23 files changed, 251 insertions, 312 deletions
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 34535f001..891b934ab 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -284,6 +284,7 @@
+@@ -287,6 +287,7 @@
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index b0761420e..32251397d 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,42 +10,42 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -136,6 +136,7 @@
+@@ -143,6 +143,7 @@
-        options->revoked_keys_file = NULL;
-        options->trusted_user_ca_keys = NULL;
        options->authorized_principals_file = NULL;
+        options->ip_qos_interactive = -1;
+        options->ip_qos_bulk = -1;
 +       options->debian_banner = -1;
 }
 
 void
-@@ -278,6 +279,8 @@
+@@ -293,6 +294,8 @@
-                options->permit_tun = SSH_TUNMODE_NO;
+                options->ip_qos_interactive = IPTOS_LOWDELAY;
-        if (options->zero_knowledge_password_authentication == -1)
+        if (options->ip_qos_bulk == -1)
-                options->zero_knowledge_password_authentication = 0;
+                options->ip_qos_bulk = IPTOS_THROUGHPUT;
 +       if (options->debian_banner == -1)
 +               options->debian_banner = 1;
 
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-@@ -326,6 +329,7 @@
+@@ -342,6 +345,7 @@
-        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+        sKexAlgorithms, sIPQoS,
 +       sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -459,6 +463,7 @@
+@@ -477,6 +481,7 @@
-        { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
-        { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+        { "ipqos", sIPQoS, SSHCFG_ALL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
 
-@@ -1392,6 +1397,10 @@
+@@ -1439,6 +1444,10 @@
-                charptr = &options->revoked_keys_file;
+                }
-                goto parse_filename;
+                break;
 
 +       case sDebianBanner:
 +               intptr = &options->debian_banner;
@@ -58,7 +58,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -157,6 +157,8 @@
+@@ -160,6 +160,8 @@
 
        int     num_permitted_opens;
 
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -340,6 +340,11 @@
+@@ -339,6 +339,11 @@
 .Dq no .
 The default is
 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 2fe365639..e804aa526 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1179,7 +1179,7 @@
+@@ -1223,7 +1223,7 @@
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -61,7 +61,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -72,6 +72,22 @@
+@@ -71,6 +71,22 @@
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -483,7 +499,8 @@
+@@ -482,7 +498,8 @@
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -98,7 +98,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -36,6 +36,7 @@
+@@ -37,6 +37,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
@@ -110,7 +110,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -58,6 +58,33 @@
+@@ -57,6 +57,33 @@
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a71b42f0f..8e8285a1f 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -9,7 +9,7 @@ Index: b/dns.c
 ===================================================================
 --- a/dns.c
 +++ b/dns.c
-@@ -176,6 +176,7 @@
+@@ -177,6 +177,7 @@
 {
        u_int counter;
        int result;
@@ -17,7 +17,7 @@ Index: b/dns.c
        struct rrsetinfo *fingerprints = NULL;
 
        u_int8_t hostkey_algorithm;
-@@ -199,8 +200,19 @@
+@@ -200,8 +201,19 @@
                return -1;
        }
 
