19 files changed, 113 insertions, 140 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index e608bd20d..b0761420e 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,15 +10,15 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -135,6 +135,7 @@
+@@ -136,6 +136,7 @@
-        options->zero_knowledge_password_authentication = -1;
        options->revoked_keys_file = NULL;
        options->trusted_user_ca_keys = NULL;
+        options->authorized_principals_file = NULL;
 +       options->debian_banner = -1;
 }
 
 void
-@@ -277,6 +278,8 @@
+@@ -278,6 +279,8 @@
                options->permit_tun = SSH_TUNMODE_NO;
        if (options->zero_knowledge_password_authentication == -1)
                options->zero_knowledge_password_authentication = 0;
@@ -27,23 +27,23 @@ Index: b/servconf.c
 
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-@@ -325,6 +328,7 @@
+@@ -326,6 +329,7 @@
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-        sRevokedKeys, sTrustedUserCAKeys,
+        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 +       sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -457,6 +461,7 @@
+@@ -459,6 +463,7 @@
-        { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
        { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
        { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
 
-@@ -1386,6 +1391,10 @@
+@@ -1392,6 +1397,10 @@
                charptr = &options->revoked_keys_file;
                goto parse_filename;
 
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -295,6 +295,11 @@
+@@ -340,6 +340,11 @@
 .Dq no .
 The default is
 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ac77919e6..2fe365639 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,15 +24,15 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1132,7 +1132,7 @@
+@@ -1179,7 +1179,7 @@
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
 -               options->forward_x11_trusted = 0;
 +               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
-                options->exit_on_forward_failure = 0;
-        if (options->xauth_location == NULL)
 Index: b/ssh_config
 ===================================================================
 --- a/ssh_config
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -452,7 +468,8 @@
+@@ -483,7 +499,8 @@
 Remote clients will be refused access after this time.
 .Pp
 The default is
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 4c555799f..fb522013c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -8,7 +8,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -531,6 +531,9 @@
+@@ -562,6 +562,9 @@
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 3ea221834..d88382dcb 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1384,6 +1384,9 @@
+@@ -1387,6 +1387,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -17,7 +17,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1396,6 +1399,9 @@
+@@ -1399,6 +1402,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
index 369a23360..b93134933 100644
--- a/debian/patches/gssapi-compat.patch
+++ b/debian/patches/gssapi-compat.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -380,16 +380,20 @@
+@@ -381,16 +381,20 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
index 6e09df484..0969c59b4 100644
--- a/debian/patches/gssapi-dump.patch
+++ b/debian/patches/gssapi-dump.patch
@@ -11,7 +11,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -1677,7 +1677,10 @@
+@@ -1688,7 +1688,10 @@
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index e39239fbd..778c23023 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -364,7 +364,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1431,6 +1435,15 @@
+@@ -1483,6 +1487,15 @@
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -1918,9 +1918,9 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -982,6 +982,8 @@
+@@ -1020,6 +1020,8 @@
                return KEY_RSA_CERT;
-        } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
+        } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
                return KEY_DSA_CERT;
 +       } else if (strcmp(name, "null") == 0) {
 +               return KEY_NULL;
@@ -1931,10 +1931,10 @@ Index: b/key.h
 ===================================================================
 --- a/key.h
 +++ b/key.h
-@@ -37,6 +37,7 @@
+@@ -39,6 +39,7 @@
-        KEY_DSA,
-        KEY_RSA_CERT,
        KEY_DSA_CERT,
+        KEY_RSA_CERT_V00,
+        KEY_DSA_CERT_V00,
 +       KEY_NULL,
        KEY_UNSPEC
 };
@@ -2239,9 +2239,9 @@ Index: b/readconf.c
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +       oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
-        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+        oSendEnv, oControlPath, oControlMaster, oControlPersist,
-        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+        oHashKnownHosts,
-@@ -164,10 +165,18 @@
+@@ -166,10 +167,18 @@
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2260,7 +2260,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -456,10 +465,26 @@
+@@ -474,10 +483,26 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2287,7 +2287,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1015,7 +1040,11 @@
+@@ -1058,7 +1083,11 @@
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2299,7 +2299,7 @@ Index: b/readconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1107,8 +1136,14 @@
+@@ -1156,8 +1185,14 @@
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2318,7 +2318,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -44,7 +44,11 @@
+@@ -46,7 +46,11 @@
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
        int     gss_authentication;     /* Try GSS authentication */
@@ -2345,7 +2345,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -214,8 +217,14 @@
+@@ -215,8 +218,14 @@
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2360,7 +2360,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -306,7 +315,9 @@
+@@ -307,7 +316,9 @@
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,7 +2371,7 @@ Index: b/servconf.c
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -369,9 +380,15 @@
+@@ -370,9 +381,15 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2387,7 +2387,7 @@ Index: b/servconf.c
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -924,10 +941,22 @@
+@@ -926,10 +943,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2543,7 +2543,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -478,11 +478,38 @@
+@@ -509,11 +509,38 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@@ -2794,7 +2794,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1577,10 +1581,13 @@
+@@ -1586,10 +1590,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2808,7 +2808,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1909,6 +1916,60 @@
+@@ -1918,6 +1925,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2869,7 +2869,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2287,12 +2348,61 @@
+@@ -2296,12 +2357,61 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -2948,7 +2948,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -379,12 +379,40 @@
+@@ -424,12 +424,40 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 36335f475..9e1705719 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -18,15 +18,15 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -133,6 +133,7 @@
+@@ -134,6 +134,7 @@
-        oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+        oHashKnownHosts,
        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
 +       oProtocolKeepAlives, oSetupTimeOut,
        oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -248,6 +249,8 @@
+@@ -251,6 +252,8 @@
 #else
        { "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
@@ -35,7 +35,7 @@ Index: b/readconf.c
 
