summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-log-verbosity.patch14
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/consolekit.patch67
-rw-r--r--debian/patches/curve25519-sha256-bignum-encoding.patch161
-rw-r--r--debian/patches/debian-banner.patch50
-rw-r--r--debian/patches/debian-config.patch12
-rw-r--r--debian/patches/dnssec-sshfp.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/doc-upstart.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch283
-rw-r--r--debian/patches/helpful-wait-terminate.patch4
-rw-r--r--debian/patches/keepalive-extensions.patch36
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch6
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-check.patch41
-rw-r--r--debian/patches/no-openssl-version-status.patch62
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch14
-rw-r--r--debian/patches/quieter-signals.patch6
-rw-r--r--debian/patches/restore-tcp-wrappers.patch172
-rw-r--r--debian/patches/scp-quoting.patch4
-rw-r--r--debian/patches/selinux-role.patch66
-rw-r--r--debian/patches/series5
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch8
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/ssh1-keepalive.patch8
-rw-r--r--debian/patches/sshfp_with_server_cert_upstr83
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/user-group-modes.patch42
33 files changed, 593 insertions, 643 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 8d26d7b6f..84a14cfb8 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From 283322f493ee7dc75511f6cf9e9b88e536de0874 Mon Sep 17 00:00:00 2001 1From 1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch
16 4 files changed, 32 insertions(+), 9 deletions(-) 16 4 files changed, 32 insertions(+), 9 deletions(-)
17 17
18diff --git a/auth-options.c b/auth-options.c 18diff --git a/auth-options.c b/auth-options.c
19index fa209ea..df61330 100644 19index f3d9c9d..d4d22d7 100644
20--- a/auth-options.c 20--- a/auth-options.c
21+++ b/auth-options.c 21+++ b/auth-options.c
22@@ -54,9 +54,20 @@ int forced_tun_device = -1; 22@@ -54,9 +54,20 @@ int forced_tun_device = -1;
@@ -58,7 +58,7 @@ index fa209ea..df61330 100644
58 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
59 "permitted to use this key for login.", 59 "permitted to use this key for login.",
60 remote_host); 60 remote_host);
61@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, 61@@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
62 break; 62 break;
63 case 0: 63 case 0:
64 /* no match */ 64 /* no match */
@@ -91,10 +91,10 @@ index 7455c94..a3f0a02 100644
91 void auth_clear_options(void); 91 void auth_clear_options(void);
92 int auth_cert_options(Key *, struct passwd *); 92 int auth_cert_options(Key *, struct passwd *);
93diff --git a/auth-rsa.c b/auth-rsa.c 93diff --git a/auth-rsa.c b/auth-rsa.c
94index 5dad6c3..260ce2f 100644 94index e9f4ede..5d7bdcb 100644
95--- a/auth-rsa.c 95--- a/auth-rsa.c
96+++ b/auth-rsa.c 96+++ b/auth-rsa.c
97@@ -178,6 +178,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, 97@@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
99 return 0; 99 return 0;
100 100
@@ -104,10 +104,10 @@ index 5dad6c3..260ce2f 100644
104 * Go though the accepted keys, looking for the current key. If 104 * Go though the accepted keys, looking for the current key. If
105 * found, perform a challenge-response dialog to verify that the 105 * found, perform a challenge-response dialog to verify that the
106diff --git a/auth2-pubkey.c b/auth2-pubkey.c 106diff --git a/auth2-pubkey.c b/auth2-pubkey.c
107index 0fd27bb..7c56927 100644 107index f3ca965..f78b046 100644
108--- a/auth2-pubkey.c 108--- a/auth2-pubkey.c
109+++ b/auth2-pubkey.c 109+++ b/auth2-pubkey.c
110@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) 110@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
111 restore_uid(); 111 restore_uid();
112 return 0; 112 return 0;
113 } 113 }
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 74bfb46e6..6afb0420b 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 71448da5ce75ba50bcb10dbbd3b8c7633f633e8f Mon Sep 17 00:00:00 2001 1From 19b0441502c07401dd6d418f8f81cc7f1a44ccb1 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 3d96c05..feee0b2 100644 16index c4cb8ea..a4402e9 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -287,6 +287,7 @@ install-files: 19@@ -309,6 +309,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index e3ff4d7e4..e50c77f62 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,33 +1,33 @@
1From 7a26d16efb4ee303c8d66ee82caf9d0686f4a074 Mon Sep 17 00:00:00 2001 1From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:57 +0000 3Date: Sun, 9 Feb 2014 16:09:57 +0000
4Subject: Add support for registering ConsoleKit sessions on login 4Subject: Add support for registering ConsoleKit sessions on login
5 5
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
7Last-Updated: 2014-03-20 7Last-Updated: 2014-10-07
8 8
9Patch-Name: consolekit.patch 9Patch-Name: consolekit.patch
10--- 10---
11 Makefile.in | 3 +- 11 Makefile.in | 3 +-
12 configure | 132 +++++++++++++++++++++++++++++++ 12 configure | 132 +++++++++++++++++++++++++++++++
13 configure.ac | 25 ++++++ 13 configure.ac | 25 ++++++
14 consolekit.c | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 14 consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
15 consolekit.h | 24 ++++++ 15 consolekit.h | 24 ++++++
16 monitor.c | 42 ++++++++++ 16 monitor.c | 42 ++++++++++
17 monitor.h | 2 + 17 monitor.h | 2 +
18 monitor_wrap.c | 30 ++++++++ 18 monitor_wrap.c | 30 +++++++
19 monitor_wrap.h | 4 + 19 monitor_wrap.h | 4 +
20 session.c | 13 ++++ 20 session.c | 13 ++++
21 session.h | 6 ++ 21 session.h | 6 ++
22 11 files changed, 520 insertions(+), 1 deletion(-) 22 11 files changed, 521 insertions(+), 1 deletion(-)
23 create mode 100644 consolekit.c 23 create mode 100644 consolekit.c
24 create mode 100644 consolekit.h 24 create mode 100644 consolekit.h
25 25
26diff --git a/Makefile.in b/Makefile.in 26diff --git a/Makefile.in b/Makefile.in
27index ee1d2c3..3d96c05 100644 27index 086d8dd..c4cb8ea 100644
28--- a/Makefile.in 28--- a/Makefile.in
29+++ b/Makefile.in 29+++ b/Makefile.in
30@@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 30@@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
31 sftp-server.o sftp-common.o \ 31 sftp-server.o sftp-common.o \
32 roaming_common.o roaming_serv.o \ 32 roaming_common.o roaming_serv.o \
33 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 33 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -38,10 +38,10 @@ index ee1d2c3..3d96c05 100644
38 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 38 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
39 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 39 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
40diff --git a/configure b/configure 40diff --git a/configure b/configure
41index b6b5b6d..e2f12cd 100755 41index ea5f200..7be478a 100755
42--- a/configure 42--- a/configure
43+++ b/configure 43+++ b/configure
44@@ -740,6 +740,7 @@ with_privsep_user 44@@ -739,6 +739,7 @@ with_privsep_user
45 with_sandbox 45 with_sandbox
46 with_selinux 46 with_selinux
47 with_kerberos5 47 with_kerberos5
@@ -49,7 +49,7 @@ index b6b5b6d..e2f12cd 100755
49 with_privsep_path 49 with_privsep_path
50 with_xauth 50 with_xauth
51 enable_strip 51 enable_strip
52@@ -1432,6 +1433,7 @@ Optional Packages: 52@@ -1430,6 +1431,7 @@ Optional Packages:
53 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) 53 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
54 --with-selinux Enable SELinux support 54 --with-selinux Enable SELinux support
55 --with-kerberos5=PATH Enable Kerberos 5 support 55 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -57,7 +57,7 @@ index b6b5b6d..e2f12cd 100755
57 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 57 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
58 --with-xauth=PATH Specify path to xauth program 58 --with-xauth=PATH Specify path to xauth program
59 --with-maildir=/path/to/mail Specify your system mail directory 59 --with-maildir=/path/to/mail Specify your system mail directory
60@@ -17217,6 +17219,135 @@ fi 60@@ -17211,6 +17213,135 @@ fi
61 61
62 62
63 63
@@ -193,7 +193,7 @@ index b6b5b6d..e2f12cd 100755
193 # Looking for programs, paths and files 193 # Looking for programs, paths and files
194 194
195 PRIVSEP_PATH=/var/empty 195 PRIVSEP_PATH=/var/empty
196@@ -19746,6 +19877,7 @@ echo " MD5 password support: $MD5_MSG" 196@@ -19739,6 +19870,7 @@ echo " MD5 password support: $MD5_MSG"
197 echo " libedit support: $LIBEDIT_MSG" 197 echo " libedit support: $LIBEDIT_MSG"
198 echo " Solaris process contract support: $SPC_MSG" 198 echo " Solaris process contract support: $SPC_MSG"
199 echo " Solaris project support: $SP_MSG" 199 echo " Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index b6b5b6d..e2f12cd 100755
202 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 202 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
203 echo " BSD Auth support: $BSD_AUTH_MSG" 203 echo " BSD Auth support: $BSD_AUTH_MSG"
204diff --git a/configure.ac b/configure.ac 204diff --git a/configure.ac b/configure.ac
205index d235fb0..8669271 100644 205index 7f160f1..f5c65c5 100644
206--- a/configure.ac 206--- a/configure.ac
207+++ b/configure.ac 207+++ b/configure.ac
208@@ -4072,6 +4072,30 @@ AC_ARG_WITH([kerberos5], 208@@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5],
209 AC_SUBST([GSSLIBS]) 209 AC_SUBST([GSSLIBS])
210 AC_SUBST([K5LIBS]) 210 AC_SUBST([K5LIBS])
211 211
@@ -236,7 +236,7 @@ index d235fb0..8669271 100644
236 # Looking for programs, paths and files 236 # Looking for programs, paths and files
237 237
238 PRIVSEP_PATH=/var/empty 238 PRIVSEP_PATH=/var/empty
239@@ -4873,6 +4897,7 @@ echo " MD5 password support: $MD5_MSG" 239@@ -4914,6 +4938,7 @@ echo " MD5 password support: $MD5_MSG"
240 echo " libedit support: $LIBEDIT_MSG" 240 echo " libedit support: $LIBEDIT_MSG"
241 echo " Solaris process contract support: $SPC_MSG" 241 echo " Solaris process contract support: $SPC_MSG"
242 echo " Solaris project support: $SP_MSG" 242 echo " Solaris project support: $SP_MSG"
@@ -246,10 +246,10 @@ index d235fb0..8669271 100644
246 echo " BSD Auth support: $BSD_AUTH_MSG" 246 echo " BSD Auth support: $BSD_AUTH_MSG"
247diff --git a/consolekit.c b/consolekit.c 247diff --git a/consolekit.c b/consolekit.c
248new file mode 100644 248new file mode 100644
249index 0000000..f1039e6 249index 0000000..0266f06
250--- /dev/null 250--- /dev/null
251+++ b/consolekit.c 251+++ b/consolekit.c
252@@ -0,0 +1,240 @@ 252@@ -0,0 +1,241 @@
253+/* 253+/*
254+ * Copyright (c) 2008 Colin Watson. All rights reserved. 254+ * Copyright (c) 2008 Colin Watson. All rights reserved.