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index fb522013c..5cf8aa46b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -8,7 +8,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -562,6 +562,9 @@
+@@ -566,6 +566,9 @@
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index d88382dcb..51d8a8e72 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1387,6 +1387,9 @@
+@@ -1417,6 +1417,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -17,7 +17,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1399,6 +1402,9 @@
+@@ -1432,6 +1435,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
deleted file mode 100644
index b93134933..000000000
--- a/debian/patches/gssapi-compat.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Description: Compatibility with old GSSAPI option names
- These options were supported by the old ssh-krb5 package in Debian.
- .
- Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: Colin Watson <cjwatson@debian.org>
-Forwarded: yes
-Last-Updated: 2010-03-01
-Index: b/servconf.c
-===================================================================
--- a/servconf.c
-+++ b/servconf.c
-@@ -381,16 +381,20 @@
- #ifdef GSSAPI
-        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
-        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
-        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
-        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
-        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
- #else
-        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
-        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
-+       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
-        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
deleted file mode 100644
index 0969c59b4..000000000
--- a/debian/patches/gssapi-dump.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: GSSAPI configuration dump fixes
- Add GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, and
- GSSAPIStoreCredentialsOnRekey to sshd -T configuration dump.
- .
- Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: Colin Watson <cjwatson@debian.org>
-Forwarded: yes
-Last-Updated: 2010-02-27
-Index: b/servconf.c
-===================================================================
--- a/servconf.c
-+++ b/servconf.c
-@@ -1688,7 +1688,10 @@
- #endif
- #ifdef GSSAPI
-        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
-+       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
-        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
-+       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
-+       dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
- #endif
- #ifdef JPAKE
-        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 778c23023..692437142 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -19,14 +19,24 @@ Index: b/ChangeLog.gssapi
 ===================================================================
 --- /dev/null
 +++ b/ChangeLog.gssapi
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,113 @@
+20110101
+  - Finally update for OpenSSH 5.6p1
+  - Add GSSAPIServerIdentity option from Jim Basney
+ 
+20100308
+  - [ Makefile.in, key.c, key.h ]
+    Updates for OpenSSH 5.4p1
+  - [ servconf.c ]
+    Include GSSAPI options in the sshd -T configuration dump, and flag
+    some older configuration options as being unsupported. Thanks to Colin 
+    Watson.
+  -
+
 +20100124
 +  - [ sshconnect2.c ]
 +    Adapt to deal with additional element in Authmethod structure. Thanks to
-+    Colin Wilson
+    Colin Watson
-+  - [ clientloop.c ]
-+    Protect credentials updated code with suitable #ifdefs. Thanks to Colin
-+    Wilson
 +
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@@ -127,23 +137,23 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -74,7 +74,7 @@
+@@ -75,7 +75,7 @@
-        monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
+        monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
-        kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
+        kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
-        entropy.o gss-genr.o umac.o jpake.o schnorr.o \
+        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
-       ssh-pkcs11.o
+-       schnorr.o ssh-pkcs11.o
-+       ssh-pkcs11.o kexgssc.o
+       schnorr.o kexgssc.o ssh-pkcs11.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-@@ -88,7 +88,7 @@
+@@ -90,7 +90,7 @@
        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
-        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
+        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
        auth-krb5.o \
 -       auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-        audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o
 Index: b/auth-krb5.c
 ===================================================================
@@ -384,7 +394,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -477,6 +477,30 @@
+@@ -514,6 +514,30 @@
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
            [Prepend the address family to IP tunnel traffic])
@@ -1222,9 +1232,9 @@ Index: b/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -326,6 +330,20 @@
+@@ -358,6 +362,20 @@
-                k->kex_type = KEX_DH_GEX_SHA256;
+                k->kex_type = KEX_ECDH_SHA2;
-                k->evp_md = evp_ssh_sha256();
+                k->evp_md = kex_ecdh_name_to_evpmd(k->name);
 #endif
 +#ifdef GSSAPI
 +       } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
@@ -1247,17 +1257,17 @@ Index: b/kex.h
 ===================================================================
 --- a/kex.h
 +++ b/kex.h
-@@ -67,6 +67,9 @@
+@@ -73,6 +73,9 @@
-        KEX_DH_GRP14_SHA1,
        KEX_DH_GEX_SHA1,
        KEX_DH_GEX_SHA256,
+        KEX_ECDH_SHA2,
 +       KEX_GSS_GRP1_SHA1,
 +       KEX_GSS_GRP14_SHA1,
 +       KEX_GSS_GEX_SHA1,
        KEX_MAX
 };
 
-@@ -123,6 +126,12 @@
+@@ -129,6 +132,12 @@
        sig_atomic_t done;
        int     flags;
        const EVP_MD *evp_md;
@@ -1270,9 +1280,9 @@ Index: b/kex.h
        char    *client_version_string;
        char    *server_version_string;
        int     (*verify_host_key)(Key *);
-@@ -146,6 +155,11 @@
+@@ -156,6 +165,11 @@
- void    kexgex_client(Kex *);
+ void    kexecdh_client(Kex *);
- void    kexgex_server(Kex *);
+ void    kexecdh_server(Kex *);
 
