summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/NEWS16
-rw-r--r--debian/changelog103
-rw-r--r--debian/copyright16
-rw-r--r--debian/patches/auth-log-verbosity.patch32
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/debian-banner.patch40
-rw-r--r--debian/patches/debian-config.patch32
-rw-r--r--debian/patches/dnssec-sshfp.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/fix-incoming-compression-statistics.patch27
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch218
-rw-r--r--debian/patches/keepalive-extensions.patch28
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch12
-rw-r--r--debian/patches/no-dsa-host-key-by-default.patch12
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch38
-rw-r--r--debian/patches/package-versioning.patch32
-rw-r--r--debian/patches/quieter-signals.patch40
-rw-r--r--debian/patches/regress-integrity-robust.patch40
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch20
-rw-r--r--debian/patches/s390-missing-header.patch29
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch4
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch4
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch6
-rw-r--r--debian/patches/selinux-role.patch76
-rw-r--r--debian/patches/series5
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/syslog-level-silent.patch8
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch125
-rw-r--r--debian/patches/x32-syntax-error.patch28
38 files changed, 478 insertions, 593 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c3f3645c9..f621e7ad8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2375f99251da3754666750fe1ed63575ba909f397 2801a62eedaaf47b20dbf4b426dc3e084bf0c8d49
3375f99251da3754666750fe1ed63575ba909f397 3801a62eedaaf47b20dbf4b426dc3e084bf0c8d49
46fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 462f54f20bf351468e0124f63cc2902ee40d9b0e9
56fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 562f54f20bf351468e0124f63cc2902ee40d9b0e9
6openssh_7.5p1.orig.tar.gz 6openssh_7.6p1.orig.tar.gz
75e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd 7a6984bc2c72192bed015c8b879b35dd9f5350b3b
81510857 81489788
diff --git a/debian/NEWS b/debian/NEWS
index 518294b5c..f908fb4e4 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,19 @@
1openssh (1:7.6p1-1) UNRELEASED; urgency=medium
2
3 OpenSSH 7.6 includes a number of changes that may affect existing
4 configurations:
5
6 * ssh(1): Delete SSH protocol version 1 support, associated configuration
7 options and documentation.
8 * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
9 * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
10 ciphers.
11 * Refuse RSA keys <1024 bits in length and improve reporting for keys
12 that do not meet this requirement.
13 * ssh(1): Do not offer CBC ciphers by default.
14
15 -- Colin Watson <cjwatson@debian.org> Wed, 04 Oct 2017 12:34:34 +0100
16
1openssh (1:7.5p1-1) experimental; urgency=medium 17openssh (1:7.5p1-1) experimental; urgency=medium
2 18
3 OpenSSH 7.5 includes a number of changes that may affect existing 19 OpenSSH 7.5 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index baa28dff7..14eeaedd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,106 @@
1openssh (1:7.6p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-7.6):
4 - SECURITY: sftp-server(8): In read-only mode, sftp-server was
5 incorrectly permitting creation of zero-length files. Reported by
6 Michal Zalewski.
7 - ssh(1): Delete SSH protocol version 1 support, associated
8 configuration options and documentation (LP: #1584321).
9 - ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
10 - ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
11 ciphers.
12 - Refuse RSA keys <1024 bits in length and improve reporting for keys
13 that do not meet this requirement.
14 - ssh(1): Do not offer CBC ciphers by default.
15 - ssh(1): Add RemoteCommand option to specify a command in the ssh
16 config file instead of giving it on the client's command line. This
17 allows the configuration file to specify the command that will be
18 executed on the remote host.
19 - sshd(8): Add ExposeAuthInfo option that enables writing details of the
20 authentication methods used (including public keys where applicable)
21 to a file that is exposed via a $SSH_USER_AUTH environment variable in
22 the subsequent session.
23 - ssh(1): Add support for reverse dynamic forwarding. In this mode, ssh
24 will act as a SOCKS4/5 proxy and forward connections to destinations
25 requested by the remote SOCKS client. This mode is requested using
26 extended syntax for the -R and RemoteForward options and, because it
27 is implemented solely at the client, does not require the server be
28 updated to be supported.
29 - sshd(8): Allow LogLevel directive in sshd_config Match blocks.
30 - ssh-keygen(1): Allow inclusion of arbitrary string or flag certificate
31 extensions and critical options.
32 - ssh-keygen(1): Allow ssh-keygen to use a key held in ssh-agent as a CA
33 when signing certificates.
34 - ssh(1)/sshd(8): Allow IPQoS=none in ssh/sshd to not set an explicit
35 ToS/DSCP value and just use the operating system default.
36 - ssh-add(1): Add -q option to make ssh-add quiet on success.
37 - ssh(1): Expand the StrictHostKeyChecking option with two new settings.
38 The first "accept-new" will automatically accept hitherto-unseen keys
39 but will refuse connections for changed or invalid hostkeys. This is
40 a safer subset of the current behaviour of StrictHostKeyChecking=no.
41 The second setting "off", is a synonym for the current behaviour of
42 StrictHostKeyChecking=no: accept new host keys, and continue
43 connection for hosts with incorrect hostkeys. A future release will
44 change the meaning of StrictHostKeyChecking=no to the behaviour of
45 "accept-new".
46 - ssh(1): Add SyslogFacility option to ssh(1) matching the equivalent
47 option in sshd(8).
48 - ssh(1): Use HostKeyAlias if specified instead of hostname for matching
49 host certificate principal names.
50 - sftp(1): Implement sorting for globbed ls.
51 - ssh(1): Add a user@host prefix to client's "Permission denied"
52 messages, useful in particular when using "stacked" connections (e.g.
53 ssh -J) where it's not clear which host is denying.
54 - ssh(1): Accept unknown EXT_INFO extension values that contain \0
55 characters. These are legal, but would previously cause fatal
56 connection errors if received.
57 - sftp(1): Print '?' instead of incorrect link count (that the protocol
58 doesn't provide) for remote listings.
59 - ssh(1): Return failure rather than fatal() for more cases during
60 session multiplexing negotiations. Causes the session to fall back to
61 a non-mux connection if they occur.
62 - ssh(1): Mention that the server may send debug messages to explain
63 public key authentication problems under some circumstances.
64 - Translate OpenSSL error codes to better report incorrect passphrase
65 errors when loading private keys.
66 - sshd(8): Adjust compatibility patterns for WinSCP to correctly
67 identify versions that implement only the legacy DH group exchange
68 scheme (closes: #877800).
69 - ssh(1): Print the "Killed by signal 1" message only at LogLevel
70 verbose so that it is not shown at the default level; prevents it from
71 appearing during ssh -J and equivalent ProxyCommand configs.
72 - ssh-keygen(1): When generating all hostkeys (ssh-keygen -A), clobber
73 existing keys if they exist but are zero length. Zero-length keys
74 could previously be made if ssh-keygen failed or was interrupted part
75 way through generating them.
76 - ssh-keyscan(1): Avoid double-close() on file descriptors.
77 - sshd(8): Avoid reliance on shared use of pointers shared between
78 monitor and child sshd processes.
79 - sshd_config(8): Document available AuthenticationMethods.
80 - ssh(1): Avoid truncation in some login prompts.
81 - ssh(1): Make "--" before the hostname terminate argument processing
82 after the hostname too (closes: #873201).
83 - ssh-keygen(1): Switch from aes256-cbc to aes256-ctr for encrypting
84 new-style private keys.
85 - ssh(1): Warn and do not attempt to use keys when the public and
86 private halves do not match.
87 - sftp(1): Don't print verbose error message when ssh disconnects from
88 under sftp.
89 - sshd(8): Fix keepalive scheduling problem: prevent activity on a
90 forwarded port from preventing the keepalive from being sent.
91 - sshd(8): When started without root privileges, don't require the
92 privilege separation user or path to exist.
93 - ssh(1)/sshd(8): Correctness fix for channels implementation: accept
94 channel IDs greater than 0x7FFFFFFF.
95 - sshd(8): Expose list of completed authentication methods to PAM via
96 the SSH_AUTH_INFO_0 PAM environment variable.
97 - ssh(1)/sshd(8): Fix several problems in the tun/tap forwarding code,
98 mostly to do with host/network byte order confusion.
99 - sshd(8): Avoid Linux seccomp violations on ppc64le over the socketcall
100 syscall.
101
102 -- Colin Watson <cjwatson@debian.org> Wed, 04 Oct 2017 12:34:34 +0100
103
1openssh (1:7.5p1-10) unstable; urgency=medium 104openssh (1:7.5p1-10) unstable; urgency=medium
2 105
3 * Tell haveged to create the pid file we expect. 106 * Tell haveged to create the pid file we expect.
diff --git a/debian/copyright b/debian/copyright
index 0b0c67480..fd85a51a0 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -110,22 +110,6 @@ License: OpenSSH
110 OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 110 OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
111 CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 111 CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
112 112
113Files: deattack.*
114Copyright: 1998 CORE SDI S.A., Buenos Aires, Argentina
115License: CORE-SDI-BSD-style
116 All rights reserved. Redistribution and use in source and binary
117 forms, with or without modification, are permitted provided that
118 this copyright notice is retained.
119 .
120 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
121 WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
122 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
123 CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
124 SOFTWARE.
125 .
126 Ariel Futoransky <futo@core-sdi.com>
127 <http://www.core-sdi.com>
128
129Files: ssh-keyscan.* 113Files: ssh-keyscan.*
130Copyright: 1995, 1996 David Mazieres <dm@lcs.mit.edu> 114Copyright: 1995, 1996 David Mazieres <dm@lcs.mit.edu>
131License: Mazieres-BSD-style 115License: Mazieres-BSD-style
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index fb3855f9a..ba7642d83 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,11 +1,11 @@
1From e08f96cf1105a3ee9a23de7102d593443e031e0c Mon Sep 17 00:00:00 2001 1From 50e9edb57b6808cbbf63fe3433febb103baac1e8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
5 5
6Bug-Debian: http://bugs.debian.org/630606 6Bug-Debian: http://bugs.debian.org/630606
7Forwarded: no 7Forwarded: no
8Last-Update: 2013-09-14 8Last-Update: 2017-10-04
9 9
10Patch-Name: auth-log-verbosity.patch 10Patch-Name: auth-log-verbosity.patch
11--- 11---
@@ -15,10 +15,10 @@ Patch-Name: auth-log-verbosity.patch
15 3 files changed, 30 insertions(+), 9 deletions(-) 15 3 files changed, 30 insertions(+), 9 deletions(-)
16 16
17diff --git a/auth-options.c b/auth-options.c 17diff --git a/auth-options.c b/auth-options.c
18index 57b49f7f..7eb87b35 100644 18index bed00eef..ccdd0b20 100644
19--- a/auth-options.c 19--- a/auth-options.c
20+++ b/auth-options.c 20+++ b/auth-options.c
21@@ -59,8 +59,19 @@ int forced_tun_device = -1; 21@@ -59,10 +59,21 @@ int forced_tun_device = -1;
22 /* "principals=" option. */ 22 /* "principals=" option. */
23 char *authorized_principals = NULL; 23 char *authorized_principals = NULL;
24 24
@@ -28,6 +28,8 @@ index 57b49f7f..7eb87b35 100644
28+ 28+
29 extern ServerOptions options; 29 extern ServerOptions options;
30 30
31 /* XXX refactor to be stateless */
32
31+void 33+void
32+auth_start_parse_options(void) 34+auth_start_parse_options(void)
33+{ 35+{
@@ -38,7 +40,7 @@ index 57b49f7f..7eb87b35 100644
38 void 40 void
39 auth_clear_options(void) 41 auth_clear_options(void)
40 { 42 {
41@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 43@@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file,
42 /* FALLTHROUGH */ 44 /* FALLTHROUGH */
43 case 0: 45 case 0:
44 free(patterns); 46 free(patterns);
@@ -56,7 +58,7 @@ index 57b49f7f..7eb87b35 100644
56 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
57 "permitted to use this key for login.", 59 "permitted to use this key for login.",
58 remote_host); 60 remote_host);
59@@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, 61@@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
60 break; 62 break;
61 case 0: 63 case 0:
62 /* no match */ 64 /* no match */
@@ -77,7 +79,7 @@ index 57b49f7f..7eb87b35 100644
77 "is not permitted to use this " 79 "is not permitted to use this "
78 "certificate for login.", 80 "certificate for login.",
79diff --git a/auth-options.h b/auth-options.h 81diff --git a/auth-options.h b/auth-options.h
80index 52cbb42a..82355276 100644 82index 547f0163..4de0f14d 100644
81--- a/auth-options.h 83--- a/auth-options.h
82+++ b/auth-options.h 84+++ b/auth-options.h
83@@ -33,6 +33,7 @@ extern int forced_tun_device; 85@@ -33,6 +33,7 @@ extern int forced_tun_device;
@@ -85,14 +87,14 @@ index 52cbb42a..82355276 100644
85 extern char *authorized_principals; 87 extern char *authorized_principals;
86 88
87+void auth_start_parse_options(void); 89+void auth_start_parse_options(void);
88 int auth_parse_options(struct passwd *, char *, char *, u_long); 90 int auth_parse_options(struct passwd *, char *, const char *, u_long);
89 void auth_clear_options(void); 91 void auth_clear_options(void);
90 int auth_cert_options(struct sshkey *, struct passwd *, const char **); 92 int auth_cert_options(struct sshkey *, struct passwd *, const char **);
91diff --git a/auth2-pubkey.c b/auth2-pubkey.c 93diff --git a/auth2-pubkey.c b/auth2-pubkey.c
92index 3e5706f4..6dc5076e 100644 94index 169839b0..43f880b6 100644
93--- a/auth2-pubkey.c 95--- a/auth2-pubkey.c
94+++ b/auth2-pubkey.c 96+++ b/auth2-pubkey.c
95@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, 97@@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw,
96 u_long linenum = 0; 98 u_long linenum = 0;
97 u_int i, found_principal = 0; 99 u_int i, found_principal = 0;
98 100
@@ -100,16 +102,16 @@ index 3e5706f4..6dc5076e 100644
100 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 102 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
101 /* Always consume entire input */ 103 /* Always consume entire input */
102 if (found_principal) 104 if (found_principal)
103@@ -771,6 +772,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) 105@@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw)
104 found_key = 0; 106 u_long linenum = 0;
107 struct sshkey *found = NULL;
105 108
106 found = NULL;
107+ auth_start_parse_options(); 109+ auth_start_parse_options();
108 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 110 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