255+ * 255+ *
@@ -305,6 +305,7 @@ index 0000000..f1039e6
305+#include "hostfile.h" 305+#include "hostfile.h"
306+#include "auth.h" 306+#include "auth.h"
307+#include "log.h" 307+#include "log.h"
308+#include "misc.h"
308+#include "servconf.h" 309+#include "servconf.h"
309+#include "canohost.h" 310+#include "canohost.h"
310+#include "session.h" 311+#include "session.h"
@@ -521,10 +522,10 @@ index 0000000..8ce3716
521+ 522+
522+#endif /* USE_CONSOLEKIT */ 523+#endif /* USE_CONSOLEKIT */
523diff --git a/monitor.c b/monitor.c 524diff --git a/monitor.c b/monitor.c
524index 11eac63..7c105e6 100644 525index 94b194d..cc15ce4 100644
525--- a/monitor.c 526--- a/monitor.c
526+++ b/monitor.c 527+++ b/monitor.c
527@@ -97,6 +97,9 @@ 528@@ -100,6 +100,9 @@
528 #include "ssh2.h" 529 #include "ssh2.h"
529 #include "roaming.h" 530 #include "roaming.h"
530 #include "authfd.h" 531 #include "authfd.h"
@@ -534,7 +535,7 @@ index 11eac63..7c105e6 100644
534 535
535 #ifdef GSSAPI 536 #ifdef GSSAPI
536 static Gssctxt *gsscontext = NULL; 537 static Gssctxt *gsscontext = NULL;
537@@ -187,6 +190,10 @@ int mm_answer_audit_command(int, Buffer *); 538@@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *);
538 539
539 static int monitor_read_log(struct monitor *); 540 static int monitor_read_log(struct monitor *);
540 541
@@ -543,9 +544,9 @@ index 11eac63..7c105e6 100644
543+#endif 544+#endif
544+ 545+
545 static Authctxt *authctxt; 546 static Authctxt *authctxt;
546 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
547 547
548@@ -272,6 +279,9 @@ struct mon_table mon_dispatch_postauth20[] = { 548 #ifdef WITH_SSH1
549@@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = {
549 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 550 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
550 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 551 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
551 #endif 552 #endif
@@ -555,17 +556,17 @@ index 11eac63..7c105e6 100644
555 {0, 0, NULL} 556 {0, 0, NULL}
556 }; 557 };
557 558
558@@ -314,6 +324,9 @@ struct mon_table mon_dispatch_postauth15[] = { 559@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
559 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 560 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
560 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 561 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
561 #endif 562 #endif
562+#ifdef USE_CONSOLEKIT 563+#ifdef USE_CONSOLEKIT
563+ {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}, 564+ {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
564+#endif 565+#endif
566 #endif /* WITH_SSH1 */
565 {0, 0, NULL} 567 {0, 0, NULL}
566 }; 568 };
567 569@@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor)
568@@ -492,6 +505,9 @@ monitor_child_postauth(struct monitor *pmonitor)
569 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 570 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
570 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 571 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
571 } 572 }
@@ -575,7 +576,7 @@ index 11eac63..7c105e6 100644
575 576
576 for (;;) 577 for (;;)
577 monitor_read(pmonitor, mon_dispatch, NULL); 578 monitor_read(pmonitor, mon_dispatch, NULL);
578@@ -2269,3 +2285,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { 579@@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
579 580
580 #endif /* GSSAPI */ 581 #endif /* GSSAPI */
581 582
@@ -619,10 +620,10 @@ index 4d5e8fa..10ba59e 100644
619 620
620 struct mm_master; 621 struct mm_master;
621diff --git a/monitor_wrap.c b/monitor_wrap.c 622diff --git a/monitor_wrap.c b/monitor_wrap.c
622index f75dc9d..a8fb07b 100644 623index 6dc890a..4c57d4d 100644
623--- a/monitor_wrap.c 624--- a/monitor_wrap.c
624+++ b/monitor_wrap.c 625+++ b/monitor_wrap.c
625@@ -1353,3 +1353,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) 626@@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
626 627
627 #endif /* GSSAPI */ 628 #endif /* GSSAPI */
628 629
@@ -670,10 +671,10 @@ index 9c2ee49..00e93fe 100644
670+ 671+
671 #endif /* _MM_WRAP_H_ */ 672 #endif /* _MM_WRAP_H_ */
672diff --git a/session.c b/session.c 673diff --git a/session.c b/session.c
673index 6848df4..9d43fc3 100644 674index 6f389ac..6250c20 100644
674--- a/session.c 675--- a/session.c
675+++ b/session.c 676+++ b/session.c
676@@ -92,6 +92,7 @@ 677@@ -93,6 +93,7 @@
677 #include "kex.h" 678 #include "kex.h"
678 #include "monitor_wrap.h" 679 #include "monitor_wrap.h"
679 #include "sftp.h" 680 #include "sftp.h"
@@ -681,7 +682,7 @@ index 6848df4..9d43fc3 100644
681 682
682 #if defined(KRB5) && defined(USE_AFS) 683 #if defined(KRB5) && defined(USE_AFS)
683 #include <kafs.h> 684 #include <kafs.h>
684@@ -1160,6 +1161,9 @@ do_setup_env(Session *s, const char *shell) 685@@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell)
685 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 686 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
686 char *path = NULL; 687 char *path = NULL;
687 #endif 688 #endif
@@ -691,7 +692,7 @@ index 6848df4..9d43fc3 100644
691 692
692 /* Initialize the environment. */ 693 /* Initialize the environment. */
693 envsize = 100; 694 envsize = 100;
694@@ -1304,6 +1308,11 @@ do_setup_env(Session *s, const char *shell) 695@@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell)
695 child_set_env(&env, &envsize, "KRB5CCNAME", 696 child_set_env(&env, &envsize, "KRB5CCNAME",
696 s->authctxt->krb5_ccname); 697 s->authctxt->krb5_ccname);
697 #endif 698 #endif
@@ -703,7 +704,7 @@ index 6848df4..9d43fc3 100644
703 #ifdef USE_PAM 704 #ifdef USE_PAM
704 /* 705 /*
705 * Pull in any environment variables that may have 706 * Pull in any environment variables that may have
706@@ -2353,6 +2362,10 @@ session_pty_cleanup2(Session *s) 707@@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s)
707 708
708 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 709 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
709 710
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch
deleted file mode 100644
index ccb66048d..000000000
--- a/debian/patches/curve25519-sha256-bignum-encoding.patch
+++ /dev/null
@@ -1,161 +0,0 @@
1From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Sun, 20 Apr 2014 13:47:45 +1000
4Subject: bad bignum encoding for curve25519-sha256@libssh.org
5
6Hi,
7
8So I screwed up when writing the support for the curve25519 KEX method
9that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
10leading zero bytes where they should have been skipped. The impact of
11this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
12peer that implements curve25519-sha256@libssh.org properly about 0.2%
13of the time (one in every 512ish connections).
14
15We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
16key exchange for previous versions, but I'd recommend distributors
17of OpenSSH apply this patch so the affected code doesn't become
18too entrenched in LTS releases.
19
20The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
21to distinguish itself from the incorrect versions so the compatibility
22code to disable the affected KEX isn't activated.
23
24I've committed this on the 6.6 branch too.
25
26Apologies for the hassle.
27
28-d
29
30Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
31Forwarded: not-needed
32Last-Update: 2014-04-21
33
34Patch-Name: curve25519-sha256-bignum-encoding.patch
35---
36 bufaux.c | 5 ++++-
37 compat.c | 17 ++++++++++++++++-
38 compat.h | 2 ++
39 sshconnect2.c | 2 ++
40 sshd.c | 3 +++
41 version.h | 2 +-
42 6 files changed, 28 insertions(+), 3 deletions(-)
43
44diff --git a/bufaux.c b/bufaux.c
45index e24b5fc..f6a6f2a 100644
46--- a/bufaux.c
47+++ b/bufaux.c
48@@ -1,4 +1,4 @@
49-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
50+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
51 /*
52 * Author: Tatu Ylonen <ylo@cs.hut.fi>
53 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
54@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
55
56 if (l > 8 * 1024)
57 fatal("%s: length %u too long", __func__, l);
58+ /* Skip leading zero bytes */
59+ for (; l > 0 && *s == 0; l--, s++)
60+ ;
61 p = buf = xmalloc(l + 1);
62 /*
63 * If most significant bit is set then prepend a zero byte to
64diff --git a/compat.c b/compat.c
65index 9d9fabe..2709dc5 100644
66--- a/compat.c
67+++ b/compat.c
68@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
69 { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
70 { "OpenSSH_4*", 0 },
71 { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
72+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
73+ { "OpenSSH_6.5*,"
74+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
75 { "OpenSSH*", SSH_NEW_OPENSSH },
76 { "*MindTerm*", 0 },
77 { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
78@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
79 return cipher_prop;
80 }
81
82-
83 char *
84 compat_pkalg_proposal(char *pkalg_prop)
85 {
86@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
87 return pkalg_prop;
88 }
89
90+char *
91+compat_kex_proposal(char *kex_prop)
92+{
93+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
94+ return kex_prop;
95+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
96+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
97+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
98+ if (*kex_prop == '\0')
99+ fatal("No supported key exchange algorithms found");
100+ return kex_prop;
101+}
102+
103diff --git a/compat.h b/compat.h
104index b174fa1..a6c3f3d 100644
105--- a/compat.h
106+++ b/compat.h
107@@ -59,6 +59,7 @@
108 #define SSH_BUG_RFWD_ADDR 0x02000000
109 #define SSH_NEW_OPENSSH 0x04000000
110 #define SSH_BUG_DYNAMIC_RPORT 0x08000000
111+#define SSH_BUG_CURVE25519PAD 0x10000000
112
113 void enable_compat13(void);
114 void enable_compat20(void);
115@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
116 int proto_spec(const char *);
117 char *compat_cipher_proposal(char *);
118 char *compat_pkalg_proposal(char *);
119+char *compat_kex_proposal(char *);
120
121 extern int compat13;
122 extern int compat20;
123diff --git a/sshconnect2.c b/sshconnect2.c
124index 66cb035..1a4e551 100644
125--- a/sshconnect2.c
126+++ b/sshconnect2.c
127@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
128 }
129 if (options.kex_algorithms != NULL)
130 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
131+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
132+ myproposal[PROPOSAL_KEX_ALGS]);
133
134 #ifdef GSSAPI
135 /* If we've got GSSAPI algorithms, then we also support the
136diff --git a/sshd.c b/sshd.c
137index 0964491..fe78d7b 100644
138--- a/sshd.c
139+++ b/sshd.c
140@@ -2534,6 +2534,9 @@ do_ssh2_kex(void)
141 if (options.kex_algorithms != NULL)
142 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
143
144+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
145+ myproposal[PROPOSAL_KEX_ALGS]);
146+
147 if (options.rekey_limit || options.rekey_interval)
148 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
149 (time_t)options.rekey_interval);
150diff --git a/version.h b/version.h
151index a97c337..0659576 100644
152--- a/version.h
153+++ b/version.h
154@@ -1,6 +1,6 @@
155 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
156
157-#define SSH_VERSION "OpenSSH_6.6"
158+#define SSH_VERSION "OpenSSH_6.6.1"
159
160 #define SSH_PORTABLE "p1"
161 #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 49219cf93..ab64cbed5 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec Mon Sep 17 00:00:00 2001 1From 114c8a8fb488cbe39507edb75c51198a4b9e8b24 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2013-09-14 11Last-Update: 2014-10-07
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 90de888..37fd2de 100644 22index a252487..6c7741a 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options) 25@@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options)
26 options->ip_qos_interactive = -1; 26 options->ip_qos_interactive = -1;
27 options->ip_qos_bulk = -1; 27 options->ip_qos_bulk = -1;
28 options->version_addendum = NULL; 28 options->version_addendum = NULL;
@@ -30,34 +30,34 @@ index 90de888..37fd2de 100644
30 } 30 }
31 31
32 void 32 void
33@@ -309,6 +310,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options)
34 options->ip_qos_bulk = IPTOS_THROUGHPUT; 34 options->fwd_opts.streamlocal_bind_mask = 0177;
35 if (options->version_addendum == NULL) 35 if (options->fwd_opts.streamlocal_bind_unlink == -1)
36 options->version_addendum = xstrdup(""); 36 options->fwd_opts.streamlocal_bind_unlink = 0;
37+ if (options->debian_banner == -1) 37+ if (options->debian_banner == -1)
38+ options->debian_banner = 1; 38+ options->debian_banner = 1;
39 /* Turn privilege separation on by default */ 39 /* Turn privilege separation on by default */
40 if (use_privsep == -1) 40 if (use_privsep == -1)
41 use_privsep = PRIVSEP_NOSANDBOX; 41 use_privsep = PRIVSEP_NOSANDBOX;
42@@ -359,6 +362,7 @@ typedef enum { 42@@ -373,6 +376,7 @@ typedef enum {
43 sKexAlgorithms, sIPQoS, sVersionAddendum, 43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 44 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAuthenticationMethods, sHostKeyAgent, 45 sAllowStreamLocalForwarding,
46+ sDebianBanner, 46+ sDebianBanner,
47 sDeprecated, sUnsupported 47 sDeprecated, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -496,6 +500,7 @@ static struct { 50@@ -514,6 +518,7 @@ static struct {
51 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 51 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
52 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 52 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
53 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 53 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1654,6 +1659,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 } 59 intptr = &options->fwd_opts.streamlocal_bind_unlink;
60 return 0; 60 goto parse_flag;
61 61
62+ case sDebianBanner: 62+ case sDebianBanner:
63+ intptr = &options->debian_banner; 63+ intptr = &options->debian_banner;
@@ -67,10 +67,10 @@ index 90de888..37fd2de 100644
67 logit("%s line %d: Deprecated option %s", 67 logit("%s line %d: Deprecated option %s",
68 filename, linenum, arg); 68 filename, linenum, arg);
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index c922eb5..dcd1c2a 100644 70index f8265a8..fa48804 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -186,6 +186,8 @@ typedef struct { 73@@ -188,6 +188,8 @@ typedef struct {
74 74
75 u_int num_auth_methods; 75 u_int num_auth_methods;
76 char *auth_methods[MAX_AUTH_METHODS]; 76 char *auth_methods[MAX_AUTH_METHODS];
@@ -80,10 +80,10 @@ index c922eb5..dcd1c2a 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index af9b8f1..665c0b9 100644 83index 1710e71..87331c1 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out) 86@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
87 } 87 }
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index af9b8f1..665c0b9 100644
94 options.version_addendum, newline); 94 options.version_addendum, newline);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 2164d58..8f078f6 100644 97index 2843048..58997d3 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -413,6 +413,11 @@ or 100@@ -447,6 +447,11 @@ or
101 .Dq no . 101 .Dq no .
102 The default is 102 The default is
103 .Dq delayed . 103 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 9ada04a10..661d30ca8 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From df5c8d109fb3d9ec16a487107a44300ed3006849 Mon Sep 17 00:00:00 2001 1From 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
34 5 files changed, 51 insertions(+), 3 deletions(-) 34 5 files changed, 51 insertions(+), 3 deletions(-)
35 35
36diff --git a/readconf.c b/readconf.c 36diff --git a/readconf.c b/readconf.c
37index 32c4b42..5429fc2 100644 37index 0648867..29338b6 100644
38--- a/readconf.c 38--- a/readconf.c
39+++ b/readconf.c 39+++ b/readconf.c
40@@ -1640,7 +1640,7 @@ fill_default_options(Options * options) 40@@ -1681,7 +1681,7 @@ fill_default_options(Options * options)
41 if (options->forward_x11 == -1) 41 if (options->forward_x11 == -1)
42 options->forward_x11 = 0; 42 options->forward_x11 = 0;
43 if (options->forward_x11_trusted == -1) 43 if (options->forward_x11_trusted == -1)
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644
71+ GSSAPIAuthentication yes 71+ GSSAPIAuthentication yes
72+ GSSAPIDelegateCredentials no 72+ GSSAPIDelegateCredentials no
73diff --git a/ssh_config.5 b/ssh_config.5 73diff --git a/ssh_config.5 b/ssh_config.5
74index 1d500e9..22e6372 100644 74index a1005ba..da3c177 100644
75--- a/ssh_config.5 75--- a/ssh_config.5
76+++ b/ssh_config.5 76+++ b/ssh_config.5
77@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 77@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 1d500e9..22e6372 100644
97 The configuration file has the following format: 97 The configuration file has the following format:
98 .Pp 98 .Pp
99 Empty lines and lines starting with 99 Empty lines and lines starting with
100@@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes. 100@@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes.
101 Remote clients will be refused access after this time. 101 Remote clients will be refused access after this time.
102 .Pp 102 .Pp
103 The default is 103 The default is
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644
120 #StrictModes yes 120 #StrictModes yes
121 #MaxAuthTries 6 121 #MaxAuthTries 6
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index 908e0bb..90fd3f4 100644 123index 7396b23..7aa7b47 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 126@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index bc89c50fc..0212ea841 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 912129ba92bea401d8cdeadc7aa7084fbf7625a1 Mon Sep 17 00:00:00 2001 1From 4ac9937c1d9f1901ab0694114d76e59a138aae96 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index 630b97a..478c3d9 100644 21index c4d073c..e5872c1 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -203,6 +203,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
25 { 25 {
26 u_int counter; 26 u_int counter;
27 int result; 27 int result;
@@ -29,7 +29,7 @@ index 630b97a..478c3d9 100644
29 struct rrsetinfo *fingerprints = NULL; 29 struct rrsetinfo *fingerprints = NULL;
30 30
31 u_int8_t hostkey_algorithm; 31 u_int8_t hostkey_algorithm;
32@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 32@@ -226,8 +227,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
33 return -1; 33 return -1;
34 } 34 }
35 35
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 16c40b05f..8e6cfa575 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 1d108ef62050b4368e24e1efada16ec88c177fb8 Mon Sep 17 00:00:00 2001 1From 2fd0b3814e27d584efa6df92845a7354e7c2de6c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 4bf7cbb..1d500e9 100644 16index d68b45a..a1005ba 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -740,6 +740,9 @@ Note that existing names and addresses in known hosts files 19@@ -759,6 +759,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index da8fc7ed4..c1ce1bcae 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From 111de26347496af3f6ed04849fd29bc4bf1c2cea Mon Sep 17 00:00:00 2001 1From 252e76b3ad6e83a798e479a2beba5be7000ff85e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,10 +12,10 @@ Patch-Name: doc-upstart.patch
12 1 file changed, 4 insertions(+), 1 deletion(-) 12 1 file changed, 4 insertions(+), 1 deletion(-)
13 13
14diff --git a/sshd.8 b/sshd.8 14diff --git a/sshd.8 b/sshd.8
15index b016e90..cba168a 100644 15index 3538208..f8f9eac 100644
16--- a/sshd.8 16--- a/sshd.8
17+++ b/sshd.8 17+++ b/sshd.8
18@@ -70,7 +70,10 @@ over an insecure network. 18@@ -67,7 +67,10 @@ over an insecure network.