 +#ifdef GSSAPI
 +void   kexgss_client(Kex *);
@@ -1918,21 +1928,30 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -1020,6 +1020,8 @@
+@@ -971,6 +971,8 @@
-                return KEY_RSA_CERT;
+                }
-        } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
+                break;
-                return KEY_DSA_CERT;
+ #endif /* OPENSSL_HAS_ECC */
+       case KEY_NULL:
+               return "null";
+        }
+        return "ssh-unknown";
+ }
+@@ -1276,6 +1278,8 @@
+            strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
+                return KEY_ECDSA_CERT;
+ #endif
 +       } else if (strcmp(name, "null") == 0) {
 +               return KEY_NULL;
        }
+ 
        debug2("key_type_from_name: unknown key type '%s'", name);
-        return KEY_UNSPEC;
 Index: b/key.h
 ===================================================================
 --- a/key.h
 +++ b/key.h
-@@ -39,6 +39,7 @@
+@@ -44,6 +44,7 @@
-        KEY_DSA_CERT,
+        KEY_ECDSA_CERT,
        KEY_RSA_CERT_V00,
        KEY_DSA_CERT_V00,
 +       KEY_NULL,
@@ -1995,10 +2014,10 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1691,6 +1708,13 @@
+@@ -1692,6 +1709,13 @@
-        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2009,7 +2028,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -1897,6 +1921,9 @@
+@@ -1898,6 +1922,9 @@
        OM_uint32 major;
        u_int len;
 
@@ -2019,7 +2038,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -1924,6 +1951,9 @@
+@@ -1925,6 +1952,9 @@
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2029,7 +2048,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -1941,6 +1971,7 @@
+@@ -1942,6 +1972,7 @@
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2037,7 +2056,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -1952,6 +1983,9 @@
+@@ -1953,6 +1984,9 @@
        OM_uint32 ret;
        u_int len;
 
@@ -2047,7 +2066,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -1978,7 +2012,11 @@
+@@ -1979,7 +2013,11 @@
 {
        int authenticated;
 
@@ -2060,7 +2079,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -1991,6 +2029,74 @@
+@@ -1992,6 +2030,74 @@
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2152,7 +2171,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1231,7 +1231,7 @@
+@@ -1232,7 +1232,7 @@
 }
 
 int
@@ -2161,7 +2180,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
        int authenticated = 0;
-@@ -1248,6 +1248,51 @@
+@@ -1249,6 +1249,51 @@
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
@@ -2233,15 +2252,16 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -127,6 +127,7 @@
+@@ -129,6 +129,8 @@
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +       oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+       oGssServerIdentity, 
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -166,10 +167,18 @@
+@@ -169,10 +171,19 @@
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2249,6 +2269,7 @@ Index: b/readconf.c
        { "gssapidelegatecredentials", oGssDelegateCreds },
 +       { "gssapitrustdns", oGssTrustDns },
 +       { "gssapiclientidentity", oGssClientIdentity },
+       { "gssapiserveridentity", oGssServerIdentity },
 +       { "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
        { "gssapiauthentication", oUnsupported },
@@ -2260,7 +2281,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -474,10 +483,26 @@
+@@ -479,10 +490,30 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2280,6 +2301,10 @@ Index: b/readconf.c
 +               charptr = &options->gss_client_identity;
 +               goto parse_string;
 +
+       case oGssServerIdentity:
+               charptr = &options->gss_server_identity;
+               goto parse_string;
+
 +       case oGssRenewalRekey:
 +               intptr = &options->gss_renewal_rekey;
 +               goto parse_flag;
@@ -2287,7 +2312,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1058,7 +1083,11 @@
+@@ -1092,7 +1123,12 @@
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2296,10 +2321,11 @@ Index: b/readconf.c
 +       options->gss_trust_dns = -1;
 +       options->gss_renewal_rekey = -1;
 +       options->gss_client_identity = NULL;
+       options->gss_server_identity = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1156,8 +1185,14 @@
+@@ -1193,8 +1229,14 @@
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2318,7 +2344,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -46,7 +46,11 @@
+@@ -46,7 +46,12 @@
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
        int     gss_authentication;     /* Try GSS authentication */
@@ -2327,6 +2353,7 @@ Index: b/readconf.h
 +       int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
 +       int     gss_renewal_rekey;      /* Credential renewal forces rekey */
 +       char    *gss_client_identity;   /* Principal to initiate GSSAPI with */
+       char    *gss_server_identity;   /* GSSAPI target principal */
        int     password_authentication;        /* Try password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
@@ -2334,7 +2361,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -93,7 +93,10 @@
+@@ -97,7 +97,10 @@
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2345,7 +2372,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -215,8 +218,14 @@
+@@ -226,8 +229,14 @@
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2360,7 +2387,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -307,7 +316,9 @@
+@@ -322,7 +331,9 @@
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,23 +2398,28 @@ Index: b/servconf.c
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -370,9 +381,15 @@
+@@ -386,10 +397,20 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
 +       { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 +       { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 +       { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -926,10 +943,22 @@
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -944,10 +965,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2410,11 +2442,22 @@ Index: b/servconf.c
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
+@@ -1704,7 +1737,10 @@
+ #endif
+ #ifdef GSSAPI
+        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+       dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ #endif
+ #ifdef JPAKE
+        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
 Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -94,7 +94,10 @@
+@@ -97,7 +97,10 @@
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2543,7 +2586,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -509,11 +509,38 @@
+@@ -508,11 +508,43 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@@ -2557,6 +2600,11 @@ Index: b/ssh_config.5
 +If set, specifies the GSSAPI client identity that ssh should use when 
 +connecting to the server. The default is unset, which means that the default 
 +identity will be used.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when 
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
@@ -2587,7 +2635,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -106,9 +106,34 @@
+@@ -159,9 +159,34 @@
 {
        Kex *kex;
 