109 char *cp, *key_options = NULL, *fp = NULL; 111 char *cp, *key_options = NULL, *fp = NULL;
110 const char *reason = NULL; 112 const char *reason = NULL;
111@@ -921,6 +923,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) 113@@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
112 if (key_cert_check_authority(key, 0, 1, 114 if (sshkey_cert_check_authority(key, 0, 1,
113 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 115 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
114 goto fail_reason; 116 goto fail_reason;
115+ auth_start_parse_options(); 117+ auth_start_parse_options();
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 9287f84e2..56f6de37f 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 603fd07727100d4d95d4ac2853a160878cf16b66 Mon Sep 17 00:00:00 2001 1From 312eb64a9faf4e8cdb95f2ae147ecbfa6c0efd83 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 6b774c1a..0577a6c4 100644 16index f6e9fe4c..08b989a4 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -339,6 +339,7 @@ install-files: 19@@ -340,6 +340,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 0939035cd..8134afba4 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 0eb0f49c5c32940fd192ef98e0d13bf5407da27b Mon Sep 17 00:00:00 2001 1From ae96c03ce51af2c529bfa2f2de57f4fa938ea552 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2015-11-29 11Last-Update: 2017-10-04
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -19,45 +19,45 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index ca73f7c5..a391cf4b 100644 22index 9889fb0a..b0146405 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options) 25@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions *options)
26 options->version_addendum = NULL;
27 options->fingerprint_hash = -1; 26 options->fingerprint_hash = -1;
28 options->disable_forwarding = -1; 27 options->disable_forwarding = -1;
28 options->expose_userauth_info = -1;
29+ options->debian_banner = -1; 29+ options->debian_banner = -1;
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -339,6 +340,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options)
34 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
35 if (options->disable_forwarding == -1)
36 options->disable_forwarding = 0; 34 options->disable_forwarding = 0;
35 if (options->expose_userauth_info == -1)
36 options->expose_userauth_info = 0;
37+ if (options->debian_banner == -1) 37+ if (options->debian_banner == -1)
38+ options->debian_banner = 1; 38+ options->debian_banner = 1;
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -425,6 +428,7 @@ typedef enum { 42@@ -429,6 +432,7 @@ typedef enum {
43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sStreamLocalBindMask, sStreamLocalBindUnlink, 43 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
45 sExposeAuthInfo,
46+ sDebianBanner, 46+ sDebianBanner,
47 sDeprecated, sIgnore, sUnsupported 47 sDeprecated, sIgnore, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -577,6 +581,7 @@ static struct { 50@@ -582,6 +586,7 @@ static struct {
51 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
52 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 51 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
53 { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 52 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
53 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1866,6 +1871,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1907,6 +1912,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 options->fingerprint_hash = value; 59 intptr = &options->expose_userauth_info;
60 break; 60 goto parse_flag;
61 61
62+ case sDebianBanner: 62+ case sDebianBanner:
63+ intptr = &options->debian_banner; 63+ intptr = &options->debian_banner;
@@ -67,20 +67,20 @@ index ca73f7c5..a391cf4b 100644
67 case sIgnore: 67 case sIgnore:
68 case sUnsupported: 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 90dfa4c2..913a21b3 100644 70index 641e93c8..410c4275 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -191,6 +191,8 @@ typedef struct { 73@@ -200,6 +200,8 @@ typedef struct {
74 char *auth_methods[MAX_AUTH_METHODS];
75 74
76 int fingerprint_hash; 75 int fingerprint_hash;
76 int expose_userauth_info;
77+ 77+
78+ int debian_banner; 78+ int debian_banner;
79 } ServerOptions; 79 } ServerOptions;
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 602f4740..f2f54b51 100644 83index eccf81bb..a5a1193d 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -94,7 +94,7 @@ index 602f4740..f2f54b51 100644
94 options.version_addendum); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 41ec6688..5f316481 100644 97index 7db25552..41e8c939 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -530,6 +530,11 @@ or 100@@ -530,6 +530,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index d65ed45fa..a3f595752 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From cf60afd3438c444e20b114fbd799168002c74aae Mon Sep 17 00:00:00 2001 1From 4847e512c0b94c615b838904a5f139a761bee284 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -26,7 +26,7 @@ Document all of this.
26 26
27Author: Russ Allbery <rra@debian.org> 27Author: Russ Allbery <rra@debian.org>
28Forwarded: not-needed 28Forwarded: not-needed
29Last-Update: 2016-12-26 29Last-Update: 2017-10-04
30 30
31Patch-Name: debian-config.patch 31Patch-Name: debian-config.patch
32--- 32---
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index 70fac682..4d92d174 100644 42index be3d5873..41f36aa8 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1950,7 +1950,7 @@ fill_default_options(Options * options) 45@@ -1940,7 +1940,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index 70fac682..4d92d174 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index 22e56a7b..6aa57c46 100644 55index 711fe608..f1b01c56 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -785,6 +785,16 @@ directive in 58@@ -764,6 +764,16 @@ directive in
59 .Xr ssh_config 5 59 .Xr ssh_config 5
60 for more information. 60 for more information.
61 .Pp 61 .Pp
@@ -72,7 +72,7 @@ index 22e56a7b..6aa57c46 100644
72 .It Fl x 72 .It Fl x
73 Disables X11 forwarding. 73 Disables X11 forwarding.
74 .Pp 74 .Pp
75@@ -793,6 +803,17 @@ Enables trusted X11 forwarding. 75@@ -772,6 +782,17 @@ Enables trusted X11 forwarding.
76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
77 controls. 77 controls.
78 .Pp 78 .Pp
@@ -91,7 +91,7 @@ index 22e56a7b..6aa57c46 100644
91 Send log information using the 91 Send log information using the
92 .Xr syslog 3 92 .Xr syslog 3
93diff --git a/ssh_config b/ssh_config 93diff --git a/ssh_config b/ssh_config
94index 4e879cd2..093c8366 100644 94index bcb9f153..1b676fb2 100644
95--- a/ssh_config 95--- a/ssh_config
96+++ b/ssh_config 96+++ b/ssh_config
97@@ -17,9 +17,10 @@ 97@@ -17,9 +17,10 @@
@@ -103,10 +103,10 @@ index 4e879cd2..093c8366 100644
103 # ForwardAgent no 103 # ForwardAgent no
104 # ForwardX11 no 104 # ForwardX11 no
105+# ForwardX11Trusted yes 105+# ForwardX11Trusted yes
106 # RhostsRSAAuthentication no
107 # RSAAuthentication yes
108 # PasswordAuthentication yes 106 # PasswordAuthentication yes
109@@ -50,3 +51,6 @@ 107 # HostbasedAuthentication no
108 # GSSAPIAuthentication no
109@@ -46,3 +47,6 @@
110 # VisualHostKey no 110 # VisualHostKey no
111 # ProxyCommand ssh -q -W %h:%p gateway.example.com 111 # ProxyCommand ssh -q -W %h:%p gateway.example.com
112 # RekeyLimit 1G 1h 112 # RekeyLimit 1G 1h
@@ -114,10 +114,10 @@ index 4e879cd2..093c8366 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index 093ea8a7..fc13fa51 100644 117index 1edfe761..2da7029a 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
121 host-specific declarations should be given near the beginning of the 121 host-specific declarations should be given near the beginning of the
122 file, and general defaults at the end. 122 file, and general defaults at the end.
123 .Pp 123 .Pp
@@ -140,7 +140,7 @@ index 093ea8a7..fc13fa51 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -715,11 +731,12 @@ elapsed. 143@@ -683,11 +699,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -204,10 +204,10 @@ index c01dd656..f68edf36 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index 603c2ba7..cc5d9fb0 100644 207index 79676a95..16be4f62 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -55,6 +55,28 @@ Arguments may optionally be enclosed in double quotes
211 .Pq \&" 211 .Pq \&"
212 in order to represent arguments containing spaces. 212 in order to represent arguments containing spaces.
213 .Pp 213 .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 8f1f9bada..a8d98855a 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c Mon Sep 17 00:00:00 2001 1From f500e89e2310f6308a998357d72d767e3b01553c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,7 +18,7 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index e813afea..fce2e308 100644 21index 6e1abb53..8e0ca691 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index cc30ec4b5..c4342181d 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From b0c0c72ecdbef4ae020bbe17b47f1f616253722d Mon Sep 17 00:00:00 2001 1From a07f7c1fe9d8dc3bfe4cb8bbe6bb5a27b638d024 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index a04e5757..093ea8a7 100644 16index 7810a418..1edfe761 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files 19@@ -777,6 +777,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/fix-incoming-compression-statistics.patch b/debian/patches/fix-incoming-compression-statistics.patch
deleted file mode 100644
index d948d67bc..000000000
--- a/debian/patches/fix-incoming-compression-statistics.patch
+++ /dev/null
@@ -1,27 +0,0 @@
1From cda04ac1f5c69710187e602043758063479c3c65 Mon Sep 17 00:00:00 2001
2From: Russell Coker <russell@coker.com.au>
3Date: Tue, 6 Jun 2017 15:00:20 +0100
4Subject: Fix incoming compression statistics
5
6Bug-Debian: https://bugs.debian.org/797964
7Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html
8Last-Update: 2017-06-06
9
10Patch-Name: fix-incoming-compression-statistics.patch
11---
12 packet.c | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/packet.c b/packet.c
16index 2f3a2ec7..6492b66f 100644
17--- a/packet.c
18+++ b/packet.c
19@@ -606,7 +606,7 @@ ssh_packet_close(struct ssh *ssh)
20 deflateEnd(stream);
21 }
22 if (state->compression_in_started) {
23- z_streamp stream = &state->compression_out_stream;
24+ z_streamp stream = &state->compression_in_stream;
25 debug("compress incoming: "
26 "raw data %llu, compressed %llu, factor %.2f",
27 (unsigned long long)stream->total_out,
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 5bfea56e9..e46c0f8b2 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 28b830b6c22317c039ec2b2070fcd94bc3cf0477 Mon Sep 17 00:00:00 2001 1From 18950b79898be885c6b77d463367639647e54e28 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index deddbcb80..0726a5020 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From d51c7ac3328464dec21514fb398ab5c140a0664f Mon Sep 17 00:00:00 2001 1From 4e70490950e5c5134df48848affaf73685bf0284 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2017-01-16 20Last-Updated: 2017-10-04
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -25,7 +25,7 @@ Patch-Name: gssapi.patch
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 96 +--------------- 27 auth.c | 96 +---------------
28 auth2-gss.c | 48 +++++++- 28 auth2-gss.c | 49 +++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 canohost.c | 93 +++++++++++++++ 30 canohost.c | 93 +++++++++++++++
31 canohost.h | 3 + 31 canohost.h | 3 +
@@ -56,7 +56,7 @@ Patch-Name: gssapi.patch
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2062 insertions(+), 147 deletions(-) 59 35 files changed, 2063 insertions(+), 147 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -181,7 +181,7 @@ index 00000000..f117a336
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index 5870e9e6..6b774c1a 100644 184index c52ce191..f6e9fe4c 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -189,7 +189,7 @@ index 5870e9e6..6b774c1a 100644
189 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ 189 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
190 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ 190 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
191+ kexgssc.o \ 191+ kexgssc.o \
192 platform-pledge.o platform-tracing.o 192 platform-pledge.o platform-tracing.o platform-misc.o
193 193
194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ 195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
@@ -253,10 +253,10 @@ index a5a81ed2..38e7fee2 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 254 }
255diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
256index 6ee6116d..c6390687 100644 256index a4490617..6aec3605 100644
257--- a/auth.c 257--- a/auth.c
258+++ b/auth.c 258+++ b/auth.c
259@@ -372,7 +372,8 @@ auth_root_allowed(const char *method) 259@@ -395,7 +395,8 @@ auth_root_allowed(const char *method)
260 case PERMIT_NO_PASSWD: 260 case PERMIT_NO_PASSWD:
261 if (strcmp(method, "publickey") == 0 || 261 if (strcmp(method, "publickey") == 0 ||
262 strcmp(method, "hostbased") == 0 || 262 strcmp(method, "hostbased") == 0 ||
@@ -266,7 +266,7 @@ index 6ee6116d..c6390687 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -794,99 +795,6 @@ fakepw(void) 269@@ -727,99 +728,6 @@ fakepw(void)
270 return (&fake); 270 return (&fake);
271 } 271 }
272 272
@@ -367,11 +367,11 @@ index 6ee6116d..c6390687 100644
367 * Return the canonical name of the host in the other side of the current 367 * Return the canonical name of the host in the other side of the current
368 * connection. The host name is cached, so it is efficient to call this 368 * connection. The host name is cached, so it is efficient to call this
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 1ca83577..3b5036df 100644 370index 589283b7..fd411d3a 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
372+++ b/auth2-gss.c 372+++ b/auth2-gss.c
373@@ -1,7 +1,7 @@ 373@@ -1,7 +1,7 @@
374 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ 374 /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
375 375
376 /* 376 /*
377- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 377- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -379,16 +379,17 @@ index 1ca83577..3b5036df 100644
379 * 379 *
380 * Redistribution and use in source and binary forms, with or without 380 * Redistribution and use in source and binary forms, with or without
381 * modification, are permitted provided that the following conditions 381 * modification, are permitted provided that the following conditions
382@@ -53,6 +53,40 @@ static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt); 382@@ -53,6 +53,41 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
383 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 383 static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
384 static int input_gssapi_errtok(int, u_int32_t, void *); 384 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
385 385
386+/* 386+/*
387+ * The 'gssapi_keyex' userauth mechanism. 387+ * The 'gssapi_keyex' userauth mechanism.
