Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-log-verbosity.patch8
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch4
-rw-r--r--debian/patches/consolekit.patch55
-rw-r--r--debian/patches/copy-id-restorecon.patch19
-rw-r--r--debian/patches/debian-banner.patch31
-rw-r--r--debian/patches/debian-config.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/gssapi.patch123
-rw-r--r--debian/patches/keepalive-extensions.patch8
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch4
-rw-r--r--debian/patches/max-startups-default.patch57
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch6
-rw-r--r--debian/patches/openbsd-docs.patch12
-rw-r--r--debian/patches/package-versioning.patch28
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/selinux-role.patch56
-rw-r--r--debian/patches/series2
-rw-r--r--debian/patches/shell-path.patch4
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-vulnkey.patch74
-rw-r--r--debian/patches/ssh1-keepalive.patch4
-rw-r--r--debian/patches/user-group-modes.patch28
22 files changed, 235 insertions, 304 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index bc2602306..206967bc9 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug-Debian: http://bugs.debian.org/630606 3Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no 4Forwarded: no
5Last-Update: 2011-07-28 5Last-Update: 2013-05-07
6 6
7Index: b/auth-options.c 7Index: b/auth-options.c
8=================================================================== 8===================================================================
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
96=================================================================== 96===================================================================
97--- a/auth2-pubkey.c 97--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c 98+++ b/auth2-pubkey.c
99@@ -211,6 +211,7 @@ 99@@ -217,6 +217,7 @@
100 restore_uid(); 100 restore_uid();
101 return 0; 101 return 0;
102 } 102 }
@@ -104,7 +104,7 @@ Index: b/auth2-pubkey.c
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */ 105 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -281,6 +282,8 @@ 107@@ -278,6 +279,8 @@
108 found_key = 0; 108 found_key = 0;
109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); 109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
110 110
@@ -113,7 +113,7 @@ Index: b/auth2-pubkey.c
113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
114 char *cp, *key_options = NULL; 114 char *cp, *key_options = NULL;
115 115
116@@ -417,6 +420,7 @@ 116@@ -412,6 +415,7 @@
117 if (key_cert_check_authority(key, 0, 1, 117 if (key_cert_check_authority(key, 0, 1,
118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
119 goto fail_reason; 119 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6ffc716ee..c6a4b64c6 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
2Author: Tomas Pospisek <tpo_deb@sourcepole.ch> 2Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
4Bug-Debian: http://bugs.debian.org/441817 4Bug-Debian: http://bugs.debian.org/441817
5Last-Update: 2010-03-01 5Last-Update: 2013-05-07
6 6
7Index: b/Makefile.in 7Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -277,6 +277,7 @@ 11@@ -286,6 +286,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index a952e4405..d67123a1e 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,13 +1,13 @@
1Description: Add support for registering ConsoleKit sessions on login 1Description: Add support for registering ConsoleKit sessions on login
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
4Last-Updated: 2012-10-31 4Last-Updated: 2013-05-07
5 5
6Index: b/Makefile.in 6Index: b/Makefile.in
7=================================================================== 7===================================================================
8--- a/Makefile.in 8--- a/Makefile.in
9+++ b/Makefile.in 9+++ b/Makefile.in
10@@ -94,7 +94,8 @@ 10@@ -96,7 +96,8 @@
11 sftp-server.o sftp-common.o \ 11 sftp-server.o sftp-common.o \
12 roaming_common.o roaming_serv.o \ 12 roaming_common.o roaming_serv.o \
13 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 13 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -21,9 +21,9 @@ Index: b/configure.ac
21=================================================================== 21===================================================================
22--- a/configure.ac 22--- a/configure.ac
23+++ b/configure.ac 23+++ b/configure.ac
24@@ -3672,6 +3672,30 @@ 24@@ -3801,6 +3801,30 @@
25 ] 25 AC_SUBST([GSSLIBS])
26 ) 26 AC_SUBST([K5LIBS])
27 27
28+# Check whether user wants ConsoleKit support 28+# Check whether user wants ConsoleKit support
29+CONSOLEKIT_MSG="no" 29+CONSOLEKIT_MSG="no"
@@ -52,7 +52,7 @@ Index: b/configure.ac
52 # Looking for programs, paths and files 52 # Looking for programs, paths and files
53 53
54 PRIVSEP_PATH=/var/empty 54 PRIVSEP_PATH=/var/empty
55@@ -4435,6 +4459,7 @@ 55@@ -4600,6 +4624,7 @@
56 echo " libedit support: $LIBEDIT_MSG" 56 echo " libedit support: $LIBEDIT_MSG"
57 echo " Solaris process contract support: $SPC_MSG" 57 echo " Solaris process contract support: $SPC_MSG"
58 echo " Solaris project support: $SP_MSG" 58 echo " Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
64=================================================================== 64===================================================================
65--- a/configure 65--- a/configure
66+++ b/configure 66+++ b/configure
67@@ -735,6 +735,7 @@ 67@@ -737,6 +737,7 @@
68 with_sandbox 68 with_sandbox
69 with_selinux 69 with_selinux
70 with_kerberos5 70 with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
72 with_privsep_path 72 with_privsep_path
73 with_xauth 73 with_xauth
74 enable_strip 74 enable_strip
75@@ -1425,6 +1426,7 @@ 75@@ -1427,6 +1428,7 @@
76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) 76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
77 --with-selinux Enable SELinux support 77 --with-selinux Enable SELinux support
78 --with-kerberos5=PATH Enable Kerberos 5 support 78 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -80,8 +80,8 @@ Index: b/configure
80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
81 --with-xauth=PATH Specify path to xauth program 81 --with-xauth=PATH Specify path to xauth program
82 --with-maildir=/path/to/mail Specify your system mail directory 82 --with-maildir=/path/to/mail Specify your system mail directory
83@@ -15683,6 +15685,135 @@ 83@@ -16002,6 +16004,135 @@
84 fi 84
85 85
86 86
87+# Check whether user wants ConsoleKit support 87+# Check whether user wants ConsoleKit support
@@ -216,7 +216,7 @@ Index: b/configure
216 # Looking for programs, paths and files 216 # Looking for programs, paths and files
217 217
218 PRIVSEP_PATH=/var/empty 218 PRIVSEP_PATH=/var/empty
219@@ -18155,6 +18286,7 @@ 219@@ -18527,6 +18658,7 @@
220 echo " libedit support: $LIBEDIT_MSG" 220 echo " libedit support: $LIBEDIT_MSG"
221 echo " Solaris process contract support: $SPC_MSG" 221 echo " Solaris process contract support: $SPC_MSG"
222 echo " Solaris project support: $SP_MSG" 222 echo " Solaris project support: $SP_MSG"
@@ -522,7 +522,7 @@ Index: b/monitor.c
522 static Authctxt *authctxt; 522 static Authctxt *authctxt;
523 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 523 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
524 524
525@@ -283,6 +290,9 @@ 525@@ -284,6 +291,9 @@
526 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 526 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
527 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 527 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
528 #endif 528 #endif
@@ -532,7 +532,7 @@ Index: b/monitor.c
532 {0, 0, NULL} 532 {0, 0, NULL}
533 }; 533 };
534 534
535@@ -325,6 +335,9 @@ 535@@ -326,6 +336,9 @@
536 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 536 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
537 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 537 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
538 #endif 538 #endif
@@ -542,7 +542,7 @@ Index: b/monitor.c
542 {0, 0, NULL} 542 {0, 0, NULL}
543 }; 543 };
544 544
545@@ -495,6 +508,9 @@ 545@@ -514,6 +527,9 @@
546 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 546 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
547 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 547 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
548 } 548 }
@@ -552,7 +552,7 @@ Index: b/monitor.c
552 552
553 for (;;) 553 for (;;)
554 monitor_read(pmonitor, mon_dispatch, NULL); 554 monitor_read(pmonitor, mon_dispatch, NULL);
555@@ -2196,6 +2212,34 @@ 555@@ -2232,6 +2248,34 @@
556 buffer_put_int(m, major); 556 buffer_put_int(m, major);
557 buffer_put_string(m, hash.value, hash.length); 557 buffer_put_string(m, hash.value, hash.length);
558 558
@@ -591,19 +591,20 @@ Index: b/monitor.h
591=================================================================== 591===================================================================
592--- a/monitor.h 592--- a/monitor.h
593+++ b/monitor.h 593+++ b/monitor.h
594@@ -62,6 +62,7 @@ 594@@ -75,6 +75,8 @@
595 MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, 595
596 MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, 596 MONITOR_REQ_AUTHROLE = 300,
597 MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, 597
598+ MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER, 598+ MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401,
599 MONITOR_REQ_TERM, 599+
600 MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, 600 };
601 MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, 601
602 struct mm_master;
602Index: b/monitor_wrap.c 603Index: b/monitor_wrap.c
603=================================================================== 604===================================================================
604--- a/monitor_wrap.c 605--- a/monitor_wrap.c
605+++ b/monitor_wrap.c 606+++ b/monitor_wrap.c
606@@ -1310,6 +1310,37 @@ 607@@ -1311,6 +1311,37 @@
607 mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) 608 mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
608 { 609 {
609 Buffer m; 610 Buffer m;
@@ -666,7 +667,7 @@ Index: b/session.c
666 667
667 #if defined(KRB5) && defined(USE_AFS) 668 #if defined(KRB5) && defined(USE_AFS)
668 #include <kafs.h> 669 #include <kafs.h>
669@@ -1129,6 +1130,9 @@ 670@@ -1132,6 +1133,9 @@
670 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 671 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
671 char *path = NULL; 672 char *path = NULL;
672 #endif 673 #endif
@@ -676,7 +677,7 @@ Index: b/session.c
676 677
677 /* Initialize the environment. */ 678 /* Initialize the environment. */
678 envsize = 100; 679 envsize = 100;
679@@ -1273,6 +1277,11 @@ 680@@ -1276,6 +1280,11 @@
680 child_set_env(&env, &envsize, "KRB5CCNAME", 681 child_set_env(&env, &envsize, "KRB5CCNAME",
681 s->authctxt->krb5_ccname); 682 s->authctxt->krb5_ccname);
682 #endif 683 #endif
@@ -688,7 +689,7 @@ Index: b/session.c
688 #ifdef USE_PAM 689 #ifdef USE_PAM
689 /* 690 /*
690 * Pull in any environment variables that may have 691 * Pull in any environment variables that may have
691@@ -2300,6 +2309,10 @@ 692@@ -2308,6 +2317,10 @@
692 693
693 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 694 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
694 695
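Review bot: The refreshed monitor.h hunk pins `MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401` to follow upstream's move to explicit request numbers, but neither the added line nor the patch header records why 400 was chosen or that the neighbouring blocks are already taken — `MONITOR_REQ_AUTHROLE = 300` sits in this hunk's context (presumably from selinux-role.patch) and gssapi.patch in the same commit claims `MONITOR_REQ_GSSSIGN = 200` through `MONITOR_ANS_GSSUPCREDS = 203`, while upstream's own identifiers run in the 100 series (`MONITOR_REQ_AUDIT_COMMAND = 113`). These enumerators are the request identifiers the unprivileged sshd process sends to the privilege-separation monitor, so a future patch that reuses a number would most likely have its request matched by the wrong `mon_dispatch` entry and its `MON_*` permission flags, and C does not diagnose duplicate enumerator values. Suggest a comment on the added enumerator, `/* Debian patches reserve disjoint blocks: 200s gssapi, 300s selinux-role, 400s consolekit */`, and a matching sentence in the patch Description so the next refresh keeps the split intact. The enum body continues outside this hunk, and the dispatch-table entries the patch adds to monitor.c are not visible in this diff.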
diff --git a/debian/patches/copy-id-restorecon.patch b/debian/patches/copy-id-restorecon.patch
deleted file mode 100644
index d26680c4a..000000000
--- a/debian/patches/copy-id-restorecon.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1Description: Call restorecon on copied ~/.ssh/authorized_keys if possible
2Author: Tomas Mraz <tmraz@fedoraproject.org>
3Bug-Debian: http://bugs.debian.org/658675
4Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=739989
5Last-Update: 2012-08-24
6
7Index: b/contrib/ssh-copy-id
8===================================================================
9--- a/contrib/ssh-copy-id
10+++ b/contrib/ssh-copy-id
11@@ -41,7 +41,7 @@
12 # strip any trailing colon
13 host=`echo $1 | sed 's/:$//'`
14
15-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
16+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
17
18 cat <<EOF
19 Now try logging into the machine, with "ssh '$host'", and check in:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 22b1e4c14..d96f2cc59 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
4Author: Kees Cook <kees@debian.org> 4Author: Kees Cook <kees@debian.org>
5Bug-Debian: http://bugs.debian.org/562048 5Bug-Debian: http://bugs.debian.org/562048
6Forwarded: not-needed 6Forwarded: not-needed
7Last-Update: 2012-09-07 7Last-Update: 2013-05-07
8 8
9Index: b/servconf.c 9Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -146,6 +146,7 @@ 13@@ -150,6 +150,7 @@
14 options->ip_qos_interactive = -1; 14 options->ip_qos_interactive = -1;
15 options->ip_qos_bulk = -1; 15 options->ip_qos_bulk = -1;
16 options->version_addendum = NULL; 16 options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18 } 18 }
19 19
20 void 20 void
21@@ -295,6 +296,8 @@ 21@@ -299,6 +300,8 @@
22 options->ip_qos_bulk = IPTOS_THROUGHPUT; 22 options->ip_qos_bulk = IPTOS_THROUGHPUT;
23 if (options->version_addendum == NULL) 23 if (options->version_addendum == NULL)
24 options->version_addendum = xstrdup(""); 24 options->version_addendum = xstrdup("");
@@ -27,23 +27,23 @@ Index: b/servconf.c
27 /* Turn privilege separation on by default */ 27 /* Turn privilege separation on by default */
28 if (use_privsep == -1) 28 if (use_privsep == -1)
29 use_privsep = PRIVSEP_NOSANDBOX; 29 use_privsep = PRIVSEP_NOSANDBOX;
30@@ -343,6 +346,7 @@ 30@@ -349,6 +352,7 @@
31 sZeroKnowledgePasswordAuthentication, sHostCertificate,
32 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
33 sKexAlgorithms, sIPQoS, sVersionAddendum, 31 sKexAlgorithms, sIPQoS, sVersionAddendum,
32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
33 sAuthenticationMethods,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -479,6 +483,7 @@ 38@@ -488,6 +492,7 @@
39 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
40 { "ipqos", sIPQoS, SSHCFG_ALL },
41 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1538,6 +1543,10 @@ 46@@ -1593,6 +1598,10 @@
47 } 47 }
48 return 0; 48 return 0;
49 49
@@ -58,10 +58,11 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -172,6 +172,7 @@ 61@@ -184,6 +184,8 @@
62 char *authorized_principals_file;
63 62
64 char *version_addendum; /* Appended to SSH banner */ 63 u_int num_auth_methods;
64 char *auth_methods[MAX_AUTH_METHODS];
65+
65+ int debian_banner; 66+ int debian_banner;
66 } ServerOptions; 67 } ServerOptions;
67 68
@@ -70,7 +71,7 @@ Index: b/sshd.c
70=================================================================== 71===================================================================
71--- a/sshd.c 72--- a/sshd.c
72+++ b/sshd.c 73+++ b/sshd.c
73@@ -425,7 +425,8 @@ 74@@ -434,7 +434,8 @@
74 } 75 }
75 76
76 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -84,7 +85,7 @@ Index: b/sshd_config.5
84=================================================================== 85===================================================================
85--- a/sshd_config.5 86--- a/sshd_config.5
86+++ b/sshd_config.5 87+++ b/sshd_config.5
87@@ -342,6 +342,11 @@ 88@@ -397,6 +397,11 @@
88 .Dq no . 89 .Dq no .
89 The default is 90 The default is
90 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 57ebbf540..77e807502 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,7 +18,7 @@ Description: Various Debian-specific configuration changes
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Author: Russ Allbery <rra@debian.org> 19Author: Russ Allbery <rra@debian.org>
20Forwarded: not-needed 20Forwarded: not-needed
21Last-Update: 2010-02-28 21Last-Update: 2013-05-07
22 22
23Index: b/readconf.c 23Index: b/readconf.c
24=================================================================== 24===================================================================
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -499,7 +515,8 @@ 87@@ -502,7 +518,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index cec6f6639..25201a7d4 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
4Bug-Debian: http://bugs.debian.org/430154 4Bug-Debian: http://bugs.debian.org/430154
5Last-Update: 2010-03-01 5Last-Update: 2013-05-07
6 6
7Index: b/ssh_config.5 7Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -585,6 +585,9 @@ 11@@ -588,6 +588,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 786500feb..7690e5824 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2012-09-07 16Last-Updated: 2013-05-07
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -137,15 +137,15 @@ Index: b/Makefile.in
137=================================================================== 137===================================================================
138--- a/Makefile.in 138--- a/Makefile.in
139+++ b/Makefile.in 139+++ b/Makefile.in
140@@ -70,6 +70,7 @@ 140@@ -72,6 +72,7 @@
141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
144+ kexgssc.o \ 144+ kexgssc.o \
145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ 145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
146 schnorr.o ssh-pkcs11.o 146 jpake.o schnorr.o ssh-pkcs11.o krl.o
147 147
148@@ -86,7 +87,7 @@ 148@@ -88,7 +89,7 @@
149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
151 auth-krb5.o \ 151 auth-krb5.o \
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
210--- a/auth2-gss.c 210--- a/auth2-gss.c
211+++ b/auth2-gss.c 211+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
213 /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
214 214
215 /* 215 /*
216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -280,7 +280,7 @@ Index: b/auth2-gss.c
280 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
281 281
282@@ -294,6 +330,12 @@ 282@@ -294,6 +330,12 @@
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 284 }
285 285
286+Authmethod method_gsskeyex = { 286+Authmethod method_gsskeyex = {
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1544,6 +1548,15 @@ 330@@ -1599,6 +1603,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1471,6 +1471,9 @@ 350@@ -1511,6 +1511,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1486,6 +1489,9 @@ 360@@ -1526,6 +1529,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -371,7 +371,7 @@ Index: b/configure
371=================================================================== 371===================================================================
372--- a/configure 372--- a/configure
373+++ b/configure 373+++ b/configure
374@@ -6608,6 +6608,63 @@ 374@@ -6588,6 +6588,63 @@
375 375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439=================================================================== 439===================================================================
440--- a/configure.ac 440--- a/configure.ac
441+++ b/configure.ac 441+++ b/configure.ac
442@@ -545,6 +545,30 @@ 442@@ -533,6 +533,30 @@
443 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
@@ -1277,7 +1277,7 @@ Index: b/kex.c
1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1278 # if defined(HAVE_EVP_SHA256) 1278 # if defined(HAVE_EVP_SHA256)
1279 # define evp_ssh_sha256 EVP_sha256 1279 # define evp_ssh_sha256 EVP_sha256
1280@@ -358,6 +362,20 @@ 1280@@ -369,6 +373,20 @@
1281 k->kex_type = KEX_ECDH_SHA2; 1281 k->kex_type = KEX_ECDH_SHA2;
1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name); 1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1283 #endif 1283 #endif
@@ -1312,7 +1312,7 @@ Index: b/kex.h
1312 KEX_MAX 1312 KEX_MAX
1313 }; 1313 };
1314 1314
1315@@ -129,6 +132,12 @@ 1315@@ -131,6 +134,12 @@
1316 sig_atomic_t done; 1316 sig_atomic_t done;
1317 int flags; 1317 int flags;
1318 const EVP_MD *evp_md; 1318 const EVP_MD *evp_md;
@@ -1325,7 +1325,7 @@ Index: b/kex.h
1325 char *client_version_string; 1325 char *client_version_string;
1326 char *server_version_string; 1326 char *server_version_string;
1327 int (*verify_host_key)(Key *); 1327 int (*verify_host_key)(Key *);
1328@@ -156,6 +165,11 @@ 1328@@ -158,6 +167,11 @@
1329 void kexecdh_client(Kex *); 1329 void kexecdh_client(Kex *);
1330 void kexecdh_server(Kex *); 1330 void kexecdh_server(Kex *);
1331 1331
@@ -2016,7 +2016,7 @@ Index: b/monitor.c
2016 #endif 2016 #endif
2017 2017
2018 #ifdef SSH_AUDIT_EVENTS 2018 #ifdef SSH_AUDIT_EVENTS
2019@@ -251,6 +253,7 @@ 2019@@ -252,6 +254,7 @@
2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2024,7 @@ Index: b/monitor.c
2024 #endif 2024 #endif
2025 #ifdef JPAKE 2025 #ifdef JPAKE
2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2027@@ -263,6 +266,12 @@ 2027@@ -264,6 +267,12 @@
2028 }; 2028 };
2029 2029
2030 struct mon_table mon_dispatch_postauth20[] = { 2030 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2037,7 @@ Index: b/monitor.c
2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2039 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2039 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2040@@ -371,6 +380,10 @@ 2040@@ -372,6 +381,10 @@
2041 /* Permit requests for moduli and signatures */ 2041 /* Permit requests for moduli and signatures */
2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2048,7 +2048,7 @@ Index: b/monitor.c
2048 } else { 2048 } else {
2049 mon_dispatch = mon_dispatch_proto15; 2049 mon_dispatch = mon_dispatch_proto15;
2050 2050
2051@@ -468,6 +481,10 @@ 2051@@ -487,6 +500,10 @@
2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
2059 } else { 2059 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2060 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1800,6 +1817,13 @@ 2062@@ -1836,6 +1853,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2073 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2074 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2075 kex->kex_type = buffer_get_int(m);
2076@@ -2006,6 +2030,9 @@ 2076@@ -2042,6 +2066,9 @@
2077 OM_uint32 major; 2077 OM_uint32 major;
2078 u_int len; 2078 u_int len;
2079 2079
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2083 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2084 goid.length = len;
2085 2085
2086@@ -2033,6 +2060,9 @@ 2086@@ -2069,6 +2096,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2087 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2088 u_int len;
2089 2089
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2093 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2094 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2050,6 +2080,7 @@ 2096@@ -2086,6 +2116,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
2101 } 2101 }
2102 return (0); 2102 return (0);
2103 } 2103 }
2104@@ -2061,6 +2092,9 @@ 2104@@ -2097,6 +2128,9 @@
2105 OM_uint32 ret; 2105 OM_uint32 ret;
2106 u_int len; 2106 u_int len;
2107 2107
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2111 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2112 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2113 mic.value = buffer_get_string(m, &len);
2114@@ -2087,7 +2121,11 @@ 2114@@ -2123,7 +2157,11 @@
2115 { 2115 {
2116 int authenticated; 2116 int authenticated;
2117 2117
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
2124 2124
2125 buffer_clear(m); 2125 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2126 buffer_put_int(m, authenticated);
2127@@ -2100,6 +2138,74 @@ 2127@@ -2136,6 +2174,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2128 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2129 return (authenticated);
2130 } 2130 }
@@ -2203,20 +2203,21 @@ Index: b/monitor.h
2203=================================================================== 2203===================================================================
2204--- a/monitor.h 2204--- a/monitor.h
2205+++ b/monitor.h 2205+++ b/monitor.h
2206@@ -53,6 +53,8 @@ 2206@@ -70,6 +70,9 @@
2207 MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, 2207 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
2208 MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 2208 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
2209 MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, 2209
2210+ MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, 2210+ MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
2211+ MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, 2211+ MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
2212 MONITOR_REQ_PAM_START, 2212+
2213 MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, 2213 };
2214 MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, 2214
2215 struct mm_master;
2215Index: b/monitor_wrap.c 2216Index: b/monitor_wrap.c
2216=================================================================== 2217===================================================================
2217--- a/monitor_wrap.c 2218--- a/monitor_wrap.c
2218+++ b/monitor_wrap.c 2219+++ b/monitor_wrap.c
2219@@ -1270,7 +1270,7 @@ 2220@@ -1271,7 +1271,7 @@
2220 } 2221 }
2221 2222
2222 int 2223 int
@@ -2225,7 +2226,7 @@ Index: b/monitor_wrap.c
2225 { 2226 {
2226 Buffer m; 2227 Buffer m;
2227 int authenticated = 0; 2228 int authenticated = 0;
2228@@ -1287,6 +1287,51 @@ 2229@@ -1288,6 +1288,51 @@
2229 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2230 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2230 return (authenticated); 2231 return (authenticated);
2231 } 2232 }
@@ -2406,7 +2407,7 @@ Index: b/servconf.c
2406=================================================================== 2407===================================================================
2407--- a/servconf.c 2408--- a/servconf.c
2408+++ b/servconf.c 2409+++ b/servconf.c
2409@@ -100,7 +100,10 @@ 2410@@ -102,7 +102,10 @@
2410 options->kerberos_ticket_cleanup = -1; 2411 options->kerberos_ticket_cleanup = -1;
2411 options->kerberos_get_afs_token = -1; 2412 options->kerberos_get_afs_token = -1;
2412 options->gss_authentication=-1; 2413 options->gss_authentication=-1;
@@ -2417,7 +2418,7 @@ Index: b/servconf.c
2417 options->password_authentication = -1; 2418 options->password_authentication = -1;
2418 options->kbd_interactive_authentication = -1; 2419 options->kbd_interactive_authentication = -1;
2419 options->challenge_response_authentication = -1; 2420 options->challenge_response_authentication = -1;
2420@@ -229,8 +232,14 @@ 2421@@ -233,8 +236,14 @@
2421 options->kerberos_get_afs_token = 0; 2422 options->kerberos_get_afs_token = 0;
2422 if (options->gss_authentication == -1) 2423 if (options->gss_authentication == -1)
2423 options->gss_authentication = 0; 2424 options->gss_authentication = 0;
@@ -2432,7 +2433,7 @@ Index: b/servconf.c
2432 if (options->password_authentication == -1) 2433 if (options->password_authentication == -1)
2433 options->password_authentication = 1; 2434 options->password_authentication = 1;
2434 if (options->kbd_interactive_authentication == -1) 2435 if (options->kbd_interactive_authentication == -1)
2435@@ -323,7 +332,9 @@ 2436@@ -327,7 +336,9 @@
2436 sBanner, sUseDNS, sHostbasedAuthentication, 2437 sBanner, sUseDNS, sHostbasedAuthentication,
2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2438 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2438 sClientAliveCountMax, sAuthorizedKeysFile, 2439 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2444,7 @@ Index: b/servconf.c
2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2444 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2444 sUsePrivilegeSeparation, sAllowAgentForwarding, 2445 sUsePrivilegeSeparation, sAllowAgentForwarding,
2445 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2446 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2446@@ -387,10 +398,20 @@ 2447@@ -393,10 +404,20 @@
2447 #ifdef GSSAPI 2448 #ifdef GSSAPI
2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2449 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2450 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2465,7 @@ Index: b/servconf.c
2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2465 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2466 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2467 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2467@@ -1031,10 +1052,22 @@ 2468@@ -1049,10 +1070,22 @@
2468 intptr = &options->gss_authentication; 2469 intptr = &options->gss_authentication;
2469 goto parse_flag; 2470 goto parse_flag;
2470 2471
@@ -2487,7 +2488,7 @@ Index: b/servconf.c
2487 case sPasswordAuthentication: 2488 case sPasswordAuthentication:
2488 intptr = &options->password_authentication; 2489 intptr = &options->password_authentication;
2489 goto parse_flag; 2490 goto parse_flag;
2490@@ -1868,7 +1901,10 @@ 2491@@ -1927,7 +1960,10 @@
2491 #endif 2492 #endif
2492 #ifdef GSSAPI 2493 #ifdef GSSAPI
2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2494 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2502,7 +2503,7 @@ Index: b/servconf.h
2502=================================================================== 2503===================================================================
2503--- a/servconf.h 2504--- a/servconf.h
2504+++ b/servconf.h 2505+++ b/servconf.h
2505@@ -103,7 +103,10 @@ 2506@@ -110,7 +110,10 @@
2506 int kerberos_get_afs_token; /* If true, try to get AFS token if 2507 int kerberos_get_afs_token; /* If true, try to get AFS token if
2507 * authenticated with Kerberos. */ 2508 * authenticated with Kerberos. */
2508 int gss_authentication; /* If true, permit GSSAPI authentication */ 2509 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2525,7 +2526,7 @@ Index: b/ssh-gss.h
2525 * 2526 *
2526 * Redistribution and use in source and binary forms, with or without 2527 * Redistribution and use in source and binary forms, with or without
2527 * modification, are permitted provided that the following conditions 2528 * modification, are permitted provided that the following conditions
2528@@ -60,10 +60,22 @@ 2529@@ -61,10 +61,22 @@
2529 2530
2530 #define SSH_GSS_OIDTYPE 0x06 2531 #define SSH_GSS_OIDTYPE 0x06
2531 2532
@@ -2548,7 +2549,7 @@ Index: b/ssh-gss.h
2548 void *data; 2549 void *data;
2549 } ssh_gssapi_ccache; 2550 } ssh_gssapi_ccache;
2550 2551
2551@@ -71,8 +83,11 @@ 2552@@ -72,8 +84,11 @@
2552 gss_buffer_desc displayname; 2553 gss_buffer_desc displayname;
2553 gss_buffer_desc exportedname; 2554 gss_buffer_desc exportedname;
2554 gss_cred_id_t creds; 2555 gss_cred_id_t creds;
@@ -2560,7 +2561,7 @@ Index: b/ssh-gss.h
2560 } ssh_gssapi_client; 2561 } ssh_gssapi_client;
2561 2562
2562 typedef struct ssh_gssapi_mech_struct { 2563 typedef struct ssh_gssapi_mech_struct {
2563@@ -83,6 +98,7 @@ 2564@@ -84,6 +99,7 @@
2564 int (*userok) (ssh_gssapi_client *, char *); 2565 int (*userok) (ssh_gssapi_client *, char *);
2565 int (*localname) (ssh_gssapi_client *, char **); 2566 int (*localname) (ssh_gssapi_client *, char **);
2566 void (*storecreds) (ssh_gssapi_client *); 2567 void (*storecreds) (ssh_gssapi_client *);
@@ -2568,7 +2569,7 @@ Index: b/ssh-gss.h
2568 } ssh_gssapi_mech; 2569 } ssh_gssapi_mech;
2569 2570
2570 typedef struct { 2571 typedef struct {
2571@@ -93,10 +109,11 @@ 2572@@ -94,10 +110,11 @@
2572 gss_OID oid; /* client */ 2573 gss_OID oid; /* client */
2573 gss_cred_id_t creds; /* server */ 2574 gss_cred_id_t creds; /* server */
2574 gss_name_t client; /* server */ 2575 gss_name_t client; /* server */
@@ -2581,7 +2582,7 @@ Index: b/ssh-gss.h
2581 2582
2582 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2583 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2583 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2584 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2584@@ -116,16 +133,30 @@ 2585@@ -117,16 +134,30 @@
2585 void ssh_gssapi_delete_ctx(Gssctxt **); 2586 void ssh_gssapi_delete_ctx(Gssctxt **);
2586 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2587 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2587 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2588 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2631,7 +2632,7 @@ Index: b/ssh_config.5
2631=================================================================== 2632===================================================================
2632--- a/ssh_config.5 2633--- a/ssh_config.5
2633+++ b/ssh_config.5 2634+++ b/ssh_config.5
2634@@ -527,11 +527,43 @@ 2635@@ -530,11 +530,43 @@
2635 The default is 2636 The default is
2636 .Dq no . 2637 .Dq no .
2637 Note that this option applies to protocol version 2 only. 2638 Note that this option applies to protocol version 2 only.
@@ -2764,7 +2765,7 @@ Index: b/sshconnect2.c
2764 xxx_kex = kex; 2765 xxx_kex = kex;
2765 2766
2766 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2767 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2767@@ -305,6 +361,7 @@ 2768@@ -306,6 +362,7 @@
2768 void input_gssapi_hash(int type, u_int32_t, void *); 2769 void input_gssapi_hash(int type, u_int32_t, void *);
2769 void input_gssapi_error(int, u_int32_t, void *); 2770 void input_gssapi_error(int, u_int32_t, void *);
2770 void input_gssapi_errtok(int, u_int32_t, void *); 2771 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2772,7 +2773,7 @@ Index: b/sshconnect2.c
2772 #endif 2773 #endif
2773 2774
2774 void userauth(Authctxt *, char *); 2775 void userauth(Authctxt *, char *);
2775@@ -320,6 +377,11 @@ 2776@@ -321,6 +378,11 @@
2776 2777
2777 Authmethod authmethods[] = { 2778 Authmethod authmethods[] = {
2778 #ifdef GSSAPI 2779 #ifdef GSSAPI
@@ -2784,7 +2785,7 @@ Index: b/sshconnect2.c
2784 {"gssapi-with-mic", 2785 {"gssapi-with-mic",
2785 userauth_gssapi, 2786 userauth_gssapi,
2786 NULL, 2787 NULL,
2787@@ -626,19 +688,31 @@ 2788@@ -627,19 +689,31 @@
2788 static u_int mech = 0; 2789 static u_int mech = 0;
2789 OM_uint32 min; 2790 OM_uint32 min;
2790 int ok = 0; 2791 int ok = 0;
@@ -2818,7 +2819,7 @@ Index: b/sshconnect2.c
2818 ok = 1; /* Mechanism works */ 2819 ok = 1; /* Mechanism works */
2819 } else { 2820 } else {
2820 mech++; 2821 mech++;
2821@@ -735,8 +809,8 @@ 2822@@ -736,8 +810,8 @@
2822 { 2823 {
2823 Authctxt *authctxt = ctxt; 2824 Authctxt *authctxt = ctxt;
2824 Gssctxt *gssctxt; 2825 Gssctxt *gssctxt;
@@ -2829,7 +2830,7 @@ Index: b/sshconnect2.c
2829 2830
2830 if (authctxt == NULL) 2831 if (authctxt == NULL)
2831 fatal("input_gssapi_response: no authentication context"); 2832 fatal("input_gssapi_response: no authentication context");
2832@@ -846,6 +920,48 @@ 2833@@ -847,6 +921,48 @@
2833 xfree(msg); 2834 xfree(msg);
2834 xfree(lang); 2835 xfree(lang);
2835 } 2836 }
@@ -2893,7 +2894,7 @@ Index: b/sshd.c
2893 #ifdef LIBWRAP 2894 #ifdef LIBWRAP
2894 #include <tcpd.h> 2895 #include <tcpd.h>
2895 #include <syslog.h> 2896 #include <syslog.h>
2896@@ -1607,10 +1611,13 @@ 2897@@ -1645,10 +1649,13 @@
2897 logit("Disabling protocol version 1. Could not load host key"); 2898 logit("Disabling protocol version 1. Could not load host key");
2898 options.protocol &= ~SSH_PROTO_1; 2899 options.protocol &= ~SSH_PROTO_1;
2899 } 2900 }
@@ -2907,7 +2908,7 @@ Index: b/sshd.c
2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2908 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2908 logit("sshd: no hostkeys available -- exiting."); 2909 logit("sshd: no hostkeys available -- exiting.");
2909 exit(1); 2910 exit(1);
2910@@ -1938,6 +1945,60 @@ 2911@@ -1976,6 +1983,60 @@
2911 /* Log the connection. */ 2912 /* Log the connection. */
2912 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2913 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2913 2914
@@ -2968,7 +2969,7 @@ Index: b/sshd.c
2968 /* 2969 /*
2969 * We don't want to listen forever unless the other side 2970 * We don't want to listen forever unless the other side
2970 * successfully authenticates itself. So we set up an alarm which is 2971 * successfully authenticates itself. So we set up an alarm which is
2971@@ -2319,6 +2380,48 @@ 2972@@ -2357,6 +2418,48 @@
2972 2973
2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2974 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2974 2975
@@ -3017,7 +3018,7 @@ Index: b/sshd.c
3017 /* start key exchange */ 3018 /* start key exchange */
3018 kex = kex_setup(myproposal); 3019 kex = kex_setup(myproposal);
3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3020 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3020@@ -2326,6 +2429,13 @@ 3021@@ -2364,6 +2467,13 @@
3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3022 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3023 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3024 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3036,7 @@ Index: b/sshd_config
3035=================================================================== 3036===================================================================
3036--- a/sshd_config 3037--- a/sshd_config
3037+++ b/sshd_config 3038+++ b/sshd_config
3038@@ -77,6 +77,8 @@ 3039@@ -80,6 +80,8 @@
3039 # GSSAPI options 3040 # GSSAPI options
3040 #GSSAPIAuthentication no 3041 #GSSAPIAuthentication no
3041 #GSSAPICleanupCredentials yes 3042 #GSSAPICleanupCredentials yes
@@ -3048,7 +3049,7 @@ Index: b/sshd_config.5
3048=================================================================== 3049===================================================================
3049--- a/sshd_config.5 3050--- a/sshd_config.5
3050+++ b/sshd_config.5 3051+++ b/sshd_config.5
3051@@ -426,12 +426,40 @@ 3052@@ -481,12 +481,40 @@
3052 The default is 3053 The default is
3053 .Dq no . 3054 .Dq no .
3054 Note that this option applies to protocol version 2 only. 3055 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 0937a49e6..028bd62e5 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,7 +12,7 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
12Author: Ian Jackson <ian@chiark.greenend.org.uk> 12Author: Ian Jackson <ian@chiark.greenend.org.uk>
13Author: Matthew Vernon <matthew@debian.org> 13Author: Matthew Vernon <matthew@debian.org>
14Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
15Last-Update: 2010-02-27 15Last-Update: 2013-05-07
16 16
17Index: b/readconf.c 17Index: b/readconf.c
18=================================================================== 18===================================================================
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -1099,8 +1103,15 @@ 81@@ -1113,8 +1117,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1139,6 +1150,12 @@ 98@@ -1153,6 +1164,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -1048,6 +1048,9 @@ 115@@ -1122,6 +1122,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index ae32969ea..8afabfaba 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
3 either way and opted to keep the status quo. We need this patch anyway. 3 either way and opted to keep the status quo. We need this patch anyway.
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
6Last-Update: 2010-04-10 6Last-Update: 2013-05-07
7 7
8Index: b/Makefile.in 8Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -284,9 +284,9 @@ 12@@ -293,9 +293,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
deleted file mode 100644
index 87e690bd1..000000000
--- a/debian/patches/max-startups-default.patch
+++ /dev/null
@@ -1,57 +0,0 @@
1Description: Change default of MaxStartups to 10:30:100
2 This causes sshd to start doing random early drop at 10 connections up to
3 100 connections. This will make it harder to DoS as CPUs have come a long
4 way since the original value was set back in 2000.
5Author: Darren Tucker
6Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
7Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
8Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
9Bug-Debian: http://bugs.debian.org/700102
10Forwarded: not-needed
11Last-Update: 2013-02-08
12
13Index: b/servconf.c
14===================================================================
15--- a/servconf.c
16+++ b/servconf.c
17@@ -264,11 +264,11 @@
18 if (options->gateway_ports == -1)
19 options->gateway_ports = 0;
20 if (options->max_startups == -1)
21- options->max_startups = 10;
22+ options->max_startups = 100;
23 if (options->max_startups_rate == -1)
24- options->max_startups_rate = 100; /* 100% */
25+ options->max_startups_rate = 30; /* 30% */
26 if (options->max_startups_begin == -1)
27- options->max_startups_begin = options->max_startups;
28+ options->max_startups_begin = 10;
29 if (options->max_authtries == -1)
30 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
31 if (options->max_sessions == -1)
32Index: b/sshd_config
33===================================================================
34--- a/sshd_config
35+++ b/sshd_config
36@@ -108,7 +108,7 @@
37 #ClientAliveCountMax 3
38 #UseDNS yes
39 #PidFile /var/run/sshd.pid
40-#MaxStartups 10
41+#MaxStartups 10:30:100
42 #PermitTunnel no
43 #ChrootDirectory none
44 #VersionAddendum none
45Index: b/sshd_config.5
46===================================================================
47--- a/sshd_config.5
48+++ b/sshd_config.5
49@@ -781,7 +781,7 @@
50 Additional connections will be dropped until authentication succeeds or the
51 .Cm LoginGraceTime
52 expires for a connection.
53-The default is 10.
54+The default is 10:30:100.
55 .Pp
56 Alternatively, random early drop can be enabled by specifying
57 the three colon separated values
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 42b32638c..fa7c725b4 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
2Author: Scott Moser <smoser@ubuntu.com> 2Author: Scott Moser <smoser@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
5Last-Update: 2010-12-14 5Last-Update: 2013-05-07
6 6
7Index: b/sshconnect.c 7Index: b/sshconnect.c
8=================================================================== 8===================================================================
9--- a/sshconnect.c 9--- a/sshconnect.c
10+++ b/sshconnect.c 10+++ b/sshconnect.c
11@@ -956,9 +956,12 @@ 11@@ -975,9 +975,12 @@
12 error("%s. This could either mean that", key_msg); 12 error("%s. This could either mean that", key_msg);
13 error("DNS SPOOFING is happening or the IP address for the host"); 13 error("DNS SPOOFING is happening or the IP address for the host");
14 error("and its host key have changed at the same time."); 14 error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
22 } 22 }
23 /* The host key has changed. */ 23 /* The host key has changed. */
24 warn_changed_key(host_key); 24 warn_changed_key(host_key);
25@@ -966,6 +969,8 @@ 25@@ -985,6 +988,8 @@
26 user_hostfiles[0]); 26 user_hostfiles[0]);
27 error("Offending %s key in %s:%lu", key_type(host_found->key), 27 error("Offending %s key in %s:%lu", key_type(host_found->key),
28 host_found->file, host_found->line); 28 host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index fe8ebe757..48c3ff598 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
6 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 6 https://bugs.launchpad.net/bugs/456660 (ssl(8))
7Author: Colin Watson <cjwatson@debian.org> 7Author: Colin Watson <cjwatson@debian.org>
8Forwarded: not-needed 8Forwarded: not-needed
9Last-Update: 2010-02-28 9Last-Update: 2013-05-07
10 10
11Index: b/moduli.5 11Index: b/moduli.5
12=================================================================== 12===================================================================
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
34=================================================================== 34===================================================================
35--- a/ssh-keygen.1 35--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 36+++ b/ssh-keygen.1
37@@ -152,9 +152,7 @@ 37@@ -171,9 +171,7 @@
38 .Pa ~/.ssh/id_dsa 38 .Pa ~/.ssh/id_dsa
39 or 39 or
40 .Pa ~/.ssh/id_rsa . 40 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
45 .Pp 45 .Pp
46 Normally this program generates the key and asks for a file in which 46 Normally this program generates the key and asks for a file in which
47 to store the private key. 47 to store the private key.
48@@ -200,9 +198,7 @@ 48@@ -219,9 +217,7 @@
49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
50 do not exist, generate the host keys with the default key file path, 50 do not exist, generate the host keys with the default key file path,
51 an empty passphrase, default bits for the key type, and default comment. 51 an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
56 .It Fl a Ar trials 56 .It Fl a Ar trials
57 Specifies the number of primality tests to perform when screening DH-GEX 57 Specifies the number of primality tests to perform when screening DH-GEX
58 candidates using the 58 candidates using the
59@@ -556,7 +552,7 @@ 59@@ -606,7 +602,7 @@
60 Valid generator values are 2, 3, and 5. 60 Valid generator values are 2, 3, and 5.
61 .Pp 61 .Pp
62 Screened DH groups may be installed in 62 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
65 It is important that this file contains moduli of a range of bit lengths and 65 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli. 66 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES 67 .Sh CERTIFICATES
68@@ -682,7 +678,7 @@ 68@@ -801,7 +797,7 @@
69 where the user wishes to log in using public key authentication. 69 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret. 70 There is no need to keep the contents of this file secret.
71 .Pp 71 .Pp
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
123=================================================================== 123===================================================================
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -224,8 +224,7 @@ 126@@ -276,8 +276,7 @@
127 By default, no banner is displayed. 127 By default, no banner is displayed.
128 .It Cm ChallengeResponseAuthentication 128 .It Cm ChallengeResponseAuthentication
129 Specifies whether challenge-response authentication is allowed (e.g. via 129 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b396cb116..c337ad671 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,26 +5,30 @@ Description: Include the Debian version in our identification
5 vulnerable-looking version strings. (However, see debian-banner.patch.) 5 vulnerable-looking version strings. (However, see debian-banner.patch.)
6Author: Matthew Vernon <matthew@debian.org> 6Author: Matthew Vernon <matthew@debian.org>
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2012-09-07 8Last-Update: 2013-05-07
9 9
10Index: b/sshconnect.c 10Index: b/sshconnect.c
11=================================================================== 11===================================================================
12--- a/sshconnect.c 12--- a/sshconnect.c
13+++ b/sshconnect.c 13+++ b/sshconnect.c
14@@ -556,7 +556,7 @@ 14@@ -435,10 +435,10 @@
15 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", 15 /* Send our own protocol version identification. */
16 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, 16 if (compat20) {
17 compat20 ? PROTOCOL_MINOR_2 : minor1, 17 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
18- SSH_VERSION, compat20 ? "\r\n" : "\n"); 18- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
19+ SSH_RELEASE, compat20 ? "\r\n" : "\n"); 19+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
20 if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) 20 } else {
21 != strlen(buf)) 21 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
22 fatal("write: %.100s", strerror(errno)); 22- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
23+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
24 }
25 if (roaming_atomicio(vwrite, connection_out, client_version_string,
26 strlen(client_version_string)) != strlen(client_version_string))
23Index: b/sshd.c 27Index: b/sshd.c
24=================================================================== 28===================================================================
25--- a/sshd.c 29--- a/sshd.c
26+++ b/sshd.c 30+++ b/sshd.c
27@@ -425,7 +425,7 @@ 31@@ -434,7 +434,7 @@
28 } 32 }
29 33
30 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -38,7 +42,7 @@ Index: b/version.h
38--- a/version.h 42--- a/version.h
39+++ b/version.h 43+++ b/version.h
40@@ -3,4 +3,9 @@ 44@@ -3,4 +3,9 @@
41 #define SSH_VERSION "OpenSSH_6.1" 45 #define SSH_VERSION "OpenSSH_6.2"
42 46
43 #define SSH_PORTABLE "p1" 47 #define SSH_PORTABLE "p1"
44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 48-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
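Review bot: The refreshed sshconnect.c hunk (patch lines 15–26) keeps the `%.100s` width in both xasprintf formats while switching the argument to SSH_RELEASE, so any part of the release string beyond 100 bytes is silently dropped from the identification banner. Since SSH_RELEASE is presumably redefined in the version.h hunk to append the Debian revision, an unusually long revision suffix would be truncated and the patch's stated purpose (advertising the Debian version) would be lost without any warning. A one-line caveat in the patch Description would make this visible to future maintainers, e.g. `The identification string is limited to 100 characters, so keep the Debian version suffix short.` The version.h hunk's replacement definition of SSH_RELEASE lies past the end of this diff hunk and is not visible here.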
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index e436fe59e..f25ff89d0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
12Bug-Debian: http://bugs.debian.org/313371 12Bug-Debian: http://bugs.debian.org/313371
13Last-Update: 2010-02-27 13Last-Update: 2013-05-07
14 14
15Index: b/clientloop.c 15Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1655,8 +1655,10 @@ 19@@ -1710,8 +1710,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 80fe3247b..f2f8fcd21 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
5Author: Manoj Srivastava <srivasta@debian.org> 5Author: Manoj Srivastava <srivasta@debian.org>
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7Bug-Debian: http://bugs.debian.org/394795 7Bug-Debian: http://bugs.debian.org/394795
8Last-Update: 2010-02-27 8Last-Update: 2013-05-07
9 9
10Index: b/auth.h 10Index: b/auth.h
11=================================================================== 11===================================================================
@@ -23,7 +23,7 @@ Index: b/auth1.c
23=================================================================== 23===================================================================
24--- a/auth1.c 24--- a/auth1.c
25+++ b/auth1.c 25+++ b/auth1.c
26@@ -383,7 +383,7 @@ 26@@ -385,7 +385,7 @@
27 do_authentication(Authctxt *authctxt) 27 do_authentication(Authctxt *authctxt)
28 { 28 {
29 u_int ulen; 29 u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
32 32
33 /* Get the name of the user that we wish to log in as. */ 33 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 34 packet_read_expect(SSH_CMSG_USER);
35@@ -392,11 +392,17 @@ 35@@ -394,11 +394,17 @@
36 user = packet_get_cstring(&ulen); 36 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 37 packet_check_eom();
38 38
@@ -54,7 +54,7 @@ Index: b/auth2.c
54=================================================================== 54===================================================================
55--- a/auth2.c 55--- a/auth2.c
56+++ b/auth2.c 56+++ b/auth2.c
57@@ -217,7 +217,7 @@ 57@@ -219,7 +219,7 @@
58 { 58 {
59 Authctxt *authctxt = ctxt; 59 Authctxt *authctxt = ctxt;
60 Authmethod *m = NULL; 60 Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
63 int authenticated = 0; 63 int authenticated = 0;
64 64
65 if (authctxt == NULL) 65 if (authctxt == NULL)
66@@ -229,8 +229,13 @@ 66@@ -231,8 +231,13 @@
67 debug("userauth-request for user %s service %s method %s", user, service, method); 67 debug("userauth-request for user %s service %s method %s", user, service, method);
68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69 69
@@ -77,7 +77,7 @@ Index: b/auth2.c
77 77
78 if (authctxt->attempt++ == 0) { 78 if (authctxt->attempt++ == 0) {
79 /* setup auth context */ 79 /* setup auth context */
80@@ -254,8 +259,9 @@ 80@@ -256,8 +261,9 @@
81 use_privsep ? " [net]" : ""); 81 use_privsep ? " [net]" : "");
82 authctxt->service = xstrdup(service); 82 authctxt->service = xstrdup(service);
83 authctxt->style = style ? xstrdup(style) : NULL; 83 authctxt->style = style ? xstrdup(style) : NULL;
@@ -86,8 +86,8 @@ Index: b/auth2.c
86- mm_inform_authserv(service, style); 86- mm_inform_authserv(service, style);
87+ mm_inform_authserv(service, style, role); 87+ mm_inform_authserv(service, style, role);
88 userauth_banner(); 88 userauth_banner();
89 } else if (strcmp(user, authctxt->user) != 0 || 89 if (auth2_setup_methods_lists(authctxt) != 0)
90 strcmp(service, authctxt->service) != 0) { 90 packet_disconnect("no authentication methods enabled");
91Index: b/monitor.c 91Index: b/monitor.c
92=================================================================== 92===================================================================
93--- a/monitor.c 93--- a/monitor.c
@@ -100,7 +100,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 100 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 101 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 102 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -225,6 +226,7 @@ 103@@ -226,6 +227,7 @@
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -808,6 +810,7 @@ 111@@ -837,6 +839,7 @@
112 else { 112 else {
113 /* Allow service/style information on the auth context */ 113 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 117 }
118 #ifdef USE_PAM 118 #ifdef USE_PAM
119@@ -840,14 +843,37 @@ 119@@ -869,14 +872,37 @@
120 120
121 authctxt->service = buffer_get_string(m, NULL); 121 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 122 authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1435,7 +1461,7 @@ 159@@ -1471,7 +1497,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 161 if (res == 0)
162 goto error; 162 goto error;
@@ -169,15 +169,15 @@ Index: b/monitor.h
169=================================================================== 169===================================================================
170--- a/monitor.h 170--- a/monitor.h
171+++ b/monitor.h 171+++ b/monitor.h
172@@ -30,7 +30,7 @@ 172@@ -73,6 +73,8 @@
173 173 MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
174 enum monitor_reqtype { 174 MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
175 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 175
176- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, 176+ MONITOR_REQ_AUTHROLE = 300,
177+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, 177+
178 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, 178 };
179 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, 179
180 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, 180 struct mm_master;
181Index: b/monitor_wrap.c 181Index: b/monitor_wrap.c
182=================================================================== 182===================================================================
183--- a/monitor_wrap.c 183--- a/monitor_wrap.c
@@ -369,12 +369,12 @@ Index: b/platform.h
369+void platform_setusercontext_post_groups(struct passwd *, const char *); 369+void platform_setusercontext_post_groups(struct passwd *, const char *);
370 char *platform_get_krb5_client(const char *); 370 char *platform_get_krb5_client(const char *);
371 char *platform_krb5_get_principal_name(const char *); 371 char *platform_krb5_get_principal_name(const char *);
372 372 int platform_sys_dir_uid(uid_t);
373Index: b/session.c 373Index: b/session.c
374=================================================================== 374===================================================================
375--- a/session.c 375--- a/session.c
376+++ b/session.c 376+++ b/session.c
377@@ -1471,7 +1471,7 @@ 377@@ -1474,7 +1474,7 @@
378 378
379 /* Set login name, uid, gid, and groups. */ 379 /* Set login name, uid, gid, and groups. */
380 void 380 void
@@ -383,7 +383,7 @@ Index: b/session.c
383 { 383 {
384 char *chroot_path, *tmp; 384 char *chroot_path, *tmp;
385 385
386@@ -1499,7 +1499,7 @@ 386@@ -1502,7 +1502,7 @@
387 endgrent(); 387 endgrent();
388 #endif 388 #endif
389 389
@@ -392,7 +392,7 @@ Index: b/session.c
392 392
393 if (options.chroot_directory != NULL && 393 if (options.chroot_directory != NULL &&
394 strcasecmp(options.chroot_directory, "none") != 0) { 394 strcasecmp(options.chroot_directory, "none") != 0) {
395@@ -1625,7 +1625,7 @@ 395@@ -1633,7 +1633,7 @@
396 396
397 /* Force a password change */ 397 /* Force a password change */
398 if (s->authctxt->force_pwchange) { 398 if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
401 child_close_fds(); 401 child_close_fds();
402 do_pwchange(s); 402 do_pwchange(s);
403 exit(1); 403 exit(1);
404@@ -1652,7 +1652,7 @@ 404@@ -1660,7 +1660,7 @@
405 /* When PAM is enabled we rely on it to do the nologin check */ 405 /* When PAM is enabled we rely on it to do the nologin check */
406 if (!options.use_pam) 406 if (!options.use_pam)
407 do_nologin(pw); 407 do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
410 /* 410 /*
411 * PAM session modules in do_setusercontext may have 411 * PAM session modules in do_setusercontext may have
412 * generated messages, so if this in an interactive 412 * generated messages, so if this in an interactive
413@@ -2064,7 +2064,7 @@ 413@@ -2072,7 +2072,7 @@
414 tty_parse_modes(s->ttyfd, &n_bytes); 414 tty_parse_modes(s->ttyfd, &n_bytes);
415 415
416 if (!use_privsep) 416 if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
436=================================================================== 436===================================================================
437--- a/sshd.c 437--- a/sshd.c
438+++ b/sshd.c 438+++ b/sshd.c
439@@ -736,7 +736,7 @@ 439@@ -745,7 +745,7 @@
440 RAND_seed(rnd, sizeof(rnd)); 440 RAND_seed(rnd, sizeof(rnd));
441 441
442 /* Drop privileges */ 442 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index efb2c5432..6f2da2944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
3 3
4# SELinux 4# SELinux
5selinux-role.patch 5selinux-role.patch
6copy-id-restorecon.patch
7 6
8# Key blacklisting 7# Key blacklisting
9ssh-vulnkey.patch 8ssh-vulnkey.patch
@@ -27,7 +26,6 @@ shell-path.patch
27dnssec-sshfp.patch 26dnssec-sshfp.patch
28auth-log-verbosity.patch 27auth-log-verbosity.patch
29mention-ssh-keygen-on-keychange.patch 28mention-ssh-keygen-on-keychange.patch
30max-startups-default.patch
31 29
32# Versioning 30# Versioning
33package-versioning.patch 31package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 8c549128b..4c4532e99 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
6Bug-Debian: http://bugs.debian.org/492728 6Bug-Debian: http://bugs.debian.org/492728
7Last-Update: 2010-02-27 7Last-Update: 2013-05-07
8 8
9Index: b/sshconnect.c 9Index: b/sshconnect.c
10=================================================================== 10===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1273,7 +1273,7 @@ 22@@ -1292,7 +1292,7 @@
23 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3cc1272ec..6f4a3cd9a 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
5 manual page from ssh(1). 5 manual page from ssh(1).
6Bug-Debian: http://bugs.debian.org/111341 6Bug-Debian: http://bugs.debian.org/111341
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2010-02-28 8Last-Update: 2013-05-07
9 9
10Index: b/ssh.1 10Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1425,6 +1425,7 @@ 14@@ -1433,6 +1433,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c13cb3412..b7531cce0 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
8 See CVE-2008-0166. 8 See CVE-2008-0166.
9Author: Colin Watson <cjwatson@ubuntu.com> 9Author: Colin Watson <cjwatson@ubuntu.com>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2010-02-27 11Last-Update: 2013-05-07
12 12
13Index: b/Makefile.in 13Index: b/Makefile.in
14=================================================================== 14===================================================================
@@ -22,24 +22,26 @@ Index: b/Makefile.in
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 22 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 24 STRIP_OPT=@STRIP_OPT@
25@@ -38,6 +39,7 @@ 25@@ -37,7 +38,8 @@
26 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
26 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 27 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 28 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ 29- -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
29+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \ 30+ -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
31+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
30 32
31 CC=@CC@ 33 CC=@CC@
32 LD=@LD@ 34 LD=@LD@
33@@ -59,7 +61,7 @@ 35@@ -61,7 +63,7 @@
34 EXEEXT=@EXEEXT@ 36 EXEEXT=@EXEEXT@
35 MANFMT=@MANFMT@ 37 MANFMT=@MANFMT@
36 38
37-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 39-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
38+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) 40+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
39 41
40 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 42 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
41 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 43 canohost.o channels.o cipher.o cipher-aes.o \
42@@ -94,8 +96,8 @@ 44@@ -96,8 +98,8 @@
43 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 45 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
44 sandbox-seccomp-filter.o 46 sandbox-seccomp-filter.o
45 47
@@ -50,7 +52,7 @@ Index: b/Makefile.in
50 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
51 53
52 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
53@@ -172,6 +174,9 @@ 55@@ -174,6 +176,9 @@
54 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
55 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
56 58
@@ -60,7 +62,7 @@ Index: b/Makefile.in
60 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
61 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
62 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
63@@ -260,6 +265,7 @@ 65@@ -269,6 +274,7 @@
64 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
65 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
66 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -68,7 +70,7 @@ Index: b/Makefile.in
68 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
69 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
70 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
71@@ -274,6 +280,7 @@ 73@@ -283,6 +289,7 @@
72 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
73 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
74 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -76,7 +78,7 @@ Index: b/Makefile.in
76 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
77 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
78 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
79@@ -355,6 +362,7 @@ 81@@ -364,6 +371,7 @@
80 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
81 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
82 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -84,7 +86,7 @@ Index: b/Makefile.in
84 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
85 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
86 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
87@@ -367,6 +375,7 @@ 89@@ -376,6 +384,7 @@
88 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
89 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -130,7 +132,7 @@ Index: b/auth.c
130 #include "auth.h" 132 #include "auth.h"
131 #include "auth-options.h" 133 #include "auth-options.h"
132 #include "canohost.h" 134 #include "canohost.h"
133@@ -608,10 +609,34 @@ 135@@ -635,10 +636,34 @@
134 136
135 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
136 int 138 int
@@ -165,12 +167,12 @@ Index: b/auth.c
165+ 167+
166 if (options.revoked_keys_file == NULL) 168 if (options.revoked_keys_file == NULL)
167 return 0; 169 return 0;
168 170 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
169Index: b/auth.h 171Index: b/auth.h
170=================================================================== 172===================================================================
171--- a/auth.h 173--- a/auth.h
172+++ b/auth.h 174+++ b/auth.h
173@@ -174,7 +174,7 @@ 175@@ -185,7 +185,7 @@
174 176
175 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
176 FILE *auth_openprincipals(const char *, struct passwd *, int); 178 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -196,7 +198,7 @@ Index: b/auth2-pubkey.c
196=================================================================== 198===================================================================
197--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
198+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
199@@ -440,9 +440,10 @@ 201@@ -608,9 +608,10 @@
200 u_int success, i; 202 u_int success, i;
201 char *file; 203 char *file;
202 204
@@ -462,7 +464,7 @@ Index: b/servconf.c
462=================================================================== 464===================================================================
463--- a/servconf.c 465--- a/servconf.c
464+++ b/servconf.c 466+++ b/servconf.c
465@@ -107,6 +107,7 @@ 467@@ -109,6 +109,7 @@
466 options->password_authentication = -1; 468 options->password_authentication = -1;
467 options->kbd_interactive_authentication = -1; 469 options->kbd_interactive_authentication = -1;
468 options->challenge_response_authentication = -1; 470 options->challenge_response_authentication = -1;
@@ -470,7 +472,7 @@ Index: b/servconf.c
470 options->permit_empty_passwd = -1; 472 options->permit_empty_passwd = -1;
471 options->permit_user_env = -1; 473 options->permit_user_env = -1;
472 options->use_login = -1; 474 options->use_login = -1;
473@@ -246,6 +247,8 @@ 475@@ -250,6 +251,8 @@
474 options->kbd_interactive_authentication = 0; 476 options->kbd_interactive_authentication = 0;
475 if (options->challenge_response_authentication == -1) 477 if (options->challenge_response_authentication == -1)
476 options->challenge_response_authentication = 1; 478 options->challenge_response_authentication = 1;
@@ -479,7 +481,7 @@ Index: b/servconf.c
479 if (options->permit_empty_passwd == -1) 481 if (options->permit_empty_passwd == -1)
480 options->permit_empty_passwd = 0; 482 options->permit_empty_passwd = 0;
481 if (options->permit_user_env == -1) 483 if (options->permit_user_env == -1)
482@@ -323,7 +326,7 @@ 484@@ -327,7 +330,7 @@
483 sListenAddress, sAddressFamily, 485 sListenAddress, sAddressFamily,
484 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 486 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
485 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +490,7 @@ Index: b/servconf.c
488 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
489 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
490 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
491@@ -433,6 +436,7 @@ 493@@ -439,6 +442,7 @@
492 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
493 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
494 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +498,7 @@ Index: b/servconf.c
496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
498 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
499@@ -1116,6 +1120,10 @@ 501@@ -1134,6 +1138,10 @@
500 intptr = &options->tcp_keep_alive; 502 intptr = &options->tcp_keep_alive;
501 goto parse_flag; 503 goto parse_flag;
502 504
@@ -507,7 +509,7 @@ Index: b/servconf.c
507 case sEmptyPasswd: 509 case sEmptyPasswd:
508 intptr = &options->permit_empty_passwd; 510 intptr = &options->permit_empty_passwd;
509 goto parse_flag; 511 goto parse_flag;
510@@ -1921,6 +1929,7 @@ 512@@ -1980,6 +1988,7 @@
511 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
512 dump_cfg_fmtint(sStrictModes, o->strict_modes); 514 dump_cfg_fmtint(sStrictModes, o->strict_modes);
513 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -519,7 +521,7 @@ Index: b/servconf.h
519=================================================================== 521===================================================================
520--- a/servconf.h 522--- a/servconf.h
521+++ b/servconf.h 523+++ b/servconf.h
522@@ -113,6 +113,7 @@ 524@@ -120,6 +120,7 @@
523 int challenge_response_authentication; 525 int challenge_response_authentication;
524 int zero_knowledge_password_authentication; 526 int zero_knowledge_password_authentication;
525 /* If true, permit jpake auth */ 527 /* If true, permit jpake auth */
@@ -554,7 +556,7 @@ Index: b/ssh-add.c
554=================================================================== 556===================================================================
555--- a/ssh-add.c 557--- a/ssh-add.c
556+++ b/ssh-add.c 558+++ b/ssh-add.c
557@@ -142,7 +142,7 @@ 559@@ -167,7 +167,7 @@
558 add_file(AuthenticationConnection *ac, const char *filename, int key_only) 560 add_file(AuthenticationConnection *ac, const char *filename, int key_only)
559 { 561 {
560 Key *private, *cert; 562 Key *private, *cert;
@@ -563,7 +565,7 @@ Index: b/ssh-add.c
563 char msg[1024], *certpath = NULL; 565 char msg[1024], *certpath = NULL;
564 int fd, perms_ok, ret = -1; 566 int fd, perms_ok, ret = -1;
565 Buffer keyblob; 567 Buffer keyblob;
566@@ -218,6 +218,14 @@ 568@@ -243,6 +243,14 @@
567 } else { 569 } else {
568 fprintf(stderr, "Could not add identity: %s\n", filename); 570 fprintf(stderr, "Could not add identity: %s\n", filename);
569 } 571 }
@@ -582,7 +584,7 @@ Index: b/ssh-keygen.1
582=================================================================== 584===================================================================
583--- a/ssh-keygen.1 585--- a/ssh-keygen.1
584+++ b/ssh-keygen.1 586+++ b/ssh-keygen.1
585@@ -691,6 +691,7 @@ 587@@ -810,6 +810,7 @@
586 .Xr ssh 1 , 588 .Xr ssh 1 ,
587 .Xr ssh-add 1 , 589 .Xr ssh-add 1 ,
588 .Xr ssh-agent 1 , 590 .Xr ssh-agent 1 ,
@@ -1233,7 +1235,7 @@ Index: b/ssh.1
1233=================================================================== 1235===================================================================
1234--- a/ssh.1 1236--- a/ssh.1
1235+++ b/ssh.1 1237+++ b/ssh.1
1236@@ -1421,6 +1421,7 @@ 1238@@ -1429,6 +1429,7 @@
1237 .Xr ssh-agent 1 , 1239 .Xr ssh-agent 1 ,
1238 .Xr ssh-keygen 1 , 1240 .Xr ssh-keygen 1 ,
1239 .Xr ssh-keyscan 1 , 1241 .Xr ssh-keyscan 1 ,
@@ -1281,7 +1283,7 @@ Index: b/ssh_config.5
1281=================================================================== 1283===================================================================
1282--- a/ssh_config.5 1284--- a/ssh_config.5
1283+++ b/ssh_config.5 1285+++ b/ssh_config.5
1284@@ -1187,6 +1187,23 @@ 1286@@ -1201,6 +1201,23 @@
1285 .Dq any . 1287 .Dq any .
1286 The default is 1288 The default is
1287 .Dq any:any . 1289 .Dq any:any .
@@ -1309,24 +1311,24 @@ Index: b/sshconnect2.c
1309=================================================================== 1311===================================================================
1310--- a/sshconnect2.c 1312--- a/sshconnect2.c
1311+++ b/sshconnect2.c 1313+++ b/sshconnect2.c
1312@@ -1489,6 +1489,8 @@ 1314@@ -1491,6 +1491,8 @@
1313 1315
1314 /* list of keys stored in the filesystem */ 1316 /* list of keys stored in the filesystem and PKCS#11 */
1315 for (i = 0; i < options.num_identity_files; i++) { 1317 for (i = 0; i < options.num_identity_files; i++) {
1316+ if (options.identity_files[i] == NULL) 1318+ if (options.identity_files[i] == NULL)
1317+ continue; 1319+ continue;
1318 key = options.identity_keys[i]; 1320 key = options.identity_keys[i];
1319 if (key && key->type == KEY_RSA1) 1321 if (key && key->type == KEY_RSA1)
1320 continue; 1322 continue;
1321@@ -1582,7 +1584,7 @@ 1323@@ -1609,7 +1611,7 @@
1322 debug("Offering %s public key: %s", key_type(id->key), 1324 debug("Offering %s public key: %s", key_type(id->key),
1323 id->filename); 1325 id->filename);
1324 sent = send_pubkey_test(authctxt, id); 1326 sent = send_pubkey_test(authctxt, id);
1325- } else if (id->key == NULL) { 1327- } else if (id->key == NULL) {
1326+ } else if (id->key == NULL && id->filename) { 1328+ } else if (id->key == NULL && id->filename) {
1327 debug("Trying private key: %s", id->filename); 1329 debug("Trying private key: %s", id->filename);
1328 id->key = load_identity_file(id->filename); 1330 id->key = load_identity_file(id->filename,
1329 if (id->key != NULL) { 1331 id->userprovided);
1330Index: b/sshd.8 1332Index: b/sshd.8
1331=================================================================== 1333===================================================================
1332--- a/sshd.8 1334--- a/sshd.8
@@ -1343,7 +1345,7 @@ Index: b/sshd.c
1343=================================================================== 1345===================================================================
1344--- a/sshd.c 1346--- a/sshd.c
1345+++ b/sshd.c 1347+++ b/sshd.c
1346@@ -1593,6 +1593,11 @@ 1348@@ -1631,6 +1631,11 @@
1347 sensitive_data.host_keys[i] = NULL; 1349 sensitive_data.host_keys[i] = NULL;
1348 continue; 1350 continue;
1349 } 1351 }
@@ -1359,7 +1361,7 @@ Index: b/sshd_config.5
1359=================================================================== 1361===================================================================
1360--- a/sshd_config.5 1362--- a/sshd_config.5
1361+++ b/sshd_config.5 1363+++ b/sshd_config.5
1362@@ -803,6 +803,20 @@ 1364@@ -870,6 +870,20 @@
1363 Specifies whether password authentication is allowed. 1365 Specifies whether password authentication is allowed.
1364 The default is 1366 The default is
1365 .Dq yes . 1367 .Dq yes .
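Review bot: The comment kept as context in the auth.c hunk, `/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */`, no longer describes the function once this patch's added lines, which the refreshed hunk places before the `options.revoked_keys_file == NULL` early return, also reject keys from the blacklist; the patch description says its purpose is to reject vulnerable keys, so presumably the function returns 1 on that path as well. Suggest widening it to `/* Returns 1 if key is blacklisted (Debian ssh-vulnkey) or revoked by revoked_keys_file, 0 otherwise */`. The added body lines are not shown here, so confirm the return value on the blacklist path before changing the comment; note that with the refreshed context the blacklist check now runs ahead of upstream's `ssh_krl_file_contains_key` switch, which is the intended short-circuit order. The function's signature and closing brace lie outside the hunk.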
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index b71ff9df9..87211e8a3 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,7 +1,7 @@
1Description: Partial server keep-alive implementation for SSH1 1Description: Partial server keep-alive implementation for SSH1
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
4Last-Update: 2010-02-27 4Last-Update: 2013-05-07
5 5
6Index: b/clientloop.c 6Index: b/clientloop.c
7=================================================================== 7===================================================================
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1088,7 +1088,10 @@ 54@@ -1102,7 +1102,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
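diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 1368ccb3c..ddedbf79a 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/readconf.c
 ===================================================================
@@ -38,7 +38,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1312,6 +1312,8 @@
+@@ -1320,6 +1320,8 @@
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1342,6 +1342,8 @@
+@@ -1356,6 +1356,8 @@
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -381,8 +381,7 @@
+@@ -386,8 +386,7 @@
  user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
  if (options.strict_modes &&
  (stat(user_hostfile, &st) == 0) &&
@@ -74,21 +74,21 @@ Index: b/auth.c
  logit("Authentication refused for %.100s: "
  "bad owner or modes for %.200s",
  pw->pw_name, user_hostfile);
-@@ -443,8 +443,7 @@
- 
- /* check the open file to avoid races */
- if (fstat(fileno(f), &st) < 0 ||
-- (st.st_uid != 0 && st.st_uid != uid) ||
-- (st.st_mode & 022) != 0) {
-+ !secure_permissions(&st, uid)) {
+@@ -449,8 +448,7 @@
+ snprintf(err, errlen, "%s is not a regular file", buf);
+ return -1;
+ }
+- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
+- (stp->st_mode & 022) != 0) {
++ if (!secure_permissions(stp, uid)) {
  snprintf(err, errlen, "bad ownership or modes for file %s",
  buf);
  return -1;
-@@ -459,8 +457,7 @@
+@@ -465,8 +463,7 @@
  strlcpy(buf, cp, sizeof(buf));
  
  if (stat(buf, &st) < 0 ||
-- (st.st_uid != 0 && st.st_uid != uid) ||
+- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
 - (st.st_mode & 022) != 0) {
 + !secure_permissions(&st, uid)) {
  snprintf(err, errlen,
@@ -115,7 +115,7 @@ Index: b/misc.c
  int
 +secure_permissions(struct stat *st, uid_t uid)
 +{
-+ if (st->st_uid != 0 && st->st_uid != uid)
++ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
 + return 0;
 + if ((st->st_mode & 002) != 0)
 + return 0;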
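Review bot: The parent-directory walk in the second auth.c hunk (inner lines 90-93) now accepts every ancestor of the key file through `!secure_permissions(&st, uid)`, where the upstream line it replaces refuses any `022` bit on directories, and the part of `secure_permissions` visible in the misc.c hunk only rejects a foreign owner and world-writability (`002`). A group-writable ancestor directory lets any other member of that group rename or replace the file regardless of the file's own mode, so the group rule this patch applies further down in `secure_permissions` (outside the hunk) must hold directories to the same standard as files, including members whose primary gid is that group and who therefore do not appear in `gr_mem`; I cannot see that check from here, so please confirm. Separately, misc.c only sees `platform_sys_dir_uid()` if it already includes `platform.h` — the refreshed patch adds no include hunk, so either the 6.2 misc.c already has one or the patch needs `+#include "platform.h"`. The enclosing auth.c function (its start, where `stp` is resolved, is outside the hunk) and `secure_permissions` both continue beyond what is shown.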