@@ -2622,9 +2670,9 @@ Index: b/sshconnect2.c
        if (options.ciphers == (char *)-1) {
                logit("No valid ciphers for protocol version 2 given, using defaults.");
                options.ciphers = NULL;
-@@ -136,6 +161,17 @@
+@@ -196,6 +221,17 @@
-                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+        if (options.kex_algorithms != NULL)
-                    options.hostkeyalgorithms;
+                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 
 +#ifdef GSSAPI
 +       /* If we've got GSSAPI algorithms, then we also support the
@@ -2640,10 +2688,10 @@ Index: b/sshconnect2.c
        if (options.rekey_limit)
                packet_set_rekey_limit((u_int32_t)options.rekey_limit);
 
-@@ -145,10 +181,26 @@
+@@ -206,10 +242,30 @@
-        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+        kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2660,14 +2708,18 @@ Index: b/sshconnect2.c
 +               kex->gss_deleg_creds = options.gss_deleg_creds;
 +               kex->gss_trust_dns = options.gss_trust_dns;
 +               kex->gss_client = options.gss_client_identity;
-+               kex->gss_host = gss_host;
+               if (options.gss_server_identity) {
+                       kex->gss_host = options.gss_server_identity;
+               } else {
+                       kex->gss_host = gss_host;
+        }
 +       }
 +#endif
 +
        xxx_kex = kex;
 
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -243,6 +295,7 @@
+@@ -304,6 +360,7 @@
 void   input_gssapi_hash(int type, u_int32_t, void *);
 void   input_gssapi_error(int, u_int32_t, void *);
 void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2675,7 +2727,7 @@ Index: b/sshconnect2.c
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -258,6 +311,11 @@
+@@ -319,6 +376,11 @@
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2687,13 +2739,15 @@ Index: b/sshconnect2.c
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -564,19 +622,29 @@
+@@ -625,19 +687,31 @@
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
 +       const char *gss_host;
 +
-+       if (options.gss_trust_dns)
+       if (options.gss_server_identity)
+               gss_host = options.gss_server_identity;
+       else if (options.gss_trust_dns)
 +               gss_host = get_canonical_hostname(1);
 +       else
 +               gss_host = authctxt->host;
@@ -2719,7 +2773,7 @@ Index: b/sshconnect2.c
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -673,8 +741,8 @@
+@@ -734,8 +808,8 @@
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2730,7 +2784,7 @@ Index: b/sshconnect2.c
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -784,6 +852,48 @@
+@@ -845,6 +919,48 @@
        xfree(msg);
        xfree(lang);
 }
@@ -2794,7 +2848,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1586,10 +1590,13 @@
+@@ -1590,10 +1594,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2808,7 +2862,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1918,6 +1925,60 @@
+@@ -1922,6 +1929,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2869,7 +2923,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2296,12 +2357,61 @@
+@@ -2303,6 +2364,48 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -2918,9 +2972,10 @@ Index: b/sshd.c
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
+@@ -2310,6 +2413,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 +#ifdef GSSAPI
 +       if (options.gss_keyex) {
 +               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2935,7 +2990,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -71,6 +71,8 @@
+@@ -72,6 +72,8 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
@@ -2948,7 +3003,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -424,12 +424,40 @@
+@@ -423,12 +423,40 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 9e1705719..89011cfb7 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -18,24 +18,24 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -134,6 +134,7 @@
+@@ -138,6 +138,7 @@
-        oHashKnownHosts,
        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+        oKexAlgorithms, oIPQoS,
 +       oProtocolKeepAlives, oSetupTimeOut,
        oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -251,6 +252,8 @@
+@@ -258,6 +259,8 @@
- #else
-        { "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
+        { "kexalgorithms", oKexAlgorithms },
+        { "ipqos", oIPQoS },
 +       { "protocolkeepalives", oProtocolKeepAlives },
 +       { "setuptimeout", oSetupTimeOut },
 