388+ */ 388+ */
389+static int 389+static int
390+userauth_gsskeyex(Authctxt *authctxt) 390+userauth_gsskeyex(struct ssh *ssh)
391+{ 391+{
392+ Authctxt *authctxt = ssh->authctxt;
392+ int authenticated = 0; 393+ int authenticated = 0;
393+ Buffer b; 394+ Buffer b;
394+ gss_buffer_desc mic, gssbuf; 395+ gss_buffer_desc mic, gssbuf;
@@ -420,7 +421,7 @@ index 1ca83577..3b5036df 100644
420 /* 421 /*
421 * We only support those mechanisms that we know about (ie ones that we know 422 * We only support those mechanisms that we know about (ie ones that we know
422 * how to check local user kuserok and the like) 423 * how to check local user kuserok and the like)
423@@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 424@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
424 425
425 packet_check_eom(); 426 packet_check_eom();
426 427
@@ -428,9 +429,9 @@ index 1ca83577..3b5036df 100644
428+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, 429+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
429+ authctxt->pw)); 430+ authctxt->pw));
430 431
431 authctxt->postponed = 0; 432 if ((!use_privsep || mm_is_monitor()) &&
432 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 433 (displayname = ssh_gssapi_displayname()) != NULL)
433@@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 434@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
434 gssbuf.length = buffer_len(&b); 435 gssbuf.length = buffer_len(&b);
435 436
436 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 437 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -440,7 +441,7 @@ index 1ca83577..3b5036df 100644
440 else 441 else
441 logit("GSSAPI MIC check failed"); 442 logit("GSSAPI MIC check failed");
442 443
443@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 444@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
444 return 0; 445 return 0;
445 } 446 }
446 447
@@ -454,10 +455,10 @@ index 1ca83577..3b5036df 100644
454 "gssapi-with-mic", 455 "gssapi-with-mic",
455 userauth_gssapi, 456 userauth_gssapi,
456diff --git a/auth2.c b/auth2.c 457diff --git a/auth2.c b/auth2.c
457index 97dd2ef0..946e9235 100644 458index 862e0996..54070e3a 100644
458--- a/auth2.c 459--- a/auth2.c
459+++ b/auth2.c 460+++ b/auth2.c
460@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 461@@ -72,6 +72,7 @@ extern Authmethod method_passwd;
461 extern Authmethod method_kbdint; 462 extern Authmethod method_kbdint;
462 extern Authmethod method_hostbased; 463 extern Authmethod method_hostbased;
463 #ifdef GSSAPI 464 #ifdef GSSAPI
@@ -465,7 +466,7 @@ index 97dd2ef0..946e9235 100644
465 extern Authmethod method_gssapi; 466 extern Authmethod method_gssapi;
466 #endif 467 #endif
467 468
468@@ -77,6 +78,7 @@ Authmethod *authmethods[] = { 469@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
469 &method_none, 470 &method_none,
470 &method_pubkey, 471 &method_pubkey,
471 #ifdef GSSAPI 472 #ifdef GSSAPI
@@ -592,10 +593,10 @@ index 26d62855..0cadc9f1 100644
592 int get_peer_port(int); 593 int get_peer_port(int);
593 char *get_local_ipaddr(int); 594 char *get_local_ipaddr(int);
594diff --git a/clientloop.c b/clientloop.c 595diff --git a/clientloop.c b/clientloop.c
595index 06481623..38b0330e 100644 596index 791d336e..0010b833 100644
596--- a/clientloop.c 597--- a/clientloop.c
597+++ b/clientloop.c 598+++ b/clientloop.c
598@@ -113,6 +113,10 @@ 599@@ -112,6 +112,10 @@
599 #include "ssherr.h" 600 #include "ssherr.h"
600 #include "hostfile.h" 601 #include "hostfile.h"
601 602
@@ -606,13 +607,13 @@ index 06481623..38b0330e 100644
606 /* import options */ 607 /* import options */
607 extern Options options; 608 extern Options options;
608 609
609@@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 610@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
610 break; 611 break;
611 612
612 /* Do channel operations unless rekeying in progress. */ 613 /* Do channel operations unless rekeying in progress. */
613- if (!ssh_packet_is_rekeying(active_state)) 614- if (!ssh_packet_is_rekeying(ssh))
614+ if (!ssh_packet_is_rekeying(active_state)) { 615+ if (!ssh_packet_is_rekeying(ssh)) {
615 channel_after_select(readset, writeset); 616 channel_after_select(ssh, readset, writeset);
616 617
617+#ifdef GSSAPI 618+#ifdef GSSAPI
618+ if (options.gss_renewal_rekey && 619+ if (options.gss_renewal_rekey &&
@@ -627,10 +628,10 @@ index 06481623..38b0330e 100644
627 client_process_net_input(readset); 628 client_process_net_input(readset);
628 629
629diff --git a/config.h.in b/config.h.in 630diff --git a/config.h.in b/config.h.in
630index b65420e4..fd8a73f1 100644 631index 63fc548b..0b244fd5 100644
631--- a/config.h.in 632--- a/config.h.in
632+++ b/config.h.in 633+++ b/config.h.in
633@@ -1670,6 +1670,9 @@ 634@@ -1696,6 +1696,9 @@
634 /* Use btmp to log bad logins */ 635 /* Use btmp to log bad logins */
635 #undef USE_BTMP 636 #undef USE_BTMP
636 637
@@ -640,7 +641,7 @@ index b65420e4..fd8a73f1 100644
640 /* Use libedit for sftp */ 641 /* Use libedit for sftp */
641 #undef USE_LIBEDIT 642 #undef USE_LIBEDIT
642 643
643@@ -1685,6 +1688,9 @@ 644@@ -1711,6 +1714,9 @@
644 /* Use PIPES instead of a socketpair() */ 645 /* Use PIPES instead of a socketpair() */
645 #undef USE_PIPES 646 #undef USE_PIPES
646 647
@@ -651,10 +652,10 @@ index b65420e4..fd8a73f1 100644
651 #undef USE_SOLARIS_PRIVS 652 #undef USE_SOLARIS_PRIVS
652 653
653diff --git a/configure.ac b/configure.ac 654diff --git a/configure.ac b/configure.ac
654index c2878e3d..ead34acf 100644 655index 889f5063..84bfad8c 100644
655--- a/configure.ac 656--- a/configure.ac
656+++ b/configure.ac 657+++ b/configure.ac
657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 658@@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
658 [Use tunnel device compatibility to OpenBSD]) 659 [Use tunnel device compatibility to OpenBSD])
659 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 660 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
660 [Prepend the address family to IP tunnel traffic]) 661 [Prepend the address family to IP tunnel traffic])
@@ -1163,11 +1164,11 @@ index 795992d9..fd8b3718 100644
1163 1164
1164 #endif /* KRB5 */ 1165 #endif /* KRB5 */
1165diff --git a/gss-serv.c b/gss-serv.c 1166diff --git a/gss-serv.c b/gss-serv.c
1166index 53993d67..2e27cbf9 100644 1167index 6cae720e..967c6cfb 100644
1167--- a/gss-serv.c 1168--- a/gss-serv.c
1168+++ b/gss-serv.c 1169+++ b/gss-serv.c
1169@@ -1,7 +1,7 @@ 1170@@ -1,7 +1,7 @@
1170 /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ 1171 /* $OpenBSD: gss-serv.c,v 1.30 2017/06/24 06:34:38 djm Exp $ */
1171 1172
1172 /* 1173 /*
1173- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 1174- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1432,9 +1433,9 @@ index 53993d67..2e27cbf9 100644
1432+ return ok; 1433+ return ok;
1433 } 1434 }
1434 1435
1435 #endif 1436 /* Privileged */
1436diff --git a/kex.c b/kex.c 1437diff --git a/kex.c b/kex.c
1437index cf4ac0dc..556a32e9 100644 1438index d5d5a9da..bb1bd661 100644
1438--- a/kex.c 1439--- a/kex.c
1439+++ b/kex.c 1440+++ b/kex.c
1440@@ -54,6 +54,10 @@ 1441@@ -54,6 +54,10 @@
@@ -1445,10 +1446,10 @@ index cf4ac0dc..556a32e9 100644
1445+#include "ssh-gss.h" 1446+#include "ssh-gss.h"
1446+#endif 1447+#endif
1447+ 1448+
1448 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1449 /* prototype */
1449 # if defined(HAVE_EVP_SHA256) 1450 static int kex_choose_conf(struct ssh *);
1450 # define evp_ssh_sha256 EVP_sha256 1451 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
1451@@ -113,6 +117,14 @@ static const struct kexalg kexalgs[] = { 1452@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
1452 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1453 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1453 { NULL, -1, -1, -1}, 1454 { NULL, -1, -1, -1},
1454 }; 1455 };
@@ -1463,7 +1464,7 @@ index cf4ac0dc..556a32e9 100644
1463 1464
1464 char * 1465 char *
1465 kex_alg_list(char sep) 1466 kex_alg_list(char sep)
1466@@ -145,6 +157,10 @@ kex_alg_by_name(const char *name) 1467@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name)
1467 if (strcmp(k->name, name) == 0) 1468 if (strcmp(k->name, name) == 0)
1468 return k; 1469 return k;
1469 } 1470 }
@@ -1474,7 +1475,7 @@ index cf4ac0dc..556a32e9 100644
1474 return NULL; 1475 return NULL;
1475 } 1476 }
1476 1477
1477@@ -605,6 +621,9 @@ kex_free(struct kex *kex) 1478@@ -601,6 +617,9 @@ kex_free(struct kex *kex)
1478 sshbuf_free(kex->peer); 1479 sshbuf_free(kex->peer);
1479 sshbuf_free(kex->my); 1480 sshbuf_free(kex->my);
1480 free(kex->session_id); 1481 free(kex->session_id);
@@ -1485,7 +1486,7 @@ index cf4ac0dc..556a32e9 100644
1485 free(kex->server_version_string); 1486 free(kex->server_version_string);
1486 free(kex->failed_choice); 1487 free(kex->failed_choice);
1487diff --git a/kex.h b/kex.h 1488diff --git a/kex.h b/kex.h
1488index 3794f212..fd56171d 100644 1489index 01bb3986..a708e486 100644
1489--- a/kex.h 1490--- a/kex.h
1490+++ b/kex.h 1491+++ b/kex.h
1491@@ -99,6 +99,9 @@ enum kex_exchange { 1492@@ -99,6 +99,9 @@ enum kex_exchange {
@@ -2169,7 +2170,7 @@ index 00000000..38ca082b
2169+} 2170+}
2170+#endif /* GSSAPI */ 2171+#endif /* GSSAPI */
2171diff --git a/monitor.c b/monitor.c 2172diff --git a/monitor.c b/monitor.c
2172index 96d22b7e..506645c7 100644 2173index f517da48..cabfeb8a 100644
2173--- a/monitor.c 2174--- a/monitor.c
2174+++ b/monitor.c 2175+++ b/monitor.c
2175@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2176@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2211,7 +2212,7 @@ index 96d22b7e..506645c7 100644
2211 2212
2212 /* The first few requests do not require asynchronous access */ 2213 /* The first few requests do not require asynchronous access */
2213 while (!authenticated) { 2214 while (!authenticated) {
2214@@ -402,6 +415,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2215@@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2215 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2216 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2216 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2217 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2217 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2218 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2222,7 +2223,7 @@ index 96d22b7e..506645c7 100644
2222 2223
2223 if (!no_pty_flag) { 2224 if (!no_pty_flag) {
2224 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2225 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2225@@ -1606,6 +1623,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2226@@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2226 # endif 2227 # endif
2227 #endif /* WITH_OPENSSL */ 2228 #endif /* WITH_OPENSSL */
2228 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2229 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2236,7 +2237,7 @@ index 96d22b7e..506645c7 100644
2236 kex->load_host_public_key=&get_hostkey_public_by_type; 2237 kex->load_host_public_key=&get_hostkey_public_by_type;
2237 kex->load_host_private_key=&get_hostkey_private_by_type; 2238 kex->load_host_private_key=&get_hostkey_private_by_type;
2238 kex->host_key_index=&get_hostkey_index; 2239 kex->host_key_index=&get_hostkey_index;
2239@@ -1685,8 +1709,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2240@@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2240 OM_uint32 major; 2241 OM_uint32 major;
2241 u_int len; 2242 u_int len;
2242 2243
@@ -2247,7 +2248,7 @@ index 96d22b7e..506645c7 100644
2247 2248
2248 goid.elements = buffer_get_string(m, &len); 2249 goid.elements = buffer_get_string(m, &len);
2249 goid.length = len; 2250 goid.length = len;
2250@@ -1715,8 +1739,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2251@@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2251 OM_uint32 flags = 0; /* GSI needs this */ 2252 OM_uint32 flags = 0; /* GSI needs this */
2252 u_int len; 2253 u_int len;
2253 2254
@@ -2258,7 +2259,7 @@ index 96d22b7e..506645c7 100644
2258 2259
2259 in.value = buffer_get_string(m, &len); 2260 in.value = buffer_get_string(m, &len);
2260 in.length = len; 2261 in.length = len;
2261@@ -1735,6 +1759,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2262@@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2265 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2266,7 +2267,7 @@ index 96d22b7e..506645c7 100644
2266 } 2267 }
2267 return (0); 2268 return (0);
2268 } 2269 }
2269@@ -1746,8 +1771,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2270@@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2270 OM_uint32 ret; 2271 OM_uint32 ret;
2271 u_int len; 2272 u_int len;
2272 2273
@@ -2277,9 +2278,9 @@ index 96d22b7e..506645c7 100644
2277 2278
2278 gssbuf.value = buffer_get_string(m, &len); 2279 gssbuf.value = buffer_get_string(m, &len);
2279 gssbuf.length = len; 2280 gssbuf.length = len;
2280@@ -1775,10 +1800,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2281@@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2281 {
2282 int authenticated; 2282 int authenticated;
2283 const char *displayname;
2283 2284
2284- if (!options.gss_authentication) 2285- if (!options.gss_authentication)
2285- fatal("%s: GSSAPI authentication not enabled", __func__); 2286- fatal("%s: GSSAPI authentication not enabled", __func__);
@@ -2292,7 +2293,7 @@ index 96d22b7e..506645c7 100644
2292 2293
2293 buffer_clear(m); 2294 buffer_clear(m);
2294 buffer_put_int(m, authenticated); 2295 buffer_put_int(m, authenticated);
2295@@ -1791,5 +1817,76 @@ mm_answer_gss_userok(int sock, Buffer *m) 2296@@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
2296 /* Monitor loop will terminate if authenticated */ 2297 /* Monitor loop will terminate if authenticated */
2297 return (authenticated); 2298 return (authenticated);
2298 } 2299 }
@@ -2384,10 +2385,10 @@ index d68f6745..ec41404c 100644
2384 2385
2385 struct monitor { 2386 struct monitor {
2386diff --git a/monitor_wrap.c b/monitor_wrap.c 2387diff --git a/monitor_wrap.c b/monitor_wrap.c
2387index 64ff9288..d5cb640a 100644 2388index 69212aaf..0e171a6a 100644
2388--- a/monitor_wrap.c 2389--- a/monitor_wrap.c