        { NULL, oBadOption }
 };
-@@ -847,6 +850,8 @@
+@@ -865,6 +868,8 @@
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1235,8 +1240,13 @@
+@@ -1284,8 +1289,13 @@
                options->rekey_limit = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -963,8 +967,15 @@
+@@ -994,8 +998,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1003,6 +1014,12 @@
+@@ -1034,6 +1045,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -936,6 +936,9 @@
+@@ -985,6 +985,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index dea370a1b..de63e46f8 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -145,9 +145,7 @@
+@@ -148,9 +148,7 @@
 .Pa ~/.ssh/id_dsa
 or
 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -367,9 +365,7 @@
+@@ -394,9 +392,7 @@
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -762,6 +762,10 @@
+@@ -728,6 +728,10 @@
 .Sx HISTORY
 section of
 .Xr ssl 8
@@ -84,7 +84,7 @@ Index: b/sshd.8
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -835,7 +835,7 @@
+@@ -845,7 +845,7 @@
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -93,7 +93,7 @@ Index: b/sshd.8
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -931,7 +931,6 @@
+@@ -941,7 +941,6 @@
 .Xr ssh-vulnkey 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -105,7 +105,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -177,8 +177,7 @@
+@@ -222,8 +222,7 @@
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index f45cc6968..67e014002 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_5.5"
+ #define SSH_VERSION    "OpenSSH_5.6"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 96a26cf7e..f8bc5fd4e 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1530,8 +1530,10 @@
+@@ -1594,8 +1594,10 @@
                exit_status = 0;
        }
 
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 99702c317..3f06225ad 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -11,7 +11,7 @@ Index: b/scp.c
 ===================================================================
 --- a/scp.c
 +++ b/scp.c
-@@ -168,8 +168,16 @@
+@@ -182,8 +182,16 @@
 
        if (verbose_mode) {
                fprintf(stderr, "Executing:");
diff --git a/debian/patches/series b/debian/patches/series
index 699dbaa98..fe14d7a8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,7 +23,6 @@ helpful-wait-terminate.patch
 user-group-modes.patch
 scp-quoting.patch
 shell-path.patch
-ssh-copy-id-trailing-colons.patch
 dnssec-sshfp.patch
 # Versioning
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 851687dfd..4a651bfa1 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1430,6 +1430,7 @@
+@@ -1396,6 +1396,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-copy-id-trailing-colons.patch b/debian/patches/ssh-copy-id-trailing-colons.patch
deleted file mode 100644
index 1063fc6bb..000000000
--- a/debian/patches/ssh-copy-id-trailing-colons.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: ssh-copy-id: Strip trailing colons from hostname
-Author: Karl Goetz <karl@kgoetz.id.au>
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1530
-Bug-Debian: http://bugs.debian.org/226172
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/249706
-Last-Update: 2010-02-27
-Index: b/contrib/ssh-copy-id
-===================================================================
--- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -38,10 +38,10 @@
-   exit 1
- fi
- 
-{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
-+{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
- 
- cat <<EOF
-Now try logging into the machine, with "ssh '$1'", and check in:
-+Now try logging into the machine, with "ssh '${1%:}'", and check in:
- 
-   .ssh/authorized_keys
- 
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index af56dc031..ecb6e0c64 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -132,7 +132,7 @@ Index: b/auth.c
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-@@ -593,10 +594,34 @@
+@@ -615,10 +616,34 @@
 