        { NULL, oBadOption }
 };
-@@ -865,6 +868,8 @@
+@@ -888,6 +891,8 @@
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1284,8 +1289,13 @@
+@@ -1336,8 +1341,13 @@
                options->rekey_limit = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -64,7 +64,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -128,8 +128,12 @@
+@@ -127,8 +127,12 @@
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -994,8 +998,15 @@
+@@ -1058,8 +1062,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1034,6 +1045,12 @@
+@@ -1098,6 +1109,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -985,6 +985,9 @@
+@@ -1034,6 +1034,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 955d38b50..f5ac00814 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -294,9 +294,9 @@
+@@ -297,9 +297,9 @@
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
        -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index de63e46f8..fc07e8861 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -148,9 +148,7 @@
+@@ -147,9 +147,7 @@
 .Pa ~/.ssh/id_dsa
 or
 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -394,9 +392,7 @@
+@@ -393,9 +391,7 @@
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -728,6 +728,10 @@
+@@ -726,6 +726,10 @@
 .Sx HISTORY
 section of
 .Xr ssl 8
@@ -68,14 +68,14 @@ Index: b/ssh.1
 +.nh
 +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
 +.hy
- contains a brief discussion of the two algorithms.
+ contains a brief discussion of the DSA and RSA algorithms.
 .Pp
 The file
 Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -70,7 +70,7 @@
+@@ -69,7 +69,7 @@
 .Nm
 listens for connections from clients.
 It is normally started at boot from
@@ -84,16 +84,16 @@ Index: b/sshd.8
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -845,7 +845,7 @@
+@@ -850,7 +850,7 @@
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
-.It /etc/moduli
+-.It Pa /etc/moduli
-+.It /etc/ssh/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -941,7 +941,6 @@
+@@ -948,7 +948,6 @@
 .Xr ssh-vulnkey 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -105,7 +105,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -222,8 +222,7 @@
+@@ -221,8 +221,7 @@
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 67e014002..ffd416d98 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -542,7 +542,7 @@
+@@ -556,7 +556,7 @@
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
            compat20 ? PROTOCOL_MINOR_2 : minor1,
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_5.6"
+ #define SSH_VERSION    "OpenSSH_5.7"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 3f06225ad..239c1b599 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -11,7 +11,7 @@ Index: b/scp.c
 ===================================================================
 --- a/scp.c
 +++ b/scp.c
-@@ -182,8 +182,16 @@
+@@ -189,8 +189,16 @@
 
        if (verbose_mode) {
                fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 8a7e7c687..74cd06201 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -33,7 +33,7 @@ Index: b/auth1.c
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(SSH_CMSG_USER);
 @@ -392,11 +392,17 @@
-        user = packet_get_string(&ulen);
+        user = packet_get_cstring(&ulen);
        packet_check_eom();
 
 +       if ((role = strchr(user, '/')) != NULL)
@@ -173,7 +173,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -279,10 +279,10 @@
+@@ -280,10 +280,10 @@
        return (banner);
 }
 
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
 
-@@ -291,12 +291,30 @@
+@@ -292,11 +292,29 @@
        buffer_init(&m);
        buffer_put_cstring(&m, service);
        buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
 
