23 files changed, 243 insertions, 306 deletions

diff --git a/debian/changelog b/debian/changelog
index 092837792..174c0c585 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,11 @@
-openssh (1:6.1p1-5) UNRELEASED; urgency=low
-
+openssh (1:6.2p1-1) UNRELEASED; urgency=low
+
+  * New upstream release (http://www.openssh.com/txt/release-6.2).
+    - Add support for multiple required authentication in SSH protocol 2 via
+      an AuthenticationMethods option (closes: #195716).
+    - Fix Sophie Germain formula in moduli(5) (closes: #698612).
+    - Update ssh-copy-id to Phil Hands' greatly revised version (closes:
+      #99785, #322228, #620428; LP: #518883, #835901, #1074798).
   * Use dh-autoreconf.
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 06 May 2013 10:47:33 +0100
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index bc2602306..206967bc9 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
 Author: Colin Watson <cjwatson@debian.org>
 Bug-Debian: http://bugs.debian.org/630606
 Forwarded: no
-Last-Update: 2011-07-28
+Last-Update: 2013-05-07
 
 Index: b/auth-options.c
 ===================================================================
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -211,6 +211,7 @@
+@@ -217,6 +217,7 @@
                 restore_uid();
                 return 0;
         }
@@ -104,7 +104,7 @@ Index: b/auth2-pubkey.c
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 /* Skip leading whitespace. */
                 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -281,6 +282,8 @@
+@@ -278,6 +279,8 @@
         found_key = 0;
         found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
  
@@ -113,7 +113,7 @@ Index: b/auth2-pubkey.c
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 char *cp, *key_options = NULL;
  
-@@ -417,6 +420,7 @@
+@@ -412,6 +415,7 @@
         if (key_cert_check_authority(key, 0, 1,
             principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
                 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6ffc716ee..c6a4b64c6 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
 Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
 Bug-Debian: http://bugs.debian.org/441817
-Last-Update: 2010-03-01
+Last-Update: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -277,6 +277,7 @@
+@@ -286,6 +286,7 @@
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index a952e4405..d67123a1e 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,13 +1,13 @@
 Description: Add support for registering ConsoleKit sessions on login
 Author: Colin Watson <cjwatson@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
-Last-Updated: 2012-10-31
+Last-Updated: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -94,7 +94,8 @@
+@@ -96,7 +96,8 @@
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -21,9 +21,9 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3672,6 +3672,30 @@
-        ]
- )
+@@ -3801,6 +3801,30 @@
+ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
  
 +# Check whether user wants ConsoleKit support
 +CONSOLEKIT_MSG="no"
@@ -52,7 +52,7 @@ Index: b/configure.ac
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -4435,6 +4459,7 @@
+@@ -4600,6 +4624,7 @@
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -735,6 +735,7 @@
+@@ -737,6 +737,7 @@
  with_sandbox
  with_selinux
  with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
  with_privsep_path
  with_xauth
  enable_strip
-@@ -1425,6 +1426,7 @@
+@@ -1427,6 +1428,7 @@
    --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
    --with-selinux          Enable SELinux support
    --with-kerberos5=PATH   Enable Kerberos 5 support
@@ -80,8 +80,8 @@ Index: b/configure
    --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
    --with-xauth=PATH       Specify path to xauth program
    --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -15683,6 +15685,135 @@
- fi
+@@ -16002,6 +16004,135 @@
+ 
  
  
 +# Check whether user wants ConsoleKit support
@@ -216,7 +216,7 @@ Index: b/configure
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -18155,6 +18286,7 @@
+@@ -18527,6 +18658,7 @@
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -522,7 +522,7 @@ Index: b/monitor.c
  static Authctxt *authctxt;
  static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
  
-@@ -283,6 +290,9 @@
+@@ -284,6 +291,9 @@
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
  #endif
@@ -532,7 +532,7 @@ Index: b/monitor.c
      {0, 0, NULL}
  };
  
-@@ -325,6 +335,9 @@
+@@ -326,6 +336,9 @@
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
  #endif
@@ -542,7 +542,7 @@ Index: b/monitor.c
      {0, 0, NULL}
  };
  
-@@ -495,6 +508,9 @@
+@@ -514,6 +527,9 @@
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
         }
@@ -552,7 +552,7 @@ Index: b/monitor.c
  
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2196,6 +2212,34 @@
+@@ -2232,6 +2248,34 @@
         buffer_put_int(m, major);
         buffer_put_string(m, hash.value, hash.length);
  
@@ -591,19 +591,20 @@ Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
 +++ b/monitor.h
-@@ -62,6 +62,7 @@
-        MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
-        MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
-        MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
-+       MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER,
-        MONITOR_REQ_TERM,
-        MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
-        MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
+@@ -75,6 +75,8 @@
+ 
+        MONITOR_REQ_AUTHROLE = 300,
+ 
++       MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401,
++
+ };
+ 
+ struct mm_master;
 Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1310,6 +1310,37 @@
+@@ -1311,6 +1311,37 @@
  mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
  {
         Buffer m;
@@ -666,7 +667,7 @@ Index: b/session.c
  
