28 files changed, 286 insertions, 286 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index f1db2dbdf..c91cdbd68 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 490aadd108dc4bf7f4b5084e3336d88ec23f6b19 Mon Sep 17 00:00:00 2001
+From 493e37552aa05b38cf69b5f1bc4b717fd4a1a285 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch
 4 files changed, 32 insertions(+), 9 deletions(-)
 diff --git a/auth-options.c b/auth-options.c
-index 12e2e1d..15c00d0 100644
+index fa209ea..df61330 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -58,9 +58,20 @@ int forced_tun_device = -1;
+@@ -54,9 +54,20 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
@@ -40,7 +40,7 @@ index 12e2e1d..15c00d0 100644
 auth_clear_options(void)
 {
        no_agent_forwarding_flag = 0;
-@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                /* FALLTHROUGH */
                        case 0:
                                free(patterns);
@@ -58,7 +58,7 @@ index 12e2e1d..15c00d0 100644
                                auth_debug_add("Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
-@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
+@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
                                        break;
                                case 0:
                                        /* no match */
@@ -104,10 +104,10 @@ index 545aa49..4624c15 100644
         * Go though the accepted keys, looking for the current key.  If
         * found, perform a challenge-response dialog to verify that the
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 2b3ecb1..4d87f48 100644
+index 0fd27bb..7c56927 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
+@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
                restore_uid();
                return 0;
        }
@@ -115,7 +115,7 @@ index 2b3ecb1..4d87f48 100644
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                /* Skip leading whitespace. */
                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
        found_key = 0;
 
        found = NULL;
@@ -123,7 +123,7 @@ index 2b3ecb1..4d87f48 100644
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL;
                if (found != NULL)
-@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
        if (key_cert_check_authority(key, 0, 1,
            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
                goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index f59df61bd..ce1b72d60 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From d5b4a3617c50cbe9526582979797248af5cbd9d5 Mon Sep 17 00:00:00 2001
+From cf559d6c8b4616022f5bedcf3b3b85387a4d1559 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
 1 file changed, 1 insertion(+)
 diff --git a/Makefile.in b/Makefile.in
-index b2dbead..7849979 100644
+index 598d55a..5cf8100 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -283,6 +283,7 @@ install-files:
+@@ -287,6 +287,7 @@ install-files:
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index b97bf0cd5..65b6feb71 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,4 +1,4 @@
-From 05609b1cb381eafb999214bf4a95138e63abdbf2 Mon Sep 17 00:00:00 2001
+From efe70e315cfcc70e765ebd070e83528a6be6c125 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
@@ -24,24 +24,24 @@ Patch-Name: consolekit.patch
 create mode 100644 consolekit.h
 diff --git a/Makefile.in b/Makefile.in
-index f979926..b2dbead 100644
+index 35c6fd6..598d55a 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -94,7 +94,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o \
        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-       sandbox-seccomp-filter.o
+-       sandbox-seccomp-filter.o sandbox-capsicum.o
-+       sandbox-seccomp-filter.o \
+       sandbox-seccomp-filter.o sandbox-capsicum.o \
 +       consolekit.o
 
 MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure b/configure
-index ceb1b5d..78bbcd0 100755
+index 5a9db2d..57b68e2 100755
 --- a/configure
 +++ b/configure
-@@ -738,6 +738,7 @@ with_privsep_user
+@@ -740,6 +740,7 @@ with_privsep_user
 with_sandbox
 with_selinux
 with_kerberos5
@@ -49,15 +49,15 @@ index ceb1b5d..78bbcd0 100755
 with_privsep_path
 with_xauth
 enable_strip
-@@ -1428,6 +1429,7 @@ Optional Packages:
+@@ -1432,6 +1433,7 @@ Optional Packages:
-   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+   --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
   --with-selinux          Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
 +  --with-consolekit       Enable ConsoleKit support
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
   --with-xauth=PATH       Specify path to xauth program
   --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -16375,6 +16377,135 @@ fi
+@@ -17215,6 +17217,135 @@ fi
 
 
 
@@ -193,7 +193,7 @@ index ceb1b5d..78bbcd0 100755
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -18902,6 +19033,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -19744,6 +19875,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index ceb1b5d..78bbcd0 100755
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/configure.ac b/configure.ac
-index 4c1a658..d7d500a 100644
+index 90eebf5..e2289cd 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3841,6 +3841,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4070,6 +4070,30 @@ AC_ARG_WITH([kerberos5],
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
@@ -236,7 +236,7 @@ index 4c1a658..d7d500a 100644
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -4641,6 +4665,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -4871,6 +4895,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
@@ -521,7 +521,7 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index e8d63eb..9bc4f0b 100644
+index 88f472e..8ffea4f 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -98,6 +98,9 @@
@@ -575,7 +575,7 @@ index e8d63eb..9bc4f0b 100644
 
        for (;;)
                monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2492,3 +2508,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
+@@ -2493,3 +2509,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
 }
 
 #endif /* JPAKE */
@@ -672,7 +672,7 @@ index 4d12e29..360fb9f 100644
 +
 #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index b4d74d9..15bdb1b 100644
+index 5ddd82a..14df226 100644
 --- a/session.c
 +++ b/session.c
 @@ -92,6 +92,7 @@
@@ -683,7 +683,7 @@ index b4d74d9..15bdb1b 100644
 
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
-@@ -1132,6 +1133,9 @@ do_setup_env(Session *s, const char *shell)
+@@ -1155,6 +1156,9 @@ do_setup_env(Session *s, const char *shell)
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
        char *path = NULL;
 #endif
@@ -693,7 +693,7 @@ index b4d74d9..15bdb1b 100644
 
