Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/NEWS10
-rw-r--r--debian/changelog84
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/conch-old-privkey-format.patch10
-rw-r--r--debian/patches/debian-banner.patch53
-rw-r--r--debian/patches/debian-config.patch16
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch181
-rw-r--r--debian/patches/keepalive-extensions.patch18
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch4
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch12
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch12
-rw-r--r--debian/patches/revert-ipqos-defaults.patch14
-rw-r--r--debian/patches/scp-quoting.patch4
-rw-r--r--debian/patches/selinux-role.patch16
-rw-r--r--debian/patches/shell-path.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch6
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch18
28 files changed, 325 insertions, 219 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 281d947f2..033091076 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
286fe78ef4686485394b464cf9d3393ce27b33979 239b8d128ef980a410bb1ea0ee80e95ac9fff59c3
386fe78ef4686485394b464cf9d3393ce27b33979 339b8d128ef980a410bb1ea0ee80e95ac9fff59c3
4f0de78bd4f29fa688c5df116f3f9cd43543a76d0 4202f5a676221c244cd450086c334c2b59f339e86
5f0de78bd4f29fa688c5df116f3f9cd43543a76d0 5202f5a676221c244cd450086c334c2b59f339e86
6openssh_8.2p1.orig.tar.gz 6openssh_8.3p1.orig.tar.gz
7d1ab35a93507321c5db885e02d41ce1414f0507c 704c7adb9986f16746588db8988b910530c589819
81701197 81706358
9debianTag="debian/%e%%%V" 9debianTag="debian/%e%%%V"
10patchedTag="patched/%e%%%V" 10patchedTag="patched/%e%%%V"
11upstreamTag="upstream/%U" 11upstreamTag="upstream/%U"
12signature:d3814ab57572c13bdee2037ad1477e2f7c51e1b0:683:openssh_8.2p1.orig.tar.gz.asc 12signature:e3fdeb7b96543bcc2854614c6163cfe860ba5ec8:683:openssh_8.3p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 542d38173..81cf93185 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
1openssh (1:8.3p1-1) unstable; urgency=medium
2
3 OpenSSH 8.3 includes a number of changes that may affect existing
4 configurations:
5
6 * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1)
7 do instead of accepting and silently ignoring it.
8
9 -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:27:05 +0100
10
1openssh (1:8.2p1-1) unstable; urgency=medium 11openssh (1:8.2p1-1) unstable; urgency=medium
2 12
3 OpenSSH 8.2 includes a number of changes that may affect existing 13 OpenSSH 8.2 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 69cbf0b4e..ab75bf2a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,86 @@
1openssh (1:8.2p1-5) UNRELEASED; urgency=medium 1openssh (1:8.3p1-1) UNRELEASED; urgency=medium
2 2
3 * Fix or suppress various shellcheck errors under debian/. 3 * Fix or suppress various shellcheck errors under debian/.
4 4 * New upstream release (https://www.openssh.com/txt/release-8.3):
5 -- Colin Watson <cjwatson@debian.org> Sat, 23 May 2020 12:46:19 +0100 5 - [SECURITY] scp(1): when receiving files, scp(1) could become
6 desynchronised if a utimes(2) system call failed. This could allow
7 file contents to be interpreted as file metadata and thereby permit an
8 adversary to craft a file system that, when copied with scp(1) in a
9 configuration that caused utimes(2) to fail (e.g. under a SELinux
10 policy or syscall sandbox), transferred different file names and
11 contents to the actual file system layout.
12 - sftp(1): reject an argument of "-1" in the same way as ssh(1) and
13 scp(1) do instead of accepting and silently ignoring it.
14 - sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
15 rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to
16 allow .shosts files but not .rhosts.
17 - sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
18 sshd_config, not just before any Match blocks.
19 - ssh(1): add %TOKEN percent expansion for the LocalForward and
20 RemoteForward keywords when used for Unix domain socket forwarding.
21 - all: allow loading public keys from the unencrypted envelope of a
22 private key file if no corresponding public key file is present.
23 - ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible
24 instead of the (slower) portable C implementation included in OpenSSH.
25 - ssh-keygen(1): add ability to dump the contents of a binary key
26 revocation list via "ssh-keygen -lQf /path".
27 - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a
28 PKCS11Provider.
29 - ssh-keygen(1): avoid NULL dereference when trying to convert an
30 invalid RFC4716 private key.
31 - scp(1): when performing remote-to-remote copies using "scp -3", start
32 the second ssh(1) channel with BatchMode=yes enabled to avoid
33 confusing and non-deterministic ordering of prompts.
34 - ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
35 perform hashing of the message to be signed in the middleware layer
36 rather than in OpenSSH code. This permits the use of security key
37 middlewares that perform the hashing implicitly, such as Windows
38 Hello.
39 - ssh(1): fix incorrect error message for "too many known hosts files."
40 - ssh(1): make failures when establishing "Tunnel" forwarding terminate
41 the connection when ExitOnForwardFailure is enabled.
42 - ssh-keygen(1): fix printing of fingerprints on private keys and add a
43 regression test for same.
44 - sshd(8): document order of checking AuthorizedKeysFile (first) and
45 AuthorizedKeysCommand (subsequently, if the file doesn't match).
46 - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not
47 considered for HostbasedAuthentication when the target user is root.
48 - ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key
49 parsing.
50 - ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted
51 in various configuration options.
52 - ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11
53 C_Login failure cases.
54 - ssh(1), sshd(8): make error messages for problems during SSH banner
55 exchange consistent with other SSH transport-layer error messages and
56 ensure they include the relevant IP addresses.
57 - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a
58 token, don't prompt for a PIN until the token has told us that it
59 needs one. Avoids double-prompting on devices that implement
60 on-device authentication (closes: #932071).
61 - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
62 should be an extension, not a critical option.
63 - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when
64 trying to use a FIDO key function and SecurityKeyProvider is empty.
65 - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the
66 values allowed by the wire format (u32). Prevents integer wraparound
67 of the timeout values.
68 - ssh(1): detect and prevent trivial configuration loops when using
69 ProxyJump. bz#3057.
70 - On platforms that do not support setting process-wide routing domains
71 (all excepting OpenBSD at present), fail to accept a configuration
72 attempts to set one at process start time rather than fatally erroring
73 at run time.
74 - Fix theoretical infinite loop in the glob(3) replacement
75 implementation.
76 * Update GSSAPI key exchange patch from
77 https://github.com/openssh-gsskex/openssh-gsskex:
78 - Fix connection through ProxyJump in combination with "GSSAPITrustDNS
79 yes".
80 - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
81 was published.
82
83 -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:25:54 +0100
6 84
7openssh (1:8.2p1-4) unstable; urgency=medium 85openssh (1:8.2p1-4) unstable; urgency=medium
8 86
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 43a160a0f..68f5029d5 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001 1From eb51213d1bdc8d80cd7d0578737d8a7bfde992d2 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index b68c1710f..bff1db49b 100644 16index bf1e1de47..3aa808a38 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -402,6 +402,7 @@ install-files: 19@@ -406,6 +406,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index c48220f63..dfd1058b8 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
1From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001 1From f2697f0c5ff23bc13dce1c90fb4c1c934c02070b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Thu, 30 Aug 2018 00:58:56 +0100 3Date: Thu, 30 Aug 2018 00:58:56 +0100
4Subject: Work around conch interoperability failure 4Subject: Work around conch interoperability failure
@@ -18,10 +18,10 @@ Patch-Name: conch-old-privkey-format.patch
18 3 files changed, 14 insertions(+), 2 deletions(-) 18 3 files changed, 14 insertions(+), 2 deletions(-)
19 19
20diff --git a/regress/Makefile b/regress/Makefile 20diff --git a/regress/Makefile b/regress/Makefile
21index 774c10d41..01e257a94 100644 21index 62794d25f..53a50ffca 100644
22--- a/regress/Makefile 22--- a/regress/Makefile
23+++ b/regress/Makefile 23+++ b/regress/Makefile
24@@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ 24@@ -121,7 +121,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ 25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ 26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
27 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ 27 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
@@ -44,10 +44,10 @@ index 6678813a2..6ff5da20b 100644
44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} 44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
45 if [ $? -ne 0 ]; then 45 if [ $? -ne 0 ]; then
46diff --git a/regress/test-exec.sh b/regress/test-exec.sh 46diff --git a/regress/test-exec.sh b/regress/test-exec.sh
47index f5e3ee6f5..a3a40719f 100644 47index 5dc975d07..d8491b2be 100644
48--- a/regress/test-exec.sh 48--- a/regress/test-exec.sh
49+++ b/regress/test-exec.sh 49+++ b/regress/test-exec.sh
50@@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no 50@@ -587,6 +587,18 @@ REGRESS_INTEROP_CONCH=no
51 if test -x "$CONCH" ; then 51 if test -x "$CONCH" ; then
52 REGRESS_INTEROP_CONCH=yes 52 REGRESS_INTEROP_CONCH=yes
53 fi 53 fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 0d998fdd4..47a2fe372 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001 1From 90c1c8771b61dd3ee0eacb4e1cfac404dc42f4b0 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2020-02-21 11Last-Update: 2020-06-07
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -17,24 +17,24 @@ Patch-Name: debian-banner.patch