  #if defined(KRB5) && defined(USE_AFS)
  #include <kafs.h>
-@@ -1129,6 +1130,9 @@
+@@ -1132,6 +1133,9 @@
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
         char *path = NULL;
  #endif
@@ -676,7 +677,7 @@ Index: b/session.c
  
         /* Initialize the environment. */
         envsize = 100;
-@@ -1273,6 +1277,11 @@
+@@ -1276,6 +1280,11 @@
                 child_set_env(&env, &envsize, "KRB5CCNAME",
                     s->authctxt->krb5_ccname);
  #endif
@@ -688,7 +689,7 @@ Index: b/session.c
  #ifdef USE_PAM
         /*
          * Pull in any environment variables that may have
-@@ -2300,6 +2309,10 @@
+@@ -2308,6 +2317,10 @@
  
         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
  
diff --git a/debian/patches/copy-id-restorecon.patch b/debian/patches/copy-id-restorecon.patch
deleted file mode 100644
index d26680c4a..000000000
--- a/debian/patches/copy-id-restorecon.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Description: Call restorecon on copied ~/.ssh/authorized_keys if possible
-Author: Tomas Mraz <tmraz@fedoraproject.org>
-Bug-Debian: http://bugs.debian.org/658675
-Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=739989
-Last-Update: 2012-08-24
-
-Index: b/contrib/ssh-copy-id
-===================================================================
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -41,7 +41,7 @@
- # strip any trailing colon
- host=`echo $1 | sed 's/:$//'`
- 
--{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
-+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
- 
- cat <<EOF
- Now try logging into the machine, with "ssh '$host'", and check in:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 22b1e4c14..d96f2cc59 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
 Author: Kees Cook <kees@debian.org>
 Bug-Debian: http://bugs.debian.org/562048
 Forwarded: not-needed
-Last-Update: 2012-09-07
+Last-Update: 2013-05-07
 
 Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -146,6 +146,7 @@
+@@ -150,6 +150,7 @@
         options->ip_qos_interactive = -1;
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
  }
  
  void
-@@ -295,6 +296,8 @@
+@@ -299,6 +300,8 @@
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->version_addendum == NULL)
                 options->version_addendum = xstrdup("");
@@ -27,23 +27,23 @@ Index: b/servconf.c
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
-@@ -343,6 +346,7 @@
-        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+@@ -349,6 +352,7 @@
         sKexAlgorithms, sIPQoS, sVersionAddendum,
+        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+        sAuthenticationMethods,
 +       sDebianBanner,
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -479,6 +483,7 @@
-        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-        { "ipqos", sIPQoS, SSHCFG_ALL },
+@@ -488,6 +492,7 @@
+        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
         { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
         { NULL, sBadOption, 0 }
  };
  
-@@ -1538,6 +1543,10 @@
+@@ -1593,6 +1598,10 @@
                 }
                 return 0;
  
@@ -58,10 +58,11 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -172,6 +172,7 @@
-        char   *authorized_principals_file;
+@@ -184,6 +184,8 @@
  
-        char   *version_addendum;       /* Appended to SSH banner */
+        u_int   num_auth_methods;
+        char   *auth_methods[MAX_AUTH_METHODS];
++
 +       int     debian_banner;
  }       ServerOptions;
  
@@ -70,7 +71,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -425,7 +425,8 @@
+@@ -434,7 +434,8 @@
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -84,7 +85,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -342,6 +342,11 @@
+@@ -397,6 +397,11 @@
  .Dq no .
  The default is
  .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 57ebbf540..77e807502 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,7 +18,7 @@ Description: Various Debian-specific configuration changes
 Author: Colin Watson <cjwatson@debian.org>
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2013-05-07
 
 Index: b/readconf.c
 ===================================================================
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -499,7 +515,8 @@
+@@ -502,7 +518,8 @@
  Remote clients will be refused access after this time.
  .Pp
  The default is
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index cec6f6639..25201a7d4 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
 Bug-Debian: http://bugs.debian.org/430154
-Last-Update: 2010-03-01
+Last-Update: 2013-05-07
 
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -585,6 +585,9 @@
+@@ -588,6 +588,9 @@
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 786500feb..7690e5824 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
  security history.
 Author: Simon Wilkinson <simon@sxw.org.uk>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2012-09-07
+Last-Updated: 2013-05-07
 
 Index: b/ChangeLog.gssapi
 ===================================================================
@@ -137,15 +137,15 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -70,6 +70,7 @@
+@@ -72,6 +72,7 @@
         atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
         monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +       kexgssc.o \
-        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
-        schnorr.o ssh-pkcs11.o
+        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+        jpake.o schnorr.o ssh-pkcs11.o krl.o
  