        /* Initialize the environment. */
        envsize = 100;
-@@ -1276,6 +1280,11 @@ do_setup_env(Session *s, const char *shell)
+@@ -1299,6 +1303,11 @@ do_setup_env(Session *s, const char *shell)
                child_set_env(&env, &envsize, "KRB5CCNAME",
                    s->authctxt->krb5_ccname);
 #endif
@@ -705,7 +705,7 @@ index b4d74d9..15bdb1b 100644
 #ifdef USE_PAM
        /*
         * Pull in any environment variables that may have
-@@ -2320,6 +2329,10 @@ session_pty_cleanup2(Session *s)
+@@ -2348,6 +2357,10 @@ session_pty_cleanup2(Session *s)
 
        debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
@@ -717,7 +717,7 @@ index b4d74d9..15bdb1b 100644
        if (s->pid != 0)
                record_logout(s->pid, s->tty, s->pw->pw_name);
 diff --git a/session.h b/session.h
-index cb4f196..7e51b6a 100644
+index ef6593c..a6b6983 100644
 --- a/session.h
 +++ b/session.h
 @@ -26,6 +26,8 @@
@@ -729,7 +729,7 @@ index cb4f196..7e51b6a 100644
 #define TTYSZ 64
 typedef struct Session Session;
 struct Session {
-@@ -60,6 +62,10 @@ struct Session {
+@@ -61,6 +63,10 @@ struct Session {
                char    *name;
                char    *val;
        } *env;
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 8edc27f70..4cae13961 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From e1e1e23ca98c59a031217da0ea50b70de5427683 Mon Sep 17 00:00:00 2001
+From 68ebfc0e90ceb0f7b24dfb38979df6a80b7ec9e4 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
 4 files changed, 18 insertions(+), 1 deletion(-)
 diff --git a/servconf.c b/servconf.c
-index dcb8caf..802db1d 100644
+index 65f71ad..63ff4ff 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
@@ -30,7 +30,7 @@ index dcb8caf..802db1d 100644
 }
 
 void
-@@ -307,6 +308,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
@@ -39,7 +39,7 @@ index dcb8caf..802db1d 100644
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
-@@ -357,6 +360,7 @@ typedef enum {
+@@ -362,6 +365,7 @@ typedef enum {
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent,
@@ -47,7 +47,7 @@ index dcb8caf..802db1d 100644
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -498,6 +502,7 @@ static struct {
+@@ -504,6 +508,7 @@ static struct {
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -55,7 +55,7 @@ index dcb8caf..802db1d 100644
        { NULL, sBadOption, 0 }
 };
 
-@@ -1641,6 +1646,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1666,6 +1671,10 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
 
@@ -67,10 +67,10 @@ index dcb8caf..802db1d 100644
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index ab6e346..1891a95 100644
+index eba76ee..98d68ce 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -187,6 +187,8 @@ typedef struct {
+@@ -188,6 +188,8 @@ typedef struct {
 
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
@@ -80,7 +80,7 @@ index ab6e346..1891a95 100644
 
 /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 46ec1a7..63b9357 100644
+index 82168a1..c49a877 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index 46ec1a7..63b9357 100644
            options.version_addendum, newline);
 
 diff --git a/sshd_config.5 b/sshd_config.5
-index e29604a..50eec53 100644
+index 39643de..bdca797 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -404,6 +404,11 @@ or
+@@ -413,6 +413,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 3c5af97c3..5d24b22b8 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From b65a0ded7a8cfe7d351e28266d7851216d679e05 Mon Sep 17 00:00:00 2001
+From ee8d8b97cc2c6081df3af453a228992b87309ec4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
 5 files changed, 53 insertions(+), 3 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index c741934..e1e82c5 100644
+index 273552d..6ac8bea 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1292,7 +1292,7 @@ fill_default_options(Options * options)
+@@ -1618,7 +1618,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -47,7 +47,7 @@ index c741934..e1e82c5 100644
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
 diff --git a/ssh_config b/ssh_config
-index 3234321..064b593 100644
+index 228e5ab..c9386aa 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -71,7 +71,7 @@ index 3234321..064b593 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 7b05e5f..01e7b6f 100644
+index 85f306c..cc91a5c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 7b05e5f..01e7b6f 100644
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -648,7 +664,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -108,10 +108,10 @@ index 7b05e5f..01e7b6f 100644
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
 diff --git a/sshd_config b/sshd_config
-index 9450141..9cfe28d 100644
+index d9b8594..4db32f5 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -40,6 +40,7 @@
+@@ -41,6 +41,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
@@ -120,7 +120,7 @@ index 9450141..9cfe28d 100644
 #StrictModes yes
 #MaxAuthTries 6
 diff --git a/sshd_config.5 b/sshd_config.5
-index 04b5f1a..ca4cb19 100644
+index 9fa6086..e7ac846 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 4349df707..ccedef08f 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From d77a569da1afcb73c6ddfc934092461eeb4edb53 Mon Sep 17 00:00:00 2001
+From a3e8cef2bae563fe8c87cf9f32511a0808dd47eb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index a6408c21f..6b21b2e93 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 6a3efad36a54be8fa4de750cd7a555fe925f21cc Mon Sep 17 00:00:00 2001
+From 5e0540a17ace7dbbcec332ad3828d09dfa69dc6f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
 1 file changed, 3 insertions(+)
 diff --git a/ssh_config.5 b/ssh_config.5
-index a1e18d2..7b05e5f 100644
+index 3c6b9d4..85f306c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -587,6 +587,9 @@ Note that existing names and addresses in known hosts files
+@@ -734,6 +734,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 0fa00a883..a813eb0ab 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 5093448a615dcbab13bbbd3765ac353b827f21aa Mon Sep 17 00:00:00 2001
+From 61466f681be917753b4ae82f3b6b16cbb44047ae Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/sshd.8 b/sshd.8
-index 95c1845..8e4017b 100644
+index b016e90..cba168a 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -70,7 +70,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 1cbb93436..c0ee03c3f 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 797d4dfd543b9d3fe96db6396e902a40b868d5c0 Mon Sep 17 00:00:00 2001
+From 1a6c95a5c5c82664f18bab6159e16cd64b07d870 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8a919382e..3f6fccfff 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001
+From cd404114ded78fc51d5d9cbd458d55c9b2f67daa Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
 security history.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2013-11-09
+Last-Updated: 2014-02-10
 Patch-Name: gssapi.patch
 ---
@@ -179,7 +179,7 @@ index 0000000..f117a33
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index 92c95a9..f979926 100644
+index a8aa127..35c6fd6 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
@@ -188,22 +188,22 @@ index 92c95a9..f979926 100644
        kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +       kexgssc.o \
        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-        jpake.o schnorr.o ssh-pkcs11.o krl.o
+        jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
- 
+        kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
-@@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
-        auth-krb5.o \
+        kexc25519s.o auth-krb5.o \
 -       auth2-gss.o gss-serv.o gss-serv-krb5.o \
-+       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
+       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o \
 diff --git a/auth-krb5.c b/auth-krb5.c
-index 7c83f59..5613b57 100644
+index 6c62bdf..69a1a53 100644
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
-@@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
@@ -217,7 +217,7 @@ index 7c83f59..5613b57 100644
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -242,7 +242,7 @@ index 7c83f59..5613b57 100644
        old_umask = umask(0177);
        tmpfd = mkstemp(ccname + strlen("FILE:"));
        oerrno = errno;
-@@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
                return oerrno;
        }
        close(tmpfd);
@@ -358,7 +358,7 @@ index f0cab8c..6ed8f04 100644
 #endif
 #ifdef JPAKE
 diff --git a/clientloop.c b/clientloop.c
-index 23c2f23..311dc13 100644
+index f30c8b6..6d02b0b 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -111,6 +111,10 @@
@@ -389,10 +389,10 @@ index 23c2f23..311dc13 100644
                                debug("need rekeying");
                                xxx_kex->done = 0;
 diff --git a/config.h.in b/config.h.in
-index b75e501..34f1c9c 100644
+index 075c619..906e549 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1546,6 +1546,9 @@
+@@ -1616,6 +1616,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -402,7 +402,7 @@ index b75e501..34f1c9c 100644
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1561,6 +1564,9 @@
+@@ -1631,6 +1634,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
@@ -413,10 +413,10 @@ index b75e501..34f1c9c 100644
 #undef USE_SOLARIS_PROCESS_CONTRACTS
 