19 .Nm 19 .Nm
20 listens for connections from clients. 20 listens for connections from clients.
21 It is normally started at boot from 21 It is normally started at boot from
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index dab518f65..84fe03acc 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From b7df8fdb32f3d33b70ff8733cb0c39417e367534 Mon Sep 17 00:00:00 2001 1From 1195b028cb9f402633cfdcae6ec34bf63b4ab771 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d8439bf03..e8cbc1083 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001 1From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2014-03-19 20Last-Updated: 2014-10-07
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -36,9 +36,7 @@ Patch-Name: gssapi.patch
36 kex.c | 16 +++ 36 kex.c | 16 +++
37 kex.h | 14 +++ 37 kex.h | 14 +++
38 kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 38 kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
39 kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ 39 kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++
40 key.c | 3 +-
41 key.h | 1 +
42 monitor.c | 108 +++++++++++++++++- 40 monitor.c | 108 +++++++++++++++++-
43 monitor.h | 3 + 41 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 42 monitor_wrap.c | 47 +++++++-
@@ -54,7 +52,9 @@ Patch-Name: gssapi.patch
54 sshd.c | 110 ++++++++++++++++++ 52 sshd.c | 110 ++++++++++++++++++
55 sshd_config | 2 + 53 sshd_config | 2 +
56 sshd_config.5 | 28 +++++ 54 sshd_config.5 | 28 +++++
57 33 files changed, 2051 insertions(+), 59 deletions(-) 55 sshkey.c | 3 +-
56 sshkey.h | 1 +
57 33 files changed, 2052 insertions(+), 59 deletions(-)
58 create mode 100644 ChangeLog.gssapi 58 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c 59 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c 60 create mode 100644 kexgsss.c
@@ -179,10 +179,10 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
182index 28a8ec4..ee1d2c3 100644 182index 06be3d5..086d8dd 100644
183--- a/Makefile.in 183--- a/Makefile.in
184+++ b/Makefile.in 184+++ b/Makefile.in
185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 185@@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -190,7 +190,7 @@ index 28a8ec4..ee1d2c3 100644
190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \ 191 ssh-pkcs11.o krl.o smult_curve25519_ref.o \
192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ 192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
193@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 193@@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
194 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 194 auth2-none.o auth2-passwd.o auth2-pubkey.o \
195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
196 kexc25519s.o auth-krb5.o \ 196 kexc25519s.o auth-krb5.o \
@@ -200,10 +200,10 @@ index 28a8ec4..ee1d2c3 100644
200 sftp-server.o sftp-common.o \ 200 sftp-server.o sftp-common.o \
201 roaming_common.o roaming_serv.o \ 201 roaming_common.o roaming_serv.o \
202diff --git a/auth-krb5.c b/auth-krb5.c 202diff --git a/auth-krb5.c b/auth-krb5.c
203index 6c62bdf..69a1a53 100644 203index 0089b18..ec47869 100644
204--- a/auth-krb5.c 204--- a/auth-krb5.c
205+++ b/auth-krb5.c 205+++ b/auth-krb5.c
206@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 206@@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
207 207
208 len = strlen(authctxt->krb5_ticket_file) + 6; 208 len = strlen(authctxt->krb5_ticket_file) + 6;
209 authctxt->krb5_ccname = xmalloc(len); 209 authctxt->krb5_ccname = xmalloc(len);
@@ -217,7 +217,7 @@ index 6c62bdf..69a1a53 100644
217 217
218 #ifdef USE_PAM 218 #ifdef USE_PAM
219 if (options.use_pam) 219 if (options.use_pam)
220@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 220@@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
221 #ifndef HEIMDAL 221 #ifndef HEIMDAL
222 krb5_error_code 222 krb5_error_code
223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -242,7 +242,7 @@ index 6c62bdf..69a1a53 100644
242 old_umask = umask(0177); 242 old_umask = umask(0177);
243 tmpfd = mkstemp(ccname + strlen("FILE:")); 243 tmpfd = mkstemp(ccname + strlen("FILE:"));
244 oerrno = errno; 244 oerrno = errno;
245@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 245@@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
246 return oerrno; 246 return oerrno;
247 } 247 }
248 close(tmpfd); 248 close(tmpfd);
@@ -251,7 +251,7 @@ index 6c62bdf..69a1a53 100644
251 return (krb5_cc_resolve(ctx, ccname, ccache)); 251 return (krb5_cc_resolve(ctx, ccname, ccache));
252 } 252 }
253diff --git a/auth2-gss.c b/auth2-gss.c 253diff --git a/auth2-gss.c b/auth2-gss.c
254index c28a705..3ff2d72 100644 254index 447f896..284f364 100644
255--- a/auth2-gss.c 255--- a/auth2-gss.c
256+++ b/auth2-gss.c 256+++ b/auth2-gss.c
257@@ -1,7 +1,7 @@ 257@@ -1,7 +1,7 @@
@@ -263,7 +263,7 @@ index c28a705..3ff2d72 100644
263 * 263 *
264 * Redistribution and use in source and binary forms, with or without 264 * Redistribution and use in source and binary forms, with or without
265 * modification, are permitted provided that the following conditions 265 * modification, are permitted provided that the following conditions
266@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); 266@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
268 static void input_gssapi_errtok(int, u_int32_t, void *); 268 static void input_gssapi_errtok(int, u_int32_t, void *);
269 269
@@ -304,7 +304,7 @@ index c28a705..3ff2d72 100644
304 /* 304 /*
305 * We only support those mechanisms that we know about (ie ones that we know 305 * We only support those mechanisms that we know about (ie ones that we know
306 * how to check local user kuserok and the like) 306 * how to check local user kuserok and the like)
307@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 307@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
308 308
309 packet_check_eom(); 309 packet_check_eom();
310 310
@@ -314,7 +314,7 @@ index c28a705..3ff2d72 100644
314 314
315 authctxt->postponed = 0; 315 authctxt->postponed = 0;
316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
317@@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 317@@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
318 gssbuf.length = buffer_len(&b); 318 gssbuf.length = buffer_len(&b);
319 319
320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -324,7 +324,7 @@ index c28a705..3ff2d72 100644
324 else 324 else
325 logit("GSSAPI MIC check failed"); 325 logit("GSSAPI MIC check failed");
326 326
327@@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 327@@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
329 } 329 }
330 330
@@ -338,10 +338,10 @@ index c28a705..3ff2d72 100644
338 "gssapi-with-mic", 338 "gssapi-with-mic",
339 userauth_gssapi, 339 userauth_gssapi,
340diff --git a/auth2.c b/auth2.c 340diff --git a/auth2.c b/auth2.c
341index a5490c0..fbe3e1b 100644 341index d9b440a..2f0d565 100644
342--- a/auth2.c 342--- a/auth2.c
343+++ b/auth2.c 343+++ b/auth2.c
344@@ -69,6 +69,7 @@ extern Authmethod method_passwd; 344@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
345 extern Authmethod method_kbdint; 345 extern Authmethod method_kbdint;
346 extern Authmethod method_hostbased; 346 extern Authmethod method_hostbased;
347 #ifdef GSSAPI 347 #ifdef GSSAPI
@@ -349,7 +349,7 @@ index a5490c0..fbe3e1b 100644
349 extern Authmethod method_gssapi; 349 extern Authmethod method_gssapi;
350 #endif 350 #endif
351 351
352@@ -76,6 +77,7 @@ Authmethod *authmethods[] = { 352@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
353 &method_none, 353 &method_none,
354 &method_pubkey, 354 &method_pubkey,
355 #ifdef GSSAPI 355 #ifdef GSSAPI
@@ -358,7 +358,7 @@ index a5490c0..fbe3e1b 100644
358 #endif 358 #endif
359 &method_passwd, 359 &method_passwd,
360diff --git a/clientloop.c b/clientloop.c 360diff --git a/clientloop.c b/clientloop.c
361index 59ad3a2..6d8cd7d 100644 361index 397c965..f9175e3 100644
362--- a/clientloop.c 362--- a/clientloop.c
363+++ b/clientloop.c 363+++ b/clientloop.c
364@@ -111,6 +111,10 @@ 364@@ -111,6 +111,10 @@
@@ -372,7 +372,7 @@ index 59ad3a2..6d8cd7d 100644
372 /* import options */ 372 /* import options */
373 extern Options options; 373 extern Options options;
374 374
375@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 375@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
376 /* Do channel operations unless rekeying in progress. */ 376 /* Do channel operations unless rekeying in progress. */
377 if (!rekeying) { 377 if (!rekeying) {
378 channel_after_select(readset, writeset); 378 channel_after_select(readset, writeset);
@@ -389,7 +389,7 @@ index 59ad3a2..6d8cd7d 100644
389 debug("need rekeying"); 389 debug("need rekeying");
390 xxx_kex->done = 0; 390 xxx_kex->done = 0;
391diff --git a/config.h.in b/config.h.in 391diff --git a/config.h.in b/config.h.in
392index 0401ad1..6bc422c 100644 392index 16d6206..a9a8b7a 100644
393--- a/config.h.in 393--- a/config.h.in
394+++ b/config.h.in 394+++ b/config.h.in
395@@ -1622,6 +1622,9 @@ 395@@ -1622,6 +1622,9 @@
@@ -413,10 +413,10 @@ index 0401ad1..6bc422c 100644
413 #undef USE_SOLARIS_PROCESS_CONTRACTS 413 #undef USE_SOLARIS_PROCESS_CONTRACTS
414 414
415diff --git a/configure b/configure 415diff --git a/configure b/configure
416index d690393..b6b5b6d 100755 416index 6815388..ea5f200 100755
417--- a/configure 417--- a/configure
418+++ b/configure 418+++ b/configure
419@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h 419@@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
420 420
421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
422 422
@@ -481,7 +481,7 @@ index d690393..b6b5b6d 100755
481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
483diff --git a/configure.ac b/configure.ac 483diff --git a/configure.ac b/configure.ac
484index 7c6ce08..d235fb0 100644 484index 67c4486..90e81e1 100644
485--- a/configure.ac 485--- a/configure.ac
486+++ b/configure.ac 486+++ b/configure.ac
487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -866,7 +866,7 @@ index b39281b..1e569ad 100644
866+ 866+
867 #endif /* GSSAPI */ 867 #endif /* GSSAPI */
868diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 868diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
869index 759fa10..e678a27 100644 869index 795992d..fd8b371 100644
870--- a/gss-serv-krb5.c 870--- a/gss-serv-krb5.c
871+++ b/gss-serv-krb5.c 871+++ b/gss-serv-krb5.c
872@@ -1,7 +1,7 @@ 872@@ -1,7 +1,7 @@
@@ -878,7 +878,7 @@ index 759fa10..e678a27 100644
878 * 878 *
879 * Redistribution and use in source and binary forms, with or without 879 * Redistribution and use in source and binary forms, with or without
880 * modification, are permitted provided that the following conditions 880 * modification, are permitted provided that the following conditions
881@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 881@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
882 krb5_error_code problem; 882 krb5_error_code problem;
883 krb5_principal princ; 883 krb5_principal princ;
884 OM_uint32 maj_status, min_status; 884 OM_uint32 maj_status, min_status;
@@ -888,7 +888,7 @@ index 759fa10..e678a27 100644
888 888
889 if (client->creds == NULL) { 889 if (client->creds == NULL) {
890 debug("No credentials stored"); 890 debug("No credentials stored");
891@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 891@@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
892 return; 892 return;
893 } 893 }
894 894
@@ -909,7 +909,7 @@ index 759fa10..e678a27 100644
909 909
910 #ifdef USE_PAM 910 #ifdef USE_PAM
911 if (options.use_pam) 911 if (options.use_pam)
912@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 912@@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
913 return; 913 return;
914 } 914 }
915 915
@@ -981,7 +981,7 @@ index 759fa10..e678a27 100644
981 ssh_gssapi_mech gssapi_kerberos_mech = { 981 ssh_gssapi_mech gssapi_kerberos_mech = {
982 "toWM5Slw5Ew8Mqkay+al2g==", 982 "toWM5Slw5Ew8Mqkay+al2g==",
983 "Kerberos", 983 "Kerberos",
984@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { 984@@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
985 NULL, 985 NULL,
986 &ssh_gssapi_krb5_userok, 986 &ssh_gssapi_krb5_userok,
987 NULL, 987 NULL,
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644
992 992
993 #endif /* KRB5 */ 993 #endif /* KRB5 */
994diff --git a/gss-serv.c b/gss-serv.c 994diff --git a/gss-serv.c b/gss-serv.c
995index e61b37b..c33463b 100644 995index 5c59924..50fa438 100644
996--- a/gss-serv.c 996--- a/gss-serv.c
997+++ b/gss-serv.c 997+++ b/gss-serv.c
998@@ -1,7 +1,7 @@ 998@@ -1,7 +1,7 @@
999 /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ 999 /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
1000 1000
1001 /* 1001 /*
1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1002- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1029,7 +1029,7 @@ index e61b37b..c33463b 100644
1029 #ifdef KRB5 1029 #ifdef KRB5
1030 extern ssh_gssapi_mech gssapi_kerberos_mech; 1030 extern ssh_gssapi_mech gssapi_kerberos_mech;
1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 1031@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
1032 char lname[MAXHOSTNAMELEN]; 1032 char lname[NI_MAXHOST];
1033 gss_OID_set oidset; 1033 gss_OID_set oidset;
1034 1034
1035- gss_create_empty_oid_set(&status, &oidset); 1035- gss_create_empty_oid_set(&status, &oidset);
@@ -1038,11 +1038,11 @@ index e61b37b..c33463b 100644
1038+ gss_create_empty_oid_set(&status, &oidset); 1038+ gss_create_empty_oid_set(&status, &oidset);
1039+ gss_add_oid_set_member(&status, ctx->oid, &oidset); 1039+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
1040 1040
1041- if (gethostname(lname, MAXHOSTNAMELEN)) { 1041- if (gethostname(lname, sizeof(lname))) {
1042- gss_release_oid_set(&status, &oidset); 1042- gss_release_oid_set(&status, &oidset);
1043- return (-1); 1043- return (-1);
1044- } 1044- }
1045+ if (gethostname(lname, MAXHOSTNAMELEN)) { 1045+ if (gethostname(lname, sizeof(lname))) {
1046+ gss_release_oid_set(&status, &oidset); 1046+ gss_release_oid_set(&status, &oidset);
1047+ return (-1); 1047+ return (-1);
1048+ } 1048+ }
@@ -1310,10 +1310,10 @@ index e61b37b..c33463b 100644
1310 1310
1311 #endif 1311 #endif
1312diff --git a/kex.c b/kex.c 1312diff --git a/kex.c b/kex.c
1313index 74e2b86..d114ee3 100644 1313index a173e70..891852b 100644
1314--- a/kex.c 1314--- a/kex.c
1315+++ b/kex.c 1315+++ b/kex.c
1316@@ -51,6 +51,10 @@ 1316@@ -53,6 +53,10 @@
1317 #include "roaming.h" 1317 #include "roaming.h"
1318 #include "digest.h" 1318 #include "digest.h"
1319 1319
@@ -1324,8 +1324,8 @@ index 74e2b86..d114ee3 100644
1324 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1324 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1325 # if defined(HAVE_EVP_SHA256) 1325 # if defined(HAVE_EVP_SHA256)