17 servconf.c | 9 +++++++++ 17 servconf.c | 9 +++++++++
18 servconf.h | 2 ++ 18 servconf.h | 2 ++
19 sshconnect.c | 2 +- 19 sshconnect.c | 2 +-
20 sshd.c | 3 ++- 20 sshd.c | 2 +-
21 sshd_config.5 | 5 +++++ 21 sshd_config.5 | 5 +++++
22 7 files changed, 23 insertions(+), 5 deletions(-) 22 7 files changed, 22 insertions(+), 5 deletions(-)
23 23
24diff --git a/kex.c b/kex.c 24diff --git a/kex.c b/kex.c
25index f638942d3..2abfbb95a 100644 25index 0e64bf760..aa5acaac3 100644
26--- a/kex.c 26--- a/kex.c
27+++ b/kex.c 27+++ b/kex.c
28@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg) 28@@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg)
29 */ 29 */
30 int 30 int
31 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 31 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
32- const char *version_addendum) 32- const char *version_addendum)
33+ int debian_banner, const char *version_addendum) 33+ int debian_banner, const char *version_addendum)
34 { 34 {
35 int remote_major, remote_minor, mismatch; 35 int remote_major, remote_minor, mismatch, oerrno = 0;
36 size_t len, i, n; 36 size_t len, i, n;
37@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 37@@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
38 if (version_addendum != NULL && *version_addendum == '\0') 38 if (version_addendum != NULL && *version_addendum == '\0')
39 version_addendum = NULL; 39 version_addendum = NULL;
40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -43,7 +43,7 @@ index f638942d3..2abfbb95a 100644
43+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, 43+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
44 version_addendum == NULL ? "" : " ", 44 version_addendum == NULL ? "" : " ",
45 version_addendum == NULL ? "" : version_addendum)) != 0) { 45 version_addendum == NULL ? "" : version_addendum)) != 0) {
46 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 46 oerrno = errno;
47diff --git a/kex.h b/kex.h 47diff --git a/kex.h b/kex.h
48index fe7141414..938dca03b 100644 48index fe7141414..938dca03b 100644
49--- a/kex.h 49--- a/kex.h
@@ -58,7 +58,7 @@ index fe7141414..938dca03b 100644
58 struct kex *kex_new(void); 58 struct kex *kex_new(void);
59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); 59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
60diff --git a/servconf.c b/servconf.c 60diff --git a/servconf.c b/servconf.c
61index bf3cd84a4..7bbc25c2e 100644 61index ff5b9436c..cf4e52f3b 100644
62--- a/servconf.c 62--- a/servconf.c
63+++ b/servconf.c 63+++ b/servconf.c
64@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options) 64@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
@@ -94,7 +94,7 @@ index bf3cd84a4..7bbc25c2e 100644
94 { NULL, sBadOption, 0 } 94 { NULL, sBadOption, 0 }
95 }; 95 };
96 96
97@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, 97@@ -2393,6 +2398,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
98 *charptr = xstrdup(arg); 98 *charptr = xstrdup(arg);
99 break; 99 break;
100 100
@@ -106,10 +106,10 @@ index bf3cd84a4..7bbc25c2e 100644
106 case sIgnore: 106 case sIgnore:
107 case sUnsupported: 107 case sUnsupported:
108diff --git a/servconf.h b/servconf.h 108diff --git a/servconf.h b/servconf.h
109index 3f47ea25e..3fa05fcac 100644 109index 253cad97e..5a2b60512 100644
110--- a/servconf.h 110--- a/servconf.h
111+++ b/servconf.h 111+++ b/servconf.h
112@@ -221,6 +221,8 @@ typedef struct { 112@@ -226,6 +226,8 @@ typedef struct {
113 int expose_userauth_info; 113 int expose_userauth_info;
114 u_int64_t timing_secret; 114 u_int64_t timing_secret;
115 char *sk_provider; 115 char *sk_provider;
@@ -119,37 +119,36 @@ index 3f47ea25e..3fa05fcac 100644
119 119
120 /* Information about the incoming connection as used by Match */ 120 /* Information about the incoming connection as used by Match */
121diff --git a/sshconnect.c b/sshconnect.c 121diff --git a/sshconnect.c b/sshconnect.c
122index b796d3c8a..9f2412e0d 100644 122index f20d3e792..1e5b8ea5a 100644
123--- a/sshconnect.c 123--- a/sshconnect.c
124+++ b/sshconnect.c 124+++ b/sshconnect.c
125@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, 125@@ -1293,7 +1293,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
126 lowercase(host); 126 lowercase(host);
127 127
128 /* Exchange protocol version identification strings with the server. */ 128 /* Exchange protocol version identification strings with the server. */
129- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0) 129- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
130+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0) 130+ if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
131 cleanup_exit(255); /* error already logged */ 131 sshpkt_fatal(ssh, r, "banner exchange");
132 132
133 /* Put the connection into non-blocking mode. */ 133 /* Put the connection into non-blocking mode. */
134diff --git a/sshd.c b/sshd.c 134diff --git a/sshd.c b/sshd.c
135index 65916fc6d..da876a900 100644 135index e8b332ca4..baee13506 100644
136--- a/sshd.c 136--- a/sshd.c
137+++ b/sshd.c 137+++ b/sshd.c
138@@ -2187,7 +2187,8 @@ main(int ac, char **av) 138@@ -2181,7 +2181,7 @@ main(int ac, char **av)
139 if (!debug_flag) 139 if (!debug_flag)
140 alarm(options.login_grace_time); 140 alarm(options.login_grace_time);
141 141
142- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) 142- if ((r = kex_exchange_identification(ssh, -1,
143+ if (kex_exchange_identification(ssh, -1, options.debian_banner, 143+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
144+ options.version_addendum) != 0) 144 options.version_addendum)) != 0)
145 cleanup_exit(255); /* error already logged */ 145 sshpkt_fatal(ssh, r, "banner exchange");
146 146
147 ssh_packet_set_nonblocking(ssh);
148diff --git a/sshd_config.5 b/sshd_config.5 147diff --git a/sshd_config.5 b/sshd_config.5
149index ebd09f891..c926f584c 100644 148index 9f093be1f..753ceda10 100644
150--- a/sshd_config.5 149--- a/sshd_config.5
151+++ b/sshd_config.5 150+++ b/sshd_config.5
152@@ -542,6 +542,11 @@ or 151@@ -540,6 +540,11 @@ or
153 .Cm no . 152 .Cm no .
154 The default is 153 The default is
155 .Cm yes . 154 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 35c71b0e9..d01331cc3 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001 1From 08ca1225e6979fc6b5b6e7f85ce5cb0ac5cc7405 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -43,10 +43,10 @@ Patch-Name: debian-config.patch
43 6 files changed, 98 insertions(+), 9 deletions(-) 43 6 files changed, 98 insertions(+), 9 deletions(-)
44 44
45diff --git a/readconf.c b/readconf.c 45diff --git a/readconf.c b/readconf.c
46index 7f251dd4a..e82024678 100644 46index 5bf0afbb4..87b0dc62a 100644
47--- a/readconf.c 47--- a/readconf.c
48+++ b/readconf.c 48+++ b/readconf.c
49@@ -2087,7 +2087,7 @@ fill_default_options(Options * options) 49@@ -2111,7 +2111,7 @@ fill_default_options(Options * options)
50 if (options->forward_x11 == -1) 50 if (options->forward_x11 == -1)
51 options->forward_x11 = 0; 51 options->forward_x11 = 0;
52 if (options->forward_x11_trusted == -1) 52 if (options->forward_x11_trusted == -1)
@@ -56,10 +56,10 @@ index 7f251dd4a..e82024678 100644
56 options->forward_x11_timeout = 1200; 56 options->forward_x11_timeout = 1200;
57 /* 57 /*
58diff --git a/ssh.1 b/ssh.1 58diff --git a/ssh.1 b/ssh.1
59index b33a8049f..a8967c2f8 100644 59index 5a31b5dde..035823da3 100644
60--- a/ssh.1 60--- a/ssh.1
61+++ b/ssh.1 61+++ b/ssh.1
62@@ -809,6 +809,16 @@ directive in 62@@ -812,6 +812,16 @@ directive in
63 .Xr ssh_config 5 63 .Xr ssh_config 5
64 for more information. 64 for more information.
65 .Pp 65 .Pp
@@ -76,7 +76,7 @@ index b33a8049f..a8967c2f8 100644
76 .It Fl x 76 .It Fl x
77 Disables X11 forwarding. 77 Disables X11 forwarding.
78 .Pp 78 .Pp
79@@ -817,6 +827,20 @@ Enables trusted X11 forwarding. 79@@ -820,6 +830,20 @@ Enables trusted X11 forwarding.
80 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 80 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
81 controls. 81 controls.
82 .Pp 82 .Pp
@@ -123,7 +123,7 @@ index 1ff999b68..8a55237b9 100644
123+ HashKnownHosts yes 123+ HashKnownHosts yes
124+ GSSAPIAuthentication yes 124+ GSSAPIAuthentication yes
125diff --git a/ssh_config.5 b/ssh_config.5 125diff --git a/ssh_config.5 b/ssh_config.5
126index c6eaa63e7..34dc2d51b 100644 126index dd8241df1..aac3fabb7 100644
127--- a/ssh_config.5 127--- a/ssh_config.5
128+++ b/ssh_config.5 128+++ b/ssh_config.5
129@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more 129@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
@@ -229,7 +229,7 @@ index 2c48105f8..459c1b230 100644
229 # Example of overriding settings on a per-user basis 229 # Example of overriding settings on a per-user basis
230 #Match User anoncvs 230 #Match User anoncvs
231diff --git a/sshd_config.5 b/sshd_config.5 231diff --git a/sshd_config.5 b/sshd_config.5
232index 25f4b8117..e8271be74 100644 232index c27f99937..b38025dbf 100644
233--- a/sshd_config.5 233--- a/sshd_config.5
234+++ b/sshd_config.5 234+++ b/sshd_config.5
235@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes 235@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 3744218ff..3b9e8df3c 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001 1From ca39bb2ab1f56d8ecdeadc32d6bda1a8e73301ac Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index b0faea78c..f58bbaeee 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001 1From 0402bdf307736b3afae8c80c84f04b0295990c45 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index e61a0fd43..c6eaa63e7 100644 16index d814147d4..dd8241df1 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files 19@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 35b370752..7436be62d 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001 1From 9b1d6a32944943b6b18861b97868c463bf5a6e8c Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 4bf1d3f73..685923e47 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 34aff3aa136e5a65f441b25811dd466488fda087 Mon Sep 17 00:00:00 2001 1From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -16,9 +16,12 @@ have it merged into the main openssh package rather than having separate
16-krb5 packages (as we used to have). It seems to have a generally good 16-krb5 packages (as we used to have). It seems to have a generally good
17security history. 17security history.