 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
@@ -172,10 +172,10 @@ Index: b/auth.h
 ===================================================================
 --- a/auth.h
 +++ b/auth.h
-@@ -173,7 +173,7 @@
+@@ -175,7 +175,7 @@
- char   *authorized_keys_file2(struct passwd *);
 
 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
+ FILE   *auth_openprincipals(const char *, struct passwd *, int);
 -int     auth_key_is_revoked(Key *);
 +int     auth_key_is_revoked(Key *, int);
 
@@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c
 ===================================================================
 --- a/auth2-hostbased.c
 +++ b/auth2-hostbased.c
-@@ -145,7 +145,7 @@
+@@ -146,7 +146,7 @@
-        HostStatus host_status;
        int len;
+        char *fp;
 
 -       if (auth_key_is_revoked(key))
 +       if (auth_key_is_revoked(key, 0))
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -328,9 +328,10 @@
+@@ -439,9 +439,10 @@
        int success;
        char *file;
 
@@ -223,7 +223,7 @@ Index: b/authfile.c
 
 /* Version identification string for SSH v1 identity files. */
 static const char authfile_id_string[] =
-@@ -754,3 +755,140 @@
+@@ -814,3 +815,140 @@
        return ret;
 }
 
@@ -368,7 +368,7 @@ Index: b/authfile.h
 ===================================================================
 --- a/authfile.h
 +++ b/authfile.h
-@@ -24,4 +24,6 @@
+@@ -26,4 +26,6 @@
 int     key_perm_ok(int, const char *);
 int     key_in_file(Key *, const char *, int);
 
@@ -412,7 +412,7 @@ Index: b/readconf.c
        oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-@@ -152,6 +153,7 @@
+@@ -154,6 +155,7 @@
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
        { "rsaauthentication", oRSAAuthentication },
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -461,6 +463,10 @@
+@@ -479,6 +481,10 @@
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
 
@@ -431,7 +431,7 @@ Index: b/readconf.c
        case oGssAuthentication:
                intptr = &options->gss_authentication;
                goto parse_flag;
-@@ -1050,6 +1056,7 @@
+@@ -1093,6 +1099,7 @@
        options->kbd_interactive_devices = NULL;
        options->rhosts_rsa_authentication = -1;
        options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
        options->batch_mode = -1;
        options->check_host_ip = -1;
        options->strict_host_key_checking = -1;
-@@ -1152,6 +1159,8 @@
+@@ -1201,6 +1208,8 @@
                options->rhosts_rsa_authentication = 0;
        if (options->hostbased_authentication == -1)
                options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -54,6 +54,7 @@
+@@ -56,6 +56,7 @@
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
        char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
        int     zero_knowledge_password_authentication; /* Try jpake */
@@ -472,7 +472,7 @@ Index: b/servconf.c
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->use_login = -1;
-@@ -231,6 +232,8 @@
+@@ -232,6 +233,8 @@
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
-@@ -306,7 +309,7 @@
+@@ -307,7 +310,7 @@
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -415,6 +418,7 @@
+@@ -416,6 +419,7 @@
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1009,6 +1013,10 @@
+@@ -1011,6 +1015,10 @@
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
 
@@ -509,7 +509,7 @@ Index: b/servconf.c
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
-@@ -1697,6 +1705,7 @@
+@@ -1708,6 +1716,7 @@
        dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
        dump_cfg_fmtint(sStrictModes, o->strict_modes);
        dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -628,6 +628,7 @@
+@@ -669,6 +669,7 @@
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1426,6 +1426,7 @@
+@@ -1392,6 +1392,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1301,7 +1301,7 @@
+@@ -1422,7 +1422,7 @@
 static void
 load_public_identity_files(void)
 {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
        char *pwdir = NULL, *pwname = NULL;
        int i = 0;
        Key *public;
-@@ -1358,6 +1358,22 @@
+@@ -1479,6 +1479,22 @@
                public = key_load_public(filename, NULL);
                debug("identity file %s type %d", filename,
                    public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1051,6 +1051,23 @@
+@@ -1082,6 +1082,23 @@
 .Dq any .
 The default is
 .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1421,6 +1421,8 @@
 