-@@ -86,7 +87,7 @@
+@@ -88,7 +89,7 @@
         auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
         auth-krb5.o \
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -280,7 +280,7 @@ Index: b/auth2-gss.c
                 logit("GSSAPI MIC check failed");
  
 @@ -294,6 +330,12 @@
-        userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+        userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
  }
  
 +Authmethod method_gsskeyex = {
@@ -327,7 +327,7 @@ Index: b/clientloop.c
  /* import options */
  extern Options options;
  
-@@ -1544,6 +1548,15 @@
+@@ -1599,6 +1603,15 @@
                 /* Do channel operations unless rekeying in progress. */
                 if (!rekeying) {
                         channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1471,6 +1471,9 @@
+@@ -1511,6 +1511,9 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -357,7 +357,7 @@ Index: b/config.h.in
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-@@ -1486,6 +1489,9 @@
+@@ -1526,6 +1529,9 @@
  /* Use PIPES instead of a socketpair() */
  #undef USE_PIPES
  
@@ -371,7 +371,7 @@ Index: b/configure
 ===================================================================
 --- a/configure
 +++ b/configure
-@@ -6608,6 +6608,63 @@
+@@ -6588,6 +6588,63 @@
  
  $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
  
@@ -439,7 +439,7 @@ Index: b/configure.ac
 ===================================================================
 --- a/configure.ac
 +++ b/configure.ac
-@@ -545,6 +545,30 @@
+@@ -533,6 +533,30 @@
             [Use tunnel device compatibility to OpenBSD])
         AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
             [Prepend the address family to IP tunnel traffic])
@@ -1277,7 +1277,7 @@ Index: b/kex.c
  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
  # if defined(HAVE_EVP_SHA256)
  # define evp_ssh_sha256 EVP_sha256
-@@ -358,6 +362,20 @@
+@@ -369,6 +373,20 @@
                 k->kex_type = KEX_ECDH_SHA2;
                 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
  #endif
@@ -1312,7 +1312,7 @@ Index: b/kex.h
         KEX_MAX
  };
  
-@@ -129,6 +132,12 @@
+@@ -131,6 +134,12 @@
         sig_atomic_t done;
         int     flags;
         const EVP_MD *evp_md;
@@ -1325,7 +1325,7 @@ Index: b/kex.h
         char    *client_version_string;
         char    *server_version_string;
         int     (*verify_host_key)(Key *);
-@@ -156,6 +165,11 @@
+@@ -158,6 +167,11 @@
  void    kexecdh_client(Kex *);
  void    kexecdh_server(Kex *);
  
@@ -2016,7 +2016,7 @@ Index: b/monitor.c
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -251,6 +253,7 @@
+@@ -252,6 +254,7 @@
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2024,7 @@ Index: b/monitor.c
  #endif
  #ifdef JPAKE
      {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -263,6 +266,12 @@
+@@ -264,6 +267,12 @@
  };
  
  struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2037,7 @@ Index: b/monitor.c
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
      {MONITOR_REQ_SIGN, 0, mm_answer_sign},
      {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -371,6 +380,10 @@
+@@ -372,6 +381,10 @@
                 /* Permit requests for moduli and signatures */
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2048,7 +2048,7 @@ Index: b/monitor.c
         } else {
                 mon_dispatch = mon_dispatch_proto15;
  
-@@ -468,6 +481,10 @@
+@@ -487,6 +500,10 @@
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
         } else {
                 mon_dispatch = mon_dispatch_postauth15;
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1800,6 +1817,13 @@
+@@ -1836,6 +1853,13 @@
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
         kex->kex_type = buffer_get_int(m);
-@@ -2006,6 +2030,9 @@
+@@ -2042,6 +2066,9 @@
         OM_uint32 major;
         u_int len;
  
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
  
-@@ -2033,6 +2060,9 @@
+@@ -2069,6 +2096,9 @@
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2050,6 +2080,7 @@
+@@ -2086,6 +2116,7 @@
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
         }
         return (0);
  }
-@@ -2061,6 +2092,9 @@
+@@ -2097,6 +2128,9 @@
         OM_uint32 ret;
         u_int len;
  
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
-@@ -2087,7 +2121,11 @@
+@@ -2123,7 +2157,11 @@
  {
         int authenticated;
  