1326 # define evp_ssh_sha256 EVP_sha256 1326 # define evp_ssh_sha256 EVP_sha256
1327@@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { 1327@@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = {
1328 #endif 1328 #endif /* HAVE_EVP_SHA256 */
1329 { NULL, -1, -1, -1}, 1329 { NULL, -1, -1, -1},
1330 }; 1330 };
1331+static const struct kexalg kexalg_prefixes[] = { 1331+static const struct kexalg kexalg_prefixes[] = {
@@ -1339,7 +1339,7 @@ index 74e2b86..d114ee3 100644
1339 1339
1340 char * 1340 char *
1341 kex_alg_list(char sep) 1341 kex_alg_list(char sep)
1342@@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) 1342@@ -124,6 +136,10 @@ kex_alg_by_name(const char *name)
1343 if (strcmp(k->name, name) == 0) 1343 if (strcmp(k->name, name) == 0)
1344 return k; 1344 return k;
1345 } 1345 }
@@ -1351,7 +1351,7 @@ index 74e2b86..d114ee3 100644
1351 } 1351 }
1352 1352
1353diff --git a/kex.h b/kex.h 1353diff --git a/kex.h b/kex.h
1354index c85680e..ea698c4 100644 1354index 4c40ec8..c179a4d 100644
1355--- a/kex.h 1355--- a/kex.h
1356+++ b/kex.h 1356+++ b/kex.h
1357@@ -76,6 +76,9 @@ enum kex_exchange { 1357@@ -76,6 +76,9 @@ enum kex_exchange {
@@ -1729,10 +1729,10 @@ index 0000000..92a31c5
1729+#endif /* GSSAPI */ 1729+#endif /* GSSAPI */
1730diff --git a/kexgsss.c b/kexgsss.c 1730diff --git a/kexgsss.c b/kexgsss.c
1731new file mode 100644 1731new file mode 100644
1732index 0000000..8095259 1732index 0000000..6a0ece8
1733--- /dev/null 1733--- /dev/null
1734+++ b/kexgsss.c 1734+++ b/kexgsss.c
1735@@ -0,0 +1,289 @@ 1735@@ -0,0 +1,290 @@
1736+/* 1736+/*
1737+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1737+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1738+ * 1738+ *
@@ -1777,6 +1777,7 @@ index 0000000..8095259
1777+#include "dh.h" 1777+#include "dh.h"
1778+#include "ssh-gss.h" 1778+#include "ssh-gss.h"
1779+#include "monitor_wrap.h" 1779+#include "monitor_wrap.h"
1780+#include "misc.h"
1780+#include "servconf.h" 1781+#include "servconf.h"
1781+ 1782+
1782+extern ServerOptions options; 1783+extern ServerOptions options;
@@ -2022,44 +2023,11 @@ index 0000000..8095259
2022+ ssh_gssapi_rekey_creds(); 2023+ ssh_gssapi_rekey_creds();
2023+} 2024+}
2024+#endif /* GSSAPI */ 2025+#endif /* GSSAPI */
2025diff --git a/key.c b/key.c
2026index 168e1b7..3d640e7 100644
2027--- a/key.c
2028+++ b/key.c
2029@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
2030 KEY_DSA_CERT_V00, 0, 1 },
2031 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
2032 KEY_ED25519_CERT, 0, 1 },
2033+ { "null", "null", KEY_NULL, 0, 0 },
2034 { NULL, NULL, -1, -1, 0 }
2035 };
2036
2037@@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only)
2038 const struct keytype *kt;
2039
2040 for (kt = keytypes; kt->type != -1; kt++) {
2041- if (kt->name == NULL)
2042+ if (kt->name == NULL || kt->type == KEY_NULL)
2043 continue;
2044 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
2045 continue;
2046diff --git a/key.h b/key.h
2047index d8ad13d..c8aeba2 100644
2048--- a/key.h
2049+++ b/key.h
2050@@ -46,6 +46,7 @@ enum types {
2051 KEY_ED25519_CERT,
2052 KEY_RSA_CERT_V00,
2053 KEY_DSA_CERT_V00,
2054+ KEY_NULL,
2055 KEY_UNSPEC
2056 };
2057 enum fp_type {
2058diff --git a/monitor.c b/monitor.c 2026diff --git a/monitor.c b/monitor.c
2059index 531c4f9..2918814 100644 2027index dbe29f1..b0896ef 100644
2060--- a/monitor.c 2028--- a/monitor.c
2061+++ b/monitor.c 2029+++ b/monitor.c
2062@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2030@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2063 int mm_answer_gss_accept_ctx(int, Buffer *); 2031 int mm_answer_gss_accept_ctx(int, Buffer *);
2064 int mm_answer_gss_userok(int, Buffer *); 2032 int mm_answer_gss_userok(int, Buffer *);
2065 int mm_answer_gss_checkmic(int, Buffer *); 2033 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2068,7 +2036,7 @@ index 531c4f9..2918814 100644
2068 #endif 2036 #endif
2069 2037
2070 #ifdef SSH_AUDIT_EVENTS 2038 #ifdef SSH_AUDIT_EVENTS
2071@@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = { 2039@@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = {
2072 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2040 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2073 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2041 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2074 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2042 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2084,10 +2052,10 @@ index 531c4f9..2918814 100644
2084+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, 2052+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
2085+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, 2053+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
2086+#endif 2054+#endif
2055 #ifdef WITH_OPENSSL
2087 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2056 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2088 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2057 #endif
2089 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2058@@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2090@@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2091 /* Permit requests for moduli and signatures */ 2059 /* Permit requests for moduli and signatures */
2092 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2060 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2093 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2098,7 +2066,7 @@ index 531c4f9..2918814 100644
2098 } else { 2066 } else {
2099 mon_dispatch = mon_dispatch_proto15; 2067 mon_dispatch = mon_dispatch_proto15;
2100 2068
2101@@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2069@@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2102 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2070 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2103 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2071 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2072 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2109,9 +2077,9 @@ index 531c4f9..2918814 100644
2109 } else { 2077 } else {
2110 mon_dispatch = mon_dispatch_postauth15; 2078 mon_dispatch = mon_dispatch_postauth15;
2111 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2079 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2112@@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m) 2080@@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m)
2113 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2114 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2081 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2082 #endif
2115 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2083 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
2116+#ifdef GSSAPI 2084+#ifdef GSSAPI
2117+ if (options.gss_keyex) { 2085+ if (options.gss_keyex) {
@@ -2123,7 +2091,7 @@ index 531c4f9..2918814 100644
2123 kex->server = 1; 2091 kex->server = 1;
2124 kex->hostkey_type = buffer_get_int(m); 2092 kex->hostkey_type = buffer_get_int(m);
2125 kex->kex_type = buffer_get_int(m); 2093 kex->kex_type = buffer_get_int(m);
2126@@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2094@@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2127 OM_uint32 major; 2095 OM_uint32 major;
2128 u_int len; 2096 u_int len;
2129 2097
@@ -2133,7 +2101,7 @@ index 531c4f9..2918814 100644
2133 goid.elements = buffer_get_string(m, &len); 2101 goid.elements = buffer_get_string(m, &len);
2134 goid.length = len; 2102 goid.length = len;
2135 2103
2136@@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2104@@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2137 OM_uint32 flags = 0; /* GSI needs this */ 2105 OM_uint32 flags = 0; /* GSI needs this */
2138 u_int len; 2106 u_int len;
2139 2107
@@ -2143,7 +2111,7 @@ index 531c4f9..2918814 100644
2143 in.value = buffer_get_string(m, &len); 2111 in.value = buffer_get_string(m, &len);
2144 in.length = len; 2112 in.length = len;
2145 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2113 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2146@@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2114@@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2147 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2115 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2148 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2116 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2149 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2117 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2151,7 +2119,7 @@ index 531c4f9..2918814 100644
2151 } 2119 }
2152 return (0); 2120 return (0);
2153 } 2121 }
2154@@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2122@@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2155 OM_uint32 ret; 2123 OM_uint32 ret;
2156 u_int len; 2124 u_int len;
2157 2125
@@ -2161,7 +2129,7 @@ index 531c4f9..2918814 100644
2161 gssbuf.value = buffer_get_string(m, &len); 2129 gssbuf.value = buffer_get_string(m, &len);
2162 gssbuf.length = len; 2130 gssbuf.length = len;
2163 mic.value = buffer_get_string(m, &len); 2131 mic.value = buffer_get_string(m, &len);
2164@@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2132@@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2165 { 2133 {
2166 int authenticated; 2134 int authenticated;
2167 2135
@@ -2174,7 +2142,7 @@ index 531c4f9..2918814 100644
2174 2142
2175 buffer_clear(m); 2143 buffer_clear(m);
2176 buffer_put_int(m, authenticated); 2144 buffer_put_int(m, authenticated);
2177@@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2145@@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2178 /* Monitor loop will terminate if authenticated */ 2146 /* Monitor loop will terminate if authenticated */
2179 return (authenticated); 2147 return (authenticated);
2180 } 2148 }
@@ -2263,10 +2231,10 @@ index 5bc41b5..7f32b0c 100644
2263 2231
2264 struct mm_master; 2232 struct mm_master;
2265diff --git a/monitor_wrap.c b/monitor_wrap.c 2233diff --git a/monitor_wrap.c b/monitor_wrap.c
2266index 1a47e41..60b987d 100644 2234index 45dc169..e476f0d 100644
2267--- a/monitor_wrap.c 2235--- a/monitor_wrap.c
2268+++ b/monitor_wrap.c 2236+++ b/monitor_wrap.c
2269@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2237@@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2270 } 2238 }
2271 2239
2272 int 2240 int
@@ -2275,7 +2243,7 @@ index 1a47e41..60b987d 100644
2275 { 2243 {
2276 Buffer m; 2244 Buffer m;
2277 int authenticated = 0; 2245 int authenticated = 0;
2278@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user) 2246@@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user)
2279 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2247 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2280 return (authenticated); 2248 return (authenticated);
2281 } 2249 }
@@ -2343,10 +2311,10 @@ index 18c2501..a4e9d24 100644
2343 2311
2344 #ifdef USE_PAM 2312 #ifdef USE_PAM
2345diff --git a/readconf.c b/readconf.c 2313diff --git a/readconf.c b/readconf.c
2346index dc884c9..7613ff2 100644 2314index 7948ce1..9127e93 100644
2347--- a/readconf.c 2315--- a/readconf.c
2348+++ b/readconf.c 2316+++ b/readconf.c
2349@@ -141,6 +141,8 @@ typedef enum { 2317@@ -142,6 +142,8 @@ typedef enum {
2350 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2318 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2351 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2319 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2352 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2320 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2355,7 +2323,7 @@ index dc884c9..7613ff2 100644
2355 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2323 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2356 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2324 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2357 oHashKnownHosts, 2325 oHashKnownHosts,
2358@@ -183,10 +185,19 @@ static struct { 2326@@ -185,10 +187,19 @@ static struct {
2359 { "afstokenpassing", oUnsupported }, 2327 { "afstokenpassing", oUnsupported },
2360 #if defined(GSSAPI) 2328 #if defined(GSSAPI)
2361 { "gssapiauthentication", oGssAuthentication }, 2329 { "gssapiauthentication", oGssAuthentication },
@@ -2375,7 +2343,7 @@ index dc884c9..7613ff2 100644
2375 #endif 2343 #endif
2376 { "fallbacktorsh", oDeprecated }, 2344 { "fallbacktorsh", oDeprecated },
2377 { "usersh", oDeprecated }, 2345 { "usersh", oDeprecated },
2378@@ -841,10 +852,30 @@ parse_time: 2346@@ -865,10 +876,30 @@ parse_time:
2379 intptr = &options->gss_authentication; 2347 intptr = &options->gss_authentication;
2380 goto parse_flag; 2348 goto parse_flag;
2381 2349
@@ -2406,7 +2374,7 @@ index dc884c9..7613ff2 100644
2406 case oBatchMode: 2374 case oBatchMode:
2407 intptr = &options->batch_mode; 2375 intptr = &options->batch_mode;
2408 goto parse_flag; 2376 goto parse_flag;
2409@@ -1497,7 +1528,12 @@ initialize_options(Options * options) 2377@@ -1538,7 +1569,12 @@ initialize_options(Options * options)
2410 options->pubkey_authentication = -1; 2378 options->pubkey_authentication = -1;
2411 options->challenge_response_authentication = -1; 2379 options->challenge_response_authentication = -1;
2412 options->gss_authentication = -1; 2380 options->gss_authentication = -1;
@@ -2419,7 +2387,7 @@ index dc884c9..7613ff2 100644
2419 options->password_authentication = -1; 2387 options->password_authentication = -1;
2420 options->kbd_interactive_authentication = -1; 2388 options->kbd_interactive_authentication = -1;
2421 options->kbd_interactive_devices = NULL; 2389 options->kbd_interactive_devices = NULL;
2422@@ -1616,8 +1652,14 @@ fill_default_options(Options * options) 2390@@ -1661,8 +1697,14 @@ fill_default_options(Options * options)
2423 options->challenge_response_authentication = 1; 2391 options->challenge_response_authentication = 1;
2424 if (options->gss_authentication == -1) 2392 if (options->gss_authentication == -1)
2425 options->gss_authentication = 0; 2393 options->gss_authentication = 0;
@@ -2435,10 +2403,10 @@ index dc884c9..7613ff2 100644
2435 options->password_authentication = 1; 2403 options->password_authentication = 1;
2436 if (options->kbd_interactive_authentication == -1) 2404 if (options->kbd_interactive_authentication == -1)
2437diff --git a/readconf.h b/readconf.h 2405diff --git a/readconf.h b/readconf.h
2438index 75e3f8f..5cc97f0 100644 2406index 0b9cb77..0e29889 100644
2439--- a/readconf.h 2407--- a/readconf.h
2440+++ b/readconf.h 2408+++ b/readconf.h
2441@@ -54,7 +54,12 @@ typedef struct { 2409@@ -45,7 +45,12 @@ typedef struct {
2442 int challenge_response_authentication; 2410 int challenge_response_authentication;
