summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/NEWS13
-rw-r--r--debian/changelog80
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/conch-old-privkey-format.patch18
-rw-r--r--debian/patches/debian-banner.patch30
-rw-r--r--debian/patches/debian-config.patch14
-rw-r--r--debian/patches/dnssec-sshfp.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/fix-interop-tests.patch71
-rw-r--r--debian/patches/fix-utimensat-test.patch58
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch138
-rw-r--r--debian/patches/keepalive-extensions.patch18
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch12
-rw-r--r--debian/patches/revert-ipqos-defaults.patch16
-rw-r--r--debian/patches/scp-quoting.patch4
-rw-r--r--debian/patches/seccomp-handle-shm.patch38
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch8
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch33
-rw-r--r--debian/patches/selinux-role.patch38
-rw-r--r--debian/patches/series4
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch6
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch36
-rwxr-xr-xdebian/rules6
35 files changed, 319 insertions, 434 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6b01a8e76..27dfe06fe 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2ceefaa8ee80b63c0890d24c42369dc51880f53ea 2efef12825b9582c1710da3b7e50135870963d4f4
3ceefaa8ee80b63c0890d24c42369dc51880f53ea 3efef12825b9582c1710da3b7e50135870963d4f4
4102062f825fb26a74295a1c089c00c4c4c76b68a 44213eec74e74de6310c27a40c3e9759a08a73996
5102062f825fb26a74295a1c089c00c4c4c76b68a 54213eec74e74de6310c27a40c3e9759a08a73996
6openssh_8.0p1.orig.tar.gz 6openssh_8.1p1.orig.tar.gz
7756dbb99193f9541c9206a667eaa27b0fa184a4f 7c44b96094869f177735ae053d92bd5fcab1319de
81597697 81625894
9debianTag="debian/%e%%%V" 9debianTag="debian/%e%%%V"
10patchedTag="patched/%e%%%V" 10patchedTag="patched/%e%%%V"
11upstreamTag="upstream/%U" 11upstreamTag="upstream/%U"
12signature:a287987d9d505aaa8a89e693920f14b9b9e27a5f:683:openssh_8.0p1.orig.tar.gz.asc 12signature:8b241dee85731fb19e57622f160a4326da52a7a7:683:openssh_8.1p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 9c9bd7e78..17ec2c1be 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
1openssh (1:8.1p1-1) UNRELEASED; urgency=medium
2
3 OpenSSH 8.1 includes a number of changes that may affect existing
4 configurations:
5
6 * ssh-keygen(1): when acting as a CA and signing certificates with an RSA
7 key, default to using the rsa-sha2-512 signature algorithm.
8 Certificates signed by RSA keys will therefore be incompatible with
9 OpenSSH versions prior to 7.2 unless the default is overridden (using
10 "ssh-keygen -t ssh-rsa -s ...").
11
12 -- Colin Watson <cjwatson@debian.org> Wed, 09 Oct 2019 23:18:42 +0100
13
1openssh (1:8.0p1-1) experimental; urgency=medium 14openssh (1:8.0p1-1) experimental; urgency=medium
2 15
3 OpenSSH 8.0 includes a number of changes that may affect existing 16 OpenSSH 8.0 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 58b1f45e2..9f799969b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,83 @@
1openssh (1:8.1p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-8.1):
4 - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
5 in RAM against speculation and memory side-channel attacks like
6 Spectre, Meltdown and Rambleed. This release encrypts private keys
7 when they are not in use with a symmetric key that is derived from a
8 relatively large "prekey" consisting of random data (currently 16KB).
9 - ssh(1): Allow %n to be expanded in ProxyCommand strings.
10 - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
11 set by starting the list with the '^' character, e.g.
12 "HostKeyAlgorithms ^ssh-ed25519".
13 - ssh-keygen(1): Add an experimental lightweight signature and
14 verification ability. Signatures may be made using regular ssh keys
15 held on disk or stored in a ssh-agent and verified against an
16 authorized_keys-like list of allowed keys. Signatures embed a
17 namespace that prevents confusion and attacks between different usage
18 domains (e.g. files vs email).
19 - ssh-keygen(1): Print key comment when extracting public key from a
20 private key.
21 - ssh-keygen(1): Accept the verbose flag when searching for host keys in
22 known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
23 random-art signature too.
24 - All: Support PKCS8 as an optional format for storage of private keys
25 to disk. The OpenSSH native key format remains the default, but PKCS8
26 is a superior format to PEM if interoperability with non-OpenSSH
27 software is required, as it may use a less insecure key derivation
28 function than PEM's.
29 - ssh(1): If a PKCS#11 token returns no keys then try to login and
30 refetch them.
31 - ssh(1): Produce a useful error message if the user's shell is set
32 incorrectly during "match exec" processing.
33 - sftp(1): Allow the maximum uint32 value for the argument passed to -b
34 which allows better error messages from later validation.
35 - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
36 proposal; allows ssh-keyscan to harvest keys from servers that disable
37 old SHA1 ssh-rsa.
38 - sftp(1): Print explicit "not modified" message if a file was requested
39 for resumed download but was considered already complete.
40 - sftp(1): Fix a typo and make <esc><right> move right to the closest
41 end of a word just like <esc><left> moves left to the closest
42 beginning of a word.
43 - sshd(8): Cap the number of permitopen/permitlisten directives allowed
44 to appear on a single authorized_keys line.
45 - All: Fix a number of memory leaks (one-off or on exit paths).
46 - ssh(1), sshd(8): Check for convtime() refusing to accept times that
47 resolve to LONG_MAX.
48 - ssh(1): Slightly more instructive error message when the user
49 specifies multiple -J options on the command-line (closes: #929669).
50 - ssh-agent(1): Process agent requests for RSA certificate private keys
51 using correct signature algorithm when requested.
52 - sftp(1): Check for user@host when parsing sftp target. This allows
53 user@[1.2.3.4] to work without a path.
54 - sshd(8): Enlarge format buffer size for certificate serial number so
55 the log message can record any 64-bit integer without truncation.
56 - sshd(8): For PermitOpen violations add the remote host and port to be
57 able to more easily ascertain the source of the request. Add the same
58 logging for PermitListen violations which were not previously logged
59 at all.
60 - scp(1), sftp(1): Use the correct POSIX format style for left
61 justification for the transfer progress meter.
62 - sshd(8): When examining a configuration using sshd -T, assume any
63 attribute not provided by -C does not match, which allows it to work
64 when sshd_config contains a Match directive with or without -C.
65 - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
66 warning from log level error to debug. This is common when attempting
67 to enumerate keys on smartcard readers with no cards plugged in.
68 - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
69 tokens. Avoids spurious PIN prompts for keys not selected for
70 authentication in ssh(1) and when listing public keys available in a
71 token using ssh-keygen(1).
72 - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
73 - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
74 PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened
75 heap allocators.
76 - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
77 ioctl for ECC hardware support.
78
79 -- Colin Watson <cjwatson@debian.org> Wed, 09 Oct 2019 23:18:42 +0100
80
1openssh (1:8.0p1-7) unstable; urgency=medium 81openssh (1:8.0p1-7) unstable; urgency=medium
2 82
3 [ Daniel Kahn Gillmor ] 83 [ Daniel Kahn Gillmor ]
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index d70269813..01f1bf35c 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From df7d113a48bd33e42754ee5e83d3cda84cc219f9 Mon Sep 17 00:00:00 2001 1From 7febe5a4b6bcb94d887ac1fe22e8a1742ffb609f Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index c31821acc..0960a6a03 100644 16index ab29e4f05..9b8a42c1e 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -357,6 +357,7 @@ install-files: 19@@ -362,6 +362,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index 3eaac8054..25c16526b 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
1From a20835ce2f9899305421bc478ba29d6524e89433 Mon Sep 17 00:00:00 2001 1From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Thu, 30 Aug 2018 00:58:56 +0100 3Date: Thu, 30 Aug 2018 00:58:56 +0100
4Subject: Work around conch interoperability failure 4Subject: Work around conch interoperability failure
@@ -8,7 +8,7 @@ Twisted Conch fails to read private keys in the new format
8can be fixed in Twisted. 8can be fixed in Twisted.