 diff --git a/configure b/configure
-index 0d6fad5..ceb1b5d 100755
+index 2d714ac..5a9db2d 100755
 --- a/configure
 +++ b/configure
-@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
+@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
 
 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
 
@@ -481,10 +481,10 @@ index 0d6fad5..ceb1b5d 100755
        ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
 diff --git a/configure.ac b/configure.ac
-index 4a1b503..4c1a658 100644
+index dfd32cd..90eebf5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -867,7 +867,7 @@ index b39281b..b7d1b7d 100644
 +
 #endif /* GSSAPI */
 diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 87f2683..c55446a 100644
+index 759fa10..959a77e 100644
 --- a/gss-serv-krb5.c
 +++ b/gss-serv-krb5.c
 @@ -1,7 +1,7 @@
@@ -887,7 +887,7 @@ index 87f2683..c55446a 100644
 
        if (client->creds == NULL) {
                debug("No credentials stored");
-@@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                return;
        }
 
@@ -908,7 +908,7 @@ index 87f2683..c55446a 100644
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
 
@@ -980,7 +980,7 @@ index 87f2683..c55446a 100644
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
-@@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
@@ -1309,12 +1309,12 @@ index 95348e2..97f366f 100644
 
 #endif
 diff --git a/kex.c b/kex.c
-index 54bd1a4..1ec2782 100644
+index 616484b..49d0fc8 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -50,6 +50,10 @@
+@@ -51,6 +51,10 @@
- #include "monitor.h"
 #include "roaming.h"
+ #include "digest.h"
 
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@@ -1323,22 +1323,22 @@ index 54bd1a4..1ec2782 100644
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = {
+@@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = {
 #endif
-        { NULL, -1, -1, NULL},
+        { NULL, -1, -1, -1},
 };
 +static const struct kexalg kexalg_prefixes[] = {
 +#ifdef GSSAPI
-+       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
+       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
-+       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
+       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
+       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 +#endif
-+       { NULL, -1, -1, NULL },
+       { NULL, -1, -1, -1 },
 +};
 
 char *
- kex_alg_list(void)
+ kex_alg_list(char sep)
-@@ -110,6 +122,10 @@ kex_alg_by_name(const char *name)
+@@ -120,6 +132,10 @@ kex_alg_by_name(const char *name)
                if (strcmp(k->name, name) == 0)
                        return k;
        }
@@ -1350,22 +1350,22 @@ index 54bd1a4..1ec2782 100644
 }
 
 diff --git a/kex.h b/kex.h
-index 9f1e1ad..d5046c6 100644
+index 1aa3ec2..8fbcb2b 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -74,6 +74,9 @@ enum kex_exchange {
+@@ -76,6 +76,9 @@ enum kex_exchange {
-        KEX_DH_GEX_SHA1,
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
+        KEX_C25519_SHA256,
 +       KEX_GSS_GRP1_SHA1,
 +       KEX_GSS_GRP14_SHA1,
 +       KEX_GSS_GEX_SHA1,
        KEX_MAX
 };
 
-@@ -133,6 +136,12 @@ struct Kex {
+@@ -136,6 +139,12 @@ struct Kex {
        int     flags;
-        const EVP_MD *evp_md;
+        int     hash_alg;
        int     ec_nid;
 +#ifdef GSSAPI
 +       int     gss_deleg_creds;
@@ -1376,9 +1376,9 @@ index 9f1e1ad..d5046c6 100644
        char    *client_version_string;
        char    *server_version_string;
        int     (*verify_host_key)(Key *);
-@@ -162,6 +171,11 @@ void        kexgex_server(Kex *);
+@@ -168,6 +177,11 @@ void        kexecdh_server(Kex *);
- void    kexecdh_client(Kex *);
+ void    kexc25519_client(Kex *);
- void    kexecdh_server(Kex *);
+ void    kexc25519_server(Kex *);
 
