2 files changed, 94 insertions, 0 deletions
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
new file mode 100644
index 000000000..a329b9be1
--- /dev/null
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -0,0 +1,93 @@
+From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 8 Apr 2019 10:46:29 +0100
+Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
+ AF21 for"
+This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
+The IPQoS default changes have some unfortunate interactions with
+iptables (see https://bugs.debian.org/923880) and VMware, so I'm
+temporarily reverting them until those have been fixed.
+Bug-Debian: https://bugs.debian.org/923879
+Bug-Debian: https://bugs.debian.org/926229
+Bug-Ubuntu: https://bugs.launchpad.net/1822370
+Last-Update: 2019-04-08
+Patch-Name: revert-ipqos-defaults.patch
+---
+ readconf.c    | 4 ++--
+ servconf.c    | 4 ++--
+ ssh_config.5  | 6 ++----
+ sshd_config.5 | 6 ++----
+ 4 files changed, 8 insertions(+), 12 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index 661b8bf40..6d046f063 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
+        if (options->visual_host_key == -1)
+                options->visual_host_key = 0;
+        if (options->ip_qos_interactive == -1)
+-               options->ip_qos_interactive = IPTOS_DSCP_AF21;
+               options->ip_qos_interactive = IPTOS_LOWDELAY;
+        if (options->ip_qos_bulk == -1)
+-               options->ip_qos_bulk = IPTOS_DSCP_CS1;
+               options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->request_tty == -1)
+                options->request_tty = REQUEST_TTY_AUTO;
+        if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index c5dd617ef..bf2669147 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
+        if (options->permit_tun == -1)
+                options->permit_tun = SSH_TUNMODE_NO;
+        if (options->ip_qos_interactive == -1)
+-               options->ip_qos_interactive = IPTOS_DSCP_AF21;
+               options->ip_qos_interactive = IPTOS_LOWDELAY;
+        if (options->ip_qos_bulk == -1)
+-               options->ip_qos_bulk = IPTOS_DSCP_CS1;
+               options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->version_addendum == NULL)
+                options->version_addendum = xstrdup("");
+        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1a8e24bd1..f6c1b3b33 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
+.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
+.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index ba50a30f1..03f813e72 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+ If two values are specified, the first is automatically selected for
+ interactive sessions and the second for non-interactive sessions.
+ The default is
+-.Cm af21
+-(Low-Latency Data)
+.Cm lowdelay
+ for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
+.Cm throughput
+ for non-interactive sessions.
+ .It Cm KbdInteractiveAuthentication
+ Specifies whether to allow keyboard-interactive authentication.
diff --git a/debian/patches/series b/debian/patches/series
index ff6011442..b0da97283 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ check-filenames-in-scp-client.patch
 fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
+revert-ipqos-defaults.patch

diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch new file mode 100644 index 000000000..a329b9be1 --- /dev/null +++ b/debian/patches/revert-ipqos-defaults.patch
@@ -0,0 +1,93 @@
		1	From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Mon, 8 Apr 2019 10:46:29 +0100
		4	Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
		5	AF21 for"
		6
		7	This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
		8
		9	The IPQoS default changes have some unfortunate interactions with
		10	iptables (see https://bugs.debian.org/923880) and VMware, so I'm
		11	temporarily reverting them until those have been fixed.
		12
		13	Bug-Debian: https://bugs.debian.org/923879
		14	Bug-Debian: https://bugs.debian.org/926229
		15	Bug-Ubuntu: https://bugs.launchpad.net/1822370
		16	Last-Update: 2019-04-08
		17
		18	Patch-Name: revert-ipqos-defaults.patch
		19	---
		20	readconf.c \| 4 ++--
		21	servconf.c \| 4 ++--
		22	ssh_config.5 \| 6 ++----
		23	sshd_config.5 \| 6 ++----
		24	4 files changed, 8 insertions(+), 12 deletions(-)
		25
		26	diff --git a/readconf.c b/readconf.c
		27	index 661b8bf40..6d046f063 100644
		28	--- a/readconf.c
		29	+++ b/readconf.c
		30	@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
		31	if (options->visual_host_key == -1)
		32	options->visual_host_key = 0;
		33	if (options->ip_qos_interactive == -1)
		34	- options->ip_qos_interactive = IPTOS_DSCP_AF21;
		35	+ options->ip_qos_interactive = IPTOS_LOWDELAY;
		36	if (options->ip_qos_bulk == -1)
		37	- options->ip_qos_bulk = IPTOS_DSCP_CS1;
		38	+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
		39	if (options->request_tty == -1)
		40	options->request_tty = REQUEST_TTY_AUTO;
		41	if (options->proxy_use_fdpass == -1)
		42	diff --git a/servconf.c b/servconf.c
		43	index c5dd617ef..bf2669147 100644
		44	--- a/servconf.c
		45	+++ b/servconf.c
		46	@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
		47	if (options->permit_tun == -1)
		48	options->permit_tun = SSH_TUNMODE_NO;
		49	if (options->ip_qos_interactive == -1)
		50	- options->ip_qos_interactive = IPTOS_DSCP_AF21;
		51	+ options->ip_qos_interactive = IPTOS_LOWDELAY;
		52	if (options->ip_qos_bulk == -1)
		53	- options->ip_qos_bulk = IPTOS_DSCP_CS1;
		54	+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
		55	if (options->version_addendum == NULL)
		56	options->version_addendum = xstrdup("");
		57	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
		58	diff --git a/ssh_config.5 b/ssh_config.5
		59	index 1a8e24bd1..f6c1b3b33 100644
		60	--- a/ssh_config.5
		61	+++ b/ssh_config.5
		62	@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
		63	If two values are specified, the first is automatically selected for
		64	interactive sessions and the second for non-interactive sessions.
		65	The default is
		66	-.Cm af21
		67	-(Low-Latency Data)
		68	+.Cm lowdelay
		69	for interactive sessions and
		70	-.Cm cs1
		71	-(Lower Effort)
		72	+.Cm throughput
		73	for non-interactive sessions.
		74	.It Cm KbdInteractiveAuthentication
		75	Specifies whether to use keyboard-interactive authentication.
		76	diff --git a/sshd_config.5 b/sshd_config.5
		77	index ba50a30f1..03f813e72 100644
		78	--- a/sshd_config.5
		79	+++ b/sshd_config.5
		80	@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
		81	If two values are specified, the first is automatically selected for
		82	interactive sessions and the second for non-interactive sessions.
		83	The default is
		84	-.Cm af21
		85	-(Low-Latency Data)
		86	+.Cm lowdelay
		87	for interactive sessions and
		88	-.Cm cs1
		89	-(Lower Effort)
		90	+.Cm throughput
		91	for non-interactive sessions.
		92	.It Cm KbdInteractiveAuthentication
		93	Specifies whether to allow keyboard-interactive authentication.


diff --git a/debian/patches/series b/debian/patches/series index ff6011442..b0da97283 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -31,3 +31,4 @@ check-filenames-in-scp-client.patch
31	fix-key-type-check.patch	31	fix-key-type-check.patch
32	request-rsa-sha2-cert-signatures.patch	32	request-rsa-sha2-cert-signatures.patch
33	scp-handle-braces.patch	33	scp-handle-braces.patch
		34	revert-ipqos-defaults.patch