9 9
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2019-06-14 11Last-Update: 2019-10-09
12 12
13Patch-Name: conch-old-privkey-format.patch 13Patch-Name: conch-old-privkey-format.patch
14--- 14---
@@ -18,20 +18,20 @@ Patch-Name: conch-old-privkey-format.patch
18 3 files changed, 14 insertions(+), 2 deletions(-) 18 3 files changed, 14 insertions(+), 2 deletions(-)
19 19
20diff --git a/regress/Makefile b/regress/Makefile 20diff --git a/regress/Makefile b/regress/Makefile
21index 781400fd0..491a3a46a 100644 21index 34c47e8cb..17e0a06e8 100644
22--- a/regress/Makefile 22--- a/regress/Makefile
23+++ b/regress/Makefile 23+++ b/regress/Makefile
24@@ -114,7 +114,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ 24@@ -119,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ 25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ 26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
27 sftp-server.sh sftp.log ssh-log-wrapper.sh \ 27 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
28- ssh-rsa_oldfmt \ 28- ssh-rsa_oldfmt \
29+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ 29+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
30 ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ 30 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
31 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ 31 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
32 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ 32 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
33diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh 33diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
34index 51e3b705f..fa24552b0 100644 34index 6678813a2..6ff5da20b 100644
35--- a/regress/conch-ciphers.sh 35--- a/regress/conch-ciphers.sh
36+++ b/regress/conch-ciphers.sh 36+++ b/regress/conch-ciphers.sh
37@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ 37@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
@@ -44,10 +44,10 @@ index 51e3b705f..fa24552b0 100644
44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} 44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
45 if [ $? -ne 0 ]; then 45 if [ $? -ne 0 ]; then
46diff --git a/regress/test-exec.sh b/regress/test-exec.sh 46diff --git a/regress/test-exec.sh b/regress/test-exec.sh
47index efde6a173..83c7d02e6 100644 47index 508b93284..5e48bfbe3 100644
48--- a/regress/test-exec.sh 48--- a/regress/test-exec.sh
49+++ b/regress/test-exec.sh 49+++ b/regress/test-exec.sh
50@@ -500,6 +500,18 @@ REGRESS_INTEROP_CONCH=no 50@@ -510,6 +510,18 @@ REGRESS_INTEROP_CONCH=no
51 if test -x "$CONCH" ; then 51 if test -x "$CONCH" ; then
52 REGRESS_INTEROP_CONCH=yes 52 REGRESS_INTEROP_CONCH=yes
53 fi 53 fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index d28573ed4..acf995e27 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 0a938d856d024bfff79fac63e65df382ffa444a4 Mon Sep 17 00:00:00 2001 1From 4eb06adf69f21f387e4f2d29dad01b2ca1303094 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch
22 7 files changed, 23 insertions(+), 5 deletions(-) 22 7 files changed, 23 insertions(+), 5 deletions(-)
23 23
24diff --git a/kex.c b/kex.c 24diff --git a/kex.c b/kex.c
25index be354206d..bbb7a2340 100644 25index 65ed6af02..f450bc2c7 100644
26--- a/kex.c 26--- a/kex.c
27+++ b/kex.c 27+++ b/kex.c
28@@ -1168,7 +1168,7 @@ send_error(struct ssh *ssh, char *msg) 28@@ -1221,7 +1221,7 @@ send_error(struct ssh *ssh, char *msg)
29 */ 29 */
30 int 30 int
31 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 31 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index be354206d..bbb7a2340 100644
34 { 34 {
35 int remote_major, remote_minor, mismatch; 35 int remote_major, remote_minor, mismatch;
36 size_t len, i, n; 36 size_t len, i, n;
37@@ -1186,7 +1186,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 37@@ -1239,7 +1239,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
38 if (version_addendum != NULL && *version_addendum == '\0') 38 if (version_addendum != NULL && *version_addendum == '\0')
39 version_addendum = NULL; 39 version_addendum = NULL;
40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -45,10 +45,10 @@ index be354206d..bbb7a2340 100644
45 version_addendum == NULL ? "" : version_addendum)) != 0) { 45 version_addendum == NULL ? "" : version_addendum)) != 0) {
46 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 46 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
47diff --git a/kex.h b/kex.h 47diff --git a/kex.h b/kex.h
48index 2d5f1d4ed..39f67bbc1 100644 48index fe7141414..938dca03b 100644
49--- a/kex.h 49--- a/kex.h
50+++ b/kex.h 50+++ b/kex.h
51@@ -195,7 +195,7 @@ char *kex_names_cat(const char *, const char *); 51@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
52 int kex_assemble_names(char **, const char *, const char *); 52 int kex_assemble_names(char **, const char *, const char *);
53 int kex_gss_names_valid(const char *); 53 int kex_gss_names_valid(const char *);
54 54
@@ -58,7 +58,7 @@ index 2d5f1d4ed..39f67bbc1 100644
58 struct kex *kex_new(void); 58 struct kex *kex_new(void);
59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); 59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
60diff --git a/servconf.c b/servconf.c 60diff --git a/servconf.c b/servconf.c
61index c01e0690e..8d2bced52 100644 61index 73b93c636..5576098a5 100644
62--- a/servconf.c 62--- a/servconf.c
63+++ b/servconf.c 63+++ b/servconf.c
64@@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options) 64@@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options)
@@ -94,7 +94,7 @@ index c01e0690e..8d2bced52 100644
94 { NULL, sBadOption, 0 } 94 { NULL, sBadOption, 0 }
95 }; 95 };
96 96
97@@ -2211,6 +2216,10 @@ process_server_config_line(ServerOptions *options, char *line, 97@@ -2217,6 +2222,10 @@ process_server_config_line(ServerOptions *options, char *line,
98 *charptr = xstrdup(arg); 98 *charptr = xstrdup(arg);
99 break; 99 break;
100 100
@@ -106,7 +106,7 @@ index c01e0690e..8d2bced52 100644
106 case sIgnore: 106 case sIgnore:
107 case sUnsupported: 107 case sUnsupported:
108diff --git a/servconf.h b/servconf.h 108diff --git a/servconf.h b/servconf.h
109index a476d5220..986093ffa 100644 109index 29329ba1f..d5ad19065 100644
110--- a/servconf.h 110--- a/servconf.h
111+++ b/servconf.h 111+++ b/servconf.h
112@@ -214,6 +214,8 @@ typedef struct { 112@@ -214,6 +214,8 @@ typedef struct {
@@ -119,10 +119,10 @@ index a476d5220..986093ffa 100644
119 119
120 /* Information about the incoming connection as used by Match */ 120 /* Information about the incoming connection as used by Match */
121diff --git a/sshconnect.c b/sshconnect.c 121diff --git a/sshconnect.c b/sshconnect.c
122index 0b6f6af4b..1183ffe0e 100644 122index 41e75a275..27daef74f 100644
123--- a/sshconnect.c 123--- a/sshconnect.c
124+++ b/sshconnect.c 124+++ b/sshconnect.c
125@@ -1287,7 +1287,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, 125@@ -1291,7 +1291,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
126 lowercase(host); 126 lowercase(host);
127 127
128 /* Exchange protocol version identification strings with the server. */ 128 /* Exchange protocol version identification strings with the server. */
@@ -132,10 +132,10 @@ index 0b6f6af4b..1183ffe0e 100644
132 132
133 /* Put the connection into non-blocking mode. */ 133 /* Put the connection into non-blocking mode. */
134diff --git a/sshd.c b/sshd.c 134diff --git a/sshd.c b/sshd.c
135index e3e96426e..1e7ece588 100644 135index ea8beacb4..4e8ff0662 100644
136--- a/sshd.c 136--- a/sshd.c
137+++ b/sshd.c 137+++ b/sshd.c
138@@ -2160,7 +2160,8 @@ main(int ac, char **av) 138@@ -2165,7 +2165,8 @@ main(int ac, char **av)
139 if (!debug_flag) 139 if (!debug_flag)
140 alarm(options.login_grace_time); 140 alarm(options.login_grace_time);
141 141
@@ -146,10 +146,10 @@ index e3e96426e..1e7ece588 100644
146 146
147 ssh_packet_set_nonblocking(ssh); 147 ssh_packet_set_nonblocking(ssh);
148diff --git a/sshd_config.5 b/sshd_config.5 148diff --git a/sshd_config.5 b/sshd_config.5
149index 2ef671d1b..addea54a0 100644 149index eec224158..46537f177 100644
150--- a/sshd_config.5 150--- a/sshd_config.5
151+++ b/sshd_config.5 151+++ b/sshd_config.5
152@@ -543,6 +543,11 @@ or 152@@ -545,6 +545,11 @@ or
153 .Cm no . 153 .Cm no .
154 The default is 154 The default is
155 .Cm yes . 155 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 2a28586b0..fe1e3f550 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From d9eede9b2c86ddaccb35477f2904bfbdf223ffd4 Mon Sep 17 00:00:00 2001 1From 7abde40896668ce9debfe056c7dabc6a70ef7da4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index cd60007f8..f35bde6e6 100644 42index 16d2729dd..253574ce0 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -2028,7 +2028,7 @@ fill_default_options(Options * options) 45@@ -2037,7 +2037,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,7 +52,7 @@ index cd60007f8..f35bde6e6 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index 8d2b08a29..4e298cb56 100644 55index 24530e511..fd495da2c 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -795,6 +795,16 @@ directive in 58@@ -795,6 +795,16 @@ directive in
@@ -114,7 +114,7 @@ index 1ff999b68..6dd6ecf87 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index 39535c4f8..a27631ae9 100644 117index 4b42aab9d..d27655e15 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 39535c4f8..a27631ae9 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -717,11 +733,12 @@ elapsed. 143@@ -721,11 +737,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -204,7 +204,7 @@ index 2c48105f8..ed8272f6d 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index f995e4ab0..c0c4ebd66 100644 207index 270805060..02e29cb6f 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index e3e362ee3..6e8f0ae2f 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 6397deaa7d0951552afa7dbd6898d6172850378a Mon Sep 17 00:00:00 2001 1From 6220be7f65137290fbe3ad71b83667e71e4ccd03 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index ff1a2c41c..82ec97199 100644 21index e4f9bf830..9c9fe6413 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
25 { 25 {
26 u_int counter; 26 u_int counter;
27 int result; 27 int result;
@@ -29,7 +29,7 @@ index ff1a2c41c..82ec97199 100644
29 struct rrsetinfo *fingerprints = NULL; 29 struct rrsetinfo *fingerprints = NULL;
30 30
31 u_int8_t hostkey_algorithm; 31 u_int8_t hostkey_algorithm;
32@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 32@@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
33 return -1; 33 return -1;
34 } 34 }
35 35
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 162776395..d5ddbbd26 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 63f45f055fe3b0b1edd31a94b7627ee4e40647e8 Mon Sep 17 00:00:00 2001 1From 944653642de12f09baa546011429fb69ffc0065a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index bd1e9311d..39535c4f8 100644 16index 2c74b57c0..4b42aab9d 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -836,6 +836,9 @@ Note that existing names and addresses in known hosts files 19@@ -840,6 +840,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/fix-interop-tests.patch b/debian/patches/fix-interop-tests.patch
deleted file mode 100644
index e00842290..000000000
--- a/debian/patches/fix-interop-tests.patch
+++ /dev/null
@@ -1,71 +0,0 @@
1From 42519a0f32765726ccd18a14aa6e877413a69662 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Fri, 14 Jun 2019 11:57:15 +0100
4Subject: Fix interop tests for recent regress changes
5
6A recent regress change (2a9b3a2ce411d16cda9c79ab713c55f65b0ec257 in
7portable) broke the PuTTY and Twisted Conch interop tests, because the
8key they want to use is now called ssh-rsa rather than rsa. Fix them.
9
10Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3020
11Last-Update: 2019-06-14
12
13Patch-Name: fix-interop-tests.patch
14---
15 regress/Makefile | 5 +++--
16 regress/conch-ciphers.sh | 2 +-
17 regress/test-exec.sh | 10 +++++-----
18 3 files changed, 9 insertions(+), 8 deletions(-)
19
20diff --git a/regress/Makefile b/regress/Makefile
21index 925edf71a..781400fd0 100644
22--- a/regress/Makefile
23+++ b/regress/Makefile
24@@ -113,8 +113,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
25 rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
26 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
27 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
28- sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
29- ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
30+ sftp-server.sh sftp.log ssh-log-wrapper.sh \
31+ ssh-rsa_oldfmt \
32+ ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
33 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
34 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
35 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
36diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
37index 199d863a0..51e3b705f 100644
38--- a/regress/conch-ciphers.sh
39+++ b/regress/conch-ciphers.sh
40@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
41 rm -f ${COPY}
42 # XXX the 2nd "cat" seems to be needed because of buggy FD handling
43 # in conch
44- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
45+ ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
46 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
47 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
48 if [ $? -ne 0 ]; then
49diff --git a/regress/test-exec.sh b/regress/test-exec.sh
50index b8e2009de..efde6a173 100644
51--- a/regress/test-exec.sh
52+++ b/regress/test-exec.sh
53@@ -527,13 +527,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
54 >> $OBJ/authorized_keys_$USER
55
56 # Convert rsa2 host key to PuTTY format
57- cp $OBJ/rsa $OBJ/rsa_oldfmt
58- ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
59- ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
60+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
61+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
62+ ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
63 ${OBJ}/.putty/sshhostkeys
64- ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
65+ ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
66 ${OBJ}/.putty/sshhostkeys
67- rm -f $OBJ/rsa_oldfmt
68+ rm -f $OBJ/ssh-rsa_oldfmt
69
70 # Setup proxied session
71 mkdir -p ${OBJ}/.putty/sessions
diff --git a/debian/patches/fix-utimensat-test.patch b/debian/patches/fix-utimensat-test.patch
deleted file mode 100644
index 56b6fcdbf..000000000
--- a/debian/patches/fix-utimensat-test.patch
+++ /dev/null
@@ -1,58 +0,0 @@
1From 61d2706623ed144ee9cbd212d13eeba202a7ce26 Mon Sep 17 00:00:00 2001
2From: Darren Tucker <dtucker@dtucker.net>
3Date: Fri, 7 Jun 2019 23:47:37 +1000
4Subject: Update utimensat test.
5
6POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW should
7update the symlink and not the destination. The compat code doesn't
8have a way to do this, so where possible it fails instead of following a
9symlink when explicitly asked not to. Instead of checking for an explicit
10failure, check that it does not update the destination, which both the
11real and compat implementations should honour.
12
13Inspired by github pull req #125 from chutzpah at gentoo.org.