 +#ifdef GSSAPI
 +void   kexgss_client(Kex *);
@@ -1390,7 +1390,7 @@ index 9f1e1ad..d5046c6 100644
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff --git a/kexgssc.c b/kexgssc.c
 new file mode 100644
-index 0000000..616893c
+index 0000000..14f5598
 --- /dev/null
 +++ b/kexgssc.c
 @@ -0,0 +1,333 @@
@@ -1675,7 +1675,7 @@ index 0000000..616893c
 +               break;
 +       case KEX_GSS_GEX_SHA1:
 +               kexgex_hash(
-+                   kex->evp_md,
+                   kex->hash_alg,
 +                   kex->client_version_string,
 +                   kex->server_version_string,
 +                   buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -1721,7 +1721,7 @@ index 0000000..616893c
 +       else
 +               ssh_gssapi_delete_ctx(&ctxt);
 +
-+       kex_derive_keys(kex, hash, hashlen, shared_secret);
+       kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +       BN_clear_free(shared_secret);
 +       kex_finish(kex);
 +}
@@ -1729,7 +1729,7 @@ index 0000000..616893c
 +#endif /* GSSAPI */
 diff --git a/kexgsss.c b/kexgsss.c
 new file mode 100644
-index 0000000..18b065b
+index 0000000..8095259
 --- /dev/null
 +++ b/kexgsss.c
 @@ -0,0 +1,289 @@
@@ -1959,7 +1959,7 @@ index 0000000..18b065b
 +               break;
 +       case KEX_GSS_GEX_SHA1:
 +               kexgex_hash(
-+                   kex->evp_md,
+                   kex->hash_alg,
 +                   kex->client_version_string, kex->server_version_string,
 +                   buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 +                   buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -2012,7 +2012,7 @@ index 0000000..18b065b
 +
 +       DH_free(dh);
 +
-+       kex_derive_keys(kex, hash, hashlen, shared_secret);
+       kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +       BN_clear_free(shared_secret);
 +       kex_finish(kex);
 +
@@ -2023,23 +2023,23 @@ index 0000000..18b065b
 +}
 +#endif /* GSSAPI */
 diff --git a/key.c b/key.c
-index 55ee789..2591635 100644
+index 9142338..3867eb3 100644
 --- a/key.c
 +++ b/key.c
-@@ -933,6 +933,7 @@ static const struct keytype keytypes[] = {
+@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
-            KEY_RSA_CERT_V00, 0, 1 },
-        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
            KEY_DSA_CERT_V00, 0, 1 },
+        { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
+            KEY_ED25519_CERT, 0, 1 },
 +       { "null", "null", KEY_NULL, 0, 0 },
        { NULL, NULL, -1, -1, 0 }
 };
 
 diff --git a/key.h b/key.h
-index 17358ae..b57d6a4 100644
+index d8ad13d..c8aeba2 100644
 --- a/key.h
 +++ b/key.h
-@@ -44,6 +44,7 @@ enum types {
+@@ -46,6 +46,7 @@ enum types {
-        KEY_ECDSA_CERT,
+        KEY_ED25519_CERT,
        KEY_RSA_CERT_V00,
        KEY_DSA_CERT_V00,
 +       KEY_NULL,
@@ -2047,7 +2047,7 @@ index 17358ae..b57d6a4 100644
 };
 enum fp_type {
 diff --git a/monitor.c b/monitor.c
-index 44dff98..9079c97 100644
+index 03baf1e..a777c4c 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2102,10 +2102,10 @@ index 44dff98..9079c97 100644
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
+@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
-        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2116,7 +2116,7 @@ index 44dff98..9079c97 100644
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
 
@@ -2126,7 +2126,7 @@ index 44dff98..9079c97 100644
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2136,7 +2136,7 @@ index 44dff98..9079c97 100644
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2144,7 +2144,7 @@ index 44dff98..9079c97 100644
        }
        return (0);
 }
-@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
 
@@ -2154,7 +2154,7 @@ index 44dff98..9079c97 100644
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
 
@@ -2167,7 +2167,7 @@ index 44dff98..9079c97 100644
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2338,10 +2338,10 @@ index 0c7f2e3..ec9b9b1 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index 1464430..2695fd6 100644
+index 9c7e73d..cb8bcb2 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -132,6 +132,8 @@ typedef enum {
+@@ -140,6 +140,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2350,7 +2350,7 @@ index 1464430..2695fd6 100644
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -172,10 +174,19 @@ static struct {
+@@ -182,10 +184,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2370,7 +2370,7 @@ index 1464430..2695fd6 100644
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -516,10 +527,30 @@ parse_flag:
+@@ -839,10 +850,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2401,7 +2401,7 @@ index 1464430..2695fd6 100644
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
+@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2414,7 +2414,7 @@ index 1464430..2695fd6 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
+@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2430,10 +2430,10 @@ index 1464430..2695fd6 100644
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index 23fc500..675b35d 100644
+index 2d7ea9f..826c676 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -48,7 +48,12 @@ typedef struct {
+@@ -54,7 +54,12 @@ typedef struct {
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
        int     gss_authentication;     /* Try GSS authentication */
@@ -2447,10 +2447,10 @@ index 23fc500..675b35d 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 747edde..c938ae3 100644
+index 9bcd05b..29209e4 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options)
+@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2461,7 +2461,7 @@ index 747edde..c938ae3 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2476,7 +2476,7 @@ index 747edde..c938ae3 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -338,7 +347,9 @@ typedef enum {
+@@ -343,7 +352,9 @@ typedef enum {
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2487,7 +2487,7 @@ index 747edde..c938ae3 100644
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -405,10 +416,20 @@ static struct {
+@@ -410,10 +421,20 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2508,7 +2508,7 @@ index 747edde..c938ae3 100644
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2531,7 +2531,7 @@ index 747edde..c938ae3 100644
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o)
+@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2543,10 +2543,10 @@ index 747edde..c938ae3 100644
 #ifdef JPAKE
        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 98aad8b..ab6e346 100644
+index 8812c5a..eba76ee 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -111,7 +111,10 @@ typedef struct {
+@@ -112,7 +112,10 @@ typedef struct {
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2659,7 +2659,7 @@ index 077e13c..bc6e8f9 100644
 