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -2100,6 +2138,74 @@
+@@ -2136,6 +2174,74 @@
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2203,20 +2203,21 @@ Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
 +++ b/monitor.h
-@@ -53,6 +53,8 @@
-        MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
-        MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
-        MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
-+       MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN,
-+       MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS,
-        MONITOR_REQ_PAM_START,
-        MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
-        MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+@@ -70,6 +70,9 @@
+        MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+        MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+ 
++       MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
++       MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
++
+ };
+ 
+ struct mm_master;
 Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1270,7 +1270,7 @@
+@@ -1271,7 +1271,7 @@
  }
  
  int
@@ -2225,7 +2226,7 @@ Index: b/monitor_wrap.c
  {
         Buffer m;
         int authenticated = 0;
-@@ -1287,6 +1287,51 @@
+@@ -1288,6 +1288,51 @@
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2406,7 +2407,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -100,7 +100,10 @@
+@@ -102,7 +102,10 @@
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
@@ -2417,7 +2418,7 @@ Index: b/servconf.c
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -229,8 +232,14 @@
+@@ -233,8 +236,14 @@
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2432,7 +2433,7 @@ Index: b/servconf.c
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -323,7 +332,9 @@
+@@ -327,7 +336,9 @@
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2444,7 @@ Index: b/servconf.c
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
         sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -387,10 +398,20 @@
+@@ -393,10 +404,20 @@
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2465,7 @@ Index: b/servconf.c
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1031,10 +1052,22 @@
+@@ -1049,10 +1070,22 @@
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2487,7 +2488,7 @@ Index: b/servconf.c
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -1868,7 +1901,10 @@
+@@ -1927,7 +1960,10 @@
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2502,7 +2503,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -103,7 +103,10 @@
+@@ -110,7 +110,10 @@
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2525,7 +2526,7 @@ Index: b/ssh-gss.h
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
-@@ -60,10 +60,22 @@
+@@ -61,10 +61,22 @@
  
  #define SSH_GSS_OIDTYPE 0x06
  
@@ -2548,7 +2549,7 @@ Index: b/ssh-gss.h
         void *data;
  } ssh_gssapi_ccache;
  
-@@ -71,8 +83,11 @@
+@@ -72,8 +84,11 @@
         gss_buffer_desc displayname;
         gss_buffer_desc exportedname;
         gss_cred_id_t creds;
@@ -2560,7 +2561,7 @@ Index: b/ssh-gss.h
  } ssh_gssapi_client;
  
  typedef struct ssh_gssapi_mech_struct {
-@@ -83,6 +98,7 @@
+@@ -84,6 +99,7 @@
         int (*userok) (ssh_gssapi_client *, char *);
         int (*localname) (ssh_gssapi_client *, char **);
         void (*storecreds) (ssh_gssapi_client *);
@@ -2568,7 +2569,7 @@ Index: b/ssh-gss.h
  } ssh_gssapi_mech;
  
  typedef struct {
-@@ -93,10 +109,11 @@
+@@ -94,10 +110,11 @@
         gss_OID         oid; /* client */
         gss_cred_id_t   creds; /* server */
         gss_name_t      client; /* server */
@@ -2581,7 +2582,7 @@ Index: b/ssh-gss.h
  
  int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
  void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -116,16 +133,30 @@
+@@ -117,16 +134,30 @@
  void ssh_gssapi_delete_ctx(Gssctxt **);
  OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
  void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2631,7 +2632,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -527,11 +527,43 @@
+@@ -530,11 +530,43 @@
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2764,7 +2765,7 @@ Index: b/sshconnect2.c
         xxx_kex = kex;
  
         dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -305,6 +361,7 @@
+@@ -306,6 +362,7 @@
  void   input_gssapi_hash(int type, u_int32_t, void *);
  void   input_gssapi_error(int, u_int32_t, void *);
  void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2772,7 +2773,7 @@ Index: b/sshconnect2.c
  #endif
  
  void   userauth(Authctxt *, char *);
-@@ -320,6 +377,11 @@
+@@ -321,6 +378,11 @@
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2784,7 +2785,7 @@ Index: b/sshconnect2.c
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -626,19 +688,31 @@
+@@ -627,19 +689,31 @@
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -2818,7 +2819,7 @@ Index: b/sshconnect2.c
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
-@@ -735,8 +809,8 @@
+@@ -736,8 +810,8 @@
  {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
@@ -2829,7 +2830,7 @@ Index: b/sshconnect2.c
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -846,6 +920,48 @@
+@@ -847,6 +921,48 @@
         xfree(msg);
         xfree(lang);
  }
@@ -2893,7 +2894,7 @@ Index: b/sshd.c
  #ifdef LIBWRAP
  #include <tcpd.h>
  #include <syslog.h>
-@@ -1607,10 +1611,13 @@
+@@ -1645,10 +1649,13 @@
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2907,7 +2908,7 @@ Index: b/sshd.c
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -1938,6 +1945,60 @@
+@@ -1976,6 +1983,60 @@
         /* Log the connection. */
         verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -2968,7 +2969,7 @@ Index: b/sshd.c
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2319,6 +2380,48 @@
+@@ -2357,6 +2418,48 @@
  