14
15Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=182898192d4b720e4faeafd5b39c2cfb3b92aa21
16Last-Update: 2019-06-09
17
18Patch-Name: fix-utimensat-test.patch
19---
20 openbsd-compat/regress/utimensattest.c | 20 +++++++++++++++++---
21 1 file changed, 17 insertions(+), 3 deletions(-)
22
23diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
24index a7bc7634b..b29cef2f1 100644
25--- a/openbsd-compat/regress/utimensattest.c
26+++ b/openbsd-compat/regress/utimensattest.c
27@@ -83,14 +83,28 @@ main(void)
28 fail("mtim.tv_nsec", 45678000, sb.st_mtim.tv_nsec);
29 #endif
30
31+ /*
32+ * POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW
33+ * should update the symlink and not the destination. The compat
34+ * code doesn't have a way to do this, so where possible it fails
35+ * with ENOSYS instead of following a symlink when explicitly asked
36+ * not to. Here we just test that it does not update the destination.
37+ */
38 if (rename(TMPFILE, TMPFILE2) == -1)
39 fail("rename", 0, 0);
40 if (symlink(TMPFILE2, TMPFILE) == -1)
41 fail("symlink", 0, 0);
42+ ts[0].tv_sec = 11223344;
43+ ts[1].tv_sec = 55667788;
44+ (void)utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);
45+ if (stat(TMPFILE2, &sb) == -1)
46+ fail("stat", 0, 0 );
47+ if (sb.st_atime == 11223344)
48+ fail("utimensat symlink st_atime", 0, 0 );
49+ if (sb.st_mtime == 55667788)
50+ fail("utimensat symlink st_mtime", 0, 0 );
51
52- if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
53- fail("utimensat followed symlink", 0, 0);
54-
55+ /* Clean up */
56 if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
57 fail("unlink", 0, 0);
58 exit(0);
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 405b1b884..89c2a9864 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 734ffc23e368f9b0df085b4f191d66e21ed52d12 Mon Sep 17 00:00:00 2001 1From 4360244ab2ed367bdb2c836292e761c589355950 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 45d131d27..b858f4915 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 7ce79be85036c4b36937f1b1ba85f6094068412c Mon Sep 17 00:00:00 2001 1From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -18,7 +18,7 @@ security history.
18 18
19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master 19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
21Last-Updated: 2019-06-05 21Last-Updated: 2019-10-09
22 22
23Patch-Name: gssapi.patch 23Patch-Name: gssapi.patch
24--- 24---
@@ -67,7 +67,7 @@ Patch-Name: gssapi.patch
67 create mode 100644 kexgsss.c 67 create mode 100644 kexgsss.c
68 68
69diff --git a/Makefile.in b/Makefile.in 69diff --git a/Makefile.in b/Makefile.in
70index 6f001bb36..c31821acc 100644 70index adb1977e2..ab29e4f05 100644
71--- a/Makefile.in 71--- a/Makefile.in
72+++ b/Makefile.in 72+++ b/Makefile.in
73@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 73@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -85,7 +85,7 @@ index 6f001bb36..c31821acc 100644
85- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 85- auth2-gss.o gss-serv.o gss-serv-krb5.o \
86+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 86+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
87 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 87 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
88 sftp-server.o sftp-common.o \ 88 sftp-server.o sftp-common.o sftp-realpath.o \
89 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 89 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
90diff --git a/auth-krb5.c b/auth-krb5.c 90diff --git a/auth-krb5.c b/auth-krb5.c
91index 3096f1c8e..204752e1b 100644 91index 3096f1c8e..204752e1b 100644
@@ -139,7 +139,7 @@ index 3096f1c8e..204752e1b 100644
139 return (krb5_cc_resolve(ctx, ccname, ccache)); 139 return (krb5_cc_resolve(ctx, ccname, ccache));
140 } 140 }
141diff --git a/auth.c b/auth.c 141diff --git a/auth.c b/auth.c
142index 8696f258e..f7a23afba 100644 142index ca450f4e4..47c27773c 100644
143--- a/auth.c 143--- a/auth.c
144+++ b/auth.c 144+++ b/auth.c
145@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 145@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -179,7 +179,7 @@ index 8696f258e..f7a23afba 100644
179- fromlen = sizeof(from); 179- fromlen = sizeof(from);
180- memset(&from, 0, sizeof(from)); 180- memset(&from, 0, sizeof(from));
181- if (getpeername(ssh_packet_get_connection_in(ssh), 181- if (getpeername(ssh_packet_get_connection_in(ssh),
182- (struct sockaddr *)&from, &fromlen) < 0) { 182- (struct sockaddr *)&from, &fromlen) == -1) {
183- debug("getpeername failed: %.100s", strerror(errno)); 183- debug("getpeername failed: %.100s", strerror(errno));
184- return strdup(ntop); 184- return strdup(ntop);
185- } 185- }
@@ -348,10 +348,10 @@ index 9351e0428..d6446c0cf 100644
348 "gssapi-with-mic", 348 "gssapi-with-mic",
349 userauth_gssapi, 349 userauth_gssapi,
350diff --git a/auth2.c b/auth2.c 350diff --git a/auth2.c b/auth2.c
351index 16ae1a363..7417eafa4 100644 351index 0e7762242..1c217268c 100644
352--- a/auth2.c 352--- a/auth2.c
353+++ b/auth2.c 353+++ b/auth2.c
354@@ -75,6 +75,7 @@ extern Authmethod method_passwd; 354@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
355 extern Authmethod method_kbdint; 355 extern Authmethod method_kbdint;
356 extern Authmethod method_hostbased; 356 extern Authmethod method_hostbased;
357 #ifdef GSSAPI 357 #ifdef GSSAPI
@@ -359,7 +359,7 @@ index 16ae1a363..7417eafa4 100644
359 extern Authmethod method_gssapi; 359 extern Authmethod method_gssapi;
360 #endif 360 #endif
361 361
362@@ -82,6 +83,7 @@ Authmethod *authmethods[] = { 362@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
363 &method_none, 363 &method_none,
364 &method_pubkey, 364 &method_pubkey,
365 #ifdef GSSAPI 365 #ifdef GSSAPI
@@ -368,7 +368,7 @@ index 16ae1a363..7417eafa4 100644
368 #endif 368 #endif
369 &method_passwd, 369 &method_passwd,
370diff --git a/canohost.c b/canohost.c 370diff --git a/canohost.c b/canohost.c
371index f71a08568..404731d24 100644 371index abea9c6e6..9a00fc2cf 100644
372--- a/canohost.c 372--- a/canohost.c
373+++ b/canohost.c 373+++ b/canohost.c
374@@ -35,6 +35,99 @@ 374@@ -35,6 +35,99 @@
@@ -398,7 +398,7 @@ index f71a08568..404731d24 100644
398+ fromlen = sizeof(from); 398+ fromlen = sizeof(from);
399+ memset(&from, 0, sizeof(from)); 399+ memset(&from, 0, sizeof(from));
400+ if (getpeername(ssh_packet_get_connection_in(ssh), 400+ if (getpeername(ssh_packet_get_connection_in(ssh),
401+ (struct sockaddr *)&from, &fromlen) < 0) { 401+ (struct sockaddr *)&from, &fromlen) == -1) {
402+ debug("getpeername failed: %.100s", strerror(errno)); 402+ debug("getpeername failed: %.100s", strerror(errno));
403+ return strdup(ntop); 403+ return strdup(ntop);
404+ } 404+ }
@@ -486,7 +486,7 @@ index 26d62855a..0cadc9f18 100644
486 int get_peer_port(int); 486 int get_peer_port(int);
487 char *get_local_ipaddr(int); 487 char *get_local_ipaddr(int);
488diff --git a/clientloop.c b/clientloop.c 488diff --git a/clientloop.c b/clientloop.c
489index 086c0dfe8..9b90c64f3 100644 489index b5a1f7038..9def2a1a9 100644
490--- a/clientloop.c 490--- a/clientloop.c
491+++ b/clientloop.c 491+++ b/clientloop.c
492@@ -112,6 +112,10 @@ 492@@ -112,6 +112,10 @@
@@ -500,7 +500,7 @@ index 086c0dfe8..9b90c64f3 100644
500 /* import options */ 500 /* import options */
501 extern Options options; 501 extern Options options;
502 502
503@@ -1374,9 +1378,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 503@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
504 break; 504 break;
505 505
506 /* Do channel operations unless rekeying in progress. */ 506 /* Do channel operations unless rekeying in progress. */
@@ -521,10 +521,10 @@ index 086c0dfe8..9b90c64f3 100644
521 client_process_net_input(ssh, readset); 521 client_process_net_input(ssh, readset);
522 522
523diff --git a/configure.ac b/configure.ac 523diff --git a/configure.ac b/configure.ac
524index 30be6c182..2869f7042 100644 524index 3e93c0276..1c2512314 100644
525--- a/configure.ac 525--- a/configure.ac
526+++ b/configure.ac 526+++ b/configure.ac
527@@ -665,6 +665,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 527@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
528 [Use tunnel device compatibility to OpenBSD]) 528 [Use tunnel device compatibility to OpenBSD])
529 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 529 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
530 [Prepend the address family to IP tunnel traffic]) 530 [Prepend the address family to IP tunnel traffic])
@@ -1339,19 +1339,19 @@ index ab3a15f0f..1d47870e7 100644
1339 1339
1340 /* Privileged */ 1340 /* Privileged */
1341diff --git a/hmac.c b/hmac.c 1341diff --git a/hmac.c b/hmac.c
1342index 1c879640c..a29f32c5c 100644 1342index 32688876d..a79e8569c 100644
1343--- a/hmac.c 1343--- a/hmac.c
1344+++ b/hmac.c 1344+++ b/hmac.c
1345@@ -19,6 +19,7 @@ 1345@@ -21,6 +21,7 @@
1346 1346
1347 #include <sys/types.h> 1347 #include <stdlib.h>
1348 #include <string.h> 1348 #include <string.h>
1349+#include <stdlib.h> 1349+#include <stdlib.h>
1350 1350
1351 #include "sshbuf.h" 1351 #include "sshbuf.h"
1352 #include "digest.h" 1352 #include "digest.h"
1353diff --git a/kex.c b/kex.c 1353diff --git a/kex.c b/kex.c
1354index 34808b5c3..a2a4794e8 100644 1354index 49d701568..e09355dbd 100644
1355--- a/kex.c 1355--- a/kex.c
1356+++ b/kex.c 1356+++ b/kex.c
1357@@ -55,11 +55,16 @@ 1357@@ -55,11 +55,16 @@
@@ -1373,7 +1373,7 @@ index 34808b5c3..a2a4794e8 100644
1373 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 1373 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
1374@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { 1374@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
1375 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1375 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1376 { NULL, -1, -1, -1}, 1376 { NULL, 0, -1, -1},
1377 }; 1377 };
1378+static const struct kexalg gss_kexalgs[] = { 1378+static const struct kexalg gss_kexalgs[] = {
1379+#ifdef GSSAPI 1379+#ifdef GSSAPI
@@ -1386,7 +1386,7 @@ index 34808b5c3..a2a4794e8 100644
1386+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 1386+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
1387+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 1387+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
1388+#endif 1388+#endif
1389+ { NULL, -1, -1, -1 }, 1389+ { NULL, 0, -1, -1 },
1390+}; 1390+};
1391 1391