2389+++ b/monitor_wrap.c 2390+++ b/monitor_wrap.c
2390@@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2391@@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2391 } 2392 }
2392 2393
2393 int 2394 int
@@ -2396,7 +2397,7 @@ index 64ff9288..d5cb640a 100644
2396 { 2397 {
2397 Buffer m; 2398 Buffer m;
2398 int authenticated = 0; 2399 int authenticated = 0;
2399@@ -941,5 +941,50 @@ mm_ssh_gssapi_userok(char *user) 2400@@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user)
2400 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2401 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2401 return (authenticated); 2402 return (authenticated);
2402 } 2403 }
@@ -2448,10 +2449,10 @@ index 64ff9288..d5cb640a 100644
2448 #endif /* GSSAPI */ 2449 #endif /* GSSAPI */
2449 2450
2450diff --git a/monitor_wrap.h b/monitor_wrap.h 2451diff --git a/monitor_wrap.h b/monitor_wrap.h
2451index db5902f5..8f9dd896 100644 2452index 9e032d20..7b2e8945 100644
2452--- a/monitor_wrap.h 2453--- a/monitor_wrap.h
2453+++ b/monitor_wrap.h 2454+++ b/monitor_wrap.h
2454@@ -55,8 +55,10 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); 2455@@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
2455 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2456 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2456 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2457 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2457 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2458 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2464,7 +2465,7 @@ index db5902f5..8f9dd896 100644
2464 2465
2465 #ifdef USE_PAM 2466 #ifdef USE_PAM
2466diff --git a/readconf.c b/readconf.c 2467diff --git a/readconf.c b/readconf.c
2467index 9d59493f..00d9cc30 100644 2468index f63894f9..99e03ee1 100644
2468--- a/readconf.c 2469--- a/readconf.c
2469+++ b/readconf.c 2470+++ b/readconf.c
2470@@ -160,6 +160,8 @@ typedef enum { 2471@@ -160,6 +160,8 @@ typedef enum {
@@ -2476,7 +2477,7 @@ index 9d59493f..00d9cc30 100644
2476 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2477 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2477 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2478 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2478 oHashKnownHosts, 2479 oHashKnownHosts,
2479@@ -196,10 +198,20 @@ static struct { 2480@@ -199,10 +201,20 @@ static struct {
2480 /* Sometimes-unsupported options */ 2481 /* Sometimes-unsupported options */
2481 #if defined(GSSAPI) 2482 #if defined(GSSAPI)
2482 { "gssapiauthentication", oGssAuthentication }, 2483 { "gssapiauthentication", oGssAuthentication },
@@ -2497,7 +2498,7 @@ index 9d59493f..00d9cc30 100644
2497 #endif 2498 #endif
2498 #ifdef ENABLE_PKCS11 2499 #ifdef ENABLE_PKCS11
2499 { "smartcarddevice", oPKCS11Provider }, 2500 { "smartcarddevice", oPKCS11Provider },
2500@@ -973,10 +985,30 @@ parse_time: 2501@@ -976,10 +988,30 @@ parse_time:
2501 intptr = &options->gss_authentication; 2502 intptr = &options->gss_authentication;
2502 goto parse_flag; 2503 goto parse_flag;
2503 2504
@@ -2528,7 +2529,7 @@ index 9d59493f..00d9cc30 100644
2528 case oBatchMode: 2529 case oBatchMode:
2529 intptr = &options->batch_mode; 2530 intptr = &options->batch_mode;
2530 goto parse_flag; 2531 goto parse_flag;
2531@@ -1798,7 +1830,12 @@ initialize_options(Options * options) 2532@@ -1790,7 +1822,12 @@ initialize_options(Options * options)
2532 options->pubkey_authentication = -1; 2533 options->pubkey_authentication = -1;
2533 options->challenge_response_authentication = -1; 2534 options->challenge_response_authentication = -1;
2534 options->gss_authentication = -1; 2535 options->gss_authentication = -1;
@@ -2541,7 +2542,7 @@ index 9d59493f..00d9cc30 100644
2541 options->password_authentication = -1; 2542 options->password_authentication = -1;
2542 options->kbd_interactive_authentication = -1; 2543 options->kbd_interactive_authentication = -1;
2543 options->kbd_interactive_devices = NULL; 2544 options->kbd_interactive_devices = NULL;
2544@@ -1942,8 +1979,14 @@ fill_default_options(Options * options) 2545@@ -1930,8 +1967,14 @@ fill_default_options(Options * options)
2545 options->challenge_response_authentication = 1; 2546 options->challenge_response_authentication = 1;
2546 if (options->gss_authentication == -1) 2547 if (options->gss_authentication == -1)
2547 options->gss_authentication = 0; 2548 options->gss_authentication = 0;
@@ -2557,10 +2558,10 @@ index 9d59493f..00d9cc30 100644
2557 options->password_authentication = 1; 2558 options->password_authentication = 1;
2558 if (options->kbd_interactive_authentication == -1) 2559 if (options->kbd_interactive_authentication == -1)
2559diff --git a/readconf.h b/readconf.h 2560diff --git a/readconf.h b/readconf.h
2560index cef55f71..fd3d7c75 100644 2561index 22fe5c18..d61161a8 100644
2561--- a/readconf.h 2562--- a/readconf.h
2562+++ b/readconf.h 2563+++ b/readconf.h
2563@@ -45,7 +45,12 @@ typedef struct { 2564@@ -42,7 +42,12 @@ typedef struct {
2564 int challenge_response_authentication; 2565 int challenge_response_authentication;
2565 /* Try S/Key or TIS, authentication. */ 2566 /* Try S/Key or TIS, authentication. */
2566 int gss_authentication; /* Try GSS authentication */ 2567 int gss_authentication; /* Try GSS authentication */
@@ -2574,7 +2575,7 @@ index cef55f71..fd3d7c75 100644
2574 * authentication. */ 2575 * authentication. */
2575 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2576diff --git a/servconf.c b/servconf.c 2577diff --git a/servconf.c b/servconf.c
2577index 56b83165..d796b7c8 100644 2578index 2c321a4a..8ba74517 100644
2578--- a/servconf.c 2579--- a/servconf.c
2579+++ b/servconf.c 2580+++ b/servconf.c
2580@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) 2581@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
@@ -2588,7 +2589,7 @@ index 56b83165..d796b7c8 100644
2588 options->password_authentication = -1; 2589 options->password_authentication = -1;
2589 options->kbd_interactive_authentication = -1; 2590 options->kbd_interactive_authentication = -1;
2590 options->challenge_response_authentication = -1; 2591 options->challenge_response_authentication = -1;
2591@@ -267,10 +269,14 @@ fill_default_server_options(ServerOptions *options) 2592@@ -268,10 +270,14 @@ fill_default_server_options(ServerOptions *options)
2592 options->kerberos_get_afs_token = 0; 2593 options->kerberos_get_afs_token = 0;
2593 if (options->gss_authentication == -1) 2594 if (options->gss_authentication == -1)
2594 options->gss_authentication = 0; 2595 options->gss_authentication = 0;
@@ -2603,7 +2604,7 @@ index 56b83165..d796b7c8 100644
2603 if (options->password_authentication == -1) 2604 if (options->password_authentication == -1)
2604 options->password_authentication = 1; 2605 options->password_authentication = 1;
2605 if (options->kbd_interactive_authentication == -1) 2606 if (options->kbd_interactive_authentication == -1)
2606@@ -407,6 +413,7 @@ typedef enum { 2607@@ -410,6 +416,7 @@ typedef enum {
2607 sHostKeyAlgorithms, 2608 sHostKeyAlgorithms,
2608 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2609 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2609 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2610 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2611,7 +2612,7 @@ index 56b83165..d796b7c8 100644
2611 sAcceptEnv, sPermitTunnel, 2612 sAcceptEnv, sPermitTunnel,
2612 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2613 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2613 sUsePrivilegeSeparation, sAllowAgentForwarding, 2614 sUsePrivilegeSeparation, sAllowAgentForwarding,
2614@@ -480,12 +487,20 @@ static struct { 2615@@ -484,12 +491,20 @@ static struct {
2615 #ifdef GSSAPI 2616 #ifdef GSSAPI
2616 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2617 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2617 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2618 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2632,7 +2633,7 @@ index 56b83165..d796b7c8 100644
2632 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2633 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2633 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2634 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2634 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2635 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2635@@ -1217,6 +1232,10 @@ process_server_config_line(ServerOptions *options, char *line, 2636@@ -1253,6 +1268,10 @@ process_server_config_line(ServerOptions *options, char *line,
2636 intptr = &options->gss_authentication; 2637 intptr = &options->gss_authentication;
2637 goto parse_flag; 2638 goto parse_flag;
2638 2639
@@ -2643,7 +2644,7 @@ index 56b83165..d796b7c8 100644
2643 case sGssCleanupCreds: 2644 case sGssCleanupCreds:
2644 intptr = &options->gss_cleanup_creds; 2645 intptr = &options->gss_cleanup_creds;
2645 goto parse_flag; 2646 goto parse_flag;
2646@@ -1225,6 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line, 2647@@ -1261,6 +1280,10 @@ process_server_config_line(ServerOptions *options, char *line,
2647 intptr = &options->gss_strict_acceptor; 2648 intptr = &options->gss_strict_acceptor;
2648 goto parse_flag; 2649 goto parse_flag;
2649 2650
@@ -2654,7 +2655,7 @@ index 56b83165..d796b7c8 100644
2654 case sPasswordAuthentication: 2655 case sPasswordAuthentication:
2655 intptr = &options->password_authentication; 2656 intptr = &options->password_authentication;
2656 goto parse_flag; 2657 goto parse_flag;
2657@@ -2250,7 +2273,10 @@ dump_config(ServerOptions *o) 2658@@ -2301,7 +2324,10 @@ dump_config(ServerOptions *o)
2658 #endif 2659 #endif
2659 #ifdef GSSAPI 2660 #ifdef GSSAPI
2660 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2661 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2666,10 +2667,10 @@ index 56b83165..d796b7c8 100644
2666 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2667 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2668 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2668diff --git a/servconf.h b/servconf.h 2669diff --git a/servconf.h b/servconf.h
2669index 5853a974..90dfa4c2 100644 2670index 1dca702e..641e93c8 100644
2670--- a/servconf.h 2671--- a/servconf.h
2671+++ b/servconf.h 2672+++ b/servconf.h
2672@@ -112,8 +112,10 @@ typedef struct { 2673@@ -119,8 +119,10 @@ typedef struct {
2673 int kerberos_get_afs_token; /* If true, try to get AFS token if 2674 int kerberos_get_afs_token; /* If true, try to get AFS token if
2674 * authenticated with Kerberos. */ 2675 * authenticated with Kerberos. */
2675 int gss_authentication; /* If true, permit GSSAPI authentication */ 2676 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2681,11 +2682,11 @@ index 5853a974..90dfa4c2 100644
2681 * authentication. */ 2682 * authentication. */
2682 int kbd_interactive_authentication; /* If true, permit */ 2683 int kbd_interactive_authentication; /* If true, permit */
2683diff --git a/ssh-gss.h b/ssh-gss.h 2684diff --git a/ssh-gss.h b/ssh-gss.h
2684index a99d7f08..914701bc 100644 2685index 6593e422..919660a0 100644
2685--- a/ssh-gss.h 2686--- a/ssh-gss.h
2686+++ b/ssh-gss.h 2687+++ b/ssh-gss.h
2687@@ -1,6 +1,6 @@ 2688@@ -1,6 +1,6 @@
2688 /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ 2689 /* $OpenBSD: ssh-gss.h,v 1.12 2017/06/24 06:34:38 djm Exp $ */
2689 /* 2690 /*
2690- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 2691- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
2691+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 2692+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2748,7 +2749,7 @@ index a99d7f08..914701bc 100644
2748 2749
2749 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2750 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2750 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2751 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2751@@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **); 2752@@ -119,17 +136,33 @@ void ssh_gssapi_build_ctx(Gssctxt **);
2752 void ssh_gssapi_delete_ctx(Gssctxt **); 2753 void ssh_gssapi_delete_ctx(Gssctxt **);
2753 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2754 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2754 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2755 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2773,6 +2774,7 @@ index a99d7f08..914701bc 100644
2773 void ssh_gssapi_do_child(char ***, u_int *); 2774 void ssh_gssapi_do_child(char ***, u_int *);
2774 void ssh_gssapi_cleanup_creds(void); 2775 void ssh_gssapi_cleanup_creds(void);
2775 void ssh_gssapi_storecreds(void); 2776 void ssh_gssapi_storecreds(void);
2777 const char *ssh_gssapi_displayname(void);
2776 2778
2777+char *ssh_gssapi_server_mechanisms(void); 2779+char *ssh_gssapi_server_mechanisms(void);
2778+int ssh_gssapi_oid_table_ok(void); 2780+int ssh_gssapi_oid_table_ok(void);
@@ -2784,10 +2786,10 @@ index a99d7f08..914701bc 100644
2784 2786
2785 #endif /* _SSH_GSS_H */ 2787 #endif /* _SSH_GSS_H */
2786diff --git a/ssh_config b/ssh_config 2788diff --git a/ssh_config b/ssh_config
2787index 90fb63f0..4e879cd2 100644 2789index c12f5ef5..bcb9f153 100644
2788--- a/ssh_config 2790--- a/ssh_config
2789+++ b/ssh_config 2791+++ b/ssh_config
2790@@ -26,6 +26,8 @@ 2792@@ -24,6 +24,8 @@
2791 # HostbasedAuthentication no 2793 # HostbasedAuthentication no
2792 # GSSAPIAuthentication no 2794 # GSSAPIAuthentication no
2793 # GSSAPIDelegateCredentials no 2795 # GSSAPIDelegateCredentials no
@@ -2797,10 +2799,10 @@ index 90fb63f0..4e879cd2 100644
2797 # CheckHostIP yes 2799 # CheckHostIP yes
2798 # AddressFamily any 2800 # AddressFamily any
2799diff --git a/ssh_config.5 b/ssh_config.5 2801diff --git a/ssh_config.5 b/ssh_config.5
2800index 532745b2..ec60273e 100644 2802index eab8dd01..9a06a757 100644
2801--- a/ssh_config.5 2803--- a/ssh_config.5
2802+++ b/ssh_config.5 2804+++ b/ssh_config.5
2803@@ -752,10 +752,42 @@ The default is 2805@@ -720,10 +720,42 @@ The default is
2804 Specifies whether user authentication based on GSSAPI is allowed. 2806 Specifies whether user authentication based on GSSAPI is allowed.