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
  
@@ -3017,7 +3018,7 @@ Index: b/sshd.c
         /* start key exchange */
         kex = kex_setup(myproposal);
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2326,6 +2429,13 @@
+@@ -2364,6 +2467,13 @@
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3036,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -77,6 +77,8 @@
+@@ -80,6 +80,8 @@
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
@@ -3048,7 +3049,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -426,12 +426,40 @@
+@@ -481,12 +481,40 @@
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 0937a49e6..028bd62e5 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,7 +12,7 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
 Author: Ian Jackson <ian@chiark.greenend.org.uk>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/readconf.c
 ===================================================================
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
  The argument must be
  .Dq yes
  or
-@@ -1099,8 +1103,15 @@
+@@ -1113,8 +1117,15 @@
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
  .It Cm StrictHostKeyChecking
  If this flag is set to
  .Dq yes ,
-@@ -1139,6 +1150,12 @@
+@@ -1153,6 +1164,12 @@
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1048,6 +1048,9 @@
+@@ -1122,6 +1122,9 @@
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index ae32969ea..8afabfaba 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
  either way and opted to keep the status quo.  We need this patch anyway.
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
-Last-Update: 2010-04-10
+Last-Update: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -284,9 +284,9 @@
+@@ -293,9 +293,9 @@
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
         $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
         -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/max-startups-default.patch b/debian/patches/max-startups-default.patch
deleted file mode 100644
index 87e690bd1..000000000
--- a/debian/patches/max-startups-default.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Description: Change default of MaxStartups to 10:30:100
- This causes sshd to start doing random early drop at 10 connections up to
- 100 connections.  This will make it harder to DoS as CPUs have come a long
- way since the original value was set back in 2000.
-Author: Darren Tucker
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
-Bug-Debian: http://bugs.debian.org/700102
-Forwarded: not-needed
-Last-Update: 2013-02-08
-
-Index: b/servconf.c
-===================================================================
---- a/servconf.c
-+++ b/servconf.c
-@@ -264,11 +264,11 @@
-        if (options->gateway_ports == -1)
-                options->gateway_ports = 0;
-        if (options->max_startups == -1)
--               options->max_startups = 10;
-+               options->max_startups = 100;
-        if (options->max_startups_rate == -1)
--               options->max_startups_rate = 100;               /* 100% */
-+               options->max_startups_rate = 30;                /* 30% */
-        if (options->max_startups_begin == -1)
--               options->max_startups_begin = options->max_startups;
-+               options->max_startups_begin = 10;
-        if (options->max_authtries == -1)
-                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
-        if (options->max_sessions == -1)
-Index: b/sshd_config
-===================================================================
---- a/sshd_config
-+++ b/sshd_config
-@@ -108,7 +108,7 @@
- #ClientAliveCountMax 3
- #UseDNS yes
- #PidFile /var/run/sshd.pid
--#MaxStartups 10
-+#MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
-Index: b/sshd_config.5
-===================================================================
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -781,7 +781,7 @@
- Additional connections will be dropped until authentication succeeds or the
- .Cm LoginGraceTime
- expires for a connection.
--The default is 10.
-+The default is 10:30:100.
- .Pp
- Alternatively, random early drop can be enabled by specifying
- the three colon separated values
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 42b32638c..fa7c725b4 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
 Author: Scott Moser <smoser@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
-Last-Update: 2010-12-14
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -956,9 +956,12 @@
+@@ -975,9 +975,12 @@
                         error("%s. This could either mean that", key_msg);
                         error("DNS SPOOFING is happening or the IP address for the host");
                         error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
                 }
                 /* The host key has changed. */
                 warn_changed_key(host_key);
-@@ -966,6 +969,8 @@
+@@ -985,6 +988,8 @@
                     user_hostfiles[0]);
                 error("Offending %s key in %s:%lu", key_type(host_found->key),
                     host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index fe8ebe757..48c3ff598 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
   https://bugs.launchpad.net/bugs/456660 (ssl(8))
 Author: Colin Watson <cjwatson@debian.org>
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2013-05-07
 
 Index: b/moduli.5
 ===================================================================
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -152,9 +152,7 @@
+@@ -171,9 +171,7 @@
  .Pa ~/.ssh/id_dsa
  or
  .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
  .Pp
  Normally this program generates the key and asks for a file in which
  to store the private key.
-@@ -200,9 +198,7 @@
+@@ -219,9 +217,7 @@
  For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
  do not exist, generate the host keys with the default key file path,
  an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
  .It Fl a Ar trials
  Specifies the number of primality tests to perform when screening DH-GEX
  candidates using the
-@@ -556,7 +552,7 @@
+@@ -606,7 +602,7 @@
  Valid generator values are 2, 3, and 5.
  .Pp
  Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
  It is important that this file contains moduli of a range of bit lengths and
  that both ends of a connection share common moduli.
  .Sh CERTIFICATES
-@@ -682,7 +678,7 @@
+@@ -801,7 +797,7 @@
  where the user wishes to log in using public key authentication.
  There is no need to keep the contents of this file secret.
  .Pp
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -224,8 +224,7 @@
+@@ -276,8 +276,7 @@
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b396cb116..c337ad671 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,26 +5,30 @@ Description: Include the Debian version in our identification
  vulnerable-looking version strings.  (However, see debian-banner.patch.)
 Author: Matthew Vernon <matthew@debian.org>
 Forwarded: not-needed
-Last-Update: 2012-09-07
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -556,7 +556,7 @@
-        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
-            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-            compat20 ? PROTOCOL_MINOR_2 : minor1,
--           SSH_VERSION, compat20 ? "\r\n" : "\n");
-+           SSH_RELEASE, compat20 ? "\r\n" : "\n");
-        if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
-            != strlen(buf))
-                fatal("write: %.100s", strerror(errno));
+@@ -435,10 +435,10 @@
+        /* Send our own protocol version identification. */
+        if (compat20) {
+                xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+        } else {
+                xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+-                   PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
++                   PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
+        }
+        if (roaming_atomicio(vwrite, connection_out, client_version_string,
+            strlen(client_version_string)) != strlen(client_version_string))
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -425,7 +425,7 @@
+@@ -434,7 +434,7 @@
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -38,7 +42,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.1"
+ #define SSH_VERSION    "OpenSSH_6.2"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index e436fe59e..f25ff89d0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
 Bug-Debian: http://bugs.debian.org/313371
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1655,8 +1655,10 @@
+@@ -1710,8 +1710,10 @@
                 exit_status = 0;
         }
  