18 18
19Author: Simon Wilkinson <simon@sxw.org.uk>
20Author: Colin Watson <cjwatson@debian.org>
21Author: Jakub Jelen <jjelen@redhat.com>
19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master 22Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 23Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
21Last-Updated: 2020-02-21 24Last-Updated: 2020-06-07
22 25
23Patch-Name: gssapi.patch 26Patch-Name: gssapi.patch
24--- 27---
@@ -49,23 +52,23 @@ Patch-Name: gssapi.patch
49 servconf.c | 47 ++++ 52 servconf.c | 47 ++++
50 servconf.h | 3 + 53 servconf.h | 3 +
51 session.c | 10 +- 54 session.c | 10 +-
52 ssh-gss.h | 50 +++- 55 ssh-gss.h | 54 ++++-
53 ssh.1 | 8 + 56 ssh.1 | 8 +
54 ssh.c | 6 +- 57 ssh.c | 6 +-
55 ssh_config | 2 + 58 ssh_config | 2 +
56 ssh_config.5 | 57 +++++ 59 ssh_config.5 | 57 +++++
57 sshconnect2.c | 142 +++++++++++- 60 sshconnect2.c | 154 +++++++++++-
58 sshd.c | 62 ++++- 61 sshd.c | 62 ++++-
59 sshd_config | 2 + 62 sshd_config | 2 +
60 sshd_config.5 | 30 +++ 63 sshd_config.5 | 30 +++
61 sshkey.c | 3 +- 64 sshkey.c | 3 +-
62 sshkey.h | 1 + 65 sshkey.h | 1 +
63 38 files changed, 2624 insertions(+), 160 deletions(-) 66 38 files changed, 2640 insertions(+), 160 deletions(-)
64 create mode 100644 kexgssc.c 67 create mode 100644 kexgssc.c
65 create mode 100644 kexgsss.c 68 create mode 100644 kexgsss.c
66 69
67diff --git a/Makefile.in b/Makefile.in 70diff --git a/Makefile.in b/Makefile.in
68index e7549470c..b68c1710f 100644 71index c9e4294d3..bf1e1de47 100644
69--- a/Makefile.in 72--- a/Makefile.in
70+++ b/Makefile.in 73+++ b/Makefile.in
71@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 74@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -336,7 +339,7 @@ index 9351e0428..d6446c0cf 100644
336 "gssapi-with-mic", 339 "gssapi-with-mic",
337 userauth_gssapi, 340 userauth_gssapi,
338diff --git a/auth2.c b/auth2.c 341diff --git a/auth2.c b/auth2.c
339index 0e7762242..1c217268c 100644 342index 91aaf34a6..a4a5e0069 100644
340--- a/auth2.c 343--- a/auth2.c
341+++ b/auth2.c 344+++ b/auth2.c
342@@ -73,6 +73,7 @@ extern Authmethod method_passwd; 345@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
@@ -474,7 +477,7 @@ index 26d62855a..0cadc9f18 100644
474 int get_peer_port(int); 477 int get_peer_port(int);
475 char *get_local_ipaddr(int); 478 char *get_local_ipaddr(int);
476diff --git a/clientloop.c b/clientloop.c 479diff --git a/clientloop.c b/clientloop.c
477index ebd0dbca1..1bdac6a46 100644 480index da396c72a..42ace7789 100644
478--- a/clientloop.c 481--- a/clientloop.c
479+++ b/clientloop.c 482+++ b/clientloop.c
480@@ -112,6 +112,10 @@ 483@@ -112,6 +112,10 @@
@@ -488,7 +491,7 @@ index ebd0dbca1..1bdac6a46 100644
488 /* import options */ 491 /* import options */
489 extern Options options; 492 extern Options options;
490 493
491@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 494@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
492 break; 495 break;
493 496
494 /* Do channel operations unless rekeying in progress. */ 497 /* Do channel operations unless rekeying in progress. */
@@ -509,10 +512,10 @@ index ebd0dbca1..1bdac6a46 100644
509 client_process_net_input(ssh, readset); 512 client_process_net_input(ssh, readset);
510 513
511diff --git a/configure.ac b/configure.ac 514diff --git a/configure.ac b/configure.ac
512index b689db4b5..efafb6bd8 100644 515index 460383757..d98e6f74a 100644
513--- a/configure.ac 516--- a/configure.ac
514+++ b/configure.ac 517+++ b/configure.ac
515@@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 518@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
516 [Use tunnel device compatibility to OpenBSD]) 519 [Use tunnel device compatibility to OpenBSD])
517 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 520 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
518 [Prepend the address family to IP tunnel traffic]) 521 [Prepend the address family to IP tunnel traffic])
@@ -1053,11 +1056,11 @@ index a151bc1e4..ef9beb67c 100644
1053 1056
1054 #endif /* KRB5 */ 1057 #endif /* KRB5 */
1055diff --git a/gss-serv.c b/gss-serv.c 1058diff --git a/gss-serv.c b/gss-serv.c
1056index ab3a15f0f..1d47870e7 100644 1059index b5d4bb2d1..55f4d4bda 100644
1057--- a/gss-serv.c 1060--- a/gss-serv.c
1058+++ b/gss-serv.c 1061+++ b/gss-serv.c
1059@@ -1,7 +1,7 @@ 1062@@ -1,7 +1,7 @@
1060 /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ 1063 /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
1061 1064
1062 /* 1065 /*
1063- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1066- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1327,7 +1330,7 @@ index ab3a15f0f..1d47870e7 100644
1327 1330
1328 /* Privileged */ 1331 /* Privileged */
1329diff --git a/kex.c b/kex.c 1332diff --git a/kex.c b/kex.c
1330index ce85f0439..574c76093 100644 1333index 09c7258e0..144dee512 100644
1331--- a/kex.c 1334--- a/kex.c
1332+++ b/kex.c 1335+++ b/kex.c
1333@@ -57,11 +57,16 @@ 1336@@ -57,11 +57,16 @@
@@ -1439,7 +1442,7 @@ index ce85f0439..574c76093 100644
1439 /* put algorithm proposal into buffer */ 1442 /* put algorithm proposal into buffer */
1440 int 1443 int
1441 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 1444 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
1442@@ -698,6 +755,9 @@ kex_free(struct kex *kex) 1445@@ -697,6 +754,9 @@ kex_free(struct kex *kex)
1443 sshbuf_free(kex->server_version); 1446 sshbuf_free(kex->server_version);
1444 sshbuf_free(kex->client_pub); 1447 sshbuf_free(kex->client_pub);
1445 free(kex->session_id); 1448 free(kex->session_id);
@@ -2653,7 +2656,7 @@ index 000000000..60bc02deb
2653+} 2656+}
2654+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ 2657+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
2655diff --git a/monitor.c b/monitor.c 2658diff --git a/monitor.c b/monitor.c
2656index 2ce89fe90..ebf76c7f9 100644 2659index b6e855d5d..5347e900d 100644
2657--- a/monitor.c 2660--- a/monitor.c
2658+++ b/monitor.c 2661+++ b/monitor.c
2659@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); 2662@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2706,7 +2709,7 @@ index 2ce89fe90..ebf76c7f9 100644
2706 2709
2707 if (auth_opts->permit_pty_flag) { 2710 if (auth_opts->permit_pty_flag) {
2708 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2711 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2709@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) 2712@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
2710 # ifdef OPENSSL_HAS_ECC 2713 # ifdef OPENSSL_HAS_ECC
2711 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 2714 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
2712 # endif 2715 # endif
@@ -2724,7 +2727,7 @@ index 2ce89fe90..ebf76c7f9 100644
2724 #endif /* WITH_OPENSSL */ 2727 #endif /* WITH_OPENSSL */
2725 kex->kex[KEX_C25519_SHA256] = kex_gen_server; 2728 kex->kex[KEX_C25519_SHA256] = kex_gen_server;
2726 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; 2729 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
2727@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2730@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2728 u_char *p; 2731 u_char *p;
2729 int r; 2732 int r;
2730 2733
@@ -2735,7 +2738,7 @@ index 2ce89fe90..ebf76c7f9 100644
2735 2738
2736 if ((r = sshbuf_get_string(m, &p, &len)) != 0) 2739 if ((r = sshbuf_get_string(m, &p, &len)) != 0)
2737 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2740 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2738@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2741@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2739 OM_uint32 flags = 0; /* GSI needs this */ 2742 OM_uint32 flags = 0; /* GSI needs this */
2740 int r; 2743 int r;
2741 2744
@@ -2746,7 +2749,7 @@ index 2ce89fe90..ebf76c7f9 100644
2746 2749
2747 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) 2750 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
2748 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2751 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2749@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2752@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2750 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2753 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2751 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2754 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2752 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2755 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2754,7 +2757,7 @@ index 2ce89fe90..ebf76c7f9 100644
2754 } 2757 }
