.c
19index f3d9c9d..d4d22d7 100644 19index 4f0da9c..3fa236e 100644
20--- a/auth-options.c 20--- a/auth-options.c
21+++ b/auth-options.c 21+++ b/auth-options.c
22@@ -54,9 +54,20 @@ int forced_tun_device = -1; 22@@ -58,9 +58,20 @@ int forced_tun_device = -1;
23 /* "principals=" option. */ 23 /* "principals=" option. */
24 char *authorized_principals = NULL; 24 char *authorized_principals = NULL;
25 25
@@ -40,7 +40,7 @@ index f3d9c9d..d4d22d7 100644
40 auth_clear_options(void) 40 auth_clear_options(void)
41 { 41 {
42 no_agent_forwarding_flag = 0; 42 no_agent_forwarding_flag = 0;
43@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 43@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
44 /* FALLTHROUGH */ 44 /* FALLTHROUGH */
45 case 0: 45 case 0:
46 free(patterns); 46 free(patterns);
@@ -58,7 +58,7 @@ index f3d9c9d..d4d22d7 100644
58 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
59 "permitted to use this key for login.", 59 "permitted to use this key for login.",
60 remote_host); 60 remote_host);
61@@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, 61@@ -514,11 +528,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
62 break; 62 break;
63 case 0: 63 case 0:
64 /* no match */ 64 /* no match */
@@ -79,7 +79,7 @@ index f3d9c9d..d4d22d7 100644
79 "is not permitted to use this " 79 "is not permitted to use this "
80 "certificate for login.", 80 "certificate for login.",
81diff --git a/auth-options.h b/auth-options.h 81diff --git a/auth-options.h b/auth-options.h
82index 7455c94..a3f0a02 100644 82index 34852e5..1653855 100644
83--- a/auth-options.h 83--- a/auth-options.h
84+++ b/auth-options.h 84+++ b/auth-options.h
85@@ -33,6 +33,7 @@ extern int forced_tun_device; 85@@ -33,6 +33,7 @@ extern int forced_tun_device;
@@ -89,12 +89,12 @@ index 7455c94..a3f0a02 100644
89+void auth_start_parse_options(void); 89+void auth_start_parse_options(void);
90 int auth_parse_options(struct passwd *, char *, char *, u_long); 90 int auth_parse_options(struct passwd *, char *, char *, u_long);
91 void auth_clear_options(void); 91 void auth_clear_options(void);
92 int auth_cert_options(Key *, struct passwd *); 92 int auth_cert_options(struct sshkey *, struct passwd *);
93diff --git a/auth-rsa.c b/auth-rsa.c 93diff --git a/auth-rsa.c b/auth-rsa.c
94index e9f4ede..5d7bdcb 100644 94index cbd971b..4cf2163 100644
95--- a/auth-rsa.c 95--- a/auth-rsa.c
96+++ b/auth-rsa.c 96+++ b/auth-rsa.c
97@@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, 97@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
99 return 0; 99 return 0;
100 100
@@ -104,10 +104,10 @@ index e9f4ede..5d7bdcb 100644
104 * Go though the accepted keys, looking for the current key. If 104 * Go though the accepted keys, looking for the current key. If
105 * found, perform a challenge-response dialog to verify that the 105 * found, perform a challenge-response dialog to verify that the
106diff --git a/auth2-pubkey.c b/auth2-pubkey.c 106diff --git a/auth2-pubkey.c b/auth2-pubkey.c
107index f3ca965..f78b046 100644 107index d943efa..0bda5c9 100644
108--- a/auth2-pubkey.c 108--- a/auth2-pubkey.c
109+++ b/auth2-pubkey.c 109+++ b/auth2-pubkey.c
110@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) 110@@ -282,6 +282,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
111 restore_uid(); 111 restore_uid();
112 return 0; 112 return 0;
113 } 113 }
@@ -115,7 +115,7 @@ index f3ca965..f78b046 100644
115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
116 /* Skip leading whitespace. */ 116 /* Skip leading whitespace. */
117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
118@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) 118@@ -343,6 +344,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
119 found_key = 0; 119 found_key = 0;
120 120
121 found = NULL; 121 found = NULL;
@@ -123,7 +123,7 @@ index f3ca965..f78b046 100644
123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
124 char *cp, *key_options = NULL; 124 char *cp, *key_options = NULL;
125 if (found != NULL) 125 if (found != NULL)
126@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) 126@@ -482,6 +484,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
127 if (key_cert_check_authority(key, 0, 1, 127 if (key_cert_check_authority(key, 0, 1,
128 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 128 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
129 goto fail_reason; 129 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6afb0420b..eb398f6a4 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 19b0441502c07401dd6d418f8f81cc7f1a44ccb1 Mon Sep 17 00:00:00 2001 1From 8a1a563ee326222155c74454e11e6ed62297c403 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index c4cb8ea..a4402e9 100644 16index c406aec..37cb023 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -309,6 +309,7 @@ install-files: 19@@ -325,6 +325,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index e50c77f62..0438b8f74 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,15 +1,14 @@
1From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001 1From 8b3111d597316954caaf8ddf2e7746491976c248 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:57 +0000 3Date: Sun, 9 Feb 2014 16:09:57 +0000
4Subject: Add support for registering ConsoleKit sessions on login 4Subject: Add support for registering ConsoleKit sessions on login
5 5
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
7Last-Updated: 2014-10-07 7Last-Updated: 2015-08-19
8 8
9Patch-Name: consolekit.patch 9Patch-Name: consolekit.patch
10--- 10---
11 Makefile.in | 3 +- 11 Makefile.in | 3 +-
12 configure | 132 +++++++++++++++++++++++++++++++
13 configure.ac | 25 ++++++ 12 configure.ac | 25 ++++++
14 consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 13 consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
15 consolekit.h | 24 ++++++ 14 consolekit.h | 24 ++++++
@@ -19,15 +18,15 @@ Patch-Name: consolekit.patch
19 monitor_wrap.h | 4 + 18 monitor_wrap.h | 4 +
20 session.c | 13 ++++ 19 session.c | 13 ++++
21 session.h | 6 ++ 20 session.h | 6 ++
22 11 files changed, 521 insertions(+), 1 deletion(-) 21 10 files changed, 389 insertions(+), 1 deletion(-)
23 create mode 100644 consolekit.c 22 create mode 100644 consolekit.c
24 create mode 100644 consolekit.h 23 create mode 100644 consolekit.h
25 24
26diff --git a/Makefile.in b/Makefile.in 25diff --git a/Makefile.in b/Makefile.in
27index 086d8dd..c4cb8ea 100644 26index 3d2a328..c406aec 100644
28--- a/Makefile.in 27--- a/Makefile.in
29+++ b/Makefile.in 28+++ b/Makefile.in
30@@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 29@@ -111,7 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
31 sftp-server.o sftp-common.o \ 30 sftp-server.o sftp-common.o \
32 roaming_common.o roaming_serv.o \ 31 roaming_common.o roaming_serv.o \
33 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 32 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -37,175 +36,11 @@ index 086d8dd..c4cb8ea 100644
37 36
38 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 37 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
39 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 38 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
40diff --git a/configure b/configure
41index ea5f200..7be478a 100755
42--- a/configure
43+++ b/configure
44@@ -739,6 +739,7 @@ with_privsep_user
45 with_sandbox
46 with_selinux
47 with_kerberos5
48+with_consolekit
49 with_privsep_path
50 with_xauth
51 enable_strip
52@@ -1430,6 +1431,7 @@ Optional Packages:
53 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
54 --with-selinux Enable SELinux support
55 --with-kerberos5=PATH Enable Kerberos 5 support
56+ --with-consolekit Enable ConsoleKit support
57 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
58 --with-xauth=PATH Specify path to xauth program
59 --with-maildir=/path/to/mail Specify your system mail directory
60@@ -17211,6 +17213,135 @@ fi
61
62
63
64+# Check whether user wants ConsoleKit support
65+CONSOLEKIT_MSG="no"
66+LIBCK_CONNECTOR=""
67+
68+# Check whether --with-consolekit was given.
69+if test "${with_consolekit+set}" = set; then :
70+ withval=$with_consolekit; if test "x$withval" != "xno" ; then
71+ if test -n "$ac_tool_prefix"; then
72+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
73+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
74+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
75+$as_echo_n "checking for $ac_word... " >&6; }
76+if ${ac_cv_path_PKGCONFIG+:} false; then :
77+ $as_echo_n "(cached) " >&6
78+else
79+ case $PKGCONFIG in
80+ [\\/]* | ?:[\\/]*)
81+ ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
82+ ;;
83+ *)
84+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
85+for as_dir in $PATH
86+do
87+ IFS=$as_save_IFS
88+ test -z "$as_dir" && as_dir=.
89+ for ac_exec_ext in '' $ac_executable_extensions; do
90+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
91+ ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
92+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
93+ break 2
94+ fi
95+done
96+ done
97+IFS=$as_save_IFS
98+
99+ ;;
100+esac
101+fi
102+PKGCONFIG=$ac_cv_path_PKGCONFIG
103+if test -n "$PKGCONFIG"; then
104+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKGCONFIG" >&5
105+$as_echo "$PKGCONFIG" >&6; }
106+else
107+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
108+$as_echo "no" >&6; }
109+fi
110+
111+
112+fi
113+if test -z "$ac_cv_path_PKGCONFIG"; then
114+ ac_pt_PKGCONFIG=$PKGCONFIG
115+ # Extract the first word of "pkg-config", so it can be a program name with args.
116+set dummy pkg-config; ac_word=$2
117+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
118+$as_echo_n "checking for $ac_word... " >&6; }
119+if ${ac_cv_path_ac_pt_PKGCONFIG+:} false; then :
120+ $as_echo_n "(cached) " >&6
121+else
122+ case $ac_pt_PKGCONFIG in
123+ [\\/]* | ?:[\\/]*)
124+ ac_cv_path_ac_pt_PKGCONFIG="$ac_pt_PKGCONFIG" # Let the user override the test with a path.
125+ ;;
126+ *)
127+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
128+for as_dir in $PATH
129+do
130+ IFS=$as_save_IFS
131+ test -z "$as_dir" && as_dir=.
132+ for ac_exec_ext in '' $ac_executable_extensions; do
133+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
134+ ac_cv_path_ac_pt_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
135+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
136+ break 2
137+ fi
138+done
139+ done
140+IFS=$as_save_IFS
141+
142+ ;;
143+esac
144+fi
145+ac_pt_PKGCONFIG=$ac_cv_path_ac_pt_PKGCONFIG
146+if test -n "$ac_pt_PKGCONFIG"; then
147+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKGCONFIG" >&5
148+$as_echo "$ac_pt_PKGCONFIG" >&6; }
149+else
150+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
151+$as_echo "no" >&6; }
152+fi
153+
154+ if test "x$ac_pt_PKGCONFIG" = x; then
155+ PKGCONFIG="no"
156+ else
157+ case $cross_compiling:$ac_tool_warned in
158+yes:)
159+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
160+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
161+ac_tool_warned=yes ;;
162+esac
163+ PKGCONFIG=$ac_pt_PKGCONFIG
164+ fi
165+else
166+ PKGCONFIG="$ac_cv_path_PKGCONFIG"
167+fi
168+
169+ if test "$PKGCONFIG" != "no"; then
170+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ck-connector" >&5
171+$as_echo_n "checking for ck-connector... " >&6; }
172+ if $PKGCONFIG --exists ck-connector; then
173+ CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
174+ CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
175+ CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
176+ SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
177+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
178+$as_echo "yes" >&6; }
179+
180+$as_echo "#define USE_CONSOLEKIT 1" >>confdefs.h
181+
182+ CONSOLEKIT_MSG="yes"
183+ else
184+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
185+$as_echo "no" >&6; }
186+ fi
187+ fi
188+ fi
189+
190+fi
191+
192+
193 # Looking for programs, paths and files
194
195 PRIVSEP_PATH=/var/empty
196@@ -19739,6 +19870,7 @@ echo " MD5 password support: $MD5_MSG"
197 echo " libedit support: $LIBEDIT_MSG"
198 echo " Solaris process contract support: $SPC_MSG"
199 echo " Solaris project support: $SP_MSG"
200+echo " ConsoleKit support: $CONSOLEKIT_MSG"
201 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
202 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
203 echo " BSD Auth support: $BSD_AUTH_MSG"
204diff --git a/configure.ac b/configure.ac 39diff --git a/configure.ac b/configure.ac
205index 7f160f1..f5c65c5 100644 40index 5f606ea..f7ce777 100644
206--- a/configure.ac 41--- a/configure.ac
207+++ b/configure.ac 42+++ b/configure.ac
208@@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5], 43@@ -4180,6 +4180,30 @@ AC_ARG_WITH([kerberos5],
209 AC_SUBST([GSSLIBS]) 44 AC_SUBST([GSSLIBS])
210 AC_SUBST([K5LIBS]) 45 AC_SUBST([K5LIBS])
211 46
@@ -236,7 +71,7 @@ index 7f160f1..f5c65c5 100644
236 # Looking for programs, paths and files 71 # Looking for programs, paths and files
237 72
238 PRIVSEP_PATH=/var/empty 73 PRIVSEP_PATH=/var/empty
239@@ -4914,6 +4938,7 @@ echo " MD5 password support: $MD5_MSG" 74@@ -4981,6 +5005,7 @@ echo " MD5 password support: $MD5_MSG"
240 echo " libedit support: $LIBEDIT_MSG" 75 echo " libedit support: $LIBEDIT_MSG"
241 echo " Solaris process contract support: $SPC_MSG" 76 echo " Solaris process contract support: $SPC_MSG"
242 echo " Solaris project support: $SP_MSG" 77 echo " Solaris project support: $SP_MSG"
@@ -522,20 +357,20 @@ index 0000000..8ce3716
522+ 357+
523+#endif /* USE_CONSOLEKIT */ 358+#endif /* USE_CONSOLEKIT */
524diff --git a/monitor.c b/monitor.c 359diff --git a/monitor.c b/monitor.c
525index 94b194d..cc15ce4 100644 360index 6ff05e4..ce7ba07 100644
526--- a/monitor.c 361--- a/monitor.c
527+++ b/monitor.c 362+++ b/monitor.c
528@@ -100,6 +100,9 @@ 363@@ -104,6 +104,9 @@
529 #include "ssh2.h"
530 #include "roaming.h"
531 #include "authfd.h" 364 #include "authfd.h"
365 #include "match.h"
366 #include "ssherr.h"
532+#ifdef USE_CONSOLEKIT 367+#ifdef USE_CONSOLEKIT
533+#include "consolekit.h" 368+#include "consolekit.h"
534+#endif 369+#endif
535 370
536 #ifdef GSSAPI 371 #ifdef GSSAPI
537 static Gssctxt *gsscontext = NULL; 372 static Gssctxt *gsscontext = NULL;
538@@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *); 373@@ -169,6 +172,10 @@ int mm_answer_audit_command(int, Buffer *);
539 374
540 static int monitor_read_log(struct monitor *); 375 static int monitor_read_log(struct monitor *);
541 376
@@ -546,7 +381,7 @@ index 94b194d..cc15ce4 100644
546 static Authctxt *authctxt; 381 static Authctxt *authctxt;
547 382
548 #ifdef WITH_SSH1 383 #ifdef WITH_SSH1
549@@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = { 384@@ -261,6 +268,9 @@ struct mon_table mon_dispatch_postauth20[] = {
550 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 385 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
551 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 386 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
552 #endif 387 #endif
@@ -556,7 +391,7 @@ index 94b194d..cc15ce4 100644
556 {0, 0, NULL} 391 {0, 0, NULL}
557 }; 392 };
558 393
559@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = { 394@@ -306,6 +316,9 @@ struct mon_table mon_dispatch_postauth15[] = {
560 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 395 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
561 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 396 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
562 #endif 397 #endif
@@ -566,7 +401,7 @@ index 94b194d..cc15ce4 100644
566 #endif /* WITH_SSH1 */ 401 #endif /* WITH_SSH1 */
567 {0, 0, NULL} 402 {0, 0, NULL}
568 }; 403 };
569@@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor) 404@@ -488,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
570 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 405 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
571 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 406 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
572 } 407 }
@@ -576,7 +411,7 @@ index 94b194d..cc15ce4 100644
576 411
577 for (;;) 412 for (;;)
578 monitor_read(pmonitor, mon_dispatch, NULL); 413 monitor_read(pmonitor, mon_dispatch, NULL);
579@@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { 414@@ -2187,3 +2203,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
580 415
581 #endif /* GSSAPI */ 416 #endif /* GSSAPI */
582 417
@@ -607,7 +442,7 @@ index 94b194d..cc15ce4 100644
607+} 442+}
608+#endif /* USE_CONSOLEKIT */ 443+#endif /* USE_CONSOLEKIT */
609diff --git a/monitor.h b/monitor.h 444diff --git a/monitor.h b/monitor.h
610index 4d5e8fa..10ba59e 100644 445index 2d82b8b..fd8d92c 100644
611--- a/monitor.h 446--- a/monitor.h
612+++ b/monitor.h 447+++ b/monitor.h
613@@ -70,6 +70,8 @@ enum monitor_reqtype { 448@@ -70,6 +70,8 @@ enum monitor_reqtype {
@@ -620,10 +455,10 @@ index 4d5e8fa..10ba59e 100644
620 455
621 struct mm_master; 456 struct mm_master;
622diff --git a/monitor_wrap.c b/monitor_wrap.c 457diff --git a/monitor_wrap.c b/monitor_wrap.c
623index 6dc890a..4c57d4d 100644 458index 5aa9c47..a5f4e9d 100644
624--- a/monitor_wrap.c 459--- a/monitor_wrap.c
625+++ b/monitor_wrap.c 460+++ b/monitor_wrap.c
626@@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) 461@@ -1150,3 +1150,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
627 462
628 #endif /* GSSAPI */ 463 #endif /* GSSAPI */
629 464
@@ -658,11 +493,11 @@ index 6dc890a..4c57d4d 100644
658+} 493+}
659+#endif /* USE_CONSOLEKIT */ 494+#endif /* USE_CONSOLEKIT */
660diff --git a/monitor_wrap.h b/monitor_wrap.h 495diff --git a/monitor_wrap.h b/monitor_wrap.h
661index 9c2ee49..00e93fe 100644 496index 4d1e899..f99c31c 100644
662--- a/monitor_wrap.h 497--- a/monitor_wrap.h
663+++ b/monitor_wrap.h 498+++ b/monitor_wrap.h
664@@ -111,4 +111,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int); 499@@ -108,4 +108,8 @@ int mm_skey_respond(void *, u_int, char **);
665 void mm_zfree(struct mm_master *, void *); 500 /* zlib allocation hooks */
666 void mm_init_compression(struct mm_master *); 501 void mm_init_compression(struct mm_master *);
667 502
668+#ifdef USE_CONSOLEKIT 503+#ifdef USE_CONSOLEKIT
@@ -671,10 +506,10 @@ index 9c2ee49..00e93fe 100644
671+ 506+
672 #endif /* _MM_WRAP_H_ */ 507 #endif /* _MM_WRAP_H_ */
673diff --git a/session.c b/session.c 508diff --git a/session.c b/session.c
674index 6f389ac..6250c20 100644 509index d4b7725..785833f 100644
675--- a/session.c 510--- a/session.c
676+++ b/session.c 511+++ b/session.c
677@@ -93,6 +93,7 @@ 512@@ -94,6 +94,7 @@
678 #include "kex.h" 513 #include "kex.h"
679 #include "monitor_wrap.h" 514 #include "monitor_wrap.h"
680 #include "sftp.h" 515 #include "sftp.h"
@@ -682,7 +517,7 @@ index 6f389ac..6250c20 100644
682 517
683 #if defined(KRB5) && defined(USE_AFS) 518 #if defined(KRB5) && defined(USE_AFS)
684 #include <kafs.h> 519 #include <kafs.h>
685@@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell) 520@@ -1144,6 +1145,9 @@ do_setup_env(Session *s, const char *shell)
686 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 521 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
687 char *path = NULL; 522 char *path = NULL;
688 #endif 523 #endif
@@ -692,7 +527,7 @@ index 6f389ac..6250c20 100644
692 527
693 /* Initialize the environment. */ 528 /* Initialize the environment. */
694 envsize = 100; 529 envsize = 100;
695@@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell) 530@@ -1288,6 +1292,11 @@ do_setup_env(Session *s, const char *shell)
696 child_set_env(&env, &envsize, "KRB5CCNAME", 531 child_set_env(&env, &envsize, "KRB5CCNAME",
697 s->authctxt->krb5_ccname); 532 s->authctxt->krb5_ccname);
698 #endif 533 #endif
@@ -704,7 +539,7 @@ index 6f389ac..6250c20 100644
704 #ifdef USE_PAM 539 #ifdef USE_PAM
705 /* 540 /*
706 * Pull in any environment variables that may have 541 * Pull in any environment variables that may have
707@@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s) 542@@ -2351,6 +2360,10 @@ session_pty_cleanup2(Session *s)
708 543
709 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 544 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
710 545
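Review bot: The refreshed consolekit.patch no longer carries a hunk against the generated `configure` script (the diffstat on the new side drops from 11 files / 521 insertions to 10 files / 389 insertions, and only configure.ac keeps the `--with-consolekit` check), so `USE_CONSOLEKIT` is now defined only if the Debian build regenerates `configure` from configure.ac before running it. I cannot see debian/rules here, so this is a point to verify rather than a confirmed defect: if autoreconf is not run, the `#ifdef USE_CONSOLEKIT` blocks in monitor.c, monitor_wrap.c and session.c are silently compiled out and the feature disappears without any build error, with the only trace being `ConsoleKit support: no` in the configure summary. A cheap guard is to have the packaging grep that summary line (or check `CONSOLEKIT_MSG`) and fail the build when the expected value is absent. The hunk header should also say so, e.g. add `Note: configure is not patched; the build must run autoreconf for this option to exist.` under Last-Updated.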
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index ab64cbed5..5bc70a566 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 114c8a8fb488cbe39507edb75c51198a4b9e8b24 Mon Sep 17 00:00:00 2001 1From 2c31a85436f1eac46e185382c2aa15406ae6c0ac Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2014-10-07 11Last-Update: 2015-08-19
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -19,45 +19,45 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index a252487..6c7741a 100644 22index b3a2841..bec53e0 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options) 25@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
26 options->ip_qos_interactive = -1;
27 options->ip_qos_bulk = -1; 26 options->ip_qos_bulk = -1;
28 options->version_addendum = NULL; 27 options->version_addendum = NULL;
28 options->fingerprint_hash = -1;
29+ options->debian_banner = -1; 29+ options->debian_banner = -1;
30 } 30 }
31 31
32 void 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options)
34 options->fwd_opts.streamlocal_bind_mask = 0177;
35 if (options->fwd_opts.streamlocal_bind_unlink == -1)
36 options->fwd_opts.streamlocal_bind_unlink = 0; 34 options->fwd_opts.streamlocal_bind_unlink = 0;
35 if (options->fingerprint_hash == -1)
36 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
37+ if (options->debian_banner == -1) 37+ if (options->debian_banner == -1)
38+ options->debian_banner = 1; 38+ options->debian_banner = 1;
39 /* Turn privilege separation on by default */ 39 /* Turn privilege separation on by default */
40 if (use_privsep == -1) 40 if (use_privsep == -1)
41 use_privsep = PRIVSEP_NOSANDBOX; 41 use_privsep = PRIVSEP_NOSANDBOX;
42@@ -373,6 +376,7 @@ typedef enum { 42@@ -412,6 +415,7 @@ typedef enum {
43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sStreamLocalBindMask, sStreamLocalBindUnlink, 44 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAllowStreamLocalForwarding, 45 sAllowStreamLocalForwarding, sFingerprintHash,
46+ sDebianBanner, 46+ sDebianBanner,
47 sDeprecated, sUnsupported 47 sDeprecated, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -514,6 +518,7 @@ static struct { 50@@ -556,6 +560,7 @@ static struct {
51 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
52 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
53 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1777,6 +1782,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 intptr = &options->fwd_opts.streamlocal_bind_unlink; 59 options->fingerprint_hash = value;
60 goto parse_flag; 60 break;
61 61
62+ case sDebianBanner: 62+ case sDebianBanner:
63+ intptr = &options->debian_banner; 63+ intptr = &options->debian_banner;
@@ -67,23 +67,23 @@ index a252487..6c7741a 100644
67 logit("%s line %d: Deprecated option %s", 67 logit("%s line %d: Deprecated option %s",
68 filename, linenum, arg); 68 filename, linenum, arg);
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index f8265a8..fa48804 100644 70index d2ed4d7..ed0f171 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -188,6 +188,8 @@ typedef struct { 73@@ -192,6 +192,8 @@ typedef struct {
74
75 u_int num_auth_methods;
76 char *auth_methods[MAX_AUTH_METHODS]; 74 char *auth_methods[MAX_AUTH_METHODS];
75
76 int fingerprint_hash;
77+ 77+
78+ int debian_banner; 78+ int debian_banner;
79 } ServerOptions; 79 } ServerOptions;
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 1710e71..87331c1 100644 83index c362209..5435968 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) 86@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
87 } 87 }
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index 1710e71..87331c1 100644
94 options.version_addendum, newline); 94 options.version_addendum, newline);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 2843048..58997d3 100644 97index d14576e..ec58635 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -447,6 +447,11 @@ or 100@@ -476,6 +476,11 @@ or
101 .Dq no . 101 .Dq no .
102 The default is 102 The default is
103 .Dq delayed . 103 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index f995717fa..a346ba678 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 581424965d2d722a991c3247d4c0bb5950cb4fc5 Mon Sep 17 00:00:00 2001 1From 8698446b972003b63dfe5dcbdb86acfe986afb85 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -22,7 +22,7 @@ debian/openssh-server.postinst.
22 22
23Author: Russ Allbery <rra@debian.org> 23Author: Russ Allbery <rra@debian.org>
24Forwarded: not-needed 24Forwarded: not-needed
25Last-Update: 2015-03-22 25Last-Update: 2015-08-19
26 26
27Patch-Name: debian-config.patch 27Patch-Name: debian-config.patch
28--- 28---
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
34 5 files changed, 51 insertions(+), 3 deletions(-) 34 5 files changed, 51 insertions(+), 3 deletions(-)
35 35
36diff --git a/readconf.c b/readconf.c 36diff --git a/readconf.c b/readconf.c
37index 0648867..29338b6 100644 37index 2ef8d7b..66a62f2 100644
38--- a/readconf.c 38--- a/readconf.c
39+++ b/readconf.c 39+++ b/readconf.c
40@@ -1681,7 +1681,7 @@ fill_default_options(Options * options) 40@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
41 if (options->forward_x11 == -1) 41 if (options->forward_x11 == -1)
42 options->forward_x11 = 0; 42 options->forward_x11 = 0;
43 if (options->forward_x11_trusted == -1) 43 if (options->forward_x11_trusted == -1)
@@ -71,10 +71,10 @@ index 228e5ab..c9386aa 100644
71+ GSSAPIAuthentication yes 71+ GSSAPIAuthentication yes
72+ GSSAPIDelegateCredentials no 72+ GSSAPIDelegateCredentials no
73diff --git a/ssh_config.5 b/ssh_config.5 73diff --git a/ssh_config.5 b/ssh_config.5
74index a1005ba..da3c177 100644 74index 3bd80fd..da8e544 100644
75--- a/ssh_config.5 75--- a/ssh_config.5
76+++ b/ssh_config.5 76+++ b/ssh_config.5
77@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 77@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
78 host-specific declarations should be given near the beginning of the 78 host-specific declarations should be given near the beginning of the
79 file, and general defaults at the end. 79 file, and general defaults at the end.
80 .Pp 80 .Pp
@@ -97,7 +97,7 @@ index a1005ba..da3c177 100644
97 The configuration file has the following format: 97 The configuration file has the following format:
98 .Pp 98 .Pp
99 Empty lines and lines starting with 99 Empty lines and lines starting with
100@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes. 100@@ -715,7 +731,8 @@ token used for the session will be set to expire after 20 minutes.
101 Remote clients will be refused access after this time. 101 Remote clients will be refused access after this time.
102 .Pp 102 .Pp
103 The default is 103 The default is
@@ -108,7 +108,7 @@ index a1005ba..da3c177 100644
108 See the X11 SECURITY extension specification for full details on 108 See the X11 SECURITY extension specification for full details on
109 the restrictions imposed on untrusted clients. 109 the restrictions imposed on untrusted clients.
110diff --git a/sshd_config b/sshd_config 110diff --git a/sshd_config b/sshd_config
111index d9b8594..4db32f5 100644 111index a71ad19..3391233 100644
112--- a/sshd_config 112--- a/sshd_config
113+++ b/sshd_config 113+++ b/sshd_config
114@@ -41,6 +41,7 @@ 114@@ -41,6 +41,7 @@
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644
120 #StrictModes yes 120 #StrictModes yes
121 #MaxAuthTries 6 121 #MaxAuthTries 6
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index 7396b23..7aa7b47 100644 123index 453d741..db1f2fd 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 126@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 0212ea841..97fe79aef 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 4ac9937c1d9f1901ab0694114d76e59a138aae96 Mon Sep 17 00:00:00 2001 1From 5cbcc7353649b84b5a7528e583458ee9473fd527 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index c4d073c..e5872c1 100644 21index f201b60..a406f58 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -203,6 +203,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
25 { 25 {
26 u_int counter; 26 u_int counter;
27 int result; 27 int result;
@@ -29,7 +29,7 @@ index c4d073c..e5872c1 100644
29 struct rrsetinfo *fingerprints = NULL; 29 struct rrsetinfo *fingerprints = NULL;
30 30
31 u_int8_t hostkey_algorithm; 31 u_int8_t hostkey_algorithm;
32@@ -226,8 +227,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 32@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
33 return -1; 33 return -1;
34 } 34 }
35 35
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 8e6cfa575..35d589353 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 2fd0b3814e27d584efa6df92845a7354e7c2de6c Mon Sep 17 00:00:00 2001 1From b0146d5a8c1b9d87f4255cbee40b31c938fea2f8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index d68b45a..a1005ba 100644 16index 8abcf40..3bd80fd 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -759,6 +759,9 @@ Note that existing names and addresses in known hosts files 19@@ -801,6 +801,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index c1ce1bcae..8002929ab 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From 252e76b3ad6e83a798e479a2beba5be7000ff85e Mon Sep 17 00:00:00 2001 1From c679bacbff13edaa44255c4f4c32ef5bc0f4ccbc Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
12 1 file changed, 4 insertions(+), 1 deletion(-) 12 1 file changed, 4 insertions(+), 1 deletion(-)
13 13
14diff --git a/sshd.8 b/sshd.8 14diff --git a/sshd.8 b/sshd.8
15index 3538208..f8f9eac 100644 15index 8dba6cf..e198017 100644
16--- a/sshd.8 16--- a/sshd.8
17+++ b/sshd.8 17+++ b/sshd.8
18@@ -67,7 +67,10 @@ over an insecure network. 18@@ -67,7 +67,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 84fe03acc..79efb8971 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 1195b028cb9f402633cfdcae6ec34bf63b4ab771 Mon Sep 17 00:00:00 2001 1From 02662744e60e6bbe532ff22c7f563026a7424b6c Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index e8cbc1083..b3c437194 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 1From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,26 +17,25 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2014-10-07 20Last-Updated: 2015-08-19
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
24 ChangeLog.gssapi | 113 +++++++++++++++++++ 24 ChangeLog.gssapi | 113 +++++++++++++++++++
25 Makefile.in | 3 +- 25 Makefile.in | 5 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth2-gss.c | 48 +++++++- 27 auth2-gss.c | 48 +++++++-
28 auth2.c | 2 + 28 auth2.c | 2 +
29 clientloop.c | 13 +++ 29 clientloop.c | 13 +++
30 config.h.in | 6 + 30 config.h.in | 6 +
31 configure | 57 ++++++++++
32 configure.ac | 24 ++++ 31 configure.ac | 24 ++++
33 gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- 32 gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++-
34 gss-serv-krb5.c | 85 ++++++++++++-- 33 gss-serv-krb5.c | 85 ++++++++++++--
35 gss-serv.c | 221 +++++++++++++++++++++++++++++++----- 34 gss-serv.c | 221 +++++++++++++++++++++++++++++++-----
36 kex.c | 16 +++ 35 kex.c | 16 +++
37 kex.h | 14 +++ 36 kex.h | 14 +++
38 kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 37 kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
39 kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ 38 kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++
40 monitor.c | 108 +++++++++++++++++- 39 monitor.c | 108 +++++++++++++++++-
41 monitor.h | 3 + 40 monitor.h | 3 +
42 monitor_wrap.c | 47 +++++++- 41 monitor_wrap.c | 47 +++++++-
@@ -48,13 +47,13 @@ Patch-Name: gssapi.patch
48 ssh-gss.h | 41 ++++++- 47 ssh-gss.h | 41 ++++++-
49 ssh_config | 2 + 48 ssh_config | 2 +
50 ssh_config.5 | 34 +++++- 49 ssh_config.5 | 34 +++++-
51 sshconnect2.c | 124 ++++++++++++++++++++- 50 sshconnect2.c | 124 +++++++++++++++++++-
52 sshd.c | 110 ++++++++++++++++++ 51 sshd.c | 110 ++++++++++++++++++
53 sshd_config | 2 + 52 sshd_config | 2 +
54 sshd_config.5 | 28 +++++ 53 sshd_config.5 | 28 +++++
55 sshkey.c | 3 +- 54 sshkey.c | 3 +-
56 sshkey.h | 1 + 55 sshkey.h | 1 +
57 33 files changed, 2052 insertions(+), 59 deletions(-) 56 32 files changed, 2005 insertions(+), 60 deletions(-)
58 create mode 100644 ChangeLog.gssapi 57 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c 58 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c 59 create mode 100644 kexgsss.c
@@ -179,21 +178,23 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 178+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 179+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 180diff --git a/Makefile.in b/Makefile.in
182index 06be3d5..086d8dd 100644 181index 40cc7aa..3d2a328 100644
183--- a/Makefile.in 182--- a/Makefile.in
184+++ b/Makefile.in 183+++ b/Makefile.in
185@@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 184@@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 185 sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 186 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 187 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
189+ kexgssc.o \ 188- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 189+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \ 190+ kexgssc.o
192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ 191
193@@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 192 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
193 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
194@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
195 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
194 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 196 auth2-none.o auth2-passwd.o auth2-pubkey.o \
195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 197 monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
196 kexc25519s.o auth-krb5.o \
197- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 198- auth2-gss.o gss-serv.o gss-serv-krb5.o \
198+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 199+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
199 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 200 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
@@ -251,11 +252,11 @@ index 0089b18..ec47869 100644
251 return (krb5_cc_resolve(ctx, ccname, ccache)); 252 return (krb5_cc_resolve(ctx, ccname, ccache));
252 } 253 }
253diff --git a/auth2-gss.c b/auth2-gss.c 254diff --git a/auth2-gss.c b/auth2-gss.c
254index 447f896..284f364 100644 255index 1ca8357..3b5036d 100644
255--- a/auth2-gss.c 256--- a/auth2-gss.c
256+++ b/auth2-gss.c 257+++ b/auth2-gss.c
257@@ -1,7 +1,7 @@ 258@@ -1,7 +1,7 @@
258 /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */ 259 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
259 260
260 /* 261 /*
261- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 262- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -263,9 +264,9 @@ index 447f896..284f364 100644
263 * 264 *
264 * Redistribution and use in source and binary forms, with or without 265 * Redistribution and use in source and binary forms, with or without
265 * modification, are permitted provided that the following conditions 266 * modification, are permitted provided that the following conditions
266@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); 267@@ -53,6 +53,40 @@ static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 268 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
268 static void input_gssapi_errtok(int, u_int32_t, void *); 269 static int input_gssapi_errtok(int, u_int32_t, void *);
269 270
270+/* 271+/*
271+ * The 'gssapi_keyex' userauth mechanism. 272+ * The 'gssapi_keyex' userauth mechanism.
@@ -304,7 +305,7 @@ index 447f896..284f364 100644
304 /* 305 /*
305 * We only support those mechanisms that we know about (ie ones that we know 306 * We only support those mechanisms that we know about (ie ones that we know
306 * how to check local user kuserok and the like) 307 * how to check local user kuserok and the like)
307@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 308@@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
308 309
309 packet_check_eom(); 310 packet_check_eom();
310 311
@@ -314,7 +315,7 @@ index 447f896..284f364 100644
314 315
315 authctxt->postponed = 0; 316 authctxt->postponed = 0;
316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 317 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
317@@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 318@@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
318 gssbuf.length = buffer_len(&b); 319 gssbuf.length = buffer_len(&b);
319 320
320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 321 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -324,8 +325,8 @@ index 447f896..284f364 100644
324 else 325 else
325 logit("GSSAPI MIC check failed"); 326 logit("GSSAPI MIC check failed");
326 327
327@@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 328@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 329 return 0;
329 } 330 }
330 331
331+Authmethod method_gsskeyex = { 332+Authmethod method_gsskeyex = {
@@ -338,7 +339,7 @@ index 447f896..284f364 100644
338 "gssapi-with-mic", 339 "gssapi-with-mic",
339 userauth_gssapi, 340 userauth_gssapi,
340diff --git a/auth2.c b/auth2.c 341diff --git a/auth2.c b/auth2.c
341index d9b440a..2f0d565 100644 342index 7177962..3f49bdc 100644
342--- a/auth2.c 343--- a/auth2.c
343+++ b/auth2.c 344+++ b/auth2.c
344@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 345@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -358,12 +359,12 @@ index d9b440a..2f0d565 100644
358 #endif 359 #endif
359 &method_passwd, 360 &method_passwd,
360diff --git a/clientloop.c b/clientloop.c 361diff --git a/clientloop.c b/clientloop.c
361index 397c965..f9175e3 100644 362index a9c8a90..7df9413 100644
362--- a/clientloop.c 363--- a/clientloop.c
363+++ b/clientloop.c 364+++ b/clientloop.c
364@@ -111,6 +111,10 @@ 365@@ -114,6 +114,10 @@
365 #include "msg.h" 366 #include "ssherr.h"
366 #include "roaming.h" 367 #include "hostfile.h"
367 368
368+#ifdef GSSAPI 369+#ifdef GSSAPI
369+#include "ssh-gss.h" 370+#include "ssh-gss.h"
@@ -387,12 +388,12 @@ index 397c965..f9175e3 100644
387+ 388+
388 if (need_rekeying || packet_need_rekeying()) { 389 if (need_rekeying || packet_need_rekeying()) {
389 debug("need rekeying"); 390 debug("need rekeying");
390 xxx_kex->done = 0; 391 active_state->kex->done = 0;
391diff --git a/config.h.in b/config.h.in 392diff --git a/config.h.in b/config.h.in
392index 16d6206..a9a8b7a 100644 393index 7e7e38e..6c7de98 100644
393--- a/config.h.in 394--- a/config.h.in
394+++ b/config.h.in 395+++ b/config.h.in
395@@ -1622,6 +1622,9 @@ 396@@ -1623,6 +1623,9 @@
396 /* Use btmp to log bad logins */ 397 /* Use btmp to log bad logins */
397 #undef USE_BTMP 398 #undef USE_BTMP
398 399
@@ -402,7 +403,7 @@ index 16d6206..a9a8b7a 100644
402 /* Use libedit for sftp */ 403 /* Use libedit for sftp */
403 #undef USE_LIBEDIT 404 #undef USE_LIBEDIT
404 405
405@@ -1637,6 +1640,9 @@ 406@@ -1638,6 +1641,9 @@
406 /* Use PIPES instead of a socketpair() */ 407 /* Use PIPES instead of a socketpair() */
407 #undef USE_PIPES 408 #undef USE_PIPES
408 409
@@ -412,79 +413,11 @@ index 16d6206..a9a8b7a 100644
412 /* Define if you have Solaris process contracts */ 413 /* Define if you have Solaris process contracts */
413 #undef USE_SOLARIS_PROCESS_CONTRACTS 414 #undef USE_SOLARIS_PROCESS_CONTRACTS
414 415
415diff --git a/configure b/configure
416index 6815388..ea5f200 100755
417--- a/configure
418+++ b/configure
419@@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
420
421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
422
423+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5
424+$as_echo_n "checking if we have the Security Authorization Session API... " >&6; }
425+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
426+/* end confdefs.h. */
427+#include <Security/AuthSession.h>
428+int
429+main ()
430+{
431+SessionCreate(0, 0);
432+ ;
433+ return 0;
434+}
435+_ACEOF
436+if ac_fn_c_try_compile "$LINENO"; then :
437+ ac_cv_use_security_session_api="yes"
438+
439+$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h
440+
441+ LIBS="$LIBS -framework Security"
442+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
443+$as_echo "yes" >&6; }
444+else
445+ ac_cv_use_security_session_api="no"
446+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
447+$as_echo "no" >&6; }
448+fi
449+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
450+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5
451+$as_echo_n "checking if we have an in-memory credentials cache... " >&6; }
452+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
453+/* end confdefs.h. */
454+#include <Kerberos/Kerberos.h>
455+int
456+main ()
457+{
458+cc_context_t c;
459+ (void) cc_initialize (&c, 0, NULL, NULL);
460+ ;
461+ return 0;
462+}
463+_ACEOF
464+if ac_fn_c_try_compile "$LINENO"; then :
465+
466+$as_echo "#define USE_CCAPI 1" >>confdefs.h
467+
468+ LIBS="$LIBS -framework Security"
469+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
470+$as_echo "yes" >&6; }
471+ if test "x$ac_cv_use_security_session_api" = "xno"; then
472+ as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5
473+ fi
474+else
475+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
476+$as_echo "no" >&6; }
477+
478+fi
479+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
480
481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
483diff --git a/configure.ac b/configure.ac 416diff --git a/configure.ac b/configure.ac
484index 67c4486..90e81e1 100644 417index b4d6598..216a9fd 100644
485--- a/configure.ac 418--- a/configure.ac
486+++ b/configure.ac 419+++ b/configure.ac
487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 420@@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
488 [Use tunnel device compatibility to OpenBSD]) 421 [Use tunnel device compatibility to OpenBSD])
489 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 422 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
490 [Prepend the address family to IP tunnel traffic]) 423 [Prepend the address family to IP tunnel traffic])
@@ -516,11 +449,11 @@ index 67c4486..90e81e1 100644
516 AC_CHECK_DECL([AU_IPv4], [], 449 AC_CHECK_DECL([AU_IPv4], [],
517 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 450 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
518diff --git a/gss-genr.c b/gss-genr.c 451diff --git a/gss-genr.c b/gss-genr.c
519index b39281b..1e569ad 100644 452index 60ac65f..5610f0b 100644
520--- a/gss-genr.c 453--- a/gss-genr.c
521+++ b/gss-genr.c 454+++ b/gss-genr.c
522@@ -1,7 +1,7 @@ 455@@ -1,7 +1,7 @@
523 /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ 456 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
524 457
525 /* 458 /*
526- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 459- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -528,7 +461,7 @@ index b39281b..1e569ad 100644
528 * 461 *
529 * Redistribution and use in source and binary forms, with or without 462 * Redistribution and use in source and binary forms, with or without
530 * modification, are permitted provided that the following conditions 463 * modification, are permitted provided that the following conditions
531@@ -39,12 +39,167 @@ 464@@ -40,12 +40,167 @@
532 #include "buffer.h" 465 #include "buffer.h"
533 #include "log.h" 466 #include "log.h"
534 #include "ssh2.h" 467 #include "ssh2.h"
@@ -696,7 +629,7 @@ index b39281b..1e569ad 100644
696 /* Check that the OID in a data stream matches that in the context */ 629 /* Check that the OID in a data stream matches that in the context */
697 int 630 int
698 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 631 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
699@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, 632@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
700 } 633 }
701 634
702 ctx->major = gss_init_sec_context(&ctx->minor, 635 ctx->major = gss_init_sec_context(&ctx->minor,
@@ -705,7 +638,7 @@ index b39281b..1e569ad 100644
705 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 638 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
706 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 639 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
707 640
708@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 641@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
709 } 642 }
710 643
711 OM_uint32 644 OM_uint32
@@ -748,7 +681,7 @@ index b39281b..1e569ad 100644
748 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 681 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
749 GSS_C_QOP_DEFAULT, buffer, hash))) 682 GSS_C_QOP_DEFAULT, buffer, hash)))
750 ssh_gssapi_error(ctx); 683 ssh_gssapi_error(ctx);
751@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 684@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
752 return (ctx->major); 685 return (ctx->major);
753 } 686 }
754 687
@@ -768,7 +701,7 @@ index b39281b..1e569ad 100644
768 void 701 void
769 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 702 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
770 const char *context) 703 const char *context)
771@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 704@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
772 } 705 }
773 706
774 int 707 int
@@ -786,7 +719,7 @@ index b39281b..1e569ad 100644
786 719
787 /* RFC 4462 says we MUST NOT do SPNEGO */ 720 /* RFC 4462 says we MUST NOT do SPNEGO */
788 if (oid->length == spnego_oid.length && 721 if (oid->length == spnego_oid.length &&
789@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 722@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
790 ssh_gssapi_build_ctx(ctx); 723 ssh_gssapi_build_ctx(ctx);
791 ssh_gssapi_set_oid(*ctx, oid); 724 ssh_gssapi_set_oid(*ctx, oid);
792 major = ssh_gssapi_import_name(*ctx, host); 725 major = ssh_gssapi_import_name(*ctx, host);
@@ -797,7 +730,7 @@ index b39281b..1e569ad 100644
797 if (!GSS_ERROR(major)) { 730 if (!GSS_ERROR(major)) {
798 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 731 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
799 NULL); 732 NULL);
800@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 733@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
801 GSS_C_NO_BUFFER); 734 GSS_C_NO_BUFFER);
802 } 735 }
803 736
@@ -992,11 +925,11 @@ index 795992d..fd8b371 100644
992 925
993 #endif /* KRB5 */ 926 #endif /* KRB5 */
994diff --git a/gss-serv.c b/gss-serv.c 927diff --git a/gss-serv.c b/gss-serv.c
995index 5c59924..50fa438 100644 928index e7b8c52..539862d 100644
996--- a/gss-serv.c 929--- a/gss-serv.c
997+++ b/gss-serv.c 930+++ b/gss-serv.c
998@@ -1,7 +1,7 @@ 931@@ -1,7 +1,7 @@
999 /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ 932 /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
1000 933
1001 /* 934 /*
1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 935- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1004,7 +937,7 @@ index 5c59924..50fa438 100644
1004 * 937 *
1005 * Redistribution and use in source and binary forms, with or without 938 * Redistribution and use in source and binary forms, with or without
1006 * modification, are permitted provided that the following conditions 939 * modification, are permitted provided that the following conditions
1007@@ -45,15 +45,21 @@ 940@@ -44,15 +44,21 @@
1008 #include "channels.h" 941 #include "channels.h"
1009 #include "session.h" 942 #include "session.h"
1010 #include "misc.h" 943 #include "misc.h"
@@ -1028,7 +961,7 @@ index 5c59924..50fa438 100644
1028 961
1029 #ifdef KRB5 962 #ifdef KRB5
1030 extern ssh_gssapi_mech gssapi_kerberos_mech; 963 extern ssh_gssapi_mech gssapi_kerberos_mech;
1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 964@@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
1032 char lname[NI_MAXHOST]; 965 char lname[NI_MAXHOST];
1033 gss_OID_set oidset; 966 gss_OID_set oidset;
1034 967
@@ -1075,7 +1008,7 @@ index 5c59924..50fa438 100644
1075 } 1008 }
1076 1009
1077 /* Privileged */ 1010 /* Privileged */
1078@@ -133,6 +146,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1011@@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1079 } 1012 }
1080 1013
1081 /* Unprivileged */ 1014 /* Unprivileged */
@@ -1105,7 +1038,7 @@ index 5c59924..50fa438 100644
1105 void 1038 void
1106 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1039 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1107 { 1040 {
1108@@ -142,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1041@@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1109 gss_OID_set supported; 1042 gss_OID_set supported;
1110 1043
1111 gss_create_empty_oid_set(&min_status, oidset); 1044 gss_create_empty_oid_set(&min_status, oidset);
@@ -1116,7 +1049,7 @@ index 5c59924..50fa438 100644
1116 1049
1117 while (supported_mechs[i]->name != NULL) { 1050 while (supported_mechs[i]->name != NULL) {
1118 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1051 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1119@@ -268,8 +306,48 @@ OM_uint32 1052@@ -267,8 +305,48 @@ OM_uint32
1120 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1053 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1121 { 1054 {
1122 int i = 0; 1055 int i = 0;
@@ -1166,7 +1099,7 @@ index 5c59924..50fa438 100644
1166 1099
1167 client->mech = NULL; 1100 client->mech = NULL;
1168 1101
1169@@ -284,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1102@@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1170 if (client->mech == NULL) 1103 if (client->mech == NULL)
1171 return GSS_S_FAILURE; 1104 return GSS_S_FAILURE;
1172 1105
@@ -1180,7 +1113,7 @@ index 5c59924..50fa438 100644
1180 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1113 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1181 &client->displayname, NULL))) { 1114 &client->displayname, NULL))) {
1182 ssh_gssapi_error(ctx); 1115 ssh_gssapi_error(ctx);
1183@@ -301,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1116@@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1184 return (ctx->major); 1117 return (ctx->major);
1185 } 1118 }
1186 1119
@@ -1189,7 +1122,7 @@ index 5c59924..50fa438 100644
1189 /* We can't copy this structure, so we just move the pointer to it */ 1122 /* We can't copy this structure, so we just move the pointer to it */
1190 client->creds = ctx->client_creds; 1123 client->creds = ctx->client_creds;
1191 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1124 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1192@@ -348,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) 1125@@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1193 1126
1194 /* Privileged */ 1127 /* Privileged */
1195 int 1128 int
@@ -1198,7 +1131,7 @@ index 5c59924..50fa438 100644
1198 { 1131 {
1199 OM_uint32 lmin; 1132 OM_uint32 lmin;
1200 1133
1201@@ -358,9 +445,11 @@ ssh_gssapi_userok(char *user) 1134@@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user)
1202 return 0; 1135 return 0;
1203 } 1136 }
1204 if (gssapi_client.mech && gssapi_client.mech->userok) 1137 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1212,7 +1145,7 @@ index 5c59924..50fa438 100644
1212 /* Destroy delegated credentials if userok fails */ 1145 /* Destroy delegated credentials if userok fails */
1213 gss_release_buffer(&lmin, &gssapi_client.displayname); 1146 gss_release_buffer(&lmin, &gssapi_client.displayname);
1214 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1147 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1215@@ -374,14 +463,90 @@ ssh_gssapi_userok(char *user) 1148@@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user)
1216 return (0); 1149 return (0);
1217 } 1150 }
1218 1151
@@ -1310,11 +1243,11 @@ index 5c59924..50fa438 100644
1310 1243
1311 #endif 1244 #endif
1312diff --git a/kex.c b/kex.c 1245diff --git a/kex.c b/kex.c
1313index a173e70..891852b 100644 1246index 8c2b001..be938ad 100644
1314--- a/kex.c 1247--- a/kex.c
1315+++ b/kex.c 1248+++ b/kex.c
1316@@ -53,6 +53,10 @@ 1249@@ -55,6 +55,10 @@
1317 #include "roaming.h" 1250 #include "sshbuf.h"
1318 #include "digest.h" 1251 #include "digest.h"
1319 1252
1320+#ifdef GSSAPI 1253+#ifdef GSSAPI
@@ -1324,8 +1257,8 @@ index a173e70..891852b 100644
1324 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1257 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1325 # if defined(HAVE_EVP_SHA256) 1258 # if defined(HAVE_EVP_SHA256)
1326 # define evp_ssh_sha256 EVP_sha256 1259 # define evp_ssh_sha256 EVP_sha256
1327@@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { 1260@@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = {
1328 #endif /* HAVE_EVP_SHA256 */ 1261 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1329 { NULL, -1, -1, -1}, 1262 { NULL, -1, -1, -1},
1330 }; 1263 };
1331+static const struct kexalg kexalg_prefixes[] = { 1264+static const struct kexalg kexalg_prefixes[] = {
@@ -1339,7 +1272,7 @@ index a173e70..891852b 100644
1339 1272
1340 char * 1273 char *
1341 kex_alg_list(char sep) 1274 kex_alg_list(char sep)
1342@@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) 1275@@ -129,6 +141,10 @@ kex_alg_by_name(const char *name)
1343 if (strcmp(k->name, name) == 0) 1276 if (strcmp(k->name, name) == 0)
1344 return k; 1277 return k;
1345 } 1278 }
@@ -1351,10 +1284,10 @@ index a173e70..891852b 100644
1351 } 1284 }
1352 1285
1353diff --git a/kex.h b/kex.h 1286diff --git a/kex.h b/kex.h
1354index 4c40ec8..c179a4d 100644 1287index f70b81f..7194b14 100644
1355--- a/kex.h 1288--- a/kex.h
1356+++ b/kex.h 1289+++ b/kex.h
1357@@ -76,6 +76,9 @@ enum kex_exchange { 1290@@ -93,6 +93,9 @@ enum kex_exchange {
1358 KEX_DH_GEX_SHA256, 1291 KEX_DH_GEX_SHA256,
1359 KEX_ECDH_SHA2, 1292 KEX_ECDH_SHA2,
1360 KEX_C25519_SHA256, 1293 KEX_C25519_SHA256,
@@ -1364,8 +1297,8 @@ index 4c40ec8..c179a4d 100644
1364 KEX_MAX 1297 KEX_MAX
1365 }; 1298 };
1366 1299
1367@@ -135,6 +138,12 @@ struct Kex { 1300@@ -139,6 +142,12 @@ struct kex {
1368 int flags; 1301 u_int flags;
1369 int hash_alg; 1302 int hash_alg;
1370 int ec_nid; 1303 int ec_nid;
1371+#ifdef GSSAPI 1304+#ifdef GSSAPI
@@ -1376,25 +1309,25 @@ index 4c40ec8..c179a4d 100644
1376+#endif 1309+#endif
1377 char *client_version_string; 1310 char *client_version_string;
1378 char *server_version_string; 1311 char *server_version_string;
1379 int (*verify_host_key)(Key *); 1312 int (*verify_host_key)(struct sshkey *, struct ssh *);
1380@@ -167,6 +176,11 @@ void kexecdh_server(Kex *); 1313@@ -184,6 +193,11 @@ int kexecdh_server(struct ssh *);
1381 void kexc25519_client(Kex *); 1314 int kexc25519_client(struct ssh *);
1382 void kexc25519_server(Kex *); 1315 int kexc25519_server(struct ssh *);
1383 1316
1384+#ifdef GSSAPI 1317+#ifdef GSSAPI
1385+void kexgss_client(Kex *); 1318+int kexgss_client(struct ssh *);
1386+void kexgss_server(Kex *); 1319+int kexgss_server(struct ssh *);
1387+#endif 1320+#endif
1388+ 1321+
1389 void 1322 int kex_dh_hash(const char *, const char *,
1390 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, 1323 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
1391 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); 1324 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1392diff --git a/kexgssc.c b/kexgssc.c 1325diff --git a/kexgssc.c b/kexgssc.c
1393new file mode 100644 1326new file mode 100644
1394index 0000000..92a31c5 1327index 0000000..a49bac2
1395--- /dev/null 1328--- /dev/null
1396+++ b/kexgssc.c 1329+++ b/kexgssc.c
1397@@ -0,0 +1,332 @@ 1330@@ -0,0 +1,336 @@
1398+/* 1331+/*
1399+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1332+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1400+ * 1333+ *
@@ -1439,43 +1372,46 @@ index 0000000..92a31c5
1439+#include "log.h" 1372+#include "log.h"
1440+#include "packet.h" 1373+#include "packet.h"
1441+#include "dh.h" 1374+#include "dh.h"
1375+#include "digest.h"
1442+ 1376+
1443+#include "ssh-gss.h" 1377+#include "ssh-gss.h"
1444+ 1378+
1445+void 1379+int
1446+kexgss_client(Kex *kex) { 1380+kexgss_client(struct ssh *ssh) {
1447+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 1381+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
1448+ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; 1382+ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
1449+ Gssctxt *ctxt; 1383+ Gssctxt *ctxt;
1450+ OM_uint32 maj_status, min_status, ret_flags; 1384+ OM_uint32 maj_status, min_status, ret_flags;
1451+ u_int klen, kout, slen = 0, hashlen, strlen; 1385+ u_int klen, kout, slen = 0, strlen;
1452+ DH *dh; 1386+ DH *dh;
1453+ BIGNUM *dh_server_pub = NULL; 1387+ BIGNUM *dh_server_pub = NULL;
1454+ BIGNUM *shared_secret = NULL; 1388+ BIGNUM *shared_secret = NULL;
1455+ BIGNUM *p = NULL; 1389+ BIGNUM *p = NULL;
1456+ BIGNUM *g = NULL; 1390+ BIGNUM *g = NULL;
1457+ u_char *kbuf, *hash; 1391+ u_char *kbuf;
1458+ u_char *serverhostkey = NULL; 1392+ u_char *serverhostkey = NULL;
1459+ u_char *empty = ""; 1393+ u_char *empty = "";
1460+ char *msg; 1394+ char *msg;
1461+ int type = 0; 1395+ int type = 0;
1462+ int first = 1; 1396+ int first = 1;
1463+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; 1397+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
1398+ u_char hash[SSH_DIGEST_MAX_LENGTH];
1399+ size_t hashlen;
1464+ 1400+
1465+ /* Initialise our GSSAPI world */ 1401+ /* Initialise our GSSAPI world */
1466+ ssh_gssapi_build_ctx(&ctxt); 1402+ ssh_gssapi_build_ctx(&ctxt);
1467+ if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) 1403+ if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type)
1468+ == GSS_C_NO_OID) 1404+ == GSS_C_NO_OID)
1469+ fatal("Couldn't identify host exchange"); 1405+ fatal("Couldn't identify host exchange");
1470+ 1406+
1471+ if (ssh_gssapi_import_name(ctxt, kex->gss_host)) 1407+ if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
1472+ fatal("Couldn't import hostname"); 1408+ fatal("Couldn't import hostname");
1473+ 1409+
1474+ if (kex->gss_client && 1410+ if (ssh->kex->gss_client &&
1475+ ssh_gssapi_client_identity(ctxt, kex->gss_client)) 1411+ ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
1476+ fatal("Couldn't acquire client credentials"); 1412+ fatal("Couldn't acquire client credentials");
1477+ 1413+
1478+ switch (kex->kex_type) { 1414+ switch (ssh->kex->kex_type) {
1479+ case KEX_GSS_GRP1_SHA1: 1415+ case KEX_GSS_GRP1_SHA1:
1480+ dh = dh_new_group1(); 1416+ dh = dh_new_group1();
1481+ break; 1417+ break;
@@ -1484,7 +1420,7 @@ index 0000000..92a31c5
1484+ break; 1420+ break;
1485+ case KEX_GSS_GEX_SHA1: 1421+ case KEX_GSS_GEX_SHA1:
1486+ debug("Doing group exchange\n"); 1422+ debug("Doing group exchange\n");
1487+ nbits = dh_estimate(kex->we_need * 8); 1423+ nbits = dh_estimate(ssh->kex->we_need * 8);
1488+ packet_start(SSH2_MSG_KEXGSS_GROUPREQ); 1424+ packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
1489+ packet_put_int(min); 1425+ packet_put_int(min);
1490+ packet_put_int(nbits); 1426+ packet_put_int(nbits);
@@ -1509,11 +1445,11 @@ index 0000000..92a31c5
1509+ dh = dh_new_group(g, p); 1445+ dh = dh_new_group(g, p);
1510+ break; 1446+ break;
1511+ default: 1447+ default:
1512+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); 1448+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
1513+ } 1449+ }
1514+ 1450+
1515+ /* Step 1 - e is dh->pub_key */ 1451+ /* Step 1 - e is dh->pub_key */
1516+ dh_gen_key(dh, kex->we_need * 8); 1452+ dh_gen_key(dh, ssh->kex->we_need * 8);
1517+ 1453+
1518+ /* This is f, we initialise it now to make life easier */ 1454+ /* This is f, we initialise it now to make life easier */
1519+ dh_server_pub = BN_new(); 1455+ dh_server_pub = BN_new();
@@ -1526,7 +1462,7 @@ index 0000000..92a31c5
1526+ debug("Calling gss_init_sec_context"); 1462+ debug("Calling gss_init_sec_context");
1527+ 1463+
1528+ maj_status = ssh_gssapi_init_ctx(ctxt, 1464+ maj_status = ssh_gssapi_init_ctx(ctxt,
1529+ kex->gss_deleg_creds, token_ptr, &send_tok, 1465+ ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
1530+ &ret_flags); 1466+ &ret_flags);
1531+ 1467+
1532+ if (GSS_ERROR(maj_status)) { 1468+ if (GSS_ERROR(maj_status)) {
@@ -1659,38 +1595,39 @@ index 0000000..92a31c5
1659+ memset(kbuf, 0, klen); 1595+ memset(kbuf, 0, klen);
1660+ free(kbuf); 1596+ free(kbuf);
1661+ 1597+
1662+ switch (kex->kex_type) { 1598+ hashlen = sizeof(hash);
1599+ switch (ssh->kex->kex_type) {
1663+ case KEX_GSS_GRP1_SHA1: 1600+ case KEX_GSS_GRP1_SHA1:
1664+ case KEX_GSS_GRP14_SHA1: 1601+ case KEX_GSS_GRP14_SHA1:
1665+ kex_dh_hash( kex->client_version_string, 1602+ kex_dh_hash( ssh->kex->client_version_string,
1666+ kex->server_version_string, 1603+ ssh->kex->server_version_string,
1667+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1604+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
1668+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1605+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
1669+ (serverhostkey ? serverhostkey : empty), slen, 1606+ (serverhostkey ? serverhostkey : empty), slen,
1670+ dh->pub_key, /* e */ 1607+ dh->pub_key, /* e */
1671+ dh_server_pub, /* f */ 1608+ dh_server_pub, /* f */
1672+ shared_secret, /* K */ 1609+ shared_secret, /* K */
1673+ &hash, &hashlen 1610+ hash, &hashlen
1674+ ); 1611+ );
1675+ break; 1612+ break;
1676+ case KEX_GSS_GEX_SHA1: 1613+ case KEX_GSS_GEX_SHA1:
1677+ kexgex_hash( 1614+ kexgex_hash(
1678+ kex->hash_alg, 1615+ ssh->kex->hash_alg,
1679+ kex->client_version_string, 1616+ ssh->kex->client_version_string,
1680+ kex->server_version_string, 1617+ ssh->kex->server_version_string,
1681+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1618+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
1682+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1619+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
1683+ (serverhostkey ? serverhostkey : empty), slen, 1620+ (serverhostkey ? serverhostkey : empty), slen,
1684+ min, nbits, max, 1621+ min, nbits, max,
1685+ dh->p, dh->g, 1622+ dh->p, dh->g,
1686+ dh->pub_key, 1623+ dh->pub_key,
1687+ dh_server_pub, 1624+ dh_server_pub,
1688+ shared_secret, 1625+ shared_secret,
1689+ &hash, &hashlen 1626+ hash, &hashlen
1690+ ); 1627+ );
1691+ break; 1628+ break;
1692+ default: 1629+ default:
1693+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); 1630+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
1694+ } 1631+ }
1695+ 1632+
1696+ gssbuf.value = hash; 1633+ gssbuf.value = hash;
@@ -1707,13 +1644,13 @@ index 0000000..92a31c5
1707+ BN_clear_free(dh_server_pub); 1644+ BN_clear_free(dh_server_pub);
1708+ 1645+
1709+ /* save session id */ 1646+ /* save session id */
1710+ if (kex->session_id == NULL) { 1647+ if (ssh->kex->session_id == NULL) {
1711+ kex->session_id_len = hashlen; 1648+ ssh->kex->session_id_len = hashlen;
1712+ kex->session_id = xmalloc(kex->session_id_len); 1649+ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
1713+ memcpy(kex->session_id, hash, kex->session_id_len); 1650+ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
1714+ } 1651+ }
1715+ 1652+
1716+ if (kex->gss_deleg_creds) 1653+ if (ssh->kex->gss_deleg_creds)
1717+ ssh_gssapi_credentials_updated(ctxt); 1654+ ssh_gssapi_credentials_updated(ctxt);
1718+ 1655+
1719+ if (gss_kex_context == NULL) 1656+ if (gss_kex_context == NULL)
@@ -1721,18 +1658,18 @@ index 0000000..92a31c5
1721+ else 1658+ else
1722+ ssh_gssapi_delete_ctx(&ctxt); 1659+ ssh_gssapi_delete_ctx(&ctxt);
1723+ 1660+
1724+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); 1661+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
1725+ BN_clear_free(shared_secret); 1662+ BN_clear_free(shared_secret);
1726+ kex_finish(kex); 1663+ return kex_send_newkeys(ssh);
1727+} 1664+}
1728+ 1665+
1729+#endif /* GSSAPI */ 1666+#endif /* GSSAPI */
1730diff --git a/kexgsss.c b/kexgsss.c 1667diff --git a/kexgsss.c b/kexgsss.c
1731new file mode 100644 1668new file mode 100644
1732index 0000000..6a0ece8 1669index 0000000..0847469
1733--- /dev/null 1670--- /dev/null
1734+++ b/kexgsss.c 1671+++ b/kexgsss.c
1735@@ -0,0 +1,290 @@ 1672@@ -0,0 +1,295 @@
1736+/* 1673+/*
1737+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1674+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1738+ * 1675+ *
@@ -1779,11 +1716,12 @@ index 0000000..6a0ece8
1779+#include "monitor_wrap.h" 1716+#include "monitor_wrap.h"
1780+#include "misc.h" 1717+#include "misc.h"
1781+#include "servconf.h" 1718+#include "servconf.h"
1719+#include "digest.h"
1782+ 1720+
1783+extern ServerOptions options; 1721+extern ServerOptions options;
1784+ 1722+
1785+void 1723+int
1786+kexgss_server(Kex *kex) 1724+kexgss_server(struct ssh *ssh)
1787+{ 1725+{
1788+ OM_uint32 maj_status, min_status; 1726+ OM_uint32 maj_status, min_status;
1789+ 1727+
@@ -1798,8 +1736,8 @@ index 0000000..6a0ece8
1798+ gss_buffer_desc gssbuf, recv_tok, msg_tok; 1736+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
1799+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 1737+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
1800+ Gssctxt *ctxt = NULL; 1738+ Gssctxt *ctxt = NULL;
1801+ u_int slen, klen, kout, hashlen; 1739+ u_int slen, klen, kout;
1802+ u_char *kbuf, *hash; 1740+ u_char *kbuf;
1803+ DH *dh; 1741+ DH *dh;
1804+ int min = -1, max = -1, nbits = -1; 1742+ int min = -1, max = -1, nbits = -1;
1805+ BIGNUM *shared_secret = NULL; 1743+ BIGNUM *shared_secret = NULL;
@@ -1807,6 +1745,8 @@ index 0000000..6a0ece8
1807+ int type = 0; 1745+ int type = 0;
1808+ gss_OID oid; 1746+ gss_OID oid;
1809+ char *mechs; 1747+ char *mechs;
1748+ u_char hash[SSH_DIGEST_MAX_LENGTH];
1749+ size_t hashlen;
1810+ 1750+
1811+ /* Initialise GSSAPI */ 1751+ /* Initialise GSSAPI */
1812+ 1752+
@@ -1819,8 +1759,8 @@ index 0000000..6a0ece8
1819+ free(mechs); 1759+ free(mechs);
1820+ } 1760+ }
1821+ 1761+
1822+ debug2("%s: Identifying %s", __func__, kex->name); 1762+ debug2("%s: Identifying %s", __func__, ssh->kex->name);
1823+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); 1763+ oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type);
1824+ if (oid == GSS_C_NO_OID) 1764+ if (oid == GSS_C_NO_OID)
1825+ fatal("Unknown gssapi mechanism"); 1765+ fatal("Unknown gssapi mechanism");
1826+ 1766+
@@ -1829,7 +1769,7 @@ index 0000000..6a0ece8
1829+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) 1769+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
1830+ fatal("Unable to acquire credentials for the server"); 1770+ fatal("Unable to acquire credentials for the server");
1831+ 1771+
1832+ switch (kex->kex_type) { 1772+ switch (ssh->kex->kex_type) {
1833+ case KEX_GSS_GRP1_SHA1: 1773+ case KEX_GSS_GRP1_SHA1:
1834+ dh = dh_new_group1(); 1774+ dh = dh_new_group1();
1835+ break; 1775+ break;
@@ -1860,10 +1800,10 @@ index 0000000..6a0ece8
1860+ packet_write_wait(); 1800+ packet_write_wait();
1861+ break; 1801+ break;
1862+ default: 1802+ default:
1863+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); 1803+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
1864+ } 1804+ }
1865+ 1805+
1866+ dh_gen_key(dh, kex->we_need * 8); 1806+ dh_gen_key(dh, ssh->kex->we_need * 8);
1867+ 1807+
1868+ do { 1808+ do {
1869+ debug("Wait SSH2_MSG_GSSAPI_INIT"); 1809+ debug("Wait SSH2_MSG_GSSAPI_INIT");
@@ -1946,43 +1886,44 @@ index 0000000..6a0ece8
1946+ memset(kbuf, 0, klen); 1886+ memset(kbuf, 0, klen);
1947+ free(kbuf); 1887+ free(kbuf);
1948+ 1888+
1949+ switch (kex->kex_type) { 1889+ hashlen = sizeof(hash);
1890+ switch (ssh->kex->kex_type) {
1950+ case KEX_GSS_GRP1_SHA1: 1891+ case KEX_GSS_GRP1_SHA1:
1951+ case KEX_GSS_GRP14_SHA1: 1892+ case KEX_GSS_GRP14_SHA1:
1952+ kex_dh_hash( 1893+ kex_dh_hash(
1953+ kex->client_version_string, kex->server_version_string, 1894+ ssh->kex->client_version_string, ssh->kex->server_version_string,
1954+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1895+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
1955+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1896+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
1956+ NULL, 0, /* Change this if we start sending host keys */ 1897+ NULL, 0, /* Change this if we start sending host keys */
1957+ dh_client_pub, dh->pub_key, shared_secret, 1898+ dh_client_pub, dh->pub_key, shared_secret,
1958+ &hash, &hashlen 1899+ hash, &hashlen
1959+ ); 1900+ );
1960+ break; 1901+ break;
1961+ case KEX_GSS_GEX_SHA1: 1902+ case KEX_GSS_GEX_SHA1:
1962+ kexgex_hash( 1903+ kexgex_hash(
1963+ kex->hash_alg, 1904+ ssh->kex->hash_alg,
1964+ kex->client_version_string, kex->server_version_string, 1905+ ssh->kex->client_version_string, ssh->kex->server_version_string,
1965+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1906+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
1966+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1907+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
1967+ NULL, 0, 1908+ NULL, 0,
1968+ min, nbits, max, 1909+ min, nbits, max,
1969+ dh->p, dh->g, 1910+ dh->p, dh->g,
1970+ dh_client_pub, 1911+ dh_client_pub,
1971+ dh->pub_key, 1912+ dh->pub_key,
1972+ shared_secret, 1913+ shared_secret,
1973+ &hash, &hashlen 1914+ hash, &hashlen
1974+ ); 1915+ );
1975+ break; 1916+ break;
1976+ default: 1917+ default:
1977+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); 1918+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
1978+ } 1919+ }
1979+ 1920+
1980+ BN_clear_free(dh_client_pub); 1921+ BN_clear_free(dh_client_pub);
1981+ 1922+
1982+ if (kex->session_id == NULL) { 1923+ if (ssh->kex->session_id == NULL) {
1983+ kex->session_id_len = hashlen; 1924+ ssh->kex->session_id_len = hashlen;
1984+ kex->session_id = xmalloc(kex->session_id_len); 1925+ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
1985+ memcpy(kex->session_id, hash, kex->session_id_len); 1926+ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
1986+ } 1927+ }
1987+ 1928+
1988+ gssbuf.value = hash; 1929+ gssbuf.value = hash;
@@ -2013,21 +1954,22 @@ index 0000000..6a0ece8
2013+ 1954+
2014+ DH_free(dh); 1955+ DH_free(dh);
2015+ 1956+
2016+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); 1957+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
2017+ BN_clear_free(shared_secret); 1958+ BN_clear_free(shared_secret);
2018+ kex_finish(kex); 1959+ kex_send_newkeys(ssh);
2019+ 1960+
2020+ /* If this was a rekey, then save out any delegated credentials we 1961+ /* If this was a rekey, then save out any delegated credentials we
2021+ * just exchanged. */ 1962+ * just exchanged. */
2022+ if (options.gss_store_rekey) 1963+ if (options.gss_store_rekey)
2023+ ssh_gssapi_rekey_creds(); 1964+ ssh_gssapi_rekey_creds();
1965+ return 0;
2024+} 1966+}
2025+#endif /* GSSAPI */ 1967+#endif /* GSSAPI */
2026diff --git a/monitor.c b/monitor.c 1968diff --git a/monitor.c b/monitor.c
2027index dbe29f1..b0896ef 100644 1969index bab6ce8..a2027e5 100644
2028--- a/monitor.c 1970--- a/monitor.c
2029+++ b/monitor.c 1971+++ b/monitor.c
2030@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 1972@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2031 int mm_answer_gss_accept_ctx(int, Buffer *); 1973 int mm_answer_gss_accept_ctx(int, Buffer *);
2032 int mm_answer_gss_userok(int, Buffer *); 1974 int mm_answer_gss_userok(int, Buffer *);
2033 int mm_answer_gss_checkmic(int, Buffer *); 1975 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2036,7 +1978,7 @@ index dbe29f1..b0896ef 100644
2036 #endif 1978 #endif
2037 1979
2038 #ifdef SSH_AUDIT_EVENTS 1980 #ifdef SSH_AUDIT_EVENTS
2039@@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { 1981@@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = {
2040 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 1982 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2041 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 1983 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2042 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 1984 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2055,7 +1997,7 @@ index dbe29f1..b0896ef 100644
2055 #ifdef WITH_OPENSSL 1997 #ifdef WITH_OPENSSL
2056 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 1998 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2057 #endif 1999 #endif
2058@@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2000@@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2059 /* Permit requests for moduli and signatures */ 2001 /* Permit requests for moduli and signatures */
2060 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2002 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2061 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2003 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2066,7 +2008,7 @@ index dbe29f1..b0896ef 100644
2066 } else { 2008 } else {
2067 mon_dispatch = mon_dispatch_proto15; 2009 mon_dispatch = mon_dispatch_proto15;
2068 2010
2069@@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2011@@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2070 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2012 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2071 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2013 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2072 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2014 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2077,21 +2019,21 @@ index dbe29f1..b0896ef 100644
2077 } else { 2019 } else {
2078 mon_dispatch = mon_dispatch_postauth15; 2020 mon_dispatch = mon_dispatch_postauth15;
2079 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2021 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2080@@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) 2022@@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2081 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2023 # endif
2082 #endif 2024 #endif /* WITH_OPENSSL */
2083 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2025 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
2084+#ifdef GSSAPI 2026+#ifdef GSSAPI
2085+ if (options.gss_keyex) { 2027+ if (options.gss_keyex) {
2086+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2028+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
2087+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; 2029+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
2088+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; 2030+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
2089+ } 2031+ }
2090+#endif 2032+#endif
2091 kex->server = 1; 2033 kex->load_host_public_key=&get_hostkey_public_by_type;
2092 kex->hostkey_type = buffer_get_int(m); 2034 kex->load_host_private_key=&get_hostkey_private_by_type;
2093 kex->kex_type = buffer_get_int(m); 2035 kex->host_key_index=&get_hostkey_index;
2094@@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2036@@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2095 OM_uint32 major; 2037 OM_uint32 major;
2096 u_int len; 2038 u_int len;
2097 2039
@@ -2101,7 +2043,7 @@ index dbe29f1..b0896ef 100644
2101 goid.elements = buffer_get_string(m, &len); 2043 goid.elements = buffer_get_string(m, &len);
2102 goid.length = len; 2044 goid.length = len;
2103 2045
2104@@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2046@@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2105 OM_uint32 flags = 0; /* GSI needs this */ 2047 OM_uint32 flags = 0; /* GSI needs this */
2106 u_int len; 2048 u_int len;
2107 2049
@@ -2111,7 +2053,7 @@ index dbe29f1..b0896ef 100644
2111 in.value = buffer_get_string(m, &len); 2053 in.value = buffer_get_string(m, &len);
2112 in.length = len; 2054 in.length = len;
2113 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2055 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2114@@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2056@@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2115 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2057 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2116 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2058 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2117 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2059 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2119,7 +2061,7 @@ index dbe29f1..b0896ef 100644
2119 } 2061 }
2120 return (0); 2062 return (0);
2121 } 2063 }
2122@@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2064@@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2123 OM_uint32 ret; 2065 OM_uint32 ret;
2124 u_int len; 2066 u_int len;
2125 2067
@@ -2129,7 +2071,7 @@ index dbe29f1..b0896ef 100644
2129 gssbuf.value = buffer_get_string(m, &len); 2071 gssbuf.value = buffer_get_string(m, &len);
2130 gssbuf.length = len; 2072 gssbuf.length = len;
2131 mic.value = buffer_get_string(m, &len); 2073 mic.value = buffer_get_string(m, &len);
2132@@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2074@@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2133 { 2075 {
2134 int authenticated; 2076 int authenticated;
2135 2077
@@ -2142,7 +2084,7 @@ index dbe29f1..b0896ef 100644
2142 2084
2143 buffer_clear(m); 2085 buffer_clear(m);
2144 buffer_put_int(m, authenticated); 2086 buffer_put_int(m, authenticated);
2145@@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2087@@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2146 /* Monitor loop will terminate if authenticated */ 2088 /* Monitor loop will terminate if authenticated */
2147 return (authenticated); 2089 return (authenticated);
2148 } 2090 }
@@ -2217,7 +2159,7 @@ index dbe29f1..b0896ef 100644
2217 #endif /* GSSAPI */ 2159 #endif /* GSSAPI */
2218 2160
2219diff --git a/monitor.h b/monitor.h 2161diff --git a/monitor.h b/monitor.h
2220index 5bc41b5..7f32b0c 100644 2162index 93b8b66..bc50ade 100644
2221--- a/monitor.h 2163--- a/monitor.h
2222+++ b/monitor.h 2164+++ b/monitor.h
2223@@ -65,6 +65,9 @@ enum monitor_reqtype { 2165@@ -65,6 +65,9 @@ enum monitor_reqtype {
@@ -2231,10 +2173,10 @@ index 5bc41b5..7f32b0c 100644
2231 2173
2232 struct mm_master; 2174 struct mm_master;
2233diff --git a/monitor_wrap.c b/monitor_wrap.c 2175diff --git a/monitor_wrap.c b/monitor_wrap.c
2234index 45dc169..e476f0d 100644 2176index b379f05..b667218 100644
2235--- a/monitor_wrap.c 2177--- a/monitor_wrap.c
2236+++ b/monitor_wrap.c 2178+++ b/monitor_wrap.c
2237@@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2179@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2238 } 2180 }
2239 2181
2240 int 2182 int
@@ -2243,7 +2185,7 @@ index 45dc169..e476f0d 100644
2243 { 2185 {
2244 Buffer m; 2186 Buffer m;
2245 int authenticated = 0; 2187 int authenticated = 0;
2246@@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) 2188@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user)
2247 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2189 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2248 return (authenticated); 2190 return (authenticated);
2249 } 2191 }
@@ -2295,7 +2237,7 @@ index 45dc169..e476f0d 100644
2295 #endif /* GSSAPI */ 2237 #endif /* GSSAPI */
2296 2238
2297diff --git a/monitor_wrap.h b/monitor_wrap.h 2239diff --git a/monitor_wrap.h b/monitor_wrap.h
2298index 18c2501..a4e9d24 100644 2240index e18784a..0c770e8 100644
2299--- a/monitor_wrap.h 2241--- a/monitor_wrap.h
2300+++ b/monitor_wrap.h 2242+++ b/monitor_wrap.h
2301@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); 2243@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2311,10 +2253,10 @@ index 18c2501..a4e9d24 100644
2311 2253
2312 #ifdef USE_PAM 2254 #ifdef USE_PAM
2313diff --git a/readconf.c b/readconf.c 2255diff --git a/readconf.c b/readconf.c
2314index 7948ce1..9127e93 100644 2256index 42a2961..254dbce 100644
2315--- a/readconf.c 2257--- a/readconf.c
2316+++ b/readconf.c 2258+++ b/readconf.c
2317@@ -142,6 +142,8 @@ typedef enum { 2259@@ -147,6 +147,8 @@ typedef enum {
2318 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2260 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2319 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2261 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2320 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2262 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2323,7 +2265,7 @@ index 7948ce1..9127e93 100644
2323 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2265 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2324 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2266 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2325 oHashKnownHosts, 2267 oHashKnownHosts,
2326@@ -185,10 +187,19 @@ static struct { 2268@@ -191,10 +193,19 @@ static struct {
2327 { "afstokenpassing", oUnsupported }, 2269 { "afstokenpassing", oUnsupported },
2328 #if defined(GSSAPI) 2270 #if defined(GSSAPI)
2329 { "gssapiauthentication", oGssAuthentication }, 2271 { "gssapiauthentication", oGssAuthentication },
@@ -2343,7 +2285,7 @@ index 7948ce1..9127e93 100644
2343 #endif 2285 #endif
2344 { "fallbacktorsh", oDeprecated }, 2286 { "fallbacktorsh", oDeprecated },
2345 { "usersh", oDeprecated }, 2287 { "usersh", oDeprecated },
2346@@ -865,10 +876,30 @@ parse_time: 2288@@ -892,10 +903,30 @@ parse_time:
2347 intptr = &options->gss_authentication; 2289 intptr = &options->gss_authentication;
2348 goto parse_flag; 2290 goto parse_flag;
2349 2291
@@ -2374,7 +2316,7 @@ index 7948ce1..9127e93 100644
2374 case oBatchMode: 2316 case oBatchMode:
2375 intptr = &options->batch_mode; 2317 intptr = &options->batch_mode;
2376 goto parse_flag; 2318 goto parse_flag;
2377@@ -1538,7 +1569,12 @@ initialize_options(Options * options) 2319@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
2378 options->pubkey_authentication = -1; 2320 options->pubkey_authentication = -1;
2379 options->challenge_response_authentication = -1; 2321 options->challenge_response_authentication = -1;
2380 options->gss_authentication = -1; 2322 options->gss_authentication = -1;
@@ -2387,7 +2329,7 @@ index 7948ce1..9127e93 100644
2387 options->password_authentication = -1; 2329 options->password_authentication = -1;
2388 options->kbd_interactive_authentication = -1; 2330 options->kbd_interactive_authentication = -1;
2389 options->kbd_interactive_devices = NULL; 2331 options->kbd_interactive_devices = NULL;
2390@@ -1661,8 +1697,14 @@ fill_default_options(Options * options) 2332@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
2391 options->challenge_response_authentication = 1; 2333 options->challenge_response_authentication = 1;
2392 if (options->gss_authentication == -1) 2334 if (options->gss_authentication == -1)
2393 options->gss_authentication = 0; 2335 options->gss_authentication = 0;
@@ -2403,7 +2345,7 @@ index 7948ce1..9127e93 100644
2403 options->password_authentication = 1; 2345 options->password_authentication = 1;
2404 if (options->kbd_interactive_authentication == -1) 2346 if (options->kbd_interactive_authentication == -1)
2405diff --git a/readconf.h b/readconf.h 2347diff --git a/readconf.h b/readconf.h
2406index 0b9cb77..0e29889 100644 2348index 576b9e3..ef39c4c 100644
2407--- a/readconf.h 2349--- a/readconf.h
2408+++ b/readconf.h 2350+++ b/readconf.h
2409@@ -45,7 +45,12 @@ typedef struct { 2351@@ -45,7 +45,12 @@ typedef struct {
@@ -2420,10 +2362,10 @@ index 0b9cb77..0e29889 100644
2420 * authentication. */ 2362 * authentication. */
2421 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2363 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2422diff --git a/servconf.c b/servconf.c 2364diff --git a/servconf.c b/servconf.c
2423index b7f3294..cb3c831 100644 2365index 3185462..f68c0d0 100644
2424--- a/servconf.c 2366--- a/servconf.c
2425+++ b/servconf.c 2367+++ b/servconf.c
2426@@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) 2368@@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options)
2427 options->kerberos_ticket_cleanup = -1; 2369 options->kerberos_ticket_cleanup = -1;
2428 options->kerberos_get_afs_token = -1; 2370 options->kerberos_get_afs_token = -1;
2429 options->gss_authentication=-1; 2371 options->gss_authentication=-1;
@@ -2434,7 +2376,7 @@ index b7f3294..cb3c831 100644
2434 options->password_authentication = -1; 2376 options->password_authentication = -1;
2435 options->kbd_interactive_authentication = -1; 2377 options->kbd_interactive_authentication = -1;
2436 options->challenge_response_authentication = -1; 2378 options->challenge_response_authentication = -1;
2437@@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) 2379@@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options)
2438 options->kerberos_get_afs_token = 0; 2380 options->kerberos_get_afs_token = 0;
2439 if (options->gss_authentication == -1) 2381 if (options->gss_authentication == -1)
2440 options->gss_authentication = 0; 2382 options->gss_authentication = 0;
@@ -2449,10 +2391,10 @@ index b7f3294..cb3c831 100644
2449 if (options->password_authentication == -1) 2391 if (options->password_authentication == -1)
2450 options->password_authentication = 1; 2392 options->password_authentication = 1;
2451 if (options->kbd_interactive_authentication == -1) 2393 if (options->kbd_interactive_authentication == -1)
2452@@ -352,7 +361,9 @@ typedef enum { 2394@@ -391,7 +400,9 @@ typedef enum {
2453 sBanner, sUseDNS, sHostbasedAuthentication, 2395 sBanner, sUseDNS, sHostbasedAuthentication,
2454 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2396 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
2455 sClientAliveCountMax, sAuthorizedKeysFile, 2397 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2456- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 2398- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
2457+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2399+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
2458+ sGssKeyEx, sGssStoreRekey, 2400+ sGssKeyEx, sGssStoreRekey,
@@ -2460,7 +2402,7 @@ index b7f3294..cb3c831 100644
2460 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2402 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2461 sUsePrivilegeSeparation, sAllowAgentForwarding, 2403 sUsePrivilegeSeparation, sAllowAgentForwarding,
2462 sHostCertificate, 2404 sHostCertificate,
2463@@ -421,10 +432,20 @@ static struct { 2405@@ -462,10 +473,20 @@ static struct {
2464 #ifdef GSSAPI 2406 #ifdef GSSAPI
2465 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2407 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2466 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2408 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2481,7 +2423,7 @@ index b7f3294..cb3c831 100644
2481 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2423 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2482 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2424 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2483 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2425 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2484@@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, 2426@@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line,
2485 intptr = &options->gss_authentication; 2427 intptr = &options->gss_authentication;
2486 goto parse_flag; 2428 goto parse_flag;
2487 2429
@@ -2504,7 +2446,7 @@ index b7f3294..cb3c831 100644
2504 case sPasswordAuthentication: 2446 case sPasswordAuthentication:
2505 intptr = &options->password_authentication; 2447 intptr = &options->password_authentication;
2506 goto parse_flag; 2448 goto parse_flag;
2507@@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) 2449@@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o)
2508 #endif 2450 #endif
2509 #ifdef GSSAPI 2451 #ifdef GSSAPI
2510 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2452 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2516,10 +2458,10 @@ index b7f3294..cb3c831 100644
2516 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2458 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2517 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2459 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2518diff --git a/servconf.h b/servconf.h 2460diff --git a/servconf.h b/servconf.h
2519index 766db3a..f8265a8 100644 2461index 9922f0c..d2ed4d7 100644
2520--- a/servconf.h 2462--- a/servconf.h
2521+++ b/servconf.h 2463+++ b/servconf.h
2522@@ -113,7 +113,10 @@ typedef struct { 2464@@ -115,7 +115,10 @@ typedef struct {
2523 int kerberos_get_afs_token; /* If true, try to get AFS token if 2465 int kerberos_get_afs_token; /* If true, try to get AFS token if
2524 * authenticated with Kerberos. */ 2466 * authenticated with Kerberos. */
2525 int gss_authentication; /* If true, permit GSSAPI authentication */ 2467 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2647,10 +2589,10 @@ index 03a228f..228e5ab 100644
2647 # CheckHostIP yes 2589 # CheckHostIP yes
2648 # AddressFamily any 2590 # AddressFamily any
2649diff --git a/ssh_config.5 b/ssh_config.5 2591diff --git a/ssh_config.5 b/ssh_config.5
2650index f9ede7a..e6649ac 100644 2592index 140d0ba..4476171 100644
2651--- a/ssh_config.5 2593--- a/ssh_config.5
2652+++ b/ssh_config.5 2594+++ b/ssh_config.5
2653@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. 2595@@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2654 The default is 2596 The default is
2655 .Dq no . 2597 .Dq no .
2656 Note that this option applies to protocol version 2 only. 2598 Note that this option applies to protocol version 2 only.
@@ -2696,12 +2638,12 @@ index f9ede7a..e6649ac 100644
2696 Indicates that 2638 Indicates that
2697 .Xr ssh 1 2639 .Xr ssh 1
2698diff --git a/sshconnect2.c b/sshconnect2.c 2640diff --git a/sshconnect2.c b/sshconnect2.c
2699index 68f7f4f..7b478f1 100644 2641index ba56f64..faa8ec5 100644
2700--- a/sshconnect2.c 2642--- a/sshconnect2.c
2701+++ b/sshconnect2.c 2643+++ b/sshconnect2.c
2702@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2644@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2703 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; 2645 struct kex *kex;
2704 Kex *kex; 2646 int r;
2705 2647
2706+#ifdef GSSAPI 2648+#ifdef GSSAPI
2707+ char *orig = NULL, *gss = NULL; 2649+ char *orig = NULL, *gss = NULL;
@@ -2734,7 +2676,7 @@ index 68f7f4f..7b478f1 100644
2734 if (options.ciphers == (char *)-1) { 2676 if (options.ciphers == (char *)-1) {
2735 logit("No valid ciphers for protocol version 2 given, using defaults."); 2677 logit("No valid ciphers for protocol version 2 given, using defaults.");
2736 options.ciphers = NULL; 2678 options.ciphers = NULL;
2737@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2679@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2738 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( 2680 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
2739 myproposal[PROPOSAL_KEX_ALGS]); 2681 myproposal[PROPOSAL_KEX_ALGS]);
2740 2682
@@ -2752,8 +2694,8 @@ index 68f7f4f..7b478f1 100644
2752 if (options.rekey_limit || options.rekey_interval) 2694 if (options.rekey_limit || options.rekey_interval)
2753 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2695 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2754 (time_t)options.rekey_interval); 2696 (time_t)options.rekey_interval);
2755@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2697@@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2756 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2698 # endif
2757 #endif 2699 #endif
2758 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2700 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
2759+#ifdef GSSAPI 2701+#ifdef GSSAPI
@@ -2780,18 +2722,18 @@ index 68f7f4f..7b478f1 100644
2780+ } 2722+ }
2781+#endif 2723+#endif
2782+ 2724+
2783 xxx_kex = kex; 2725 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
2784 2726
2785 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2727 if (options.use_roaming && !kex->roaming) {
2786@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); 2728@@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
2787 void input_gssapi_hash(int type, u_int32_t, void *); 2729 int input_gssapi_hash(int type, u_int32_t, void *);
2788 void input_gssapi_error(int, u_int32_t, void *); 2730 int input_gssapi_error(int, u_int32_t, void *);
2789 void input_gssapi_errtok(int, u_int32_t, void *); 2731 int input_gssapi_errtok(int, u_int32_t, void *);
2790+int userauth_gsskeyex(Authctxt *authctxt); 2732+int userauth_gsskeyex(Authctxt *authctxt);
2791 #endif 2733 #endif
2792 2734
2793 void userauth(Authctxt *, char *); 2735 void userauth(Authctxt *, char *);
2794@@ -321,6 +378,11 @@ static char *authmethods_get(void); 2736@@ -328,6 +385,11 @@ static char *authmethods_get(void);
2795 2737
2796 Authmethod authmethods[] = { 2738 Authmethod authmethods[] = {
2797 #ifdef GSSAPI 2739 #ifdef GSSAPI
@@ -2803,7 +2745,7 @@ index 68f7f4f..7b478f1 100644
2803 {"gssapi-with-mic", 2745 {"gssapi-with-mic",
2804 userauth_gssapi, 2746 userauth_gssapi,
2805 NULL, 2747 NULL,
2806@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) 2748@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt)
2807 static u_int mech = 0; 2749 static u_int mech = 0;
2808 OM_uint32 min; 2750 OM_uint32 min;
2809 int ok = 0; 2751 int ok = 0;
@@ -2837,7 +2779,7 @@ index 68f7f4f..7b478f1 100644
2837 ok = 1; /* Mechanism works */ 2779 ok = 1; /* Mechanism works */
2838 } else { 2780 } else {
2839 mech++; 2781 mech++;
2840@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2782@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2841 { 2783 {
2842 Authctxt *authctxt = ctxt; 2784 Authctxt *authctxt = ctxt;
2843 Gssctxt *gssctxt; 2785 Gssctxt *gssctxt;
@@ -2848,9 +2790,9 @@ index 68f7f4f..7b478f1 100644
2848 2790
2849 if (authctxt == NULL) 2791 if (authctxt == NULL)
2850 fatal("input_gssapi_response: no authentication context"); 2792 fatal("input_gssapi_response: no authentication context");
2851@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2793@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2852 free(msg);
2853 free(lang); 2794 free(lang);
2795 return 0;
2854 } 2796 }
2855+ 2797+
2856+int 2798+int
@@ -2898,12 +2840,12 @@ index 68f7f4f..7b478f1 100644
2898 2840
2899 int 2841 int
2900diff --git a/sshd.c b/sshd.c 2842diff --git a/sshd.c b/sshd.c
2901index 481d001..e6706a8 100644 2843index e1c767c..cf38bae 100644
2902--- a/sshd.c 2844--- a/sshd.c
2903+++ b/sshd.c 2845+++ b/sshd.c
2904@@ -123,6 +123,10 @@ 2846@@ -125,6 +125,10 @@
2905 #include "ssh-sandbox.h"
2906 #include "version.h" 2847 #include "version.h"
2848 #include "ssherr.h"
2907 2849
2908+#ifdef USE_SECURITY_SESSION_API 2850+#ifdef USE_SECURITY_SESSION_API
2909+#include <Security/AuthSession.h> 2851+#include <Security/AuthSession.h>
@@ -2912,7 +2854,7 @@ index 481d001..e6706a8 100644
2912 #ifndef O_NOCTTY 2854 #ifndef O_NOCTTY
2913 #define O_NOCTTY 0 2855 #define O_NOCTTY 0
2914 #endif 2856 #endif
2915@@ -1745,10 +1749,13 @@ main(int ac, char **av) 2857@@ -1815,10 +1819,13 @@ main(int ac, char **av)
2916 logit("Disabling protocol version 1. Could not load host key"); 2858 logit("Disabling protocol version 1. Could not load host key");
2917 options.protocol &= ~SSH_PROTO_1; 2859 options.protocol &= ~SSH_PROTO_1;
2918 } 2860 }
@@ -2926,7 +2868,7 @@ index 481d001..e6706a8 100644
2926 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2868 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2927 logit("sshd: no hostkeys available -- exiting."); 2869 logit("sshd: no hostkeys available -- exiting.");
2928 exit(1); 2870 exit(1);
2929@@ -2060,6 +2067,60 @@ main(int ac, char **av) 2871@@ -2132,6 +2139,60 @@ main(int ac, char **av)
2930 remote_ip, remote_port, 2872 remote_ip, remote_port,
2931 get_local_ipaddr(sock_in), get_local_port()); 2873 get_local_ipaddr(sock_in), get_local_port());
2932 2874
@@ -2987,7 +2929,7 @@ index 481d001..e6706a8 100644
2987 /* 2929 /*
2988 * We don't want to listen forever unless the other side 2930 * We don't want to listen forever unless the other side
2989 * successfully authenticates itself. So we set up an alarm which is 2931 * successfully authenticates itself. So we set up an alarm which is
2990@@ -2482,6 +2543,48 @@ do_ssh2_kex(void) 2932@@ -2561,6 +2622,48 @@ do_ssh2_kex(void)
2991 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2933 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2992 list_hostkey_types()); 2934 list_hostkey_types());
2993 2935
@@ -3034,10 +2976,10 @@ index 481d001..e6706a8 100644
3034+#endif 2976+#endif
3035+ 2977+
3036 /* start key exchange */ 2978 /* start key exchange */
3037 kex = kex_setup(myproposal); 2979 if ((r = kex_setup(active_state, myproposal)) != 0)
3038 #ifdef WITH_OPENSSL 2980 fatal("kex_setup: %s", ssh_err(r));
3039@@ -2492,6 +2595,13 @@ do_ssh2_kex(void) 2981@@ -2575,6 +2678,13 @@ do_ssh2_kex(void)
3040 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2982 # endif
3041 #endif 2983 #endif
3042 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2984 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
3043+#ifdef GSSAPI 2985+#ifdef GSSAPI
@@ -3051,7 +2993,7 @@ index 481d001..e6706a8 100644
3051 kex->client_version_string=client_version_string; 2993 kex->client_version_string=client_version_string;
3052 kex->server_version_string=server_version_string; 2994 kex->server_version_string=server_version_string;
3053diff --git a/sshd_config b/sshd_config 2995diff --git a/sshd_config b/sshd_config
3054index e9045bc..d9b8594 100644 2996index c9042ac..a71ad19 100644
3055--- a/sshd_config 2997--- a/sshd_config
3056+++ b/sshd_config 2998+++ b/sshd_config
3057@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys 2999@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -3064,10 +3006,10 @@ index e9045bc..d9b8594 100644
3064 # Set this to 'yes' to enable PAM authentication, account processing, 3006 # Set this to 'yes' to enable PAM authentication, account processing,
3065 # and session processing. If this is enabled, PAM authentication will 3007 # and session processing. If this is enabled, PAM authentication will
3066diff --git a/sshd_config.5 b/sshd_config.5 3008diff --git a/sshd_config.5 b/sshd_config.5
3067index fd44abe..c8b43da 100644 3009index 6dce0c7..0331496 100644
3068--- a/sshd_config.5 3010--- a/sshd_config.5
3069+++ b/sshd_config.5 3011+++ b/sshd_config.5
3070@@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. 3012@@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
3071 The default is 3013 The default is
3072 .Dq no . 3014 .Dq no .
3073 Note that this option applies to protocol version 2 only. 3015 Note that this option applies to protocol version 2 only.
@@ -3105,14 +3047,14 @@ index fd44abe..c8b43da 100644
3105+successful connection rekeying. This option can be used to accepted renewed 3047+successful connection rekeying. This option can be used to accepted renewed
3106+or updated credentials from a compatible client. The default is 3048+or updated credentials from a compatible client. The default is
3107+.Dq no . 3049+.Dq no .
3108 .It Cm HostbasedAuthentication 3050 .It Cm HostbasedAcceptedKeyTypes
3109 Specifies whether rhosts or /etc/hosts.equiv authentication together 3051 Specifies the key types that will be accepted for hostbased authentication
3110 with successful public key client host authentication is allowed 3052 as a comma-separated pattern list.
3111diff --git a/sshkey.c b/sshkey.c 3053diff --git a/sshkey.c b/sshkey.c
3112index fdd0c8a..1a96eae 100644 3054index 4768790..cd5992e 100644
3113--- a/sshkey.c 3055--- a/sshkey.c
3114+++ b/sshkey.c 3056+++ b/sshkey.c
3115@@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { 3057@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
3116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 3058 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
3117 KEY_DSA_CERT_V00, 0, 1 }, 3059 KEY_DSA_CERT_V00, 0, 1 },
3118 #endif /* WITH_OPENSSL */ 3060 #endif /* WITH_OPENSSL */
@@ -3120,7 +3062,7 @@ index fdd0c8a..1a96eae 100644
3120 { NULL, NULL, -1, -1, 0 } 3062 { NULL, NULL, -1, -1, 0 }
3121 }; 3063 };
3122 3064
3123@@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) 3065@@ -204,7 +205,7 @@ key_alg_list(int certs_only, int plain_only)
3124 const struct keytype *kt; 3066 const struct keytype *kt;
3125 3067
3126 for (kt = keytypes; kt->type != -1; kt++) { 3068 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3130,7 +3072,7 @@ index fdd0c8a..1a96eae 100644
3130 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3072 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3131 continue; 3073 continue;
3132diff --git a/sshkey.h b/sshkey.h 3074diff --git a/sshkey.h b/sshkey.h
3133index 450b30c..b573e7f 100644 3075index 62c1c3e..9314e85 100644
3134--- a/sshkey.h 3076--- a/sshkey.h
3135+++ b/sshkey.h 3077+++ b/sshkey.h
3136@@ -64,6 +64,7 @@ enum sshkey_types { 3078@@ -64,6 +64,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index de43f2a80..6ea643210 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From aca34215fc0e85d6b49e04f0a3cd0db79732125e Mon Sep 17 00:00:00 2001 1From 9a440da8025dbc120803ee09c2a7ac8c638d31c2 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch
12 1 file changed, 1 insertion(+), 1 deletion(-) 12 1 file changed, 1 insertion(+), 1 deletion(-)
13 13
14diff --git a/serverloop.c b/serverloop.c 14diff --git a/serverloop.c b/serverloop.c
15index e92f9e2..813e5bf 100644 15index 306ac36..68f0251 100644
16--- a/serverloop.c 16--- a/serverloop.c
17+++ b/serverloop.c 17+++ b/serverloop.c
18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 15acabc0e..0adfbd2b5 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From bd3abc2f732da3a61e4158b915480808957a4357 Mon Sep 17 00:00:00 2001 1From 7efad61f1e562f504a5ff3fb0ae90ac05a208e66 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2014-10-07 19Last-Update: 2015-08-19
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index bc879eb..337818c 100644 29index 278fe15..1d2d596 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -153,6 +153,7 @@ typedef enum { 32@@ -159,6 +159,7 @@ typedef enum {
33 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
34 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, 33 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
35 oStreamLocalBindMask, oStreamLocalBindUnlink, 34 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
35 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -278,6 +279,8 @@ static struct { 40@@ -288,6 +289,8 @@ static struct {
41 { "streamlocalbindmask", oStreamLocalBindMask }, 41 { "updatehostkeys", oUpdateHostkeys },
42 { "streamlocalbindunlink", oStreamLocalBindUnlink }, 42 { "hostbasedkeytypes", oHostbasedKeyTypes },
43 { "ignoreunknown", oIgnoreUnknown }, 43 { "ignoreunknown", oIgnoreUnknown },
44+ { "protocolkeepalives", oProtocolKeepAlives }, 44+ { "protocolkeepalives", oProtocolKeepAlives },
45+ { "setuptimeout", oSetupTimeOut }, 45+ { "setuptimeout", oSetupTimeOut },
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1271,6 +1274,8 @@ parse_int: 49@@ -1299,6 +1302,8 @@ parse_int:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index bc879eb..337818c 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -1791,8 +1796,13 @@ fill_default_options(Options * options) 58@@ -1858,8 +1863,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index bc879eb..337818c 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 01f1f7f..ea92ea8 100644 75index dd35dd8..250c0d1 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -205,8 +205,12 @@ Valid arguments are 78@@ -233,8 +233,12 @@ Valid arguments are
79 If set to 79 If set to
80 .Dq yes , 80 .Dq yes ,
81 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index 01f1f7f..ea92ea8 100644
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Dq yes
91 or 91 or
92@@ -1336,8 +1340,15 @@ from the server, 92@@ -1420,8 +1424,15 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -106,7 +106,7 @@ index 01f1f7f..ea92ea8 100644
106 .It Cm StreamLocalBindMask 106 .It Cm StreamLocalBindMask
107 Sets the octal file creation mode mask 107 Sets the octal file creation mode mask
108 .Pq umask 108 .Pq umask
109@@ -1403,6 +1414,12 @@ Specifies whether the system should send TCP keepalive messages to the 109@@ -1487,6 +1498,12 @@ Specifies whether the system should send TCP keepalive messages to the
110 other side. 110 other side.
111 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
112 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 01f1f7f..ea92ea8 100644
120 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
121 find it annoying. 121 find it annoying.
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index c8b43da..2843048 100644 123index 0331496..d14576e 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -1307,6 +1307,9 @@ This avoids infinitely hanging sessions. 126@@ -1392,6 +1392,9 @@ This avoids infinitely hanging sessions.
127 .Pp 127 .Pp
128 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
129 .Dq no . 129 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 81b924e35..7aa035726 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
1From 248d3bb8de371b55aaf3a8f544c15f3a25eb7339 Mon Sep 17 00:00:00 2001 1From 90fc009420a03c598d6f003df5466191ab4d12b2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:08 +0000 3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Subject: Fix picky lintian errors about slogin symlinks 4Subject: Fix picky lintian errors about slogin symlinks
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch
15 1 file changed, 2 insertions(+), 2 deletions(-) 15 1 file changed, 2 insertions(+), 2 deletions(-)
16 16
17diff --git a/Makefile.in b/Makefile.in 17diff --git a/Makefile.in b/Makefile.in
18index a4402e9..4eab574 100644 18index 37cb023..f52f903 100644
19--- a/Makefile.in 19--- a/Makefile.in
20+++ b/Makefile.in 20+++ b/Makefile.in
21@@ -315,9 +315,9 @@ install-files: 21@@ -331,9 +331,9 @@ install-files:
22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
24 -rm -f $(DESTDIR)$(bindir)/slogin 24 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index f90c7e2b1..127ed9f9e 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 064453886f4c3d8ac0b0c8d015ad614c8bce3b42 Mon Sep 17 00:00:00 2001 1From aedcf9cb37f512b929ce895ba1fccc9ca39166b0 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 6 insertions(+), 1 deletion(-) 13 1 file changed, 6 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index 26116d2..ab83d0c 100644 16index 0073c6e..6065dff 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -1066,9 +1066,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1078,9 +1078,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
20 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
21 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
22 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index 26116d2..ab83d0c 100644
30 } 30 }
31 /* The host key has changed. */ 31 /* The host key has changed. */
32 warn_changed_key(host_key); 32 warn_changed_key(host_key);
33@@ -1076,6 +1079,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 33@@ -1088,6 +1091,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
34 user_hostfiles[0]); 34 user_hostfiles[0]);
35 error("Offending %s key in %s:%lu", key_type(host_found->key), 35 error("Offending %s key in %s:%lu", key_type(host_found->key),
36 host_found->file, host_found->line); 36 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index dfcef83b0..f4d8bca66 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001 1From 6b85aa42144010401906754b98f9876651669163 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
@@ -23,10 +23,10 @@ Patch-Name: no-openssl-version-status.patch
23 2 files changed, 4 insertions(+), 3 deletions(-) 23 2 files changed, 4 insertions(+), 3 deletions(-)
24 24
25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c 25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
26index 36570e4..defd5fb 100644 26index 63a660c..3f62403 100644
27--- a/openbsd-compat/openssl-compat.c 27--- a/openbsd-compat/openssl-compat.c
28+++ b/openbsd-compat/openssl-compat.c 28+++ b/openbsd-compat/openssl-compat.c
29@@ -34,7 +34,7 @@ 29@@ -36,7 +36,7 @@
30 /* 30 /*
31 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status 31 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
32 * We match major, minor, fix and status (not patch) for <1.0.0. 32 * We match major, minor, fix and status (not patch) for <1.0.0.
@@ -35,7 +35,7 @@ index 36570e4..defd5fb 100644
35 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed 35 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
36 * within a patch series. 36 * within a patch series.
37 */ 37 */
38@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) 38@@ -57,10 +57,10 @@ ssh_compatible_openssl(long headerver, long libver)
39 } 39 }
40 40
41 /* 41 /*
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 37ad675d4..f5b96f4a1 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 0b9407d3023938b02bccf7dd1874a871d0cc8eb5 Mon Sep 17 00:00:00 2001 1From 96c2797aaa79d687e75dc56f40f7102131d87fb1 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 723a016..79b948c 100644 47index 9b93666..19bed1e 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -172,9 +172,7 @@ key in 50@@ -174,9 +174,7 @@ key in
51 .Pa ~/.ssh/id_ed25519 51 .Pa ~/.ssh/id_ed25519
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 723a016..79b948c 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) 61@@ -223,9 +221,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
62 for which host keys 62 for which host keys
63 do not exist, generate the host keys with the default key file path, 63 do not exist, generate the host keys with the default key file path,
64 an empty passphrase, default bits for the key type, and default comment. 64 an empty passphrase, default bits for the key type, and default comment.
@@ -69,7 +69,7 @@ index 723a016..79b948c 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
71 2 key when the 71 2 key when the
72@@ -628,7 +624,7 @@ option. 72@@ -638,7 +634,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 723a016..79b948c 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -827,7 +823,7 @@ on all machines 81@@ -837,7 +833,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 723a016..79b948c 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 7f6ab77..de178cd 100644 91index 53c711a..04de6cf 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -753,6 +753,10 @@ Protocol 1 is restricted to using only RSA keys, 94@@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys,
95 but protocol 2 may use any. 95 but protocol 2 may use any.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index 7f6ab77..de178cd 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index eaeac45..3538208 100644 106index fc2154c..8dba6cf 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -67,7 +67,7 @@ over an insecure network. 109@@ -67,7 +67,7 @@ over an insecure network.
@@ -133,10 +133,10 @@ index eaeac45..3538208 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 58997d3..7396b23 100644 136index ec58635..453d741 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -303,8 +303,7 @@ This option is only available for protocol version 2. 139@@ -322,8 +322,7 @@ This option is only available for protocol version 2.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 07a28af9a..11674a915 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 8679c96f74ee7dbea6c15c764b036fbab7372740 Mon Sep 17 00:00:00 2001 1From 9f6aded97671ee8b9164f0524b3ac622d827dcde Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index ab83d0c..563405e 100644 22index 6065dff..a6c9e20 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -521,10 +521,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1)
26 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
27 if (compat20) { 27 if (compat20) {
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,10 +36,10 @@ index ab83d0c..563405e 100644
36 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (roaming_atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 48a14dd..1710e71 100644 39index 3b4e97c..c362209 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
43 } 43 }
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,11 +49,11 @@ index 48a14dd..1710e71 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index cc8a079..0fee7c3 100644 52index dfe3ee9..94569ac 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_6.7" 56 #define SSH_VERSION "OpenSSH_6.8"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 6d9a2f9c0..ff16b9850 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From dc028c5992b4b14cca380b6ad2115fcc6907a8b7 Mon Sep 17 00:00:00 2001 1From 34592a434851697537873eed1eb83ba0a640c5c8 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index 046ca8b..0180774 100644 25index 156a196..45cef88 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1705,8 +1705,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1707,8 +1707,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0; 29 exit_status = 0;
30 } 30 }
31 31
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index c590f52ce..c9da26f7d 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001 1From 7df209aed8ded9a6cab34e704576998786bdc890 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 90e81e1..7f160f1 100644 31index 216a9fd..5f606ea 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey], 34@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,7 +94,7 @@ index 90e81e1..7f160f1 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -4920,6 +4976,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
@@ -103,7 +103,7 @@ index 90e81e1..7f160f1 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " Solaris process contract support: $SPC_MSG" 104 echo " Solaris process contract support: $SPC_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 01459d6..eaeac45 100644 106index 3c53f7c..fc2154c 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -851,6 +851,12 @@ the user's home directory becomes accessible. 109@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
@@ -128,10 +128,10 @@ index 01459d6..eaeac45 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index e6706a8..3a6be65 100644 131index cf38bae..9cbe8c4 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -129,6 +129,13 @@
135 #include <Security/AuthSession.h> 135 #include <Security/AuthSession.h>
136 #endif 136 #endif
137 137
@@ -145,7 +145,7 @@ index e6706a8..3a6be65 100644
145 #ifndef O_NOCTTY 145 #ifndef O_NOCTTY
146 #define O_NOCTTY 0 146 #define O_NOCTTY 0
147 #endif 147 #endif
148@@ -2061,6 +2068,24 @@ main(int ac, char **av) 148@@ -2133,6 +2140,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index ee006da93..52e709112 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From fd174c13c46191abdb33c0a45545573a8e06b061 Mon Sep 17 00:00:00 2001 1From 4f55e60d2296feba17b473b2146a75debe29993a Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 1ec3b70..a1b318b 100644 20index 887b014..afa4a2f 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a) 23@@ -190,8 +190,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 1fa0bf928..da53671e3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001 1From b9e97e15e25e4c836cb550213e3ee59b19096f9d Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
9 9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11Bug-Debian: http://bugs.debian.org/394795 11Bug-Debian: http://bugs.debian.org/394795
12Last-Update: 2013-09-14 12Last-Update: 2015-08-19
13 13
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
@@ -32,10 +32,10 @@ Patch-Name: selinux-role.patch
32 16 files changed, 104 insertions(+), 31 deletions(-) 32 16 files changed, 104 insertions(+), 31 deletions(-)
33 33
34diff --git a/auth.h b/auth.h 34diff --git a/auth.h b/auth.h
35index d081c94..f099e98 100644 35index db86037..4985cd8 100644
36--- a/auth.h 36--- a/auth.h
37+++ b/auth.h 37+++ b/auth.h
38@@ -59,6 +59,7 @@ struct Authctxt { 38@@ -62,6 +62,7 @@ struct Authctxt {
39 char *service; 39 char *service;
40 struct passwd *pw; /* set if 'valid' */ 40 struct passwd *pw; /* set if 'valid' */
41 char *style; 41 char *style;
@@ -44,10 +44,10 @@ index d081c94..f099e98 100644
44 char *info; /* Extra info for next auth_log */ 44 char *info; /* Extra info for next auth_log */
45 #ifdef BSD_AUTH 45 #ifdef BSD_AUTH
46diff --git a/auth1.c b/auth1.c 46diff --git a/auth1.c b/auth1.c
47index 5038828..52b17db 100644 47index 5073c49..dd00648 100644
48--- a/auth1.c 48--- a/auth1.c
49+++ b/auth1.c 49+++ b/auth1.c
50@@ -381,7 +381,7 @@ void 50@@ -383,7 +383,7 @@ void
51 do_authentication(Authctxt *authctxt) 51 do_authentication(Authctxt *authctxt)
52 { 52 {
53 u_int ulen; 53 u_int ulen;
@@ -56,7 +56,7 @@ index 5038828..52b17db 100644
56 56
57 /* Get the name of the user that we wish to log in as. */ 57 /* Get the name of the user that we wish to log in as. */
58 packet_read_expect(SSH_CMSG_USER); 58 packet_read_expect(SSH_CMSG_USER);
59@@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt) 59@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
60 user = packet_get_cstring(&ulen); 60 user = packet_get_cstring(&ulen);
61 packet_check_eom(); 61 packet_check_eom();
62 62
@@ -75,10 +75,10 @@ index 5038828..52b17db 100644
75 /* Verify that the user is a valid user. */ 75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 77diff --git a/auth2.c b/auth2.c
78index 2f0d565..fa1a588 100644 78index 3f49bdc..6eb3cc7 100644
79--- a/auth2.c 79--- a/auth2.c
80+++ b/auth2.c 80+++ b/auth2.c
81@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
82 { 82 {
83 Authctxt *authctxt = ctxt; 83 Authctxt *authctxt = ctxt;
84 Authmethod *m = NULL; 84 Authmethod *m = NULL;
@@ -87,7 +87,7 @@ index 2f0d565..fa1a588 100644
87 int authenticated = 0; 87 int authenticated = 0;
88 88
89 if (authctxt == NULL) 89 if (authctxt == NULL)
90@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 90@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
91 debug("userauth-request for user %s service %s method %s", user, service, method); 91 debug("userauth-request for user %s service %s method %s", user, service, method);
92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
93 93
@@ -101,7 +101,7 @@ index 2f0d565..fa1a588 100644
101 101
102 if (authctxt->attempt++ == 0) { 102 if (authctxt->attempt++ == 0) {
103 /* setup auth context */ 103 /* setup auth context */
104@@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 104@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
105 use_privsep ? " [net]" : ""); 105 use_privsep ? " [net]" : "");
106 authctxt->service = xstrdup(service); 106 authctxt->service = xstrdup(service);
107 authctxt->style = style ? xstrdup(style) : NULL; 107 authctxt->style = style ? xstrdup(style) : NULL;
@@ -113,10 +113,10 @@ index 2f0d565..fa1a588 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index b0896ef..94b194d 100644 116index a2027e5..6ff05e4 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index b0896ef..94b194d 100644
124 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = { 127@@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index b0896ef..94b194d 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 134 #ifdef USE_PAM
135@@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 135@@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 136 else {
137 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index b0896ef..94b194d 100644
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 141 }
142 #ifdef USE_PAM 142 #ifdef USE_PAM
143@@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m) 143@@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 144
145 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index b0896ef..94b194d 100644
180 return (0); 180 return (0);
181 } 181 }
182 182
183@@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m) 183@@ -1540,7 +1566,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 185 if (res == 0)
186 goto error; 186 goto error;
@@ -190,7 +190,7 @@ index b0896ef..94b194d 100644
190 buffer_put_int(m, 1); 190 buffer_put_int(m, 1);
191 buffer_put_cstring(m, s->tty); 191 buffer_put_cstring(m, s->tty);
192diff --git a/monitor.h b/monitor.h 192diff --git a/monitor.h b/monitor.h
193index 7f32b0c..4d5e8fa 100644 193index bc50ade..2d82b8b 100644
194--- a/monitor.h 194--- a/monitor.h
195+++ b/monitor.h 195+++ b/monitor.h
196@@ -68,6 +68,8 @@ enum monitor_reqtype { 196@@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644
203 203
204 struct mm_master; 204 struct mm_master;
205diff --git a/monitor_wrap.c b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
206index e476f0d..6dc890a 100644 206index b667218..5aa9c47 100644
207--- a/monitor_wrap.c 207--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
209@@ -324,10 +324,10 @@ mm_auth2_read_banner(void) 209@@ -329,10 +329,10 @@ mm_auth2_read_banner(void)
210 return (banner); 210 return (banner);
211 } 211 }
212 212
@@ -219,7 +219,7 @@ index e476f0d..6dc890a 100644
219 { 219 {
220 Buffer m; 220 Buffer m;
221 221
222@@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style) 222@@ -341,12 +341,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 223 buffer_init(&m);
224 buffer_put_cstring(&m, service); 224 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 225 buffer_put_cstring(&m, style ? style : "");
@@ -251,13 +251,13 @@ index e476f0d..6dc890a 100644
251 int 251 int
252 mm_auth_password(Authctxt *authctxt, char *password) 252 mm_auth_password(Authctxt *authctxt, char *password)
253diff --git a/monitor_wrap.h b/monitor_wrap.h 253diff --git a/monitor_wrap.h b/monitor_wrap.h
254index a4e9d24..9c2ee49 100644 254index 0c770e8..4d1e899 100644
255--- a/monitor_wrap.h 255--- a/monitor_wrap.h
256+++ b/monitor_wrap.h 256+++ b/monitor_wrap.h
257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
258 int mm_is_monitor(void); 258 int mm_is_monitor(void);
259 DH *mm_choose_dh(int, int, int); 259 DH *mm_choose_dh(int, int, int);
260 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 260 int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
261-void mm_inform_authserv(char *, char *); 261-void mm_inform_authserv(char *, char *);
262+void mm_inform_authserv(char *, char *, char *); 262+void mm_inform_authserv(char *, char *, char *);
263+void mm_inform_authrole(char *); 263+void mm_inform_authrole(char *);
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index 3e96557..6f389ac 100644 399index 54bac36..d4b7725 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -408,7 +408,7 @@ index 3e96557..6f389ac 100644
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 #ifdef USE_LIBIAF 410 #ifdef USE_LIBIAF
411@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
@@ -417,7 +417,7 @@ index 3e96557..6f389ac 100644
417 417
418 if (options.chroot_directory != NULL && 418 if (options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command) 420@@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 3e96557..6f389ac 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) 429@@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index 3e96557..6f389ac 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2114,7 +2114,7 @@ session_pty_req(Session *s) 438@@ -2115,7 +2115,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index 3a6be65..48a14dd 100644 461index 9cbe8c4..3b4e97c 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
@@ -471,7 +471,7 @@ index 3a6be65..48a14dd 100644
471 skip: 471 skip:
472 /* It is safe now to apply the key state */ 472 /* It is safe now to apply the key state */
473diff --git a/sshpty.c b/sshpty.c 473diff --git a/sshpty.c b/sshpty.c
474index a2059b7..3512ec8 100644 474index d2ff8c1..f7b1f6d 100644
475--- a/sshpty.c 475--- a/sshpty.c
476+++ b/sshpty.c 476+++ b/sshpty.c
477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -483,7 +483,7 @@ index a2059b7..3512ec8 100644
483 { 483 {
484 struct group *grp; 484 struct group *grp;
485 gid_t gid; 485 gid_t gid;
486@@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty) 486@@ -209,7 +209,7 @@ pty_setowner(struct passwd *pw, const char *tty)
487 strerror(errno)); 487 strerror(errno));
488 488
489 #ifdef WITH_SELINUX 489 #ifdef WITH_SELINUX
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 07e20f03d..549ef38dd 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 66377fbb52584b41bd7f6f19116107fbbad41058 Mon Sep 17 00:00:00 2001 1From 8a8bbc66b8eefd7c679d5769f087209188deafe7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index ac09eae..26116d2 100644 19index 9e51506..0073c6e 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -228,7 +228,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index ac09eae..26116d2 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1416,7 +1416,7 @@ ssh_local_cmd(const char *args) 31@@ -1470,7 +1470,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 1eaa7758b..80e775dc1 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 689f465c66059e527974c6d4ea8e95f04d5abab7 Mon Sep 17 00:00:00 2001 1From a8e779107942d044d281461c609ec29129dec51e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 87331c1..23d5a64 100644 16index 5435968..f8db3ae 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -1958,6 +1958,16 @@ main(int ac, char **av) 19@@ -2030,6 +2030,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 9c3ddc86e..b382252a3 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 Mon Sep 17 00:00:00 2001 1From 101d1dd7f95d75f1862c541a5b8d4032d4623d53 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index a1e634f..f2c4080 100644 16index 6759afe..25de326 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -172,6 +172,21 @@ environment variable holds the agent's process ID. 19@@ -181,6 +181,21 @@ environment variable holds the agent's process ID.
20 .Pp 20 .Pp
21 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
22 line terminates. 22 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 0ccf7c42b..0fe3b6da4 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From cbd5cb03866f6df50c82d26588b73135d05bf245 Mon Sep 17 00:00:00 2001 1From fac628fd57d3d357b86d77987f896d6289240345 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index de178cd..2606b15 100644 21index 04de6cf..c8892fe 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1458,6 +1458,7 @@ if an error occurred. 24@@ -1471,6 +1471,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 427ee6be1..28b98f527 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From e6836d7c98c75d3252de56c2f3ea07e12c817e00 Mon Sep 17 00:00:00 2001 1From d027dea6b4b659a7ad537e452db563763302eabd Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 9127e93..bc879eb 100644 20index 254dbce..278fe15 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -174,6 +174,7 @@ static struct { 23@@ -180,6 +180,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "passwordauthentication", oPasswordAuthentication },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 9127e93..bc879eb 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index cb3c831..a252487 100644 32index f68c0d0..b3a2841 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -462,6 +462,7 @@ static struct { 35@@ -503,6 +503,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 2e5fa306d..e6bc72440 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
1From cbbc8577950b93090171c7394bcdeb68b7c3cd0c Mon Sep 17 00:00:00 2001 1From 396f7d932b391fc92ac7ccdf8813f49564e2bbab Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:51 +0000 3Date: Sun, 9 Feb 2014 16:09:51 +0000
4Subject: Partial server keep-alive implementation for SSH1 4Subject: Partial server keep-alive implementation for SSH1
@@ -13,10 +13,10 @@ Patch-Name: ssh1-keepalive.patch
13 2 files changed, 19 insertions(+), 11 deletions(-) 13 2 files changed, 19 insertions(+), 11 deletions(-)
14 14
15diff --git a/clientloop.c b/clientloop.c 15diff --git a/clientloop.c b/clientloop.c
16index f9175e3..046ca8b 100644 16index 7df9413..156a196 100644
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) 19@@ -564,16 +564,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
20 static void 20 static void
21 server_alive_check(void) 21 server_alive_check(void)
22 { 22 {
@@ -47,7 +47,7 @@ index f9175e3..046ca8b 100644
47 } 47 }
48 48
49 /* 49 /*
50@@ -634,7 +639,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, 50@@ -635,7 +640,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
51 */ 51 */
52 52
53 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 53 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -57,10 +57,10 @@ index f9175e3..046ca8b 100644
57 server_alive_time = now + options.server_alive_interval; 57 server_alive_time = now + options.server_alive_interval;
58 } 58 }
59diff --git a/ssh_config.5 b/ssh_config.5 59diff --git a/ssh_config.5 b/ssh_config.5
60index e6649ac..01f1f7f 100644 60index 4476171..dd35dd8 100644
61--- a/ssh_config.5 61--- a/ssh_config.5
62+++ b/ssh_config.5 62+++ b/ssh_config.5
63@@ -1325,7 +1325,10 @@ If, for example, 63@@ -1409,7 +1409,10 @@ If, for example,
64 .Cm ServerAliveCountMax 64 .Cm ServerAliveCountMax
65 is left at the default, if the server becomes unresponsive, 65 is left at the default, if the server becomes unresponsive,
66 ssh will disconnect after approximately 45 seconds. 66 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index bfc236927..d760e6c19 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 69f7c00e04d1baa01a9038eeb764cfed0830fb19 Mon Sep 17 00:00:00 2001 1From fbe5bd9e957ea90404158b3a3c11a6b91fe6f010 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 26e9681..5bce695 100644 36index 0ad82f0..e8be6fe 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -989,7 +989,7 @@ main(int ac, char **av) 39@@ -1107,7 +1107,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index e4e4657f3..8ce3d1f71 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 28ea747089f695e58a476a2849133402d4f86b92 Mon Sep 17 00:00:00 2001 1From 39b2121148a0aa016a648446823c8f02c5fd95b3 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -28,10 +28,10 @@ Patch-Name: user-group-modes.patch
28 8 files changed, 82 insertions(+), 29 deletions(-) 28 8 files changed, 82 insertions(+), 29 deletions(-)
29 29
30diff --git a/auth-rhosts.c b/auth-rhosts.c 30diff --git a/auth-rhosts.c b/auth-rhosts.c
31index b5bedee..11fcca6 100644 31index ee9e827..2ff2cff 100644
32--- a/auth-rhosts.c 32--- a/auth-rhosts.c
33+++ b/auth-rhosts.c 33+++ b/auth-rhosts.c
34@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 34@@ -271,8 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
35 return 0; 35 return 0;
36 } 36 }
37 if (options.strict_modes && 37 if (options.strict_modes &&
@@ -41,7 +41,7 @@ index b5bedee..11fcca6 100644
41 logit("Rhosts authentication refused for %.100s: " 41 logit("Rhosts authentication refused for %.100s: "
42 "bad ownership or modes for home directory.", pw->pw_name); 42 "bad ownership or modes for home directory.", pw->pw_name);
43 auth_debug_add("Rhosts authentication refused for %.100s: " 43 auth_debug_add("Rhosts authentication refused for %.100s: "
44@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 44@@ -298,8 +297,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
45 * allowing access to their account by anyone. 45 * allowing access to their account by anyone.
46 */ 46 */
47 if (options.strict_modes && 47 if (options.strict_modes &&
@@ -52,10 +52,10 @@ index b5bedee..11fcca6 100644
52 pw->pw_name, buf); 52 pw->pw_name, buf);
53 auth_debug_add("Bad file modes for %.200s", buf); 53 auth_debug_add("Bad file modes for %.200s", buf);
54diff --git a/auth.c b/auth.c 54diff --git a/auth.c b/auth.c
55index 5e60682..18de51a 100644 55index f9b7673..41e3876 100644
56--- a/auth.c 56--- a/auth.c
57+++ b/auth.c 57+++ b/auth.c
58@@ -421,8 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 58@@ -423,8 +423,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
60 if (options.strict_modes && 60 if (options.strict_modes &&
61 (stat(user_hostfile, &st) == 0) && 61 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 5e60682..18de51a 100644
65 logit("Authentication refused for %.100s: " 65 logit("Authentication refused for %.100s: "
66 "bad owner or modes for %.200s", 66 "bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile); 67 pw->pw_name, user_hostfile);
68@@ -484,8 +483,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 68@@ -486,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
69 snprintf(err, errlen, "%s is not a regular file", buf); 69 snprintf(err, errlen, "%s is not a regular file", buf);
70 return -1; 70 return -1;
71 } 71 }
@@ -75,7 +75,7 @@ index 5e60682..18de51a 100644
75 snprintf(err, errlen, "bad ownership or modes for file %s", 75 snprintf(err, errlen, "bad ownership or modes for file %s",
76 buf); 76 buf);
77 return -1; 77 return -1;
78@@ -500,8 +498,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 78@@ -502,8 +500,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
79 strlcpy(buf, cp, sizeof(buf)); 79 strlcpy(buf, cp, sizeof(buf));
80 80
81 if (stat(buf, &st) < 0 || 81 if (stat(buf, &st) < 0 ||
@@ -86,7 +86,7 @@ index 5e60682..18de51a 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index 94b05b0..c25ccd8 100644 89index 38af3df..d745480 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -50,8 +50,9 @@ 92@@ -50,8 +50,9 @@
@@ -216,10 +216,10 @@ index f35ec39..9a23e6e 100644
216- return 0; 216- return 0;
217-} 217-}
218diff --git a/readconf.c b/readconf.c 218diff --git a/readconf.c b/readconf.c
219index 337818c..0648867 100644 219index 1d2d596..2ef8d7b 100644
220--- a/readconf.c 220--- a/readconf.c
221+++ b/readconf.c 221+++ b/readconf.c
222@@ -38,6 +38,8 @@ 222@@ -39,6 +39,8 @@
223 #include <stdio.h> 223 #include <stdio.h>
224 #include <string.h> 224 #include <string.h>
225 #include <unistd.h> 225 #include <unistd.h>
@@ -228,7 +228,7 @@ index 337818c..0648867 100644
228 #ifdef HAVE_UTIL_H 228 #ifdef HAVE_UTIL_H
229 #include <util.h> 229 #include <util.h>
230 #endif 230 #endif
231@@ -1516,8 +1518,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, 231@@ -1579,8 +1581,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
232 232
233 if (fstat(fileno(f), &sb) == -1) 233 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno)); 234 fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index 337818c..0648867 100644
239 } 239 }
240 240
241diff --git a/ssh.1 b/ssh.1 241diff --git a/ssh.1 b/ssh.1
242index fa5cfb2..7f6ab77 100644 242index da64b71..53c711a 100644
243--- a/ssh.1 243--- a/ssh.1
244+++ b/ssh.1 244+++ b/ssh.1
245@@ -1342,6 +1342,8 @@ The file format and configuration options are described in 245@@ -1355,6 +1355,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 . 246 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions: 247 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others. 248 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index fa5cfb2..7f6ab77 100644
252 .It Pa ~/.ssh/environment 252 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see 253 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5 254diff --git a/ssh_config.5 b/ssh_config.5
255index ea92ea8..d68b45a 100644 255index 250c0d1..8abcf40 100644
256--- a/ssh_config.5 256--- a/ssh_config.5
257+++ b/ssh_config.5 257+++ b/ssh_config.5
258@@ -1587,6 +1587,8 @@ The format of this file is described above. 258@@ -1701,6 +1701,8 @@ The format of this file is described above.
259 This file is used by the SSH client. 259 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions: 260 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others. 261 read/write for the user, and not accessible by others.