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 80fe3247b..f2f8fcd21 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
 Author: Manoj Srivastava <srivasta@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/auth.h
 ===================================================================
@@ -23,7 +23,7 @@ Index: b/auth1.c
 ===================================================================
 --- a/auth1.c
 +++ b/auth1.c
-@@ -383,7 +383,7 @@
+@@ -385,7 +385,7 @@
  do_authentication(Authctxt *authctxt)
  {
         u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
  
         /* Get the name of the user that we wish to log in as. */
         packet_read_expect(SSH_CMSG_USER);
-@@ -392,11 +392,17 @@
+@@ -394,11 +394,17 @@
         user = packet_get_cstring(&ulen);
         packet_check_eom();
  
@@ -54,7 +54,7 @@ Index: b/auth2.c
 ===================================================================
 --- a/auth2.c
 +++ b/auth2.c
-@@ -217,7 +217,7 @@
+@@ -219,7 +219,7 @@
  {
         Authctxt *authctxt = ctxt;
         Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
         int authenticated = 0;
  
         if (authctxt == NULL)
-@@ -229,8 +229,13 @@
+@@ -231,8 +231,13 @@
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -77,7 +77,7 @@ Index: b/auth2.c
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -254,8 +259,9 @@
+@@ -256,8 +261,9 @@
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -86,8 +86,8 @@ Index: b/auth2.c
 -                       mm_inform_authserv(service, style);
 +                       mm_inform_authserv(service, style, role);
                 userauth_banner();
-        } else if (strcmp(user, authctxt->user) != 0 ||
-            strcmp(service, authctxt->service) != 0) {
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        packet_disconnect("no authentication methods enabled");
 Index: b/monitor.c
 ===================================================================
 --- a/monitor.c
@@ -100,7 +100,7 @@ Index: b/monitor.c
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -225,6 +226,7 @@
+@@ -226,6 +227,7 @@
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -808,6 +810,7 @@
+@@ -837,6 +839,7 @@
         else {
                 /* Allow service/style information on the auth context */
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
         }
  #ifdef USE_PAM
-@@ -840,14 +843,37 @@
+@@ -869,14 +872,37 @@
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
         return (0);
  }
  
-@@ -1435,7 +1461,7 @@
+@@ -1471,7 +1497,7 @@
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -169,15 +169,15 @@ Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
 +++ b/monitor.h
-@@ -30,7 +30,7 @@
- 
- enum monitor_reqtype {
-        MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
--       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
-+       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
-        MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
-        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
-        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+@@ -73,6 +73,8 @@
+        MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
+        MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
+ 
++       MONITOR_REQ_AUTHROLE = 300,
++
+ };
+ 
+ struct mm_master;
 Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
@@ -369,12 +369,12 @@ Index: b/platform.h
 +void platform_setusercontext_post_groups(struct passwd *, const char *);
  char *platform_get_krb5_client(const char *);
  char *platform_krb5_get_principal_name(const char *);
- 
+ int platform_sys_dir_uid(uid_t);
 Index: b/session.c
 ===================================================================
 --- a/session.c
 +++ b/session.c
-@@ -1471,7 +1471,7 @@
+@@ -1474,7 +1474,7 @@
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -383,7 +383,7 @@ Index: b/session.c
  {
         char *chroot_path, *tmp;
  
-@@ -1499,7 +1499,7 @@
+@@ -1502,7 +1502,7 @@
                 endgrent();
  #endif
  
