Diffstat (limited to 'debian')
-rw-r--r--debian/changelog32
-rw-r--r--debian/patches/debian-banner.patch18
-rw-r--r--debian/patches/debian-config.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/gssapi-autoconf.patch4
-rw-r--r--debian/patches/gssapi-compat.patch2
-rw-r--r--debian/patches/gssapi-dump.patch2
-rw-r--r--debian/patches/gssapi.patch44
-rw-r--r--debian/patches/keepalive-extensions.patch16
-rw-r--r--debian/patches/openbsd-docs.patch12
-rw-r--r--debian/patches/package-versioning.patch2
-rw-r--r--debian/patches/quieter-signals.patch2
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/series2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-copy-id-trailing-colons.patch25
-rw-r--r--debian/patches/ssh-sigchld.patch55
-rw-r--r--debian/patches/ssh-vulnkey.patch80
-rw-r--r--debian/patches/ssh1-keepalive.patch33
-rw-r--r--debian/patches/syslog-level-silent.patch2
-rw-r--r--debian/patches/user-group-modes.patch16
-rw-r--r--debian/source.lintian-overrides2
22 files changed, 211 insertions, 152 deletions
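diff --git a/debian/changelog b/debian/changelog
index 0697fd5ad..b499cde66 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,35 @@
+openssh (1:5.6p1-3) UNRELEASED; urgency=low
+
+ * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no
+ longer issues.
+ * Merge 1:5.5p1-6.
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 02 Nov 2010 23:00:07 +0000
+
+openssh (1:5.6p1-2) experimental; urgency=low
+
+ * Backport upstream patch to install a SIGCHLD handler to reap expired ssh
+ child processes, preventing lots of zombies when using ControlPersist
+ (closes: #594687).
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 26 Oct 2010 14:46:40 +0100
+
+openssh (1:5.6p1-1) experimental; urgency=low
+
+ * New upstream release (http://www.openssh.com/txt/release-5.6):
+ - Added a ControlPersist option to ssh_config(5) that automatically
+ starts a background ssh(1) multiplex master when connecting. This
+ connection can stay alive indefinitely, or can be set to automatically
+ close after a user-specified duration of inactivity (closes: #335697,
+ #350898, #454787, #500573, #550262).
+ - Support AuthorizedKeysFile, AuthorizedPrincipalsFile,
+ HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5)
+ Match blocks (closes: #549858).
+ - sftp(1): fix ls in working directories that contain globbing
+ characters in their pathnames (LP: #530714).
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 24 Aug 2010 00:37:54 +0100
+
 openssh (1:5.5p1-6) unstable; urgency=low
 
  * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,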
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index e608bd20d..b0761420e 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,15 +10,15 @@ Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -135,6 +135,7 @@ 13@@ -136,6 +136,7 @@
14 options->zero_knowledge_password_authentication = -1;
15 options->revoked_keys_file = NULL; 14 options->revoked_keys_file = NULL;
16 options->trusted_user_ca_keys = NULL; 15 options->trusted_user_ca_keys = NULL;
16 options->authorized_principals_file = NULL;
17+ options->debian_banner = -1; 17+ options->debian_banner = -1;
18 } 18 }
19 19
20 void 20 void
21@@ -277,6 +278,8 @@ 21@@ -278,6 +279,8 @@
22 options->permit_tun = SSH_TUNMODE_NO; 22 options->permit_tun = SSH_TUNMODE_NO;
23 if (options->zero_knowledge_password_authentication == -1) 23 if (options->zero_knowledge_password_authentication == -1)
24 options->zero_knowledge_password_authentication = 0; 24 options->zero_knowledge_password_authentication = 0;
@@ -27,23 +27,23 @@ Index: b/servconf.c
27 27
28 /* Turn privilege separation on by default */ 28 /* Turn privilege separation on by default */
29 if (use_privsep == -1) 29 if (use_privsep == -1)
30@@ -325,6 +328,7 @@ 30@@ -326,6 +329,7 @@
31 sUsePrivilegeSeparation, sAllowAgentForwarding, 31 sUsePrivilegeSeparation, sAllowAgentForwarding,
32 sZeroKnowledgePasswordAuthentication, sHostCertificate, 32 sZeroKnowledgePasswordAuthentication, sHostCertificate,
33 sRevokedKeys, sTrustedUserCAKeys, 33 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -457,6 +461,7 @@ 38@@ -459,6 +463,7 @@
39 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
40 { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, 39 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
41 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, 40 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
41 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1386,6 +1391,10 @@ 46@@ -1392,6 +1397,10 @@
47 charptr = &options->revoked_keys_file; 47 charptr = &options->revoked_keys_file;
48 goto parse_filename; 48 goto parse_filename;
49 49
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85=================================================================== 85===================================================================
86--- a/sshd_config.5 86--- a/sshd_config.5
87+++ b/sshd_config.5 87+++ b/sshd_config.5
88@@ -295,6 +295,11 @@ 88@@ -340,6 +340,11 @@
89 .Dq no . 89 .Dq no .
90 The default is 90 The default is
91 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ac77919e6..2fe365639 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,15 +24,15 @@ Index: b/readconf.c
24=================================================================== 24===================================================================
25--- a/readconf.c 25--- a/readconf.c
26+++ b/readconf.c 26+++ b/readconf.c
27@@ -1132,7 +1132,7 @@ 27@@ -1179,7 +1179,7 @@
28 if (options->forward_x11 == -1) 28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 30 if (options->forward_x11_trusted == -1)
31- options->forward_x11_trusted = 0; 31- options->forward_x11_trusted = 0;
32+ options->forward_x11_trusted = 1; 32+ options->forward_x11_trusted = 1;
33 if (options->forward_x11_timeout == -1)
34 options->forward_x11_timeout = 1200;
33 if (options->exit_on_forward_failure == -1) 35 if (options->exit_on_forward_failure == -1)
34 options->exit_on_forward_failure = 0;
35 if (options->xauth_location == NULL)
36Index: b/ssh_config 36Index: b/ssh_config
37=================================================================== 37===================================================================
38--- a/ssh_config 38--- a/ssh_config
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -452,7 +468,8 @@ 87@@ -483,7 +499,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
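Review bot: The refreshed readconf.c context now places upstream's new `options->forward_x11_timeout = 1200;` default directly under Debian's `options->forward_x11_trusted = 1;`, and nothing visible in this section records how the two interact. Upstream documents ForwardX11Timeout as a limit on untrusted X11 forwarding, so with the Debian trusted default the new timeout presumably never applies unless a user sets ForwardX11Trusted to no. I would say so in the patch description and in the ssh_config.5 text this patch already edits, for example `ForwardX11Timeout has no effect while ForwardX11Trusted is yes (the Debian default)`. The enclosing function in readconf.c starts and ends outside the hunk.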
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 4c555799f..fb522013c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -8,7 +8,7 @@ Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -531,6 +531,9 @@ 11@@ -562,6 +562,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 3ea221834..d88382dcb 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
7=================================================================== 7===================================================================
8--- a/config.h.in 8--- a/config.h.in
9+++ b/config.h.in 9+++ b/config.h.in
10@@ -1384,6 +1384,9 @@ 10@@ -1387,6 +1387,9 @@
11 /* Use btmp to log bad logins */ 11 /* Use btmp to log bad logins */
12 #undef USE_BTMP 12 #undef USE_BTMP
13 13
@@ -17,7 +17,7 @@ Index: b/config.h.in
17 /* Use libedit for sftp */ 17 /* Use libedit for sftp */
18 #undef USE_LIBEDIT 18 #undef USE_LIBEDIT
19 19
20@@ -1396,6 +1399,9 @@ 20@@ -1399,6 +1402,9 @@
21 /* Use PIPES instead of a socketpair() */ 21 /* Use PIPES instead of a socketpair() */
22 #undef USE_PIPES 22 #undef USE_PIPES
23 23
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
index 369a23360..b93134933 100644
--- a/debian/patches/gssapi-compat.patch
+++ b/debian/patches/gssapi-compat.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -380,16 +380,20 @@ 13@@ -381,16 +381,20 @@
14 #ifdef GSSAPI 14 #ifdef GSSAPI
15 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 15 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
16 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 16 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
index 6e09df484..0969c59b4 100644
--- a/debian/patches/gssapi-dump.patch
+++ b/debian/patches/gssapi-dump.patch
@@ -11,7 +11,7 @@ Index: b/servconf.c
11=================================================================== 11===================================================================
12--- a/servconf.c 12--- a/servconf.c
13+++ b/servconf.c 13+++ b/servconf.c
14@@ -1677,7 +1677,10 @@ 14@@ -1688,7 +1688,10 @@
15 #endif 15 #endif
16 #ifdef GSSAPI 16 #ifdef GSSAPI
17 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 17 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index e39239fbd..778c23023 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -364,7 +364,7 @@ Index: b/clientloop.c
364 /* import options */ 364 /* import options */
365 extern Options options; 365 extern Options options;
366 366
367@@ -1431,6 +1435,15 @@ 367@@ -1483,6 +1487,15 @@
368 /* Do channel operations unless rekeying in progress. */ 368 /* Do channel operations unless rekeying in progress. */
369 if (!rekeying) { 369 if (!rekeying) {
370 channel_after_select(readset, writeset); 370 channel_after_select(readset, writeset);
@@ -1918,9 +1918,9 @@ Index: b/key.c
1918=================================================================== 1918===================================================================
1919--- a/key.c 1919--- a/key.c
1920+++ b/key.c 1920+++ b/key.c
1921@@ -982,6 +982,8 @@ 1921@@ -1020,6 +1020,8 @@
1922 return KEY_RSA_CERT; 1922 return KEY_RSA_CERT;
1923 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { 1923 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
1924 return KEY_DSA_CERT; 1924 return KEY_DSA_CERT;
1925+ } else if (strcmp(name, "null") == 0) { 1925+ } else if (strcmp(name, "null") == 0) {
1926+ return KEY_NULL; 1926+ return KEY_NULL;
@@ -1931,10 +1931,10 @@ Index: b/key.h
1931=================================================================== 1931===================================================================
1932--- a/key.h 1932--- a/key.h
1933+++ b/key.h 1933+++ b/key.h
1934@@ -37,6 +37,7 @@ 1934@@ -39,6 +39,7 @@
1935 KEY_DSA,
1936 KEY_RSA_CERT,
1937 KEY_DSA_CERT, 1935 KEY_DSA_CERT,
1936 KEY_RSA_CERT_V00,
1937 KEY_DSA_CERT_V00,
1938+ KEY_NULL, 1938+ KEY_NULL,
1939 KEY_UNSPEC 1939 KEY_UNSPEC
1940 }; 1940 };
@@ -2239,9 +2239,9 @@ Index: b/readconf.c
2239 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2239 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
2240+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, 2240+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
2241 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2241 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2242 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 2242 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2243 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 2243 oHashKnownHosts,
2244@@ -164,10 +165,18 @@ 2244@@ -166,10 +167,18 @@
2245 { "afstokenpassing", oUnsupported }, 2245 { "afstokenpassing", oUnsupported },
2246 #if defined(GSSAPI) 2246 #if defined(GSSAPI)
2247 { "gssapiauthentication", oGssAuthentication }, 2247 { "gssapiauthentication", oGssAuthentication },
@@ -2260,7 +2260,7 @@ Index: b/readconf.c
2260 #endif 2260 #endif
2261 { "fallbacktorsh", oDeprecated }, 2261 { "fallbacktorsh", oDeprecated },
2262 { "usersh", oDeprecated }, 2262 { "usersh", oDeprecated },
2263@@ -456,10 +465,26 @@ 2263@@ -474,10 +483,26 @@
2264 intptr = &options->gss_authentication; 2264 intptr = &options->gss_authentication;
2265 goto parse_flag; 2265 goto parse_flag;
2266 2266
@@ -2287,7 +2287,7 @@ Index: b/readconf.c
2287 case oBatchMode: 2287 case oBatchMode:
2288 intptr = &options->batch_mode; 2288 intptr = &options->batch_mode;
2289 goto parse_flag; 2289 goto parse_flag;
2290@@ -1015,7 +1040,11 @@ 2290@@ -1058,7 +1083,11 @@
2291 options->pubkey_authentication = -1; 2291 options->pubkey_authentication = -1;
2292 options->challenge_response_authentication = -1; 2292 options->challenge_response_authentication = -1;
2293 options->gss_authentication = -1; 2293 options->gss_authentication = -1;
@@ -2299,7 +2299,7 @@ Index: b/readconf.c
2299 options->password_authentication = -1; 2299 options->password_authentication = -1;
2300 options->kbd_interactive_authentication = -1; 2300 options->kbd_interactive_authentication = -1;
2301 options->kbd_interactive_devices = NULL; 2301 options->kbd_interactive_devices = NULL;
2302@@ -1107,8 +1136,14 @@ 2302@@ -1156,8 +1185,14 @@
2303 options->challenge_response_authentication = 1; 2303 options->challenge_response_authentication = 1;
2304 if (options->gss_authentication == -1) 2304 if (options->gss_authentication == -1)
2305 options->gss_authentication = 0; 2305 options->gss_authentication = 0;
@@ -2318,7 +2318,7 @@ Index: b/readconf.h
2318=================================================================== 2318===================================================================
2319--- a/readconf.h 2319--- a/readconf.h
2320+++ b/readconf.h 2320+++ b/readconf.h
2321@@ -44,7 +44,11 @@ 2321@@ -46,7 +46,11 @@
2322 int challenge_response_authentication; 2322 int challenge_response_authentication;
2323 /* Try S/Key or TIS, authentication. */ 2323 /* Try S/Key or TIS, authentication. */
2324 int gss_authentication; /* Try GSS authentication */ 2324 int gss_authentication; /* Try GSS authentication */
@@ -2345,7 +2345,7 @@ Index: b/servconf.c
2345 options->password_authentication = -1; 2345 options->password_authentication = -1;
2346 options->kbd_interactive_authentication = -1; 2346 options->kbd_interactive_authentication = -1;
2347 options->challenge_response_authentication = -1; 2347 options->challenge_response_authentication = -1;
2348@@ -214,8 +217,14 @@ 2348@@ -215,8 +218,14 @@
2349 options->kerberos_get_afs_token = 0; 2349 options->kerberos_get_afs_token = 0;
2350 if (options->gss_authentication == -1) 2350 if (options->gss_authentication == -1)
2351 options->gss_authentication = 0; 2351 options->gss_authentication = 0;
@@ -2360,7 +2360,7 @@ Index: b/servconf.c
2360 if (options->password_authentication == -1) 2360 if (options->password_authentication == -1)
2361 options->password_authentication = 1; 2361 options->password_authentication = 1;
2362 if (options->kbd_interactive_authentication == -1) 2362 if (options->kbd_interactive_authentication == -1)
2363@@ -306,7 +315,9 @@ 2363@@ -307,7 +316,9 @@
2364 sBanner, sUseDNS, sHostbasedAuthentication, 2364 sBanner, sUseDNS, sHostbasedAuthentication,
2365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2366 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 2366 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,7 +2371,7 @@ Index: b/servconf.c
2371 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2371 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2372 sUsePrivilegeSeparation, sAllowAgentForwarding, 2372 sUsePrivilegeSeparation, sAllowAgentForwarding,
2373 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2373 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2374@@ -369,9 +380,15 @@ 2374@@ -370,9 +381,15 @@
2375 #ifdef GSSAPI 2375 #ifdef GSSAPI
2376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2387,7 +2387,7 @@ Index: b/servconf.c
2387 #endif 2387 #endif
2388 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2388 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2389 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2389 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2390@@ -924,10 +941,22 @@ 2390@@ -926,10 +943,22 @@
2391 intptr = &options->gss_authentication; 2391 intptr = &options->gss_authentication;
2392 goto parse_flag; 2392 goto parse_flag;
2393 2393
@@ -2543,7 +2543,7 @@ Index: b/ssh_config.5
2543=================================================================== 2543===================================================================
2544--- a/ssh_config.5 2544--- a/ssh_config.5
2545+++ b/ssh_config.5 2545+++ b/ssh_config.5
2546@@ -478,11 +478,38 @@ 2546@@ -509,11 +509,38 @@
2547 The default is 2547 The default is
2548 .Dq no . 2548 .Dq no .
2549 Note that this option applies to protocol version 2 only. 2549 Note that this option applies to protocol version 2 only.
@@ -2794,7 +2794,7 @@ Index: b/sshd.c
2794 #ifdef LIBWRAP 2794 #ifdef LIBWRAP
2795 #include <tcpd.h> 2795 #include <tcpd.h>
2796 #include <syslog.h> 2796 #include <syslog.h>
2797@@ -1577,10 +1581,13 @@ 2797@@ -1586,10 +1590,13 @@
2798 logit("Disabling protocol version 1. Could not load host key"); 2798 logit("Disabling protocol version 1. Could not load host key");
2799 options.protocol &= ~SSH_PROTO_1; 2799 options.protocol &= ~SSH_PROTO_1;
2800 } 2800 }
@@ -2808,7 +2808,7 @@ Index: b/sshd.c
2808 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2808 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2809 logit("sshd: no hostkeys available -- exiting."); 2809 logit("sshd: no hostkeys available -- exiting.");
2810 exit(1); 2810 exit(1);
2811@@ -1909,6 +1916,60 @@ 2811@@ -1918,6 +1925,60 @@
2812 /* Log the connection. */ 2812 /* Log the connection. */
2813 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2813 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2814 2814
@@ -2869,7 +2869,7 @@ Index: b/sshd.c
2869 /* 2869 /*
2870 * We don't want to listen forever unless the other side 2870 * We don't want to listen forever unless the other side
2871 * successfully authenticates itself. So we set up an alarm which is 2871 * successfully authenticates itself. So we set up an alarm which is
2872@@ -2287,12 +2348,61 @@ 2872@@ -2296,12 +2357,61 @@
2873 2873
2874 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2874 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2875 2875
@@ -2948,7 +2948,7 @@ Index: b/sshd_config.5
2948=================================================================== 2948===================================================================
2949--- a/sshd_config.5 2949--- a/sshd_config.5
2950+++ b/sshd_config.5 2950+++ b/sshd_config.5
2951@@ -379,12 +379,40 @@ 2951@@ -424,12 +424,40 @@
2952 The default is 2952 The default is
2953 .Dq no . 2953 .Dq no .
2954 Note that this option applies to protocol version 2 only. 2954 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 36335f475..9e1705719 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -18,15 +18,15 @@ Index: b/readconf.c
18=================================================================== 18===================================================================
19--- a/readconf.c 19--- a/readconf.c
20+++ b/readconf.c 20+++ b/readconf.c
21@@ -133,6 +133,7 @@ 21@@ -134,6 +134,7 @@
22 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 22 oHashKnownHosts,
23 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 23 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
24 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 24 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
25+ oProtocolKeepAlives, oSetupTimeOut, 25+ oProtocolKeepAlives, oSetupTimeOut,
26 oDeprecated, oUnsupported 26 oDeprecated, oUnsupported
27 } OpCodes; 27 } OpCodes;
28 28
29@@ -248,6 +249,8 @@ 29@@ -251,6 +252,8 @@
30 #else 30 #else
31 { "zeroknowledgepasswordauthentication", oUnsupported }, 31 { "zeroknowledgepasswordauthentication", oUnsupported },
32 #endif 32 #endif
@@ -35,7 +35,7 @@ Index: b/readconf.c
35 35
36 { NULL, oBadOption } 36 { NULL, oBadOption }
37 }; 37 };
38@@ -847,6 +850,8 @@ 38@@ -865,6 +868,8 @@
39 goto parse_flag; 39 goto parse_flag;
40 40
41 case oServerAliveInterval: 41 case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 44 intptr = &options->server_alive_interval;
45 goto parse_time; 45 goto parse_time;
46 46
47@@ -1235,8 +1240,13 @@ 47@@ -1284,8 +1289,13 @@
48 options->rekey_limit = 0; 48 options->rekey_limit = 0;
49 if (options->verify_host_key_dns == -1) 49 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 50 options->verify_host_key_dns = 0;
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -963,8 +967,15 @@ 81@@ -994,8 +998,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1003,6 +1014,12 @@ 98@@ -1034,6 +1045,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -936,6 +936,9 @@ 115@@ -985,6 +985,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index dea370a1b..de63e46f8 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
34=================================================================== 34===================================================================
35--- a/ssh-keygen.1 35--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 36+++ b/ssh-keygen.1
37@@ -145,9 +145,7 @@ 37@@ -148,9 +148,7 @@
38 .Pa ~/.ssh/id_dsa 38 .Pa ~/.ssh/id_dsa
39 or 39 or
40 .Pa ~/.ssh/id_rsa . 40 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
45 .Pp 45 .Pp
46 Normally this program generates the key and asks for a file in which 46 Normally this program generates the key and asks for a file in which
47 to store the private key. 47 to store the private key.
48@@ -367,9 +365,7 @@ 48@@ -394,9 +392,7 @@
49 .It Fl q 49 .It Fl q
50 Silence 50 Silence
51 .Nm ssh-keygen . 51 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
60=================================================================== 60===================================================================
61--- a/ssh.1 61--- a/ssh.1
62+++ b/ssh.1 62+++ b/ssh.1
63@@ -762,6 +762,10 @@ 63@@ -728,6 +728,10 @@
64 .Sx HISTORY 64 .Sx HISTORY
65 section of 65 section of
66 .Xr ssl 8 66 .Xr ssl 8
@@ -84,7 +84,7 @@ Index: b/sshd.8
84 It forks a new 84 It forks a new
85 daemon for each incoming connection. 85 daemon for each incoming connection.
86 The forked daemons handle 86 The forked daemons handle
87@@ -835,7 +835,7 @@ 87@@ -845,7 +845,7 @@
88 .Xr ssh 1 ) . 88 .Xr ssh 1 ) .
89 It should only be writable by root. 89 It should only be writable by root.
90 .Pp 90 .Pp
@@ -93,7 +93,7 @@ Index: b/sshd.8
93 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 93 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
94 The file format is described in 94 The file format is described in
95 .Xr moduli 5 . 95 .Xr moduli 5 .
96@@ -931,7 +931,6 @@ 96@@ -941,7 +941,6 @@
97 .Xr ssh-vulnkey 1 , 97 .Xr ssh-vulnkey 1 ,
98 .Xr chroot 2 , 98 .Xr chroot 2 ,
99 .Xr hosts_access 5 , 99 .Xr hosts_access 5 ,
@@ -105,7 +105,7 @@ Index: b/sshd_config.5
105=================================================================== 105===================================================================
106--- a/sshd_config.5 106--- a/sshd_config.5
107+++ b/sshd_config.5 107+++ b/sshd_config.5
108@@ -177,8 +177,7 @@ 108@@ -222,8 +222,7 @@
109 By default, no banner is displayed. 109 By default, no banner is displayed.
110 .It Cm ChallengeResponseAuthentication 110 .It Cm ChallengeResponseAuthentication
111 Specifies whether challenge-response authentication is allowed (e.g. via 111 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index f45cc6968..67e014002 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -38,7 +38,7 @@ Index: b/version.h
38--- a/version.h 38--- a/version.h
39+++ b/version.h 39+++ b/version.h
40@@ -3,4 +3,9 @@ 40@@ -3,4 +3,9 @@
41 #define SSH_VERSION "OpenSSH_5.5" 41 #define SSH_VERSION "OpenSSH_5.6"
42 42
43 #define SSH_PORTABLE "p1" 43 #define SSH_PORTABLE "p1"
44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 96a26cf7e..f8bc5fd4e 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1530,8 +1530,10 @@ 19@@ -1594,8 +1594,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 99702c317..3f06225ad 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -11,7 +11,7 @@ Index: b/scp.c
11=================================================================== 11===================================================================
12--- a/scp.c 12--- a/scp.c
13+++ b/scp.c 13+++ b/scp.c
14@@ -168,8 +168,16 @@ 14@@ -182,8 +182,16 @@
15 15
16 if (verbose_mode) { 16 if (verbose_mode) {
17 fprintf(stderr, "Executing:"); 17 fprintf(stderr, "Executing:");
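diff --git a/debian/patches/series b/debian/patches/series
index 699dbaa98..f3c6a87e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,7 +23,6 @@ helpful-wait-terminate.patch
 user-group-modes.patch
 scp-quoting.patch
 shell-path.patch
-ssh-copy-id-trailing-colons.patch
 dnssec-sshfp.patch
 
 # Versioning
@@ -42,3 +41,4 @@ doc-hash-tab-completion.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
 debian-config.patch
+ssh-sigchld.patch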
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 851687dfd..4a651bfa1 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1430,6 +1430,7 @@ 14@@ -1396,6 +1396,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
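diff --git a/debian/patches/ssh-copy-id-trailing-colons.patch b/debian/patches/ssh-copy-id-trailing-colons.patch
deleted file mode 100644
index 1063fc6bb..000000000
--- a/debian/patches/ssh-copy-id-trailing-colons.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: ssh-copy-id: Strip trailing colons from hostname
-Author: Karl Goetz <karl@kgoetz.id.au>
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1530
-Bug-Debian: http://bugs.debian.org/226172
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/249706
-Last-Update: 2010-02-27
-
-Index: b/contrib/ssh-copy-id
-===================================================================
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -38,10 +38,10 @@
- exit 1
- fi
-
--{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
-+{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
-
- cat <<EOF
--Now try logging into the machine, with "ssh '$1'", and check in:
-+Now try logging into the machine, with "ssh '${1%:}'", and check in:
-
- .ssh/authorized_keys
-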
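diff --git a/debian/patches/ssh-sigchld.patch b/debian/patches/ssh-sigchld.patch
new file mode 100644
index 000000000..21d286b21
--- /dev/null
+++ b/debian/patches/ssh-sigchld.patch
@@ -0,0 +1,55 @@
+Description: Install a SIGCHLD handler to reap expired child processes
+Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6166
+Bug-Debian: http://bugs.debian.org/594687
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1812
+Forwarded: not-needed
+Last-Update: 2010-10-26
+
+Index: b/ssh.c
+===================================================================
+--- a/ssh.c
++++ b/ssh.c
+@@ -50,6 +50,7 @@
+ #include <sys/ioctl.h>
+ #include <sys/param.h>
+ #include <sys/socket.h>
++#include <sys/wait.h>
+
+ #include <ctype.h>
+ #include <errno.h>
+@@ -210,6 +211,7 @@
+ static int ssh_session(void);
+ static int ssh_session2(void);
+ static void load_public_identity_files(void);
++static void main_sigchld_handler(int);
+
+ /* from muxclient.c */
+ void muxclient(const char *);
+@@ -849,6 +851,7 @@
+ tilde_expand_filename(options.user_hostfile2, original_real_uid);
+
+ signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
++ signal(SIGCHLD, main_sigchld_handler);
+
+ /* Log into the remote system. Never returns if the login fails. */
+ ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
+@@ -1532,3 +1535,19 @@
+ bzero(pwdir, strlen(pwdir));
+ xfree(pwdir);
+ }
++
++static void
++main_sigchld_handler(int sig)
++{
++ int save_errno = errno;
++ pid_t pid;
++ int status;
++
++ while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
++ (pid < 0 && errno == EINTR))
++ ;
++
++ signal(sig, main_sigchld_handler);
++ errno = save_errno;
++}
++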
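Review bot: main_sigchld_handler (patch lines 41-54) calls `waitpid(-1, &status, WNOHANG)`, so once it is installed at patch line 32 it collects the exit status of every child of the client, not only the expired ControlPersist children named in the description. Any code path in ssh that forks a helper and later waits for that specific pid can then find the child already reaped and get ECHILD; whether those callers tolerate that is not visible in this patch and should be checked. The handler has no comment, and I would add one above it, e.g. `/* Reaps all exited children; code that waitpid()s a specific pid must expect ECHILD. */`. The re-arm `signal(sig, main_sigchld_handler);` at patch line 52 is only needed where handlers reset after delivery, and a short comment saying so would save the next reader the question.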
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index af56dc031..81c225a7f 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -593,10 +594,34 @@ 135@@ -615,10 +616,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -172,10 +172,10 @@ Index: b/auth.h
172=================================================================== 172===================================================================
173--- a/auth.h 173--- a/auth.h
174+++ b/auth.h 174+++ b/auth.h
175@@ -173,7 +173,7 @@ 175@@ -175,7 +175,7 @@
176 char *authorized_keys_file2(struct passwd *);
177 176
178 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int);
179-int auth_key_is_revoked(Key *); 179-int auth_key_is_revoked(Key *);
180+int auth_key_is_revoked(Key *, int); 180+int auth_key_is_revoked(Key *, int);
181 181
@@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c
185=================================================================== 185===================================================================
186--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
188@@ -145,7 +145,7 @@ 188@@ -146,7 +146,7 @@
189 HostStatus host_status;
190 int len; 189 int len;
190 char *fp;
191 191
192- if (auth_key_is_revoked(key)) 192- if (auth_key_is_revoked(key))
193+ if (auth_key_is_revoked(key, 0)) 193+ if (auth_key_is_revoked(key, 0))
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
198=================================================================== 198===================================================================
199--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
201@@ -328,9 +328,10 @@ 201@@ -439,9 +439,10 @@
202 int success; 202 int success;
203 char *file; 203 char *file;
204 204
@@ -223,13 +223,13 @@ Index: b/authfile.c
223 223
224 /* Version identification string for SSH v1 identity files. */ 224 /* Version identification string for SSH v1 identity files. */
225 static const char authfile_id_string[] = 225 static const char authfile_id_string[] =
226@@ -754,3 +755,140 @@ 226@@ -814,3 +815,140 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
230+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ 230+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
231+static int 231+static int
232+blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp) 232+blacklisted_key_in_file(Key *key, const char *blacklist_file, char **fp)
233+{ 233+{
234+ int fd = -1; 234+ int fd = -1;
235+ char *dgst_hex = NULL; 235+ char *dgst_hex = NULL;
@@ -334,7 +334,7 @@ Index: b/authfile.c
334+ * its fingerprint is returned in *fp, unless fp is NULL. 334+ * its fingerprint is returned in *fp, unless fp is NULL.
335+ */ 335+ */
336+int 336+int
337+blacklisted_key(const Key *key, char **fp) 337+blacklisted_key(Key *key, char **fp)
338+{ 338+{
339+ Key *public; 339+ Key *public;
340+ char *blacklist_file; 340+ char *blacklist_file;
@@ -368,11 +368,11 @@ Index: b/authfile.h
368=================================================================== 368===================================================================
369--- a/authfile.h 369--- a/authfile.h
370+++ b/authfile.h 370+++ b/authfile.h
371@@ -24,4 +24,6 @@ 371@@ -26,4 +26,6 @@
372 int key_perm_ok(int, const char *); 372 int key_perm_ok(int, const char *);
373 int key_in_file(Key *, const char *, int); 373 int key_in_file(Key *, const char *, int);
374 374
375+int blacklisted_key(const Key *key, char **fp); 375+int blacklisted_key(Key *key, char **fp);
376+ 376+
377 #endif 377 #endif
378Index: b/pathnames.h 378Index: b/pathnames.h
@@ -412,7 +412,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 413 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -152,6 +153,7 @@ 415@@ -154,6 +155,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 416 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 418 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 420 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 421 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -461,6 +463,10 @@ 423@@ -479,6 +481,10 @@
424 intptr = &options->challenge_response_authentication; 424 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 425 goto parse_flag;
426 426
@@ -431,7 +431,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 431 case oGssAuthentication:
432 intptr = &options->gss_authentication; 432 intptr = &options->gss_authentication;
433 goto parse_flag; 433 goto parse_flag;
434@@ -1050,6 +1056,7 @@ 434@@ -1093,6 +1099,7 @@
435 options->kbd_interactive_devices = NULL; 435 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 436 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 437 options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 439 options->batch_mode = -1;
440 options->check_host_ip = -1; 440 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 441 options->strict_host_key_checking = -1;
442@@ -1152,6 +1159,8 @@ 442@@ -1201,6 +1208,8 @@
443 options->rhosts_rsa_authentication = 0; 443 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 444 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 445 options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
452=================================================================== 452===================================================================
453--- a/readconf.h 453--- a/readconf.h
454+++ b/readconf.h 454+++ b/readconf.h
455@@ -54,6 +54,7 @@ 455@@ -56,6 +56,7 @@
456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
458 int zero_knowledge_password_authentication; /* Try jpake */ 458 int zero_knowledge_password_authentication; /* Try jpake */
@@ -472,7 +472,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 472 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 473 options->permit_user_env = -1;
474 options->use_login = -1; 474 options->use_login = -1;
475@@ -231,6 +232,8 @@ 475@@ -232,6 +233,8 @@
476 options->kbd_interactive_authentication = 0; 476 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 477 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 478 options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 481 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 482 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 483 if (options->permit_user_env == -1)
484@@ -306,7 +309,7 @@ 484@@ -307,7 +310,7 @@
485 sListenAddress, sAddressFamily, 485 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 486 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -415,6 +418,7 @@ 493@@ -416,6 +419,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1009,6 +1013,10 @@ 501@@ -1011,6 +1015,10 @@
502 intptr = &options->tcp_keep_alive; 502 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 503 goto parse_flag;
504 504
@@ -509,7 +509,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 509 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 510 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 511 goto parse_flag;
512@@ -1697,6 +1705,7 @@ 512@@ -1708,6 +1716,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 514 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
584=================================================================== 584===================================================================
585--- a/ssh-keygen.1 585--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 586+++ b/ssh-keygen.1
587@@ -628,6 +628,7 @@ 587@@ -669,6 +669,7 @@
588 .Xr ssh 1 , 588 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 589 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 590 .Xr ssh-agent 1 ,
@@ -925,9 +925,9 @@ Index: b/ssh-vulnkey.c
925+ exit(1); 925+ exit(1);
926+} 926+}
927+ 927+
928+void 928+static void
929+describe_key(const char *filename, u_long linenum, const char *msg, 929+describe_key(const char *filename, u_long linenum, const char *msg,
930+ const Key *key, const char *comment, int min_verbosity) 930+ Key *key, const char *comment, int min_verbosity)
931+{ 931+{
932+ char *fp; 932+ char *fp;
933+ 933+
@@ -943,9 +943,9 @@ Index: b/ssh-vulnkey.c
943+ xfree(fp); 943+ xfree(fp);
944+} 944+}
945+ 945+
946+int 946+static int
947+do_key(const char *filename, u_long linenum, 947+do_key(const char *filename, u_long linenum,
948+ const Key *key, const char *comment) 948+ Key *key, const char *comment)
949+{ 949+{
950+ Key *public; 950+ Key *public;
951+ int blacklist_status; 951+ int blacklist_status;
@@ -976,7 +976,7 @@ Index: b/ssh-vulnkey.c
976+ return ret; 976+ return ret;
977+} 977+}
978+ 978+
979+int 979+static int
980+do_filename(const char *filename, int quiet_open) 980+do_filename(const char *filename, int quiet_open)
981+{ 981+{
982+ FILE *f; 982+ FILE *f;
@@ -1100,7 +1100,7 @@ Index: b/ssh-vulnkey.c
1100+ return ret; 1100+ return ret;
1101+} 1101+}
1102+ 1102+
1103+int 1103+static int
1104+do_host(int quiet_open) 1104+do_host(int quiet_open)
1105+{ 1105+{
1106+ int i; 1106+ int i;
@@ -1117,7 +1117,7 @@ Index: b/ssh-vulnkey.c
1117+ return ret; 1117+ return ret;
1118+} 1118+}
1119+ 1119+
1120+int 1120+static int
1121+do_user(const char *dir) 1121+do_user(const char *dir)
1122+{ 1122+{
1123+ int i; 1123+ int i;
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
1236=================================================================== 1236===================================================================
1237--- a/ssh.1 1237--- a/ssh.1
1238+++ b/ssh.1 1238+++ b/ssh.1
1239@@ -1426,6 +1426,7 @@ 1239@@ -1392,6 +1392,7 @@
1240 .Xr ssh-agent 1 , 1240 .Xr ssh-agent 1 ,
1241 .Xr ssh-keygen 1 , 1241 .Xr ssh-keygen 1 ,
1242 .Xr ssh-keyscan 1 , 1242 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
1248=================================================================== 1248===================================================================
1249--- a/ssh.c 1249--- a/ssh.c
1250+++ b/ssh.c 1250+++ b/ssh.c
1251@@ -1301,7 +1301,7 @@ 1251@@ -1422,7 +1422,7 @@
1252 static void 1252 static void
1253 load_public_identity_files(void) 1253 load_public_identity_files(void)
1254 { 1254 {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
1257 char *pwdir = NULL, *pwname = NULL; 1257 char *pwdir = NULL, *pwname = NULL;
1258 int i = 0; 1258 int i = 0;
1259 Key *public; 1259 Key *public;
1260@@ -1358,6 +1358,22 @@ 1260@@ -1479,6 +1479,22 @@
1261 public = key_load_public(filename, NULL); 1261 public = key_load_public(filename, NULL);
1262 debug("identity file %s type %d", filename, 1262 debug("identity file %s type %d", filename,
1263 public ? public->type : -1); 1263 public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
1284=================================================================== 1284===================================================================
1285--- a/ssh_config.5 1285--- a/ssh_config.5
1286+++ b/ssh_config.5 1286+++ b/ssh_config.5
1287@@ -1051,6 +1051,23 @@ 1287@@ -1082,6 +1082,23 @@
1288 .Dq any . 1288 .Dq any .
1289 The default is 1289 The default is
1290 .Dq any:any . 1290 .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
1312=================================================================== 1312===================================================================
1313--- a/sshconnect2.c 1313--- a/sshconnect2.c
1314+++ b/sshconnect2.c 1314+++ b/sshconnect2.c
1315@@ -1418,6 +1418,8 @@ 1315@@ -1421,6 +1421,8 @@
1316 1316
1317 /* list of keys stored in the filesystem */ 1317 /* list of keys stored in the filesystem */
1318 for (i = 0; i < options.num_identity_files; i++) { 1318 for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c
1321 key = options.identity_keys[i]; 1321 key = options.identity_keys[i];
1322 if (key && key->type == KEY_RSA1) 1322 if (key && key->type == KEY_RSA1)
1323 continue; 1323 continue;
1324@@ -1510,7 +1512,7 @@ 1324@@ -1514,7 +1516,7 @@
1325 if (id->key && id->key->type != KEY_RSA1) { 1325 debug("Offering %s public key: %s", key_type(id->key),
1326 debug("Offering public key: %s", id->filename); 1326 id->filename);
1327 sent = send_pubkey_test(authctxt, id); 1327 sent = send_pubkey_test(authctxt, id);
1328- } else if (id->key == NULL) { 1328- } else if (id->key == NULL) {
1329+ } else if (id->key == NULL && id->filename) { 1329+ } else if (id->key == NULL && id->filename) {
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
1334=================================================================== 1334===================================================================
1335--- a/sshd.8 1335--- a/sshd.8
1336+++ b/sshd.8 1336+++ b/sshd.8
1337@@ -928,6 +928,7 @@ 1337@@ -938,6 +938,7 @@
1338 .Xr ssh-agent 1 , 1338 .Xr ssh-agent 1 ,
1339 .Xr ssh-keygen 1 , 1339 .Xr ssh-keygen 1 ,
1340 .Xr ssh-keyscan 1 , 1340 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
1346=================================================================== 1346===================================================================
1347--- a/sshd.c 1347--- a/sshd.c
1348+++ b/sshd.c 1348+++ b/sshd.c
1349@@ -1564,6 +1564,11 @@ 1349@@ -1573,6 +1573,11 @@
1350 sensitive_data.host_keys[i] = NULL; 1350 sensitive_data.host_keys[i] = NULL;
1351 continue; 1351 continue;
1352 } 1352 }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
1362=================================================================== 1362===================================================================
1363--- a/sshd_config.5 1363--- a/sshd_config.5
1364+++ b/sshd_config.5 1364+++ b/sshd_config.5
1365@@ -694,6 +694,20 @@ 1365@@ -743,6 +743,20 @@
1366 Specifies whether password authentication is allowed. 1366 Specifies whether password authentication is allowed.
1367 The default is 1367 The default is
1368 .Dq yes . 1368 .Dq yes .
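Review bot: The refreshed patch drops `const` from the `Key *` parameter of `blacklisted_key_in_file`, `blacklisted_key`, `describe_key` and `do_key` (patch lines 232, 337, 375, 930 and 948) without recording why. Presumably the key helpers these functions call take a non-const `Key *` in the new upstream, but that is not visible in these hunks. These functions decide whether a key is on the known-vulnerable blacklist, so the prototype in authfile.h should still state the contract. If the key really is left untouched, a comment such as `/* key is only read; const dropped to match the key_* helper prototypes */` above `int blacklisted_key(Key *key, char **fp);` would do. The function bodies lie outside the visible hunks.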
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 7682c0761..dac1ca1cc 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -7,20 +7,13 @@ Index: b/clientloop.c
7=================================================================== 7===================================================================
8--- a/clientloop.c 8--- a/clientloop.c
9+++ b/clientloop.c 9+++ b/clientloop.c
10@@ -507,16 +507,21 @@ 10@@ -547,16 +547,21 @@
11 static void 11 static void
12 server_alive_check(void) 12 server_alive_check(void)
13 { 13 {
14- if (packet_inc_alive_timeouts() > options.server_alive_count_max) { 14- if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
15- logit("Timeout, server not responding."); 15- logit("Timeout, server not responding.");
16- cleanup_exit(255); 16- cleanup_exit(255);
17- }
18- packet_start(SSH2_MSG_GLOBAL_REQUEST);
19- packet_put_cstring("keepalive@openssh.com");
20- packet_put_char(1); /* boolean: want reply */
21- packet_send();
22- /* Insert an empty placeholder to maintain ordering */
23- client_register_global_confirm(NULL, NULL);
24+ if (compat20) { 17+ if (compat20) {
25+ if (packet_inc_alive_timeouts() > options.server_alive_count_max) { 18+ if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
26+ logit("Timeout, server not responding."); 19+ logit("Timeout, server not responding.");
@@ -35,24 +28,30 @@ Index: b/clientloop.c
35+ } else { 28+ } else {
36+ packet_send_ignore(0); 29+ packet_send_ignore(0);
37+ packet_send(); 30+ packet_send();
38+ } 31 }
32- packet_start(SSH2_MSG_GLOBAL_REQUEST);
33- packet_put_cstring("keepalive@openssh.com");
34- packet_put_char(1); /* boolean: want reply */
35- packet_send();
36- /* Insert an empty placeholder to maintain ordering */
37- client_register_global_confirm(NULL, NULL);
39 } 38 }
40 39
41 /* 40 /*
42@@ -574,7 +579,7 @@ 41@@ -616,7 +621,7 @@
43 * event pending.
44 */ 42 */
45 43
46- if (options.server_alive_interval == 0 || !compat20) 44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
47+ if (options.server_alive_interval == 0) 45- if (options.server_alive_interval > 0 && compat20)
48 tvp = NULL; 46+ if (options.server_alive_interval > 0)
49 else { 47 timeout_secs = options.server_alive_interval;
50 tv.tv_sec = options.server_alive_interval; 48 set_control_persist_exit_time();
49 if (control_persist_exit_time > 0) {
51Index: b/ssh_config.5 50Index: b/ssh_config.5
52=================================================================== 51===================================================================
53--- a/ssh_config.5 52--- a/ssh_config.5
54+++ b/ssh_config.5 53+++ b/ssh_config.5
55@@ -952,7 +952,10 @@ 54@@ -983,7 +983,10 @@
56 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
57 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
58 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
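Review bot: In the refreshed server_alive_check, the protocol-1 branch (patch lines 28-30, `packet_send_ignore(0); packet_send();`) never calls `packet_inc_alive_timeouts()`, so as far as these hunks show ServerAliveCountMax is enforced only when `compat20` is set. With the `compat20` test removed at patch line 46, SSH1 sessions wake up every ServerAliveInterval but would not disconnect from an unresponsive server by count. If that is intended, a comment in the else branch would make it explicit, e.g. `/* SSH1: no reply to count; send an ignore packet and rely on TCP to report a dead peer */`. Patch lines 20-27 of the function are outside the visible hunks.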
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2dc912b8e..3cb9fdc65 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -26,7 +26,7 @@ Index: b/ssh.c
26=================================================================== 26===================================================================
27--- a/ssh.c 27--- a/ssh.c
28+++ b/ssh.c 28+++ b/ssh.c
29@@ -624,7 +624,7 @@ 29@@ -642,7 +642,7 @@
30 tty_flag = 0; 30 tty_flag = 0;
31 /* Do not allocate a tty if stdin is not a tty. */ 31 /* Do not allocate a tty if stdin is not a tty. */
32 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { 32 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 164b8ec81..69700e592 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
24 24
25 #include "xmalloc.h" 25 #include "xmalloc.h"
26 #include "ssh.h" 26 #include "ssh.h"
27@@ -1003,8 +1005,7 @@ 27@@ -1045,8 +1047,7 @@
28 28
29 if (fstat(fileno(f), &sb) == -1) 29 if (fstat(fileno(f), &sb) == -1)
30 fatal("fstat %s: %s", filename, strerror(errno)); 30 fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,7 +38,7 @@ Index: b/ssh.1
38=================================================================== 38===================================================================
39--- a/ssh.1 39--- a/ssh.1
40+++ b/ssh.1 40+++ b/ssh.1
41@@ -1324,6 +1324,8 @@ 41@@ -1290,6 +1290,8 @@
42 .Xr ssh_config 5 . 42 .Xr ssh_config 5 .
43 Because of the potential for abuse, this file must have strict permissions: 43 Because of the potential for abuse, this file must have strict permissions:
44 read/write for the user, and not accessible by others. 44 read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1204,6 +1204,8 @@ 54@@ -1235,6 +1235,8 @@
55 This file is used by the SSH client. 55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions: 56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others. 57 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
64=================================================================== 64===================================================================
65--- a/auth.c 65--- a/auth.c
66+++ b/auth.c 66+++ b/auth.c
67@@ -385,8 +385,7 @@ 67@@ -393,8 +393,7 @@
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 69 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 70 (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 74 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 75 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 76 pw->pw_name, user_hostfile);
77@@ -438,8 +437,7 @@ 77@@ -448,8 +447,7 @@
78 78
79 /* check the open file to avoid races */ 79 /* check the open file to avoid races */
80 if (fstat(fileno(f), &st) < 0 || 80 if (fstat(fileno(f), &st) < 0 ||
@@ -84,7 +84,7 @@ Index: b/auth.c
84 snprintf(err, errlen, "bad ownership or modes for file %s", 84 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 85 buf);
86 return -1; 86 return -1;
87@@ -455,8 +453,7 @@ 87@@ -465,8 +463,7 @@
88 88
89 debug3("secure_filename: checking '%s'", buf); 89 debug3("secure_filename: checking '%s'", buf);
90 if (stat(buf, &st) < 0 || 90 if (stat(buf, &st) < 0 ||
@@ -109,7 +109,7 @@ Index: b/misc.c
109 #ifdef SSH_TUN_OPENBSD 109 #ifdef SSH_TUN_OPENBSD
110 #include <net/if.h> 110 #include <net/if.h>
111 #endif 111 #endif
112@@ -638,6 +639,55 @@ 112@@ -639,6 +640,55 @@
113 } 113 }
114 114
115 int 115 int
@@ -169,7 +169,7 @@ Index: b/misc.h
169=================================================================== 169===================================================================
170--- a/misc.h 170--- a/misc.h
171+++ b/misc.h 171+++ b/misc.h
172@@ -91,4 +91,6 @@ 172@@ -92,4 +92,6 @@
173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
175 175
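diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides
deleted file mode 100644
index 5ddb25600..000000000
--- a/debian/source.lintian-overrides
+++ /dev/null
@@ -1,2 +0,0 @@
-# .desktop file intentionally not installed
-openssh source: desktop-file-but-no-dh_desktop-call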