        buffer_free(&m);
 }
- 
+
 +/* Inform the privileged process about role */
 +
 +void
@@ -213,10 +213,9 @@ Index: b/monitor_wrap.c
 +
 +       buffer_free(&m);
 +}
-+
+ 
 /* Do the password authentication */
 int
- mm_auth_password(Authctxt *authctxt, char *password)
 Index: b/monitor_wrap.h
 ===================================================================
 --- a/monitor_wrap.h
diff --git a/debian/patches/series b/debian/patches/series
index f3c6a87e0..751a9868c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,6 @@
 # GSSAPI
 gssapi.patch
 gssapi-autoconf.patch
-gssapi-compat.patch
-gssapi-dump.patch
 # SELinux
 selinux-role.patch
@@ -41,4 +39,3 @@ doc-hash-tab-completion.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
 debian-config.patch
-ssh-sigchld.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index ddae43a45..5100d8ec7 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -10,18 +10,18 @@ Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -141,7 +141,7 @@
+@@ -144,7 +144,7 @@
- 
                /* Execute the proxy command.  Note that we gave up any
                   extra privileges above. */
+                signal(SIGPIPE, SIG_DFL);
 -               execv(argv[0], argv);
 +               execvp(argv[0], argv);
                perror(argv[0]);
                exit(1);
        }
-@@ -1243,7 +1243,7 @@
+@@ -1274,7 +1274,7 @@
-        pid = fork();
        if (pid == 0) {
+                signal(SIGPIPE, SIG_DFL);
                debug3("Executing %s -c \"%s\"", shell, args);
 -               execl(shell, shell, "-c", args, (char *)NULL);
 +               execlp(shell, shell, "-c", args, (char *)NULL);
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 4a651bfa1..43d9d4d44 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1396,6 +1396,7 @@
+@@ -1406,6 +1406,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-sigchld.patch b/debian/patches/ssh-sigchld.patch
deleted file mode 100644
index 21d286b21..000000000
--- a/debian/patches/ssh-sigchld.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Description: Install a SIGCHLD handler to reap expired child processes
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6166
-Bug-Debian: http://bugs.debian.org/594687
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1812
-Forwarded: not-needed
-Last-Update: 2010-10-26
-Index: b/ssh.c
-===================================================================
--- a/ssh.c
-+++ b/ssh.c
-@@ -50,6 +50,7 @@
- #include <sys/ioctl.h>
- #include <sys/param.h>
- #include <sys/socket.h>
-+#include <sys/wait.h>
- 
- #include <ctype.h>
- #include <errno.h>
-@@ -210,6 +211,7 @@
- static int ssh_session(void);
- static int ssh_session2(void);
- static void load_public_identity_files(void);
-+static void main_sigchld_handler(int);
- 
- /* from muxclient.c */
- void muxclient(const char *);
-@@ -849,6 +851,7 @@
-            tilde_expand_filename(options.user_hostfile2, original_real_uid);
- 
-        signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
-+       signal(SIGCHLD, main_sigchld_handler);
- 
-        /* Log into the remote system.  Never returns if the login fails. */
-        ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
-@@ -1532,3 +1535,19 @@
-        bzero(pwdir, strlen(pwdir));
-        xfree(pwdir);
- }
-+
-+static void
-+main_sigchld_handler(int sig)
-+{
-+       int save_errno = errno;
-+       pid_t pid;
-+       int status;
-+
-+       while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
-+           (pid < 0 && errno == EINTR))
-+               ;
-+
-+       signal(sig, main_sigchld_handler);
-+       errno = save_errno;
-+}
-+
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 81c225a7f..444aef251 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -32,7 +32,7 @@ Index: b/Makefile.in
 
 CC=@CC@
 LD=@LD@
-@@ -62,7 +64,7 @@
+@@ -63,7 +65,7 @@
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 
@@ -41,8 +41,8 @@ Index: b/Makefile.in
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
        canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -93,8 +95,8 @@
+@@ -95,8 +97,8 @@
-        audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o
 
 -MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
@@ -52,7 +52,7 @@ Index: b/Makefile.in
 MANTYPE                = @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -174,6 +176,9 @@
+@@ -177,6 +179,9 @@
 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
        $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
@@ -62,7 +62,7 @@ Index: b/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -268,6 +273,7 @@
+@@ -271,6 +276,7 @@
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -285,6 +291,7 @@
+@@ -288,6 +294,7 @@
        $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/slogin
        ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -366,6 +373,7 @@
+@@ -377,6 +384,7 @@
        -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -379,6 +387,7 @@
+@@ -390,6 +398,7 @@
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,15 +111,15 @@ Index: b/auth-rsa.c
 ===================================================================
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -94,7 +94,7 @@
+@@ -247,7 +247,7 @@
-        MD5_CTX md;
+                            file, linenum, BN_num_bits(key->rsa->n), bits);
-        int len;
 