 #endif /* _SSH_GSS_H */
 diff --git a/ssh_config b/ssh_config
-index bb40819..3234321 100644
+index 03a228f..228e5ab 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -26,6 +26,8 @@
@@ -2672,10 +2672,10 @@ index bb40819..3234321 100644
 #   CheckHostIP yes
 #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 5d76c6d..e72919a 100644
+index 3cadcd7..49505ae 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@@ -2721,7 +2721,7 @@ index 5d76c6d..e72919a 100644
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 70e3cd8..0b13530 100644
+index 8acffc5..21a269d 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2759,7 +2759,7 @@ index 70e3cd8..0b13530 100644
        if (options.ciphers == (char *)-1) {
                logit("No valid ciphers for protocol version 2 given, using defaults.");
                options.ciphers = NULL;
-@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        if (options.kex_algorithms != NULL)
                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 
@@ -2777,10 +2777,10 @@ index 70e3cd8..0b13530 100644
        if (options.rekey_limit || options.rekey_interval)
                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                    (time_t)options.rekey_interval);
-@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -210,10 +246,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
-        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+        kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2808,7 +2808,7 @@ index 70e3cd8..0b13530 100644
        xxx_kex = kex;
 
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -307,6 +363,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
+@@ -309,6 +365,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
 void   input_gssapi_hash(int type, u_int32_t, void *);
 void   input_gssapi_error(int, u_int32_t, void *);
 void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2816,7 +2816,7 @@ index 70e3cd8..0b13530 100644
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -322,6 +379,11 @@ static char *authmethods_get(void);
+@@ -324,6 +381,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2828,7 +2828,7 @@ index 70e3cd8..0b13530 100644
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2862,7 +2862,7 @@ index 70e3cd8..0b13530 100644
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2873,7 +2873,7 @@ index 70e3cd8..0b13530 100644
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
        free(msg);
        free(lang);
 }
@@ -2923,7 +2923,7 @@ index 70e3cd8..0b13530 100644
 
 int
 diff --git a/sshd.c b/sshd.c
-index 174cc7a..4eddeb8 100644
+index 25380c9..fe65132 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -122,6 +122,10 @@
@@ -2937,7 +2937,7 @@ index 174cc7a..4eddeb8 100644
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1703,10 +1707,13 @@ main(int ac, char **av)
+@@ -1721,10 +1725,13 @@ main(int ac, char **av)
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2951,9 +2951,9 @@ index 174cc7a..4eddeb8 100644
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -2035,6 +2042,60 @@ main(int ac, char **av)
+@@ -2051,6 +2058,60 @@ main(int ac, char **av)
-        /* Log the connection. */
+            remote_ip, remote_port,
-        verbose("Connection from %.500s port %d", remote_ip, remote_port);
+            get_local_ipaddr(sock_in), get_local_port());
 
 +#ifdef USE_SECURITY_SESSION_API
 +       /*
@@ -3012,9 +3012,9 @@ index 174cc7a..4eddeb8 100644
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2439,6 +2500,48 @@ do_ssh2_kex(void)
+@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
- 
+        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
-        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+            list_hostkey_types());
 
 +#ifdef GSSAPI
 +       {
@@ -3061,10 +3061,10 @@ index 174cc7a..4eddeb8 100644
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2446,6 +2549,13 @@ do_ssh2_kex(void)
+@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
-        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -3076,23 +3076,23 @@ index 174cc7a..4eddeb8 100644
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index b786361..9450141 100644
+index e9045bc..d9b8594 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -83,6 +83,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
+@@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 +#GSSAPIStrictAcceptorCheck yes
 +#GSSAPIKeyExchange no
 
- # Set this to 'yes' to enable PAM authentication, account processing, 
+ # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will 
+ # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 3abac6c..525d9c8 100644
+index 3b21ea6..9aa9eba 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 23afe3be9..ca90ba124 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 84589dc348c43ec22b50ede0c2946cf6afd0980d Mon Sep 17 00:00:00 2001
+From 71003a35537df521296408d9f6bd0a200ed2a854 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/serverloop.c b/serverloop.c
-index ccbad61..5f22df3 100644
+index 5b2f802..d3079d2 100644
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -686,7 +686,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
                        if (!channel_still_open())
                                break;
                        if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index e22410298..84da73ae0 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From bd3d91c378d549aed56246ad4535aea29db04150 Mon Sep 17 00:00:00 2001
+From 043f937820e1152df2c8416f37e6c8d923fc1811 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index 915a0f7..dab7963 100644
+index 2a1fe8e..e79e355 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -140,6 +140,7 @@ typedef enum {
+@@ -150,6 +150,7 @@ typedef enum {
-        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+        oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
-        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
+        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 +       oProtocolKeepAlives, oSetupTimeOut,
        oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -262,6 +263,8 @@ static struct {
+@@ -279,6 +280,8 @@ static struct {
-        { "ipqos", oIPQoS },
+        { "canonicalizemaxdots", oCanonicalizeMaxDots },
-        { "requesttty", oRequestTTY },
+        { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
        { "ignoreunknown", oIgnoreUnknown },
 +       { "protocolkeepalives", oProtocolKeepAlives },
 +       { "setuptimeout", oSetupTimeOut },
 