2755 return (0); 2758 return (0);
2756 } 2759 }
2757@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) 2760@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
2758 OM_uint32 ret; 2761 OM_uint32 ret;
2759 int r; 2762 int r;
2760 2763
@@ -2765,7 +2768,7 @@ index 2ce89fe90..ebf76c7f9 100644
2765 2768
2766 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || 2769 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
2767 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) 2770 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
2768@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) 2771@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
2769 int 2772 int
2770 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2773 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2771 { 2774 {
@@ -2787,7 +2790,7 @@ index 2ce89fe90..ebf76c7f9 100644
2787 2790
2788 sshbuf_reset(m); 2791 sshbuf_reset(m);
2789 if ((r = sshbuf_put_u32(m, authenticated)) != 0) 2792 if ((r = sshbuf_put_u32(m, authenticated)) != 0)
2790@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2793@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2791 debug3("%s: sending result %d", __func__, authenticated); 2794 debug3("%s: sending result %d", __func__, authenticated);
2792 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 2795 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
2793 2796
@@ -2800,7 +2803,7 @@ index 2ce89fe90..ebf76c7f9 100644
2800 2803
2801 if ((displayname = ssh_gssapi_displayname()) != NULL) 2804 if ((displayname = ssh_gssapi_displayname()) != NULL)
2802 auth2_record_info(authctxt, "%s", displayname); 2805 auth2_record_info(authctxt, "%s", displayname);
2803@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2806@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2804 /* Monitor loop will terminate if authenticated */ 2807 /* Monitor loop will terminate if authenticated */
2805 return (authenticated); 2808 return (authenticated);
2806 } 2809 }
@@ -2995,7 +2998,7 @@ index 23ab096aa..485590c18 100644
2995 2998
2996 #ifdef USE_PAM 2999 #ifdef USE_PAM
2997diff --git a/readconf.c b/readconf.c 3000diff --git a/readconf.c b/readconf.c
2998index f3cac6b3a..da8022dd0 100644 3001index 2afcbaeca..fb585e248 100644
2999--- a/readconf.c 3002--- a/readconf.c
3000+++ b/readconf.c 3003+++ b/readconf.c
3001@@ -67,6 +67,7 @@ 3004@@ -67,6 +67,7 @@
@@ -3038,7 +3041,7 @@ index f3cac6b3a..da8022dd0 100644
3038 #endif 3041 #endif
3039 #ifdef ENABLE_PKCS11 3042 #ifdef ENABLE_PKCS11
3040 { "pkcs11provider", oPKCS11Provider }, 3043 { "pkcs11provider", oPKCS11Provider },
3041@@ -1029,10 +1044,42 @@ parse_time: 3044@@ -1053,10 +1068,42 @@ parse_time:
3042 intptr = &options->gss_authentication; 3045 intptr = &options->gss_authentication;
3043 goto parse_flag; 3046 goto parse_flag;
3044 3047
@@ -3081,7 +3084,7 @@ index f3cac6b3a..da8022dd0 100644
3081 case oBatchMode: 3084 case oBatchMode:
3082 intptr = &options->batch_mode; 3085 intptr = &options->batch_mode;
3083 goto parse_flag; 3086 goto parse_flag;
3084@@ -1911,7 +1958,13 @@ initialize_options(Options * options) 3087@@ -1935,7 +1982,13 @@ initialize_options(Options * options)
3085 options->pubkey_authentication = -1; 3088 options->pubkey_authentication = -1;
3086 options->challenge_response_authentication = -1; 3089 options->challenge_response_authentication = -1;
3087 options->gss_authentication = -1; 3090 options->gss_authentication = -1;
@@ -3095,7 +3098,7 @@ index f3cac6b3a..da8022dd0 100644
3095 options->password_authentication = -1; 3098 options->password_authentication = -1;
3096 options->kbd_interactive_authentication = -1; 3099 options->kbd_interactive_authentication = -1;
3097 options->kbd_interactive_devices = NULL; 3100 options->kbd_interactive_devices = NULL;
3098@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) 3101@@ -2083,8 +2136,18 @@ fill_default_options(Options * options)
3099 options->challenge_response_authentication = 1; 3102 options->challenge_response_authentication = 1;
3100 if (options->gss_authentication == -1) 3103 if (options->gss_authentication == -1)
3101 options->gss_authentication = 0; 3104 options->gss_authentication = 0;
@@ -3114,7 +3117,7 @@ index f3cac6b3a..da8022dd0 100644
3114 if (options->password_authentication == -1) 3117 if (options->password_authentication == -1)
3115 options->password_authentication = 1; 3118 options->password_authentication = 1;
3116 if (options->kbd_interactive_authentication == -1) 3119 if (options->kbd_interactive_authentication == -1)
3117@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) 3120@@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host)
3118 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); 3121 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
3119 #ifdef GSSAPI 3122 #ifdef GSSAPI
3120 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 3123 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3130,7 +3133,7 @@ index f3cac6b3a..da8022dd0 100644
3130 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); 3133 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
3131 dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); 3134 dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
3132diff --git a/readconf.h b/readconf.h 3135diff --git a/readconf.h b/readconf.h
3133index feedb3d20..a8a8870d7 100644 3136index e143a1082..c405b837f 100644
3134--- a/readconf.h 3137--- a/readconf.h
3135+++ b/readconf.h 3138+++ b/readconf.h
3136@@ -41,7 +41,13 @@ typedef struct { 3139@@ -41,7 +41,13 @@ typedef struct {
@@ -3148,7 +3151,7 @@ index feedb3d20..a8a8870d7 100644
3148 * authentication. */ 3151 * authentication. */
3149 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 3152 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
3150diff --git a/servconf.c b/servconf.c 3153diff --git a/servconf.c b/servconf.c
3151index 70f5f73f0..191575a16 100644 3154index ba0a92c7b..f38ba9e44 100644
3152--- a/servconf.c 3155--- a/servconf.c
3153+++ b/servconf.c 3156+++ b/servconf.c
3154@@ -69,6 +69,7 @@ 3157@@ -69,6 +69,7 @@
@@ -3221,7 +3224,7 @@ index 70f5f73f0..191575a16 100644
3221 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 3224 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
3222 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 3225 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
3223 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 3226 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
3224@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, 3227@@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
3225 intptr = &options->gss_authentication; 3228 intptr = &options->gss_authentication;
3226 goto parse_flag; 3229 goto parse_flag;
3227 3230
@@ -3232,7 +3235,7 @@ index 70f5f73f0..191575a16 100644
3232 case sGssCleanupCreds: 3235 case sGssCleanupCreds:
3233 intptr = &options->gss_cleanup_creds; 3236 intptr = &options->gss_cleanup_creds;
3234 goto parse_flag; 3237 goto parse_flag;
3235@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, 3238@@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
3236 intptr = &options->gss_strict_acceptor; 3239 intptr = &options->gss_strict_acceptor;
3237 goto parse_flag; 3240 goto parse_flag;
3238 3241
@@ -3255,7 +3258,7 @@ index 70f5f73f0..191575a16 100644
3255 case sPasswordAuthentication: 3258 case sPasswordAuthentication:
3256 intptr = &options->password_authentication; 3259 intptr = &options->password_authentication;
3257 goto parse_flag; 3260 goto parse_flag;
3258@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) 3261@@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o)
3259 #ifdef GSSAPI 3262 #ifdef GSSAPI
3260 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 3263 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3261 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 3264 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3267,10 +3270,10 @@ index 70f5f73f0..191575a16 100644
3267 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 3270 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3268 dump_cfg_fmtint(sKbdInteractiveAuthentication, 3271 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3269diff --git a/servconf.h b/servconf.h 3272diff --git a/servconf.h b/servconf.h
3270index 4202a2d02..3f47ea25e 100644 3273index a420f398d..253cad97e 100644
3271--- a/servconf.h 3274--- a/servconf.h
3272+++ b/servconf.h 3275+++ b/servconf.h
3273@@ -132,8 +132,11 @@ typedef struct { 3276@@ -137,8 +137,11 @@ typedef struct {