2443 /* Try S/Key or TIS, authentication. */ 2411 /* Try S/Key or TIS, authentication. */
2444 int gss_authentication; /* Try GSS authentication */ 2412 int gss_authentication; /* Try GSS authentication */
@@ -2452,10 +2420,10 @@ index 75e3f8f..5cc97f0 100644
2452 * authentication. */ 2420 * authentication. */
2453 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2421 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2454diff --git a/servconf.c b/servconf.c 2422diff --git a/servconf.c b/servconf.c
2455index 7ba65d5..0083cf8 100644 2423index b7f3294..cb3c831 100644
2456--- a/servconf.c 2424--- a/servconf.c
2457+++ b/servconf.c 2425+++ b/servconf.c
2458@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) 2426@@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options)
2459 options->kerberos_ticket_cleanup = -1; 2427 options->kerberos_ticket_cleanup = -1;
2460 options->kerberos_get_afs_token = -1; 2428 options->kerberos_get_afs_token = -1;
2461 options->gss_authentication=-1; 2429 options->gss_authentication=-1;
@@ -2466,7 +2434,7 @@ index 7ba65d5..0083cf8 100644
2466 options->password_authentication = -1; 2434 options->password_authentication = -1;
2467 options->kbd_interactive_authentication = -1; 2435 options->kbd_interactive_authentication = -1;
2468 options->challenge_response_authentication = -1; 2436 options->challenge_response_authentication = -1;
2469@@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options) 2437@@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options)
2470 options->kerberos_get_afs_token = 0; 2438 options->kerberos_get_afs_token = 0;
2471 if (options->gss_authentication == -1) 2439 if (options->gss_authentication == -1)
2472 options->gss_authentication = 0; 2440 options->gss_authentication = 0;
@@ -2481,7 +2449,7 @@ index 7ba65d5..0083cf8 100644
2481 if (options->password_authentication == -1) 2449 if (options->password_authentication == -1)
2482 options->password_authentication = 1; 2450 options->password_authentication = 1;
2483 if (options->kbd_interactive_authentication == -1) 2451 if (options->kbd_interactive_authentication == -1)
2484@@ -340,7 +349,9 @@ typedef enum { 2452@@ -352,7 +361,9 @@ typedef enum {
2485 sBanner, sUseDNS, sHostbasedAuthentication, 2453 sBanner, sUseDNS, sHostbasedAuthentication,
2486 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2454 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2487 sClientAliveCountMax, sAuthorizedKeysFile, 2455 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2492,7 +2460,7 @@ index 7ba65d5..0083cf8 100644
2492 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2460 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2493 sUsePrivilegeSeparation, sAllowAgentForwarding, 2461 sUsePrivilegeSeparation, sAllowAgentForwarding,
2494 sHostCertificate, 2462 sHostCertificate,
2495@@ -407,10 +418,20 @@ static struct { 2463@@ -421,10 +432,20 @@ static struct {
2496 #ifdef GSSAPI 2464 #ifdef GSSAPI
2497 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2465 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2498 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2466 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2513,7 +2481,7 @@ index 7ba65d5..0083cf8 100644
2513 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2481 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2514 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2482 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2515 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2483 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2516@@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line, 2484@@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line,
2517 intptr = &options->gss_authentication; 2485 intptr = &options->gss_authentication;
2518 goto parse_flag; 2486 goto parse_flag;
2519 2487
@@ -2536,7 +2504,7 @@ index 7ba65d5..0083cf8 100644
2536 case sPasswordAuthentication: 2504 case sPasswordAuthentication:
2537 intptr = &options->password_authentication; 2505 intptr = &options->password_authentication;
2538 goto parse_flag; 2506 goto parse_flag;
2539@@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o) 2507@@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o)
2540 #endif 2508 #endif
2541 #ifdef GSSAPI 2509 #ifdef GSSAPI
2542 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2510 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2548,10 +2516,10 @@ index 7ba65d5..0083cf8 100644
2548 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2516 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2549 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2517 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2550diff --git a/servconf.h b/servconf.h 2518diff --git a/servconf.h b/servconf.h
2551index 752d1c5..c922eb5 100644 2519index 766db3a..f8265a8 100644
2552--- a/servconf.h 2520--- a/servconf.h
2553+++ b/servconf.h 2521+++ b/servconf.h
2554@@ -112,7 +112,10 @@ typedef struct { 2522@@ -113,7 +113,10 @@ typedef struct {
2555 int kerberos_get_afs_token; /* If true, try to get AFS token if 2523 int kerberos_get_afs_token; /* If true, try to get AFS token if
2556 * authenticated with Kerberos. */ 2524 * authenticated with Kerberos. */
2557 int gss_authentication; /* If true, permit GSSAPI authentication */ 2525 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2679,10 +2647,10 @@ index 03a228f..228e5ab 100644
2679 # CheckHostIP yes 2647 # CheckHostIP yes
2680 # AddressFamily any 2648 # AddressFamily any
2681diff --git a/ssh_config.5 b/ssh_config.5 2649diff --git a/ssh_config.5 b/ssh_config.5
2682index b580392..e7accd6 100644 2650index f9ede7a..e6649ac 100644
2683--- a/ssh_config.5 2651--- a/ssh_config.5
2684+++ b/ssh_config.5 2652+++ b/ssh_config.5
2685@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. 2653@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2686 The default is 2654 The default is
2687 .Dq no . 2655 .Dq no .
2688 Note that this option applies to protocol version 2 only. 2656 Note that this option applies to protocol version 2 only.
@@ -2728,11 +2696,11 @@ index b580392..e7accd6 100644
2728 Indicates that 2696 Indicates that
2729 .Xr ssh 1 2697 .Xr ssh 1
2730diff --git a/sshconnect2.c b/sshconnect2.c 2698diff --git a/sshconnect2.c b/sshconnect2.c
2731index 7f4ff41..66cb035 100644 2699index 68f7f4f..7b478f1 100644
2732--- a/sshconnect2.c 2700--- a/sshconnect2.c
2733+++ b/sshconnect2.c 2701+++ b/sshconnect2.c
2734@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2702@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2735 { 2703 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
2736 Kex *kex; 2704 Kex *kex;
2737 2705
2738+#ifdef GSSAPI 2706+#ifdef GSSAPI
@@ -2766,9 +2734,9 @@ index 7f4ff41..66cb035 100644
2766 if (options.ciphers == (char *)-1) { 2734 if (options.ciphers == (char *)-1) {
2767 logit("No valid ciphers for protocol version 2 given, using defaults."); 2735 logit("No valid ciphers for protocol version 2 given, using defaults.");
2768 options.ciphers = NULL; 2736 options.ciphers = NULL;
2769@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2737@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2770 if (options.kex_algorithms != NULL) 2738 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
2771 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2739 myproposal[PROPOSAL_KEX_ALGS]);
2772 2740
2773+#ifdef GSSAPI 2741+#ifdef GSSAPI
2774+ /* If we've got GSSAPI algorithms, then we also support the 2742+ /* If we've got GSSAPI algorithms, then we also support the
@@ -2784,9 +2752,9 @@ index 7f4ff41..66cb035 100644
2784 if (options.rekey_limit || options.rekey_interval) 2752 if (options.rekey_limit || options.rekey_interval)
2785 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2753 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2786 (time_t)options.rekey_interval); 2754 (time_t)options.rekey_interval);
2787@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2755@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2788 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2789 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2756 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2757 #endif
2790 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2758 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
2791+#ifdef GSSAPI 2759+#ifdef GSSAPI
2792+ if (options.gss_keyex) { 2760+ if (options.gss_keyex) {
@@ -2815,7 +2783,7 @@ index 7f4ff41..66cb035 100644
2815 xxx_kex = kex; 2783 xxx_kex = kex;
2816 2784
2817 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2785 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2818@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); 2786@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
2819 void input_gssapi_hash(int type, u_int32_t, void *); 2787 void input_gssapi_hash(int type, u_int32_t, void *);
2820 void input_gssapi_error(int, u_int32_t, void *); 2788 void input_gssapi_error(int, u_int32_t, void *);
2821 void input_gssapi_errtok(int, u_int32_t, void *); 2789 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2823,7 +2791,7 @@ index 7f4ff41..66cb035 100644
2823 #endif 2791 #endif
2824 2792
2825 void userauth(Authctxt *, char *); 2793 void userauth(Authctxt *, char *);
2826@@ -316,6 +373,11 @@ static char *authmethods_get(void); 2794@@ -321,6 +378,11 @@ static char *authmethods_get(void);
2827 2795
2828 Authmethod authmethods[] = { 2796 Authmethod authmethods[] = {
2829 #ifdef GSSAPI 2797 #ifdef GSSAPI
@@ -2835,7 +2803,7 @@ index 7f4ff41..66cb035 100644
2835 {"gssapi-with-mic", 2803 {"gssapi-with-mic",
2836 userauth_gssapi, 2804 userauth_gssapi,
2837 NULL, 2805 NULL,
2838@@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt) 2806@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
2839 static u_int mech = 0; 2807 static u_int mech = 0;
2840 OM_uint32 min; 2808 OM_uint32 min;
2841 int ok = 0; 2809 int ok = 0;
@@ -2869,7 +2837,7 @@ index 7f4ff41..66cb035 100644
2869 ok = 1; /* Mechanism works */ 2837 ok = 1; /* Mechanism works */
2870 } else { 2838 } else {
2871 mech++; 2839 mech++;
2872@@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2840@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2873 { 2841 {
2874 Authctxt *authctxt = ctxt; 2842 Authctxt *authctxt = ctxt;
2875 Gssctxt *gssctxt; 2843 Gssctxt *gssctxt;
@@ -2880,7 +2848,7 @@ index 7f4ff41..66cb035 100644
2880 2848
2881 if (authctxt == NULL) 2849 if (authctxt == NULL)
2882 fatal("input_gssapi_response: no authentication context"); 2850 fatal("input_gssapi_response: no authentication context");
2883@@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2851@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2884 free(msg); 2852 free(msg);
2885 free(lang); 2853 free(lang);
2886 } 2854 }
@@ -2930,10 +2898,10 @@ index 7f4ff41..66cb035 100644
2930 2898
2931 int 2899 int
2932diff --git a/sshd.c b/sshd.c 2900diff --git a/sshd.c b/sshd.c
2933index 7523de9..d787fea 100644 2901index 481d001..e6706a8 100644
2934--- a/sshd.c 2902--- a/sshd.c
2935+++ b/sshd.c 2903+++ b/sshd.c
2936@@ -122,6 +122,10 @@ 2904@@ -123,6 +123,10 @@
2937 #include "ssh-sandbox.h" 2905 #include "ssh-sandbox.h"
2938 #include "version.h" 2906 #include "version.h"
2939 2907
@@ -2941,10 +2909,10 @@ index 7523de9..d787fea 100644
2941+#include <Security/AuthSession.h> 2909+#include <Security/AuthSession.h>
2942+#endif 2910+#endif
2943+ 2911+
2944 #ifdef LIBWRAP 2912 #ifndef O_NOCTTY
2945 #include <tcpd.h> 2913 #define O_NOCTTY 0
2946 #include <syslog.h> 2914 #endif
2947@@ -1728,10 +1732,13 @@ main(int ac, char **av) 2915@@ -1745,10 +1749,13 @@ main(int ac, char **av)
2948 logit("Disabling protocol version 1. Could not load host key"); 2916 logit("Disabling protocol version 1. Could not load host key");
2949 options.protocol &= ~SSH_PROTO_1; 2917 options.protocol &= ~SSH_PROTO_1;
2950 } 2918 }
@@ -2958,7 +2926,7 @@ index 7523de9..d787fea 100644
2958 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2926 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2959 logit("sshd: no hostkeys available -- exiting."); 2927 logit("sshd: no hostkeys available -- exiting.");
2960 exit(1); 2928 exit(1);
2961@@ -2058,6 +2065,60 @@ main(int ac, char **av) 2929@@ -2060,6 +2067,60 @@ main(int ac, char **av)
2962 remote_ip, remote_port, 2930 remote_ip, remote_port,
2963 get_local_ipaddr(sock_in), get_local_port()); 2931 get_local_ipaddr(sock_in), get_local_port());
2964 2932
@@ -3019,7 +2987,7 @@ index 7523de9..d787fea 100644
3019 /* 2987 /*
3020 * We don't want to listen forever unless the other side 2988 * We don't want to listen forever unless the other side
3021 * successfully authenticates itself. So we set up an alarm which is 2989 * successfully authenticates itself. So we set up an alarm which is
3022@@ -2469,6 +2530,48 @@ do_ssh2_kex(void) 2990@@ -2482,6 +2543,48 @@ do_ssh2_kex(void)
3023 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2991 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3024 list_hostkey_types()); 2992 list_hostkey_types());
3025 2993
@@ -3067,10 +3035,10 @@ index 7523de9..d787fea 100644
3067+ 3035+
3068 /* start key exchange */ 3036 /* start key exchange */
3069 kex = kex_setup(myproposal); 3037 kex = kex_setup(myproposal);
3070 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3038 #ifdef WITH_OPENSSL
3071@@ -2477,6 +2580,13 @@ do_ssh2_kex(void) 3039@@ -2492,6 +2595,13 @@ do_ssh2_kex(void)
3072 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3073 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3040 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
3041 #endif
3074 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3042 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
3075+#ifdef GSSAPI 3043+#ifdef GSSAPI
3076+ if (options.gss_keyex) { 3044+ if (options.gss_keyex) {
@@ -3096,10 +3064,10 @@ index e9045bc..d9b8594 100644
3096 # Set this to 'yes' to enable PAM authentication, account processing, 3064 # Set this to 'yes' to enable PAM authentication, account processing,
3097 # and session processing. If this is enabled, PAM authentication will 3065 # and session processing. If this is enabled, PAM authentication will
3098diff --git a/sshd_config.5 b/sshd_config.5 3066diff --git a/sshd_config.5 b/sshd_config.5
3099index ce71efe..ceed88a 100644 3067index fd44abe..c8b43da 100644
3100--- a/sshd_config.5 3068--- a/sshd_config.5
3101+++ b/sshd_config.5 3069+++ b/sshd_config.5
3102@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. 3070@@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
3103 The default is 3071 The default is
3104 .Dq no . 3072 .Dq no .