1392-char * 1392-char *
@@ -1433,7 +1433,7 @@ index 34808b5c3..a2a4794e8 100644
1433 return NULL; 1433 return NULL;
1434 } 1434 }
1435 1435
1436@@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) 1436@@ -313,6 +347,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
1437 return r; 1437 return r;
1438 } 1438 }
1439 1439
@@ -1463,7 +1463,7 @@ index 34808b5c3..a2a4794e8 100644
1463 /* put algorithm proposal into buffer */ 1463 /* put algorithm proposal into buffer */
1464 int 1464 int
1465 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 1465 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
1466@@ -657,6 +714,9 @@ kex_free(struct kex *kex) 1466@@ -696,6 +753,9 @@ kex_free(struct kex *kex)
1467 sshbuf_free(kex->server_version); 1467 sshbuf_free(kex->server_version);
1468 sshbuf_free(kex->client_pub); 1468 sshbuf_free(kex->client_pub);
1469 free(kex->session_id); 1469 free(kex->session_id);
@@ -1474,10 +1474,10 @@ index 34808b5c3..a2a4794e8 100644
1474 free(kex->hostkey_alg); 1474 free(kex->hostkey_alg);
1475 free(kex->name); 1475 free(kex->name);
1476diff --git a/kex.h b/kex.h 1476diff --git a/kex.h b/kex.h
1477index 6d446d1cc..2d5f1d4ed 100644 1477index a5ae6ac05..fe7141414 100644
1478--- a/kex.h 1478--- a/kex.h
1479+++ b/kex.h 1479+++ b/kex.h
1480@@ -103,6 +103,15 @@ enum kex_exchange { 1480@@ -102,6 +102,15 @@ enum kex_exchange {
1481 KEX_ECDH_SHA2, 1481 KEX_ECDH_SHA2,
1482 KEX_C25519_SHA256, 1482 KEX_C25519_SHA256,
1483 KEX_KEM_SNTRUP4591761X25519_SHA512, 1483 KEX_KEM_SNTRUP4591761X25519_SHA512,
@@ -1493,7 +1493,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1493 KEX_MAX 1493 KEX_MAX
1494 }; 1494 };
1495 1495
1496@@ -154,6 +163,12 @@ struct kex { 1496@@ -153,6 +162,12 @@ struct kex {
1497 u_int flags; 1497 u_int flags;
1498 int hash_alg; 1498 int hash_alg;
1499 int ec_nid; 1499 int ec_nid;
@@ -1506,7 +1506,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1506 char *failed_choice; 1506 char *failed_choice;
1507 int (*verify_host_key)(struct sshkey *, struct ssh *); 1507 int (*verify_host_key)(struct sshkey *, struct ssh *);
1508 struct sshkey *(*load_host_public_key)(int, int, struct ssh *); 1508 struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
1509@@ -175,8 +190,10 @@ struct kex { 1509@@ -174,8 +189,10 @@ struct kex {
1510 1510
1511 int kex_names_valid(const char *); 1511 int kex_names_valid(const char *);
1512 char *kex_alg_list(char); 1512 char *kex_alg_list(char);
@@ -1517,7 +1517,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1517 1517
1518 int kex_exchange_identification(struct ssh *, int, const char *); 1518 int kex_exchange_identification(struct ssh *, int, const char *);
1519 1519
1520@@ -203,6 +220,12 @@ int kexgex_client(struct ssh *); 1520@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *);
1521 int kexgex_server(struct ssh *); 1521 int kexgex_server(struct ssh *);
1522 int kex_gen_client(struct ssh *); 1522 int kex_gen_client(struct ssh *);
1523 int kex_gen_server(struct ssh *); 1523 int kex_gen_server(struct ssh *);
@@ -1530,7 +1530,7 @@ index 6d446d1cc..2d5f1d4ed 100644
1530 1530
1531 int kex_dh_keypair(struct kex *); 1531 int kex_dh_keypair(struct kex *);
1532 int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, 1532 int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
1533@@ -235,6 +258,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, 1533@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
1534 const BIGNUM *, const u_char *, size_t, 1534 const BIGNUM *, const u_char *, size_t,
1535 u_char *, size_t *); 1535 u_char *, size_t *);
1536 1536
@@ -1572,10 +1572,10 @@ index 67133e339..edaa46762 100644
1572 break; 1572 break;
1573 case KEX_DH_GRP18_SHA512: 1573 case KEX_DH_GRP18_SHA512:
1574diff --git a/kexgen.c b/kexgen.c 1574diff --git a/kexgen.c b/kexgen.c
1575index 2abbb9ef6..569dc83f3 100644 1575index bb996b504..d353ed8b0 100644
1576--- a/kexgen.c 1576--- a/kexgen.c
1577+++ b/kexgen.c 1577+++ b/kexgen.c
1578@@ -43,7 +43,7 @@ 1578@@ -44,7 +44,7 @@
1579 static int input_kex_gen_init(int, u_int32_t, struct ssh *); 1579 static int input_kex_gen_init(int, u_int32_t, struct ssh *);
1580 static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); 1580 static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
1581 1581
@@ -2677,11 +2677,11 @@ index 000000000..60bc02deb
2677+} 2677+}
2678+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ 2678+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
2679diff --git a/mac.c b/mac.c 2679diff --git a/mac.c b/mac.c
2680index 51dc11d76..3d11eba62 100644 2680index f3dda6692..de346ed20 100644
2681--- a/mac.c 2681--- a/mac.c
2682+++ b/mac.c 2682+++ b/mac.c
2683@@ -29,6 +29,7 @@ 2683@@ -30,6 +30,7 @@
2684 2684 #include <stdlib.h>
2685 #include <string.h> 2685 #include <string.h>
2686 #include <stdio.h> 2686 #include <stdio.h>
2687+#include <stdlib.h> 2687+#include <stdlib.h>
@@ -2689,7 +2689,7 @@ index 51dc11d76..3d11eba62 100644
2689 #include "digest.h" 2689 #include "digest.h"
2690 #include "hmac.h" 2690 #include "hmac.h"
2691diff --git a/monitor.c b/monitor.c 2691diff --git a/monitor.c b/monitor.c
2692index 60e529444..0766d6ef5 100644 2692index 00af44f98..bead9e204 100644
2693--- a/monitor.c 2693--- a/monitor.c
2694+++ b/monitor.c 2694+++ b/monitor.c
2695@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); 2695@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2936,7 +2936,7 @@ index 683e5e071..2b1a2d590 100644
2936 2936
2937 struct ssh; 2937 struct ssh;
2938diff --git a/monitor_wrap.c b/monitor_wrap.c 2938diff --git a/monitor_wrap.c b/monitor_wrap.c
2939index 186e8f022..8e4c1c1f8 100644 2939index 4169b7604..fdca39a6a 100644
2940--- a/monitor_wrap.c 2940--- a/monitor_wrap.c
2941+++ b/monitor_wrap.c 2941+++ b/monitor_wrap.c
2942@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2942@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -3015,10 +3015,10 @@ index 186e8f022..8e4c1c1f8 100644
3015+ 3015+
3016 #endif /* GSSAPI */ 3016 #endif /* GSSAPI */
3017diff --git a/monitor_wrap.h b/monitor_wrap.h 3017diff --git a/monitor_wrap.h b/monitor_wrap.h
3018index fdebb3aa4..69164a8c0 100644 3018index 191277f3a..92dda574b 100644
3019--- a/monitor_wrap.h 3019--- a/monitor_wrap.h
3020+++ b/monitor_wrap.h 3020+++ b/monitor_wrap.h
3021@@ -61,8 +61,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 3021@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
3022 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 3022 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
3023 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 3023 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
3024 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 3024 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -3031,7 +3031,7 @@ index fdebb3aa4..69164a8c0 100644
3031 3031
3032 #ifdef USE_PAM 3032 #ifdef USE_PAM
3033diff --git a/readconf.c b/readconf.c 3033diff --git a/readconf.c b/readconf.c
3034index ec497e79f..4d699e5f1 100644 3034index f78b4d6fe..3c68d1a88 100644
3035--- a/readconf.c 3035--- a/readconf.c
3036+++ b/readconf.c 3036+++ b/readconf.c
3037@@ -67,6 +67,7 @@ 3037@@ -67,6 +67,7 @@
@@ -3074,7 +3074,7 @@ index ec497e79f..4d699e5f1 100644
3074 #endif 3074 #endif
3075 #ifdef ENABLE_PKCS11 3075 #ifdef ENABLE_PKCS11
3076 { "pkcs11provider", oPKCS11Provider }, 3076 { "pkcs11provider", oPKCS11Provider },
3077@@ -983,10 +998,42 @@ parse_time: 3077@@ -988,10 +1003,42 @@ parse_time:
3078 intptr = &options->gss_authentication; 3078 intptr = &options->gss_authentication;
3079 goto parse_flag; 3079 goto parse_flag;
3080 3080
@@ -3117,7 +3117,7 @@ index ec497e79f..4d699e5f1 100644
3117 case oBatchMode: 3117 case oBatchMode:
3118 intptr = &options->batch_mode; 3118 intptr = &options->batch_mode;
3119 goto parse_flag; 3119 goto parse_flag;
3120@@ -1854,7 +1901,13 @@ initialize_options(Options * options) 3120@@ -1863,7 +1910,13 @@ initialize_options(Options * options)
3121 options->pubkey_authentication = -1; 3121 options->pubkey_authentication = -1;
3122 options->challenge_response_authentication = -1; 3122 options->challenge_response_authentication = -1;
3123 options->gss_authentication = -1; 3123 options->gss_authentication = -1;
@@ -3131,7 +3131,7 @@ index ec497e79f..4d699e5f1 100644
3131 options->password_authentication = -1; 3131 options->password_authentication = -1;
3132 options->kbd_interactive_authentication = -1; 3132 options->kbd_interactive_authentication = -1;
3133 options->kbd_interactive_devices = NULL; 3133 options->kbd_interactive_devices = NULL;
3134@@ -2000,8 +2053,18 @@ fill_default_options(Options * options) 3134@@ -2009,8 +2062,18 @@ fill_default_options(Options * options)
3135 options->challenge_response_authentication = 1; 3135 options->challenge_response_authentication = 1;
3136 if (options->gss_authentication == -1) 3136 if (options->gss_authentication == -1)
3137 options->gss_authentication = 0; 3137 options->gss_authentication = 0;
@@ -3150,7 +3150,7 @@ index ec497e79f..4d699e5f1 100644
3150 if (options->password_authentication == -1) 3150 if (options->password_authentication == -1)
3151 options->password_authentication = 1; 3151 options->password_authentication = 1;
3152 if (options->kbd_interactive_authentication == -1) 3152 if (options->kbd_interactive_authentication == -1)
3153@@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host) 3153@@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host)
3154 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); 3154 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
3155 #ifdef GSSAPI 3155 #ifdef GSSAPI
3156 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 3156 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3184,7 +3184,7 @@ index 8e36bf32a..0bff6d80a 100644
3184 * authentication. */ 3184 * authentication. */
3185 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 3185 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
3186diff --git a/servconf.c b/servconf.c 3186diff --git a/servconf.c b/servconf.c
3187index ffac5d2c7..ffdad31e7 100644 3187index e76f9c39e..f63eb0b94 100644
3188--- a/servconf.c 3188--- a/servconf.c
3189+++ b/servconf.c 3189+++ b/servconf.c
3190@@ -64,6 +64,7 @@ 3190@@ -64,6 +64,7 @@
@@ -3257,7 +3257,7 @@ index ffac5d2c7..ffdad31e7 100644
3257 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 3257 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