@@ -392,7 +392,7 @@ Index: b/session.c
  
                 if (options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1625,7 +1625,7 @@
+@@ -1633,7 +1633,7 @@
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
                 child_close_fds();
                 do_pwchange(s);
                 exit(1);
-@@ -1652,7 +1652,7 @@
+@@ -1660,7 +1660,7 @@
                 /* When PAM is enabled we rely on it to do the nologin check */
                 if (!options.use_pam)
                         do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
                 /*
                  * PAM session modules in do_setusercontext may have
                  * generated messages, so if this in an interactive
-@@ -2064,7 +2064,7 @@
+@@ -2072,7 +2072,7 @@
         tty_parse_modes(s->ttyfd, &n_bytes);
  
         if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -736,7 +736,7 @@
+@@ -745,7 +745,7 @@
         RAND_seed(rnd, sizeof(rnd));
  
         /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index efb2c5432..6f2da2944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 
 # SELinux
 selinux-role.patch
-copy-id-restorecon.patch
 
 # Key blacklisting
 ssh-vulnkey.patch
@@ -27,7 +26,6 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
-max-startups-default.patch
 
 # Versioning
 package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 8c549128b..4c4532e99 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
 Bug-Debian: http://bugs.debian.org/492728
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1273,7 +1273,7 @@
+@@ -1292,7 +1292,7 @@
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3cc1272ec..6f4a3cd9a 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
  manual page from ssh(1).
 Bug-Debian: http://bugs.debian.org/111341
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2013-05-07
 
 Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1425,6 +1425,7 @@
+@@ -1433,6 +1433,7 @@
  .Xr sftp 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c13cb3412..b7531cce0 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
  See CVE-2008-0166.
 Author: Colin Watson <cjwatson@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
@@ -22,24 +22,26 @@ Index: b/Makefile.in
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -38,6 +39,7 @@
+@@ -37,7 +38,8 @@
+        -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
         -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
         -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-        -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
-+       -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \
+-       -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
++       -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
++       -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
  
  CC=@CC@
  LD=@LD@
-@@ -59,7 +61,7 @@
+@@ -61,7 +63,7 @@
  EXEEXT=@EXEEXT@
  MANFMT=@MANFMT@
  
 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
  
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
-        canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -94,8 +96,8 @@
+ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+        canohost.o channels.o cipher.o cipher-aes.o \
+@@ -96,8 +98,8 @@
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
         sandbox-seccomp-filter.o
  
@@ -50,7 +52,7 @@ Index: b/Makefile.in
  MANTYPE                = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -172,6 +174,9 @@
+@@ -174,6 +176,9 @@
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
         $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
  
@@ -60,7 +62,7 @@ Index: b/Makefile.in
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
         $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -260,6 +265,7 @@
+@@ -269,6 +274,7 @@
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -68,7 +70,7 @@ Index: b/Makefile.in
         $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
         $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
         $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -274,6 +280,7 @@
+@@ -283,6 +289,7 @@
         $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
         $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
         $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -76,7 +78,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/slogin
         ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -355,6 +362,7 @@
+@@ -364,6 +371,7 @@
         -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
         -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -84,7 +86,7 @@ Index: b/Makefile.in
         -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
         -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -367,6 +375,7 @@
+@@ -376,6 +384,7 @@
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -130,7 +132,7 @@ Index: b/auth.c
  #include "auth.h"
  #include "auth-options.h"
  #include "canohost.h"
-@@ -608,10 +609,34 @@
+@@ -635,10 +636,34 @@
  
  /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
  int
@@ -165,12 +167,12 @@ Index: b/auth.c
 +
         if (options.revoked_keys_file == NULL)
                 return 0;
- 
+        switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
 Index: b/auth.h
 ===================================================================
 --- a/auth.h
 +++ b/auth.h
-@@ -174,7 +174,7 @@
+@@ -185,7 +185,7 @@
  
  FILE   *auth_openkeyfile(const char *, struct passwd *, int);
  FILE   *auth_openprincipals(const char *, struct passwd *, int);
@@ -196,7 +198,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -440,9 +440,10 @@
+@@ -608,9 +608,10 @@
         u_int success, i;
         char *file;
  
@@ -462,7 +464,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -107,6 +107,7 @@
+@@ -109,6 +109,7 @@
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -470,7 +472,7 @@ Index: b/servconf.c
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
         options->use_login = -1;
-@@ -246,6 +247,8 @@
+@@ -250,6 +251,8 @@
                 options->kbd_interactive_authentication = 0;
         if (options->challenge_response_authentication == -1)
                 options->challenge_response_authentication = 1;
@@ -479,7 +481,7 @@ Index: b/servconf.c
         if (options->permit_empty_passwd == -1)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1)
-@@ -323,7 +326,7 @@
+@@ -327,7 +330,7 @@
         sListenAddress, sAddressFamily,
         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +490,7 @@ Index: b/servconf.c
         sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
         sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -433,6 +436,7 @@
+@@ -439,6 +442,7 @@
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +498,7 @@ Index: b/servconf.c
         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
         { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1116,6 +1120,10 @@
+@@ -1134,6 +1138,10 @@
                 intptr = &options->tcp_keep_alive;
                 goto parse_flag;
  