2805 The default is 2807 The default is
2806 .Cm no . 2808 .Cm no .
@@ -2844,7 +2846,7 @@ index 532745b2..ec60273e 100644
2844 Indicates that 2846 Indicates that
2845 .Xr ssh 1 2847 .Xr ssh 1
2846diff --git a/sshconnect2.c b/sshconnect2.c 2848diff --git a/sshconnect2.c b/sshconnect2.c
2847index f8a54bee..5743c2c4 100644 2849index be9397e4..c22477f5 100644
2848--- a/sshconnect2.c 2850--- a/sshconnect2.c
2849+++ b/sshconnect2.c 2851+++ b/sshconnect2.c
2850@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2919,7 +2921,7 @@ index f8a54bee..5743c2c4 100644
2919+ } 2921+ }
2920+#endif 2922+#endif
2921+ 2923+
2922 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); 2924 ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
2923 2925
2924 /* remove ext-info from the KEX proposals for rekeying */ 2926 /* remove ext-info from the KEX proposals for rekeying */
2925 myproposal[PROPOSAL_KEX_ALGS] = 2927 myproposal[PROPOSAL_KEX_ALGS] =
@@ -2937,10 +2939,10 @@ index f8a54bee..5743c2c4 100644
2937 if ((r = kex_prop2buf(kex->my, myproposal)) != 0) 2939 if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
2938 fatal("kex_prop2buf: %s", ssh_err(r)); 2940 fatal("kex_prop2buf: %s", ssh_err(r));
2939 2941
2940@@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, void *); 2942@@ -311,6 +371,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *);
2941 int input_gssapi_hash(int type, u_int32_t, void *); 2943 int input_gssapi_hash(int type, u_int32_t, struct ssh *);
2942 int input_gssapi_error(int, u_int32_t, void *); 2944 int input_gssapi_error(int, u_int32_t, struct ssh *);
2943 int input_gssapi_errtok(int, u_int32_t, void *); 2945 int input_gssapi_errtok(int, u_int32_t, struct ssh *);
2944+int userauth_gsskeyex(Authctxt *authctxt); 2946+int userauth_gsskeyex(Authctxt *authctxt);
2945 #endif 2947 #endif
2946 2948
@@ -2957,7 +2959,7 @@ index f8a54bee..5743c2c4 100644
2957 {"gssapi-with-mic", 2959 {"gssapi-with-mic",
2958 userauth_gssapi, 2960 userauth_gssapi,
2959 NULL, 2961 NULL,
2960@@ -652,25 +718,40 @@ userauth_gssapi(Authctxt *authctxt) 2962@@ -654,25 +720,40 @@ userauth_gssapi(Authctxt *authctxt)
2961 static u_int mech = 0; 2963 static u_int mech = 0;
2962 OM_uint32 min; 2964 OM_uint32 min;
2963 int ok = 0; 2965 int ok = 0;
@@ -3000,9 +3002,9 @@ index f8a54bee..5743c2c4 100644
3000 if (!ok) 3002 if (!ok)
3001 return 0; 3003 return 0;
3002 3004
3003@@ -761,8 +842,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 3005@@ -763,8 +844,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh)
3004 { 3006 {
3005 Authctxt *authctxt = ctxt; 3007 Authctxt *authctxt = ssh->authctxt;
3006 Gssctxt *gssctxt; 3008 Gssctxt *gssctxt;
3007- int oidlen; 3009- int oidlen;
3008- char *oidv; 3010- char *oidv;
@@ -3011,7 +3013,7 @@ index f8a54bee..5743c2c4 100644
3011 3013
3012 if (authctxt == NULL) 3014 if (authctxt == NULL)
3013 fatal("input_gssapi_response: no authentication context"); 3015 fatal("input_gssapi_response: no authentication context");
3014@@ -875,6 +956,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 3016@@ -877,6 +958,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3015 free(lang); 3017 free(lang);
3016 return 0; 3018 return 0;
3017 } 3019 }
@@ -3061,10 +3063,10 @@ index f8a54bee..5743c2c4 100644
3061 3063
3062 int 3064 int
3063diff --git a/sshd.c b/sshd.c 3065diff --git a/sshd.c b/sshd.c
3064index 010a2c38..20a7a5f3 100644 3066index 51a1aaf6..45e50fac 100644
3065--- a/sshd.c 3067--- a/sshd.c
3066+++ b/sshd.c 3068+++ b/sshd.c
3067@@ -123,6 +123,10 @@ 3069@@ -122,6 +122,10 @@
3068 #include "version.h" 3070 #include "version.h"
3069 #include "ssherr.h" 3071 #include "ssherr.h"
3070 3072
@@ -3075,7 +3077,7 @@ index 010a2c38..20a7a5f3 100644
3075 /* Re-exec fds */ 3077 /* Re-exec fds */
3076 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3078 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3077 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3079 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3078@@ -531,7 +535,7 @@ privsep_preauth_child(void) 3080@@ -529,7 +533,7 @@ privsep_preauth_child(void)
3079 3081
3080 #ifdef GSSAPI 3082 #ifdef GSSAPI
3081 /* Cache supported mechanism OIDs for later use */ 3083 /* Cache supported mechanism OIDs for later use */
@@ -3084,7 +3086,7 @@ index 010a2c38..20a7a5f3 100644
3084 ssh_gssapi_prepare_supported_oids(); 3086 ssh_gssapi_prepare_supported_oids();
3085 #endif 3087 #endif
3086 3088
3087@@ -1719,10 +1723,13 @@ main(int ac, char **av) 3089@@ -1708,10 +1712,13 @@ main(int ac, char **av)
3088 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3090 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3089 free(fp); 3091 free(fp);
3090 } 3092 }
@@ -3098,7 +3100,7 @@ index 010a2c38..20a7a5f3 100644
3098 3100
3099 /* 3101 /*
3100 * Load certificates. They are stored in an array at identical 3102 * Load certificates. They are stored in an array at identical
3101@@ -1992,6 +1999,60 @@ main(int ac, char **av) 3103@@ -1987,6 +1994,60 @@ main(int ac, char **av)
3102 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 3104 remote_ip, remote_port, laddr, ssh_local_port(ssh));
3103 free(laddr); 3105 free(laddr);
3104 3106
@@ -3159,7 +3161,7 @@ index 010a2c38..20a7a5f3 100644
3159 /* 3161 /*
3160 * We don't want to listen forever unless the other side 3162 * We don't want to listen forever unless the other side
3161 * successfully authenticates itself. So we set up an alarm which is 3163 * successfully authenticates itself. So we set up an alarm which is
3162@@ -2173,6 +2234,48 @@ do_ssh2_kex(void) 3164@@ -2170,6 +2231,48 @@ do_ssh2_kex(void)
3163 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3165 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3164 list_hostkey_types()); 3166 list_hostkey_types());
3165 3167
@@ -3208,7 +3210,7 @@ index 010a2c38..20a7a5f3 100644
3208 /* start key exchange */ 3210 /* start key exchange */
3209 if ((r = kex_setup(active_state, myproposal)) != 0) 3211 if ((r = kex_setup(active_state, myproposal)) != 0)
3210 fatal("kex_setup: %s", ssh_err(r)); 3212 fatal("kex_setup: %s", ssh_err(r));
3211@@ -2190,6 +2293,13 @@ do_ssh2_kex(void) 3213@@ -2187,6 +2290,13 @@ do_ssh2_kex(void)
3212 # endif 3214 # endif
3213 #endif 3215 #endif
3214 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3216 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3236,10 +3238,10 @@ index 4eb2e02e..c01dd656 100644
3236 # Set this to 'yes' to enable PAM authentication, account processing, 3238 # Set this to 'yes' to enable PAM authentication, account processing,
3237 # and session processing. If this is enabled, PAM authentication will 3239 # and session processing. If this is enabled, PAM authentication will
3238diff --git a/sshd_config.5 b/sshd_config.5 3240diff --git a/sshd_config.5 b/sshd_config.5
3239index ac6ccc79..3f819c76 100644 3241index 251b7467..0dbcb8da 100644
3240--- a/sshd_config.5 3242--- a/sshd_config.5
3241+++ b/sshd_config.5 3243+++ b/sshd_config.5
3242@@ -627,6 +627,11 @@ The default is 3244@@ -635,6 +635,11 @@ The default is
3243 Specifies whether user authentication based on GSSAPI is allowed. 3245 Specifies whether user authentication based on GSSAPI is allowed.
3244 The default is 3246 The default is
3245 .Cm no . 3247 .Cm no .
@@ -3251,7 +3253,7 @@ index ac6ccc79..3f819c76 100644
3251 .It Cm GSSAPICleanupCredentials 3253 .It Cm GSSAPICleanupCredentials
3252 Specifies whether to automatically destroy the user's credentials cache 3254 Specifies whether to automatically destroy the user's credentials cache
3253 on logout. 3255 on logout.
3254@@ -646,6 +651,11 @@ machine's default store. 3256@@ -654,6 +659,11 @@ machine's default store.
3255 This facility is provided to assist with operation on multi homed machines. 3257 This facility is provided to assist with operation on multi homed machines.
3256 The default is 3258 The default is
3257 .Cm yes . 3259 .Cm yes .
@@ -3264,10 +3266,10 @@ index ac6ccc79..3f819c76 100644
3264 Specifies the key types that will be accepted for hostbased authentication 3266 Specifies the key types that will be accepted for hostbased authentication
3265 as a comma-separated pattern list. 3267 as a comma-separated pattern list.