3258 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 3258 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
3259 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 3259 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
3260@@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line, 3260@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line,
3261 intptr = &options->gss_authentication; 3261 intptr = &options->gss_authentication;
3262 goto parse_flag; 3262 goto parse_flag;
3263 3263
@@ -3268,7 +3268,7 @@ index ffac5d2c7..ffdad31e7 100644
3268 case sGssCleanupCreds: 3268 case sGssCleanupCreds:
3269 intptr = &options->gss_cleanup_creds; 3269 intptr = &options->gss_cleanup_creds;
3270 goto parse_flag; 3270 goto parse_flag;
3271@@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line, 3271@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line,
3272 intptr = &options->gss_strict_acceptor; 3272 intptr = &options->gss_strict_acceptor;
3273 goto parse_flag; 3273 goto parse_flag;
3274 3274
@@ -3291,7 +3291,7 @@ index ffac5d2c7..ffdad31e7 100644
3291 case sPasswordAuthentication: 3291 case sPasswordAuthentication:
3292 intptr = &options->password_authentication; 3292 intptr = &options->password_authentication;
3293 goto parse_flag; 3293 goto parse_flag;
3294@@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o) 3294@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
3295 #ifdef GSSAPI 3295 #ifdef GSSAPI
3296 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 3296 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3297 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 3297 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3303,7 +3303,7 @@ index ffac5d2c7..ffdad31e7 100644
3303 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 3303 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3304 dump_cfg_fmtint(sKbdInteractiveAuthentication, 3304 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3305diff --git a/servconf.h b/servconf.h 3305diff --git a/servconf.h b/servconf.h
3306index 54e0a8d8d..a476d5220 100644 3306index 5483da051..29329ba1f 100644
3307--- a/servconf.h 3307--- a/servconf.h
3308+++ b/servconf.h 3308+++ b/servconf.h
3309@@ -126,8 +126,11 @@ typedef struct { 3309@@ -126,8 +126,11 @@ typedef struct {
@@ -3319,7 +3319,7 @@ index 54e0a8d8d..a476d5220 100644
3319 * authentication. */ 3319 * authentication. */
3320 int kbd_interactive_authentication; /* If true, permit */ 3320 int kbd_interactive_authentication; /* If true, permit */
3321diff --git a/session.c b/session.c 3321diff --git a/session.c b/session.c
3322index ac06b08e9..ac3d9d19d 100644 3322index 8f5d7e0a4..f1a47f766 100644
3323--- a/session.c 3323--- a/session.c
3324+++ b/session.c 3324+++ b/session.c
3325@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) 3325@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3465,7 +3465,7 @@ index 36180d07a..70dd36658 100644
3465 3465
3466 #endif /* _SSH_GSS_H */ 3466 #endif /* _SSH_GSS_H */
3467diff --git a/ssh.1 b/ssh.1 3467diff --git a/ssh.1 b/ssh.1
3468index 9480eba8d..a1c7d2305 100644 3468index 424d6c3e8..26940ad55 100644
3469--- a/ssh.1 3469--- a/ssh.1
3470+++ b/ssh.1 3470+++ b/ssh.1
3471@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see 3471@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
@@ -3492,7 +3492,7 @@ index 9480eba8d..a1c7d2305 100644
3492 (key types), 3492 (key types),
3493 .Ar key-cert 3493 .Ar key-cert
3494diff --git a/ssh.c b/ssh.c 3494diff --git a/ssh.c b/ssh.c
3495index 91e7c3511..42be7d88f 100644 3495index ee51823cd..2da9f5d0d 100644
3496--- a/ssh.c 3496--- a/ssh.c
3497+++ b/ssh.c 3497+++ b/ssh.c
3498@@ -736,6 +736,8 @@ main(int ac, char **av) 3498@@ -736,6 +736,8 @@ main(int ac, char **av)
@@ -3527,10 +3527,10 @@ index 5e8ef548b..1ff999b68 100644
3527 # CheckHostIP yes 3527 # CheckHostIP yes
3528 # AddressFamily any 3528 # AddressFamily any
3529diff --git a/ssh_config.5 b/ssh_config.5 3529diff --git a/ssh_config.5 b/ssh_config.5
3530index 412629637..c3c8b274a 100644 3530index 02a87892d..f4668673b 100644
3531--- a/ssh_config.5 3531--- a/ssh_config.5
3532+++ b/ssh_config.5 3532+++ b/ssh_config.5
3533@@ -754,10 +754,67 @@ The default is 3533@@ -758,10 +758,67 @@ The default is
3534 Specifies whether user authentication based on GSSAPI is allowed. 3534 Specifies whether user authentication based on GSSAPI is allowed.
3535 The default is 3535 The default is
3536 .Cm no . 3536 .Cm no .
@@ -3599,7 +3599,7 @@ index 412629637..c3c8b274a 100644
3599 Indicates that 3599 Indicates that
3600 .Xr ssh 1 3600 .Xr ssh 1
3601diff --git a/sshconnect2.c b/sshconnect2.c 3601diff --git a/sshconnect2.c b/sshconnect2.c
3602index dffee90b1..4020371ae 100644 3602index 87fa70a40..a4ec75ca1 100644
3603--- a/sshconnect2.c 3603--- a/sshconnect2.c
3604+++ b/sshconnect2.c 3604+++ b/sshconnect2.c
3605@@ -78,8 +78,6 @@ 3605@@ -78,8 +78,6 @@
@@ -3726,7 +3726,7 @@ index dffee90b1..4020371ae 100644
3726 {"gssapi-with-mic", 3726 {"gssapi-with-mic",
3727 userauth_gssapi, 3727 userauth_gssapi,
3728 userauth_gssapi_cleanup, 3728 userauth_gssapi_cleanup,
3729@@ -698,12 +766,25 @@ userauth_gssapi(struct ssh *ssh) 3729@@ -697,12 +765,25 @@ userauth_gssapi(struct ssh *ssh)
3730 OM_uint32 min; 3730 OM_uint32 min;
3731 int r, ok = 0; 3731 int r, ok = 0;
3732 gss_OID mech = NULL; 3732 gss_OID mech = NULL;
@@ -3753,7 +3753,7 @@ index dffee90b1..4020371ae 100644
3753 3753
3754 /* Check to see whether the mechanism is usable before we offer it */ 3754 /* Check to see whether the mechanism is usable before we offer it */
3755 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && 3755 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
3756@@ -712,13 +793,15 @@ userauth_gssapi(struct ssh *ssh) 3756@@ -711,13 +792,15 @@ userauth_gssapi(struct ssh *ssh)
3757 elements[authctxt->mech_tried]; 3757 elements[authctxt->mech_tried];
3758 /* My DER encoding requires length<128 */ 3758 /* My DER encoding requires length<128 */
3759 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, 3759 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3770,7 +3770,7 @@ index dffee90b1..4020371ae 100644
3770 if (!ok || mech == NULL) 3770 if (!ok || mech == NULL)
3771 return 0; 3771 return 0;
3772 3772
3773@@ -958,6 +1041,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3773@@ -957,6 +1040,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3774 free(lang); 3774 free(lang);
3775 return r; 3775 return r;
3776 } 3776 }
@@ -3827,7 +3827,7 @@ index dffee90b1..4020371ae 100644
3827 3827
3828 static int 3828 static int
3829diff --git a/sshd.c b/sshd.c 3829diff --git a/sshd.c b/sshd.c
3830index cbd3bce91..98680721b 100644 3830index 11571c010..3a5c1ea78 100644
3831--- a/sshd.c 3831--- a/sshd.c
3832+++ b/sshd.c 3832+++ b/sshd.c
3833@@ -123,6 +123,10 @@ 3833@@ -123,6 +123,10 @@
@@ -3852,7 +3852,7 @@ index cbd3bce91..98680721b 100644
3852 sshpkt_fatal(ssh, r, "%s: send", __func__); 3852 sshpkt_fatal(ssh, r, "%s: send", __func__);
3853 sshbuf_free(buf); 3853 sshbuf_free(buf);
3854 } 3854 }
3855@@ -1769,7 +1773,8 @@ main(int ac, char **av) 3855@@ -1773,7 +1777,8 @@ main(int ac, char **av)
3856 free(fp); 3856 free(fp);
3857 } 3857 }
3858 accumulate_host_timing_secret(cfg, NULL); 3858 accumulate_host_timing_secret(cfg, NULL);
@@ -3862,7 +3862,7 @@ index cbd3bce91..98680721b 100644
3862 logit("sshd: no hostkeys available -- exiting."); 3862 logit("sshd: no hostkeys available -- exiting.");
3863 exit(1); 3863 exit(1);
3864 } 3864 }
3865@@ -2064,6 +2069,60 @@ main(int ac, char **av) 3865@@ -2069,6 +2074,60 @@ main(int ac, char **av)
3866 rdomain == NULL ? "" : "\""); 3866 rdomain == NULL ? "" : "\"");
3867 free(laddr); 3867 free(laddr);
3868 3868
@@ -3923,7 +3923,7 @@ index cbd3bce91..98680721b 100644
3923 /* 3923 /*
3924 * We don't want to listen forever unless the other side 3924 * We don't want to listen forever unless the other side
3925 * successfully authenticates itself. So we set up an alarm which is 3925 * successfully authenticates itself. So we set up an alarm which is
3926@@ -2260,6 +2319,48 @@ do_ssh2_kex(struct ssh *ssh) 3926@@ -2265,6 +2324,48 @@ do_ssh2_kex(struct ssh *ssh)
3927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3928 list_hostkey_types()); 3928 list_hostkey_types());
3929 3929
@@ -3972,7 +3972,7 @@ index cbd3bce91..98680721b 100644
3972 /* start key exchange */ 3972 /* start key exchange */
3973 if ((r = kex_setup(ssh, myproposal)) != 0) 3973 if ((r = kex_setup(ssh, myproposal)) != 0)
3974 fatal("kex_setup: %s", ssh_err(r)); 3974 fatal("kex_setup: %s", ssh_err(r));
3975@@ -2275,7 +2376,18 @@ do_ssh2_kex(struct ssh *ssh) 3975@@ -2280,7 +2381,18 @@ do_ssh2_kex(struct ssh *ssh)
3976 # ifdef OPENSSL_HAS_ECC 3976 # ifdef OPENSSL_HAS_ECC
3977 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 3977 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
3978 # endif 3978 # endif
@@ -4006,10 +4006,10 @@ index 19b7c91a1..2c48105f8 100644
4006 # Set this to 'yes' to enable PAM authentication, account processing, 4006 # Set this to 'yes' to enable PAM authentication, account processing,
4007 # and session processing. If this is enabled, PAM authentication will 4007 # and session processing. If this is enabled, PAM authentication will
4008diff --git a/sshd_config.5 b/sshd_config.5 4008diff --git a/sshd_config.5 b/sshd_config.5
4009index b224f2929..2baa6622b 100644 4009index 9486f2a1c..cec3c3c4e 100644
4010--- a/sshd_config.5 4010--- a/sshd_config.5
4011+++ b/sshd_config.5 4011+++ b/sshd_config.5
4012@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache 4012@@ -655,6 +655,11 @@ Specifies whether to automatically destroy the user's credentials cache
4013 on logout. 4013 on logout.
4014 The default is 4014 The default is
4015 .Cm yes . 4015 .Cm yes .
@@ -4021,7 +4021,7 @@ index b224f2929..2baa6622b 100644
4021 .It Cm GSSAPIStrictAcceptorCheck 4021 .It Cm GSSAPIStrictAcceptorCheck
4022 Determines whether to be strict about the identity of the GSSAPI acceptor 4022 Determines whether to be strict about the identity of the GSSAPI acceptor
4023 a client authenticates against. 4023 a client authenticates against.
4024@@ -667,6 +672,31 @@ machine's default store. 4024@@ -669,6 +674,31 @@ machine's default store.
4025 This facility is provided to assist with operation on multi homed machines. 4025 This facility is provided to assist with operation on multi homed machines.