@@ -507,7 +509,7 @@ Index: b/servconf.c
         case sEmptyPasswd:
                 intptr = &options->permit_empty_passwd;
                 goto parse_flag;
-@@ -1921,6 +1929,7 @@
+@@ -1980,6 +1988,7 @@
         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
         dump_cfg_fmtint(sStrictModes, o->strict_modes);
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -519,7 +521,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -113,6 +113,7 @@
+@@ -120,6 +120,7 @@
         int     challenge_response_authentication;
         int     zero_knowledge_password_authentication;
                                         /* If true, permit jpake auth */
@@ -554,7 +556,7 @@ Index: b/ssh-add.c
 ===================================================================
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -142,7 +142,7 @@
+@@ -167,7 +167,7 @@
  add_file(AuthenticationConnection *ac, const char *filename, int key_only)
  {
         Key *private, *cert;
@@ -563,7 +565,7 @@ Index: b/ssh-add.c
         char msg[1024], *certpath = NULL;
         int fd, perms_ok, ret = -1;
         Buffer keyblob;
-@@ -218,6 +218,14 @@
+@@ -243,6 +243,14 @@
         } else {
                 fprintf(stderr, "Could not add identity: %s\n", filename);
         }
@@ -582,7 +584,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -691,6 +691,7 @@
+@@ -810,6 +810,7 @@
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
@@ -1233,7 +1235,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1421,6 +1421,7 @@
+@@ -1429,6 +1429,7 @@
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1281,7 +1283,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1187,6 +1187,23 @@
+@@ -1201,6 +1201,23 @@
  .Dq any .
  The default is
  .Dq any:any .
@@ -1309,24 +1311,24 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1489,6 +1489,8 @@
+@@ -1491,6 +1491,8 @@
  
-        /* list of keys stored in the filesystem */
+        /* list of keys stored in the filesystem and PKCS#11 */
         for (i = 0; i < options.num_identity_files; i++) {
 +               if (options.identity_files[i] == NULL)
 +                       continue;
                 key = options.identity_keys[i];
                 if (key && key->type == KEY_RSA1)
                         continue;
-@@ -1582,7 +1584,7 @@
+@@ -1609,7 +1611,7 @@
                         debug("Offering %s public key: %s", key_type(id->key),
                             id->filename);
                         sent = send_pubkey_test(authctxt, id);
 -               } else if (id->key == NULL) {
 +               } else if (id->key == NULL && id->filename) {
                         debug("Trying private key: %s", id->filename);
-                        id->key = load_identity_file(id->filename);
-                        if (id->key != NULL) {
+                        id->key = load_identity_file(id->filename,
+                            id->userprovided);
 Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
@@ -1343,7 +1345,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1593,6 +1593,11 @@
+@@ -1631,6 +1631,11 @@
                         sensitive_data.host_keys[i] = NULL;
                         continue;
                 }
@@ -1359,7 +1361,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -803,6 +803,20 @@
+@@ -870,6 +870,20 @@
  Specifies whether password authentication is allowed.
  The default is
  .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index b71ff9df9..87211e8a3 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,7 +1,7 @@
 Description: Partial server keep-alive implementation for SSH1
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/clientloop.c
 ===================================================================
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1088,7 +1088,10 @@
+@@ -1102,7 +1102,10 @@
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 1368ccb3c..ddedbf79a 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/readconf.c
 ===================================================================
@@ -38,7 +38,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1312,6 +1312,8 @@
+@@ -1320,6 +1320,8 @@
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1342,6 +1342,8 @@
+@@ -1356,6 +1356,8 @@
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -381,8 +381,7 @@
+@@ -386,8 +386,7 @@
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -74,21 +74,21 @@ Index: b/auth.c
                         logit("Authentication refused for %.100s: "
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
-@@ -443,8 +442,7 @@
- 
-        /* check the open file to avoid races */
-        if (fstat(fileno(f), &st) < 0 ||
--           (st.st_uid != 0 && st.st_uid != uid) ||
--           (st.st_mode & 022) != 0) {
-+           !secure_permissions(&st, uid)) {
+@@ -449,8 +448,7 @@
+                snprintf(err, errlen, "%s is not a regular file", buf);
+                return -1;
+        }
+-       if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
+-           (stp->st_mode & 022) != 0) {
++       if (!secure_permissions(stp, uid)) {
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -459,8 +457,7 @@
+@@ -465,8 +463,7 @@
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||
--                   (st.st_uid != 0 && st.st_uid != uid) ||
+-                   (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
 -                   (st.st_mode & 022) != 0) {
 +                   !secure_permissions(&st, uid)) {
                         snprintf(err, errlen,
@@ -115,7 +115,7 @@ Index: b/misc.c
  int
 +secure_permissions(struct stat *st, uid_t uid)
 +{
-+       if (st->st_uid != 0 && st->st_uid != uid)
++       if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
 +               return 0;
 +       if ((st->st_mode & 002) != 0)
 +               return 0;