        /* list of keys stored in the filesystem */
        for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1510,7 +1512,7 @@
+@@ -1514,7 +1516,7 @@
-                if (id->key && id->key->type != KEY_RSA1) {
+                        debug("Offering %s public key: %s", key_type(id->key),
-                        debug("Offering public key: %s", id->filename);
+                            id->filename);
                        sent = send_pubkey_test(authctxt, id);
 -               } else if (id->key == NULL) {
 +               } else if (id->key == NULL && id->filename) {
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -928,6 +928,7 @@
+@@ -938,6 +938,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1564,6 +1564,11 @@
+@@ -1573,6 +1573,11 @@
                        sensitive_data.host_keys[i] = NULL;
                        continue;
                }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -694,6 +694,20 @@
+@@ -743,6 +743,20 @@
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 7682c0761..dac1ca1cc 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -7,20 +7,13 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -507,16 +507,21 @@
+@@ -547,16 +547,21 @@
 static void
 server_alive_check(void)
 {
 -       if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
 -               logit("Timeout, server not responding.");
 -               cleanup_exit(255);
-       }
-       packet_start(SSH2_MSG_GLOBAL_REQUEST);
-       packet_put_cstring("keepalive@openssh.com");
-       packet_put_char(1);     /* boolean: want reply */
-       packet_send();
-       /* Insert an empty placeholder to maintain ordering */
-       client_register_global_confirm(NULL, NULL);
 +       if (compat20) {
 +               if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
 +                       logit("Timeout, server not responding.");
@@ -35,24 +28,30 @@ Index: b/clientloop.c
 +       } else {
 +               packet_send_ignore(0);
 +               packet_send();
-+       }
+        }
+-       packet_start(SSH2_MSG_GLOBAL_REQUEST);
+-       packet_put_cstring("keepalive@openssh.com");
+-       packet_put_char(1);     /* boolean: want reply */
+-       packet_send();
+-       /* Insert an empty placeholder to maintain ordering */
+-       client_register_global_confirm(NULL, NULL);
 }
 
 /*
-@@ -574,7 +579,7 @@
+@@ -616,7 +621,7 @@
-         * event pending.
         */
 
-       if (options.server_alive_interval == 0 || !compat20)
+        timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
-+       if (options.server_alive_interval == 0)
+-       if (options.server_alive_interval > 0 && compat20)
-                tvp = NULL;
+       if (options.server_alive_interval > 0)
-        else {
+                timeout_secs = options.server_alive_interval;
-                tv.tv_sec = options.server_alive_interval;
+        set_control_persist_exit_time();
+        if (control_persist_exit_time > 0) {
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -952,7 +952,10 @@
+@@ -983,7 +983,10 @@
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2dc912b8e..3cb9fdc65 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -26,7 +26,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -624,7 +624,7 @@
+@@ -642,7 +642,7 @@
                tty_flag = 0;
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 164b8ec81..69700e592 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
 
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -1003,8 +1005,7 @@
+@@ -1045,8 +1047,7 @@
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,7 +38,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1324,6 +1324,8 @@
+@@ -1290,6 +1290,8 @@
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1204,6 +1204,8 @@
+@@ -1235,6 +1235,8 @@
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -385,8 +385,7 @@
+@@ -393,8 +393,7 @@
                user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                if (options.strict_modes &&
                    (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
-@@ -438,8 +437,7 @@
+@@ -448,8 +447,7 @@
 
        /* check the open file to avoid races */
        if (fstat(fileno(f), &st) < 0 ||
@@ -84,7 +84,7 @@ Index: b/auth.c
                snprintf(err, errlen, "bad ownership or modes for file %s",
                    buf);
                return -1;
-@@ -455,8 +453,7 @@
+@@ -465,8 +463,7 @@
 
                debug3("secure_filename: checking '%s'", buf);
                if (stat(buf, &st) < 0 ||
@@ -109,7 +109,7 @@ Index: b/misc.c
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
-@@ -638,6 +639,55 @@
+@@ -639,6 +640,55 @@
 }
 
 int
@@ -169,7 +169,7 @@ Index: b/misc.h
 ===================================================================
 --- a/misc.h
 +++ b/misc.h
-@@ -91,4 +91,6 @@
+@@ -92,4 +92,6 @@
 int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);