4026 The default is 4026 The default is
4027 .Cm yes . 4027 .Cm yes .
@@ -4054,10 +4054,10 @@ index b224f2929..2baa6622b 100644
4054 Specifies the key types that will be accepted for hostbased authentication 4054 Specifies the key types that will be accepted for hostbased authentication
4055 as a list of comma-separated patterns. 4055 as a list of comma-separated patterns.
4056diff --git a/sshkey.c b/sshkey.c 4056diff --git a/sshkey.c b/sshkey.c
4057index ad1957762..789cd61ef 100644 4057index ef90563b3..4d2048b6a 100644
4058--- a/sshkey.c 4058--- a/sshkey.c
4059+++ b/sshkey.c 4059+++ b/sshkey.c
4060@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { 4060@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = {
4061 # endif /* OPENSSL_HAS_NISTP521 */ 4061 # endif /* OPENSSL_HAS_NISTP521 */
4062 # endif /* OPENSSL_HAS_ECC */ 4062 # endif /* OPENSSL_HAS_ECC */
4063 #endif /* WITH_OPENSSL */ 4063 #endif /* WITH_OPENSSL */
@@ -4065,7 +4065,7 @@ index ad1957762..789cd61ef 100644
4065 { NULL, NULL, NULL, -1, -1, 0, 0 } 4065 { NULL, NULL, NULL, -1, -1, 0, 0 }
4066 }; 4066 };
4067 4067
4068@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 4068@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
4069 const struct keytype *kt; 4069 const struct keytype *kt;
4070 4070
4071 for (kt = keytypes; kt->type != -1; kt++) { 4071 for (kt = keytypes; kt->type != -1; kt++) {
@@ -4075,7 +4075,7 @@ index ad1957762..789cd61ef 100644
4075 if (!include_sigonly && kt->sigonly) 4075 if (!include_sigonly && kt->sigonly)
4076 continue; 4076 continue;
4077diff --git a/sshkey.h b/sshkey.h 4077diff --git a/sshkey.h b/sshkey.h
4078index a91e60436..c11106c93 100644 4078index 1119a7b07..1bf30d055 100644
4079--- a/sshkey.h 4079--- a/sshkey.h
4080+++ b/sshkey.h 4080+++ b/sshkey.h
4081@@ -65,6 +65,7 @@ enum sshkey_types { 4081@@ -65,6 +65,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index fbfe6a1fb..2f7ac943d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 4d8dd12bab7bbc954815d7953a0c86ce1687bd34 Mon Sep 17 00:00:00 2001 1From 26d9fe60e31c78018bdfd49bba1196ea7c44405d Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 29f3bd98d..3d0b6ff90 100644 29index a7fb7ca15..09787c0e5 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -177,6 +177,7 @@ typedef enum { 32@@ -177,6 +177,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 29f3bd98d..3d0b6ff90 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1440,6 +1443,8 @@ parse_keytypes: 49@@ -1449,6 +1452,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 29f3bd98d..3d0b6ff90 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2133,8 +2138,13 @@ fill_default_options(Options * options) 58@@ -2142,8 +2147,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 29f3bd98d..3d0b6ff90 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index c3c8b274a..250c92d04 100644 75index f4668673b..bc04d8d02 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -265,8 +265,12 @@ Valid arguments are 78@@ -265,8 +265,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index c3c8b274a..250c92d04 100644
89 The argument must be 89 The argument must be
90 .Cm yes 90 .Cm yes
91 or 91 or
92@@ -1535,7 +1539,14 @@ from the server, 92@@ -1557,7 +1561,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index c3c8b274a..250c92d04 100644
105 .It Cm SetEnv 105 .It Cm SetEnv
106 Directly specify one or more environment variables and their contents to 106 Directly specify one or more environment variables and their contents to
107 be sent to the server. 107 be sent to the server.
108@@ -1615,6 +1626,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1637,6 +1648,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index c3c8b274a..250c92d04 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index 2baa6622b..2ef671d1b 100644 122index cec3c3c4e..eec224158 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1597,6 +1597,9 @@ This avoids infinitely hanging sessions. 125@@ -1615,6 +1615,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index f429530a7..639b216d6 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From f9185fc3df5af5f724bca35a957f60309af1d89e Mon Sep 17 00:00:00 2001 1From fdcf8c0343564121a89be817386c5feabd40c609 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 103d84e38..0b6f6af4b 100644 17index 644057bc4..41e75a275 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -986,9 +986,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -990,9 +990,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 103d84e38..0b6f6af4b 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -997,6 +1001,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1001,6 +1005,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 error("Offending %s key in %s:%lu", 36 error("Offending %s key in %s:%lu",
37 sshkey_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index d67e00ffc..9b5baee08 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 4cf082890d12604fcd28e7387b5eb4a5fb09695e Mon Sep 17 00:00:00 2001 1From ed88eee326ca80e1e0fdb6f9ef0346f6d5e021a8 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index b4ecb41eb..46e1f8712 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From b3a38ffd3427b5404210f841c8e29c2df21e1825 Mon Sep 17 00:00:00 2001 1From 8fb8f70b0534897791c61f2757e97bd13385944e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 124456577..9b877b860 100644 47index 957d2f0f0..143a2349f 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -178,9 +178,7 @@ key in 50@@ -191,9 +191,7 @@ key in
51 .Pa ~/.ssh/id_ed25519 51 .Pa ~/.ssh/id_ed25519
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 124456577..9b877b860 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -243,9 +241,7 @@ If 61@@ -256,9 +254,7 @@ If
62 .Fl f 62 .Fl f
63 has also been specified, its argument is used as a prefix to the 63 has also been specified, its argument is used as a prefix to the
64 default path for the resulting host key files. 64 default path for the resulting host key files.
@@ -67,9 +67,9 @@ index 124456577..9b877b860 100644
67-to generate new host keys. 67-to generate new host keys.
68+This is used by system administration scripts to generate new host keys. 68+This is used by system administration scripts to generate new host keys.
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a private key this option specifies the number of KDF 70 When saving a private key, this option specifies the number of KDF
71 (key derivation function) rounds used. 71 (key derivation function) rounds used.
72@@ -703,7 +699,7 @@ option. 72@@ -798,7 +794,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 124456577..9b877b860 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -903,7 +899,7 @@ on all machines 81@@ -1049,7 +1045,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,7 +88,7 @@ index 124456577..9b877b860 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 64ead5f57..e4aeae7b4 100644 91index 20e4c4efa..4923031f4 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -873,6 +873,10 @@ implements public key authentication protocol automatically, 94@@ -873,6 +873,10 @@ implements public key authentication protocol automatically,
@@ -133,10 +133,10 @@ index 57a7fd66b..4abc01d66 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index addea54a0..f995e4ab0 100644 136index 46537f177..270805060 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for 139@@ -393,8 +393,7 @@ Certificates signed using other algorithms will not be accepted for
140 public key or host-based authentication. 140 public key or host-based authentication.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 55e4cc930..7a811f9af 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 0085b2106eb5307ebdae9601471d8387961b2e83 Mon Sep 17 00:00:00 2001 1From 6a8dfab1a067a52b004594fadb3a90578a8cc094 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
18 2 files changed, 7 insertions(+), 2 deletions(-) 18 2 files changed, 7 insertions(+), 2 deletions(-)
19 19
20diff --git a/kex.c b/kex.c 20diff --git a/kex.c b/kex.c
21index a2a4794e8..be354206d 100644 21index e09355dbd..65ed6af02 100644
22--- a/kex.c 22--- a/kex.c
23+++ b/kex.c 23+++ b/kex.c
24@@ -1186,7 +1186,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 24@@ -1239,7 +1239,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
25 if (version_addendum != NULL && *version_addendum == '\0') 25 if (version_addendum != NULL && *version_addendum == '\0')
26 version_addendum = NULL; 26 version_addendum = NULL;
27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -31,11 +31,11 @@ index a2a4794e8..be354206d 100644
31 version_addendum == NULL ? "" : version_addendum)) != 0) { 31 version_addendum == NULL ? "" : version_addendum)) != 0) {
32 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 32 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
33diff --git a/version.h b/version.h 33diff --git a/version.h b/version.h
34index 806ead9a6..599c859e6 100644 34index 6b3fadf89..a24017eca 100644
35--- a/version.h 35--- a/version.h
36+++ b/version.h 36+++ b/version.h
37@@ -3,4 +3,9 @@ 37@@ -3,4 +3,9 @@
38 #define SSH_VERSION "OpenSSH_8.0" 38 #define SSH_VERSION "OpenSSH_8.1"
39 39
40 #define SSH_PORTABLE "p1" 40 #define SSH_PORTABLE "p1"
41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index dcbe38501..ea5ea0396 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 4eb4bf18caacd2fe12dbdde381347629dd8b3c95 Mon Sep 17 00:00:00 2001 1From f0c916d8008c30809fef44469bee1b74426a3071 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 0472ea7d0..222a996f1 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 0f9f44654708e4fde2f52c52f717d061b5e458fa Mon Sep 17 00:00:00 2001 1From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 2869f7042..ce16e7758 100644 31index 1c2512314..e894db9fc 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1518,6 +1518,62 @@ else 34@@ -1521,6 +1521,62 @@ else
35 AC_MSG_RESULT([no]) 35 AC_MSG_RESULT([no])
36 fi 36 fi
37 37
@@ -94,7 +94,7 @@ index 2869f7042..ce16e7758 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5269,6 +5325,7 @@ echo " PAM support: $PAM_MSG" 97@@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG"
98 echo " OSF SIA support: $SIA_MSG" 98 echo " OSF SIA support: $SIA_MSG"
99 echo " KerberosV support: $KRB5_MSG" 99 echo " KerberosV support: $KRB5_MSG"
100 echo " SELinux support: $SELINUX_MSG" 100 echo " SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index fb133c14b..57a7fd66b 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 98680721b..46870d3b5 100644 131index 3a5c1ea78..4e32fd10d 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index 98680721b..46870d3b5 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2057,6 +2064,24 @@ main(int ac, char **av) 148@@ -2062,6 +2069,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index d524dc34f..34743f555 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
1From f08fbfbaad10ae0bd9f057de8e18071e588146a6 Mon Sep 17 00:00:00 2001 1From efef12825b9582c1710da3b7e50135870963d4f4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 8 Apr 2019 10:46:29 +0100 3Date: Mon, 8 Apr 2019 10:46:29 +0100
4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP 4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
24 4 files changed, 8 insertions(+), 12 deletions(-) 24 4 files changed, 8 insertions(+), 12 deletions(-)
25 25
26diff --git a/readconf.c b/readconf.c 26diff --git a/readconf.c b/readconf.c
27index f35bde6e6..2ba312441 100644 27index 253574ce0..9812b8d98 100644
28--- a/readconf.c 28--- a/readconf.c
29+++ b/readconf.c 29+++ b/readconf.c
30@@ -2165,9 +2165,9 @@ fill_default_options(Options * options) 30@@ -2174,9 +2174,9 @@ fill_default_options(Options * options)
31 if (options->visual_host_key == -1) 31 if (options->visual_host_key == -1)
32 options->visual_host_key = 0; 32 options->visual_host_key = 0;
33 if (options->ip_qos_interactive == -1) 33 if (options->ip_qos_interactive == -1)
@@ -40,7 +40,7 @@ index f35bde6e6..2ba312441 100644
40 options->request_tty = REQUEST_TTY_AUTO; 40 options->request_tty = REQUEST_TTY_AUTO;
41 if (options->proxy_use_fdpass == -1) 41 if (options->proxy_use_fdpass == -1)
42diff --git a/servconf.c b/servconf.c 42diff --git a/servconf.c b/servconf.c
43index 8d2bced52..365e6ff1e 100644 43index 5576098a5..4464d51a5 100644
44--- a/servconf.c 44--- a/servconf.c
45+++ b/servconf.c 45+++ b/servconf.c
46@@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options) 46@@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options)
@@ -56,10 +56,10 @@ index 8d2bced52..365e6ff1e 100644
56 options->version_addendum = xstrdup(""); 56 options->version_addendum = xstrdup("");
57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
58diff --git a/ssh_config.5 b/ssh_config.5 58diff --git a/ssh_config.5 b/ssh_config.5
59index a27631ae9..a9f6d906f 100644 59index d27655e15..b71d5ede9 100644
60--- a/ssh_config.5 60--- a/ssh_config.5
61+++ b/ssh_config.5 61+++ b/ssh_config.5
62@@ -1098,11 +1098,9 @@ If one argument is specified, it is used as the packet class unconditionally. 62@@ -1110,11 +1110,9 @@ If one argument is specified, it is used as the packet class unconditionally.