3266diff --git a/sshkey.c b/sshkey.c 3268diff --git a/sshkey.c b/sshkey.c
3267index 53a7674b..54001989 100644 3269index e91c54f5..c2cf0e03 100644
3268--- a/sshkey.c 3270--- a/sshkey.c
3269+++ b/sshkey.c 3271+++ b/sshkey.c
3270@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { 3272@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
3271 # endif /* OPENSSL_HAS_NISTP521 */ 3273 # endif /* OPENSSL_HAS_NISTP521 */
3272 # endif /* OPENSSL_HAS_ECC */ 3274 # endif /* OPENSSL_HAS_ECC */
3273 #endif /* WITH_OPENSSL */ 3275 #endif /* WITH_OPENSSL */
@@ -3275,7 +3277,7 @@ index 53a7674b..54001989 100644
3275 { NULL, NULL, -1, -1, 0, 0 } 3277 { NULL, NULL, -1, -1, 0, 0 }
3276 }; 3278 };
3277 3279
3278@@ -204,7 +205,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 3280@@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3279 const struct keytype *kt; 3281 const struct keytype *kt;
3280 3282
3281 for (kt = keytypes; kt->type != -1; kt++) { 3283 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3285,10 +3287,10 @@ index 53a7674b..54001989 100644
3285 if (!include_sigonly && kt->sigonly) 3287 if (!include_sigonly && kt->sigonly)
3286 continue; 3288 continue;
3287diff --git a/sshkey.h b/sshkey.h 3289diff --git a/sshkey.h b/sshkey.h
3288index 1b9e42f4..f91e4a08 100644 3290index 9093eac5..b5d020cb 100644
3289--- a/sshkey.h 3291--- a/sshkey.h
3290+++ b/sshkey.h 3292+++ b/sshkey.h
3291@@ -62,6 +62,7 @@ enum sshkey_types { 3293@@ -61,6 +61,7 @@ enum sshkey_types {
3292 KEY_DSA_CERT, 3294 KEY_DSA_CERT,
3293 KEY_ECDSA_CERT, 3295 KEY_ECDSA_CERT,
3294 KEY_ED25519_CERT, 3296 KEY_ED25519_CERT,
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 8748ac286..d3eca5924 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 74415628b380db26961259a25dcc47c4f02e8703 Mon Sep 17 00:00:00 2001 1From c147d4dbab74e0dbf738beb9d9f4220534ae9da6 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2016-12-26 19Last-Update: 2017-10-04
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,18 +26,18 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 32a72957..0b1370a8 100644 29index d2b28a41..45caa095 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -173,6 +173,7 @@ typedef enum { 32@@ -174,6 +174,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, oProxyJump, 35 oPubkeyAcceptedKeyTypes, oProxyJump,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -321,6 +322,8 @@ static struct { 40@@ -318,6 +319,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 43 { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index 32a72957..0b1370a8 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1417,6 +1420,8 @@ parse_keytypes: 49@@ -1406,6 +1409,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 32a72957..0b1370a8 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2070,8 +2075,13 @@ fill_default_options(Options * options) 58@@ -2042,8 +2047,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 32a72957..0b1370a8 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index ec60273e..e4eaa5ae 100644 75index 9a06a757..d6f43c2d 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -250,8 +250,12 @@ Valid arguments are 78@@ -247,8 +247,12 @@ Valid arguments are
79 If set to 79 If set to
80 .Cm yes , 80 .Cm yes ,
81 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index ec60273e..e4eaa5ae 100644
89 The argument must be 89 The argument must be
90 .Cm yes 90 .Cm yes
91 or 91 or
92@@ -1509,7 +1513,14 @@ from the server, 92@@ -1455,7 +1459,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index ec60273e..e4eaa5ae 100644
105 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
106 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
107 .Pq umask 107 .Pq umask
108@@ -1568,6 +1579,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1529,6 +1540,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index ec60273e..e4eaa5ae 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index 3f819c76..41ec6688 100644 122index 0dbcb8da..7db25552 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1447,6 +1447,9 @@ This avoids infinitely hanging sessions. 125@@ -1454,6 +1454,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index a425efa55..3edb37705 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 78963ce671198209cadd01ebb0aa20ae4fac22d6 Mon Sep 17 00:00:00 2001 1From 19be4218cdb262f7b584b0104ee430de0e24eeb8 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 7f169a8f..881b0886 100644 17index 5eed5880..7ce2716c 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -1080,9 +1080,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -1022,9 +1022,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,9 +32,9 @@ index 7f169a8f..881b0886 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -1090,6 +1094,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1033,6 +1037,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 user_hostfiles[0]); 36 error("Offending %s key in %s:%lu",
37 error("Offending %s key in %s:%lu", key_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
39+ error(" remove with:"); 39+ error(" remove with:");
40+ error(" ssh-keygen -f \"%s\" -R \"%s\"", 40+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
index 92f9d7c61..c24ff4e3f 100644
--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -1,4 +1,4 @@
1From 5fc5168dde0c840bf743058d235193fc27e61cab Mon Sep 17 00:00:00 2001 1From 922f3a7599d03234b6bb2ffb22a33624e7cf1953 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 16 Jan 2017 13:53:04 +0000 3Date: Mon, 16 Jan 2017 13:53:04 +0000
4Subject: Remove ssh_host_dsa_key from HostKey default 4Subject: Remove ssh_host_dsa_key from HostKey default
@@ -19,10 +19,10 @@ Patch-Name: no-dsa-host-key-by-default.patch
19 4 files changed, 6 insertions(+), 11 deletions(-) 19 4 files changed, 6 insertions(+), 11 deletions(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index a391cf4b..1a7a5f18 100644 22index b0146405..5e996cf8 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options) 25@@ -205,8 +205,6 @@ fill_default_server_options(ServerOptions *options)
26 /* fill default hostkeys for protocols */ 26 /* fill default hostkeys for protocols */
27 options->host_key_files[options->num_host_key_files++] = 27 options->host_key_files[options->num_host_key_files++] =
28 _PATH_HOST_RSA_KEY_FILE; 28 _PATH_HOST_RSA_KEY_FILE;
@@ -32,7 +32,7 @@ index a391cf4b..1a7a5f18 100644
32 options->host_key_files[options->num_host_key_files++] = 32 options->host_key_files[options->num_host_key_files++] =
33 _PATH_HOST_ECDSA_KEY_FILE; 33 _PATH_HOST_ECDSA_KEY_FILE;
34diff --git a/sshd.8 b/sshd.8 34diff --git a/sshd.8 b/sshd.8
35index 6355178f..f038fb82 100644 35index 02c5e1df..8c230657 100644
36--- a/sshd.8 36--- a/sshd.8
37+++ b/sshd.8 37+++ b/sshd.8
38@@ -164,11 +164,10 @@ This option must be given if 38@@ -164,11 +164,10 @@ This option must be given if
@@ -63,10 +63,10 @@ index f68edf36..92822959 100644
63 #HostKey /etc/ssh/ssh_host_ed25519_key 63 #HostKey /etc/ssh/ssh_host_ed25519_key
64 64
65diff --git a/sshd_config.5 b/sshd_config.5 65diff --git a/sshd_config.5 b/sshd_config.5
66index cc5d9fb0..0747cc8b 100644 66index 16be4f62..ef520680 100644
67--- a/sshd_config.5 67--- a/sshd_config.5
68+++ b/sshd_config.5 68+++ b/sshd_config.5
69@@ -741,11 +741,10 @@ is not to load any certificates. 69@@ -749,11 +749,10 @@ is not to load any certificates.
70 Specifies a file containing a private host key 70 Specifies a file containing a private host key
71 used by SSH. 71 used by SSH.
72 The defaults are 72 The defaults are
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 63a226284..cbfaebfe0 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 1780065057642803e173730f6e2162943ae54302 Mon Sep 17 00:00:00 2001 1From b614a7f9148af821919165be47c6c29f59dc6b44 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 2a5a2e466..9297decd6 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 10138a01a89b20e851d85bd040e289d47b9815b0 Mon Sep 17 00:00:00 2001 1From 7e53354725eeb002e6126a73fd5f294ed9f9b03e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -10,7 +10,7 @@ No single bug reference for this patch, but history includes:
10 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 10 https://bugs.launchpad.net/bugs/456660 (ssl(8))
11 11
12Forwarded: not-needed 12Forwarded: not-needed
13Last-Update: 2014-10-07 13Last-Update: 2017-10-04
14 14
15Patch-Name: openbsd-docs.patch 15Patch-Name: openbsd-docs.patch
16--- 16---
@@ -44,10 +44,10 @@ index ef0de085..149846c8 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index ce2213c7..01711dff 100644 47index 5f1ec09b..dfbc65dd 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -178,9 +178,7 @@ key in 50@@ -176,9 +176,7 @@ key in
51 .Pa ~/.ssh/id_ed25519 51 .Pa ~/.ssh/id_ed25519
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -58,18 +58,18 @@ index ce2213c7..01711dff 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -227,9 +225,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) 61@@ -229,9 +227,7 @@ If
62 for which host keys 62 .Fl f
63 do not exist, generate the host keys with the default key file path, 63 has also been specified, its argument is used as a prefix to the
64 an empty passphrase, default bits for the key type, and default comment. 64 default path for the resulting host key files.
65-This is used by 65-This is used by
66-.Pa /etc/rc 66-.Pa /etc/rc
67-to generate new host keys. 67-to generate new host keys.
68+This is used by system administration scripts to generate new host keys. 68+This is used by system administration scripts to generate new host keys.
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 70 When saving a new-format private key (i.e. an ed25519 key or when the
71 2 key when the 71 .Fl o
72@@ -644,7 +640,7 @@ option. 72@@ -676,7 +672,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index ce2213c7..01711dff 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -843,7 +839,7 @@ on all machines 81@@ -863,7 +859,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index ce2213c7..01711dff 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index feef81a5..b1f128c2 100644 91index 3cc94688..2a2aab30 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -877,6 +877,10 @@ implements public key authentication protocol automatically, 94@@ -842,6 +842,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index feef81a5..b1f128c2 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 989dd4bf..6355178f 100644 106index 2ed523a2..02c5e1df 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 989dd4bf..6355178f 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -836,7 +836,7 @@ This file is for host-based authentication (see 118@@ -850,7 +850,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index 989dd4bf..6355178f 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method. 125 key exchange method.
126 The file format is described in 126 The file format is described in
127@@ -936,7 +936,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -950,7 +950,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 989dd4bf..6355178f 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 5f316481..603c2ba7 100644 136index 41e8c939..79676a95 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -372,8 +372,7 @@ then no banner is displayed. 139@@ -382,8 +382,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 566761b3a..0d851e68c 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 24262015f741a40c9374b15d24c23b8e98b7b7ae Mon Sep 17 00:00:00 2001 1From 326b09bce8058629980cc92f289fd7912269eb98 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -9,34 +9,30 @@ generally just try attacks rather than bothering to scan for
9vulnerable-looking version strings. (However, see debian-banner.patch.) 9vulnerable-looking version strings. (However, see debian-banner.patch.)
10 10
11Forwarded: not-needed 11Forwarded: not-needed
12Last-Update: 2013-09-14 12Last-Update: 2017-10-04
13 13
14Patch-Name: package-versioning.patch 14Patch-Name: package-versioning.patch
15--- 15---
16 sshconnect.c | 4 ++-- 16 sshconnect.c | 2 +-
17 sshd.c | 2 +- 17 sshd.c | 2 +-
18 version.h | 7 ++++++- 18 version.h | 7 ++++++-
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 8 insertions(+), 3 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index 881b0886..d9ed5910 100644 22index 7ce2716c..3280b310 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -526,10 +526,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -517,7 +517,7 @@ send_client_banner(int connection_out, int minor1)
26 {
26 /* Send our own protocol version identification. */ 27 /* Send our own protocol version identification. */
27 if (compat20) { 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 29- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
29- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); 30+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
30+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
31 } else {
32 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
33- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
34+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
35 }
36 if (atomicio(vwrite, connection_out, client_version_string, 31 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 32 strlen(client_version_string)) != strlen(client_version_string))
33 fatal("write: %.100s", strerror(errno));
38diff --git a/sshd.c b/sshd.c 34diff --git a/sshd.c b/sshd.c
39index 9221632e..602f4740 100644 35index af1ec337..eccf81bb 100644
40--- a/sshd.c 36--- a/sshd.c
41+++ b/sshd.c 37+++ b/sshd.c
42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 38@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -49,11 +45,11 @@ index 9221632e..602f4740 100644
49 options.version_addendum); 45 options.version_addendum);
50 46
51diff --git a/version.h b/version.h 47diff --git a/version.h b/version.h
52index c86e2097..f4d8b13a 100644 48index e093f623..b7c5ad2a 100644
53--- a/version.h 49--- a/version.h
54+++ b/version.h 50+++ b/version.h
55@@ -3,4 +3,9 @@ 51@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.5" 52 #define SSH_VERSION "OpenSSH_7.6"
57 53
58 #define SSH_PORTABLE "p1" 54 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
deleted file mode 100644
index 55dd37fb9..000000000
--- a/debian/patches/quieter-signals.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1From 980646a9f7f03b43b678272b2a56e30906c6ddec Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d"
5
6This produces irritating messages when using ProxyCommand or other programs
7that use ssh under the covers (e.g. Subversion). These messages are more
8normally printed by the calling program, such as the shell.
9
10According to the upstream bug, the right way to avoid this is to use the -q
11option, so we may drop this patch after further investigation into whether
12any software in Debian is still relying on it.
13
14Author: Colin Watson <cjwatson@debian.org>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
16Bug-Debian: http://bugs.debian.org/313371
17Last-Update: 2013-09-14
18
19Patch-Name: quieter-signals.patch
20---
21 clientloop.c | 6 ++++--
22 1 file changed, 4 insertions(+), 2 deletions(-)
23
24diff --git a/clientloop.c b/clientloop.c
25index 38b0330e..06845280 100644
26--- a/clientloop.c
27+++ b/clientloop.c
28@@ -1755,8 +1755,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0;
30 }
31
32- if (received_signal)
33- fatal("Killed by signal %d.", (int) received_signal);
34+ if (received_signal) {
35+ debug("Killed by signal %d.", (int) received_signal);
36+ cleanup_exit((int) received_signal + 128);
37+ }
38
39 /*
40 * In interactive mode (with pseudo tty) display a message indicating
diff --git a/debian/patches/regress-integrity-robust.patch b/debian/patches/regress-integrity-robust.patch
deleted file mode 100644
index fe8a321c3..000000000
--- a/debian/patches/regress-integrity-robust.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1From 11f55875afff41aa1f1732ff138c9f76dc2a0afa Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 1 Jan 2017 15:21:10 +0000
4Subject: Make integrity tests more robust against timeouts
5
6If the first test in a series for a given MAC happens to modify the low
7bytes of a packet length, then ssh will time out and this will be
8interpreted as a test failure. Handle this failure mode.