3105 Note that this option applies to protocol version 2 only. 3073 Note that this option applies to protocol version 2 only.
@@ -3140,3 +3108,36 @@ index ce71efe..ceed88a 100644
3140 .It Cm HostbasedAuthentication 3108 .It Cm HostbasedAuthentication
3141 Specifies whether rhosts or /etc/hosts.equiv authentication together 3109 Specifies whether rhosts or /etc/hosts.equiv authentication together
3142 with successful public key client host authentication is allowed 3110 with successful public key client host authentication is allowed
3111diff --git a/sshkey.c b/sshkey.c
3112index fdd0c8a..1a96eae 100644
3113--- a/sshkey.c
3114+++ b/sshkey.c
3115@@ -110,6 +110,7 @@ static const struct keytype keytypes[] = {
3116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
3117 KEY_DSA_CERT_V00, 0, 1 },
3118 #endif /* WITH_OPENSSL */
3119+ { "null", "null", KEY_NULL, 0, 0 },
3120 { NULL, NULL, -1, -1, 0 }
3121 };
3122
3123@@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only)
3124 const struct keytype *kt;
3125
3126 for (kt = keytypes; kt->type != -1; kt++) {
3127- if (kt->name == NULL)
3128+ if (kt->name == NULL || kt->type == KEY_NULL)
3129 continue;
3130 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3131 continue;
3132diff --git a/sshkey.h b/sshkey.h
3133index 450b30c..b573e7f 100644
3134--- a/sshkey.h
3135+++ b/sshkey.h
3136@@ -64,6 +64,7 @@ enum sshkey_types {
3137 KEY_ED25519_CERT,
3138 KEY_RSA_CERT_V00,
3139 KEY_DSA_CERT_V00,
3140+ KEY_NULL,
3141 KEY_UNSPEC
3142 };
3143
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index e79f4990f..de43f2a80 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From ef912859a4300360164292abe47b5516c8ee4a13 Mon Sep 17 00:00:00 2001 1From aca34215fc0e85d6b49e04f0a3cd0db79732125e Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch
12 1 file changed, 1 insertion(+), 1 deletion(-) 12 1 file changed, 1 insertion(+), 1 deletion(-)
13 13
14diff --git a/serverloop.c b/serverloop.c 14diff --git a/serverloop.c b/serverloop.c
15index 2f8e3a0..441d73b 100644 15index e92f9e2..813e5bf 100644
16--- a/serverloop.c 16--- a/serverloop.c
17+++ b/serverloop.c 17+++ b/serverloop.c
18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 680701f3d..15acabc0e 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 81540b7886fdc73c7be304706ea33d6d87b5fc81 Mon Sep 17 00:00:00 2001 1From bd3abc2f732da3a61e4158b915480808957a4357 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2013-09-14 19Last-Update: 2014-10-07
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index bcd8cad..6409937 100644 29index bc879eb..337818c 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -151,6 +151,7 @@ typedef enum { 32@@ -153,6 +153,7 @@ typedef enum {
33 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
34 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, 33 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
35 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, 34 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
35 oStreamLocalBindMask, oStreamLocalBindUnlink,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -274,6 +275,8 @@ static struct { 40@@ -278,6 +279,8 @@ static struct {
41 { "canonicalizemaxdots", oCanonicalizeMaxDots }, 41 { "streamlocalbindmask", oStreamLocalBindMask },
42 { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, 42 { "streamlocalbindunlink", oStreamLocalBindUnlink },
43 { "ignoreunknown", oIgnoreUnknown }, 43 { "ignoreunknown", oIgnoreUnknown },
44+ { "protocolkeepalives", oProtocolKeepAlives }, 44+ { "protocolkeepalives", oProtocolKeepAlives },
45+ { "setuptimeout", oSetupTimeOut }, 45+ { "setuptimeout", oSetupTimeOut },
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1247,6 +1250,8 @@ parse_int: 49@@ -1271,6 +1274,8 @@ parse_int:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index bcd8cad..6409937 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -1746,8 +1751,13 @@ fill_default_options(Options * options) 58@@ -1791,8 +1796,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index bcd8cad..6409937 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 473971e..3172fd4 100644 75index 01f1f7f..ea92ea8 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -205,8 +205,12 @@ Valid arguments are 78@@ -205,8 +205,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index 473971e..3172fd4 100644
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Dq yes
91 or 91 or
92@@ -1305,8 +1309,15 @@ from the server, 92@@ -1336,8 +1340,15 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -103,10 +103,10 @@ index 473971e..3172fd4 100644
103+and 103+and
104+.Cm SetupTimeOut 104+.Cm SetupTimeOut
105+are Debian-specific compatibility aliases for this option. 105+are Debian-specific compatibility aliases for this option.
106 .It Cm StrictHostKeyChecking 106 .It Cm StreamLocalBindMask
107 If this flag is set to 107 Sets the octal file creation mode mask
108 .Dq yes , 108 .Pq umask
109@@ -1345,6 +1356,12 @@ Specifies whether the system should send TCP keepalive messages to the 109@@ -1403,6 +1414,12 @@ Specifies whether the system should send TCP keepalive messages to the
110 other side. 110 other side.
111 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
112 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 473971e..3172fd4 100644
120 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
121 find it annoying. 121 find it annoying.
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index ceed88a..2164d58 100644 123index c8b43da..2843048 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -1183,6 +1183,9 @@ This avoids infinitely hanging sessions. 126@@ -1307,6 +1307,9 @@ This avoids infinitely hanging sessions.
127 .Pp 127 .Pp
128 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
129 .Dq no . 129 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 09e09ecf8..81b924e35 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
1From eb567100ef178f4395c95cc1f37b921e02c3dd5b Mon Sep 17 00:00:00 2001 1From 248d3bb8de371b55aaf3a8f544c15f3a25eb7339 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:08 +0000 3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Subject: Fix picky lintian errors about slogin symlinks 4Subject: Fix picky lintian errors about slogin symlinks
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch
15 1 file changed, 2 insertions(+), 2 deletions(-) 15 1 file changed, 2 insertions(+), 2 deletions(-)
16 16
17diff --git a/Makefile.in b/Makefile.in 17diff --git a/Makefile.in b/Makefile.in
18index feee0b2..7d192bb 100644 18index a4402e9..4eab574 100644
19--- a/Makefile.in 19--- a/Makefile.in
20+++ b/Makefile.in 20+++ b/Makefile.in
21@@ -293,9 +293,9 @@ install-files: 21@@ -315,9 +315,9 @@ install-files:
22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
24 -rm -f $(DESTDIR)$(bindir)/slogin 24 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index e00b6c345..f90c7e2b1 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 8ab8f1465980856291f215c7b7184a4456398fb4 Mon Sep 17 00:00:00 2001 1From 064453886f4c3d8ac0b0c8d015ad614c8bce3b42 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 6 insertions(+), 1 deletion(-) 13 1 file changed, 6 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index 9e02837..e0a5db9 100644 16index 26116d2..ab83d0c 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -1065,9 +1065,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1066,9 +1066,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
20 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
21 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
22 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index 9e02837..e0a5db9 100644
30 } 30 }
31 /* The host key has changed. */ 31 /* The host key has changed. */
32 warn_changed_key(host_key); 32 warn_changed_key(host_key);
33@@ -1075,6 +1078,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 33@@ -1076,6 +1079,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
34 user_hostfiles[0]); 34 user_hostfiles[0]);
35 error("Offending %s key in %s:%lu", key_type(host_found->key), 35 error("Offending %s key in %s:%lu", key_type(host_found->key),
36 host_found->file, host_found->line); 36 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
deleted file mode 100644
index 56fa46aac..000000000
--- a/debian/patches/no-openssl-version-check.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1From 20690ea4b33e8ff81fea287492270df3a7029777 Mon Sep 17 00:00:00 2001
2From: Philip Hands <phil@hands.com>
3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Disable OpenSSL version check
5
6OpenSSL's SONAME is sufficient nowadays.
7
8Author: Colin Watson <cjwatson@debian.org>
9Bug-Debian: http://bugs.debian.org/93581
10Bug-Debian: http://bugs.debian.org/664383
11Forwarded: not-needed
12Last-Update: 2013-12-23
13
14Patch-Name: no-openssl-version-check.patch
15---
16 entropy.c | 12 ------------
17 1 file changed, 12 deletions(-)
18
19diff --git a/entropy.c b/entropy.c
20index 2d483b3..2aee2d9 100644
21--- a/entropy.c
22+++ b/entropy.c
23@@ -209,18 +209,6 @@ seed_rng(void)
24 #ifndef OPENSSL_PRNG_ONLY
25 unsigned char buf[RANDOM_SEED_SIZE];
26 #endif
27- /*
28- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
29- * We match major, minor, fix and status (not patch) for <1.0.0.
30- * After that, we acceptable compatible fix versions (so we
31- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
32- * within a patch series.
33- */
34- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
35- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
36- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
37- fatal("OpenSSL version mismatch. Built against %lx, you "
38- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
39
40 #ifndef OPENSSL_PRNG_ONLY
41 if (RAND_status() == 1) {
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
new file mode 100644
index 000000000..dfcef83b0
--- /dev/null
+++ b/debian/patches/no-openssl-version-status.patch
@@ -0,0 +1,62 @@
1From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version
5
6There is no reason to check the version of OpenSSL (in Debian). If it's
7not compatible the soname will change. OpenSSH seems to want to do a
8check for the soname based on the version number, but wants to keep the
9status of the release the same. Remove that check on the status since
10it doesn't tell you anything about how compatible that version is.
11
12Author: Colin Watson <cjwatson@debian.org>
13Bug-Debian: https://bugs.debian.org/93581
14Bug-Debian: https://bugs.debian.org/664383
15Bug-Debian: https://bugs.debian.org/732940
16Forwarded: not-needed
17Last-Update: 2014-10-07
18
19Patch-Name: no-openssl-version-status.patch
20---
21 openbsd-compat/openssl-compat.c | 6 +++---
22 openbsd-compat/regress/opensslvertest.c | 1 +
23 2 files changed, 4 insertions(+), 3 deletions(-)
24
25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
26index 36570e4..defd5fb 100644
27--- a/openbsd-compat/openssl-compat.c
28+++ b/openbsd-compat/openssl-compat.c
29@@ -34,7 +34,7 @@
30 /*
31 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
32 * We match major, minor, fix and status (not patch) for <1.0.0.
33- * After that, we acceptable compatible fix versions (so we
34+ * After that, we accept compatible fix and status versions (so we
35 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
36 * within a patch series.
37 */
38@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
39 }
40
41 /*
42- * For versions >= 1.0.0, major,minor,status must match and library
43+ * For versions >= 1.0.0, major,minor must match and library
44 * fix version must be equal to or newer than the header.
45 */
46- mask = 0xfff0000fL; /* major,minor,status */
47+ mask = 0xfff00000L; /* major,minor */
48 hfix = (headerver & 0x000ff000) >> 12;
49 lfix = (libver & 0x000ff000) >> 12;
50 if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
51diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
52index 5d019b5..5847487 100644
53--- a/openbsd-compat/regress/opensslvertest.c
54+++ b/openbsd-compat/regress/opensslvertest.c
55@@ -35,6 +35,7 @@ struct version_test {
56
57 /* built with 1.0.1b release headers */
58 { 0x1000101fL, 0x1000101fL, 1},/* exact match */
59+ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
60 { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
61 { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
62 { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9a34a4182..37ad675d4 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From ec9bfd62211fdf5a3004ef2045c2eb3baccfd375 Mon Sep 17 00:00:00 2001 1From 0b9407d3023938b02bccf7dd1874a871d0cc8eb5 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -10,7 +10,7 @@ No single bug reference for this patch, but history includes:
10 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 10 https://bugs.launchpad.net/bugs/456660 (ssl(8))
11 11
12Forwarded: not-needed 12Forwarded: not-needed
13Last-Update: 2013-09-14 13Last-Update: 2014-10-07
14 14
15Patch-Name: openbsd-docs.patch 15Patch-Name: openbsd-docs.patch
16--- 16---
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 12e00d4..a71de74 100644 47index 723a016..79b948c 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -172,9 +172,7 @@ key in 50@@ -172,9 +172,7 @@ key in
@@ -88,10 +88,10 @@ index 12e00d4..a71de74 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index ff5e6ac..67b4f44 100644 91index 7f6ab77..de178cd 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys, 94@@ -753,6 +753,10 @@ Protocol 1 is restricted to using only RSA keys,
95 but protocol 2 may use any. 95 but protocol 2 may use any.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,10 +103,10 @@ index ff5e6ac..67b4f44 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index e6a900b..b016e90 100644 106index eaeac45..3538208 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -70,7 +70,7 @@ over an insecure network. 109@@ -67,7 +67,7 @@ over an insecure network.
110 .Nm 110 .Nm
111 listens for connections from clients. 111 listens for connections from clients.
112 It is normally started at boot from 112 It is normally started at boot from
@@ -133,14 +133,14 @@ index e6a900b..b016e90 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 8f078f6..908e0bb 100644 136index 58997d3..7396b23 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -283,8 +283,7 @@ This option is only available for protocol version 2. 139@@ -303,8 +303,7 @@ This option is only available for protocol version 2.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
143-PAM or though authentication styles supported in 143-PAM or through authentication styles supported in
144-.Xr login.conf 5 ) 144-.Xr login.conf 5 )
145+PAM). 145+PAM).