        { NULL, oBadOption }
 };
-@@ -934,6 +937,8 @@ parse_int:
+@@ -1245,6 +1248,8 @@ parse_int:
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 915a0f7..dab7963 100644
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1396,8 +1401,13 @@ fill_default_options(Options * options)
+@@ -1724,8 +1729,13 @@ fill_default_options(Options * options)
                options->rekey_interval = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 915a0f7..dab7963 100644
                options->server_alive_count_max = 3;
        if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 1fc0a6b..6948680 100644
+index 617a312..b3c5dc6 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -136,8 +136,12 @@ Valid arguments are
+@@ -205,8 +205,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index 1fc0a6b..6948680 100644
 The argument must be
 .Dq yes
 or
-@@ -1141,8 +1145,15 @@ from the server,
+@@ -1299,8 +1303,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -106,7 +106,7 @@ index 1fc0a6b..6948680 100644
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1339,6 +1350,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 1fc0a6b..6948680 100644
 connections will die if the route is down temporarily, and some people
 find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 525d9c8..e29604a 100644
+index 9aa9eba..39643de 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1147,6 +1147,9 @@ This avoids infinitely hanging sessions.
+@@ -1168,6 +1168,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index e1073e4ac..588834b5a 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 9ffc99332ff1bac6be9f0af430268e7981bd3dd2 Mon Sep 17 00:00:00 2001
+From cf359c36be95e478071cb0dc4491aba88a5bae70 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/Makefile.in b/Makefile.in
-index 7849979..095f4ff 100644
+index 5cf8100..b7de26f 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -289,9 +289,9 @@ install-files:
+@@ -293,9 +293,9 @@ install-files:
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 08e1a2f3e..637d438b9 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 6a137c3718ea1afab92b25a018e393cfede4d6a8 Mon Sep 17 00:00:00 2001
+From 9c6deb4e89ad1ac2c2046b1371f378a80b0b4dec Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index 91fd59a..bda83b2 100644
+index ef4d9e0..4ff5c73 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -981,9 +981,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1062,9 +1062,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                        error("%s. This could either mean that", key_msg);
                        error("DNS SPOOFING is happening or the IP address for the host");
                        error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index 91fd59a..bda83b2 100644
                }
                /* The host key has changed. */
                warn_changed_key(host_key);
-@@ -991,6 +994,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1072,6 +1075,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                    user_hostfiles[0]);
                error("Offending %s key in %s:%lu", key_type(host_found->key),
                    host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 6e41d2ed9..ca2a83473 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,4 +1,4 @@
-From 3e3f5462b563ab0f2b4ba67590e5a5735fa17bec Mon Sep 17 00:00:00 2001
+From db27c81d3de93a0df6cb0f01e9b8b6bf4bb17d06 Mon Sep 17 00:00:00 2001
 From: Philip Hands <phil@hands.com>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Disable OpenSSL version check
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 670eea421..2dbfd31b7 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From d087ec8cf190df54fa8cb77c6ffd55a819dd1777 Mon Sep 17 00:00:00 2001
+From 1c4af29874fe7bd1cec92ee90fc613c3cf83f571 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,11 +44,11 @@ index ef0de08..149846c 100644
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 0d55854..151cab0 100644
+index 0e0ed98..299ccf8 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -171,9 +171,7 @@ key in
+@@ -172,9 +172,7 @@ key in
- .Pa ~/.ssh/id_dsa
+ .Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
 -Additionally, the system administrator may use this to generate host keys,
@@ -58,18 +58,18 @@ index 0d55854..151cab0 100644
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -219,9 +217,7 @@ The options are as follows:
+@@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
- For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
+ for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
 -This is used by
 -.Pa /etc/rc
 -to generate new host keys.
 +This is used by system administration scripts to generate new host keys.
- .It Fl a Ar trials
+ .It Fl a Ar rounds
- Specifies the number of primality tests to perform when screening DH-GEX
+ When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
- candidates using the
+ 2 key when the
-@@ -605,7 +601,7 @@ option.
+@@ -628,7 +624,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 0d55854..151cab0 100644
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
-@@ -800,7 +796,7 @@ on all machines
+@@ -827,7 +823,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -88,10 +88,10 @@ index 0d55854..151cab0 100644
 The file format is described in
 .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index 05ae6ad..6e2e03b 100644
+index ff5e6ac..67b4f44 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys,
+@@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys,
 but protocol 2 may use any.
 The HISTORY section of
 .Xr ssl 8
@@ -103,7 +103,7 @@ index 05ae6ad..6e2e03b 100644
 .Pp
 The file
 diff --git a/sshd.8 b/sshd.8
-index b0c7ab6..95c1845 100644
+index e6a900b..b016e90 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -70,7 +70,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index b0c7ab6..95c1845 100644
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -859,7 +859,7 @@ This file is for host-based authentication (see
+@@ -862,7 +862,7 @@ This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -124,7 +124,7 @@ index b0c7ab6..95c1845 100644
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -956,7 +956,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -133,7 +133,7 @@ index b0c7ab6..95c1845 100644
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 50eec53..04b5f1a 100644
+index bdca797..9fa6086 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -283,8 +283,7 @@ This option is only available for protocol version 2.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index f6d793751..99a2167b3 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 Mon Sep 17 00:00:00 2001
+From 03b1ae877da1db4c517747bee89f1a494cce8566 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
 3 files changed, 9 insertions(+), 4 deletions(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index bda83b2..ad960fd 100644
+index 4ff5c73..a2fbf9e 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -442,10 +442,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -517,10 +517,10 @@ send_client_banner(int connection_out, int minor1)
        /* Send our own protocol version identification. */
        if (compat20) {
                xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,7 +36,7 @@ index bda83b2..ad960fd 100644
        if (roaming_atomicio(vwrite, connection_out, client_version_string,
            strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index e5c9835..46ec1a7 100644
+index 0a30101..82168a1 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index e5c9835..46ec1a7 100644
            options.version_addendum, newline);
 