3274 int kerberos_get_afs_token; /* If true, try to get AFS token if 3277 int kerberos_get_afs_token; /* If true, try to get AFS token if
3275 * authenticated with Kerberos. */ 3278 * authenticated with Kerberos. */
3276 int gss_authentication; /* If true, permit GSSAPI authentication */ 3279 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -3283,7 +3286,7 @@ index 4202a2d02..3f47ea25e 100644
3283 * authentication. */ 3286 * authentication. */
3284 int kbd_interactive_authentication; /* If true, permit */ 3287 int kbd_interactive_authentication; /* If true, permit */
3285diff --git a/session.c b/session.c 3288diff --git a/session.c b/session.c
3286index 8c0e54f79..06a33442a 100644 3289index 18cdfa8cf..f9c2c866e 100644
3287--- a/session.c 3290--- a/session.c
3288+++ b/session.c 3291+++ b/session.c
3289@@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) 3292@@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3309,7 +3312,7 @@ index 8c0e54f79..06a33442a 100644
3309 3312
3310 /* remove agent socket */ 3313 /* remove agent socket */
3311diff --git a/ssh-gss.h b/ssh-gss.h 3314diff --git a/ssh-gss.h b/ssh-gss.h
3312index 36180d07a..70dd36658 100644 3315index 36180d07a..50d80bbca 100644
3313--- a/ssh-gss.h 3316--- a/ssh-gss.h
3314+++ b/ssh-gss.h 3317+++ b/ssh-gss.h
3315@@ -1,6 +1,6 @@ 3318@@ -1,6 +1,6 @@
@@ -3320,7 +3323,7 @@ index 36180d07a..70dd36658 100644
3320 * 3323 *
3321 * Redistribution and use in source and binary forms, with or without 3324 * Redistribution and use in source and binary forms, with or without
3322 * modification, are permitted provided that the following conditions 3325 * modification, are permitted provided that the following conditions
3323@@ -61,10 +61,30 @@ 3326@@ -61,10 +61,34 @@
3324 3327
3325 #define SSH_GSS_OIDTYPE 0x06 3328 #define SSH_GSS_OIDTYPE 0x06
3326 3329
@@ -3340,8 +3343,12 @@ index 36180d07a..70dd36658 100644
3340+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" 3343+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
3341+ 3344+
3342+#define GSS_KEX_DEFAULT_KEX \ 3345+#define GSS_KEX_DEFAULT_KEX \
3343+ KEX_GSS_GEX_SHA1_ID "," \ 3346+ KEX_GSS_GRP14_SHA256_ID "," \
3344+ KEX_GSS_GRP14_SHA1_ID 3347+ KEX_GSS_GRP16_SHA512_ID "," \
3348+ KEX_GSS_NISTP256_SHA256_ID "," \
3349+ KEX_GSS_C25519_SHA256_ID "," \
3350+ KEX_GSS_GRP14_SHA1_ID "," \
3351+ KEX_GSS_GEX_SHA1_ID
3345+ 3352+
3346 typedef struct { 3353 typedef struct {
3347 char *filename; 3354 char *filename;
@@ -3351,7 +3358,7 @@ index 36180d07a..70dd36658 100644
3351 void *data; 3358 void *data;
3352 } ssh_gssapi_ccache; 3359 } ssh_gssapi_ccache;
3353 3360
3354@@ -72,8 +92,11 @@ typedef struct { 3361@@ -72,8 +96,11 @@ typedef struct {
3355 gss_buffer_desc displayname; 3362 gss_buffer_desc displayname;
3356 gss_buffer_desc exportedname; 3363 gss_buffer_desc exportedname;
3357 gss_cred_id_t creds; 3364 gss_cred_id_t creds;
@@ -3363,7 +3370,7 @@ index 36180d07a..70dd36658 100644
3363 } ssh_gssapi_client; 3370 } ssh_gssapi_client;
3364 3371
3365 typedef struct ssh_gssapi_mech_struct { 3372 typedef struct ssh_gssapi_mech_struct {
3366@@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct { 3373@@ -84,6 +111,7 @@ typedef struct ssh_gssapi_mech_struct {
3367 int (*userok) (ssh_gssapi_client *, char *); 3374 int (*userok) (ssh_gssapi_client *, char *);
3368 int (*localname) (ssh_gssapi_client *, char **); 3375 int (*localname) (ssh_gssapi_client *, char **);
3369 void (*storecreds) (ssh_gssapi_client *); 3376 void (*storecreds) (ssh_gssapi_client *);
@@ -3371,7 +3378,7 @@ index 36180d07a..70dd36658 100644
3371 } ssh_gssapi_mech; 3378 } ssh_gssapi_mech;
3372 3379
3373 typedef struct { 3380 typedef struct {
3374@@ -94,10 +118,11 @@ typedef struct { 3381@@ -94,10 +122,11 @@ typedef struct {
3375 gss_OID oid; /* client */ 3382 gss_OID oid; /* client */
3376 gss_cred_id_t creds; /* server */ 3383 gss_cred_id_t creds; /* server */
3377 gss_name_t client; /* server */ 3384 gss_name_t client; /* server */
@@ -3384,7 +3391,7 @@ index 36180d07a..70dd36658 100644
3384 3391
3385 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 3392 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
3386 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 3393 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
3387@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); 3394@@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
3388 3395
3389 struct sshbuf; 3396 struct sshbuf;
3390 int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); 3397 int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
@@ -3392,7 +3399,7 @@ index 36180d07a..70dd36658 100644
3392 3399
3393 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); 3400 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
3394 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, 3401 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
3395@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); 3402@@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
3396 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 3403 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
3397 void ssh_gssapi_buildmic(struct sshbuf *, const char *, 3404 void ssh_gssapi_buildmic(struct sshbuf *, const char *,
3398 const char *, const char *); 3405 const char *, const char *);
@@ -3429,10 +3436,10 @@ index 36180d07a..70dd36658 100644
3429 3436
3430 #endif /* _SSH_GSS_H */ 3437 #endif /* _SSH_GSS_H */
3431diff --git a/ssh.1 b/ssh.1 3438diff --git a/ssh.1 b/ssh.1
3432index 60de6087a..db5c65bc7 100644 3439index dce5f404b..7a3ba31ab 100644
3433--- a/ssh.1 3440--- a/ssh.1
3434+++ b/ssh.1 3441+++ b/ssh.1
3435@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see 3442@@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see
3436 .It GatewayPorts 3443 .It GatewayPorts
3437 .It GlobalKnownHostsFile 3444 .It GlobalKnownHostsFile
3438 .It GSSAPIAuthentication 3445 .It GSSAPIAuthentication
@@ -3446,7 +3453,7 @@ index 60de6087a..db5c65bc7 100644
3446 .It HashKnownHosts 3453 .It HashKnownHosts
3447 .It Host 3454 .It Host
3448 .It HostbasedAuthentication 3455 .It HostbasedAuthentication
3449@@ -579,6 +585,8 @@ flag), 3456@@ -582,6 +588,8 @@ flag),
3450 (supported message integrity codes), 3457 (supported message integrity codes),
3451 .Ar kex 3458 .Ar kex
3452 (key exchange algorithms), 3459 (key exchange algorithms),
@@ -3456,10 +3463,10 @@ index 60de6087a..db5c65bc7 100644
3456 (key types), 3463 (key types),
3457 .Ar key-cert 3464 .Ar key-cert
3458diff --git a/ssh.c b/ssh.c 3465diff --git a/ssh.c b/ssh.c
3459index 15aee569e..110cf9c19 100644 3466index 98b6ce788..4a81ef810 100644
3460--- a/ssh.c 3467--- a/ssh.c
3461+++ b/ssh.c 3468+++ b/ssh.c
3462@@ -747,6 +747,8 @@ main(int ac, char **av) 3469@@ -773,6 +773,8 @@ main(int ac, char **av)
3463 else if (strcmp(optarg, "kex") == 0 || 3470 else if (strcmp(optarg, "kex") == 0 ||
3464 strcasecmp(optarg, "KexAlgorithms") == 0) 3471 strcasecmp(optarg, "KexAlgorithms") == 0)
3465 cp = kex_alg_list('\n'); 3472 cp = kex_alg_list('\n');
@@ -3468,7 +3475,7 @@ index 15aee569e..110cf9c19 100644
3468 else if (strcmp(optarg, "key") == 0) 3475 else if (strcmp(optarg, "key") == 0)
3469 cp = sshkey_alg_list(0, 0, 0, '\n'); 3476 cp = sshkey_alg_list(0, 0, 0, '\n');
3470 else if (strcmp(optarg, "key-cert") == 0) 3477 else if (strcmp(optarg, "key-cert") == 0)
3471@@ -772,8 +774,8 @@ main(int ac, char **av) 3478@@ -798,8 +800,8 @@ main(int ac, char **av)
3472 } else if (strcmp(optarg, "help") == 0) { 3479 } else if (strcmp(optarg, "help") == 0) {
3473 cp = xstrdup( 3480 cp = xstrdup(
3474 "cipher\ncipher-auth\ncompression\nkex\n" 3481 "cipher\ncipher-auth\ncompression\nkex\n"
@@ -3493,7 +3500,7 @@ index 5e8ef548b..1ff999b68 100644
3493 # CheckHostIP yes 3500 # CheckHostIP yes
3494 # AddressFamily any 3501 # AddressFamily any
3495diff --git a/ssh_config.5 b/ssh_config.5 3502diff --git a/ssh_config.5 b/ssh_config.5
3496index 06a32d314..3f4906972 100644 3503index dc010ccbd..e2a2359f9 100644
3497--- a/ssh_config.5 3504--- a/ssh_config.5
3498+++ b/ssh_config.5 3505+++ b/ssh_config.5
3499@@ -766,10 +766,67 @@ The default is 3506@@ -766,10 +766,67 @@ The default is
@@ -3559,13 +3566,13 @@ index 06a32d314..3f4906972 100644
3559+.Ed 3566+.Ed
3560+.Pp 3567+.Pp
3561+The default is 3568+The default is
3562+.Dq gss-gex-sha1-,gss-group14-sha1- . 3569+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
3563+This option only applies to protocol version 2 connections using GSSAPI. 3570+This option only applies to connections using GSSAPI.