146 The default is 146 The default is
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index c9c20d1c0..07a28af9a 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 6de70b95f5005447ae23532d4f3ee41a9338479f Mon Sep 17 00:00:00 2001 1From 8679c96f74ee7dbea6c15c764b036fbab7372740 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index e0a5db9..87c3770 100644 22index ab83d0c..563405e 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -520,10 +520,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -521,10 +521,10 @@ send_client_banner(int connection_out, int minor1)
26 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
27 if (compat20) { 27 if (compat20) {
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,10 +36,10 @@ index e0a5db9..87c3770 100644
36 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (roaming_atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index e343d90..af9b8f1 100644 39index 48a14dd..1710e71 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
43 } 43 }
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,11 +49,11 @@ index e343d90..af9b8f1 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index a1579ac..a97c337 100644 52index cc8a079..0fee7c3 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_6.6" 56 #define SSH_VERSION "OpenSSH_6.7"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 075b59823..6d9a2f9c0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 9875e47079abff55f8d2c1e958e9d50de6eae7ec Mon Sep 17 00:00:00 2001 1From dc028c5992b4b14cca380b6ad2115fcc6907a8b7 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index 73a800c..4bc5b57 100644 25index 046ca8b..0180774 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1705,8 +1705,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0; 29 exit_status = 0;
30 } 30 }
31 31
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
new file mode 100644
index 000000000..c590f52ce
--- /dev/null
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -0,0 +1,172 @@
1From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support
5
6Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
7and thread:
8
9 https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
10
11It is true that this reduces preauth attack surface in sshd. On the
12other hand, this support seems to be quite widely used, and abruptly
13dropping it (from the perspective of users who don't read
14openssh-unix-dev) could easily cause more serious problems in practice.
15
16It's not entirely clear what the right long-term answer for Debian is,
17but it at least probably doesn't involve dropping this feature shortly
18before a freeze.
19
20Forwarded: not-needed
21Last-Update: 2014-10-07
22
23Patch-Name: restore-tcp-wrappers.patch
24---
25 configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
26 sshd.8 | 7 +++++++
27 sshd.c | 25 +++++++++++++++++++++++++
28 3 files changed, 89 insertions(+)
29
30diff --git a/configure.ac b/configure.ac
31index 90e81e1..7f160f1 100644
32--- a/configure.ac
33+++ b/configure.ac
34@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
35 ]
36 )
37
38+# Check whether user wants TCP wrappers support
39+TCPW_MSG="no"
40+AC_ARG_WITH([tcp-wrappers],
41+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
42+ [
43+ if test "x$withval" != "xno" ; then
44+ saved_LIBS="$LIBS"
45+ saved_LDFLAGS="$LDFLAGS"
46+ saved_CPPFLAGS="$CPPFLAGS"
47+ if test -n "${withval}" && \
48+ test "x${withval}" != "xyes"; then
49+ if test -d "${withval}/lib"; then
50+ if test -n "${need_dash_r}"; then
51+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
52+ else
53+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
54+ fi
55+ else
56+ if test -n "${need_dash_r}"; then
57+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
58+ else
59+ LDFLAGS="-L${withval} ${LDFLAGS}"
60+ fi
61+ fi
62+ if test -d "${withval}/include"; then
63+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
64+ else
65+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
66+ fi
67+ fi
68+ LIBS="-lwrap $LIBS"
69+ AC_MSG_CHECKING([for libwrap])
70+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
71+#include <sys/types.h>
72+#include <sys/socket.h>
73+#include <netinet/in.h>
74+#include <tcpd.h>
75+int deny_severity = 0, allow_severity = 0;
76+ ]], [[
77+ hosts_access(0);
78+ ]])], [
79+ AC_MSG_RESULT([yes])
80+ AC_DEFINE([LIBWRAP], [1],
81+ [Define if you want
82+ TCP Wrappers support])
83+ SSHDLIBS="$SSHDLIBS -lwrap"
84+ TCPW_MSG="yes"
85+ ], [
86+ AC_MSG_ERROR([*** libwrap missing])
87+
88+ ])
89+ LIBS="$saved_LIBS"
90+ fi
91+ ]
92+)
93+
94 # Check whether user wants to use ldns
95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns,
97@@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG"
101+echo " TCP Wrappers support: $TCPW_MSG"
102 echo " MD5 password support: $MD5_MSG"
103 echo " libedit support: $LIBEDIT_MSG"
104 echo " Solaris process contract support: $SPC_MSG"
105diff --git a/sshd.8 b/sshd.8
106index 01459d6..eaeac45 100644
107--- a/sshd.8
108+++ b/sshd.8
109@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be
111 readable by anyone else.
112 .Pp
113+.It Pa /etc/hosts.allow
114+.It Pa /etc/hosts.deny
115+Access controls that should be enforced by tcp-wrappers are defined here.
116+Further details are described in
117+.Xr hosts_access 5 .
118+.Pp
119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see
121 .Xr ssh 1 ) .
122@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 ,
126+.Xr hosts_access 5 ,
127 .Xr login.conf 5 ,
128 .Xr moduli 5 ,
129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c
131index e6706a8..3a6be65 100644
132--- a/sshd.c
133+++ b/sshd.c
134@@ -127,6 +127,13 @@
135 #include <Security/AuthSession.h>
136 #endif
137
138+#ifdef LIBWRAP
139+#include <tcpd.h>
140+#include <syslog.h>
141+int allow_severity;
142+int deny_severity;
143+#endif /* LIBWRAP */
144+
145 #ifndef O_NOCTTY
146 #define O_NOCTTY 0
147 #endif
148@@ -2061,6 +2068,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port);
151 #endif
152+#ifdef LIBWRAP
153+ allow_severity = options.log_facility|LOG_INFO;
154+ deny_severity = options.log_facility|LOG_WARNING;
155+ /* Check whether logins are denied from this host. */
156+ if (packet_connection_is_on_socket()) {
157+ struct request_info req;
158+
159+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
160+ fromhost(&req);
161+
162+ if (!hosts_access(&req)) {
163+ debug("Connection refused by tcp wrapper");
164+ refuse(&req);
165+ /* NOTREACHED */
166+ fatal("libwrap refuse returns");
167+ }
168+ }
169+#endif /* LIBWRAP */
170
171 /* Log the connection. */
172 verbose("Connection from %s port %d on %s port %d",
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index ff037a43a..ee006da93 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 8ab204ee192e655d5a8f4d599adb3d99eeabedc6 Mon Sep 17 00:00:00 2001 1From fd174c13c46191abdb33c0a45545573a8e06b061 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 18d3b1d..0669d02 100644 20index 1ec3b70..a1b318b 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a) 23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index e0ca12fb0..1fa0bf928 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001 1From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
32 16 files changed, 104 insertions(+), 31 deletions(-) 32 16 files changed, 104 insertions(+), 31 deletions(-)
33 33
34diff --git a/auth.h b/auth.h 34diff --git a/auth.h b/auth.h
35index 124e597..79e4ea5 100644 35index d081c94..f099e98 100644
36--- a/auth.h 36--- a/auth.h
37+++ b/auth.h 37+++ b/auth.h
38@@ -59,6 +59,7 @@ struct Authctxt { 38@@ -59,6 +59,7 @@ struct Authctxt {
@@ -44,10 +44,10 @@ index 124e597..79e4ea5 100644
44 char *info; /* Extra info for next auth_log */ 44 char *info; /* Extra info for next auth_log */
45 #ifdef BSD_AUTH 45 #ifdef BSD_AUTH
46diff --git a/auth1.c b/auth1.c 46diff --git a/auth1.c b/auth1.c
47index 0f870b3..c707390 100644 47index 5038828..52b17db 100644
48--- a/auth1.c 48--- a/auth1.c
49+++ b/auth1.c 49+++ b/auth1.c
50@@ -380,7 +380,7 @@ void 50@@ -381,7 +381,7 @@ void
51 do_authentication(Authctxt *authctxt) 51 do_authentication(Authctxt *authctxt)
52 { 52 {
53 u_int ulen; 53 u_int ulen;
@@ -56,7 +56,7 @@ index 0f870b3..c707390 100644
56 56
57 /* Get the name of the user that we wish to log in as. */ 57 /* Get the name of the user that we wish to log in as. */
58 packet_read_expect(SSH_CMSG_USER); 58 packet_read_expect(SSH_CMSG_USER);
59@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt) 59@@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt)
60 user = packet_get_cstring(&ulen); 60 user = packet_get_cstring(&ulen);
61 packet_check_eom(); 61 packet_check_eom();
62 62
@@ -75,10 +75,10 @@ index 0f870b3..c707390 100644
75 /* Verify that the user is a valid user. */ 75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 77diff --git a/auth2.c b/auth2.c
78index fbe3e1b..70f2925 100644 78index 2f0d565..fa1a588 100644
79--- a/auth2.c 79--- a/auth2.c
80+++ b/auth2.c 80+++ b/auth2.c
81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 81@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
82 { 82 {
83 Authctxt *authctxt = ctxt; 83 Authctxt *authctxt = ctxt;
84 Authmethod *m = NULL; 84 Authmethod *m = NULL;
@@ -87,7 +87,7 @@ index fbe3e1b..70f2925 100644
87 int authenticated = 0; 87 int authenticated = 0;
88 88
89 if (authctxt == NULL) 89 if (authctxt == NULL)
90@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 90@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
91 debug("userauth-request for user %s service %s method %s", user, service, method); 91 debug("userauth-request for user %s service %s method %s", user, service, method);
92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
93 93
@@ -101,7 +101,7 @@ index fbe3e1b..70f2925 100644
101 101
102 if (authctxt->attempt++ == 0) { 102 if (authctxt->attempt++ == 0) {
103 /* setup auth context */ 103 /* setup auth context */
104@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 104@@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
105 use_privsep ? " [net]" : ""); 105 use_privsep ? " [net]" : "");
106 authctxt->service = xstrdup(service); 106 authctxt->service = xstrdup(service);
107 authctxt->style = style ? xstrdup(style) : NULL; 107 authctxt->style = style ? xstrdup(style) : NULL;
@@ -113,10 +113,10 @@ index fbe3e1b..70f2925 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index 2918814..11eac63 100644 116index b0896ef..94b194d 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index 2918814..11eac63 100644
124 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = { 127@@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index 2918814..11eac63 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 134 #ifdef USE_PAM
135@@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 135@@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 136 else {
137 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index 2918814..11eac63 100644
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 141 }
142 #ifdef USE_PAM 142 #ifdef USE_PAM
143@@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m) 143@@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 144
145 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index 2918814..11eac63 100644
180 return (0); 180 return (0);
181 } 181 }
182 182
183@@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m) 183@@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 185 if (res == 0)
186 goto error; 186 goto error;
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644
203 203
204 struct mm_master; 204 struct mm_master;
205diff --git a/monitor_wrap.c b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 60b987d..f75dc9d 100644 206index e476f0d..6dc890a 100644
207--- a/monitor_wrap.c 207--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
209@@ -318,10 +318,10 @@ mm_auth2_read_banner(void) 209@@ -324,10 +324,10 @@ mm_auth2_read_banner(void)
210 return (banner); 210 return (banner);
211 } 211 }
212 212
@@ -219,7 +219,7 @@ index 60b987d..f75dc9d 100644
219 { 219 {
220 Buffer m; 220 Buffer m;
221 221
222@@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style) 222@@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 223 buffer_init(&m);
224 buffer_put_cstring(&m, service); 224 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 225 buffer_put_cstring(&m, style ? style : "");
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 361 void ssh_selinux_setfscreatecon(const char *);
362 #endif 362 #endif
363diff --git a/platform.c b/platform.c 363diff --git a/platform.c b/platform.c
364index 30fc609..4aab9a9 100644 364index ee313da..f35ec39 100644
365--- a/platform.c 365--- a/platform.c
366+++ b/platform.c 366+++ b/platform.c
367@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) 367@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 368 * called if sshd is running as root.
369 */ 369 */
370 void 370 void
@@ -373,7 +373,7 @@ index 30fc609..4aab9a9 100644
373 { 373 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 375 /*
376@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 376@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 377 }
378 #endif /* HAVE_SETPCRED */ 378 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 379 #ifdef WITH_SELINUX
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index 2bcf818..6848df4 100644 399index 3e96557..6f389ac 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -407,8 +407,8 @@ index 2bcf818..6848df4 100644
407+do_setusercontext(struct passwd *pw, const char *role) 407+do_setusercontext(struct passwd *pw, const char *role)
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 410 #ifdef USE_LIBIAF
411@@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
@@ -417,7 +417,7 @@ index 2bcf818..6848df4 100644
417 417
418 if (options.chroot_directory != NULL && 418 if (options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command) 420@@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 2bcf818..6848df4 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command) 429@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index 2bcf818..6848df4 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2117,7 +2117,7 @@ session_pty_req(Session *s) 438@@ -2114,7 +2114,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index d787fea..e343d90 100644 461index 3a6be65..48a14dd 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
@@ -471,10 +471,10 @@ index d787fea..e343d90 100644
471 skip: 471 skip:
472 /* It is safe now to apply the key state */ 472 /* It is safe now to apply the key state */
473diff --git a/sshpty.c b/sshpty.c 473diff --git a/sshpty.c b/sshpty.c
474index bbbc0fe..8cc26a2 100644 474index a2059b7..3512ec8 100644
475--- a/sshpty.c 475--- a/sshpty.c
476+++ b/sshpty.c 476+++ b/sshpty.c
477@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
478 } 478 }
479 479
480 void 480 void
@@ -483,7 +483,7 @@ index bbbc0fe..8cc26a2 100644
483 { 483 {
484 struct group *grp; 484 struct group *grp;
485 gid_t gid; 485 gid_t gid;
486@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) 486@@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty)
487 strerror(errno)); 487 strerror(errno));
488 488
489 #ifdef WITH_SELINUX 489 #ifdef WITH_SELINUX
diff --git a/debian/patches/series b/debian/patches/series
index c554b34ca..bbc7a5fb4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
1gssapi.patch 1gssapi.patch
2restore-tcp-wrappers.patch
2selinux-role.patch 3selinux-role.patch
3ssh-vulnkey-compat.patch 4ssh-vulnkey-compat.patch
4ssh1-keepalive.patch 5ssh1-keepalive.patch
@@ -22,9 +23,7 @@ ssh-argv0.patch
22doc-hash-tab-completion.patch 23doc-hash-tab-completion.patch
23doc-upstart.patch 24doc-upstart.patch
24ssh-agent-setgid.patch 25ssh-agent-setgid.patch
25no-openssl-version-check.patch 26no-openssl-version-status.patch
26gnome-ssh-askpass2-icon.patch 27gnome-ssh-askpass2-icon.patch
27sigstop.patch 28sigstop.patch
28debian-config.patch 29debian-config.patch
29sshfp_with_server_cert_upstr
30curve25519-sha256-bignum-encoding.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 48c16d2a2..07e20f03d 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 6103c29d855e82c098e88ee12f05a6eb41f659ce Mon Sep 17 00:00:00 2001 1From 66377fbb52584b41bd7f6f19116107fbbad41058 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 573d7a8..9e02837 100644 19index ac09eae..26116d2 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -228,7 +228,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 573d7a8..9e02837 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args) 31@@ -1416,7 +1416,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 6a15e0dc5..1eaa7758b 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From cfeaa0ba2ce2859573f7e980be09ef05511f56a2 Mon Sep 17 00:00:00 2001 1From 689f465c66059e527974c6d4ea8e95f04d5abab7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 665c0b9..0964491 100644 16index 87331c1..23d5a64 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -1931,6 +1931,16 @@ main(int ac, char **av) 19@@ -1958,6 +1958,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index af23075b3..9c3ddc86e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From d53483ab71ac2a9195c8f171da5a5dcf54ec16ec Mon Sep 17 00:00:00 2001 1From 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index 281ecbd..38fd540 100644 16index a1e634f..f2c4080 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -183,6 +183,21 @@ environment variable holds the agent's process ID. 19@@ -172,6 +172,21 @@ environment variable holds the agent's process ID.