63 If two values are specified, the first is automatically selected for 63 If two values are specified, the first is automatically selected for
64 interactive sessions and the second for non-interactive sessions. 64 interactive sessions and the second for non-interactive sessions.
65 The default is 65 The default is
@@ -74,10 +74,10 @@ index a27631ae9..a9f6d906f 100644
74 .It Cm KbdInteractiveAuthentication 74 .It Cm KbdInteractiveAuthentication
75 Specifies whether to use keyboard-interactive authentication. 75 Specifies whether to use keyboard-interactive authentication.
76diff --git a/sshd_config.5 b/sshd_config.5 76diff --git a/sshd_config.5 b/sshd_config.5
77index c0c4ebd66..e5380f5dc 100644 77index 02e29cb6f..ba533af9e 100644
78--- a/sshd_config.5 78--- a/sshd_config.5
79+++ b/sshd_config.5 79+++ b/sshd_config.5
80@@ -886,11 +886,9 @@ If one argument is specified, it is used as the packet class unconditionally. 80@@ -892,11 +892,9 @@ If one argument is specified, it is used as the packet class unconditionally.
81 If two values are specified, the first is automatically selected for 81 If two values are specified, the first is automatically selected for
82 interactive sessions and the second for non-interactive sessions. 82 interactive sessions and the second for non-interactive sessions.
83 The default is 83 The default is
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index d4561d053..e69c9c46e 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 08821a1b464a0d0d62f735d6bf1e6305faf73fa1 Mon Sep 17 00:00:00 2001 1From 2d8e679834c81fc381d02974986e08cafe3efa29 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 80bc0e8b1..a2dc410bd 100644 20index 0348d0673..5a7a92a7e 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -199,8 +199,16 @@ do_local_cmd(arglist *a) 23@@ -199,8 +199,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/seccomp-handle-shm.patch b/debian/patches/seccomp-handle-shm.patch
deleted file mode 100644
index 7ad068190..000000000
--- a/debian/patches/seccomp-handle-shm.patch
+++ /dev/null
@@ -1,38 +0,0 @@
1From ceefaa8ee80b63c0890d24c42369dc51880f53ea Mon Sep 17 00:00:00 2001
2From: Lonnie Abelbeck <lonnie@abelbeck.com>
3Date: Tue, 1 Oct 2019 09:05:09 -0500
4Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
5
6New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
7in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
8
9Bug: https://github.com/openssh/openssh-portable/pull/149
10Bug-Debian: https://bugs.debian.org/941663
11Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
12Last-Update: 2019-10-05
13
14Patch-Name: seccomp-handle-shm.patch
15---
16 sandbox-seccomp-filter.c | 9 +++++++++
17 1 file changed, 9 insertions(+)
18
19diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
20index ef4de8c65..e8f31555e 100644
21--- a/sandbox-seccomp-filter.c
22+++ b/sandbox-seccomp-filter.c
23@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
24 #ifdef __NR_stat64
25 SC_DENY(__NR_stat64, EACCES),
26 #endif
27+#ifdef __NR_shmget
28+ SC_DENY(__NR_shmget, EACCES),
29+#endif
30+#ifdef __NR_shmat
31+ SC_DENY(__NR_shmat, EACCES),
32+#endif
33+#ifdef __NR_shmdt
34+ SC_DENY(__NR_shmdt, EACCES),
35+#endif
36
37 /* Syscalls to permit */
38 #ifdef __NR_brk
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index cec741d2b..aaefa9ed4 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
1From a85bb8a31b789276d5edb0c34023ce833a402b00 Mon Sep 17 00:00:00 2001 1From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300 3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture 4Subject: Allow flock and ipc syscall for s390 architecture
@@ -22,10 +22,10 @@ Patch-Name: seccomp-s390-flock-ipc.patch
22 1 file changed, 6 insertions(+) 22 1 file changed, 6 insertions(+)
23 23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index 5edbc6946..d4bc20828 100644 25index b5cda70bb..2f6b0d55b 100644
26--- a/sandbox-seccomp-filter.c 26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c 27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { 28@@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = {
29 #ifdef __NR_exit_group 29 #ifdef __NR_exit_group
30 SC_ALLOW(__NR_exit_group), 30 SC_ALLOW(__NR_exit_group),
31 #endif 31 #endif
@@ -35,7 +35,7 @@ index 5edbc6946..d4bc20828 100644
35 #ifdef __NR_futex 35 #ifdef __NR_futex
36 SC_ALLOW(__NR_futex), 36 SC_ALLOW(__NR_futex),
37 #endif 37 #endif
38@@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = { 38@@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = {
39 #ifdef __NR_getuid32 39 #ifdef __NR_getuid32
40 SC_ALLOW(__NR_getuid32), 40 SC_ALLOW(__NR_getuid32),
41 #endif 41 #endif
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
deleted file mode 100644
index 257ea7e79..000000000
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1From d38283cc4cba6bf7685a16898a3b9d3a6cecf661 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390)
5
6The EP11 crypto card needs to make an ioctl call, which receives an
7specific argument. This crypto card is for s390 only.
8
9Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
10
11Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
12Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
13Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
14Last-Update: 2017-08-28
15
16Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
17---
18 sandbox-seccomp-filter.c | 2 ++
19 1 file changed, 2 insertions(+)
20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index d4bc20828..ef4de8c65 100644
23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c
25@@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = {
26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
29+ /* Allow ioctls for EP11 crypto card on s390 */
30+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
31 #endif
32 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
33 /*
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5ab339ac9..02d740fe3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001 1From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -31,10 +31,10 @@ Patch-Name: selinux-role.patch
31 15 files changed, 99 insertions(+), 32 deletions(-) 31 15 files changed, 99 insertions(+), 32 deletions(-)
32 32
33diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
34index bf393e755..8f13bdf48 100644 34index becc672b5..5da9fe75f 100644
35--- a/auth.h 35--- a/auth.h
36+++ b/auth.h 36+++ b/auth.h
37@@ -65,6 +65,7 @@ struct Authctxt { 37@@ -63,6 +63,7 @@ struct Authctxt {
38 char *service; 38 char *service;
39 struct passwd *pw; /* set if 'valid' */ 39 struct passwd *pw; /* set if 'valid' */
40 char *style; 40 char *style;
@@ -43,10 +43,10 @@ index bf393e755..8f13bdf48 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index 7417eafa4..d60e7f1f2 100644 46index 1c217268c..92a6bcaf4 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
50 { 50 {
51 Authctxt *authctxt = ssh->authctxt; 51 Authctxt *authctxt = ssh->authctxt;
52 Authmethod *m = NULL; 52 Authmethod *m = NULL;
@@ -55,7 +55,7 @@ index 7417eafa4..d60e7f1f2 100644
55 int r, authenticated = 0; 55 int r, authenticated = 0;
56 double tstart = monotime_double(); 56 double tstart = monotime_double();
57 57
58@@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 58@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
59 debug("userauth-request for user %s service %s method %s", user, service, method); 59 debug("userauth-request for user %s service %s method %s", user, service, method);
60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61 61
@@ -69,7 +69,7 @@ index 7417eafa4..d60e7f1f2 100644
69 69
70 if (authctxt->attempt++ == 0) { 70 if (authctxt->attempt++ == 0) {
71 /* setup auth context */ 71 /* setup auth context */
72@@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 72@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
73 use_privsep ? " [net]" : ""); 73 use_privsep ? " [net]" : "");
74 authctxt->service = xstrdup(service); 74 authctxt->service = xstrdup(service);
75 authctxt->style = style ? xstrdup(style) : NULL; 75 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index 7417eafa4..d60e7f1f2 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 ssh_packet_disconnect(ssh, 82 ssh_packet_disconnect(ssh,
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 0766d6ef5..5f84e880d 100644 84index bead9e204..04db44c9c 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); 87@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
177 177
178 struct ssh; 178 struct ssh;
179diff --git a/monitor_wrap.c b/monitor_wrap.c 179diff --git a/monitor_wrap.c b/monitor_wrap.c
180index 8e4c1c1f8..6b3a6251c 100644 180index fdca39a6a..933ce9a3d 100644
181--- a/monitor_wrap.c 181--- a/monitor_wrap.c
182+++ b/monitor_wrap.c 182+++ b/monitor_wrap.c
183@@ -364,10 +364,10 @@ mm_auth2_read_banner(void) 183@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,11 +231,11 @@ index 8e4c1c1f8..6b3a6251c 100644
231 int 231 int
232 mm_auth_password(struct ssh *ssh, char *password) 232 mm_auth_password(struct ssh *ssh, char *password)
233diff --git a/monitor_wrap.h b/monitor_wrap.h 233diff --git a/monitor_wrap.h b/monitor_wrap.h
234index 69164a8c0..3d0e32d48 100644 234index 92dda574b..0f09dba09 100644
235--- a/monitor_wrap.h 235--- a/monitor_wrap.h
236+++ b/monitor_wrap.h 236+++ b/monitor_wrap.h
237@@ -44,7 +44,8 @@ int mm_is_monitor(void); 237@@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int);
238 DH *mm_choose_dh(int, int, int); 238 #endif
239 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, 239 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
240 const u_char *, size_t, const char *, u_int compat); 240 const u_char *, size_t, const char *, u_int compat);
241-void mm_inform_authserv(char *, char *); 241-void mm_inform_authserv(char *, char *);
@@ -328,10 +328,10 @@ index 3c22a854d..c88129428 100644
328 void ssh_selinux_setfscreatecon(const char *); 328 void ssh_selinux_setfscreatecon(const char *);
329 #endif 329 #endif
330diff --git a/platform.c b/platform.c 330diff --git a/platform.c b/platform.c
331index 41acc9370..35654ea51 100644 331index 44ba71dc5..2defe9425 100644
332--- a/platform.c 332--- a/platform.c
333+++ b/platform.c 333+++ b/platform.c
334@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) 334@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
335 * called if sshd is running as root. 335 * called if sshd is running as root.