3564 .It Cm HashKnownHosts 3571 .It Cm HashKnownHosts
3565 Indicates that 3572 Indicates that
3566 .Xr ssh 1 3573 .Xr ssh 1
3567diff --git a/sshconnect2.c b/sshconnect2.c 3574diff --git a/sshconnect2.c b/sshconnect2.c
3568index af00fb30c..03bc87eb4 100644 3575index 1a6545edf..79a22e600 100644
3569--- a/sshconnect2.c 3576--- a/sshconnect2.c
3570+++ b/sshconnect2.c 3577+++ b/sshconnect2.c
3571@@ -80,8 +80,6 @@ 3578@@ -80,8 +80,6 @@
@@ -3589,7 +3596,7 @@ index af00fb30c..03bc87eb4 100644
3589 xxx_host = host; 3596 xxx_host = host;
3590 xxx_hostaddr = hostaddr; 3597 xxx_hostaddr = hostaddr;
3591 3598
3592@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) 3599@@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
3593 compat_pkalg_proposal(options.hostkeyalgorithms); 3600 compat_pkalg_proposal(options.hostkeyalgorithms);
3594 } 3601 }
3595 3602
@@ -3599,12 +3606,18 @@ index af00fb30c..03bc87eb4 100644
3599+ * client to the key exchange algorithm proposal */ 3606+ * client to the key exchange algorithm proposal */
3600+ orig = myproposal[PROPOSAL_KEX_ALGS]; 3607+ orig = myproposal[PROPOSAL_KEX_ALGS];
3601+ 3608+
3602+ if (options.gss_server_identity) 3609+ if (options.gss_server_identity) {
3603+ gss_host = xstrdup(options.gss_server_identity); 3610+ gss_host = xstrdup(options.gss_server_identity);
3604+ else if (options.gss_trust_dns) 3611+ } else if (options.gss_trust_dns) {
3605+ gss_host = remote_hostname(ssh); 3612+ gss_host = remote_hostname(ssh);
3606+ else 3613+ /* Fall back to specified host if we are using proxy command
3614+ * and can not use DNS on that socket */
3615+ if (strcmp(gss_host, "UNKNOWN") == 0) {
3616+ gss_host = xstrdup(host);
3617+ }
3618+ } else {
3607+ gss_host = xstrdup(host); 3619+ gss_host = xstrdup(host);
3620+ }
3608+ 3621+
3609+ gss = ssh_gssapi_client_mechanisms(gss_host, 3622+ gss = ssh_gssapi_client_mechanisms(gss_host,
3610+ options.gss_client_identity, options.gss_kex_algorithms); 3623+ options.gss_client_identity, options.gss_kex_algorithms);
@@ -3625,7 +3638,7 @@ index af00fb30c..03bc87eb4 100644
3625 if (options.rekey_limit || options.rekey_interval) 3638 if (options.rekey_limit || options.rekey_interval)
3626 ssh_packet_set_rekey_limits(ssh, options.rekey_limit, 3639 ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
3627 options.rekey_interval); 3640 options.rekey_interval);
3628@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) 3641@@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
3629 # ifdef OPENSSL_HAS_ECC 3642 # ifdef OPENSSL_HAS_ECC
3630 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; 3643 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
3631 # endif 3644 # endif
@@ -3673,7 +3686,7 @@ index af00fb30c..03bc87eb4 100644
3673 if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) 3686 if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
3674 fatal("kex_prop2buf: %s", ssh_err(r)); 3687 fatal("kex_prop2buf: %s", ssh_err(r));
3675 3688
3676@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); 3689@@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
3677 static int input_gssapi_token(int type, u_int32_t, struct ssh *); 3690 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
3678 static int input_gssapi_error(int, u_int32_t, struct ssh *); 3691 static int input_gssapi_error(int, u_int32_t, struct ssh *);
3679 static int input_gssapi_errtok(int, u_int32_t, struct ssh *); 3692 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3681,7 +3694,7 @@ index af00fb30c..03bc87eb4 100644
3681 #endif 3694 #endif
3682 3695
3683 void userauth(struct ssh *, char *); 3696 void userauth(struct ssh *, char *);
3684@@ -346,6 +409,11 @@ static char *authmethods_get(void); 3697@@ -346,6 +415,11 @@ static char *authmethods_get(void);
3685 3698
3686 Authmethod authmethods[] = { 3699 Authmethod authmethods[] = {
3687 #ifdef GSSAPI 3700 #ifdef GSSAPI
@@ -3693,18 +3706,24 @@ index af00fb30c..03bc87eb4 100644
3693 {"gssapi-with-mic", 3706 {"gssapi-with-mic",
3694 userauth_gssapi, 3707 userauth_gssapi,
3695 userauth_gssapi_cleanup, 3708 userauth_gssapi_cleanup,
3696@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) 3709@@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh)
3697 OM_uint32 min; 3710 OM_uint32 min;
3698 int r, ok = 0; 3711 int r, ok = 0;
3699 gss_OID mech = NULL; 3712 gss_OID mech = NULL;
3700+ char *gss_host; 3713+ char *gss_host;
3701+ 3714+
3702+ if (options.gss_server_identity) 3715+ if (options.gss_server_identity) {
3703+ gss_host = xstrdup(options.gss_server_identity); 3716+ gss_host = xstrdup(options.gss_server_identity);
3704+ else if (options.gss_trust_dns) 3717+ } else if (options.gss_trust_dns) {
3705+ gss_host = remote_hostname(ssh); 3718+ gss_host = remote_hostname(ssh);
3706+ else 3719+ /* Fall back to specified host if we are using proxy command
3720+ * and can not use DNS on that socket */
3721+ if (strcmp(gss_host, "UNKNOWN") == 0) {
3722+ gss_host = authctxt->host;
3723+ }
3724+ } else {
3707+ gss_host = xstrdup(authctxt->host); 3725+ gss_host = xstrdup(authctxt->host);
3726+ }
3708 3727
3709 /* Try one GSSAPI method at a time, rather than sending them all at 3728 /* Try one GSSAPI method at a time, rather than sending them all at
3710 * once. */ 3729 * once. */
@@ -3720,7 +3739,7 @@ index af00fb30c..03bc87eb4 100644
3720 3739
3721 /* Check to see whether the mechanism is usable before we offer it */ 3740 /* Check to see whether the mechanism is usable before we offer it */
3722 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && 3741 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
3723@@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh) 3742@@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh)
3724 elements[authctxt->mech_tried]; 3743 elements[authctxt->mech_tried];
3725 /* My DER encoding requires length<128 */ 3744 /* My DER encoding requires length<128 */
3726 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, 3745 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3737,7 +3756,7 @@ index af00fb30c..03bc87eb4 100644
3737 if (!ok || mech == NULL) 3756 if (!ok || mech == NULL)
3738 return 0; 3757 return 0;
3739 3758
3740@@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3759@@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3741 free(lang); 3760 free(lang);
3742 return r; 3761 return r;
3743 } 3762 }
@@ -3794,10 +3813,10 @@ index af00fb30c..03bc87eb4 100644
3794 3813
3795 static int 3814 static int
3796diff --git a/sshd.c b/sshd.c 3815diff --git a/sshd.c b/sshd.c
3797index 60b2aaf73..d92f03aaf 100644 3816index 6f8f11a3b..02fca5c28 100644
3798--- a/sshd.c 3817--- a/sshd.c
3799+++ b/sshd.c 3818+++ b/sshd.c
3800@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) 3819@@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh)
3801 } 3820 }
3802 debug3("%s: sent %u hostkeys", __func__, nkeys); 3821 debug3("%s: sent %u hostkeys", __func__, nkeys);
3803 if (nkeys == 0) 3822 if (nkeys == 0)
@@ -3808,7 +3827,7 @@ index 60b2aaf73..d92f03aaf 100644
3808 sshpkt_fatal(ssh, r, "%s: send", __func__); 3827 sshpkt_fatal(ssh, r, "%s: send", __func__);
3809 sshbuf_free(buf); 3828 sshbuf_free(buf);
3810 } 3829 }
3811@@ -1852,7 +1852,8 @@ main(int ac, char **av) 3830@@ -1851,7 +1851,8 @@ main(int ac, char **av)
3812 free(fp); 3831 free(fp);
3813 } 3832 }
3814 accumulate_host_timing_secret(cfg, NULL); 3833 accumulate_host_timing_secret(cfg, NULL);
@@ -3818,7 +3837,7 @@ index 60b2aaf73..d92f03aaf 100644
3818 logit("sshd: no hostkeys available -- exiting."); 3837 logit("sshd: no hostkeys available -- exiting.");
3819 exit(1); 3838 exit(1);
3820 } 3839 }
3821@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) 3840@@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh)
3822 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3841 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3823 list_hostkey_types()); 3842 list_hostkey_types());
3824 3843
@@ -3867,7 +3886,7 @@ index 60b2aaf73..d92f03aaf 100644
3867 /* start key exchange */ 3886 /* start key exchange */
3868 if ((r = kex_setup(ssh, myproposal)) != 0) 3887 if ((r = kex_setup(ssh, myproposal)) != 0)
3869 fatal("kex_setup: %s", ssh_err(r)); 3888 fatal("kex_setup: %s", ssh_err(r));
3870@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) 3889@@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh)
3871 # ifdef OPENSSL_HAS_ECC 3890 # ifdef OPENSSL_HAS_ECC
3872 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 3891 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
3873 # endif 3892 # endif
@@ -3901,10 +3920,10 @@ index 19b7c91a1..2c48105f8 100644
3901 # Set this to 'yes' to enable PAM authentication, account processing, 3920 # Set this to 'yes' to enable PAM authentication, account processing,
3902 # and session processing. If this is enabled, PAM authentication will 3921 # and session processing. If this is enabled, PAM authentication will
3903diff --git a/sshd_config.5 b/sshd_config.5 3922diff --git a/sshd_config.5 b/sshd_config.5
3904index 70ccea449..f6b41a2f8 100644 3923index b294efc2d..360e5fb1a 100644
3905--- a/sshd_config.5 3924--- a/sshd_config.5
3906+++ b/sshd_config.5 3925+++ b/sshd_config.5
3907@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache 3926@@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache
3908 on logout. 3927 on logout.
3909 The default is 3928 The default is
3910 .Cm yes . 3929 .Cm yes .
@@ -3916,7 +3935,7 @@ index 70ccea449..f6b41a2f8 100644
3916 .It Cm GSSAPIStrictAcceptorCheck 3935 .It Cm GSSAPIStrictAcceptorCheck
3917 Determines whether to be strict about the identity of the GSSAPI acceptor 3936 Determines whether to be strict about the identity of the GSSAPI acceptor
3918 a client authenticates against. 3937 a client authenticates against.
3919@@ -660,6 +665,31 @@ machine's default store. 3938@@ -658,6 +663,31 @@ machine's default store.
3920 This facility is provided to assist with operation on multi homed machines. 3939 This facility is provided to assist with operation on multi homed machines.
3921 The default is 3940 The default is
3922 .Cm yes . 3941 .Cm yes .