 diff --git a/version.h b/version.h
-index 39033ed..036277d 100644
+index 83d70c6..0c6ea0f 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.4"
+ #define SSH_VERSION    "OpenSSH_6.5"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 664abf0ff..18489cabe 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 360257b8a56798d507123ff770f2def408464f00 Mon Sep 17 00:00:00 2001
+From 32e3aad13edff8c03c524105e2c4d4194995573b Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
-index dc76d69..f2f474e 100644
+index 37b3a04..60c9e87 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 71dcecc9c..a2df78d10 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From bb3ea9f222f7f0fe9b449b75bfae93513f7ca3e2 Mon Sep 17 00:00:00 2001
+From 52d571e95114cd6d63b5dc4829f87fd55213c828 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/scp.c b/scp.c
-index 28ded5e..b7a17ab 100644
+index 18d3b1d..0669d02 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -189,8 +189,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 8aa8f614e..dc0ffa300 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001
+From cc5ecb35ae6572d13ed523d143439a8559d1fee2 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -113,7 +113,7 @@ index 6ed8f04..b55bbcd 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 9079c97..e8d63eb 100644
+index a777c4c..88f472e 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 diff --git a/platform.c b/platform.c
-index 3262b24..a962f15 100644
+index 30fc609..4aab9a9 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
  * called if sshd is running as root.
  */
 void
@@ -373,7 +373,7 @@ index 3262b24..a962f15 100644
 {
 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
        /*
-@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
        }
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@@ -383,10 +383,10 @@ index 3262b24..a962f15 100644
 }
 
 diff --git a/platform.h b/platform.h
-index 19f6bfd..3188a3d 100644
+index 1c7a45d..436ae7c 100644
 --- a/platform.h
 +++ b/platform.h
-@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
+@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
 int  platform_privileged_uidswap(void);
 void platform_setusercontext(struct passwd *);
@@ -396,10 +396,10 @@ index 19f6bfd..3188a3d 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index d4b57bd..b4d74d9 100644
+index 12dd9ab..5ddd82a 100644
 --- a/session.c
 +++ b/session.c
-@@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1497,7 +1497,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -408,7 +408,7 @@ index d4b57bd..b4d74d9 100644
 {
        char *chroot_path, *tmp;
 
-@@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1525,7 +1525,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -417,7 +417,7 @@ index d4b57bd..b4d74d9 100644
 
                if (options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command)
+@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index d4b57bd..b4d74d9 100644
                child_close_fds();
                do_pwchange(s);
                exit(1);
-@@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command)
+@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
                /* When PAM is enabled we rely on it to do the nologin check */
                if (!options.use_pam)
                        do_nologin(pw);
@@ -435,7 +435,7 @@ index d4b57bd..b4d74d9 100644
                /*
                 * PAM session modules in do_setusercontext may have
                 * generated messages, so if this in an interactive
-@@ -2084,7 +2084,7 @@ session_pty_req(Session *s)
+@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -445,10 +445,10 @@ index d4b57bd..b4d74d9 100644
        /* Set window size from the packet. */
        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
 diff --git a/session.h b/session.h
-index cbb8e3a..cb4f196 100644
+index 6a2f35e..ef6593c 100644
 --- a/session.h
 +++ b/session.h
-@@ -76,7 +76,7 @@ void   session_pty_cleanup2(Session *);
+@@ -77,7 +77,7 @@ void   session_pty_cleanup2(Session *);
 Session        *session_new(void);
 Session        *session_by_tty(char *);
 void    session_close(Session *);
@@ -458,11 +458,11 @@ index cbb8e3a..cb4f196 100644
                       const char *value);
 
 diff --git a/sshd.c b/sshd.c
-index 4eddeb8..e5c9835 100644
+index fe65132..0a30101 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -763,7 +763,7 @@ privsep_postauth(Authctxt *authctxt)
-        RAND_seed(rnd, sizeof(rnd));
+        bzero(rnd, sizeof(rnd));
 
        /* Drop privileges */
 -       do_setusercontext(authctxt->pw);
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index a7540eb34..8f716f8de 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 7231af57ca3efb451ace1b8e056fa0e52c67654e Mon Sep 17 00:00:00 2001
+From 95e6f7afe0ca1c16c31845d6fa30453b45b73e0e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index 483eb85..91fd59a 100644
+index d21781e..ef4d9e0 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -151,7 +151,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
+@@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
                /* Execute the proxy command.  Note that we gave up any
                   extra privileges above. */
                signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 483eb85..91fd59a 100644
                perror(argv[0]);
                exit(1);
        }
-@@ -1298,7 +1298,7 @@ ssh_local_cmd(const char *args)
+@@ -1384,7 +1384,7 @@ ssh_local_cmd(const char *args)
        if (pid == 0) {
                signal(SIGPIPE, SIG_DFL);
                debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 7776b6d11..0abebb664 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 727d51f30918f6635f06694f71f4318a6038296d Mon Sep 17 00:00:00 2001
+From 6b7aca6f112d216f321466cc7301b5183e772513 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -12,10 +12,10 @@ Patch-Name: sigstop.patch
 1 file changed, 4 insertions(+)
 diff --git a/sshd.c b/sshd.c
-index 63b9357..fd7f182 100644
+index c49a877..23e8c2d 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1909,6 +1909,10 @@ main(int ac, char **av)
+@@ -1924,6 +1924,10 @@ main(int ac, char **av)
                        }
                }
 