9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
11Patch-Name: regress-integrity-robust.patch
12
13Last-Update: 2017-01-01
14---
15 regress/integrity.sh | 6 ++++--
16 1 file changed, 4 insertions(+), 2 deletions(-)
17
18diff --git a/regress/integrity.sh b/regress/integrity.sh
19index 1df2924f..ed378337 100644
20--- a/regress/integrity.sh
21+++ b/regress/integrity.sh
22@@ -60,14 +60,16 @@ for m in $macs; do
23 Corrupted?MAC* | *message?authentication?code?incorrect*)
24 emac=`expr $emac + 1`; skip=0;;
25 padding*) epad=`expr $epad + 1`; skip=0;;
26+ *Timeout,?server*)
27+ etmo=`expr $etmo + 1`; skip=0;;
28 *) fail "unexpected error mac $m at $off: $out";;
29 esac
30 done
31- verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
32+ verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
33 if [ $emac -eq 0 ]; then
34 fail "$m: no mac errors"
35 fi
36- expect=`expr $ecnt - $epad - $elen`
37+ expect=`expr $ecnt - $epad - $elen - $etmo`
38 if [ $emac -ne $expect ]; then
39 fail "$m: expected $expect mac errors, got $emac"
40 fi
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 8ef01fe57..098f9d681 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 91dbdb5e4e0a34acdf8dbc79ef70c7f3942d4a95 Mon Sep 17 00:00:00 2001 1From 6c2e9847f608cc9c36236eecc58241cd3358dd5b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 67711c5f8..5832897d2 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 9d91ede3c03c99b6584038aa07d095d7c277ad3a Mon Sep 17 00:00:00 2001 1From cdd9076a145a95c21538eedb3f728a897480c5de Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index ead34acf..a92425db 100644 31index 84bfad8c..3b30736b 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey], 34@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,7 +94,7 @@ index ead34acf..a92425db 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5117,6 +5173,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5133,6 +5189,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index ead34acf..a92425db 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " libldns support: $LDNS_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 7725a692..989dd4bf 100644 106index a4201146..2ed523a2 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -825,6 +825,12 @@ the user's home directory becomes accessible. 109@@ -839,6 +839,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index 7725a692..989dd4bf 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index 7725a692..989dd4bf 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 20a7a5f3..38cf9b49 100644 131index 45e50fac..a66e9ca6 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -126,6 +126,13 @@
135 #include <Security/AuthSession.h> 135 #include <Security/AuthSession.h>
136 #endif 136 #endif
137 137
@@ -145,7 +145,7 @@ index 20a7a5f3..38cf9b49 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -1992,6 +1999,24 @@ main(int ac, char **av) 148@@ -1987,6 +1994,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/s390-missing-header.patch b/debian/patches/s390-missing-header.patch
deleted file mode 100644
index be7c511b9..000000000
--- a/debian/patches/s390-missing-header.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1From 735a04bf257744fc490581e9d5d7e607e4419579 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Wed, 22 Mar 2017 12:43:02 +1100
4Subject: Missing header on Linux/s390
5
6Patch from Jakub Jelen
7
8Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24
9Last-Update: 2017-04-02
10
11Patch-Name: s390-missing-header.patch
12---
13 sandbox-seccomp-filter.c | 3 +++
14 1 file changed, 3 insertions(+)
15
16diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
17index 3a1aedce..08dc3a8b 100644
18--- a/sandbox-seccomp-filter.c
19+++ b/sandbox-seccomp-filter.c
20@@ -50,6 +50,9 @@
21 #include <elf.h>
22
23 #include <asm/unistd.h>
24+#ifdef __s390__
25+#include <asm/zcrypt.h>
26+#endif
27
28 #include <errno.h>
29 #include <signal.h>
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index f48709864..43153ec04 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 17d18d2f87eaa6c781356a78800ee17ccd12218b Mon Sep 17 00:00:00 2001 1From ef7aa8189491e0b43f14f7f15fb5e66903f7e185 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index b4db8519..18c27720 100644 20index a533eb09..12e3199d 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -191,8 +191,16 @@ do_local_cmd(arglist *a) 23@@ -194,8 +194,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
index c829abaa9..41455aa83 100644
--- a/debian/patches/seccomp-getuid-geteuid.patch
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -1,4 +1,4 @@
1From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001 1From 8165600205696cca8a080a5cb6746070512174e9 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:31:05 -0300 3Date: Tue, 9 May 2017 13:31:05 -0300
4Subject: Allow getuid and geteuid calls 4Subject: Allow getuid and geteuid calls
@@ -20,7 +20,7 @@ Patch-Name: seccomp-getuid-geteuid.patch
20 1 file changed, 12 insertions(+) 20 1 file changed, 12 insertions(+)
21 21
22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
23index 997b66ff..4cbaaa2e 100644 23index 6e7de311..e86aa2c9 100644
24--- a/sandbox-seccomp-filter.c 24--- a/sandbox-seccomp-filter.c
25+++ b/sandbox-seccomp-filter.c 25+++ b/sandbox-seccomp-filter.c
26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { 26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index 7b5ed1098..5fb94137d 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
1From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001 1From a5a99443e190a90eb511215aa7c1fa940f79b901 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300 3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture 4Subject: Allow flock and ipc syscall for s390 architecture
@@ -22,7 +22,7 @@ Patch-Name: seccomp-s390-flock-ipc.patch
22 1 file changed, 6 insertions(+) 22 1 file changed, 6 insertions(+)
23 23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index 2831e9d1..997b66ff 100644 25index ca75cc71..6e7de311 100644
26--- a/sandbox-seccomp-filter.c 26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c 27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { 28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index 83997695e..595b3d6ec 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -1,4 +1,4 @@
1From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001 1From 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300 3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390) 4Subject: Enable specific ioctl call for EP11 crypto card (s390)
@@ -19,10 +19,10 @@ Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
19 1 file changed, 2 insertions(+) 19 1 file changed, 2 insertions(+)
20 20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index 4cbaaa2e..3833424b 100644 22index e86aa2c9..98062f15 100644
23--- a/sandbox-seccomp-filter.c 23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c 24+++ b/sandbox-seccomp-filter.c
25@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = { 25@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), 26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), 27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), 28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index ae83d23b0..1402b9025 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001 1From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
9 9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11Bug-Debian: http://bugs.debian.org/394795 11Bug-Debian: http://bugs.debian.org/394795
12Last-Update: 2015-08-19 12Last-Update: 2017-10-04
13 13
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
@@ -31,31 +31,31 @@ Patch-Name: selinux-role.patch
31 15 files changed, 97 insertions(+), 30 deletions(-) 31 15 files changed, 97 insertions(+), 30 deletions(-)
32 32
33diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
34index 338a62da..8c658d16 100644 34index 29835ae9..27a1a88e 100644
35--- a/auth.h 35--- a/auth.h
36+++ b/auth.h 36+++ b/auth.h
37@@ -62,6 +62,7 @@ struct Authctxt { 37@@ -63,6 +63,7 @@ struct Authctxt {
38 char *service; 38 char *service;
39 struct passwd *pw; /* set if 'valid' */ 39 struct passwd *pw; /* set if 'valid' */
40 char *style; 40 char *style;
41+ char *role; 41+ char *role;
42 void *kbdintctxt; 42
43 char *info; /* Extra info for next auth_log */ 43 /* Method lists for multiple authentication */
44 #ifdef BSD_AUTH 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index 946e9235..2f51be23 100644 46index 54070e3a..1f9ec632 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 49@@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
50 struct ssh *ssh = active_state; /* XXX */ 50 {
51 Authctxt *authctxt = ctxt; 51 Authctxt *authctxt = ssh->authctxt;
52 Authmethod *m = NULL; 52 Authmethod *m = NULL;
53- char *user, *service, *method, *style = NULL; 53- char *user, *service, *method, *style = NULL;
54+ char *user, *service, *method, *style = NULL, *role = NULL; 54+ char *user, *service, *method, *style = NULL, *role = NULL;
55 int authenticated = 0; 55 int authenticated = 0;
56 56
57 if (authctxt == NULL) 57 if (authctxt == NULL)
58@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 58@@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
59 debug("userauth-request for user %s service %s method %s", user, service, method); 59 debug("userauth-request for user %s service %s method %s", user, service, method);
60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61 61
@@ -69,7 +69,7 @@ index 946e9235..2f51be23 100644
69 69
70 if (authctxt->attempt++ == 0) { 70 if (authctxt->attempt++ == 0) {
71 /* setup auth context */ 71 /* setup auth context */
72@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 72@@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
73 use_privsep ? " [net]" : ""); 73 use_privsep ? " [net]" : "");
74 authctxt->service = xstrdup(service); 74 authctxt->service = xstrdup(service);
75 authctxt->style = style ? xstrdup(style) : NULL; 75 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index 946e9235..2f51be23 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 506645c7..7452e20e 100644 84index cabfeb8a..510e3496 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -100,7 +100,7 @@ index 506645c7..7452e20e 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 506645c7..7452e20e 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m)
112 112
113 authctxt->service = buffer_get_string(m, NULL); 113 authctxt->service = buffer_get_string(m, NULL);
114 authctxt->style = buffer_get_string(m, NULL); 114 authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index 506645c7..7452e20e 100644
148 return (0); 148 return (0);
149 } 149 }
150 150
151@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m) 151@@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m)
152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
153 if (res == 0) 153 if (res == 0)
154 goto error; 154 goto error;
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644
171 171
172 struct monitor { 172 struct monitor {
173diff --git a/monitor_wrap.c b/monitor_wrap.c 173diff --git a/monitor_wrap.c b/monitor_wrap.c
174index d5cb640a..2ff8064a 100644 174index 0e171a6a..d806bb2e 100644
175--- a/monitor_wrap.c 175--- a/monitor_wrap.c
176+++ b/monitor_wrap.c 176+++ b/monitor_wrap.c
177@@ -327,10 +327,10 @@ mm_auth2_read_banner(void) 177@@ -336,10 +336,10 @@ mm_auth2_read_banner(void)
178 return (banner); 178 return (banner);
179 } 179 }
180 180
@@ -187,7 +187,7 @@ index d5cb640a..2ff8064a 100644
187 { 187 {
188 Buffer m; 188 Buffer m;
189 189
190@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style) 190@@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style)
191 buffer_init(&m); 191 buffer_init(&m);
192 buffer_put_cstring(&m, service); 192 buffer_put_cstring(&m, service);
193 buffer_put_cstring(&m, style ? style : ""); 193 buffer_put_cstring(&m, style ? style : "");
@@ -219,13 +219,13 @@ index d5cb640a..2ff8064a 100644
219 int 219 int
220 mm_auth_password(Authctxt *authctxt, char *password) 220 mm_auth_password(Authctxt *authctxt, char *password)
221diff --git a/monitor_wrap.h b/monitor_wrap.h 221diff --git a/monitor_wrap.h b/monitor_wrap.h
222index 8f9dd896..3e75867c 100644 222index 7b2e8945..a9ccb243 100644
223--- a/monitor_wrap.h 223--- a/monitor_wrap.h
224+++ b/monitor_wrap.h 224+++ b/monitor_wrap.h
225@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 225@@ -41,7 +41,8 @@ int mm_is_monitor(void);
226 int mm_is_monitor(void);
227 DH *mm_choose_dh(int, int, int); 226 DH *mm_choose_dh(int, int, int);
228 int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); 227 int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
228 const char *);
229-void mm_inform_authserv(char *, char *); 229-void mm_inform_authserv(char *, char *);
230+void mm_inform_authserv(char *, char *, char *); 230+void mm_inform_authserv(char *, char *, char *);
231+void mm_inform_authrole(char *); 231+void mm_inform_authrole(char *);
@@ -329,7 +329,7 @@ index 3c22a854..c8812942 100644
329 void ssh_selinux_setfscreatecon(const char *); 329 void ssh_selinux_setfscreatecon(const char *);
330 #endif 330 #endif
331diff --git a/platform.c b/platform.c 331diff --git a/platform.c b/platform.c
332index 973a63e4..cd7bf566 100644 332index 18c7751d..380ee3a4 100644
333--- a/platform.c 333--- a/platform.c
334+++ b/platform.c 334+++ b/platform.c
335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) 335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644
364 char *platform_krb5_get_principal_name(const char *); 364 char *platform_krb5_get_principal_name(const char *);
365 int platform_sys_dir_uid(uid_t); 365 int platform_sys_dir_uid(uid_t);
366diff --git a/session.c b/session.c 366diff --git a/session.c b/session.c
367index a08aa69d..ea3871eb 100644 367index 4bccb62d..d40afe4f 100644
368--- a/session.c 368--- a/session.c
369+++ b/session.c 369+++ b/session.c
370@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid) 370@@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid)
371 371
372 /* Set login name, uid, gid, and groups. */ 372 /* Set login name, uid, gid, and groups. */
373 void 373 void
@@ -376,7 +376,7 @@ index a08aa69d..ea3871eb 100644
376 { 376 {
377 char *chroot_path, *tmp; 377 char *chroot_path, *tmp;
378 378
379@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw) 379@@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw)
380 endgrent(); 380 endgrent();
381 #endif 381 #endif
382 382
@@ -385,16 +385,16 @@ index a08aa69d..ea3871eb 100644
385 385
386 if (!in_chroot && options.chroot_directory != NULL && 386 if (!in_chroot && options.chroot_directory != NULL &&
387 strcasecmp(options.chroot_directory, "none") != 0) { 387 strcasecmp(options.chroot_directory, "none") != 0) {
388@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command) 388@@ -1477,7 +1477,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
389 389
390 /* Force a password change */ 390 /* Force a password change */
391 if (s->authctxt->force_pwchange) { 391 if (s->authctxt->force_pwchange) {
392- do_setusercontext(pw); 392- do_setusercontext(pw);
393+ do_setusercontext(pw, s->authctxt->role); 393+ do_setusercontext(pw, s->authctxt->role);
394 child_close_fds(); 394 child_close_fds(ssh);
395 do_pwchange(s); 395 do_pwchange(s);
396 exit(1); 396 exit(1);
397@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command) 397@@ -1499,7 +1499,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
398 /* When PAM is enabled we rely on it to do the nologin check */ 398 /* When PAM is enabled we rely on it to do the nologin check */
399 if (!options.use_pam) 399 if (!options.use_pam)
400 do_nologin(pw); 400 do_nologin(pw);
@@ -403,7 +403,7 @@ index a08aa69d..ea3871eb 100644
403 /* 403 /*
404 * PAM session modules in do_setusercontext may have 404 * PAM session modules in do_setusercontext may have
405 * generated messages, so if this in an interactive 405 * generated messages, so if this in an interactive
406@@ -1903,7 +1903,7 @@ session_pty_req(Session *s) 406@@ -1891,7 +1891,7 @@ session_pty_req(struct ssh *ssh, Session *s)