@@ -3943,13 +3962,13 @@ index 70ccea449..f6b41a2f8 100644
3943+.Ed 3962+.Ed
3944+.Pp 3963+.Pp
3945+The default is 3964+The default is
3946+.Dq gss-gex-sha1-,gss-group14-sha1- . 3965+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
3947+This option only applies to protocol version 2 connections using GSSAPI. 3966+This option only applies to connections using GSSAPI.
3948 .It Cm HostbasedAcceptedKeyTypes 3967 .It Cm HostbasedAcceptedKeyTypes
3949 Specifies the key types that will be accepted for hostbased authentication 3968 Specifies the key types that will be accepted for hostbased authentication
3950 as a list of comma-separated patterns. 3969 as a list of comma-separated patterns.
3951diff --git a/sshkey.c b/sshkey.c 3970diff --git a/sshkey.c b/sshkey.c
3952index 57995ee68..fd5b77246 100644 3971index 1571e3d93..1ac32a0ec 100644
3953--- a/sshkey.c 3972--- a/sshkey.c
3954+++ b/sshkey.c 3973+++ b/sshkey.c
3955@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { 3974@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
@@ -3970,7 +3989,7 @@ index 57995ee68..fd5b77246 100644
3970 if (!include_sigonly && kt->sigonly) 3989 if (!include_sigonly && kt->sigonly)
3971 continue; 3990 continue;
3972diff --git a/sshkey.h b/sshkey.h 3991diff --git a/sshkey.h b/sshkey.h
3973index 71a3fddcb..37a43a67a 100644 3992index 9c1d4f637..f586e8967 100644
3974--- a/sshkey.h 3993--- a/sshkey.h
3975+++ b/sshkey.h 3994+++ b/sshkey.h
3976@@ -69,6 +69,7 @@ enum sshkey_types { 3995@@ -69,6 +69,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 734118a19..4a26d9d31 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001 1From 24c9c811bfd227e467ab1ce00503f08dcc22c0f4 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 0fc996871..2399208f8 100644 29index 2ccc48572..431243193 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -176,6 +176,7 @@ typedef enum { 32@@ -176,6 +176,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 0fc996871..2399208f8 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1495,6 +1498,8 @@ parse_keytypes: 49@@ -1519,6 +1522,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 0fc996871..2399208f8 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2198,8 +2203,13 @@ fill_default_options(Options * options) 58@@ -2222,8 +2227,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 0fc996871..2399208f8 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 3f4906972..3079db19b 100644 75index e2a2359f9..85ab7447f 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -266,9 +266,13 @@ If set to 78@@ -266,9 +266,13 @@ If set to
@@ -90,7 +90,7 @@ index 3f4906972..3079db19b 100644
90 The argument must be 90 The argument must be
91 .Cm yes 91 .Cm yes
92 or 92 or
93@@ -1593,7 +1597,14 @@ from the server, 93@@ -1604,7 +1608,14 @@ from the server,
94 will send a message through the encrypted 94 will send a message through the encrypted
95 channel to request a response from the server. 95 channel to request a response from the server.
96 The default 96 The default
@@ -106,7 +106,7 @@ index 3f4906972..3079db19b 100644
106 .It Cm SetEnv 106 .It Cm SetEnv
107 Directly specify one or more environment variables and their contents to 107 Directly specify one or more environment variables and their contents to
108 be sent to the server. 108 be sent to the server.
109@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the 109@@ -1684,6 +1695,12 @@ Specifies whether the system should send TCP keepalive messages to the
110 other side. 110 other side.
111 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
112 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 3f4906972..3079db19b 100644
120 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
121 find it annoying. 121 find it annoying.
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index f6b41a2f8..ebd09f891 100644 123index 360e5fb1a..9f093be1f 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions. 126@@ -1680,6 +1680,9 @@ This avoids infinitely hanging sessions.
127 .Pp 127 .Pp
128 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
129 .Cm no . 129 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 6d48d7589..50b51619c 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001 1From 8ec2f85d03524a6b4954f0a29496b5a301f92080 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,7 +14,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 4a5d4a003..b796d3c8a 100644 17index bfbf80e92..f20d3e792 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 02a798b85..b91cbd4ea 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001 1From a5d0b90bbd2c5a6bdec17b1abc5dca8166ae73f7 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 34ec87094..342487057 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001 1From 34bf12a8e8fcc7720168dac307ef9388af93b947 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 7af564297..d6a7870e0 100644 47index 059c1b034..45866f931 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -196,9 +196,7 @@ key in 50@@ -197,9 +197,7 @@ key in
51 .Pa ~/.ssh/id_ed25519_sk 51 .Pa ~/.ssh/id_ed25519_sk
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 7af564297..d6a7870e0 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -261,9 +259,7 @@ If 61@@ -262,9 +260,7 @@ If
62 .Fl f 62 .Fl f
63 has also been specified, its argument is used as a prefix to the 63 has also been specified, its argument is used as a prefix to the
64 default path for the resulting host key files. 64 default path for the resulting host key files.
@@ -69,7 +69,7 @@ index 7af564297..d6a7870e0 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a private key, this option specifies the number of KDF 70 When saving a private key, this option specifies the number of KDF
71 (key derivation function) rounds used. 71 (key derivation function) rounds used.
72@@ -783,7 +779,7 @@ option. 72@@ -787,7 +783,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 7af564297..d6a7870e0 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Pp 80 .Pp
81@@ -1154,7 +1150,7 @@ on all machines 81@@ -1158,7 +1154,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 7af564297..d6a7870e0 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index cf991e4ee..17b0e984f 100644 91index a80be8efe..566fdba6b 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -887,6 +887,10 @@ implements public key authentication protocol automatically, 94@@ -890,6 +890,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -133,10 +133,10 @@ index 730520231..5ce0ea4fa 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index c926f584c..25f4b8117 100644 136index 753ceda10..c27f99937 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for 139@@ -385,8 +385,7 @@ Certificates signed using other algorithms will not be accepted for
140 public key or host-based authentication. 140 public key or host-based authentication.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 32a7a1fed..a560ae940 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001 1From d66c30698f807ab95aee7ea4a882c192884df047 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
18 2 files changed, 7 insertions(+), 2 deletions(-) 18 2 files changed, 7 insertions(+), 2 deletions(-)
19 19
20diff --git a/kex.c b/kex.c 20diff --git a/kex.c b/kex.c
21index 574c76093..f638942d3 100644 21index 144dee512..0e64bf760 100644
22--- a/kex.c 22--- a/kex.c
23+++ b/kex.c 23+++ b/kex.c
24@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 24@@ -1243,7 +1243,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
25 if (version_addendum != NULL && *version_addendum == '\0') 25 if (version_addendum != NULL && *version_addendum == '\0')
26 version_addendum = NULL; 26 version_addendum = NULL;
27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -29,13 +29,13 @@ index 574c76093..f638942d3 100644
29+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, 29+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
30 version_addendum == NULL ? "" : " ", 30 version_addendum == NULL ? "" : " ",
31 version_addendum == NULL ? "" : version_addendum)) != 0) { 31 version_addendum == NULL ? "" : version_addendum)) != 0) {
32 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 32 oerrno = errno;
33diff --git a/version.h b/version.h 33diff --git a/version.h b/version.h
34index c2affcb2a..d79126cc3 100644 34index a2eca3ec8..158eaee70 100644
35--- a/version.h 35--- a/version.h
36+++ b/version.h 36+++ b/version.h
37@@ -3,4 +3,9 @@ 37@@ -3,4 +3,9 @@
38 #define SSH_VERSION "OpenSSH_8.2" 38 #define SSH_VERSION "OpenSSH_8.3"
39 39
40 #define SSH_PORTABLE "p1" 40 #define SSH_PORTABLE "p1"
41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index aa6f4cc31..e32c31717 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001 1From a31d1fdf19480d9a184a27a4d221655f408f74d7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index d73cc283c..e544e3874 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001 1From 7e3de67f8447064d6963e8299653d8e01baaef1e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index efafb6bd8..cee7cbc51 100644 31index d98e6f74a..812b7218f 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1556,6 +1556,62 @@ else 34@@ -1558,6 +1558,62 @@ else
35 AC_MSG_RESULT([no]) 35 AC_MSG_RESULT([no])
36 fi 36 fi
37 37
@@ -94,7 +94,7 @@ index efafb6bd8..cee7cbc51 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG" 97@@ -5479,6 +5535,7 @@ echo " PAM support: $PAM_MSG"
98 echo " OSF SIA support: $SIA_MSG" 98 echo " OSF SIA support: $SIA_MSG"
99 echo " KerberosV support: $KRB5_MSG" 99 echo " KerberosV support: $KRB5_MSG"
100 echo " SELinux support: $SELINUX_MSG" 100 echo " SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index c5f8987d2..730520231 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index d92f03aaf..62dc55cf2 100644 131index 02fca5c28..e96d90809 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -124,6 +124,13 @@ 134@@ -124,6 +124,13 @@
@@ -145,7 +145,7 @@ index d92f03aaf..62dc55cf2 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2138,6 +2145,24 @@ main(int ac, char **av) 148@@ -2132,6 +2139,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 13192e380..0ec75419a 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
1From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001 1From 39b8d128ef980a410bb1ea0ee80e95ac9fff59c3 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 8 Apr 2019 10:46:29 +0100 3Date: Mon, 8 Apr 2019 10:46:29 +0100
4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP 4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
24 4 files changed, 8 insertions(+), 12 deletions(-) 24 4 files changed, 8 insertions(+), 12 deletions(-)
25 25
26diff --git a/readconf.c b/readconf.c 26diff --git a/readconf.c b/readconf.c
27index e82024678..1b9494d7c 100644 27index 87b0dc62a..9a646dcaa 100644
28--- a/readconf.c 28--- a/readconf.c
29+++ b/readconf.c 29+++ b/readconf.c
30@@ -2230,9 +2230,9 @@ fill_default_options(Options * options) 30@@ -2254,9 +2254,9 @@ fill_default_options(Options * options)
31 if (options->visual_host_key == -1) 31 if (options->visual_host_key == -1)
32 options->visual_host_key = 0; 32 options->visual_host_key = 0;
33 if (options->ip_qos_interactive == -1) 33 if (options->ip_qos_interactive == -1)
@@ -40,7 +40,7 @@ index e82024678..1b9494d7c 100644
40 options->request_tty = REQUEST_TTY_AUTO; 40 options->request_tty = REQUEST_TTY_AUTO;
41 if (options->proxy_use_fdpass == -1) 41 if (options->proxy_use_fdpass == -1)
42diff --git a/servconf.c b/servconf.c 42diff --git a/servconf.c b/servconf.c
43index 7bbc25c2e..470ad3619 100644 43index cf4e52f3b..c290e9786 100644
44--- a/servconf.c 44--- a/servconf.c
45+++ b/servconf.c 45+++ b/servconf.c
46@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options) 46@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
@@ -56,7 +56,7 @@ index 7bbc25c2e..470ad3619 100644
56 options->version_addendum = xstrdup(""); 56 options->version_addendum = xstrdup("");
57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
58diff --git a/ssh_config.5 b/ssh_config.5 58diff --git a/ssh_config.5 b/ssh_config.5
59index 34dc2d51b..91beb6f50 100644 59index aac3fabb7..2574b1004 100644
60--- a/ssh_config.5 60--- a/ssh_config.5
61+++ b/ssh_config.5 61+++ b/ssh_config.5
62@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally. 62@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
@@ -74,10 +74,10 @@ index 34dc2d51b..91beb6f50 100644
74 .It Cm KbdInteractiveAuthentication 74 .It Cm KbdInteractiveAuthentication
75 Specifies whether to use keyboard-interactive authentication. 75 Specifies whether to use keyboard-interactive authentication.
