Diffstat (limited to 'debian')
-rw-r--r-- debian/.git-dpm | 14
-rw-r--r-- debian/NEWS | 13
-rw-r--r-- debian/changelog | 54
-rwxr-xr-x debian/openssh-client.install | 2
-rw-r--r-- debian/openssh-client.links | 2
-rw-r--r-- debian/patches/auth-log-verbosity.patch | 16
-rw-r--r-- debian/patches/authorized-keys-man-symlink.patch | 4
-rw-r--r-- debian/patches/debian-banner.patch | 24
-rw-r--r-- debian/patches/debian-config.patch | 26
-rw-r--r-- debian/patches/dnssec-sshfp.patch | 2
-rw-r--r-- debian/patches/doc-hash-tab-completion.patch | 6
-rw-r--r-- debian/patches/doc-upstart.patch | 4
-rw-r--r-- debian/patches/gnome-ssh-askpass2-icon.patch | 2
-rw-r--r-- debian/patches/gssapi.patch | 201
-rw-r--r-- debian/patches/helpful-wait-terminate.patch | 6
-rw-r--r-- debian/patches/keepalive-extensions.patch | 25
-rw-r--r-- debian/patches/lintian-symlink-pickiness.patch | 32
-rw-r--r-- debian/patches/mention-ssh-keygen-on-keychange.patch | 8
-rw-r--r-- debian/patches/no-openssl-version-status.patch | 2
-rw-r--r-- debian/patches/openbsd-docs.patch | 32
-rw-r--r-- debian/patches/package-versioning.patch | 18
-rw-r--r-- debian/patches/quieter-signals.patch | 6
-rw-r--r-- debian/patches/restore-tcp-wrappers.patch | 18
-rw-r--r-- debian/patches/scp-quoting.patch | 4
-rw-r--r-- debian/patches/selinux-role.patch | 44
-rw-r--r-- debian/patches/series | 1
-rw-r--r-- debian/patches/shell-path.patch | 8
-rw-r--r-- debian/patches/sigstop.patch | 4
-rw-r--r-- debian/patches/ssh-agent-setgid.patch | 6
-rw-r--r-- debian/patches/ssh-argv0.patch | 6
-rw-r--r-- debian/patches/ssh-vulnkey-compat.patch | 10
-rw-r--r-- debian/patches/syslog-level-silent.patch | 6
-rw-r--r-- debian/patches/systemd-readiness.patch | 12
-rw-r--r-- debian/patches/user-group-modes.patch | 22
34 files changed, 333 insertions, 307 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index e7130afa6..65e3d5e54 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2003a875a474100d250b6643270ef3874da6591d8 285e40e87a75fb80a0bf893ac05a417d6c353537d
3003a875a474100d250b6643270ef3874da6591d8 385e40e87a75fb80a0bf893ac05a417d6c353537d
4eeff4de96f5d7365750dc56912c2c62b5c28db6b 4c52a95cc4754e6630c96fe65ae0c65eb41d2c590
5eeff4de96f5d7365750dc56912c2c62b5c28db6b 5c52a95cc4754e6630c96fe65ae0c65eb41d2c590
6openssh_7.1p2.orig.tar.gz 6openssh_7.2p1.orig.tar.gz
79202f5a2a50c8a55ecfb830609df1e1fde97f758 7d30a6fd472199ab5838a7668c0c5fd885fb8d371
81475829 81499707
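Review bot: the two lines updated at the bottom of this hunk are the orig tarball's checksum and its byte size, switched from openssh_7.1p2.orig.tar.gz to openssh_7.2p1.orig.tar.gz; the checksum is a 40-hex-digit (SHA-1-length) value, so it pins the tarball git-dpm imported but does not on its own show that it is upstream's release. Suggest noting in the changelog entry that the 7.2p1 tarball was checked against upstream's signed release before import, so the provenance of the new base is recorded alongside the hash.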
diff --git a/debian/NEWS b/debian/NEWS
index 4dc9ffd92..abbfcfcd0 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
1openssh (1:7.2p1-1) UNRELEASED; urgency=medium
2
3 OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
4 default in ssh:
5
6 * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
7 rijndael-cbc aliases for AES.
8 * MD5-based and truncated HMAC algorithms.
9
10 These algorithms are already disabled by default in sshd.
11
12 -- Colin Watson <cjwatson@debian.org> Mon, 29 Feb 2016 12:37:44 +0000
13
1openssh (1:7.1p1-2) unstable; urgency=medium 14openssh (1:7.1p1-2) unstable; urgency=medium
2 15
3 OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe 16 OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
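Review bot: punctuation nit in the first bullet of the new NEWS entry: "Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES." reads as a run-on; suggest "Several ciphers: blowfish-cbc, cast128-cbc, all arcfour variants, and the rijndael-cbc aliases for AES." The same wording is repeated in the changelog hunk, so fix both. Since this file is what apt-listchanges shows administrators, consider adding one sentence on the user-visible symptom (an ssh connection to a legacy server failing to negotiate a cipher or MAC) so readers can tell when the entry applies to them.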
diff --git a/debian/changelog b/debian/changelog
index dc9c82813..234cc9191 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,56 @@
1openssh (1:7.1p2-3) UNRELEASED; urgency=medium 1openssh (1:7.2p1-1) UNRELEASED; urgency=medium
2 2
3 * New upstream release (http://www.openssh.com/txt/release-7.2):
4 - This release disables a number of legacy cryptographic algorithms by
5 default in ssh:
6 + Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and
7 the rijndael-cbc aliases for AES.
8 + MD5-based and truncated HMAC algorithms.
9 These algorithms are already disabled by default in sshd.
10 - ssh(1), sshd(8): Remove unfinished and unused roaming code (was
11 already forcibly disabled in OpenSSH 7.1p2).
12 - ssh(1): Eliminate fallback from untrusted X11 forwarding to trusted
13 forwarding when the X server disables the SECURITY extension.
14 - ssh(1), sshd(8): Increase the minimum modulus size supported for
15 diffie-hellman-group-exchange to 2048 bits.
16 - sshd(8): Pre-auth sandboxing is now enabled by default (previous
17 releases enabled it for new installations via sshd_config).
18 - all: Add support for RSA signatures using SHA-256/512 hash algorithms
19 based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
20 - ssh(1): Add an AddKeysToAgent client option which can be set to 'yes',
21 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
22 private key that is used during authentication will be added to
23 ssh-agent if it is running (with confirmation enabled if set to
24 'confirm').
25 - sshd(8): Add a new authorized_keys option "restrict" that includes all
26 current and future key restrictions (no-*-forwarding, etc.). Also add
27 permissive versions of the existing restrictions, e.g. "no-pty" ->
28 "pty". This simplifies the task of setting up restricted keys and
29 ensures they are maximally-restricted, regardless of any permissions
30 we might implement in the future.
31 - ssh(1): Add ssh_config CertificateFile option to explicitly list
32 certificates.
33 - ssh-keygen(1): Allow ssh-keygen to change the key comment for all
34 supported formats (closes: #811125).
35 - ssh-keygen(1): Allow fingerprinting from standard input, e.g.
36 "ssh-keygen -lf -" (closes: #509058).
37 - ssh-keygen(1): Allow fingerprinting multiple public keys in a file,
38 e.g. "ssh-keygen -lf ~/.ssh/authorized_keys".
39 - sshd(8): Support "none" as an argument for sshd_config Foreground and
40 ChrootDirectory. Useful inside Match blocks to override a global
41 default.
42 - ssh-keygen(1): Support multiple certificates (one per line) and
43 reading from standard input (using "-f -") for "ssh-keygen -L"
44 - ssh-keyscan(1): Add "ssh-keyscan -c ..." flag to allow fetching
45 certificates instead of plain keys.
46 - ssh(1): Better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
47 hostname canonicalisation - treat them as already canonical and remove
48 the trailing '.' before matching ssh_config.
49 - sftp(1): Existing destination directories should not terminate
50 recursive uploads (regression in OpenSSH 6.8; LP: #1553378).
3 * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb. 51 * Use HTTPS for Vcs-* URLs, and link to cgit rather than gitweb.
52 * Restore slogin symlinks for compatibility, although they were removed
53 upstream.
4 54
5 -- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000 55 -- Colin Watson <cjwatson@debian.org> Wed, 27 Jan 2016 13:04:38 +0000
6 56
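Review bot: the trailer at the end of this entry still reads "Wed, 27 Jan 2016", which is older than the NEWS entry for the same 1:7.2p1-1 version dated "Mon, 29 Feb 2016"; dch will refresh it on release, but the two files should agree before upload. Two nits: the "ssh-keygen -L" bullet lacks a terminating period unlike its neighbours, and the "Several ciphers blowfish-cbc, ..." sub-bullet needs a colon after "ciphers" (same as in NEWS).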
diff --git a/debian/openssh-client.install b/debian/openssh-client.install
index 18e529f64..fd6819a7c 100755
--- a/debian/openssh-client.install
+++ b/debian/openssh-client.install
@@ -4,7 +4,6 @@ etc/ssh/moduli
4etc/ssh/ssh_config 4etc/ssh/ssh_config
5usr/bin/scp 5usr/bin/scp
6usr/bin/sftp 6usr/bin/sftp
7usr/bin/slogin
8usr/bin/ssh 7usr/bin/ssh
9usr/bin/ssh-add 8usr/bin/ssh-add
10usr/bin/ssh-agent 9usr/bin/ssh-agent
@@ -14,7 +13,6 @@ usr/lib/openssh/ssh-keysign
14usr/lib/openssh/ssh-pkcs11-helper 13usr/lib/openssh/ssh-pkcs11-helper
15usr/share/man/man1/scp.1 14usr/share/man/man1/scp.1
16usr/share/man/man1/sftp.1 15usr/share/man/man1/sftp.1
17usr/share/man/man1/slogin.1
18usr/share/man/man1/ssh-add.1 16usr/share/man/man1/ssh-add.1
19usr/share/man/man1/ssh-agent.1 17usr/share/man/man1/ssh-agent.1
20usr/share/man/man1/ssh-keygen.1 18usr/share/man/man1/ssh-keygen.1
diff --git a/debian/openssh-client.links b/debian/openssh-client.links
new file mode 100644
index 000000000..75d798afc
--- /dev/null
+++ b/debian/openssh-client.links
@@ -0,0 +1,2 @@
1usr/bin/ssh usr/bin/slogin
2usr/share/man/man1/ssh.1 usr/share/man/man1/slogin.1
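Review bot: dh_link takes the link target first and the link name second, so these two lines create usr/bin/slogin -> ssh and slogin.1 -> ssh.1, replacing exactly the two entries dropped from debian/openssh-client.install in the hunks above; this matches the changelog item "Restore slogin symlinks for compatibility, although they were removed upstream". Worth a one-line comment in the changelog that the symlinks are now Debian-maintained rather than upstream-shipped, so a future refresh does not drop them again by mistake.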
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 3635e50ad..549570c5c 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From a791d607756f04e41153c2297e5f9a608daa7335 Mon Sep 17 00:00:00 2001 1From d104554289d524d6f8c97cc93a8ff5aabbfcdd6c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch
16 4 files changed, 32 insertions(+), 9 deletions(-) 16 4 files changed, 32 insertions(+), 9 deletions(-)
17 17
18diff --git a/auth-options.c b/auth-options.c 18diff --git a/auth-options.c b/auth-options.c
19index e387697..f1e3ddf 100644 19index edbaf80..bda39df 100644
20--- a/auth-options.c 20--- a/auth-options.c
21+++ b/auth-options.c 21+++ b/auth-options.c
22@@ -58,9 +58,20 @@ int forced_tun_device = -1; 22@@ -58,9 +58,20 @@ int forced_tun_device = -1;
@@ -40,7 +40,7 @@ index e387697..f1e3ddf 100644
40 auth_clear_options(void) 40 auth_clear_options(void)
41 { 41 {
42 no_agent_forwarding_flag = 0; 42 no_agent_forwarding_flag = 0;
43@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 43@@ -314,10 +325,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
44 /* FALLTHROUGH */ 44 /* FALLTHROUGH */
45 case 0: 45 case 0:
46 free(patterns); 46 free(patterns);
@@ -58,7 +58,7 @@ index e387697..f1e3ddf 100644
58 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
59 "permitted to use this key for login.", 59 "permitted to use this key for login.",
60 remote_host); 60 remote_host);
61@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, 61@@ -540,11 +554,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
62 break; 62 break;
63 case 0: 63 case 0:
64 /* no match */ 64 /* no match */
@@ -104,10 +104,10 @@ index cbd971b..4cf2163 100644
104 * Go though the accepted keys, looking for the current key. If 104 * Go though the accepted keys, looking for the current key. If
105 * found, perform a challenge-response dialog to verify that the 105 * found, perform a challenge-response dialog to verify that the
106diff --git a/auth2-pubkey.c b/auth2-pubkey.c 106diff --git a/auth2-pubkey.c b/auth2-pubkey.c
107index 5aa319c..1eee161 100644 107index 41b34ae..aace7ca 100644
108--- a/auth2-pubkey.c 108--- a/auth2-pubkey.c
109+++ b/auth2-pubkey.c 109+++ b/auth2-pubkey.c
110@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, 110@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
111 u_long linenum = 0; 111 u_long linenum = 0;
112 u_int i; 112 u_int i;
113 113
@@ -115,7 +115,7 @@ index 5aa319c..1eee161 100644
115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
116 /* Skip leading whitespace. */ 116 /* Skip leading whitespace. */
117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
118@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) 118@@ -731,6 +732,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
119 found_key = 0; 119 found_key = 0;
120 120
121 found = NULL; 121 found = NULL;
@@ -123,7 +123,7 @@ index 5aa319c..1eee161 100644
123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
124 char *cp, *key_options = NULL; 124 char *cp, *key_options = NULL;
125 if (found != NULL) 125 if (found != NULL)
126@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) 126@@ -878,6 +880,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
127 if (key_cert_check_authority(key, 0, 1, 127 if (key_cert_check_authority(key, 0, 1,
128 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 128 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
129 goto fail_reason; 129 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 2b1bd05f7..5a0dcd806 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 9769daa27369920a909debed3ee297c32f0c3ef7 Mon Sep 17 00:00:00 2001 1From 88659ca2f10e2401f887b9dd58f6361d7bfa08e4 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 3d2a328..915c740 100644 16index 0954c63..85cde7f 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -324,6 +324,7 @@ install-files: 19@@ -324,6 +324,7 @@ install-files:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index eceac3ccf..7f8cdb172 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 1cbbbb90ae1a4f88f8090e1fdecee007b8d360f8 Mon Sep 17 00:00:00 2001 1From 3c79e49a4fbd8e4c84f6af6f1173563bda8b273b Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index ed3a88d..a778f44 100644 22index fad7c92..8ca9695 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options) 25@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
@@ -30,16 +30,16 @@ index ed3a88d..a778f44 100644
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options)
34 options->fwd_opts.streamlocal_bind_unlink = 0; 34 options->fwd_opts.streamlocal_bind_unlink = 0;
35 if (options->fingerprint_hash == -1) 35 if (options->fingerprint_hash == -1)
36 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 36 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
37+ if (options->debian_banner == -1) 37+ if (options->debian_banner == -1)
38+ options->debian_banner = 1; 38+ options->debian_banner = 1;
39 39
40 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || 40 assemble_algorithms(options);
41 kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || 41
42@@ -430,6 +433,7 @@ typedef enum { 42@@ -437,6 +440,7 @@ typedef enum {
43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sStreamLocalBindMask, sStreamLocalBindUnlink, 44 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAllowStreamLocalForwarding, sFingerprintHash, 45 sAllowStreamLocalForwarding, sFingerprintHash,
@@ -47,7 +47,7 @@ index ed3a88d..a778f44 100644
47 sDeprecated, sUnsupported 47 sDeprecated, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -577,6 +581,7 @@ static struct { 50@@ -588,6 +592,7 @@ static struct {
51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
@@ -55,7 +55,7 @@ index ed3a88d..a778f44 100644
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1867,6 +1872,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1874,6 +1879,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 options->fingerprint_hash = value; 59 options->fingerprint_hash = value;
60 break; 60 break;
61 61
@@ -80,10 +80,10 @@ index 778ba17..161fa37 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 189d34a..8d17521 100644 83index c762190..57ae4ad 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) 86@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
87 } 87 }
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index 189d34a..8d17521 100644
94 options.version_addendum, newline); 94 options.version_addendum, newline);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index c8ee35d..b149bd3 100644 97index bc79a66..b565640 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -533,6 +533,11 @@ or 100@@ -534,6 +534,11 @@ or
101 .Dq no . 101 .Dq no .
102 The default is 102 The default is
103 .Dq delayed . 103 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 0a5e2cd39..24f1a77ec 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 003a875a474100d250b6643270ef3874da6591d8 Mon Sep 17 00:00:00 2001 1From 85e40e87a75fb80a0bf893ac05a417d6c353537d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -32,10 +32,10 @@ Patch-Name: debian-config.patch
32 6 files changed, 72 insertions(+), 4 deletions(-) 32 6 files changed, 72 insertions(+), 4 deletions(-)
33 33
34diff --git a/readconf.c b/readconf.c 34diff --git a/readconf.c b/readconf.c
35index b9442fd..ee46ad6 100644 35index cc1a633..dc22360 100644
36--- a/readconf.c 36--- a/readconf.c
37+++ b/readconf.c 37+++ b/readconf.c
38@@ -1749,7 +1749,7 @@ fill_default_options(Options * options) 38@@ -1797,7 +1797,7 @@ fill_default_options(Options * options)
39 if (options->forward_x11 == -1) 39 if (options->forward_x11 == -1)
40 options->forward_x11 = 0; 40 options->forward_x11 = 0;
41 if (options->forward_x11_trusted == -1) 41 if (options->forward_x11_trusted == -1)
@@ -45,10 +45,10 @@ index b9442fd..ee46ad6 100644
45 options->forward_x11_timeout = 1200; 45 options->forward_x11_timeout = 1200;
46 if (options->exit_on_forward_failure == -1) 46 if (options->exit_on_forward_failure == -1)
47diff --git a/ssh.1 b/ssh.1 47diff --git a/ssh.1 b/ssh.1
48index 05b7f10..649d6c3 100644 48index 74d9655..7fb9d30 100644
49--- a/ssh.1 49--- a/ssh.1
50+++ b/ssh.1 50+++ b/ssh.1
51@@ -755,6 +755,16 @@ directive in 51@@ -760,6 +760,16 @@ directive in
52 .Xr ssh_config 5 52 .Xr ssh_config 5
53 for more information. 53 for more information.
54 .Pp 54 .Pp
@@ -65,7 +65,7 @@ index 05b7f10..649d6c3 100644
65 .It Fl x 65 .It Fl x
66 Disables X11 forwarding. 66 Disables X11 forwarding.
67 .Pp 67 .Pp
68@@ -763,6 +773,17 @@ Enables trusted X11 forwarding. 68@@ -768,6 +778,17 @@ Enables trusted X11 forwarding.
69 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 69 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
70 controls. 70 controls.
71 .Pp 71 .Pp
@@ -84,7 +84,7 @@ index 05b7f10..649d6c3 100644
84 Send log information using the 84 Send log information using the
85 .Xr syslog 3 85 .Xr syslog 3
86diff --git a/ssh_config b/ssh_config 86diff --git a/ssh_config b/ssh_config
87index 228e5ab..c9386aa 100644 87index 4e879cd..5190b06 100644
88--- a/ssh_config 88--- a/ssh_config
89+++ b/ssh_config 89+++ b/ssh_config
90@@ -17,9 +17,10 @@ 90@@ -17,9 +17,10 @@
@@ -99,7 +99,7 @@ index 228e5ab..c9386aa 100644
99 # RhostsRSAAuthentication no 99 # RhostsRSAAuthentication no
100 # RSAAuthentication yes 100 # RSAAuthentication yes
101 # PasswordAuthentication yes 101 # PasswordAuthentication yes
102@@ -48,3 +49,7 @@ 102@@ -50,3 +51,7 @@
103 # VisualHostKey no 103 # VisualHostKey no
104 # ProxyCommand ssh -q -W %h:%p gateway.example.com 104 # ProxyCommand ssh -q -W %h:%p gateway.example.com
105 # RekeyLimit 1G 1h 105 # RekeyLimit 1G 1h
@@ -108,7 +108,7 @@ index 228e5ab..c9386aa 100644
108+ GSSAPIAuthentication yes 108+ GSSAPIAuthentication yes
109+ GSSAPIDelegateCredentials no 109+ GSSAPIDelegateCredentials no
110diff --git a/ssh_config.5 b/ssh_config.5 110diff --git a/ssh_config.5 b/ssh_config.5
111index d4928b8..81b9b74 100644 111index 0f52d14..51765c9 100644
112--- a/ssh_config.5 112--- a/ssh_config.5
113+++ b/ssh_config.5 113+++ b/ssh_config.5
114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more 114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -134,7 +134,7 @@ index d4928b8..81b9b74 100644
134 The configuration file has the following format: 134 The configuration file has the following format:
135 .Pp 135 .Pp
136 Empty lines and lines starting with 136 Empty lines and lines starting with
137@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes. 137@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes.
138 Remote clients will be refused access after this time. 138 Remote clients will be refused access after this time.
139 .Pp 139 .Pp
140 The default is 140 The default is
@@ -145,10 +145,10 @@ index d4928b8..81b9b74 100644
145 See the X11 SECURITY extension specification for full details on 145 See the X11 SECURITY extension specification for full details on
146 the restrictions imposed on untrusted clients. 146 the restrictions imposed on untrusted clients.
147diff --git a/sshd_config b/sshd_config 147diff --git a/sshd_config b/sshd_config
148index 64786c9..d8338db 100644 148index f103298..d103ac5 100644
149--- a/sshd_config 149--- a/sshd_config
150+++ b/sshd_config 150+++ b/sshd_config
151@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. 151@@ -125,7 +125,7 @@ AuthorizedKeysFile .ssh/authorized_keys
152 #Banner none 152 #Banner none
153 153
154 # override default of no subsystems 154 # override default of no subsystems
@@ -158,7 +158,7 @@ index 64786c9..d8338db 100644
158 # Example of overriding settings on a per-user basis 158 # Example of overriding settings on a per-user basis
159 #Match User anoncvs 159 #Match User anoncvs
160diff --git a/sshd_config.5 b/sshd_config.5 160diff --git a/sshd_config.5 b/sshd_config.5
161index 0828592..0be7250 100644 161index 4d255e5..2387b51 100644
162--- a/sshd_config.5 162--- a/sshd_config.5
163+++ b/sshd_config.5 163+++ b/sshd_config.5
164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 725d26e81..8b33364e4 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 54d62ce82775d6a6f556cef7b1ff61412d2d0581 Mon Sep 17 00:00:00 2001 1From 094cc9bf1c7f873542a6c8dc25d0f8e61aa23318 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 646716fe5..2b203f5dc 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 6f8b6ab94f4c4351e49598f08abc6da16fe29740 Mon Sep 17 00:00:00 2001 1From 3aede5a89ef203b53ef86435fe4af709a39379c2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 1e9c058..d4928b8 100644 16index ab8f271..0f52d14 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files 19@@ -883,6 +883,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index b7a072414..3266c4707 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From 17063f049ca0f00cb455eed0852405bc9abe6213 Mon Sep 17 00:00:00 2001 1From 2c7520d8d6245868704cf01dd572cce744663173 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
12 1 file changed, 4 insertions(+), 1 deletion(-) 12 1 file changed, 4 insertions(+), 1 deletion(-)
13 13
14diff --git a/sshd.8 b/sshd.8 14diff --git a/sshd.8 b/sshd.8
15index 42ba596..17b917c 100644 15index 58eefe9..4e75567 100644
16--- a/sshd.8 16--- a/sshd.8
17+++ b/sshd.8 17+++ b/sshd.8
18@@ -67,7 +67,10 @@ over an insecure network. 18@@ -67,7 +67,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index c3b601c76..ba2c684fd 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From a1913369b4abfcebec320706e561591c1ed8640c Mon Sep 17 00:00:00 2001 1From 5e5d8faea814efa9368ccec343580b6dcd440d5e Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8bc83cace..aa9f25848 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001 1From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -22,12 +22,12 @@ Last-Updated: 2016-01-04
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
24 ChangeLog.gssapi | 113 +++++++++++++++++++ 24 ChangeLog.gssapi | 113 +++++++++++++++++++
25 Makefile.in | 5 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 3 +- 27 auth.c | 3 +-
28 auth2-gss.c | 48 +++++++- 28 auth2-gss.c | 48 +++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 clientloop.c | 13 +++ 30 clientloop.c | 15 ++-
31 config.h.in | 6 + 31 config.h.in | 6 +
32 configure.ac | 24 ++++ 32 configure.ac | 24 ++++
33 gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- 33 gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++-
@@ -47,14 +47,14 @@ Patch-Name: gssapi.patch
47 servconf.h | 2 + 47 servconf.h | 2 +
48 ssh-gss.h | 41 ++++++- 48 ssh-gss.h | 41 ++++++-
49 ssh_config | 2 + 49 ssh_config | 2 +
50 ssh_config.5 | 36 +++++- 50 ssh_config.5 | 32 ++++++
51 sshconnect2.c | 120 +++++++++++++++++++- 51 sshconnect2.c | 120 +++++++++++++++++++-
52 sshd.c | 110 ++++++++++++++++++ 52 sshd.c | 110 ++++++++++++++++++
53 sshd_config | 2 + 53 sshd_config | 2 +
54 sshd_config.5 | 11 ++ 54 sshd_config.5 | 10 ++
55 sshkey.c | 3 +- 55 sshkey.c | 3 +-
56 sshkey.h | 1 + 56 sshkey.h | 1 +
57 33 files changed, 1955 insertions(+), 47 deletions(-) 57 33 files changed, 1951 insertions(+), 46 deletions(-)
58 create mode 100644 ChangeLog.gssapi 58 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c 59 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c 60 create mode 100644 kexgsss.c
@@ -179,19 +179,17 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
182index 40cc7aa..3d2a328 100644 182index d401787..0954c63 100644
183--- a/Makefile.in 183--- a/Makefile.in
184+++ b/Makefile.in 184+++ b/Makefile.in
185@@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 185@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
186 sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
187 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ 186 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
188 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ 187 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
189- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o 188 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
190+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ 189+ kexgssc.o \
191+ kexgssc.o 190 platform-pledge.o
192 191
193 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 192 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
194 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 193@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ 194 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
197 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 195 auth2-none.o auth2-passwd.o auth2-pubkey.o \
@@ -200,9 +198,9 @@ index 40cc7aa..3d2a328 100644
200+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 198+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
201 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 199 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
202 sftp-server.o sftp-common.o \ 200 sftp-server.o sftp-common.o \
203 roaming_common.o roaming_serv.o \ 201 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
204diff --git a/auth-krb5.c b/auth-krb5.c 202diff --git a/auth-krb5.c b/auth-krb5.c
205index 0089b18..ec47869 100644 203index d1c5a2f..f019fb1 100644
206--- a/auth-krb5.c 204--- a/auth-krb5.c
207+++ b/auth-krb5.c 205+++ b/auth-krb5.c
208@@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 206@@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -374,10 +372,10 @@ index 7177962..3f49bdc 100644
374 #endif 372 #endif
375 &method_passwd, 373 &method_passwd,
376diff --git a/clientloop.c b/clientloop.c 374diff --git a/clientloop.c b/clientloop.c
377index 87ceb3d..fba1b54 100644 375index 9820455..1567e4a 100644
378--- a/clientloop.c 376--- a/clientloop.c
379+++ b/clientloop.c 377+++ b/clientloop.c
380@@ -115,6 +115,10 @@ 378@@ -114,6 +114,10 @@
381 #include "ssherr.h" 379 #include "ssherr.h"
382 #include "hostfile.h" 380 #include "hostfile.h"
383 381
@@ -388,11 +386,14 @@ index 87ceb3d..fba1b54 100644
388 /* import options */ 386 /* import options */
389 extern Options options; 387 extern Options options;
390 388
391@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 389@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
390 break;
391
392 /* Do channel operations unless rekeying in progress. */ 392 /* Do channel operations unless rekeying in progress. */
393 if (!rekeying) { 393- if (!ssh_packet_is_rekeying(active_state))
394+ if (!ssh_packet_is_rekeying(active_state)) {
394 channel_after_select(readset, writeset); 395 channel_after_select(readset, writeset);
395+ 396
396+#ifdef GSSAPI 397+#ifdef GSSAPI
397+ if (options.gss_renewal_rekey && 398+ if (options.gss_renewal_rekey &&
398+ ssh_gssapi_credentials_updated(NULL)) { 399+ ssh_gssapi_credentials_updated(NULL)) {
@@ -400,15 +401,16 @@ index 87ceb3d..fba1b54 100644
400+ need_rekeying = 1; 401+ need_rekeying = 1;
401+ } 402+ }
402+#endif 403+#endif
404+ }
403+ 405+
404 if (need_rekeying || packet_need_rekeying()) { 406 /* Buffer input from the connection. */
405 debug("need rekeying"); 407 client_process_net_input(readset);
406 active_state->kex->done = 0; 408
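Review bot: in the refreshed client_loop hunk the forced-rekey path still only sets `need_rekeying = 1`, but the trailing context has changed from `if (need_rekeying || packet_need_rekeying())` to `/* Buffer input from the connection. */` / `client_process_net_input(readset);`, and the rekeying test now goes through `ssh_packet_is_rekeying(active_state)`. Check that `need_rekeying` is still declared in the new clientloop.c and still consulted somewhere to start a key exchange; if upstream moved that decision into the packet layer, GSSAPIRenewalForcesRekey silently becomes a no-op even though the option still parses. Re-adding braces around a now brace-less `if (!ssh_packet_is_rekeying(active_state))` is correct, but it widens the diff against upstream and will need re-adjusting on every refresh.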
407diff --git a/config.h.in b/config.h.in 409diff --git a/config.h.in b/config.h.in
408index 7500df5..97accd8 100644 410index 89bf1b0..621c139 100644
409--- a/config.h.in 411--- a/config.h.in
410+++ b/config.h.in 412+++ b/config.h.in
411@@ -1623,6 +1623,9 @@ 413@@ -1641,6 +1641,9 @@
412 /* Use btmp to log bad logins */ 414 /* Use btmp to log bad logins */
413 #undef USE_BTMP 415 #undef USE_BTMP
414 416
@@ -418,21 +420,21 @@ index 7500df5..97accd8 100644
418 /* Use libedit for sftp */ 420 /* Use libedit for sftp */
419 #undef USE_LIBEDIT 421 #undef USE_LIBEDIT
420 422
421@@ -1638,6 +1641,9 @@ 423@@ -1656,6 +1659,9 @@
422 /* Use PIPES instead of a socketpair() */ 424 /* Use PIPES instead of a socketpair() */
423 #undef USE_PIPES 425 #undef USE_PIPES
424 426
425+/* platform has the Security Authorization Session API */ 427+/* platform has the Security Authorization Session API */
426+#undef USE_SECURITY_SESSION_API 428+#undef USE_SECURITY_SESSION_API
427+ 429+
428 /* Define if you have Solaris process contracts */ 430 /* Define if you have Solaris privileges */
429 #undef USE_SOLARIS_PROCESS_CONTRACTS 431 #undef USE_SOLARIS_PRIVS
430 432
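Review bot: the config.h.in hunk is only carrying along context drift (`USE_SOLARIS_PROCESS_CONTRACTS` has become `USE_SOLARIS_PRIVS`), and the `#undef USE_SECURITY_SESSION_API` it inserts is autoheader output whose matching check belongs in the configure.ac hunk that follows. If the Debian build already runs autoreconf, consider dropping the config.h.in hunk from the patch so it stops needing a manual refresh every time the surrounding defines move; if it does not, the two hunks must stay in lock-step.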
431diff --git a/configure.ac b/configure.ac 433diff --git a/configure.ac b/configure.ac
432index 9b05c30..7a25603 100644 434index 7258cc0..5f1ff74 100644
433--- a/configure.ac 435--- a/configure.ac
434+++ b/configure.ac 436+++ b/configure.ac
435@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 437@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
436 [Use tunnel device compatibility to OpenBSD]) 438 [Use tunnel device compatibility to OpenBSD])
437 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 439 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
438 [Prepend the address family to IP tunnel traffic]) 440 [Prepend the address family to IP tunnel traffic])
@@ -1212,10 +1214,10 @@ index 53993d6..2f6baf7 100644
1212 1214
1213 #endif 1215 #endif
1214diff --git a/kex.c b/kex.c 1216diff --git a/kex.c b/kex.c
1215index b777b7d..390bb69 100644 1217index d371f47..913e923 100644
1216--- a/kex.c 1218--- a/kex.c
1217+++ b/kex.c 1219+++ b/kex.c
1218@@ -55,6 +55,10 @@ 1220@@ -54,6 +54,10 @@
1219 #include "sshbuf.h" 1221 #include "sshbuf.h"
1220 #include "digest.h" 1222 #include "digest.h"
1221 1223
@@ -1226,7 +1228,7 @@ index b777b7d..390bb69 100644
1226 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1228 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1227 # if defined(HAVE_EVP_SHA256) 1229 # if defined(HAVE_EVP_SHA256)
1228 # define evp_ssh_sha256 EVP_sha256 1230 # define evp_ssh_sha256 EVP_sha256
1229@@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = { 1231@@ -109,6 +113,14 @@ static const struct kexalg kexalgs[] = {
1230 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1232 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1231 { NULL, -1, -1, -1}, 1233 { NULL, -1, -1, -1},
1232 }; 1234 };
@@ -1241,7 +1243,7 @@ index b777b7d..390bb69 100644
1241 1243
1242 char * 1244 char *
1243 kex_alg_list(char sep) 1245 kex_alg_list(char sep)
1244@@ -129,6 +141,10 @@ kex_alg_by_name(const char *name) 1246@@ -141,6 +153,10 @@ kex_alg_by_name(const char *name)
1245 if (strcmp(k->name, name) == 0) 1247 if (strcmp(k->name, name) == 0)
1246 return k; 1248 return k;
1247 } 1249 }
@@ -1253,10 +1255,10 @@ index b777b7d..390bb69 100644
1253 } 1255 }
1254 1256
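Review bot: the kexalgs[] hunk appends its eight new lines after the `};` that closes the table, and the kex_alg_by_name hunk adds its lookup after the loop over `kexalgs`, so the GSSAPI key-exchange names appear to live in a second table rather than in kexalgs[] itself. Make sure `kex_alg_list()` (the very next function in the context) walks that second table too; otherwise a name that `kex_alg_by_name` accepts is absent from what `kex_alg_list` reports, and the two disagree.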
1255diff --git a/kex.h b/kex.h 1257diff --git a/kex.h b/kex.h
1256index d71b532..ee46815 100644 1258index 1c58966..123ef83 100644
1257--- a/kex.h 1259--- a/kex.h
1258+++ b/kex.h 1260+++ b/kex.h
1259@@ -93,6 +93,9 @@ enum kex_exchange { 1261@@ -92,6 +92,9 @@ enum kex_exchange {
1260 KEX_DH_GEX_SHA256, 1262 KEX_DH_GEX_SHA256,
1261 KEX_ECDH_SHA2, 1263 KEX_ECDH_SHA2,
1262 KEX_C25519_SHA256, 1264 KEX_C25519_SHA256,
@@ -1266,7 +1268,7 @@ index d71b532..ee46815 100644
1266 KEX_MAX 1268 KEX_MAX
1267 }; 1269 };
1268 1270
1269@@ -139,6 +142,12 @@ struct kex { 1271@@ -140,6 +143,12 @@ struct kex {
1270 u_int flags; 1272 u_int flags;
1271 int hash_alg; 1273 int hash_alg;
1272 int ec_nid; 1274 int ec_nid;
@@ -1279,7 +1281,7 @@ index d71b532..ee46815 100644
1279 char *client_version_string; 1281 char *client_version_string;
1280 char *server_version_string; 1282 char *server_version_string;
1281 char *failed_choice; 1283 char *failed_choice;
1282@@ -187,6 +196,11 @@ int kexecdh_server(struct ssh *); 1284@@ -190,6 +199,11 @@ int kexecdh_server(struct ssh *);
1283 int kexc25519_client(struct ssh *); 1285 int kexc25519_client(struct ssh *);
1284 int kexc25519_server(struct ssh *); 1286 int kexc25519_server(struct ssh *);
1285 1287
@@ -1935,10 +1937,10 @@ index 0000000..0847469
1935+} 1937+}
1936+#endif /* GSSAPI */ 1938+#endif /* GSSAPI */
1937diff --git a/monitor.c b/monitor.c 1939diff --git a/monitor.c b/monitor.c
1938index a914209..2658aaa 100644 1940index ac7dd30..6c82023 100644
1939--- a/monitor.c 1941--- a/monitor.c
1940+++ b/monitor.c 1942+++ b/monitor.c
1941@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 1943@@ -156,6 +156,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
1942 int mm_answer_gss_accept_ctx(int, Buffer *); 1944 int mm_answer_gss_accept_ctx(int, Buffer *);
1943 int mm_answer_gss_userok(int, Buffer *); 1945 int mm_answer_gss_userok(int, Buffer *);
1944 int mm_answer_gss_checkmic(int, Buffer *); 1946 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1947,7 +1949,7 @@ index a914209..2658aaa 100644
1947 #endif 1949 #endif
1948 1950
1949 #ifdef SSH_AUDIT_EVENTS 1951 #ifdef SSH_AUDIT_EVENTS
1950@@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = { 1952@@ -233,11 +235,18 @@ struct mon_table mon_dispatch_proto20[] = {
1951 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 1953 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
1952 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 1954 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
1953 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 1955 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1966,7 +1968,7 @@ index a914209..2658aaa 100644
1966 #ifdef WITH_OPENSSL 1968 #ifdef WITH_OPENSSL
1967 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 1969 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
1968 #endif 1970 #endif
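Review bot: the mon_dispatch_proto20 hunk grows by seven rows next to entries that carry `MON_ISAUTH` and `MON_AUTH`, so each new MONITOR_REQ_* row added for GSSAPI key exchange needs the flag that matches what the request can do. A row that can complete authentication but is registered with 0 (as the `MONITOR_REQ_MODULI` row below is) would let the unprivileged pre-auth child finish without the monitor recording it, so please check every new row's flag rather than copying the neighbouring ones.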
1969@@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 1971@@ -352,6 +361,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
1970 /* Permit requests for moduli and signatures */ 1972 /* Permit requests for moduli and signatures */
1971 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 1973 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1972 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 1974 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1977,7 +1979,7 @@ index a914209..2658aaa 100644
1977 } else { 1979 } else {
1978 mon_dispatch = mon_dispatch_proto15; 1980 mon_dispatch = mon_dispatch_proto15;
1979 1981
1980@@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor) 1982@@ -460,6 +473,10 @@ monitor_child_postauth(struct monitor *pmonitor)
1981 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 1983 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1982 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 1984 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
1983 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 1985 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1988,7 +1990,7 @@ index a914209..2658aaa 100644
1988 } else { 1990 } else {
1989 mon_dispatch = mon_dispatch_postauth15; 1991 mon_dispatch = mon_dispatch_postauth15;
1990 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 1992 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
1991@@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 1993@@ -1861,6 +1878,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
1992 # endif 1994 # endif
1993 #endif /* WITH_OPENSSL */ 1995 #endif /* WITH_OPENSSL */
1994 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 1996 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2002,7 +2004,7 @@ index a914209..2658aaa 100644
2002 kex->load_host_public_key=&get_hostkey_public_by_type; 2004 kex->load_host_public_key=&get_hostkey_public_by_type;
2003 kex->load_host_private_key=&get_hostkey_private_by_type; 2005 kex->load_host_private_key=&get_hostkey_private_by_type;
2004 kex->host_key_index=&get_hostkey_index; 2006 kex->host_key_index=&get_hostkey_index;
2005@@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2007@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2006 OM_uint32 major; 2008 OM_uint32 major;
2007 u_int len; 2009 u_int len;
2008 2010
@@ -2012,7 +2014,7 @@ index a914209..2658aaa 100644
2012 goid.elements = buffer_get_string(m, &len); 2014 goid.elements = buffer_get_string(m, &len);
2013 goid.length = len; 2015 goid.length = len;
2014 2016
2015@@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2017@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2016 OM_uint32 flags = 0; /* GSI needs this */ 2018 OM_uint32 flags = 0; /* GSI needs this */
2017 u_int len; 2019 u_int len;
2018 2020
@@ -2022,7 +2024,7 @@ index a914209..2658aaa 100644
2022 in.value = buffer_get_string(m, &len); 2024 in.value = buffer_get_string(m, &len);
2023 in.length = len; 2025 in.length = len;
2024 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2026 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2025@@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2027@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2026 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2028 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2027 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2029 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2028 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2030 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2030,7 +2032,7 @@ index a914209..2658aaa 100644
2030 } 2032 }
2031 return (0); 2033 return (0);
2032 } 2034 }
2033@@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2035@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2034 OM_uint32 ret; 2036 OM_uint32 ret;
2035 u_int len; 2037 u_int len;
2036 2038
@@ -2040,7 +2042,7 @@ index a914209..2658aaa 100644
2040 gssbuf.value = buffer_get_string(m, &len); 2042 gssbuf.value = buffer_get_string(m, &len);
2041 gssbuf.length = len; 2043 gssbuf.length = len;
2042 mic.value = buffer_get_string(m, &len); 2044 mic.value = buffer_get_string(m, &len);
2043@@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2045@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2044 { 2046 {
2045 int authenticated; 2047 int authenticated;
2046 2048
@@ -2053,7 +2055,7 @@ index a914209..2658aaa 100644
2053 2055
2054 buffer_clear(m); 2056 buffer_clear(m);
2055 buffer_put_int(m, authenticated); 2057 buffer_put_int(m, authenticated);
2056@@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2058@@ -2054,5 +2092,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2057 /* Monitor loop will terminate if authenticated */ 2059 /* Monitor loop will terminate if authenticated */
2058 return (authenticated); 2060 return (authenticated);
2059 } 2061 }
@@ -2142,7 +2144,7 @@ index 93b8b66..bc50ade 100644
2142 2144
2143 struct mm_master; 2145 struct mm_master;
2144diff --git a/monitor_wrap.c b/monitor_wrap.c 2146diff --git a/monitor_wrap.c b/monitor_wrap.c
2145index eac421b..81ceddb 100644 2147index c5db6df..74fbd2e 100644
2146--- a/monitor_wrap.c 2148--- a/monitor_wrap.c
2147+++ b/monitor_wrap.c 2149+++ b/monitor_wrap.c
2148@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2150@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -2206,7 +2208,7 @@ index eac421b..81ceddb 100644
2206 #endif /* GSSAPI */ 2208 #endif /* GSSAPI */
2207 2209
2208diff --git a/monitor_wrap.h b/monitor_wrap.h 2210diff --git a/monitor_wrap.h b/monitor_wrap.h
2209index de4a08f..9758290 100644 2211index eb820ae..403f8d0 100644
2210--- a/monitor_wrap.h 2212--- a/monitor_wrap.h
2211+++ b/monitor_wrap.h 2213+++ b/monitor_wrap.h
2212@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); 2214@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2222,10 +2224,10 @@ index de4a08f..9758290 100644
2222 2224
2223 #ifdef USE_PAM 2225 #ifdef USE_PAM
2224diff --git a/readconf.c b/readconf.c 2226diff --git a/readconf.c b/readconf.c
2225index cd01482..56e0f44 100644 2227index 69d4553..d2a3d4b 100644
2226--- a/readconf.c 2228--- a/readconf.c
2227+++ b/readconf.c 2229+++ b/readconf.c
2228@@ -147,6 +147,8 @@ typedef enum { 2230@@ -148,6 +148,8 @@ typedef enum {
2229 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2231 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2230 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2232 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2231 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2233 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2234,7 +2236,7 @@ index cd01482..56e0f44 100644
2234 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2236 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2235 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2237 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2236 oHashKnownHosts, 2238 oHashKnownHosts,
2237@@ -192,10 +194,19 @@ static struct { 2239@@ -193,10 +195,19 @@ static struct {
2238 { "afstokenpassing", oUnsupported }, 2240 { "afstokenpassing", oUnsupported },
2239 #if defined(GSSAPI) 2241 #if defined(GSSAPI)
2240 { "gssapiauthentication", oGssAuthentication }, 2242 { "gssapiauthentication", oGssAuthentication },
@@ -2254,7 +2256,7 @@ index cd01482..56e0f44 100644
2254 #endif 2256 #endif
2255 { "fallbacktorsh", oDeprecated }, 2257 { "fallbacktorsh", oDeprecated },
2256 { "usersh", oDeprecated }, 2258 { "usersh", oDeprecated },
2257@@ -894,10 +905,30 @@ parse_time: 2259@@ -926,10 +937,30 @@ parse_time:
2258 intptr = &options->gss_authentication; 2260 intptr = &options->gss_authentication;
2259 goto parse_flag; 2261 goto parse_flag;
2260 2262
@@ -2285,7 +2287,7 @@ index cd01482..56e0f44 100644
2285 case oBatchMode: 2287 case oBatchMode:
2286 intptr = &options->batch_mode; 2288 intptr = &options->batch_mode;
2287 goto parse_flag; 2289 goto parse_flag;
2288@@ -1601,7 +1632,12 @@ initialize_options(Options * options) 2290@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
2289 options->pubkey_authentication = -1; 2291 options->pubkey_authentication = -1;
2290 options->challenge_response_authentication = -1; 2292 options->challenge_response_authentication = -1;
2291 options->gss_authentication = -1; 2293 options->gss_authentication = -1;
@@ -2298,7 +2300,7 @@ index cd01482..56e0f44 100644
2298 options->password_authentication = -1; 2300 options->password_authentication = -1;
2299 options->kbd_interactive_authentication = -1; 2301 options->kbd_interactive_authentication = -1;
2300 options->kbd_interactive_devices = NULL; 2302 options->kbd_interactive_devices = NULL;
2301@@ -1729,8 +1765,14 @@ fill_default_options(Options * options) 2303@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
2302 options->challenge_response_authentication = 1; 2304 options->challenge_response_authentication = 1;
2303 if (options->gss_authentication == -1) 2305 if (options->gss_authentication == -1)
2304 options->gss_authentication = 0; 2306 options->gss_authentication = 0;
@@ -2314,7 +2316,7 @@ index cd01482..56e0f44 100644
2314 options->password_authentication = 1; 2316 options->password_authentication = 1;
2315 if (options->kbd_interactive_authentication == -1) 2317 if (options->kbd_interactive_authentication == -1)
2316diff --git a/readconf.h b/readconf.h 2318diff --git a/readconf.h b/readconf.h
2317index bb2d552..e7e80c3 100644 2319index c84d068..37a0555 100644
2318--- a/readconf.h 2320--- a/readconf.h
2319+++ b/readconf.h 2321+++ b/readconf.h
2320@@ -45,7 +45,12 @@ typedef struct { 2322@@ -45,7 +45,12 @@ typedef struct {
@@ -2331,7 +2333,7 @@ index bb2d552..e7e80c3 100644
2331 * authentication. */ 2333 * authentication. */
2332 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2334 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2333diff --git a/servconf.c b/servconf.c 2335diff --git a/servconf.c b/servconf.c
2334index 6c7a91e..cfe7029 100644 2336index b19d30e..b8af6dd 100644
2335--- a/servconf.c 2337--- a/servconf.c
2336+++ b/servconf.c 2338+++ b/servconf.c
2337@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) 2339@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
@@ -2345,7 +2347,7 @@ index 6c7a91e..cfe7029 100644
2345 options->password_authentication = -1; 2347 options->password_authentication = -1;
2346 options->kbd_interactive_authentication = -1; 2348 options->kbd_interactive_authentication = -1;
2347 options->challenge_response_authentication = -1; 2349 options->challenge_response_authentication = -1;
2348@@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options) 2350@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options)
2349 options->kerberos_get_afs_token = 0; 2351 options->kerberos_get_afs_token = 0;
2350 if (options->gss_authentication == -1) 2352 if (options->gss_authentication == -1)
2351 options->gss_authentication = 0; 2353 options->gss_authentication = 0;
@@ -2361,7 +2363,7 @@ index 6c7a91e..cfe7029 100644
2361 if (options->password_authentication == -1) 2363 if (options->password_authentication == -1)
2362 options->password_authentication = 1; 2364 options->password_authentication = 1;
2363 if (options->kbd_interactive_authentication == -1) 2365 if (options->kbd_interactive_authentication == -1)
2364@@ -412,6 +418,7 @@ typedef enum { 2366@@ -419,6 +425,7 @@ typedef enum {
2365 sHostKeyAlgorithms, 2367 sHostKeyAlgorithms,
2366 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2368 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2367 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2369 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2369,7 +2371,7 @@ index 6c7a91e..cfe7029 100644
2369 sAcceptEnv, sPermitTunnel, 2371 sAcceptEnv, sPermitTunnel,
2370 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2372 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2371 sUsePrivilegeSeparation, sAllowAgentForwarding, 2373 sUsePrivilegeSeparation, sAllowAgentForwarding,
2372@@ -485,12 +492,20 @@ static struct { 2374@@ -492,12 +499,20 @@ static struct {
2373 #ifdef GSSAPI 2375 #ifdef GSSAPI
2374 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2375 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2390,7 +2392,7 @@ index 6c7a91e..cfe7029 100644
2390 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2392 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2391 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2393 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2392 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2394 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2393@@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line, 2395@@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line,
2394 intptr = &options->gss_authentication; 2396 intptr = &options->gss_authentication;
2395 goto parse_flag; 2397 goto parse_flag;
2396 2398
@@ -2401,7 +2403,7 @@ index 6c7a91e..cfe7029 100644
2401 case sGssCleanupCreds: 2403 case sGssCleanupCreds:
2402 intptr = &options->gss_cleanup_creds; 2404 intptr = &options->gss_cleanup_creds;
2403 goto parse_flag; 2405 goto parse_flag;
2404@@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line, 2406@@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line,
2405 intptr = &options->gss_strict_acceptor; 2407 intptr = &options->gss_strict_acceptor;
2406 goto parse_flag; 2408 goto parse_flag;
2407 2409
@@ -2412,7 +2414,7 @@ index 6c7a91e..cfe7029 100644
2412 case sPasswordAuthentication: 2414 case sPasswordAuthentication:
2413 intptr = &options->password_authentication; 2415 intptr = &options->password_authentication;
2414 goto parse_flag; 2416 goto parse_flag;
2415@@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o) 2417@@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o)
2416 #endif 2418 #endif
2417 #ifdef GSSAPI 2419 #ifdef GSSAPI
2418 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2420 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2542,7 +2544,7 @@ index a99d7f0..914701b 100644
2542 2544
2543 #endif /* _SSH_GSS_H */ 2545 #endif /* _SSH_GSS_H */
2544diff --git a/ssh_config b/ssh_config 2546diff --git a/ssh_config b/ssh_config
2545index 03a228f..228e5ab 100644 2547index 90fb63f..4e879cd 100644
2546--- a/ssh_config 2548--- a/ssh_config
2547+++ b/ssh_config 2549+++ b/ssh_config
2548@@ -26,6 +26,8 @@ 2550@@ -26,6 +26,8 @@
@@ -2555,19 +2557,18 @@ index 03a228f..228e5ab 100644
2555 # CheckHostIP yes 2557 # CheckHostIP yes
2556 # AddressFamily any 2558 # AddressFamily any
2557diff --git a/ssh_config.5 b/ssh_config.5 2559diff --git a/ssh_config.5 b/ssh_config.5
2558index a47f3ca..cac8cda 100644 2560index caf13a6..9060d5b 100644
2559--- a/ssh_config.5 2561--- a/ssh_config.5
2560+++ b/ssh_config.5 2562+++ b/ssh_config.5
2561@@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed. 2563@@ -826,10 +826,42 @@ The default is
2564 Specifies whether user authentication based on GSSAPI is allowed.
2562 The default is 2565 The default is
2563 .Dq no . 2566 .Dq no .
2564 Note that this option applies to protocol version 2 only.
2565+.It Cm GSSAPIKeyExchange 2567+.It Cm GSSAPIKeyExchange
2566+Specifies whether key exchange based on GSSAPI may be used. When using 2568+Specifies whether key exchange based on GSSAPI may be used. When using
2567+GSSAPI key exchange the server need not have a host key. 2569+GSSAPI key exchange the server need not have a host key.
2568+The default is 2570+The default is
2569+.Dq no . 2571+.Dq no .
2570+Note that this option applies to protocol version 2 only.
2571+.It Cm GSSAPIClientIdentity 2572+.It Cm GSSAPIClientIdentity
2572+If set, specifies the GSSAPI client identity that ssh should use when 2573+If set, specifies the GSSAPI client identity that ssh should use when
2573+connecting to the server. The default is unset, which means that the default 2574+connecting to the server. The default is unset, which means that the default
@@ -2581,8 +2582,6 @@ index a47f3ca..cac8cda 100644
2581 Forward (delegate) credentials to the server. 2582 Forward (delegate) credentials to the server.
2582 The default is 2583 The default is
2583 .Dq no . 2584 .Dq no .
2584-Note that this option applies to protocol version 2 only.
2585+Note that this option applies to protocol version 2 connections using GSSAPI.
2586+.It Cm GSSAPIRenewalForcesRekey 2585+.It Cm GSSAPIRenewalForcesRekey
2587+If set to 2586+If set to
2588+.Dq yes 2587+.Dq yes
@@ -2601,15 +2600,14 @@ index a47f3ca..cac8cda 100644
2601+command line will be passed untouched to the GSSAPI library. 2600+command line will be passed untouched to the GSSAPI library.
2602+The default is 2601+The default is
2603+.Dq no . 2602+.Dq no .
2604+This option only applies to protocol version 2 connections using GSSAPI.
2605 .It Cm HashKnownHosts 2603 .It Cm HashKnownHosts
2606 Indicates that 2604 Indicates that
2607 .Xr ssh 1 2605 .Xr ssh 1
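Review bot: the refresh drops every `Note that this option applies to protocol version 2 only` line from the GSSAPI* entries, including the `protocol version 2 connections using GSSAPI` rewording the old patch made for GSSAPIDelegateCredentials; that follows upstream, which removed the same sentence from the GSSAPIAuthentication context, so it is correct, but it is a documentation change beyond a pure context refresh and the changelog should say so. Separately, `When using GSSAPI key exchange the server need not have a host key.` would read less like an invitation to skip host verification if it mirrored the sshd_config.5 wording (`GSSAPI key exchange doesn't rely on ssh keys to verify host identity`) and said that the GSSAPI mechanism verifies the host instead.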
2608diff --git a/sshconnect2.c b/sshconnect2.c 2606diff --git a/sshconnect2.c b/sshconnect2.c
2609index 7751031..32e9b0d 100644 2607index f79c96b..b452eae 100644
2610--- a/sshconnect2.c 2608--- a/sshconnect2.c
2611+++ b/sshconnect2.c 2609+++ b/sshconnect2.c
2612@@ -160,6 +160,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2610@@ -161,6 +161,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2613 struct kex *kex; 2611 struct kex *kex;
2614 int r; 2612 int r;
2615 2613
@@ -2621,7 +2619,7 @@ index 7751031..32e9b0d 100644
2621 xxx_host = host; 2619 xxx_host = host;
2622 xxx_hostaddr = hostaddr; 2620 xxx_hostaddr = hostaddr;
2623 2621
2624@@ -193,6 +198,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2622@@ -195,6 +200,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2625 order_hostkeyalgs(host, hostaddr, port)); 2623 order_hostkeyalgs(host, hostaddr, port));
2626 } 2624 }
2627 2625
@@ -2655,7 +2653,7 @@ index 7751031..32e9b0d 100644
2655 if (options.rekey_limit || options.rekey_interval) 2653 if (options.rekey_limit || options.rekey_interval)
2656 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2654 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2657 (time_t)options.rekey_interval); 2655 (time_t)options.rekey_interval);
2658@@ -211,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2656@@ -213,10 +245,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2659 # endif 2657 # endif
2660 #endif 2658 #endif
2661 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2659 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2685,8 +2683,8 @@ index 7751031..32e9b0d 100644
2685+ 2683+
2686 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); 2684 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
2687 2685
2688 if (options.use_roaming && !kex->roaming) { 2686 /* remove ext-info from the KEX proposals for rekeying */
2689@@ -306,6 +358,7 @@ int input_gssapi_token(int type, u_int32_t, void *); 2687@@ -311,6 +363,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
2690 int input_gssapi_hash(int type, u_int32_t, void *); 2688 int input_gssapi_hash(int type, u_int32_t, void *);
2691 int input_gssapi_error(int, u_int32_t, void *); 2689 int input_gssapi_error(int, u_int32_t, void *);
2692 int input_gssapi_errtok(int, u_int32_t, void *); 2690 int input_gssapi_errtok(int, u_int32_t, void *);
@@ -2694,7 +2692,7 @@ index 7751031..32e9b0d 100644
2694 #endif 2692 #endif
2695 2693
2696 void userauth(Authctxt *, char *); 2694 void userauth(Authctxt *, char *);
2697@@ -321,6 +374,11 @@ static char *authmethods_get(void); 2695@@ -326,6 +379,11 @@ static char *authmethods_get(void);
2698 2696
2699 Authmethod authmethods[] = { 2697 Authmethod authmethods[] = {
2700 #ifdef GSSAPI 2698 #ifdef GSSAPI
@@ -2706,7 +2704,7 @@ index 7751031..32e9b0d 100644
2706 {"gssapi-with-mic", 2704 {"gssapi-with-mic",
2707 userauth_gssapi, 2705 userauth_gssapi,
2708 NULL, 2706 NULL,
2709@@ -627,19 +685,31 @@ userauth_gssapi(Authctxt *authctxt) 2707@@ -656,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
2710 static u_int mech = 0; 2708 static u_int mech = 0;
2711 OM_uint32 min; 2709 OM_uint32 min;
2712 int ok = 0; 2710 int ok = 0;
@@ -2740,7 +2738,7 @@ index 7751031..32e9b0d 100644
2740 ok = 1; /* Mechanism works */ 2738 ok = 1; /* Mechanism works */
2741 } else { 2739 } else {
2742 mech++; 2740 mech++;
2743@@ -736,8 +806,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2741@@ -765,8 +835,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2744 { 2742 {
2745 Authctxt *authctxt = ctxt; 2743 Authctxt *authctxt = ctxt;
2746 Gssctxt *gssctxt; 2744 Gssctxt *gssctxt;
@@ -2751,7 +2749,7 @@ index 7751031..32e9b0d 100644
2751 2749
2752 if (authctxt == NULL) 2750 if (authctxt == NULL)
2753 fatal("input_gssapi_response: no authentication context"); 2751 fatal("input_gssapi_response: no authentication context");
2754@@ -850,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2752@@ -879,6 +949,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2755 free(lang); 2753 free(lang);
2756 return 0; 2754 return 0;
2757 } 2755 }
@@ -2801,10 +2799,10 @@ index 7751031..32e9b0d 100644
2801 2799
2802 int 2800 int
2803diff --git a/sshd.c b/sshd.c 2801diff --git a/sshd.c b/sshd.c
2804index 43d4650..d659a68 100644 2802index 430569c..5cd9129 100644
2805--- a/sshd.c 2803--- a/sshd.c
2806+++ b/sshd.c 2804+++ b/sshd.c
2807@@ -126,6 +126,10 @@ 2805@@ -125,6 +125,10 @@
2808 #include "version.h" 2806 #include "version.h"
2809 #include "ssherr.h" 2807 #include "ssherr.h"
2810 2808
@@ -2890,7 +2888,7 @@ index 43d4650..d659a68 100644
2890 /* 2888 /*
2891 * We don't want to listen forever unless the other side 2889 * We don't want to listen forever unless the other side
2892 * successfully authenticates itself. So we set up an alarm which is 2890 * successfully authenticates itself. So we set up an alarm which is
2893@@ -2569,6 +2630,48 @@ do_ssh2_kex(void) 2891@@ -2571,6 +2632,48 @@ do_ssh2_kex(void)
2894 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 2892 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2895 list_hostkey_types()); 2893 list_hostkey_types());
2896 2894
@@ -2939,7 +2937,7 @@ index 43d4650..d659a68 100644
2939 /* start key exchange */ 2937 /* start key exchange */
2940 if ((r = kex_setup(active_state, myproposal)) != 0) 2938 if ((r = kex_setup(active_state, myproposal)) != 0)
2941 fatal("kex_setup: %s", ssh_err(r)); 2939 fatal("kex_setup: %s", ssh_err(r));
2942@@ -2583,6 +2686,13 @@ do_ssh2_kex(void) 2940@@ -2585,6 +2688,13 @@ do_ssh2_kex(void)
2943 # endif 2941 # endif
2944 #endif 2942 #endif
2945 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2943 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2954,7 +2952,7 @@ index 43d4650..d659a68 100644
2954 kex->client_version_string=client_version_string; 2952 kex->client_version_string=client_version_string;
2955 kex->server_version_string=server_version_string; 2953 kex->server_version_string=server_version_string;
2956diff --git a/sshd_config b/sshd_config 2954diff --git a/sshd_config b/sshd_config
2957index 4d77f05..64786c9 100644 2955index a848d73..f103298 100644
2958--- a/sshd_config 2956--- a/sshd_config
2959+++ b/sshd_config 2957+++ b/sshd_config
2960@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys 2958@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -2967,23 +2965,22 @@ index 4d77f05..64786c9 100644
2967 # Set this to 'yes' to enable PAM authentication, account processing, 2965 # Set this to 'yes' to enable PAM authentication, account processing,
2968 # and session processing. If this is enabled, PAM authentication will 2966 # and session processing. If this is enabled, PAM authentication will
2969diff --git a/sshd_config.5 b/sshd_config.5 2967diff --git a/sshd_config.5 b/sshd_config.5
2970index b18d340..5491c89 100644 2968index a37a3ac..c6d6858 100644
2971--- a/sshd_config.5 2969--- a/sshd_config.5
2972+++ b/sshd_config.5 2970+++ b/sshd_config.5
2973@@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed. 2971@@ -623,6 +623,11 @@ The default is
2972 Specifies whether user authentication based on GSSAPI is allowed.
2974 The default is 2973 The default is
2975 .Dq no . 2974 .Dq no .
2976 Note that this option applies to protocol version 2 only.
2977+.It Cm GSSAPIKeyExchange 2975+.It Cm GSSAPIKeyExchange
2978+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 2976+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
2979+doesn't rely on ssh keys to verify host identity. 2977+doesn't rely on ssh keys to verify host identity.
2980+The default is 2978+The default is
2981+.Dq no . 2979+.Dq no .
2982+Note that this option applies to protocol version 2 only.
2983 .It Cm GSSAPICleanupCredentials 2980 .It Cm GSSAPICleanupCredentials
2984 Specifies whether to automatically destroy the user's credentials cache 2981 Specifies whether to automatically destroy the user's credentials cache
2985 on logout. 2982 on logout.
2986@@ -642,6 +648,11 @@ machine's default store. 2983@@ -643,6 +648,11 @@ machine's default store.
2987 This facility is provided to assist with operation on multi homed machines. 2984 This facility is provided to assist with operation on multi homed machines.
2988 The default is 2985 The default is
2989 .Dq yes . 2986 .Dq yes .
@@ -2996,28 +2993,28 @@ index b18d340..5491c89 100644
2996 Specifies the key types that will be accepted for hostbased authentication 2993 Specifies the key types that will be accepted for hostbased authentication
2997 as a comma-separated pattern list. 2994 as a comma-separated pattern list.
2998diff --git a/sshkey.c b/sshkey.c 2995diff --git a/sshkey.c b/sshkey.c
2999index 32dd8f2..5368e7c 100644 2996index 87b093e..e595b11 100644
3000--- a/sshkey.c 2997--- a/sshkey.c
3001+++ b/sshkey.c 2998+++ b/sshkey.c
3002@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { 2999@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = {
3003 # endif /* OPENSSL_HAS_NISTP521 */ 3000 # endif /* OPENSSL_HAS_NISTP521 */
3004 # endif /* OPENSSL_HAS_ECC */ 3001 # endif /* OPENSSL_HAS_ECC */
3005 #endif /* WITH_OPENSSL */ 3002 #endif /* WITH_OPENSSL */
3006+ { "null", "null", KEY_NULL, 0, 0 }, 3003+ { "null", "null", KEY_NULL, 0, 0, 0 },
3007 { NULL, NULL, -1, -1, 0 } 3004 { NULL, NULL, -1, -1, 0, 0 }
3008 }; 3005 };
3009 3006
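Review bot: both initialisers in the refreshed hunk now carry six fields (`{ "null", "null", KEY_NULL, 0, 0, 0 }` and the `{ NULL, NULL, -1, -1, 0, 0 }` sentinel) to match the extra member upstream added to struct keytype; since this placeholder entry exists only to name the host-key-less "null" algorithm used by GSSAPI key exchange, a short comment on the line stating that it must never be treated as a real, signature-capable key type would make the next rebase safer when the field order changes again.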
3010@@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only) 3007@@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only)
3011 const struct keytype *kt; 3008 const struct keytype *kt;
3012 3009
3013 for (kt = keytypes; kt->type != -1; kt++) { 3010 for (kt = keytypes; kt->type != -1; kt++) {
3014- if (kt->name == NULL) 3011- if (kt->name == NULL || kt->sigonly)
3015+ if (kt->name == NULL || kt->type == KEY_NULL) 3012+ if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL)
3016 continue; 3013 continue;
3017 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3014 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3018 continue; 3015 continue;
3019diff --git a/sshkey.h b/sshkey.h 3016diff --git a/sshkey.h b/sshkey.h
3020index c8d3cdd..5cf4e5d 100644 3017index a20a14f..2259cbb 100644
3021--- a/sshkey.h 3018--- a/sshkey.h
3022+++ b/sshkey.h 3019+++ b/sshkey.h
3023@@ -62,6 +62,7 @@ enum sshkey_types { 3020@@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index a19fe6c6d..935235b27 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From 0a3d1df1344642161b1ee001a3885a1ee8ebc03b Mon Sep 17 00:00:00 2001 1From 5c2c0e042d57cee75528686f47b4c47db434ad8b Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
12 1 file changed, 1 insertion(+), 1 deletion(-) 12 1 file changed, 1 insertion(+), 1 deletion(-)
13 13
14diff --git a/serverloop.c b/serverloop.c 14diff --git a/serverloop.c b/serverloop.c
15index 306ac36..68f0251 100644 15index 80d1db5..830f885 100644
16--- a/serverloop.c 16--- a/serverloop.c
17+++ b/serverloop.c 17+++ b/serverloop.c
18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 18@@ -683,7 +683,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
19 if (!channel_still_open()) 19 if (!channel_still_open())
20 break; 20 break;
21 if (!waiting_termination) { 21 if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 9b5d38271..de0f73c59 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From ea47a6eba9fce31a1b4cd909b7ba19541c9d9c9b Mon Sep 17 00:00:00 2001 1From a9c7a3f8b035fe820fd32283460b1a28e696d2fe Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,10 +26,10 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 831072f..83582e3 100644 29index 559e4c7..fde6b41 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -160,6 +160,7 @@ typedef enum { 32@@ -161,6 +161,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, 35 oPubkeyAcceptedKeyTypes,
@@ -37,7 +37,7 @@ index 831072f..83582e3 100644
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -290,6 +291,8 @@ static struct { 40@@ -293,6 +294,8 @@ static struct {
41 { "hostbasedkeytypes", oHostbasedKeyTypes }, 41 { "hostbasedkeytypes", oHostbasedKeyTypes },
42 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 42 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
43 { "ignoreunknown", oIgnoreUnknown }, 43 { "ignoreunknown", oIgnoreUnknown },
@@ -46,7 +46,7 @@ index 831072f..83582e3 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1304,6 +1307,8 @@ parse_keytypes: 49@@ -1350,6 +1353,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 831072f..83582e3 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -1856,8 +1861,13 @@ fill_default_options(Options * options) 58@@ -1906,8 +1911,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 831072f..83582e3 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index cac8cda..78e918a 100644 75index 9060d5b..bbf638b 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -233,8 +233,12 @@ Valid arguments are 78@@ -268,8 +268,12 @@ The default is
79 If set to 79 If set to
80 .Dq yes , 80 .Dq yes ,
81 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index cac8cda..78e918a 100644
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Dq yes
91 or 91 or
92@@ -1476,8 +1480,15 @@ from the server, 92@@ -1551,7 +1555,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -98,7 +98,6 @@ index cac8cda..78e918a 100644
98+or 300 if the 98+or 300 if the
99+.Cm BatchMode 99+.Cm BatchMode
100+option is set. 100+option is set.
101 This option applies to protocol version 2 only.
102+.Cm ProtocolKeepAlives 101+.Cm ProtocolKeepAlives
103+and 102+and
104+.Cm SetupTimeOut 103+.Cm SetupTimeOut
@@ -106,7 +105,7 @@ index cac8cda..78e918a 100644
106 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
107 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
108 .Pq umask 107 .Pq umask
109@@ -1543,6 +1554,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1617,6 +1628,12 @@ Specifies whether the system should send TCP keepalive messages to the
110 other side. 109 other side.
111 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
112 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -120,10 +119,10 @@ index cac8cda..78e918a 100644
120 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
121 find it annoying. 120 find it annoying.
122diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
123index 5491c89..c8ee35d 100644 122index c6d6858..bc79a66 100644
124--- a/sshd_config.5 123--- a/sshd_config.5
125+++ b/sshd_config.5 124+++ b/sshd_config.5
126@@ -1510,6 +1510,9 @@ This avoids infinitely hanging sessions. 125@@ -1518,6 +1518,9 @@ This avoids infinitely hanging sessions.
127 .Pp 126 .Pp
128 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
129 .Dq no . 128 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
deleted file mode 100644
index a2a440fae..000000000
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ /dev/null
@@ -1,32 +0,0 @@
1From c685ea67334abf73c014aa6ab9f833e9d28fdab8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Subject: Fix picky lintian errors about slogin symlinks
5
6Apparently this breaks some SVR4 packaging systems, so upstream can't win
7either way and opted to keep the status quo. We need this patch anyway.
8
9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
10Last-Update: 2013-09-14
11
12Patch-Name: lintian-symlink-pickiness.patch
13---
14 Makefile.in | 4 ++--
15 1 file changed, 2 insertions(+), 2 deletions(-)
16
17diff --git a/Makefile.in b/Makefile.in
18index 915c740..e161d0e 100644
19--- a/Makefile.in
20+++ b/Makefile.in
21@@ -330,9 +330,9 @@ install-files:
22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
24 -rm -f $(DESTDIR)$(bindir)/slogin
25- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
26+ ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
27 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
28- ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
29+ ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
30
31 install-sysconf:
32 if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
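Review bot: the whole of lintian-symlink-pickiness.patch is deleted here, which removes the only Debian change to the slogin symlink targets in Makefile.in; the matching `lintian-symlink-pickiness.patch` line must also leave debian/patches/series or the patch stack will fail to apply, and the changelog should say whether the patch became unnecessary because upstream no longer installs slogin or because the lintian complaint went away, so that the slogin link is not silently lost for users who still invoke it.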
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index a9c4cb7fc..7e6ad3996 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 89f2729da6734f2d5e3a31d2a75e817750f6cd95 Mon Sep 17 00:00:00 2001 1From cbec84cf05e5dbd6d8a739a7d01e1d242a006d20 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 7 insertions(+), 1 deletion(-) 13 1 file changed, 7 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index cd467fd..bbde8af 100644 16index 8b8e760..fd67727 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -1078,9 +1078,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1081,9 +1081,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
20 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
21 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
22 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -31,7 +31,7 @@ index cd467fd..bbde8af 100644
31 } 31 }
32 /* The host key has changed. */ 32 /* The host key has changed. */
33 warn_changed_key(host_key); 33 warn_changed_key(host_key);
34@@ -1088,6 +1092,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 34@@ -1091,6 +1095,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
35 user_hostfiles[0]); 35 user_hostfiles[0]);
36 error("Offending %s key in %s:%lu", key_type(host_found->key), 36 error("Offending %s key in %s:%lu", key_type(host_found->key),
37 host_found->file, host_found->line); 37 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 194100f56..42463eed7 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From dcc3ce03144d1560d878db8290c9f19dc0511f6f Mon Sep 17 00:00:00 2001 1From c2f77b15d182a5399d4548a57a471d6be7b25a87 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9b1c38bfc..abeaad7a5 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From eb8141e6ac12c0714e0951598fe44634327bfde7 Mon Sep 17 00:00:00 2001 1From 5a19d59c0b76162929545ad1bc92e7de69ce9a7b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index ed17a08..c560179 100644 47index 37a4fc2..24bed5f 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -174,9 +174,7 @@ key in 50@@ -178,9 +178,7 @@ key in
51 .Pa ~/.ssh/id_ed25519 51 .Pa ~/.ssh/id_ed25519
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index ed17a08..c560179 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -223,9 +221,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) 61@@ -227,9 +225,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
62 for which host keys 62 for which host keys
63 do not exist, generate the host keys with the default key file path, 63 do not exist, generate the host keys with the default key file path,
64 an empty passphrase, default bits for the key type, and default comment. 64 an empty passphrase, default bits for the key type, and default comment.
@@ -69,7 +69,7 @@ index ed17a08..c560179 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
71 2 key when the 71 2 key when the
72@@ -638,7 +634,7 @@ option. 72@@ -642,7 +638,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index ed17a08..c560179 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -837,7 +833,7 @@ on all machines 81@@ -841,7 +837,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,11 +88,11 @@ index ed17a08..c560179 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index ff80022..4fba77f 100644 91index feb0e89..41e0aab 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -853,6 +853,10 @@ Protocol 1 is restricted to using only RSA keys, 94@@ -852,6 +852,10 @@ implements public key authentication protocol automatically,
95 but protocol 2 may use any. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
98+(on non-OpenBSD systems, see 98+(on non-OpenBSD systems, see
@@ -103,7 +103,7 @@ index ff80022..4fba77f 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 2105979..42ba596 100644 106index 589841f..58eefe9 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -67,7 +67,7 @@ over an insecure network. 109@@ -67,7 +67,7 @@ over an insecure network.
@@ -115,16 +115,16 @@ index 2105979..42ba596 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -861,7 +861,7 @@ This file is for host-based authentication (see 118@@ -891,7 +891,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
122-.It Pa /etc/moduli 122-.It Pa /etc/moduli
123+.It Pa /etc/ssh/moduli 123+.It Pa /etc/ssh/moduli
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method.
125 The file format is described in 126 The file format is described in
126 .Xr moduli 5 . 127@@ -993,7 +993,6 @@ The content of this file is not sensitive; it can be world-readable.
127@@ -960,7 +960,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 2105979..42ba596 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index b149bd3..0828592 100644 136index b565640..4d255e5 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -374,8 +374,7 @@ This option is only available for protocol version 2. 139@@ -375,8 +375,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index fb7724f58..b41c066e3 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 3e38e90de2e2ead094624f4f140568574c40cae6 Mon Sep 17 00:00:00 2001 1From f7587633dc374db82455fe7a3fa921de5c4a897b Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index bbde8af..0ec1e54 100644 22index fd67727..07dfc9d 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -527,10 +527,10 @@ send_client_banner(int connection_out, int minor1)
26 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
27 if (compat20) { 27 if (compat20) {
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -33,13 +33,13 @@ index bbde8af..0ec1e54 100644
33- PROTOCOL_MAJOR_1, minor1, SSH_VERSION); 33- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
34+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE); 34+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
35 } 35 }
36 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 1b49b26..189d34a 100644 39index bb093cc..c762190 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
43 } 43 }
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,13 +49,13 @@ index 1b49b26..189d34a 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index 41e1ea9..2969570 100644 52index 4189982..236dd87 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.1" 56 #define SSH_VERSION "OpenSSH_7.2"
57 57
58 #define SSH_PORTABLE "p2" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
61+#ifdef SSH_EXTRAVERSION 61+#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 0dc3f1c32..51d5c09d0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 72aec10a082f61d9a601b03ec57e0053e03397dd Mon Sep 17 00:00:00 2001 1From 754544297b321ab1ce1923e6aa9987bb82dd4fc5 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index fba1b54..5653cc4 100644 25index 1567e4a..3b6cacb 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1716,8 +1716,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1753,8 +1753,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0; 29 exit_status = 0;
30 } 30 }
31 31
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 13090ff06..47ccdda3c 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a Mon Sep 17 00:00:00 2001 1From 9496f70a8203592158275489519996476b2356af Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 7a25603..128889a 100644 31index 5f1ff74..5d720f7 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey], 34@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,7 +94,7 @@ index 7a25603..128889a 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -4953,6 +5009,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5003,6 +5059,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index 7a25603..128889a 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " Solaris process contract support: $SPC_MSG" 104 echo " Solaris process contract support: $SPC_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 213b5fc..2105979 100644 106index 6c521f2..589841f 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -850,6 +850,12 @@ the user's home directory becomes accessible. 109@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index 213b5fc..2105979 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index 213b5fc..2105979 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index d659a68..9275e0b 100644 131index 5cd9129..d1dd711 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -130,6 +130,13 @@ 134@@ -129,6 +129,13 @@
135 #include <Security/AuthSession.h> 135 #include <Security/AuthSession.h>
136 #endif 136 #endif
137 137
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index e8049d902..cd2685e3a 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From efd79b5b880f473ef06d4659cf279b07a65de208 Mon Sep 17 00:00:00 2001 1From c2c79a52f66eee7b85b5241d08a70b2593a9bc9e Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 593fe89..e39294e 100644 20index 0bdd7cb..51bc2b7 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -190,8 +190,16 @@ do_local_cmd(arglist *a) 23@@ -190,8 +190,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5fec9eae0..c632f0349 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 701eb985309b1c9fce617949298659843fce723d Mon Sep 17 00:00:00 2001 1From a00cba810338ce920de432e7797a45794bf280ba Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
32 16 files changed, 104 insertions(+), 31 deletions(-) 32 16 files changed, 104 insertions(+), 31 deletions(-)
33 33
34diff --git a/auth.h b/auth.h 34diff --git a/auth.h b/auth.h
35index 8b27575..3c2222f 100644 35index 2160154..3b3a085 100644
36--- a/auth.h 36--- a/auth.h
37+++ b/auth.h 37+++ b/auth.h
38@@ -62,6 +62,7 @@ struct Authctxt { 38@@ -62,6 +62,7 @@ struct Authctxt {
@@ -113,10 +113,10 @@ index 3f49bdc..6eb3cc7 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index 2658aaa..c063ad1 100644 116index 6c82023..5be3fbf 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -126,6 +126,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index 2658aaa..c063ad1 100644
124 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = { 127@@ -207,6 +208,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index 2658aaa..c063ad1 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 134 #ifdef USE_PAM
135@@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 135@@ -875,6 +877,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 136 else {
137 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index 2658aaa..c063ad1 100644
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 141 }
142 #ifdef USE_PAM 142 #ifdef USE_PAM
143@@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m) 143@@ -905,14 +908,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 144
145 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index 2658aaa..c063ad1 100644
180 return (0); 180 return (0);
181 } 181 }
182 182
183@@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m) 183@@ -1541,7 +1567,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 185 if (res == 0)
186 goto error; 186 goto error;
@@ -203,7 +203,7 @@ index bc50ade..2d82b8b 100644
203 203
204 struct mm_master; 204 struct mm_master;
205diff --git a/monitor_wrap.c b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 81ceddb..6799911 100644 206index 74fbd2e..eaf0a12 100644
207--- a/monitor_wrap.c 207--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
209@@ -327,10 +327,10 @@ mm_auth2_read_banner(void) 209@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
@@ -251,13 +251,13 @@ index 81ceddb..6799911 100644
251 int 251 int
252 mm_auth_password(Authctxt *authctxt, char *password) 252 mm_auth_password(Authctxt *authctxt, char *password)
253diff --git a/monitor_wrap.h b/monitor_wrap.h 253diff --git a/monitor_wrap.h b/monitor_wrap.h
254index 9758290..57e740f 100644 254index 403f8d0..d9de551 100644
255--- a/monitor_wrap.h 255--- a/monitor_wrap.h
256+++ b/monitor_wrap.h 256+++ b/monitor_wrap.h
257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
258 int mm_is_monitor(void); 258 int mm_is_monitor(void);
259 DH *mm_choose_dh(int, int, int); 259 DH *mm_choose_dh(int, int, int);
260 int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); 260 int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
261-void mm_inform_authserv(char *, char *); 261-void mm_inform_authserv(char *, char *);
262+void mm_inform_authserv(char *, char *, char *); 262+void mm_inform_authserv(char *, char *, char *);
263+void mm_inform_authrole(char *); 263+void mm_inform_authrole(char *);
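Review bot: the `mm_key_sign` context line now carries upstream's extra `const char *` parameter, so the two prototypes this patch adds (`mm_inform_authserv(char *, char *, char *)` and `mm_inform_authrole(char *)`) now sit under a changed neighbour; that is context only and will still apply, but the definitions and call sites for these two functions are outside this hunk, so confirm the refreshed monitor.c and monitor_wrap.c hunks of this patch still agree on the three-argument `mm_inform_authserv` before treating the refresh as build-clean.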
@@ -383,7 +383,7 @@ index ee313da..f35ec39 100644
383 } 383 }
384 384
385diff --git a/platform.h b/platform.h 385diff --git a/platform.h b/platform.h
386index 1c7a45d..436ae7c 100644 386index e687c99..823901b 100644
387--- a/platform.h 387--- a/platform.h
388+++ b/platform.h 388+++ b/platform.h
389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); 389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index 5a64715..afac4a5 100644 399index 7a02500..99ec6f3 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1489,7 +1489,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -407,17 +407,17 @@ index 5a64715..afac4a5 100644
407+do_setusercontext(struct passwd *pw, const char *role) 407+do_setusercontext(struct passwd *pw, const char *role)
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 #ifdef USE_LIBIAF 410
411@@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
415- platform_setusercontext_post_groups(pw); 415- platform_setusercontext_post_groups(pw);
416+ platform_setusercontext_post_groups(pw, role); 416+ platform_setusercontext_post_groups(pw, role);
417 417
418 if (options.chroot_directory != NULL && 418 if (!in_chroot && options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command) 420@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 5a64715..afac4a5 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command) 429@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index 5a64715..afac4a5 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2115,7 +2115,7 @@ session_pty_req(Session *s) 438@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index 9275e0b..1b49b26 100644 461index d1dd711..bb093cc 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -786,7 +786,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index e612e0554..e5821f627 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,7 +15,6 @@ mention-ssh-keygen-on-keychange.patch
15package-versioning.patch 15package-versioning.patch
16debian-banner.patch 16debian-banner.patch
17authorized-keys-man-symlink.patch 17authorized-keys-man-symlink.patch
18lintian-symlink-pickiness.patch
19openbsd-docs.patch 18openbsd-docs.patch
20ssh-argv0.patch 19ssh-argv0.patch
21doc-hash-tab-completion.patch 20doc-hash-tab-completion.patch
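Review bot: `lintian-symlink-pickiness.patch` is dropped from `series` here, but nothing in this hunk shows the patch file itself being removed or the drop being recorded; delete `debian/patches/lintian-symlink-pickiness.patch` in the same change (or state why it is kept but unapplied) and add a changelog entry, otherwise the orphaned file will be picked up again by the next git-dpm refresh.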
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index e60dfc4d3..953bae5d0 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From ccc03dd81a15fa91155bbdfa6b84a0d6e37c43e4 Mon Sep 17 00:00:00 2001 1From 434f7bc6f37b86a449d3d975fad53233f4c141f2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 17fbe39..cd467fd 100644 19index 356ec79..8b8e760 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -232,7 +232,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 17fbe39..cd467fd 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1471,7 +1471,7 @@ ssh_local_cmd(const char *args) 31@@ -1499,7 +1499,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 0cf814455..e022fa53f 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 5af03fab96e1d53019d1c50282eb21ce3e581895 Mon Sep 17 00:00:00 2001 1From e66add5020e18f6dd9b942b46e02d9b20e24edcc Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,7 +13,7 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 8d17521..5ccf175 100644 16index 57ae4ad..c2d42f5 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -2048,6 +2048,16 @@ main(int ac, char **av) 19@@ -2048,6 +2048,16 @@ main(int ac, char **av)
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index ffab898c7..a2f23396e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 7566d3563c174cc339da8b72833e66614cfc1458 Mon Sep 17 00:00:00 2001 1From d7698edca3667ffacae051582028eb3971928edc Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index d0aa712..2a940d9 100644 16index c4b50bb..2fe2201 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -186,6 +186,21 @@ environment variable holds the agent's process ID. 19@@ -193,6 +193,21 @@ environment variable holds the agent's process ID.
20 .Pp 20 .Pp
21 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
22 line terminates. 22 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index d3097fe10..f830f2cf2 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 078b7a5e7b89d20ce867e2c9839096be673b6ae0 Mon Sep 17 00:00:00 2001 1From 30dfe2ed8df15c27b53c883c1b718b13416299d5 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 4fba77f..05b7f10 100644 21index 41e0aab..74d9655 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1574,6 +1574,7 @@ if an error occurred. 24@@ -1561,6 +1561,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index be725e357..f2bb35326 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 7f0a4ecb6694298414e6d84c0aa49c35b19cad1b Mon Sep 17 00:00:00 2001 1From 68e8163d9209f731c582fe5350002c51c9551983 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 56e0f44..831072f 100644 20index d2a3d4b..559e4c7 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -181,6 +181,7 @@ static struct { 23@@ -182,6 +182,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "passwordauthentication", oPasswordAuthentication },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 56e0f44..831072f 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index cfe7029..ed3a88d 100644 32index b8af6dd..fad7c92 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -522,6 +522,7 @@ static struct { 35@@ -533,6 +533,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 255395666..5ac2fc593 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 25ead9080a3f98eafc64a9a9c4b6650d922a19fa Mon Sep 17 00:00:00 2001 1From c87856cd1b99bc4188b145b0689af5e1d1babe24 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index ad12930..e68b84a 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 67c1ebf..eb73903 100644 36index f9ff91f..314dd52 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1106,7 +1106,7 @@ main(int ac, char **av) 39@@ -1119,7 +1119,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 62ca0f284..3c2c67cda 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From 9d88bc29443745ebf30004136ac18ced47292833 Mon Sep 17 00:00:00 2001 1From a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 128889a..eec2b72 100644 17index 5d720f7..c978c11 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4213,6 +4213,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4263,6 +4263,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,16 +47,16 @@ index 128889a..eec2b72 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5014,6 +5037,7 @@ echo " MD5 password support: $MD5_MSG" 50@@ -5065,6 +5088,7 @@ echo " libedit support: $LIBEDIT_MSG"
51 echo " libedit support: $LIBEDIT_MSG"
52 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
53 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG"
54+echo " systemd support: $SYSTEMD_MSG" 54+echo " systemd support: $SYSTEMD_MSG"
55 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" 55 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 5ccf175..366ae92 100644 59index c2d42f5..8802d18 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index c2dbdcd7a..456944f6b 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From a1010980d6906a140307825466934a21c3d4d228 Mon Sep 17 00:00:00 2001 1From 6f05f80017871238b4e50fc4e09d57d722416743 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -86,10 +86,10 @@ index bd6a026..782b7f8 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index ddd2b2d..1c063ea 100644 89index de7e1fa..5704fa6 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -50,8 +50,9 @@ 92@@ -51,8 +51,9 @@
93 #include <netdb.h> 93 #include <netdb.h>
94 #ifdef HAVE_PATHS_H 94 #ifdef HAVE_PATHS_H
95 # include <paths.h> 95 # include <paths.h>
@@ -100,7 +100,7 @@ index ddd2b2d..1c063ea 100644
100 #ifdef SSH_TUN_OPENBSD 100 #ifdef SSH_TUN_OPENBSD
101 #include <net/if.h> 101 #include <net/if.h>
102 #endif 102 #endif
103@@ -60,6 +61,7 @@ 103@@ -61,6 +62,7 @@
104 #include "misc.h" 104 #include "misc.h"
105 #include "log.h" 105 #include "log.h"
106 #include "ssh.h" 106 #include "ssh.h"
@@ -108,7 +108,7 @@ index ddd2b2d..1c063ea 100644
108 108
109 /* remove newline at end of string */ 109 /* remove newline at end of string */
110 char * 110 char *
111@@ -644,6 +646,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 111@@ -647,6 +649,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 112 return -1;
113 } 113 }
114 114
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644
216- return 0; 216- return 0;
217-} 217-}
218diff --git a/readconf.c b/readconf.c 218diff --git a/readconf.c b/readconf.c
219index 83582e3..b9442fd 100644 219index fde6b41..cc1a633 100644
220--- a/readconf.c 220--- a/readconf.c
221+++ b/readconf.c 221+++ b/readconf.c
222@@ -39,6 +39,8 @@ 222@@ -39,6 +39,8 @@
@@ -228,7 +228,7 @@ index 83582e3..b9442fd 100644
228 #ifdef HAVE_UTIL_H 228 #ifdef HAVE_UTIL_H
229 #include <util.h> 229 #include <util.h>
230 #endif 230 #endif
231@@ -1579,8 +1581,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, 231@@ -1626,8 +1628,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
232 232
233 if (fstat(fileno(f), &sb) == -1) 233 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno)); 234 fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index 83582e3..b9442fd 100644
239 } 239 }
240 240
241diff --git a/ssh.1 b/ssh.1 241diff --git a/ssh.1 b/ssh.1
242index 2ea0a20..ff80022 100644 242index cc53343..feb0e89 100644
243--- a/ssh.1 243--- a/ssh.1
244+++ b/ssh.1 244+++ b/ssh.1
245@@ -1458,6 +1458,8 @@ The file format and configuration options are described in 245@@ -1459,6 +1459,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 . 246 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions: 247 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others. 248 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index 2ea0a20..ff80022 100644
252 .It Pa ~/.ssh/environment 252 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see 253 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5 254diff --git a/ssh_config.5 b/ssh_config.5
255index 78e918a..1e9c058 100644 255index bbf638b..ab8f271 100644
256--- a/ssh_config.5 256--- a/ssh_config.5
257+++ b/ssh_config.5 257+++ b/ssh_config.5
258@@ -1757,6 +1757,8 @@ The format of this file is described above. 258@@ -1830,6 +1830,8 @@ The format of this file is described above.
259 This file is used by the SSH client. 259 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions: 260 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others. 261 read/write for the user, and not accessible by others.