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 9ae105960..78047d30c 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From ad4f5086a0f0c47daf04be484ff310101551e48a Mon Sep 17 00:00:00 2001
+From 0b9347201e50bd518c09babde3e7650c2b2e9228 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
 1 file changed, 15 insertions(+)
 diff --git a/ssh-agent.1 b/ssh-agent.1
-index bb801c9..d370531 100644
+index 281ecbd..38fd540 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
+@@ -183,6 +183,21 @@ environment variable holds the agent's process ID.
 .Pp
 The agent exits automatically when the command given on the command
 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 138a3632a..53f7d6641 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 901a9e09f92a72c4a627af9feffdd39fb805e95d Mon Sep 17 00:00:00 2001
+From 4e249feb183e35e32cbc0f68cfdfb6bbe09576a9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
 1 file changed, 1 insertion(+)
 diff --git a/ssh.1 b/ssh.1
-index 6e2e03b..63b0573 100644
+index 67b4f44..9868025 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1451,6 +1451,7 @@ if an error occurred.
+@@ -1468,6 +1468,7 @@ if an error occurred.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 50d500f6d..a14f7ae06 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From bdc94de85ed7dbafb949c239d7c3eff23ea4aa28 Mon Sep 17 00:00:00 2001
+From 889e217b88a7848e6c997f7f87d07b9d1a35fb49 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
 2 files changed, 2 insertions(+)
 diff --git a/readconf.c b/readconf.c
-index 2695fd6..915a0f7 100644
+index cb8bcb2..2a1fe8e 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -161,6 +161,7 @@ static struct {
+@@ -171,6 +171,7 @@ static struct {
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 2695fd6..915a0f7 100644
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
 diff --git a/servconf.c b/servconf.c
-index c938ae3..dcb8caf 100644
+index 29209e4..65f71ad 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -451,6 +451,7 @@ static struct {
+@@ -456,6 +456,7 @@ static struct {
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 1ab818a37..4eab486fe 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From 3d498ae4180b8338db5f960865882b3f781aec2a Mon Sep 17 00:00:00 2001
+From 9f42d3b964854aecfed2fff64ac375c0c4805fa5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch
 2 files changed, 19 insertions(+), 11 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
-index 311dc13..dc76d69 100644
+index 6d02b0b..37b3a04 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
@@ -57,10 +57,10 @@ index 311dc13..dc76d69 100644
                server_alive_time = now + options.server_alive_interval;
        }
 diff --git a/ssh_config.5 b/ssh_config.5
-index e72919a..1fc0a6b 100644
+index 49505ae..617a312 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1130,7 +1130,10 @@ If, for example,
+@@ -1288,7 +1288,10 @@ If, for example,
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 40b26d002..682ec3657 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From b8a355b5db58dc489fca181e333dacf5e14f4f1d Mon Sep 17 00:00:00 2001
+From 36c21f10bd09ee15eb7f5bd7448309bf9a5cd466 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
        { "FATAL",      SYSLOG_LEVEL_FATAL },
        { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 87233bc..5502889 100644
+index 5de8fcf..0cea713 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -740,7 +740,7 @@ main(int ac, char **av)
+@@ -889,7 +889,7 @@ main(int ac, char **av)
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
            options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index cfc14523a..0bc245ab1 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 2bb37315c1e077bc176e703fbf0028a1f6315d37 Mon Sep 17 00:00:00 2001
+From b63620615d5c8af09e350608233f69191ad6c275 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644
                            "bad ownership or modes for directory %s", buf);
                        return -1;
 diff --git a/misc.c b/misc.c
-index c3c8099..eb57bfc 100644
+index e4c8c32..4e756b0 100644
 --- a/misc.c
 +++ b/misc.c
-@@ -48,8 +48,9 @@
+@@ -49,8 +49,9 @@
 #include <netdb.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
@@ -100,7 +100,7 @@ index c3c8099..eb57bfc 100644
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
-@@ -58,6 +59,7 @@
+@@ -59,6 +60,7 @@
 #include "misc.h"
 #include "log.h"
 #include "ssh.h"
@@ -108,7 +108,7 @@ index c3c8099..eb57bfc 100644
 
 /* remove newline at end of string */
 char *
-@@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
+@@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
        return -1;
 }
 
@@ -181,10 +181,10 @@ index c3c8099..eb57bfc 100644
 tun_open(int tun, int mode)
 {
 diff --git a/misc.h b/misc.h
-index fceb306..51ba182 100644
+index d4df619..ceb173b 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -104,4 +104,6 @@ char        *read_passphrase(const char *, int);
+@@ -106,4 +106,6 @@ char        *read_passphrase(const char *, int);
 int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
 
@@ -192,10 +192,10 @@ index fceb306..51ba182 100644
 +
 #endif /* _MISC_H */
 diff --git a/platform.c b/platform.c
-index a962f15..0b3bee1 100644
+index 4aab9a9..f99de7f 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name)
+@@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name)
        return NULL;
 #endif
 }
@@ -216,10 +216,10 @@ index a962f15..0b3bee1 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index dab7963..c741934 100644
+index e79e355..273552d 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -30,6 +30,8 @@
+@@ -36,6 +36,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
@@ -228,7 +228,7 @@ index dab7963..c741934 100644
 #ifdef HAVE_UTIL_H
 #include <util.h>
 #endif
-@@ -1155,8 +1157,7 @@ read_config_file(const char *filename, const char *host, Options *options,
+@@ -1475,8 +1477,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index dab7963..c741934 100644
        }
 
 diff --git a/ssh.1 b/ssh.1
-index 62292cc..05ae6ad 100644
+index 27794e2..ff5e6ac 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1338,6 +1338,8 @@ The file format and configuration options are described in
+@@ -1352,6 +1352,8 @@ The file format and configuration options are described in
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index 62292cc..05ae6ad 100644
 .It Pa ~/.ssh/environment
 Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 6948680..a1e18d2 100644
+index b3c5dc6..3c6b9d4 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1365,6 +1365,8 @@ The format of this file is described above.
+@@ -1523,6 +1523,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.