336 */ 336 */
337 void 337 void
@@ -340,7 +340,7 @@ index 41acc9370..35654ea51 100644
340 { 340 {
341 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 341 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
342 /* 342 /*
343@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 343@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
344 } 344 }
345 #endif /* HAVE_SETPCRED */ 345 #endif /* HAVE_SETPCRED */
346 #ifdef WITH_SELINUX 346 #ifdef WITH_SELINUX
@@ -363,7 +363,7 @@ index ea4f9c584..60d72ffe7 100644
363 char *platform_krb5_get_principal_name(const char *); 363 char *platform_krb5_get_principal_name(const char *);
364 int platform_sys_dir_uid(uid_t); 364 int platform_sys_dir_uid(uid_t);
365diff --git a/session.c b/session.c 365diff --git a/session.c b/session.c
366index ac3d9d19d..d87ea4d44 100644 366index f1a47f766..df7d7cf55 100644
367--- a/session.c 367--- a/session.c
368+++ b/session.c 368+++ b/session.c
369@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid) 369@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -425,7 +425,7 @@ index ce59dabd9..675c91146 100644
425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
426 426
427diff --git a/sshd.c b/sshd.c 427diff --git a/sshd.c b/sshd.c
428index 46870d3b5..e3e96426e 100644 428index 4e32fd10d..ea8beacb4 100644
429--- a/sshd.c 429--- a/sshd.c
430+++ b/sshd.c 430+++ b/sshd.c
431@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) 431@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
@@ -438,7 +438,7 @@ index 46870d3b5..e3e96426e 100644
438 skip: 438 skip:
439 /* It is safe now to apply the key state */ 439 /* It is safe now to apply the key state */
440diff --git a/sshpty.c b/sshpty.c 440diff --git a/sshpty.c b/sshpty.c
441index 4da84d05f..676ade50e 100644 441index bce09e255..308449b37 100644
442--- a/sshpty.c 442--- a/sshpty.c
443+++ b/sshpty.c 443+++ b/sshpty.c
444@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 444@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -450,7 +450,7 @@ index 4da84d05f..676ade50e 100644
450 { 450 {
451 struct group *grp; 451 struct group *grp;
452 gid_t gid; 452 gid_t gid;
453@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty) 453@@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty)
454 strerror(errno)); 454 strerror(errno));
455 455
456 #ifdef WITH_SELINUX 456 #ifdef WITH_SELINUX
diff --git a/debian/patches/series b/debian/patches/series
index 4af8d8861..74cdd2ce3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,9 +22,5 @@ systemd-readiness.patch
22debian-config.patch 22debian-config.patch
23restore-authorized_keys2.patch 23restore-authorized_keys2.patch
24seccomp-s390-flock-ipc.patch 24seccomp-s390-flock-ipc.patch
25seccomp-s390-ioctl-ep11-crypto.patch
26fix-interop-tests.patch
27conch-old-privkey-format.patch 25conch-old-privkey-format.patch
28revert-ipqos-defaults.patch 26revert-ipqos-defaults.patch
29fix-utimensat-test.patch
30seccomp-handle-shm.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index e6a21fb79..d7f69011e 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 2cbb28cbd60e1c5c13a8457ad77a62c7787ba4a8 Mon Sep 17 00:00:00 2001 1From 5d1aab0eb6baeb044516660a0bde36cba2a3f9c2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index fdcdcd855..103d84e38 100644 19index 6230dad32..644057bc4 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -257,7 +257,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, 22@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index fdcdcd855..103d84e38 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1382,7 +1382,7 @@ ssh_local_cmd(const char *args) 31@@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index cbc781435..0dd4c662e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 22d2b4adcb38771adba96e326749cc67ee33d172 Mon Sep 17 00:00:00 2001 1From a8b5ec5c28805f0ab6b1b05474531521ac42eb12 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 5b6c0ce4a..af95ce67e 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From a3f10aefc2ed6ea656f5e57985400f86f56c40f6 Mon Sep 17 00:00:00 2001 1From e9f961ffa4e4e73ed22103b5697147d135d88b4f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,7 +18,7 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index e4aeae7b4..8d2b08a29 100644 21index 4923031f4..24530e511 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1584,6 +1584,7 @@ if an error occurred. 24@@ -1584,6 +1584,7 @@ if an error occurred.
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 8adc301fc..5c2b58257 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 0138f331a73d692f4543477ce7f64f9ede7d6b08 Mon Sep 17 00:00:00 2001 1From 42c820f76fddf2f2e537dbe10842aa39f6154059 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 4d699e5f1..29f3bd98d 100644 20index 3c68d1a88..a7fb7ca15 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -192,6 +192,7 @@ static struct { 23@@ -192,6 +192,7 @@ static struct {
@@ -29,7 +29,7 @@ index 4d699e5f1..29f3bd98d 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index ffdad31e7..c01e0690e 100644 32index f63eb0b94..73b93c636 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -621,6 +621,7 @@ static struct { 35@@ -621,6 +621,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index dd242d80a..2e4e5bbec 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From e9dd9cd95fe8fe2da9b114a1546a90634b3ce4be Mon Sep 17 00:00:00 2001 1From 3d1a993f484e9043e57af3ae37b7c9c608d5a5f1 Mon Sep 17 00:00:00 2001
2From: Natalie Amery <nmamery@chiark.greenend.org.uk> 2From: Natalie Amery <nmamery@chiark.greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 42be7d88f..86f143341 100644 36index 2da9f5d0d..7b482dcb0 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1265,7 +1265,7 @@ main(int ac, char **av) 39@@ -1268,7 +1268,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index c3b8f9f86..7fb76cf3d 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From d23f57ff1e85ded1298886968c9949282c4cba08 Mon Sep 17 00:00:00 2001 1From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index ce16e7758..de140f578 100644 17index e894db9fc..c119d6fd1 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4526,6 +4526,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index ce16e7758..de140f578 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5332,6 +5355,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index ce16e7758..de140f578 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 1e7ece588..48162b629 100644 59index 4e8ff0662..5e7679a33 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 1e7ece588..48162b629 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1946,6 +1950,11 @@ main(int ac, char **av) 73@@ -1951,6 +1955,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 05ea5f486..9a1b434fa 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 0fc2ac6707abe076cd6b444f73c478eeda54b25f Mon Sep 17 00:00:00 2001 1From 19f1d075a06f4d3c9b440d7272272569d8bb0a17 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -13,7 +13,7 @@ default.
13 13
14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
15Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 15Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
16Last-Update: 2019-06-05 16Last-Update: 2019-10-09
17 17
18Patch-Name: user-group-modes.patch 18Patch-Name: user-group-modes.patch
19--- 19---
@@ -27,10 +27,10 @@ Patch-Name: user-group-modes.patch
27 7 files changed, 63 insertions(+), 13 deletions(-) 27 7 files changed, 63 insertions(+), 13 deletions(-)
28 28
29diff --git a/auth-rhosts.c b/auth-rhosts.c 29diff --git a/auth-rhosts.c b/auth-rhosts.c
30index 57296e1f6..546aa0495 100644 30index 7a10210b6..587f53721 100644
31--- a/auth-rhosts.c 31--- a/auth-rhosts.c
32+++ b/auth-rhosts.c 32+++ b/auth-rhosts.c
33@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 33@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
34 return 0; 34 return 0;
35 } 35 }
36 if (options.strict_modes && 36 if (options.strict_modes &&
@@ -40,7 +40,7 @@ index 57296e1f6..546aa0495 100644
40 logit("Rhosts authentication refused for %.100s: " 40 logit("Rhosts authentication refused for %.100s: "
41 "bad ownership or modes for home directory.", pw->pw_name); 41 "bad ownership or modes for home directory.", pw->pw_name);
42 auth_debug_add("Rhosts authentication refused for %.100s: " 42 auth_debug_add("Rhosts authentication refused for %.100s: "
43@@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 43@@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
44 * allowing access to their account by anyone. 44 * allowing access to their account by anyone.
45 */ 45 */
46 if (options.strict_modes && 46 if (options.strict_modes &&
@@ -51,7 +51,7 @@ index 57296e1f6..546aa0495 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index f7a23afba..8ffd77662 100644 54index 47c27773c..fc0c05bae 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
@@ -65,7 +65,7 @@ index f7a23afba..8ffd77662 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 009e02bc5..634b5060a 100644 68index 88833d7ff..42eeb425a 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -59,8 +59,9 @@ 71@@ -59,8 +59,9 @@
@@ -79,7 +79,7 @@ index 009e02bc5..634b5060a 100644
79 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
80 #include <net/if.h> 80 #include <net/if.h>
81 #endif 81 #endif
82@@ -1103,6 +1104,55 @@ percent_expand(const char *string, ...) 82@@ -1112,6 +1113,55 @@ percent_expand(const char *string, ...)
83 #undef EXPAND_MAX_KEYS 83 #undef EXPAND_MAX_KEYS
84 } 84 }
85 85
@@ -135,7 +135,7 @@ index 009e02bc5..634b5060a 100644
135 int 135 int
136 tun_open(int tun, int mode, char **ifname) 136 tun_open(int tun, int mode, char **ifname)
137 { 137 {
138@@ -1860,8 +1910,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 138@@ -1869,8 +1919,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf); 139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1; 140 return -1;
141 } 141 }
@@ -145,10 +145,10 @@ index 009e02bc5..634b5060a 100644
145 snprintf(err, errlen, "bad ownership or modes for file %s", 145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf); 146 buf);
147 return -1; 147 return -1;
148@@ -1876,8 +1925,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 148@@ -1885,8 +1934,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf)); 149 strlcpy(buf, cp, sizeof(buf));
150 150
151 if (stat(buf, &st) < 0 || 151 if (stat(buf, &st) == -1 ||
152- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || 152- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
153- (st.st_mode & 022) != 0) { 153- (st.st_mode & 022) != 0) {
154+ !secure_permissions(&st, uid)) { 154+ !secure_permissions(&st, uid)) {
@@ -156,10 +156,10 @@ index 009e02bc5..634b5060a 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index 5b4325aba..a4bdee187 100644 159index bcc34f980..869895d3a 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -175,6 +175,8 @@ int safe_path_fd(int, const char *, struct passwd *, 162@@ -181,6 +181,8 @@ int opt_match(const char **opts, const char *term);
163 char *read_passphrase(const char *, int); 163 char *read_passphrase(const char *, int);
164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
165 165
@@ -169,10 +169,10 @@ index 5b4325aba..a4bdee187 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 3d0b6ff90..cd60007f8 100644 172index 09787c0e5..16d2729dd 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1846,8 +1846,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1855,8 +1855,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,7 +183,7 @@ index 3d0b6ff90..cd60007f8 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index a1c7d2305..64ead5f57 100644 186index 26940ad55..20e4c4efa 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1484,6 +1484,8 @@ The file format and configuration options are described in 189@@ -1484,6 +1484,8 @@ The file format and configuration options are described in
@@ -196,10 +196,10 @@ index a1c7d2305..64ead5f57 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index 250c92d04..bd1e9311d 100644 199index bc04d8d02..2c74b57c0 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1885,6 +1885,8 @@ The format of this file is described above. 202@@ -1907,6 +1907,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not writable by others. 205 read/write for the user, and not writable by others.
diff --git a/debian/rules b/debian/rules
index 2a41b023b..c8b778dc0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -144,11 +144,7 @@ override_dh_auto_build-indep:
144 144
145override_dh_auto_test-arch: 145override_dh_auto_test-arch:
146ifeq ($(RUN_TESTS),yes) 146ifeq ($(RUN_TESTS),yes)
147 $(MAKE) -C debian/build-deb/regress \ 147 $(MAKE) -C debian/build-deb unit compat-tests
148 .OBJDIR="$(CURDIR)/debian/build-deb/regress" \
149 .CURDIR="$(CURDIR)/regress" \
150 unit
151 $(MAKE) -C debian/build-deb compat-tests
152 $(MAKE) -C debian/keygen-test 148 $(MAKE) -C debian/keygen-test
153endif 149endif
154 150