407 tty_parse_modes(s->ttyfd, &n_bytes); 407 tty_parse_modes(s->ttyfd, &n_bytes);
408 408
409 if (!use_privsep) 409 if (!use_privsep)
@@ -413,23 +413,23 @@ index a08aa69d..ea3871eb 100644
413 /* Set window size from the packet. */ 413 /* Set window size from the packet. */
414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
415diff --git a/session.h b/session.h 415diff --git a/session.h b/session.h
416index 98e1dafe..0a31dce4 100644 416index 54dd1f0c..8535ebce 100644
417--- a/session.h 417--- a/session.h
418+++ b/session.h 418+++ b/session.h
419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); 419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
420 Session *session_new(void); 420 Session *session_new(void);
421 Session *session_by_tty(char *); 421 Session *session_by_tty(char *);
422 void session_close(Session *); 422 void session_close(struct ssh *, Session *);
423-void do_setusercontext(struct passwd *); 423-void do_setusercontext(struct passwd *);
424+void do_setusercontext(struct passwd *, const char *); 424+void do_setusercontext(struct passwd *, const char *);
425 void child_set_env(char ***envp, u_int *envsizep, const char *name, 425
426 const char *value); 426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
427 427
428diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
429index 38cf9b49..9221632e 100644 429index a66e9ca6..af1ec337 100644
430--- a/sshd.c 430--- a/sshd.c
431+++ b/sshd.c 431+++ b/sshd.c
432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt)
433 reseed_prngs(); 433 reseed_prngs();
434 434
435 /* Drop privileges */ 435 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index c9d79be6a..d1bb1ff5c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,7 +4,6 @@ selinux-role.patch
4ssh-vulnkey-compat.patch 4ssh-vulnkey-compat.patch
5keepalive-extensions.patch 5keepalive-extensions.patch
6syslog-level-silent.patch 6syslog-level-silent.patch
7quieter-signals.patch
8user-group-modes.patch 7user-group-modes.patch
9scp-quoting.patch 8scp-quoting.patch
10shell-path.patch 9shell-path.patch
@@ -22,12 +21,8 @@ no-openssl-version-status.patch
22gnome-ssh-askpass2-icon.patch 21gnome-ssh-askpass2-icon.patch
23systemd-readiness.patch 22systemd-readiness.patch
24debian-config.patch 23debian-config.patch
25regress-integrity-robust.patch
26no-dsa-host-key-by-default.patch 24no-dsa-host-key-by-default.patch
27restore-authorized_keys2.patch 25restore-authorized_keys2.patch
28s390-missing-header.patch
29x32-syntax-error.patch
30fix-incoming-compression-statistics.patch
31seccomp-s390-flock-ipc.patch 26seccomp-s390-flock-ipc.patch
32seccomp-getuid-geteuid.patch 27seccomp-getuid-geteuid.patch
33seccomp-s390-ioctl-ep11-crypto.patch 28seccomp-s390-ioctl-ep11-crypto.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 1fecd756e..29abf10f2 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From ce9a126fdaa8ef6488364107cc66d04ecabc8cc4 Mon Sep 17 00:00:00 2001 1From c239ba6fa4560704a237779f82445d5f125847e1 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 948b638a..7f169a8f 100644 19index dc7a704d..5eed5880 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -235,7 +235,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 948b638a..7f169a8f 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1498,7 +1498,7 @@ ssh_local_cmd(const char *args) 31@@ -1435,7 +1435,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 188869fe2..9ac4977b5 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 8c1482336efd745a72cbd27ac07977ccb6d8b35b Mon Sep 17 00:00:00 2001 1From b37d4f364f9c9bfbaf372e903ebbe80ef8ae2264 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index f07a061a1..3a560ad78 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 5be45fb4b0459bbff7b4b5a67c2f754c601155df Mon Sep 17 00:00:00 2001 1From 7e5cf5d27a7be47203280c665ca7311269f53671 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index b1f128c2..22e56a7b 100644 21index 2a2aab30..711fe608 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1586,6 +1586,7 @@ if an error occurred. 24@@ -1556,6 +1556,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index d8f4ec973..ef1ce4e99 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From fb7c3c37876359b7a110e1386a6b7887cd2c8ca2 Mon Sep 17 00:00:00 2001 1From 19971fb92159a621b55f0b9da76dd38a56d7247c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 00d9cc30..32a72957 100644 20index 99e03ee1..d2b28a41 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -186,6 +186,7 @@ static struct { 23@@ -189,6 +189,7 @@ static struct {
24 { "fallbacktorsh", oDeprecated }, 24 { "fallbacktorsh", oDeprecated },
25 { "globalknownhostsfile2", oDeprecated }, 25 { "globalknownhostsfile2", oDeprecated },
26 { "rhostsauthentication", oDeprecated }, 26 { "rhostsauthentication", oDeprecated },
@@ -29,10 +29,10 @@ index 00d9cc30..32a72957 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index d796b7c8..ca73f7c5 100644 32index 8ba74517..9889fb0a 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -521,6 +521,7 @@ static struct { 35@@ -525,6 +525,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3f012c99c..3ed6287a9 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From b5695a565e466477305d2ae0059b09e94ae6f44e Mon Sep 17 00:00:00 2001 1From 215bd91f12b0ddb9754483ee6e3c3b4751256dca Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index d0f86cf6..0e515e26 100644 24index 99450dd1..1559091d 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,10 +33,10 @@ index d0f86cf6..0e515e26 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 32b27bbc..b65f35ac 100644 36index ae37432b..9cb21171 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1167,7 +1167,7 @@ main(int ac, char **av) 39@@ -1166,7 +1166,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index bddc781f2..537a5cab6 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From 49ea641997b0dce73df3271f10a875cb702729b7 Mon Sep 17 00:00:00 2001 1From ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index a92425db..9d89bc35 100644 17index 3b30736b..483a9038 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4376,6 +4376,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4389,6 +4389,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index a92425db..9d89bc35 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5180,6 +5203,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5196,6 +5219,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index a92425db..9d89bc35 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index f2f54b51..44772c6d 100644 59index a5a1193d..1fde5a63 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index f2f54b51..44772c6d 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1892,6 +1896,11 @@ main(int ac, char **av) 73@@ -1881,6 +1885,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 17e7126ca..338c7567d 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 0b9c0482cbff9ce16384e4247d955676d4d77df3 Mon Sep 17 00:00:00 2001 1From b1033fed87fd9fa24dccab45f00cadcbc7144c47 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -13,19 +13,18 @@ default.
13 13
14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
15Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 15Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
16Last-Update: 2013-09-14 16Last-Update: 2017-10-04
17 17
18Patch-Name: user-group-modes.patch 18Patch-Name: user-group-modes.patch
19--- 19---
20 auth-rhosts.c | 6 ++---- 20 auth-rhosts.c | 6 ++----
21 auth.c | 9 +++----- 21 auth.c | 3 +--
22 misc.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 22 misc.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
23 misc.h | 2 ++ 23 misc.h | 2 ++
24 platform.c | 16 --------------
25 readconf.c | 3 +-- 24 readconf.c | 3 +--
26 ssh.1 | 2 ++ 25 ssh.1 | 2 ++
27 ssh_config.5 | 2 ++ 26 ssh_config.5 | 2 ++
28 8 files changed, 80 insertions(+), 29 deletions(-) 27 7 files changed, 63 insertions(+), 13 deletions(-)
29 28
30diff --git a/auth-rhosts.c b/auth-rhosts.c 29diff --git a/auth-rhosts.c b/auth-rhosts.c
31index ecf956f0..4dccd5e6 100644 30index ecf956f0..4dccd5e6 100644
@@ -52,10 +51,10 @@ index ecf956f0..4dccd5e6 100644
52 pw->pw_name, buf); 51 pw->pw_name, buf);
53 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
54diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
55index c6390687..90390724 100644 54index 6aec3605..68a1e4a7 100644
56--- a/auth.c 55--- a/auth.c
57+++ b/auth.c 56+++ b/auth.c
58@@ -444,8 +444,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 57@@ -467,8 +467,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
60 if (options.strict_modes && 59 if (options.strict_modes &&
61 (stat(user_hostfile, &st) == 0) && 60 (stat(user_hostfile, &st) == 0) &&
@@ -65,31 +64,11 @@ index c6390687..90390724 100644
65 logit("Authentication refused for %.100s: " 64 logit("Authentication refused for %.100s: "
66 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
68@@ -507,8 +506,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
69 snprintf(err, errlen, "%s is not a regular file", buf);
70 return -1;
71 }
72- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
73- (stp->st_mode & 022) != 0) {
74+ if (!secure_permissions(stp, uid)) {
75 snprintf(err, errlen, "bad ownership or modes for file %s",
76 buf);
77 return -1;
78@@ -523,8 +521,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
79 strlcpy(buf, cp, sizeof(buf));
80
81 if (stat(buf, &st) < 0 ||
82- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
83- (st.st_mode & 022) != 0) {
84+ !secure_permissions(&st, uid)) {
85 snprintf(err, errlen,
86 "bad ownership or modes for directory %s", buf);
87 return -1;
88diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
89index cfd32729..6e972f56 100644 68index 05950a47..40aeeef3 100644
90--- a/misc.c 69--- a/misc.c
91+++ b/misc.c 70+++ b/misc.c
92@@ -51,8 +51,9 @@ 71@@ -57,8 +57,9 @@
93 #include <netdb.h> 72 #include <netdb.h>
94 #ifdef HAVE_PATHS_H 73 #ifdef HAVE_PATHS_H
95 # include <paths.h> 74 # include <paths.h>
@@ -100,34 +79,10 @@ index cfd32729..6e972f56 100644
100 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
101 #include <net/if.h> 80 #include <net/if.h>
102 #endif 81 #endif
103@@ -61,6 +62,7 @@ 82@@ -723,6 +724,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
104 #include "misc.h"
105 #include "log.h"
106 #include "ssh.h"
107+#include "platform.h"
108
109 /* remove newline at end of string */
110 char *
111@@ -713,6 +715,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 83 return -1;
113 } 84 }
114 85
115+/*
116+ * return 1 if the specified uid is a uid that may own a system directory
117+ * otherwise 0.
118+ */
119+int
120+platform_sys_dir_uid(uid_t uid)
121+{
122+ if (uid == 0)
123+ return 1;
124+#ifdef PLATFORM_SYS_DIR_UID
125+ if (uid == PLATFORM_SYS_DIR_UID)
126+ return 1;
127+#endif
128+ return 0;
129+}
130+
131+int 86+int
132+secure_permissions(struct stat *st, uid_t uid) 87+secure_permissions(struct stat *st, uid_t uid)
133+{ 88+{
@@ -180,11 +135,31 @@ index cfd32729..6e972f56 100644
180 int 135 int
181 tun_open(int tun, int mode) 136 tun_open(int tun, int mode)
182 { 137 {
138@@ -1626,8 +1676,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1;
141 }
142- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
143- (stp->st_mode & 022) != 0) {
144+ if (!secure_permissions(stp, uid)) {
145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf);
147 return -1;
148@@ -1642,8 +1691,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf));
150
151 if (stat(buf, &st) < 0 ||
152- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
153- (st.st_mode & 022) != 0) {
154+ !secure_permissions(&st, uid)) {
155 snprintf(err, errlen,
156 "bad ownership or modes for directory %s", buf);
157 return -1;
183diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
184index c242f901..8b223b55 100644 159index 153d1137..d8759ab1 100644
185--- a/misc.h 160--- a/misc.h
186+++ b/misc.h 161+++ b/misc.h
187@@ -143,6 +143,8 @@ char *read_passphrase(const char *, int); 162@@ -163,6 +163,8 @@ char *read_passphrase(const char *, int);
188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 163 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 164 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
190 165
@@ -193,35 +168,11 @@ index c242f901..8b223b55 100644
193 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 168 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
194 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
195 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
196diff --git a/platform.c b/platform.c
197index cd7bf566..380ee3a4 100644
198--- a/platform.c
199+++ b/platform.c
200@@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name)
201 return NULL;
202 #endif
203 }
204-
205-/*
206- * return 1 if the specified uid is a uid that may own a system directory
207- * otherwise 0.
208- */
209-int
210-platform_sys_dir_uid(uid_t uid)
211-{
212- if (uid == 0)
213- return 1;
214-#ifdef PLATFORM_SYS_DIR_UID
215- if (uid == PLATFORM_SYS_DIR_UID)
216- return 1;
217-#endif
218- return 0;
219-}
220diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
221index 0b1370a8..70fac682 100644 172index 45caa095..be3d5873 100644
222--- a/readconf.c 173--- a/readconf.c
223+++ b/readconf.c 174+++ b/readconf.c
224@@ -1773,8 +1773,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1766,8 +1766,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
225 176
226 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
227 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -232,10 +183,10 @@ index 0b1370a8..70fac682 100644
232 } 183 }
233 184
234diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
235index 4011c65a..feef81a5 100644 186index 2ab1697f..3cc94688 100644
236--- a/ssh.1 187--- a/ssh.1
237+++ b/ssh.1 188+++ b/ssh.1
238@@ -1484,6 +1484,8 @@ The file format and configuration options are described in 189@@ -1456,6 +1456,8 @@ The file format and configuration options are described in
239 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
240 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
241 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -245,10 +196,10 @@ index 4011c65a..feef81a5 100644
245 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
246 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
247diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
248index e4eaa5ae..a04e5757 100644 199index d6f43c2d..7810a418 100644
249--- a/ssh_config.5 200--- a/ssh_config.5
250+++ b/ssh_config.5 201+++ b/ssh_config.5
251@@ -1827,6 +1827,8 @@ The format of this file is described above. 202@@ -1786,6 +1786,8 @@ The format of this file is described above.
252 This file is used by the SSH client. 203 This file is used by the SSH client.
253 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
254 read/write for the user, and not accessible by others. 205 read/write for the user, and not accessible by others.
diff --git a/debian/patches/x32-syntax-error.patch b/debian/patches/x32-syntax-error.patch
deleted file mode 100644
index c7b7a0a94..000000000
--- a/debian/patches/x32-syntax-error.patch
+++ /dev/null
@@ -1,28 +0,0 @@
1From 4a6a0dd530022333dccf0e54a4c2827662b14109 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Tue, 21 Mar 2017 08:47:55 +1100
4Subject: Fix syntax error on Linux/X32
5
6Patch from Mike Frysinger
7
8Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
9Last-Update: 2017-04-02
10
11Patch-Name: x32-syntax-error.patch
12---
13 sandbox-seccomp-filter.c | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
15
16diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
17index 08dc3a8b..2831e9d1 100644
18--- a/sandbox-seccomp-filter.c
19+++ b/sandbox-seccomp-filter.c
20@@ -238,7 +238,7 @@ static const struct sock_filter preauth_insns[] = {
21 * x86-64 syscall under some circumstances, e.g.
22 * https://bugs.debian.org/849923
23 */
24- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
25+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
26 #endif
27
28 /* Default deny */