20 .Pp 20 .Pp
21 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
22 line terminates. 22 line terminates.
@@ -37,4 +37,4 @@ index 281ecbd..38fd540 100644
37+so in the program executed by ssh-agent. 37+so in the program executed by ssh-agent.
38 .Sh FILES 38 .Sh FILES
39 .Bl -tag -width Ds 39 .Bl -tag -width Ds
40 .It Pa ~/.ssh/identity 40 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index d456facea..0ccf7c42b 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From d4ac61d918775f629eff9a389d0f7bb0f8426b48 Mon Sep 17 00:00:00 2001 1From cbd5cb03866f6df50c82d26588b73135d05bf245 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 67b4f44..9868025 100644 21index de178cd..2606b15 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1468,6 +1468,7 @@ if an error occurred. 24@@ -1458,6 +1458,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index fa738b084..427ee6be1 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001 1From e6836d7c98c75d3252de56c2f3ea07e12c817e00 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 7613ff2..bcd8cad 100644 20index 9127e93..bc879eb 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -172,6 +172,7 @@ static struct { 23@@ -174,6 +174,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "passwordauthentication", oPasswordAuthentication },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 7613ff2..bcd8cad 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index 0083cf8..90de888 100644 32index cb3c831..a252487 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -448,6 +448,7 @@ static struct { 35@@ -462,6 +462,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index ded7c122a..2e5fa306d 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
1From 789d58ed3df120c7b80d07fb2d259c216194a29c Mon Sep 17 00:00:00 2001 1From cbbc8577950b93090171c7394bcdeb68b7c3cd0c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:51 +0000 3Date: Sun, 9 Feb 2014 16:09:51 +0000
4Subject: Partial server keep-alive implementation for SSH1 4Subject: Partial server keep-alive implementation for SSH1
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch
13 2 files changed, 19 insertions(+), 11 deletions(-) 13 2 files changed, 19 insertions(+), 11 deletions(-)
14 14
15diff --git a/clientloop.c b/clientloop.c 15diff --git a/clientloop.c b/clientloop.c
16index 6d8cd7d..73a800c 100644 16index f9175e3..046ca8b 100644
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) 19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
@@ -57,10 +57,10 @@ index 6d8cd7d..73a800c 100644
57 server_alive_time = now + options.server_alive_interval; 57 server_alive_time = now + options.server_alive_interval;
58 } 58 }
59diff --git a/ssh_config.5 b/ssh_config.5 59diff --git a/ssh_config.5 b/ssh_config.5
60index e7accd6..473971e 100644 60index e6649ac..01f1f7f 100644
61--- a/ssh_config.5 61--- a/ssh_config.5
62+++ b/ssh_config.5 62+++ b/ssh_config.5
63@@ -1294,7 +1294,10 @@ If, for example, 63@@ -1325,7 +1325,10 @@ If, for example,
64 .Cm ServerAliveCountMax 64 .Cm ServerAliveCountMax
65 is left at the default, if the server becomes unresponsive, 65 is left at the default, if the server becomes unresponsive,
66 ssh will disconnect after approximately 45 seconds. 66 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr
deleted file mode 100644
index b453081c5..000000000
--- a/debian/patches/sshfp_with_server_cert_upstr
+++ /dev/null
@@ -1,83 +0,0 @@
1From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <mcv21@cam.ac.uk>
3Date: Wed, 26 Mar 2014 15:32:23 +0000
4Subject: Attempt SSHFP lookup even if server presents a certificate
5
6If an ssh server presents a certificate to the client, then the client
7does not check the DNS for SSHFP records. This means that a malicious
8server can essentially disable DNS-host-key-checking, which means the
9client will fall back to asking the user (who will just say "yes" to
10the fingerprint, sadly).
11
12This patch is by Damien Miller (of openssh upstream). It's simpler
13than the patch by Mark Wooding which I applied yesterday; a copy is
14taken of the proffered key/cert, the key extracted from the cert (if
15necessary), and then the DNS consulted.
16
17Signed-off-by: Matthew Vernon <matthew@debian.org>
18Bug-Debian: http://bugs.debian.org/742513
19Patch-Name: sshfp_with_server_cert_upstr
20---
21 sshconnect.c | 42 ++++++++++++++++++++++++++----------------
22 1 file changed, 26 insertions(+), 16 deletions(-)
23
24diff --git a/sshconnect.c b/sshconnect.c
25index 87c3770..324f5e0 100644
26--- a/sshconnect.c
27+++ b/sshconnect.c
28@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
29 {
30 int flags = 0;
31 char *fp;
32+ Key *plain = NULL;
33
34 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
35 debug("Server host key: %s %s", key_type(host_key), fp);
36 free(fp);
37
38- /* XXX certs are not yet supported for DNS */
39- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
40- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
41- if (flags & DNS_VERIFY_FOUND) {
42-
43- if (options.verify_host_key_dns == 1 &&
44- flags & DNS_VERIFY_MATCH &&
45- flags & DNS_VERIFY_SECURE)
46- return 0;
47-
48- if (flags & DNS_VERIFY_MATCH) {
49- matching_host_key_dns = 1;
50- } else {
51- warn_changed_key(host_key);
52- error("Update the SSHFP RR in DNS with the new "
53- "host key to get rid of this message.");
54+ if (options.verify_host_key_dns) {
55+ /*
56+ * XXX certs are not yet supported for DNS, so downgrade
57+ * them and try the plain key.
58+ */
59+ plain = key_from_private(host_key);
60+ if (key_is_cert(plain))
61+ key_drop_cert(plain);
62+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
63+ if (flags & DNS_VERIFY_FOUND) {
64+ if (options.verify_host_key_dns == 1 &&
65+ flags & DNS_VERIFY_MATCH &&
66+ flags & DNS_VERIFY_SECURE) {
67+ key_free(plain);
68+ return 0;
69+ }
70+ if (flags & DNS_VERIFY_MATCH) {
71+ matching_host_key_dns = 1;
72+ } else {
73+ warn_changed_key(plain);
74+ error("Update the SSHFP RR in DNS "
75+ "with the new host key to get rid "
76+ "of this message.");
77+ }
78 }
79 }
80+ key_free(plain);
81 }
82
83 return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 7cbd3a7e3..bfc236927 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From b8ed36cdf2dbebc01e52e83eece4bb1d78607e84 Mon Sep 17 00:00:00 2001 1From 69f7c00e04d1baa01a9038eeb764cfed0830fb19 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 1e6cb90..3e63708 100644 36index 26e9681..5bce695 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -965,7 +965,7 @@ main(int ac, char **av) 39@@ -989,7 +989,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 3cdb9d8a1..e4e4657f3 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001 1From 28ea747089f695e58a476a2849133402d4f86b92 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -28,7 +28,7 @@ Patch-Name: user-group-modes.patch
28 8 files changed, 82 insertions(+), 29 deletions(-) 28 8 files changed, 82 insertions(+), 29 deletions(-)
29 29
30diff --git a/auth-rhosts.c b/auth-rhosts.c 30diff --git a/auth-rhosts.c b/auth-rhosts.c
31index 06ae7f0..f202787 100644 31index b5bedee..11fcca6 100644
32--- a/auth-rhosts.c 32--- a/auth-rhosts.c
33+++ b/auth-rhosts.c 33+++ b/auth-rhosts.c
34@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 34@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
@@ -52,10 +52,10 @@ index 06ae7f0..f202787 100644
52 pw->pw_name, buf); 52 pw->pw_name, buf);
53 auth_debug_add("Bad file modes for %.200s", buf); 53 auth_debug_add("Bad file modes for %.200s", buf);
54diff --git a/auth.c b/auth.c 54diff --git a/auth.c b/auth.c
55index 9a36f1d..0c45f09 100644 55index 5e60682..18de51a 100644
56--- a/auth.c 56--- a/auth.c
57+++ b/auth.c 57+++ b/auth.c
58@@ -407,8 +407,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 58@@ -421,8 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
60 if (options.strict_modes && 60 if (options.strict_modes &&
61 (stat(user_hostfile, &st) == 0) && 61 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 9a36f1d..0c45f09 100644
65 logit("Authentication refused for %.100s: " 65 logit("Authentication refused for %.100s: "
66 "bad owner or modes for %.200s", 66 "bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile); 67 pw->pw_name, user_hostfile);
68@@ -470,8 +469,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 68@@ -484,8 +483,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
69 snprintf(err, errlen, "%s is not a regular file", buf); 69 snprintf(err, errlen, "%s is not a regular file", buf);
70 return -1; 70 return -1;
71 } 71 }
@@ -75,7 +75,7 @@ index 9a36f1d..0c45f09 100644
75 snprintf(err, errlen, "bad ownership or modes for file %s", 75 snprintf(err, errlen, "bad ownership or modes for file %s",
76 buf); 76 buf);
77 return -1; 77 return -1;
78@@ -486,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 78@@ -500,8 +498,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
79 strlcpy(buf, cp, sizeof(buf)); 79 strlcpy(buf, cp, sizeof(buf));
80 80
81 if (stat(buf, &st) < 0 || 81 if (stat(buf, &st) < 0 ||
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index e4c8c32..4e756b0 100644 89index 94b05b0..c25ccd8 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -49,8 +49,9 @@ 92@@ -50,8 +50,9 @@
93 #include <netdb.h> 93 #include <netdb.h>
94 #ifdef HAVE_PATHS_H 94 #ifdef HAVE_PATHS_H
95 # include <paths.h> 95 # include <paths.h>
@@ -100,7 +100,7 @@ index e4c8c32..4e756b0 100644
100 #ifdef SSH_TUN_OPENBSD 100 #ifdef SSH_TUN_OPENBSD
101 #include <net/if.h> 101 #include <net/if.h>
102 #endif 102 #endif
103@@ -59,6 +60,7 @@ 103@@ -60,6 +61,7 @@
104 #include "misc.h" 104 #include "misc.h"
105 #include "log.h" 105 #include "log.h"
106 #include "ssh.h" 106 #include "ssh.h"
@@ -108,7 +108,7 @@ index e4c8c32..4e756b0 100644
108 108
109 /* remove newline at end of string */ 109 /* remove newline at end of string */
110 char * 110 char *
111@@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 111@@ -644,6 +646,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 112 return -1;
113 } 113 }
114 114
@@ -181,10 +181,10 @@ index e4c8c32..4e756b0 100644
181 tun_open(int tun, int mode) 181 tun_open(int tun, int mode)
182 { 182 {
183diff --git a/misc.h b/misc.h 183diff --git a/misc.h b/misc.h
184index d4df619..ceb173b 100644 184index 374c33c..89e1f75 100644
185--- a/misc.h 185--- a/misc.h
186+++ b/misc.h 186+++ b/misc.h
187@@ -106,4 +106,6 @@ char *read_passphrase(const char *, int); 187@@ -135,4 +135,6 @@ char *read_passphrase(const char *, int);
188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
190 190
@@ -192,10 +192,10 @@ index d4df619..ceb173b 100644
192+ 192+
193 #endif /* _MISC_H */ 193 #endif /* _MISC_H */
194diff --git a/platform.c b/platform.c 194diff --git a/platform.c b/platform.c
195index 4aab9a9..f99de7f 100644 195index f35ec39..9a23e6e 100644
196--- a/platform.c 196--- a/platform.c
197+++ b/platform.c 197+++ b/platform.c
198@@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name) 198@@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name)
199 return NULL; 199 return NULL;
200 #endif 200 #endif
201 } 201 }
@@ -216,10 +216,10 @@ index 4aab9a9..f99de7f 100644
216- return 0; 216- return 0;
217-} 217-}
218diff --git a/readconf.c b/readconf.c 218diff --git a/readconf.c b/readconf.c
219index 6409937..32c4b42 100644 219index 337818c..0648867 100644
220--- a/readconf.c 220--- a/readconf.c
221+++ b/readconf.c 221+++ b/readconf.c
222@@ -37,6 +37,8 @@ 222@@ -38,6 +38,8 @@
223 #include <stdio.h> 223 #include <stdio.h>
224 #include <string.h> 224 #include <string.h>
225 #include <unistd.h> 225 #include <unistd.h>
@@ -228,7 +228,7 @@ index 6409937..32c4b42 100644
228 #ifdef HAVE_UTIL_H 228 #ifdef HAVE_UTIL_H
229 #include <util.h> 229 #include <util.h>
230 #endif 230 #endif
231@@ -1477,8 +1479,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, 231@@ -1516,8 +1518,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
232 232
233 if (fstat(fileno(f), &sb) == -1) 233 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno)); 234 fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index 6409937..32c4b42 100644
239 } 239 }
240 240
241diff --git a/ssh.1 b/ssh.1 241diff --git a/ssh.1 b/ssh.1
242index 27794e2..ff5e6ac 100644 242index fa5cfb2..7f6ab77 100644
243--- a/ssh.1 243--- a/ssh.1
244+++ b/ssh.1 244+++ b/ssh.1
245@@ -1352,6 +1352,8 @@ The file format and configuration options are described in 245@@ -1342,6 +1342,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 . 246 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions: 247 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others. 248 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index 27794e2..ff5e6ac 100644
252 .It Pa ~/.ssh/environment 252 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see 253 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5 254diff --git a/ssh_config.5 b/ssh_config.5
255index 3172fd4..4bf7cbb 100644 255index ea92ea8..d68b45a 100644
256--- a/ssh_config.5 256--- a/ssh_config.5
257+++ b/ssh_config.5 257+++ b/ssh_config.5
258@@ -1529,6 +1529,8 @@ The format of this file is described above. 258@@ -1587,6 +1587,8 @@ The format of this file is described above.
259 This file is used by the SSH client. 259 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions: 260 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others. 261 read/write for the user, and not accessible by others.