76diff --git a/sshd_config.5 b/sshd_config.5 76diff --git a/sshd_config.5 b/sshd_config.5
77index e8271be74..d25b2f3d5 100644 77index b38025dbf..88db4db07 100644
78--- a/sshd_config.5 78--- a/sshd_config.5
79+++ b/sshd_config.5 79+++ b/sshd_config.5
80@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally. 80@@ -925,11 +925,9 @@ If one argument is specified, it is used as the packet class unconditionally.
81 If two values are specified, the first is automatically selected for 81 If two values are specified, the first is automatically selected for
82 interactive sessions and the second for non-interactive sessions. 82 interactive sessions and the second for non-interactive sessions.
83 The default is 83 The default is
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 8935b8e04..0166c914a 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001 1From 2520672d1ccfd88744c93bac102f461f9b1e0cf3 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 6901e0c94..9b64aa5f4 100644 20index b4492a062..66b4af8e8 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -201,8 +201,16 @@ do_local_cmd(arglist *a) 23@@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 63e44af55..b0088c104 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001 1From 8641a3f57e67e087b4500beb9916e06c4d0ba94c Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -43,7 +43,7 @@ index becc672b5..5da9fe75f 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index 1c217268c..92a6bcaf4 100644 46index a4a5e0069..05d6c2447 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -81,7 +81,7 @@ index 1c217268c..92a6bcaf4 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 ssh_packet_disconnect(ssh, 82 ssh_packet_disconnect(ssh,
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index ebf76c7f9..947fdfadc 100644 84index 5347e900d..8002aca86 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); 87@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -154,7 +154,7 @@ index ebf76c7f9..947fdfadc 100644
154 return (0); 154 return (0);
155 } 155 }
156 156
157@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) 157@@ -1553,7 +1582,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
159 if (res == 0) 159 if (res == 0)
160 goto error; 160 goto error;
@@ -245,7 +245,7 @@ index 485590c18..370b08e17 100644
245 char *mm_auth2_read_banner(void); 245 char *mm_auth2_read_banner(void);
246 int mm_auth_password(struct ssh *, char *); 246 int mm_auth_password(struct ssh *, char *);
247diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 247diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
248index 622988822..3e6e07670 100644 248index f46094faf..56f1d2c1e 100644
249--- a/openbsd-compat/port-linux.c 249--- a/openbsd-compat/port-linux.c
250+++ b/openbsd-compat/port-linux.c 250+++ b/openbsd-compat/port-linux.c
251@@ -56,7 +56,7 @@ ssh_selinux_enabled(void) 251@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
@@ -363,7 +363,7 @@ index ea4f9c584..60d72ffe7 100644
363 char *platform_krb5_get_principal_name(const char *); 363 char *platform_krb5_get_principal_name(const char *);
364 int platform_sys_dir_uid(uid_t); 364 int platform_sys_dir_uid(uid_t);
365diff --git a/session.c b/session.c 365diff --git a/session.c b/session.c
366index 06a33442a..871799590 100644 366index f9c2c866e..837a8bacf 100644
367--- a/session.c 367--- a/session.c
368+++ b/session.c 368+++ b/session.c
369@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid) 369@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
426 426
427diff --git a/sshd.c b/sshd.c 427diff --git a/sshd.c b/sshd.c
428index 62dc55cf2..65916fc6d 100644 428index e96d90809..e8b332ca4 100644
429--- a/sshd.c 429--- a/sshd.c
430+++ b/sshd.c 430+++ b/sshd.c
431@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) 431@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
432 reseed_prngs(); 432 reseed_prngs();
433 433
434 /* Drop privileges */ 434 /* Drop privileges */
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 43fb1d145..4752e2a71 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001 1From b78e6371a98460f5d12683406674e117d64b35f2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 4711af782..4a5d4a003 100644 19index af08be415..bfbf80e92 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, 22@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
@@ -28,7 +28,7 @@ index 4711af782..4a5d4a003 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args) 31@@ -1389,7 +1389,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 ssh_signal(SIGPIPE, SIG_DFL); 33 ssh_signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index e7849e6c3..ed23334d9 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001 1From 303cbd5533df863d518bc61d837ce56a93166b11 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 8f796719d..52e5bf70b 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001 1From 81723f749647928d918de21057d9dbfbebaa8e53 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 17b0e984f..b33a8049f 100644 21index 566fdba6b..5a31b5dde 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1610,6 +1610,7 @@ if an error occurred. 24@@ -1613,6 +1613,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 99116e9c4..cc2656bda 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001 1From 6ed578a01fd61f9c930ef46cfefc467203ddd6c0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index da8022dd0..0fc996871 100644 20index fb585e248..2ccc48572 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -191,6 +191,7 @@ static struct { 23@@ -191,6 +191,7 @@ static struct {
@@ -29,7 +29,7 @@ index da8022dd0..0fc996871 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index 191575a16..bf3cd84a4 100644 32index f38ba9e44..ff5b9436c 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -656,6 +656,7 @@ static struct { 35@@ -656,6 +656,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 234d95ad2..273f8069f 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001 1From f2c3eb379d31f24de20dc9a2e0089ed84f52055b Mon Sep 17 00:00:00 2001
2From: Natalie Amery <nmamery@chiark.greenend.org.uk> 2From: Natalie Amery <nmamery@chiark.greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 110cf9c19..6138fd4d3 100644 36index 4a81ef810..7879d4f4d 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1305,7 +1305,7 @@ main(int ac, char **av) 39@@ -1339,7 +1339,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index fdcfca30d..a85ed6732 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001 1From fe8c9983321154a61f4f06be602f925f1fd24ee7 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index cee7cbc51..5db3013de 100644 17index 812b7218f..7e0584d2c 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4730,6 +4730,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index cee7cbc51..5db3013de 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5542,6 +5565,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index cee7cbc51..5db3013de 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index da876a900..c069505a0 100644 59index baee13506..d2d1877d4 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index da876a900..c069505a0 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -2027,6 +2031,11 @@ main(int ac, char **av) 73@@ -2026,6 +2030,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 8bd35addf..19c1809d9 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001 1From cb72edd9757c469f3b5dc9cde374715ae8b54509 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -27,7 +27,7 @@ Patch-Name: user-group-modes.patch
27 7 files changed, 63 insertions(+), 13 deletions(-) 27 7 files changed, 63 insertions(+), 13 deletions(-)
28 28
29diff --git a/auth-rhosts.c b/auth-rhosts.c 29diff --git a/auth-rhosts.c b/auth-rhosts.c
30index 7a10210b6..587f53721 100644 30index e81321b49..3bcc73766 100644
31--- a/auth-rhosts.c 31--- a/auth-rhosts.c
32+++ b/auth-rhosts.c 32+++ b/auth-rhosts.c
33@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 33@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
@@ -65,7 +65,7 @@ index 687c57b42..aed3c13ac 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 3a31d5c18..073d3be19 100644 68index 554ceb0b1..75fe4dfea 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -61,8 +61,9 @@ 71@@ -61,8 +61,9 @@
@@ -169,10 +169,10 @@ index 4a05db2da..5db594b91 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 2399208f8..7f251dd4a 100644 172index 431243193..5bf0afbb4 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1926,8 +1926,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 2399208f8..7f251dd4a 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index db5c65bc7..cf991e4ee 100644 186index 7a3ba31ab..a80be8efe 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1506,6 +1506,8 @@ The file format and configuration options are described in 189@@ -1509,6 +1509,8 @@ The file format and configuration options are described in
190 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
191 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
192 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index db5c65bc7..cf991e4ee 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index 3079db19b..e61a0fd43 100644 199index 85ab7447f..d814147d4 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1952,6 +1952,8 @@ The format of this file is described above. 202@@ -1957,6 +1957,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not writable by others. 205 read/write for the user, and not writable by others.