-       if (auth_key_is_revoked(key))
+                /* Never accept a revoked key */
-+       if (auth_key_is_revoked(key, 0))
+-               if (auth_key_is_revoked(key))
-                return 0;
+               if (auth_key_is_revoked(key, 0))
+                        break;
 
-        /* don't allow short keys */
+                /* We have found the desired key. */
 Index: b/auth.c
 ===================================================================
 --- a/auth.c
@@ -132,7 +132,7 @@ Index: b/auth.c
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-@@ -615,10 +616,34 @@
+@@ -621,10 +622,34 @@
 
 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
@@ -223,7 +223,7 @@ Index: b/authfile.c
 
 /* Version identification string for SSH v1 identity files. */
 static const char authfile_id_string[] =
-@@ -814,3 +815,140 @@
+@@ -906,3 +907,140 @@
        return ret;
 }
 
@@ -390,7 +390,7 @@ Index: b/pathnames.h
 #ifndef _PATH_SSH_PIDDIR
 #define _PATH_SSH_PIDDIR               "/var/run"
 #endif
-@@ -43,6 +47,9 @@
+@@ -44,6 +48,9 @@
 /* Backwards compatibility */
 #define _PATH_DH_PRIMES                        SSHDIR "/primes"
 
@@ -404,7 +404,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -123,6 +123,7 @@
+@@ -125,6 +125,7 @@
        oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
        oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +412,7 @@ Index: b/readconf.c
        oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-@@ -154,6 +155,7 @@
+@@ -158,6 +159,7 @@
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
        { "rsaauthentication", oRSAAuthentication },
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -479,6 +481,10 @@
+@@ -486,6 +488,10 @@
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
 
@@ -431,7 +431,7 @@ Index: b/readconf.c
        case oGssAuthentication:
                intptr = &options->gss_authentication;
                goto parse_flag;
-@@ -1093,6 +1099,7 @@
+@@ -1134,6 +1140,7 @@
        options->kbd_interactive_devices = NULL;
        options->rhosts_rsa_authentication = -1;
        options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
        options->batch_mode = -1;
        options->check_host_ip = -1;
        options->strict_host_key_checking = -1;
-@@ -1201,6 +1208,8 @@
+@@ -1245,6 +1252,8 @@
                options->rhosts_rsa_authentication = 0;
        if (options->hostbased_authentication == -1)
                options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -56,6 +56,7 @@
+@@ -57,6 +57,7 @@
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
        char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
        int     zero_knowledge_password_authentication; /* Try jpake */
@@ -464,7 +464,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -100,6 +100,7 @@
+@@ -104,6 +104,7 @@
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -472,7 +472,7 @@ Index: b/servconf.c
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->use_login = -1;
-@@ -232,6 +233,8 @@
+@@ -243,6 +244,8 @@
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
-@@ -307,7 +310,7 @@
+@@ -322,7 +325,7 @@
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -416,6 +419,7 @@
+@@ -432,6 +435,7 @@
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1011,6 +1015,10 @@
+@@ -1029,6 +1033,10 @@
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
 
@@ -509,7 +509,7 @@ Index: b/servconf.c
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
-@@ -1708,6 +1716,7 @@
+@@ -1757,6 +1765,7 @@
        dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
        dump_cfg_fmtint(sStrictModes, o->strict_modes);
        dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +521,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -104,6 +104,7 @@
+@@ -107,6 +107,7 @@
        int     challenge_response_authentication;
        int     zero_knowledge_password_authentication;
                                        /* If true, permit jpake auth */
@@ -533,7 +533,7 @@ Index: b/ssh-add.1
 ===================================================================
 --- a/ssh-add.1
 +++ b/ssh-add.1
-@@ -82,6 +82,10 @@
+@@ -81,6 +81,10 @@
 .Nm
 to work.
 .Pp
@@ -544,7 +544,7 @@ Index: b/ssh-add.1
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl c
-@@ -182,6 +186,7 @@
+@@ -183,6 +187,7 @@
 .Xr ssh 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
@@ -556,7 +556,7 @@ Index: b/ssh-add.c
 ===================================================================
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -139,7 +139,7 @@
+@@ -142,7 +142,7 @@
 add_file(AuthenticationConnection *ac, const char *filename)
 {
        Key *private, *cert;
@@ -565,7 +565,7 @@ Index: b/ssh-add.c
        char msg[1024], *certpath;
        int fd, perms_ok, ret = -1;
 
-@@ -184,6 +184,14 @@
+@@ -187,6 +187,14 @@
                            "Bad passphrase, try again for %.200s: ", comment);
                }
        }
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -669,6 +669,7 @@
+@@ -659,6 +659,7 @@
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1392,6 +1392,7 @@
+@@ -1402,6 +1402,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1422,7 +1422,7 @@
+@@ -1448,7 +1448,7 @@
 static void
 load_public_identity_files(void)
 {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
        char *pwdir = NULL, *pwname = NULL;
        int i = 0;
        Key *public;
-@@ -1479,6 +1479,22 @@
+@@ -1505,6 +1505,22 @@
                public = key_load_public(filename, NULL);
                debug("identity file %s type %d", filename,
                    public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1082,6 +1082,23 @@
+@@ -1146,6 +1146,23 @@
 .Dq any .
 The default is
 .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1421,6 +1421,8 @@
+@@ -1488,6 +1488,8 @@
 
        /* list of keys stored in the filesystem */
        for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,7 +1321,7 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1514,7 +1516,7 @@
+@@ -1581,7 +1583,7 @@
                        debug("Offering %s public key: %s", key_type(id->key),
                            id->filename);
                        sent = send_pubkey_test(authctxt, id);
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -938,6 +938,7 @@
+@@ -945,6 +945,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1573,6 +1573,11 @@
+@@ -1576,6 +1576,11 @@
                        sensitive_data.host_keys[i] = NULL;
                        continue;
                }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -743,6 +743,20 @@
+@@ -792,6 +792,20 @@
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index dac1ca1cc..5f1caddc9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -12,11 +12,11 @@ Index: b/clientloop.c
 server_alive_check(void)
 {
 -       if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
-               logit("Timeout, server not responding.");
+-               logit("Timeout, server %s not responding.", host);
 -               cleanup_exit(255);
 +       if (compat20) {
 +               if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
-+                       logit("Timeout, server not responding.");
+                       logit("Timeout, server %s not responding.", host);
 +                       cleanup_exit(255);
 +               }
 +               packet_start(SSH2_MSG_GLOBAL_REQUEST);
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -983,7 +983,10 @@
+@@ -1047,7 +1047,10 @@
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3cb9fdc65..9b560217f 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -26,7 +26,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -642,7 +642,7 @@
+@@ -641,7 +641,7 @@
                tty_flag = 0;
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 69700e592..fe2d99be0 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -15,7 +15,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -28,6 +28,8 @@
+@@ -30,6 +30,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
@@ -24,7 +24,7 @@ Index: b/readconf.c
 
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -1045,8 +1047,7 @@
+@@ -1085,8 +1087,7 @@
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,20 +38,20 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1290,6 +1290,8 @@
+@@ -1293,6 +1293,8 @@
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
 +It may be group-writable provided that the group in question contains only
 +the user.
 .Pp
- .It ~/.ssh/environment
+ .It Pa ~/.ssh/environment
 Contains additional definitions for environment variables; see
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1235,6 +1235,8 @@
+@@ -1299,6 +1299,8 @@
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -393,8 +393,7 @@
+@@ -392,8 +392,7 @@
                user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                if (options.strict_modes &&
                    (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
-@@ -448,8 +447,7 @@
+@@ -454,8 +453,7 @@
 
        /* check the open file to avoid races */
        if (fstat(fileno(f), &st) < 0 ||
@@ -84,7 +84,7 @@ Index: b/auth.c
                snprintf(err, errlen, "bad ownership or modes for file %s",
                    buf);
                return -1;
-@@ -465,8 +463,7 @@
+@@ -471,8 +469,7 @@
 
                debug3("secure_filename: checking '%s'", buf);
                if (stat(buf, &st) < 0 ||
@@ -98,7 +98,7 @@ Index: b/misc.c
 ===================================================================
 --- a/misc.c
 +++ b/misc.c
-@@ -45,8 +45,9 @@
+@@ -48,8 +48,9 @@
 #include <netdb.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
@@ -109,7 +109,7 @@ Index: b/misc.c
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
-@@ -639,6 +640,55 @@
+@@ -642,6 +643,55 @@
 }
 
 int
@@ -169,7 +169,7 @@ Index: b/misc.h
 ===================================================================
 --- a/misc.h
 +++ b/misc.h
-@@ -92,4 +92,6 @@
+@@ -102,4 +102,6 @@
 int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);