Diffstat (limited to 'debian')
-rw-r--r--debian/changelog27
-rw-r--r--debian/patches/auth-log-verbosity.patch6
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch8
-rw-r--r--debian/patches/debian-banner.patch16
-rw-r--r--debian/patches/debian-config.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/gssapi-autoconf.patch29
-rw-r--r--debian/patches/gssapi.patch282
-rw-r--r--debian/patches/hostbased-ecdsa.patch71
-rw-r--r--debian/patches/keepalive-extensions.patch18
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch2
-rw-r--r--debian/patches/openbsd-docs.patch58
-rw-r--r--debian/patches/package-versioning.patch6
-rw-r--r--debian/patches/quieter-signals.patch2
-rw-r--r--debian/patches/selinux-build-failure.patch19
-rw-r--r--debian/patches/selinux-role.patch42
-rw-r--r--debian/patches/series4
-rw-r--r--debian/patches/shell-path.patch2
-rw-r--r--debian/patches/ssh-add-fifo.patch37
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-vulnkey.patch121
-rw-r--r--debian/patches/ssh1-keepalive.patch6
-rw-r--r--debian/patches/syslog-level-silent.patch8
-rw-r--r--debian/patches/user-group-modes.patch16
-rwxr-xr-xdebian/rules1
25 files changed, 358 insertions, 431 deletions
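--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
+openssh (1:5.9p1-1) UNRELEASED; urgency=low
+
+ * New upstream release (http://www.openssh.org/txt/release-5.9).
+ - Introduce sandboxing of the pre-auth privsep child using an optional
+ sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
+ mandatory restrictions on the syscalls the privsep child can perform.
+ - Add new SHA256-based HMAC transport integrity modes from
+ http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
+ - The pre-authentication sshd(8) privilege separation slave process now
+ logs via a socket shared with the master process, avoiding the need to
+ maintain /dev/log inside the chroot (closes: #75043, #429243,
+ #599240).
+ - ssh(1) now warns when a server refuses X11 forwarding (closes:
+ #504757).
+ - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
+ separated by whitespace (closes: #76312). The authorized_keys2
+ fallback is deprecated but documented (closes: #560156).
+ - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
+ ToS/DSCP (closes: #498297).
+ - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
+ - < /path/to/key" (closes: #229124).
+ - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
+ - Say "required" rather than "recommended" in unprotected-private-key
+ warning (LP: #663455).
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 06 Sep 2011 10:16:33 +0100
+
 openssh (1:5.8p1-7) unstable; urgency=low
 
 * Only recommend ssh-import-id when built on Ubuntu (closes: #635887).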
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 7aea6690d..da940d9fa 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -83,9 +83,9 @@ Index: b/auth-rsa.c
83=================================================================== 83===================================================================
84--- a/auth-rsa.c 84--- a/auth-rsa.c
85+++ b/auth-rsa.c 85+++ b/auth-rsa.c
86@@ -193,6 +193,8 @@ 86@@ -175,6 +175,8 @@
87 87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
88 key = key_new(KEY_RSA1); 88 return 0;
89 89
90+ auth_start_parse_options(); 90+ auth_start_parse_options();
91+ 91+
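Review bot: The refreshed context places `auth_start_parse_options();` right after the `auth_openkeyfile()` early return in auth-rsa.c instead of after the old `key_new(KEY_RSA1)` anchor, and since this release makes AuthorizedKeysFile accept several paths (see the changelog entry in this commit), that early return plausibly now sits in a per-file helper, so the reset would fire once per key file rather than once per authentication attempt; the enclosing function starts outside the hunk, so this is inferred, not visible. If the original intent was to log option-parse warnings once per attempt, repeated resets could make them repeat per file. Either way the decision is worth recording at the call site, e.g. `/* reset once-per-attempt option logging; runs per key file when several AuthorizedKeysFile entries are configured */`.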
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 13b3b6561..a9ca85407 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,11 +8,11 @@ Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -289,6 +289,7 @@ 11@@ -275,6 +275,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
15+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 15+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
16 if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ 16 $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
17 $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ 17 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
18 fi 18 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
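Review bot: The `ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5` line carried by this patch (row 15) has no `-f`, so a repeated `make install` into the same DESTDIR, or a tree that already contains authorized_keys.5, fails with "File exists" and aborts the install target, whereas the surrounding `$(INSTALL)` calls overwrite silently. The refresh only moves the anchor from the ssh-rand-helper conditional to the sftp/ssh-keysign man-page installs and keeps that non-idempotent rule. Consider `ln -sf ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5`, or an `rm -f` of the target on the preceding line, so the rule matches the overwrite behaviour of its neighbours.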
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 32251397d..57ca35e87 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -143,6 +143,7 @@ 13@@ -142,6 +142,7 @@
14 options->authorized_principals_file = NULL; 14 options->authorized_principals_file = NULL;
15 options->ip_qos_interactive = -1; 15 options->ip_qos_interactive = -1;
16 options->ip_qos_bulk = -1; 16 options->ip_qos_bulk = -1;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18 } 18 }
19 19
20 void 20 void
21@@ -293,6 +294,8 @@ 21@@ -289,6 +290,8 @@
22 options->ip_qos_interactive = IPTOS_LOWDELAY; 22 options->ip_qos_interactive = IPTOS_LOWDELAY;
23 if (options->ip_qos_bulk == -1) 23 if (options->ip_qos_bulk == -1)
24 options->ip_qos_bulk = IPTOS_THROUGHPUT; 24 options->ip_qos_bulk = IPTOS_THROUGHPUT;
@@ -27,7 +27,7 @@ Index: b/servconf.c
27 27
28 /* Turn privilege separation on by default */ 28 /* Turn privilege separation on by default */
29 if (use_privsep == -1) 29 if (use_privsep == -1)
30@@ -342,6 +345,7 @@ 30@@ -338,6 +341,7 @@
31 sZeroKnowledgePasswordAuthentication, sHostCertificate, 31 sZeroKnowledgePasswordAuthentication, sHostCertificate,
32 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 32 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
33 sKexAlgorithms, sIPQoS, 33 sKexAlgorithms, sIPQoS,
@@ -35,7 +35,7 @@ Index: b/servconf.c
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -477,6 +481,7 @@ 38@@ -473,6 +477,7 @@
39 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 39 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
40 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 40 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
41 { "ipqos", sIPQoS, SSHCFG_ALL }, 41 { "ipqos", sIPQoS, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1439,6 +1444,10 @@ 46@@ -1436,6 +1441,10 @@
47 } 47 }
48 break; 48 break;
49 49
@@ -58,7 +58,7 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -160,6 +160,8 @@ 61@@ -166,6 +166,8 @@
62 62
63 int num_permitted_opens; 63 int num_permitted_opens;
64 64
@@ -71,7 +71,7 @@ Index: b/sshd.c
71=================================================================== 71===================================================================
72--- a/sshd.c 72--- a/sshd.c
73+++ b/sshd.c 73+++ b/sshd.c
74@@ -422,7 +422,8 @@ 74@@ -423,7 +423,8 @@
75 minor = PROTOCOL_MINOR_1; 75 minor = PROTOCOL_MINOR_1;
76 } 76 }
77 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, 77 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85=================================================================== 85===================================================================
86--- a/sshd_config.5 86--- a/sshd_config.5
87+++ b/sshd_config.5 87+++ b/sshd_config.5
88@@ -339,6 +339,11 @@ 88@@ -340,6 +340,11 @@
89 .Dq no . 89 .Dq no .
90 The default is 90 The default is
91 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index e804aa526..74aa53ecc 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
24=================================================================== 24===================================================================
25--- a/readconf.c 25--- a/readconf.c
26+++ b/readconf.c 26+++ b/readconf.c
27@@ -1223,7 +1223,7 @@ 27@@ -1268,7 +1268,7 @@
28 if (options->forward_x11 == -1) 28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 30 if (options->forward_x11_trusted == -1)
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -482,7 +498,8 @@ 87@@ -499,7 +515,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 5cf8aa46b..cec6f6639 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -8,7 +8,7 @@ Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -566,6 +566,9 @@ 11@@ -585,6 +585,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
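--- a/debian/patches/gssapi-autoconf.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Description: Update config.h.in following GSSAPI patch
-Author: Colin Watson <cjwatson@debian.org>
-Forwarded: not-needed
-Last-Updated: 2010-02-27
-
-Index: b/config.h.in
-===================================================================
---- a/config.h.in
-+++ b/config.h.in
-@@ -1417,6 +1417,9 @@
- /* Use btmp to log bad logins */
- #undef USE_BTMP
-
-+/* platform uses an in-memory credentials cache */
-+#undef USE_CCAPI
-+
- /* Use libedit for sftp */
- #undef USE_LIBEDIT
-
-@@ -1432,6 +1435,9 @@
- /* Use PIPES instead of a socketpair() */
- #undef USE_PIPES
-
-+/* platform has the Security Authorization Session API */
-+#undef USE_SECURITY_SESSION_API
-+
- /* Define if you have Solaris process contracts */
- #undef USE_SOLARIS_PROCESS_CONTRACTS
-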
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index c123bf7b9..dc293683e 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -137,7 +137,7 @@ Index: b/Makefile.in
137=================================================================== 137===================================================================
138--- a/Makefile.in 138--- a/Makefile.in
139+++ b/Makefile.in 139+++ b/Makefile.in
140@@ -75,6 +75,7 @@ 140@@ -70,6 +70,7 @@
141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +145,7 @@ Index: b/Makefile.in
145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ 145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
146 schnorr.o ssh-pkcs11.o 146 schnorr.o ssh-pkcs11.o
147 147
148@@ -91,7 +92,7 @@ 148@@ -86,7 +87,7 @@
149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
151 auth-krb5.o \ 151 auth-krb5.o \
@@ -153,7 +153,7 @@ Index: b/Makefile.in
153+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ 153+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
154 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 154 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
155 sftp-server.o sftp-common.o \ 155 sftp-server.o sftp-common.o \
156 roaming_common.o roaming_serv.o 156 roaming_common.o roaming_serv.o \
157Index: b/auth-krb5.c 157Index: b/auth-krb5.c
158=================================================================== 158===================================================================
159--- a/auth-krb5.c 159--- a/auth-krb5.c
@@ -205,24 +205,12 @@ Index: b/auth-krb5.c
205 205
206 return (krb5_cc_resolve(ctx, ccname, ccache)); 206 return (krb5_cc_resolve(ctx, ccname, ccache));
207 } 207 }
208Index: b/auth.h
209===================================================================
210--- a/auth.h
211+++ b/auth.h
212@@ -53,6 +53,7 @@
213 int valid; /* user exists and is allowed to login */
214 int attempt;
215 int failures;
216+ int server_caused_failure;
217 int force_pwchange;
218 char *user; /* username sent by the client */
219 char *service;
220Index: b/auth2-gss.c 208Index: b/auth2-gss.c
221=================================================================== 209===================================================================
222--- a/auth2-gss.c 210--- a/auth2-gss.c
223+++ b/auth2-gss.c 211+++ b/auth2-gss.c
224@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
225 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
226 214
227 /* 215 /*
228- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -271,23 +259,7 @@ Index: b/auth2-gss.c
271 /* 259 /*
272 * We only support those mechanisms that we know about (ie ones that we know 260 * We only support those mechanisms that we know about (ie ones that we know
273 * how to check local user kuserok and the like) 261 * how to check local user kuserok and the like)
274@@ -102,6 +136,7 @@ 262@@ -244,7 +278,8 @@
275
276 if (!present) {
277 xfree(doid);
278+ authctxt->server_caused_failure = 1;
279 return (0);
280 }
281
282@@ -109,6 +144,7 @@
283 if (ctxt != NULL)
284 ssh_gssapi_delete_ctx(&ctxt);
285 xfree(doid);
286+ authctxt->server_caused_failure = 1;
287 return (0);
288 }
289
290@@ -242,7 +278,8 @@
291 263
292 packet_check_eom(); 264 packet_check_eom();
293 265
@@ -297,7 +269,7 @@ Index: b/auth2-gss.c
297 269
298 authctxt->postponed = 0; 270 authctxt->postponed = 0;
299 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
300@@ -277,7 +314,8 @@ 272@@ -279,7 +314,8 @@
301 gssbuf.length = buffer_len(&b); 273 gssbuf.length = buffer_len(&b);
302 274
303 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -307,7 +279,7 @@ Index: b/auth2-gss.c
307 else 279 else
308 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
309 281
310@@ -292,6 +330,12 @@ 282@@ -294,6 +330,12 @@
311 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic");
312 } 284 }
313 285
@@ -340,24 +312,6 @@ Index: b/auth2.c
340 &method_gssapi, 312 &method_gssapi,
341 #endif 313 #endif
342 #ifdef JPAKE 314 #ifdef JPAKE
343@@ -274,6 +276,7 @@
344 #endif
345
346 authctxt->postponed = 0;
347+ authctxt->server_caused_failure = 0;
348
349 /* try to authenticate user */
350 m = authmethod_lookup(method);
351@@ -346,7 +349,8 @@
352 } else {
353
354 /* Allow initial try of "none" auth without failure penalty */
355- if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
356+ if (!authctxt->server_caused_failure &&
357+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
358 authctxt->failures++;
359 if (authctxt->failures >= options.max_authtries) {
360 #ifdef SSH_AUDIT_EVENTS
361Index: b/clientloop.c 315Index: b/clientloop.c
362=================================================================== 316===================================================================
363--- a/clientloop.c 317--- a/clientloop.c
@@ -373,7 +327,7 @@ Index: b/clientloop.c
373 /* import options */ 327 /* import options */
374 extern Options options; 328 extern Options options;
375 329
376@@ -1483,6 +1487,15 @@ 330@@ -1508,6 +1512,15 @@
377 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
378 if (!rekeying) { 332 if (!rekeying) {
379 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -389,41 +343,133 @@ Index: b/clientloop.c
389 if (need_rekeying || packet_need_rekeying()) { 343 if (need_rekeying || packet_need_rekeying()) {
390 debug("need rekeying"); 344 debug("need rekeying");
391 xxx_kex->done = 0; 345 xxx_kex->done = 0;
346Index: b/config.h.in
347===================================================================
348--- a/config.h.in
349+++ b/config.h.in
350@@ -1441,6 +1441,9 @@
351 /* Use btmp to log bad logins */
352 #undef USE_BTMP
353
354+/* platform uses an in-memory credentials cache */
355+#undef USE_CCAPI
356+
357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT
359
360@@ -1456,6 +1459,9 @@
361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES
363
364+/* platform has the Security Authorization Session API */
365+#undef USE_SECURITY_SESSION_API
366+
367 /* Define if you have Solaris process contracts */
368 #undef USE_SOLARIS_PROCESS_CONTRACTS
369
370Index: b/configure
371===================================================================
372--- a/configure
373+++ b/configure
374@@ -6521,6 +6521,63 @@
375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377
378+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5
379+$as_echo_n "checking if we have the Security Authorization Session API... " >&6; }
380+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
381+/* end confdefs.h. */
382+#include <Security/AuthSession.h>
383+int
384+main ()
385+{
386+SessionCreate(0, 0);
387+ ;
388+ return 0;
389+}
390+_ACEOF
391+if ac_fn_c_try_compile "$LINENO"; then :
392+ ac_cv_use_security_session_api="yes"
393+
394+$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h
395+
396+ LIBS="$LIBS -framework Security"
397+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
398+$as_echo "yes" >&6; }
399+else
400+ ac_cv_use_security_session_api="no"
401+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
402+$as_echo "no" >&6; }
403+fi
404+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
405+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5
406+$as_echo_n "checking if we have an in-memory credentials cache... " >&6; }
407+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
408+/* end confdefs.h. */
409+#include <Kerberos/Kerberos.h>
410+int
411+main ()
412+{
413+cc_context_t c;
414+ (void) cc_initialize (&c, 0, NULL, NULL);
415+ ;
416+ return 0;
417+}
418+_ACEOF
419+if ac_fn_c_try_compile "$LINENO"; then :
420+
421+$as_echo "#define USE_CCAPI 1" >>confdefs.h
422+
423+ LIBS="$LIBS -framework Security"
424+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
425+$as_echo "yes" >&6; }
426+ if test "x$ac_cv_use_security_session_api" = "xno"; then
427+ as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5
428+ fi
429+else
430+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
431+$as_echo "no" >&6; }
432+
433+fi
434+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
435
436 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
437 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
392Index: b/configure.ac 438Index: b/configure.ac
393=================================================================== 439===================================================================
394--- a/configure.ac 440--- a/configure.ac
395+++ b/configure.ac 441+++ b/configure.ac
396@@ -514,6 +514,30 @@ 442@@ -515,6 +515,30 @@
397 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
398 AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
399 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
400+ AC_MSG_CHECKING(if we have the Security Authorization Session API) 446+ AC_MSG_CHECKING([if we have the Security Authorization Session API])
401+ AC_TRY_COMPILE([#include <Security/AuthSession.h>], 447+ AC_TRY_COMPILE([#include <Security/AuthSession.h>],
402+ [SessionCreate(0, 0);], 448+ [SessionCreate(0, 0);],
403+ [ac_cv_use_security_session_api="yes" 449+ [ac_cv_use_security_session_api="yes"
404+ AC_DEFINE(USE_SECURITY_SESSION_API, 1, 450+ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
405+ [platform has the Security Authorization Session API]) 451+ [platform has the Security Authorization Session API])
406+ LIBS="$LIBS -framework Security" 452+ LIBS="$LIBS -framework Security"
407+ AC_MSG_RESULT(yes)], 453+ AC_MSG_RESULT([yes])],
408+ [ac_cv_use_security_session_api="no" 454+ [ac_cv_use_security_session_api="no"
409+ AC_MSG_RESULT(no)]) 455+ AC_MSG_RESULT([no])])
410+ AC_MSG_CHECKING(if we have an in-memory credentials cache) 456+ AC_MSG_CHECKING([if we have an in-memory credentials cache])
411+ AC_TRY_COMPILE( 457+ AC_TRY_COMPILE(
412+ [#include <Kerberos/Kerberos.h>], 458+ [#include <Kerberos/Kerberos.h>],
413+ [cc_context_t c; 459+ [cc_context_t c;
414+ (void) cc_initialize (&c, 0, NULL, NULL);], 460+ (void) cc_initialize (&c, 0, NULL, NULL);],
415+ [AC_DEFINE(USE_CCAPI, 1, 461+ [AC_DEFINE([USE_CCAPI], [1],
416+ [platform uses an in-memory credentials cache]) 462+ [platform uses an in-memory credentials cache])
417+ LIBS="$LIBS -framework Security" 463+ LIBS="$LIBS -framework Security"
418+ AC_MSG_RESULT(yes) 464+ AC_MSG_RESULT([yes])
419+ if test "x$ac_cv_use_security_session_api" = "xno"; then 465+ if test "x$ac_cv_use_security_session_api" = "xno"; then
420+ AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) 466+ AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
421+ fi], 467+ fi],
422+ [AC_MSG_RESULT(no)] 468+ [AC_MSG_RESULT([no])]
423+ ) 469+ )
424 m4_pattern_allow(AU_IPv) 470 m4_pattern_allow([AU_IPv])
425 AC_CHECK_DECL(AU_IPv4, [], 471 AC_CHECK_DECL([AU_IPv4], [],
426 AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) 472 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
427Index: b/gss-genr.c 473Index: b/gss-genr.c
428=================================================================== 474===================================================================
429--- a/gss-genr.c 475--- a/gss-genr.c
@@ -904,7 +950,7 @@ Index: b/gss-serv.c
904--- a/gss-serv.c 950--- a/gss-serv.c
905+++ b/gss-serv.c 951+++ b/gss-serv.c
906@@ -1,7 +1,7 @@ 952@@ -1,7 +1,7 @@
907 /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ 953 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
908 954
909 /* 955 /*
910- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1023,7 +1069,7 @@ Index: b/gss-serv.c
1023 1069
1024 while (supported_mechs[i]->name != NULL) { 1070 while (supported_mechs[i]->name != NULL) {
1025 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1071 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1026@@ -247,8 +284,48 @@ 1072@@ -249,8 +286,48 @@
1027 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1073 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1028 { 1074 {
1029 int i = 0; 1075 int i = 0;
@@ -1073,7 +1119,7 @@ Index: b/gss-serv.c
1073 1119
1074 client->mech = NULL; 1120 client->mech = NULL;
1075 1121
1076@@ -263,6 +340,13 @@ 1122@@ -265,6 +342,13 @@
1077 if (client->mech == NULL) 1123 if (client->mech == NULL)
1078 return GSS_S_FAILURE; 1124 return GSS_S_FAILURE;
1079 1125
@@ -1087,7 +1133,7 @@ Index: b/gss-serv.c
1087 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1133 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1088 &client->displayname, NULL))) { 1134 &client->displayname, NULL))) {
1089 ssh_gssapi_error(ctx); 1135 ssh_gssapi_error(ctx);
1090@@ -280,6 +364,8 @@ 1136@@ -282,6 +366,8 @@
1091 return (ctx->major); 1137 return (ctx->major);
1092 } 1138 }
1093 1139
@@ -1096,7 +1142,7 @@ Index: b/gss-serv.c
1096 /* We can't copy this structure, so we just move the pointer to it */ 1142 /* We can't copy this structure, so we just move the pointer to it */
1097 client->creds = ctx->client_creds; 1143 client->creds = ctx->client_creds;
1098 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1144 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1099@@ -327,7 +413,7 @@ 1145@@ -329,7 +415,7 @@
1100 1146
1101 /* Privileged */ 1147 /* Privileged */
1102 int 1148 int
@@ -1105,7 +1151,7 @@ Index: b/gss-serv.c
1105 { 1151 {
1106 OM_uint32 lmin; 1152 OM_uint32 lmin;
1107 1153
1108@@ -337,9 +423,11 @@ 1154@@ -339,9 +425,11 @@
1109 return 0; 1155 return 0;
1110 } 1156 }
1111 if (gssapi_client.mech && gssapi_client.mech->userok) 1157 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1119,7 +1165,7 @@ Index: b/gss-serv.c
1119 /* Destroy delegated credentials if userok fails */ 1165 /* Destroy delegated credentials if userok fails */
1120 gss_release_buffer(&lmin, &gssapi_client.displayname); 1166 gss_release_buffer(&lmin, &gssapi_client.displayname);
1121 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1167 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1122@@ -352,14 +440,90 @@ 1168@@ -354,14 +442,90 @@
1123 return (0); 1169 return (0);
1124 } 1170 }
1125 1171
@@ -1961,7 +2007,7 @@ Index: b/monitor.c
1961=================================================================== 2007===================================================================
1962--- a/monitor.c 2008--- a/monitor.c
1963+++ b/monitor.c 2009+++ b/monitor.c
1964@@ -172,6 +172,8 @@ 2010@@ -180,6 +180,8 @@
1965 int mm_answer_gss_accept_ctx(int, Buffer *); 2011 int mm_answer_gss_accept_ctx(int, Buffer *);
1966 int mm_answer_gss_userok(int, Buffer *); 2012 int mm_answer_gss_userok(int, Buffer *);
1967 int mm_answer_gss_checkmic(int, Buffer *); 2013 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1970,7 +2016,7 @@ Index: b/monitor.c
1970 #endif 2016 #endif
1971 2017
1972 #ifdef SSH_AUDIT_EVENTS 2018 #ifdef SSH_AUDIT_EVENTS
1973@@ -241,6 +243,7 @@ 2019@@ -251,6 +253,7 @@
1974 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
1975 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
1976 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1978,7 +2024,7 @@ Index: b/monitor.c
1978 #endif 2024 #endif
1979 #ifdef JPAKE 2025 #ifdef JPAKE
1980 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
1981@@ -253,6 +256,12 @@ 2027@@ -263,6 +266,12 @@
1982 }; 2028 };
1983 2029
1984 struct mon_table mon_dispatch_postauth20[] = { 2030 struct mon_table mon_dispatch_postauth20[] = {
@@ -1991,7 +2037,7 @@ Index: b/monitor.c
1991 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
1992 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
1993 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2039 {MONITOR_REQ_PTY, 0, mm_answer_pty},
1994@@ -357,6 +366,10 @@ 2040@@ -371,6 +380,10 @@
1995 /* Permit requests for moduli and signatures */ 2041 /* Permit requests for moduli and signatures */
1996 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1997 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2002,7 +2048,7 @@ Index: b/monitor.c
2002 } else { 2048 } else {
2003 mon_dispatch = mon_dispatch_proto15; 2049 mon_dispatch = mon_dispatch_proto15;
2004 2050
2005@@ -443,6 +456,10 @@ 2051@@ -468,6 +481,10 @@
2006 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2007 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2008 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2013,7 +2059,7 @@ Index: b/monitor.c
2013 } else { 2059 } else {
2014 mon_dispatch = mon_dispatch_postauth15; 2060 mon_dispatch = mon_dispatch_postauth15;
2015 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2016@@ -1692,6 +1709,13 @@ 2062@@ -1802,6 +1819,13 @@
2017 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2018 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2019 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2027,7 +2073,7 @@ Index: b/monitor.c
2027 kex->server = 1; 2073 kex->server = 1;
2028 kex->hostkey_type = buffer_get_int(m); 2074 kex->hostkey_type = buffer_get_int(m);
2029 kex->kex_type = buffer_get_int(m); 2075 kex->kex_type = buffer_get_int(m);
2030@@ -1898,6 +1922,9 @@ 2076@@ -2008,6 +2032,9 @@
2031 OM_uint32 major; 2077 OM_uint32 major;
2032 u_int len; 2078 u_int len;
2033 2079
@@ -2037,7 +2083,7 @@ Index: b/monitor.c
2037 goid.elements = buffer_get_string(m, &len); 2083 goid.elements = buffer_get_string(m, &len);
2038 goid.length = len; 2084 goid.length = len;
2039 2085
2040@@ -1925,6 +1952,9 @@ 2086@@ -2035,6 +2062,9 @@
2041 OM_uint32 flags = 0; /* GSI needs this */ 2087 OM_uint32 flags = 0; /* GSI needs this */
2042 u_int len; 2088 u_int len;
2043 2089
@@ -2047,7 +2093,7 @@ Index: b/monitor.c
2047 in.value = buffer_get_string(m, &len); 2093 in.value = buffer_get_string(m, &len);
2048 in.length = len; 2094 in.length = len;
2049 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2050@@ -1942,6 +1972,7 @@ 2096@@ -2052,6 +2082,7 @@
2051 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2052 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2053 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2055,7 +2101,7 @@ Index: b/monitor.c
2055 } 2101 }
2056 return (0); 2102 return (0);
2057 } 2103 }
2058@@ -1953,6 +1984,9 @@ 2104@@ -2063,6 +2094,9 @@
2059 OM_uint32 ret; 2105 OM_uint32 ret;
2060 u_int len; 2106 u_int len;
2061 2107
@@ -2065,7 +2111,7 @@ Index: b/monitor.c
2065 gssbuf.value = buffer_get_string(m, &len); 2111 gssbuf.value = buffer_get_string(m, &len);
2066 gssbuf.length = len; 2112 gssbuf.length = len;
2067 mic.value = buffer_get_string(m, &len); 2113 mic.value = buffer_get_string(m, &len);
2068@@ -1979,7 +2013,11 @@ 2114@@ -2089,7 +2123,11 @@
2069 { 2115 {
2070 int authenticated; 2116 int authenticated;
2071 2117
@@ -2078,7 +2124,7 @@ Index: b/monitor.c
2078 2124
2079 buffer_clear(m); 2125 buffer_clear(m);
2080 buffer_put_int(m, authenticated); 2126 buffer_put_int(m, authenticated);
2081@@ -1992,6 +2030,74 @@ 2127@@ -2102,6 +2140,74 @@
2082 /* Monitor loop will terminate if authenticated */ 2128 /* Monitor loop will terminate if authenticated */
2083 return (authenticated); 2129 return (authenticated);
2084 } 2130 }
@@ -2170,7 +2216,7 @@ Index: b/monitor_wrap.c
2170=================================================================== 2216===================================================================
2171--- a/monitor_wrap.c 2217--- a/monitor_wrap.c
2172+++ b/monitor_wrap.c 2218+++ b/monitor_wrap.c
2173@@ -1232,7 +1232,7 @@ 2219@@ -1270,7 +1270,7 @@
2174 } 2220 }
2175 2221
2176 int 2222 int
@@ -2179,7 +2225,7 @@ Index: b/monitor_wrap.c
2179 { 2225 {
2180 Buffer m; 2226 Buffer m;
2181 int authenticated = 0; 2227 int authenticated = 0;
2182@@ -1249,6 +1249,51 @@ 2228@@ -1287,6 +1287,51 @@
2183 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2229 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2184 return (authenticated); 2230 return (authenticated);
2185 } 2231 }
@@ -2235,7 +2281,7 @@ Index: b/monitor_wrap.h
2235=================================================================== 2281===================================================================
2236--- a/monitor_wrap.h 2282--- a/monitor_wrap.h
2237+++ b/monitor_wrap.h 2283+++ b/monitor_wrap.h
2238@@ -57,8 +57,10 @@ 2284@@ -58,8 +58,10 @@
2239 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2285 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2240 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2286 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2241 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2287 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2280,7 +2326,7 @@ Index: b/readconf.c
2280 #endif 2326 #endif
2281 { "fallbacktorsh", oDeprecated }, 2327 { "fallbacktorsh", oDeprecated },
2282 { "usersh", oDeprecated }, 2328 { "usersh", oDeprecated },
2283@@ -479,10 +490,30 @@ 2329@@ -482,10 +493,30 @@
2284 intptr = &options->gss_authentication; 2330 intptr = &options->gss_authentication;
2285 goto parse_flag; 2331 goto parse_flag;
2286 2332
@@ -2311,7 +2357,7 @@ Index: b/readconf.c
2311 case oBatchMode: 2357 case oBatchMode:
2312 intptr = &options->batch_mode; 2358 intptr = &options->batch_mode;
2313 goto parse_flag; 2359 goto parse_flag;
2314@@ -1092,7 +1123,12 @@ 2360@@ -1138,7 +1169,12 @@
2315 options->pubkey_authentication = -1; 2361 options->pubkey_authentication = -1;
2316 options->challenge_response_authentication = -1; 2362 options->challenge_response_authentication = -1;
2317 options->gss_authentication = -1; 2363 options->gss_authentication = -1;
@@ -2324,7 +2370,7 @@ Index: b/readconf.c
2324 options->password_authentication = -1; 2370 options->password_authentication = -1;
2325 options->kbd_interactive_authentication = -1; 2371 options->kbd_interactive_authentication = -1;
2326 options->kbd_interactive_devices = NULL; 2372 options->kbd_interactive_devices = NULL;
2327@@ -1193,8 +1229,14 @@ 2373@@ -1238,8 +1274,14 @@
2328 options->challenge_response_authentication = 1; 2374 options->challenge_response_authentication = 1;
2329 if (options->gss_authentication == -1) 2375 if (options->gss_authentication == -1)
2330 options->gss_authentication = 0; 2376 options->gss_authentication = 0;
@@ -2343,7 +2389,7 @@ Index: b/readconf.h
2343=================================================================== 2389===================================================================
2344--- a/readconf.h 2390--- a/readconf.h
2345+++ b/readconf.h 2391+++ b/readconf.h
2346@@ -46,7 +46,12 @@ 2392@@ -47,7 +47,12 @@
2347 int challenge_response_authentication; 2393 int challenge_response_authentication;
2348 /* Try S/Key or TIS, authentication. */ 2394 /* Try S/Key or TIS, authentication. */
2349 int gss_authentication; /* Try GSS authentication */ 2395 int gss_authentication; /* Try GSS authentication */
@@ -2371,7 +2417,7 @@ Index: b/servconf.c
2371 options->password_authentication = -1; 2417 options->password_authentication = -1;
2372 options->kbd_interactive_authentication = -1; 2418 options->kbd_interactive_authentication = -1;
2373 options->challenge_response_authentication = -1; 2419 options->challenge_response_authentication = -1;
2374@@ -226,8 +229,14 @@ 2420@@ -225,8 +228,14 @@
2375 options->kerberos_get_afs_token = 0; 2421 options->kerberos_get_afs_token = 0;
2376 if (options->gss_authentication == -1) 2422 if (options->gss_authentication == -1)
2377 options->gss_authentication = 0; 2423 options->gss_authentication = 0;
@@ -2386,10 +2432,10 @@ Index: b/servconf.c
2386 if (options->password_authentication == -1) 2432 if (options->password_authentication == -1)
2387 options->password_authentication = 1; 2433 options->password_authentication = 1;
2388 if (options->kbd_interactive_authentication == -1) 2434 if (options->kbd_interactive_authentication == -1)
2389@@ -322,7 +331,9 @@ 2435@@ -318,7 +327,9 @@
2390 sBanner, sUseDNS, sHostbasedAuthentication, 2436 sBanner, sUseDNS, sHostbasedAuthentication,
2391 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2392 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 2438 sClientAliveCountMax, sAuthorizedKeysFile,
2393- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, 2439- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
2394+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2440+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
2395+ sGssKeyEx, sGssStoreRekey, 2441+ sGssKeyEx, sGssStoreRekey,
@@ -2397,7 +2443,7 @@ Index: b/servconf.c
2397 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2398 sUsePrivilegeSeparation, sAllowAgentForwarding, 2444 sUsePrivilegeSeparation, sAllowAgentForwarding,
2399 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2445 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2400@@ -386,10 +397,20 @@ 2446@@ -382,10 +393,20 @@
2401 #ifdef GSSAPI 2447 #ifdef GSSAPI
2402 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2403 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2418,7 +2464,7 @@ Index: b/servconf.c
2418 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2419 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2420 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2421@@ -944,10 +965,22 @@ 2467@@ -962,10 +983,22 @@
2422 intptr = &options->gss_authentication; 2468 intptr = &options->gss_authentication;
2423 goto parse_flag; 2469 goto parse_flag;
2424 2470
@@ -2441,7 +2487,7 @@ Index: b/servconf.c
2441 case sPasswordAuthentication: 2487 case sPasswordAuthentication:
2442 intptr = &options->password_authentication; 2488 intptr = &options->password_authentication;
2443 goto parse_flag; 2489 goto parse_flag;
2444@@ -1704,7 +1737,10 @@ 2490@@ -1720,7 +1753,10 @@
2445 #endif 2491 #endif
2446 #ifdef GSSAPI 2492 #ifdef GSSAPI
2447 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2456,7 +2502,7 @@ Index: b/servconf.h
2456=================================================================== 2502===================================================================
2457--- a/servconf.h 2503--- a/servconf.h
2458+++ b/servconf.h 2504+++ b/servconf.h
2459@@ -97,7 +97,10 @@ 2505@@ -103,7 +103,10 @@
2460 int kerberos_get_afs_token; /* If true, try to get AFS token if 2506 int kerberos_get_afs_token; /* If true, try to get AFS token if
2461 * authenticated with Kerberos. */ 2507 * authenticated with Kerberos. */
2462 int gss_authentication; /* If true, permit GSSAPI authentication */ 2508 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2585,7 +2631,7 @@ Index: b/ssh_config.5
2585=================================================================== 2631===================================================================
2586--- a/ssh_config.5 2632--- a/ssh_config.5
2587+++ b/ssh_config.5 2633+++ b/ssh_config.5
2588@@ -508,11 +508,43 @@ 2634@@ -527,11 +527,43 @@
2589 The default is 2635 The default is
2590 .Dq no . 2636 .Dq no .
2591 Note that this option applies to protocol version 2 only. 2637 Note that this option applies to protocol version 2 only.
@@ -2634,7 +2680,7 @@ Index: b/sshconnect2.c
2634=================================================================== 2680===================================================================
2635--- a/sshconnect2.c 2681--- a/sshconnect2.c
2636+++ b/sshconnect2.c 2682+++ b/sshconnect2.c
2637@@ -159,9 +159,34 @@ 2683@@ -160,9 +160,34 @@
2638 { 2684 {
2639 Kex *kex; 2685 Kex *kex;
2640 2686
@@ -2669,7 +2715,7 @@ Index: b/sshconnect2.c
2669 if (options.ciphers == (char *)-1) { 2715 if (options.ciphers == (char *)-1) {
2670 logit("No valid ciphers for protocol version 2 given, using defaults."); 2716 logit("No valid ciphers for protocol version 2 given, using defaults.");
2671 options.ciphers = NULL; 2717 options.ciphers = NULL;
2672@@ -196,6 +221,17 @@ 2718@@ -197,6 +222,17 @@
2673 if (options.kex_algorithms != NULL) 2719 if (options.kex_algorithms != NULL)
2674 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2720 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2675 2721
@@ -2687,7 +2733,7 @@ Index: b/sshconnect2.c
2687 if (options.rekey_limit) 2733 if (options.rekey_limit)
2688 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2734 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
2689 2735
2690@@ -206,10 +242,30 @@ 2736@@ -207,10 +243,30 @@
2691 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2737 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2692 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2738 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2693 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2739 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2718,7 +2764,7 @@ Index: b/sshconnect2.c
2718 xxx_kex = kex; 2764 xxx_kex = kex;
2719 2765
2720 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2766 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2721@@ -304,6 +360,7 @@ 2767@@ -305,6 +361,7 @@
2722 void input_gssapi_hash(int type, u_int32_t, void *); 2768 void input_gssapi_hash(int type, u_int32_t, void *);
2723 void input_gssapi_error(int, u_int32_t, void *); 2769 void input_gssapi_error(int, u_int32_t, void *);
2724 void input_gssapi_errtok(int, u_int32_t, void *); 2770 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2726,7 +2772,7 @@ Index: b/sshconnect2.c
2726 #endif 2772 #endif
2727 2773
2728 void userauth(Authctxt *, char *); 2774 void userauth(Authctxt *, char *);
2729@@ -319,6 +376,11 @@ 2775@@ -320,6 +377,11 @@
2730 2776
2731 Authmethod authmethods[] = { 2777 Authmethod authmethods[] = {
2732 #ifdef GSSAPI 2778 #ifdef GSSAPI
@@ -2738,7 +2784,7 @@ Index: b/sshconnect2.c
2738 {"gssapi-with-mic", 2784 {"gssapi-with-mic",
2739 userauth_gssapi, 2785 userauth_gssapi,
2740 NULL, 2786 NULL,
2741@@ -625,19 +687,31 @@ 2787@@ -626,19 +688,31 @@
2742 static u_int mech = 0; 2788 static u_int mech = 0;
2743 OM_uint32 min; 2789 OM_uint32 min;
2744 int ok = 0; 2790 int ok = 0;
@@ -2772,7 +2818,7 @@ Index: b/sshconnect2.c
2772 ok = 1; /* Mechanism works */ 2818 ok = 1; /* Mechanism works */
2773 } else { 2819 } else {
2774 mech++; 2820 mech++;
2775@@ -734,8 +808,8 @@ 2821@@ -735,8 +809,8 @@
2776 { 2822 {
2777 Authctxt *authctxt = ctxt; 2823 Authctxt *authctxt = ctxt;
2778 Gssctxt *gssctxt; 2824 Gssctxt *gssctxt;
@@ -2783,7 +2829,7 @@ Index: b/sshconnect2.c
2783 2829
2784 if (authctxt == NULL) 2830 if (authctxt == NULL)
2785 fatal("input_gssapi_response: no authentication context"); 2831 fatal("input_gssapi_response: no authentication context");
2786@@ -845,6 +919,48 @@ 2832@@ -846,6 +920,48 @@
2787 xfree(msg); 2833 xfree(msg);
2788 xfree(lang); 2834 xfree(lang);
2789 } 2835 }
@@ -2836,8 +2882,8 @@ Index: b/sshd.c
2836=================================================================== 2882===================================================================
2837--- a/sshd.c 2883--- a/sshd.c
2838+++ b/sshd.c 2884+++ b/sshd.c
2839@@ -120,6 +120,10 @@ 2885@@ -121,6 +121,10 @@
2840 #include "roaming.h" 2886 #include "ssh-sandbox.h"
2841 #include "version.h" 2887 #include "version.h"
2842 2888
2843+#ifdef USE_SECURITY_SESSION_API 2889+#ifdef USE_SECURITY_SESSION_API
@@ -2847,7 +2893,7 @@ Index: b/sshd.c
2847 #ifdef LIBWRAP 2893 #ifdef LIBWRAP
2848 #include <tcpd.h> 2894 #include <tcpd.h>
2849 #include <syslog.h> 2895 #include <syslog.h>
2850@@ -1590,10 +1594,13 @@ 2896@@ -1612,10 +1616,13 @@
2851 logit("Disabling protocol version 1. Could not load host key"); 2897 logit("Disabling protocol version 1. Could not load host key");
2852 options.protocol &= ~SSH_PROTO_1; 2898 options.protocol &= ~SSH_PROTO_1;
2853 } 2899 }
@@ -2861,7 +2907,7 @@ Index: b/sshd.c
2861 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2862 logit("sshd: no hostkeys available -- exiting."); 2908 logit("sshd: no hostkeys available -- exiting.");
2863 exit(1); 2909 exit(1);
2864@@ -1922,6 +1929,60 @@ 2910@@ -1944,6 +1951,60 @@
2865 /* Log the connection. */ 2911 /* Log the connection. */
2866 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2912 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2867 2913
@@ -2922,7 +2968,7 @@ Index: b/sshd.c
2922 /* 2968 /*
2923 * We don't want to listen forever unless the other side 2969 * We don't want to listen forever unless the other side
2924 * successfully authenticates itself. So we set up an alarm which is 2970 * successfully authenticates itself. So we set up an alarm which is
2925@@ -2303,6 +2364,48 @@ 2971@@ -2325,6 +2386,48 @@
2926 2972
2927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2928 2974
@@ -2971,7 +3017,7 @@ Index: b/sshd.c
2971 /* start key exchange */ 3017 /* start key exchange */
2972 kex = kex_setup(myproposal); 3018 kex = kex_setup(myproposal);
2973 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2974@@ -2310,6 +2413,13 @@ 3020@@ -2332,6 +2435,13 @@
2975 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2976 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2977 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2989,7 +3035,7 @@ Index: b/sshd_config
2989=================================================================== 3035===================================================================
2990--- a/sshd_config 3036--- a/sshd_config
2991+++ b/sshd_config 3037+++ b/sshd_config
2992@@ -72,6 +72,8 @@ 3038@@ -75,6 +75,8 @@
2993 # GSSAPI options 3039 # GSSAPI options
2994 #GSSAPIAuthentication no 3040 #GSSAPIAuthentication no
2995 #GSSAPICleanupCredentials yes 3041 #GSSAPICleanupCredentials yes
@@ -3002,7 +3048,7 @@ Index: b/sshd_config.5
3002=================================================================== 3048===================================================================
3003--- a/sshd_config.5 3049--- a/sshd_config.5
3004+++ b/sshd_config.5 3050+++ b/sshd_config.5
3005@@ -423,12 +423,40 @@ 3051@@ -424,12 +424,40 @@
3006 The default is 3052 The default is
3007 .Dq no . 3053 .Dq no .
3008 Note that this option applies to protocol version 2 only. 3054 Note that this option applies to protocol version 2 only.
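diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch
deleted file mode 100644
index fb618940a..000000000
--- a/debian/patches/hostbased-ecdsa.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-Description: Make hostbased auth with ECDSA keys work correctly
-Author: Harv <harvey.eneman@oracle.com>
-Author: Damien Miller <djm@mindrot.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
-Bug-Debian: http://bugs.debian.org/633368
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
-Applied-Upstream: yes
-Forwarded: not-needed
-Last-Update: 2011-07-17
-
-Index: b/ssh-keysign.c
-===================================================================
---- a/ssh-keysign.c
-+++ b/ssh-keysign.c
-@@ -150,9 +150,10 @@
- {
- Buffer b;
- Options options;
-- Key *keys[2], *key = NULL;
-+#define NUM_KEYTYPES 3
-+ Key *keys[NUM_KEYTYPES], *key = NULL;
- struct passwd *pw;
-- int key_fd[2], i, found, version = 2, fd;
-+ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
- u_char *signature, *data;
- char *host;
- u_int slen, dlen;
-@@ -165,8 +166,10 @@
- if (fd > 2)
- close(fd);
- 
-- key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
-- key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-+ i = 0;
-+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
-+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
- 
- original_real_uid = getuid(); /* XXX readconf.c needs this */
- if ((pw = getpwuid(original_real_uid)) == NULL)
-@@ -191,7 +194,11 @@
- fatal("ssh-keysign not enabled in %s",
- _PATH_HOST_CONFIG_FILE);
- 
-- if (key_fd[0] == -1 && key_fd[1] == -1)
-+ for (i = found = 0; i < NUM_KEYTYPES; i++) {
-+ if (key_fd[i] != -1)
-+ found = 1;
-+ }
-+ if (found == 0)
- fatal("could not open any host key");
- 
- OpenSSL_add_all_algorithms();
-@@ -200,7 +207,7 @@
- RAND_seed(rnd, sizeof(rnd));
- 
- found = 0;
-- for (i = 0; i < 2; i++) {
-+ for (i = 0; i < NUM_KEYTYPES; i++) {
- keys[i] = NULL;
- if (key_fd[i] == -1)
- continue;
-@@ -230,7 +237,7 @@
- xfree(host);
- 
- found = 0;
-- for (i = 0; i < 2; i++) {
-+ for (i = 0; i < NUM_KEYTYPES; i++) {
- if (keys[i] != NULL &&
- key_equal_public(key, keys[i])) {
- found = 1;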
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 89011cfb7..d8362de70 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -21,21 +21,21 @@ Index: b/readconf.c
21@@ -138,6 +138,7 @@ 21@@ -138,6 +138,7 @@
22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
24 oKexAlgorithms, oIPQoS, 24 oKexAlgorithms, oIPQoS, oRequestTTY,
25+ oProtocolKeepAlives, oSetupTimeOut, 25+ oProtocolKeepAlives, oSetupTimeOut,
26 oDeprecated, oUnsupported 26 oDeprecated, oUnsupported
27 } OpCodes; 27 } OpCodes;
28 28
29@@ -258,6 +259,8 @@ 29@@ -259,6 +260,8 @@
30 #endif
31 { "kexalgorithms", oKexAlgorithms }, 30 { "kexalgorithms", oKexAlgorithms },
32 { "ipqos", oIPQoS }, 31 { "ipqos", oIPQoS },
32 { "requesttty", oRequestTTY },
33+ { "protocolkeepalives", oProtocolKeepAlives }, 33+ { "protocolkeepalives", oProtocolKeepAlives },
34+ { "setuptimeout", oSetupTimeOut }, 34+ { "setuptimeout", oSetupTimeOut },
35 35
36 { NULL, oBadOption } 36 { NULL, oBadOption }
37 }; 37 };
38@@ -888,6 +891,8 @@ 38@@ -914,6 +917,8 @@
39 goto parse_flag; 39 goto parse_flag;
40 40
41 case oServerAliveInterval: 41 case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 44 intptr = &options->server_alive_interval;
45 goto parse_time; 45 goto parse_time;
46 46
47@@ -1336,8 +1341,13 @@ 47@@ -1385,8 +1390,13 @@
48 options->rekey_limit = 0; 48 options->rekey_limit = 0;
49 if (options->verify_host_key_dns == -1) 49 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 50 options->verify_host_key_dns = 0;
@@ -64,7 +64,7 @@ Index: b/ssh_config.5
64=================================================================== 64===================================================================
65--- a/ssh_config.5 65--- a/ssh_config.5
66+++ b/ssh_config.5 66+++ b/ssh_config.5
67@@ -127,8 +127,12 @@ 67@@ -136,8 +136,12 @@
68 If set to 68 If set to
69 .Dq yes , 69 .Dq yes ,
70 passphrase/password querying will be disabled. 70 passphrase/password querying will be disabled.
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -1058,8 +1062,15 @@ 81@@ -1100,8 +1104,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1098,6 +1109,12 @@ 98@@ -1140,6 +1151,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -1034,6 +1034,9 @@ 115@@ -1037,6 +1037,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 6e161f451..7ee91cce8 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -299,9 +299,9 @@ 12@@ -282,9 +282,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index fc07e8861..bda5f0c24 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -13,28 +13,28 @@ Index: b/moduli.5
13--- a/moduli.5 13--- a/moduli.5
14+++ b/moduli.5 14+++ b/moduli.5
15@@ -21,7 +21,7 @@ 15@@ -21,7 +21,7 @@
16 .Nd Diffie Hellman moduli 16 .Nd Diffie-Hellman moduli
17 .Sh DESCRIPTION 17 .Sh DESCRIPTION
18 The 18 The
19-.Pa /etc/moduli 19-.Pa /etc/moduli
20+.Pa /etc/ssh/moduli 20+.Pa /etc/ssh/moduli
21 file contains prime numbers and generators for use by 21 file contains prime numbers and generators for use by
22 .Xr sshd 8 22 .Xr sshd 8
23 in the Diffie-Hellman Group Exchange key exchange method. 23 in the Diffie-Hellman Group Exchange key exchange method.
24@@ -111,7 +111,7 @@ 24@@ -110,7 +110,7 @@
25 Diffie Hellman output to sufficiently key the selected symmetric cipher. 25 Diffie-Hellman output to sufficiently key the selected symmetric cipher.
26 .Xr sshd 8 26 .Xr sshd 8
27 then randomly selects a modulus from 27 then randomly selects a modulus from
28-.Fa /etc/moduli 28-.Fa /etc/moduli
29+.Fa /etc/ssh/moduli 29+.Fa /etc/ssh/moduli
30 that best meets the size requirement. 30 that best meets the size requirement.
31 .Pp
32 .Sh SEE ALSO 31 .Sh SEE ALSO
32 .Xr ssh-keygen 1 ,
33Index: b/ssh-keygen.1 33Index: b/ssh-keygen.1
34=================================================================== 34===================================================================
35--- a/ssh-keygen.1 35--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 36+++ b/ssh-keygen.1
37@@ -147,9 +147,7 @@ 37@@ -149,9 +149,7 @@
38 .Pa ~/.ssh/id_dsa 38 .Pa ~/.ssh/id_dsa
39 or 39 or
40 .Pa ~/.ssh/id_rsa . 40 .Pa ~/.ssh/id_rsa .
@@ -45,22 +45,40 @@ Index: b/ssh-keygen.1
45 .Pp 45 .Pp
46 Normally this program generates the key and asks for a file in which 46 Normally this program generates the key and asks for a file in which
47 to store the private key. 47 to store the private key.
48@@ -393,9 +391,7 @@ 48@@ -197,9 +195,7 @@
49 .It Fl q 49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
50 Silence 50 do not exist, generate the host keys with the default key file path,
51 .Nm ssh-keygen . 51 an empty passphrase, default bits for the key type, and default comment.
52-Used by 52-This is used by
53-.Pa /etc/rc 53-.Pa /etc/rc
54-when creating a new key. 54-to generate new host keys.
55+Used by system administration scripts when creating a new key. 55+This is used by system administration scripts to generate new host keys.
56 .It Fl R Ar hostname 56 .It Fl a Ar trials
57 Removes all keys belonging to 57 Specifies the number of primality tests to perform when screening DH-GEX
58 .Ar hostname 58 candidates using the
59@@ -535,7 +531,7 @@
60 Valid generator values are 2, 3, and 5.
61 .Pp
62 Screened DH groups may be installed in
63-.Pa /etc/moduli .
64+.Pa /etc/ssh/moduli .
65 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES
68@@ -661,7 +657,7 @@
69 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret.
71 .Pp
72-.It Pa /etc/moduli
73+.It Pa /etc/ssh/moduli
74 Contains Diffie-Hellman groups used for DH-GEX.
75 The file format is described in
76 .Xr moduli 5 .
59Index: b/ssh.1 77Index: b/ssh.1
60=================================================================== 78===================================================================
61--- a/ssh.1 79--- a/ssh.1
62+++ b/ssh.1 80+++ b/ssh.1
63@@ -726,6 +726,10 @@ 81@@ -731,6 +731,10 @@
64 .Sx HISTORY 82 .Sx HISTORY
65 section of 83 section of
66 .Xr ssl 8 84 .Xr ssl 8
@@ -84,7 +102,7 @@ Index: b/sshd.8
84 It forks a new 102 It forks a new
85 daemon for each incoming connection. 103 daemon for each incoming connection.
86 The forked daemons handle 104 The forked daemons handle
87@@ -850,7 +850,7 @@ 105@@ -853,7 +853,7 @@
88 .Xr ssh 1 ) . 106 .Xr ssh 1 ) .
89 It should only be writable by root. 107 It should only be writable by root.
90 .Pp 108 .Pp
@@ -93,7 +111,7 @@ Index: b/sshd.8
93 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
94 The file format is described in 112 The file format is described in
95 .Xr moduli 5 . 113 .Xr moduli 5 .
96@@ -948,7 +948,6 @@ 114@@ -951,7 +951,6 @@
97 .Xr ssh-vulnkey 1 , 115 .Xr ssh-vulnkey 1 ,
98 .Xr chroot 2 , 116 .Xr chroot 2 ,
99 .Xr hosts_access 5 , 117 .Xr hosts_access 5 ,
@@ -105,7 +123,7 @@ Index: b/sshd_config.5
105=================================================================== 123===================================================================
106--- a/sshd_config.5 124--- a/sshd_config.5
107+++ b/sshd_config.5 125+++ b/sshd_config.5
108@@ -221,8 +221,7 @@ 126@@ -222,8 +222,7 @@
109 By default, no banner is displayed. 127 By default, no banner is displayed.
110 .It Cm ChallengeResponseAuthentication 128 .It Cm ChallengeResponseAuthentication
111 Specifies whether challenge-response authentication is allowed (e.g. via 129 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 0bcc7ed3b..6dd0cf78d 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -24,7 +24,7 @@ Index: b/sshd.c
24=================================================================== 24===================================================================
25--- a/sshd.c 25--- a/sshd.c
26+++ b/sshd.c 26+++ b/sshd.c
27@@ -422,7 +422,7 @@ 27@@ -423,7 +423,7 @@
28 minor = PROTOCOL_MINOR_1; 28 minor = PROTOCOL_MINOR_1;
29 } 29 }
30 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, 30 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@@ -38,9 +38,9 @@ Index: b/version.h
38--- a/version.h 38--- a/version.h
39+++ b/version.h 39+++ b/version.h
40@@ -3,4 +3,9 @@ 40@@ -3,4 +3,9 @@
41 #define SSH_VERSION "OpenSSH_5.8" 41 #define SSH_VERSION "OpenSSH_5.9"
42 42
43 #define SSH_PORTABLE "p1" 43 #define SSH_PORTABLE "p2"
44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
45+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 45+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
46+#ifdef SSH_EXTRAVERSION 46+#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index f8bc5fd4e..ff41f094d 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1594,8 +1594,10 @@ 19@@ -1619,8 +1619,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
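diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch
deleted file mode 100644
index 6c99e3f38..000000000
--- a/debian/patches/selinux-build-failure.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Description: Fix SELinux build failure
-Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=1991&action=diff
-Author: Leonardo Chiqitto <leonardo@ngdn.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1851
-Last-Update: 2011-02-05
-
-Index: b/openbsd-compat/port-linux.c
-===================================================================
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -226,7 +226,7 @@
- 
- if (!ssh_selinux_enabled())
- return;
-- if (path == NULL)
-+ if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }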
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 70364f9d5..b14402199 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -92,7 +92,7 @@ Index: b/monitor.c
92=================================================================== 92===================================================================
93--- a/monitor.c 93--- a/monitor.c
94+++ b/monitor.c 94+++ b/monitor.c
95@@ -137,6 +137,7 @@ 95@@ -145,6 +145,7 @@
96 int mm_answer_pwnamallow(int, Buffer *); 96 int mm_answer_pwnamallow(int, Buffer *);
97 int mm_answer_auth2_read_banner(int, Buffer *); 97 int mm_answer_auth2_read_banner(int, Buffer *);
98 int mm_answer_authserv(int, Buffer *); 98 int mm_answer_authserv(int, Buffer *);
@@ -100,7 +100,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 100 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 101 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 102 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -215,6 +216,7 @@ 103@@ -225,6 +226,7 @@
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,15 +108,15 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -699,6 +701,7 @@ 111@@ -810,6 +812,7 @@
112 else { 112 else {
113 /* Allow service/style information on the auth context */ 113 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
115+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); 115+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 117 }
118 118 #ifdef USE_PAM
119@@ -732,14 +735,37 @@ 119@@ -842,14 +845,37 @@
120 120
121 authctxt->service = buffer_get_string(m, NULL); 121 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 122 authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1327,7 +1353,7 @@ 159@@ -1437,7 +1463,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 161 if (res == 0)
162 goto error; 162 goto error;
@@ -182,7 +182,7 @@ Index: b/monitor_wrap.c
182=================================================================== 182===================================================================
183--- a/monitor_wrap.c 183--- a/monitor_wrap.c
184+++ b/monitor_wrap.c 184+++ b/monitor_wrap.c
185@@ -280,10 +280,10 @@ 185@@ -318,10 +318,10 @@
186 return (banner); 186 return (banner);
187 } 187 }
188 188
@@ -195,7 +195,7 @@ Index: b/monitor_wrap.c
195 { 195 {
196 Buffer m; 196 Buffer m;
197 197
198@@ -292,11 +292,29 @@ 198@@ -330,11 +330,29 @@
199 buffer_init(&m); 199 buffer_init(&m);
200 buffer_put_cstring(&m, service); 200 buffer_put_cstring(&m, service);
201 buffer_put_cstring(&m, style ? style : ""); 201 buffer_put_cstring(&m, style ? style : "");
@@ -229,7 +229,7 @@ Index: b/monitor_wrap.h
229=================================================================== 229===================================================================
230--- a/monitor_wrap.h 230--- a/monitor_wrap.h
231+++ b/monitor_wrap.h 231+++ b/monitor_wrap.h
232@@ -40,7 +40,8 @@ 232@@ -41,7 +41,8 @@
233 int mm_is_monitor(void); 233 int mm_is_monitor(void);
234 DH *mm_choose_dh(int, int, int); 234 DH *mm_choose_dh(int, int, int);
235 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 235 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@@ -256,7 +256,7 @@ Index: b/openbsd-compat/port-linux.c
256 #include "log.h" 256 #include "log.h"
257 #include "xmalloc.h" 257 #include "xmalloc.h"
258 #include "port-linux.h" 258 #include "port-linux.h"
259@@ -54,9 +60,9 @@ 259@@ -58,9 +64,9 @@
260 260
261 /* Return the default security context for the given username */ 261 /* Return the default security context for the given username */
262 static security_context_t 262 static security_context_t
@@ -268,7 +268,7 @@ Index: b/openbsd-compat/port-linux.c
268 char *sename = NULL, *lvl = NULL; 268 char *sename = NULL, *lvl = NULL;
269 int r; 269 int r;
270 270
271@@ -69,9 +75,16 @@ 271@@ -73,9 +79,16 @@
272 #endif 272 #endif
273 273
274 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 274 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -287,7 +287,7 @@ Index: b/openbsd-compat/port-linux.c
287 #endif 287 #endif
288 288
289 if (r != 0) { 289 if (r != 0) {
290@@ -102,7 +115,7 @@ 290@@ -106,7 +119,7 @@
291 291
292 /* Set the execution context to the default for the specified user */ 292 /* Set the execution context to the default for the specified user */
293 void 293 void
@@ -296,7 +296,7 @@ Index: b/openbsd-compat/port-linux.c
296 { 296 {
297 security_context_t user_ctx = NULL; 297 security_context_t user_ctx = NULL;
298 298
299@@ -111,7 +124,7 @@ 299@@ -115,7 +128,7 @@
300 300
301 debug3("%s: setting execution context", __func__); 301 debug3("%s: setting execution context", __func__);
302 302
@@ -305,7 +305,7 @@ Index: b/openbsd-compat/port-linux.c
305 if (setexeccon(user_ctx) != 0) { 305 if (setexeccon(user_ctx) != 0) {
306 switch (security_getenforce()) { 306 switch (security_getenforce()) {
307 case -1: 307 case -1:
308@@ -133,7 +146,7 @@ 308@@ -137,7 +150,7 @@
309 309
310 /* Set the TTY context for the specified user */ 310 /* Set the TTY context for the specified user */
311 void 311 void
@@ -314,7 +314,7 @@ Index: b/openbsd-compat/port-linux.c
314 { 314 {
315 security_context_t new_tty_ctx = NULL; 315 security_context_t new_tty_ctx = NULL;
316 security_context_t user_ctx = NULL; 316 security_context_t user_ctx = NULL;
317@@ -144,7 +157,7 @@ 317@@ -148,7 +161,7 @@
318 318
319 debug3("%s: setting TTY context on %s", __func__, tty); 319 debug3("%s: setting TTY context on %s", __func__, tty);
320 320
@@ -377,7 +377,7 @@ Index: b/session.c
377=================================================================== 377===================================================================
378--- a/session.c 378--- a/session.c
379+++ b/session.c 379+++ b/session.c
380@@ -1467,7 +1467,7 @@ 380@@ -1471,7 +1471,7 @@
381 381
382 /* Set login name, uid, gid, and groups. */ 382 /* Set login name, uid, gid, and groups. */
383 void 383 void
@@ -386,7 +386,7 @@ Index: b/session.c
386 { 386 {
387 char *chroot_path, *tmp; 387 char *chroot_path, *tmp;
388 388
389@@ -1495,7 +1495,7 @@ 389@@ -1499,7 +1499,7 @@
390 endgrent(); 390 endgrent();
391 #endif 391 #endif
392 392
@@ -395,7 +395,7 @@ Index: b/session.c
395 395
396 if (options.chroot_directory != NULL && 396 if (options.chroot_directory != NULL &&
397 strcasecmp(options.chroot_directory, "none") != 0) { 397 strcasecmp(options.chroot_directory, "none") != 0) {
398@@ -1618,7 +1618,7 @@ 398@@ -1625,7 +1625,7 @@
399 399
400 /* Force a password change */ 400 /* Force a password change */
401 if (s->authctxt->force_pwchange) { 401 if (s->authctxt->force_pwchange) {
@@ -404,7 +404,7 @@ Index: b/session.c
404 child_close_fds(); 404 child_close_fds();
405 do_pwchange(s); 405 do_pwchange(s);
406 exit(1); 406 exit(1);
407@@ -1645,7 +1645,7 @@ 407@@ -1652,7 +1652,7 @@
408 /* When PAM is enabled we rely on it to do the nologin check */ 408 /* When PAM is enabled we rely on it to do the nologin check */
409 if (!options.use_pam) 409 if (!options.use_pam)
410 do_nologin(pw); 410 do_nologin(pw);
@@ -413,7 +413,7 @@ Index: b/session.c
413 /* 413 /*
414 * PAM session modules in do_setusercontext may have 414 * PAM session modules in do_setusercontext may have
415 * generated messages, so if this in an interactive 415 * generated messages, so if this in an interactive
416@@ -2057,7 +2057,7 @@ 416@@ -2064,7 +2064,7 @@
417 tty_parse_modes(s->ttyfd, &n_bytes); 417 tty_parse_modes(s->ttyfd, &n_bytes);
418 418
419 if (!use_privsep) 419 if (!use_privsep)
@@ -439,7 +439,7 @@ Index: b/sshd.c
439=================================================================== 439===================================================================
440--- a/sshd.c 440--- a/sshd.c
441+++ b/sshd.c 441+++ b/sshd.c
442@@ -707,7 +707,7 @@ 442@@ -730,7 +730,7 @@
443 RAND_seed(rnd, sizeof(rnd)); 443 RAND_seed(rnd, sizeof(rnd));
444 444
445 /* Drop privileges */ 445 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index 3450e4c55..2be7cf10a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,5 @@
1# GSSAPI 1# GSSAPI
2gssapi.patch 2gssapi.patch
3gssapi-autoconf.patch
4 3
5# SELinux 4# SELinux
6selinux-role.patch 5selinux-role.patch
@@ -37,9 +36,6 @@ ssh-argv0.patch
37doc-hash-tab-completion.patch 36doc-hash-tab-completion.patch
38 37
39# Miscellaneous bug fixes 38# Miscellaneous bug fixes
40selinux-build-failure.patch
41ssh-add-fifo.patch
42hostbased-ecdsa.patch
43auth-log-verbosity.patch 39auth-log-verbosity.patch
44 40
45# Debian-specific configuration 41# Debian-specific configuration
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 5100d8ec7..8c549128b 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1274,7 +1274,7 @@ 22@@ -1273,7 +1273,7 @@
23 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-add-fifo.patch b/debian/patches/ssh-add-fifo.patch
deleted file mode 100644
index deac58e75..000000000
--- a/debian/patches/ssh-add-fifo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1Description: Allow ssh-add to read from FIFOs
2Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1869
4Bug-Debian: http://bugs.debian.org/614897
5Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=2002&action=diff
6Forwarded: yes
7Last-Update: 2011-03-18
8
9Index: b/authfile.c
10===================================================================
11--- a/authfile.c
12+++ b/authfile.c
13@@ -317,7 +317,7 @@
14 static int
15 key_load_file(int fd, const char *filename, Buffer *blob)
16 {
17- size_t len;
18+ size_t len, readcount;
19 u_char *cp;
20 struct stat st;
21
22@@ -337,11 +337,14 @@
23 return 0;
24 }
25 len = (size_t)st.st_size; /* truncated */
26+ if (0 == len && S_ISFIFO(st.st_mode))
27+ len = 8192; /* we will try reading up to 8KiB from a FIFO */
28
29 buffer_init(blob);
30 cp = buffer_append_space(blob, len);
31
32- if (atomicio(read, fd, cp, len) != len) {
33+ readcount = atomicio(read, fd, cp, len);
34+ if (readcount != len && !(readcount > 0 && S_ISFIFO(st.st_mode))) {
35 debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
36 filename == NULL ? "" : filename,
37 filename == NULL ? "" : " ",
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 43d9d4d44..a7750ed23 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1406,6 +1406,7 @@ 14@@ -1411,6 +1411,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index f3e08b06d..4245319c3 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -14,47 +14,45 @@ Index: b/Makefile.in
14=================================================================== 14===================================================================
15--- a/Makefile.in 15--- a/Makefile.in
16+++ b/Makefile.in 16+++ b/Makefile.in
17@@ -27,6 +27,7 @@ 17@@ -26,6 +26,7 @@
18 SFTP_SERVER=$(libexecdir)/sftp-server
18 SSH_KEYSIGN=$(libexecdir)/ssh-keysign 19 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
19 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper 20 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
20 RAND_HELPER=$(libexecdir)/ssh-rand-helper
21+SSH_DATADIR=$(datadir)/ssh 21+SSH_DATADIR=$(datadir)/ssh
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 22 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 24 STRIP_OPT=@STRIP_OPT@
25@@ -39,7 +40,8 @@ 25@@ -38,6 +39,7 @@
26 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 26 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ 28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
29- -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" 29+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \
30+ -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \
31+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
32 30
33 CC=@CC@ 31 CC=@CC@
34 LD=@LD@ 32 LD=@LD@
35@@ -64,7 +66,7 @@ 33@@ -59,7 +61,7 @@
36 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ 34 EXEEXT=@EXEEXT@
37 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ 35 MANFMT=@MANFMT@
38 36
39-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) 37-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
40+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) 38+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
41 39
42 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 40 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
43 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 41 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
44@@ -97,8 +99,8 @@ 42@@ -93,8 +95,8 @@
45 sftp-server.o sftp-common.o \ 43 roaming_common.o roaming_serv.o \
46 roaming_common.o roaming_serv.o 44 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
47 45
48-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 46-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
49-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 47-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
50+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out 48+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
51+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 49+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
52 MANTYPE = @MANTYPE@ 50 MANTYPE = @MANTYPE@
53 51
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 52 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -179,6 +181,9 @@ 53@@ -171,6 +173,9 @@
56 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o 54 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 55 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 56
59+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o 57+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
60+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 58+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -62,7 +60,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 60 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 61 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 62 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -273,6 +278,7 @@ 63@@ -259,6 +264,7 @@
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 64 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 65 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +68,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 68 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 69 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 70 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -290,6 +296,7 @@ 71@@ -273,6 +279,7 @@
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 72 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 73 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 74 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +76,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 76 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 77 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 78 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -379,6 +386,7 @@ 79@@ -354,6 +361,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 80 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 81 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,14 +84,14 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 85 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 86 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -392,6 +400,7 @@ 87@@ -366,6 +374,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 88 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 89 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
93+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 91+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
94 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
95 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
96 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 93 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
94 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
97Index: b/auth-rh-rsa.c 95Index: b/auth-rh-rsa.c
98=================================================================== 96===================================================================
99--- a/auth-rh-rsa.c 97--- a/auth-rh-rsa.c
@@ -111,7 +109,7 @@ Index: b/auth-rsa.c
111=================================================================== 109===================================================================
112--- a/auth-rsa.c 110--- a/auth-rsa.c
113+++ b/auth-rsa.c 111+++ b/auth-rsa.c
114@@ -247,7 +247,7 @@ 112@@ -233,7 +233,7 @@
115 file, linenum, BN_num_bits(key->rsa->n), bits); 113 file, linenum, BN_num_bits(key->rsa->n), bits);
116 114
117 /* Never accept a revoked key */ 115 /* Never accept a revoked key */
@@ -132,7 +130,7 @@ Index: b/auth.c
132 #include "auth.h" 130 #include "auth.h"
133 #include "auth-options.h" 131 #include "auth-options.h"
134 #include "canohost.h" 132 #include "canohost.h"
135@@ -621,10 +622,34 @@ 133@@ -606,10 +607,34 @@
136 134
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 135 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 136 int
@@ -172,7 +170,7 @@ Index: b/auth.h
172=================================================================== 170===================================================================
173--- a/auth.h 171--- a/auth.h
174+++ b/auth.h 172+++ b/auth.h
175@@ -175,7 +175,7 @@ 173@@ -174,7 +174,7 @@
176 174
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 175 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 176 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -199,7 +197,7 @@ Index: b/auth2-pubkey.c
199--- a/auth2-pubkey.c 197--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 198+++ b/auth2-pubkey.c
201@@ -439,9 +439,10 @@ 199@@ -439,9 +439,10 @@
202 int success; 200 u_int success, i;
203 char *file; 201 char *file;
204 202
205- if (auth_key_is_revoked(key)) 203- if (auth_key_is_revoked(key))
@@ -221,9 +219,9 @@ Index: b/authfile.c
221 #include "atomicio.h" 219 #include "atomicio.h"
222+#include "pathnames.h" 220+#include "pathnames.h"
223 221
224 /* Version identification string for SSH v1 identity files. */ 222 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 static const char authfile_id_string[] = 223
226@@ -906,3 +907,140 @@ 224@@ -944,3 +945,140 @@
227 return ret; 225 return ret;
228 } 226 }
229 227
@@ -368,7 +366,7 @@ Index: b/authfile.h
368=================================================================== 366===================================================================
369--- a/authfile.h 367--- a/authfile.h
370+++ b/authfile.h 368+++ b/authfile.h
371@@ -26,4 +26,6 @@ 369@@ -28,4 +28,6 @@
372 int key_perm_ok(int, const char *); 370 int key_perm_ok(int, const char *);
373 int key_in_file(Key *, const char *, int); 371 int key_in_file(Key *, const char *, int);
374 372
@@ -420,7 +418,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 418 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 419 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 420 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -486,6 +488,10 @@ 421@@ -489,6 +491,10 @@
424 intptr = &options->challenge_response_authentication; 422 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 423 goto parse_flag;
426 424
@@ -431,7 +429,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 429 case oGssAuthentication:
432 intptr = &options->gss_authentication; 430 intptr = &options->gss_authentication;
433 goto parse_flag; 431 goto parse_flag;
434@@ -1134,6 +1140,7 @@ 432@@ -1180,6 +1186,7 @@
435 options->kbd_interactive_devices = NULL; 433 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 434 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 435 options->hostbased_authentication = -1;
@@ -439,7 +437,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 437 options->batch_mode = -1;
440 options->check_host_ip = -1; 438 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 439 options->strict_host_key_checking = -1;
442@@ -1245,6 +1252,8 @@ 440@@ -1290,6 +1297,8 @@
443 options->rhosts_rsa_authentication = 0; 441 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 442 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 443 options->hostbased_authentication = 0;
@@ -452,7 +450,7 @@ Index: b/readconf.h
452=================================================================== 450===================================================================
453--- a/readconf.h 451--- a/readconf.h
454+++ b/readconf.h 452+++ b/readconf.h
455@@ -57,6 +57,7 @@ 453@@ -58,6 +58,7 @@
456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 454 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 455 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
458 int zero_knowledge_password_authentication; /* Try jpake */ 456 int zero_knowledge_password_authentication; /* Try jpake */
@@ -472,7 +470,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 470 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 471 options->permit_user_env = -1;
474 options->use_login = -1; 472 options->use_login = -1;
475@@ -243,6 +244,8 @@ 473@@ -242,6 +243,8 @@
476 options->kbd_interactive_authentication = 0; 474 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 475 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 476 options->challenge_response_authentication = 1;
@@ -481,7 +479,7 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 479 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 480 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 481 if (options->permit_user_env == -1)
484@@ -322,7 +325,7 @@ 482@@ -318,7 +321,7 @@
485 sListenAddress, sAddressFamily, 483 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 484 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 485 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +488,7 @@ Index: b/servconf.c
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 488 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 489 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 490 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -432,6 +435,7 @@ 491@@ -428,6 +431,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 492 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 493 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 494 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +496,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 498 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1029,6 +1033,10 @@ 499@@ -1047,6 +1051,10 @@
502 intptr = &options->tcp_keep_alive; 500 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 501 goto parse_flag;
504 502
@@ -509,7 +507,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 507 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 508 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 509 goto parse_flag;
512@@ -1757,6 +1765,7 @@ 510@@ -1773,6 +1781,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 511 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 512 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 513 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +519,7 @@ Index: b/servconf.h
521=================================================================== 519===================================================================
522--- a/servconf.h 520--- a/servconf.h
523+++ b/servconf.h 521+++ b/servconf.h
524@@ -107,6 +107,7 @@ 522@@ -113,6 +113,7 @@
525 int challenge_response_authentication; 523 int challenge_response_authentication;
526 int zero_knowledge_password_authentication; 524 int zero_knowledge_password_authentication;
527 /* If true, permit jpake auth */ 525 /* If true, permit jpake auth */
@@ -564,10 +562,10 @@ Index: b/ssh-add.c
564+ char *comment = NULL, *fp; 562+ char *comment = NULL, *fp;
565 char msg[1024], *certpath; 563 char msg[1024], *certpath;
566 int fd, perms_ok, ret = -1; 564 int fd, perms_ok, ret = -1;
567 565 Buffer keyblob;
568@@ -187,6 +187,14 @@ 566@@ -218,6 +218,14 @@
569 "Bad passphrase, try again for %.200s: ", comment); 567 } else {
570 } 568 fprintf(stderr, "Could not add identity: %s\n", filename);
571 } 569 }
572+ if (blacklisted_key(private, &fp) == 1) { 570+ if (blacklisted_key(private, &fp) == 1) {
573+ fprintf(stderr, "Public key %s blacklisted (see " 571+ fprintf(stderr, "Public key %s blacklisted (see "
@@ -578,13 +576,13 @@ Index: b/ssh-add.c
578+ return -1; 576+ return -1;
579+ } 577+ }
580 578
581 if (ssh_add_identity_constrained(ac, private, comment, lifetime, 579
582 confirm)) { 580 /* Now try to add the certificate flavour too */
583Index: b/ssh-keygen.1 581Index: b/ssh-keygen.1
584=================================================================== 582===================================================================
585--- a/ssh-keygen.1 583--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 584+++ b/ssh-keygen.1
587@@ -659,6 +659,7 @@ 585@@ -670,6 +670,7 @@
588 .Xr ssh 1 , 586 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 587 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 588 .Xr ssh-agent 1 ,
@@ -843,7 +841,7 @@ Index: b/ssh-vulnkey.c
843=================================================================== 841===================================================================
844--- /dev/null 842--- /dev/null
845+++ b/ssh-vulnkey.c 843+++ b/ssh-vulnkey.c
846@@ -0,0 +1,388 @@ 844@@ -0,0 +1,387 @@
847+/* 845+/*
848+ * Copyright (c) 2008 Canonical Ltd. All rights reserved. 846+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
849+ * 847+ *
@@ -1157,7 +1155,6 @@ Index: b/ssh-vulnkey.c
1157+ /* We don't need the RNG ourselves, but symbol references here allow 1155+ /* We don't need the RNG ourselves, but symbol references here allow
1158+ * ld to link us properly. 1156+ * ld to link us properly.
1159+ */ 1157+ */
1160+ init_rng();
1161+ seed_rng(); 1158+ seed_rng();
1162+ 1159+
1163+ while ((opt = getopt(argc, argv, "ahqv")) != -1) { 1160+ while ((opt = getopt(argc, argv, "ahqv")) != -1) {
@@ -1236,7 +1233,7 @@ Index: b/ssh.1
1236=================================================================== 1233===================================================================
1237--- a/ssh.1 1234--- a/ssh.1
1238+++ b/ssh.1 1235+++ b/ssh.1
1239@@ -1402,6 +1402,7 @@ 1236@@ -1407,6 +1407,7 @@
1240 .Xr ssh-agent 1 , 1237 .Xr ssh-agent 1 ,
1241 .Xr ssh-keygen 1 , 1238 .Xr ssh-keygen 1 ,
1242 .Xr ssh-keyscan 1 , 1239 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1245,7 @@ Index: b/ssh.c
1248=================================================================== 1245===================================================================
1249--- a/ssh.c 1246--- a/ssh.c
1250+++ b/ssh.c 1247+++ b/ssh.c
1251@@ -1445,7 +1445,7 @@ 1248@@ -1476,7 +1476,7 @@
1252 static void 1249 static void
1253 load_public_identity_files(void) 1250 load_public_identity_files(void)
1254 { 1251 {
@@ -1257,7 +1254,7 @@ Index: b/ssh.c
1257 char *pwdir = NULL, *pwname = NULL; 1254 char *pwdir = NULL, *pwname = NULL;
1258 int i = 0; 1255 int i = 0;
1259 Key *public; 1256 Key *public;
1260@@ -1502,6 +1502,22 @@ 1257@@ -1533,6 +1533,22 @@
1261 public = key_load_public(filename, NULL); 1258 public = key_load_public(filename, NULL);
1262 debug("identity file %s type %d", filename, 1259 debug("identity file %s type %d", filename,
1263 public ? public->type : -1); 1260 public ? public->type : -1);
@@ -1284,7 +1281,7 @@ Index: b/ssh_config.5
1284=================================================================== 1281===================================================================
1285--- a/ssh_config.5 1282--- a/ssh_config.5
1286+++ b/ssh_config.5 1283+++ b/ssh_config.5
1287@@ -1146,6 +1146,23 @@ 1284@@ -1188,6 +1188,23 @@
1288 .Dq any . 1285 .Dq any .
1289 The default is 1286 The default is
1290 .Dq any:any . 1287 .Dq any:any .
@@ -1312,7 +1309,7 @@ Index: b/sshconnect2.c
1312=================================================================== 1309===================================================================
1313--- a/sshconnect2.c 1310--- a/sshconnect2.c
1314+++ b/sshconnect2.c 1311+++ b/sshconnect2.c
1315@@ -1488,6 +1488,8 @@ 1312@@ -1489,6 +1489,8 @@
1316 1313
1317 /* list of keys stored in the filesystem */ 1314 /* list of keys stored in the filesystem */
1318 for (i = 0; i < options.num_identity_files; i++) { 1315 for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,7 +1318,7 @@ Index: b/sshconnect2.c
1321 key = options.identity_keys[i]; 1318 key = options.identity_keys[i];
1322 if (key && key->type == KEY_RSA1) 1319 if (key && key->type == KEY_RSA1)
1323 continue; 1320 continue;
1324@@ -1581,7 +1583,7 @@ 1321@@ -1582,7 +1584,7 @@
1325 debug("Offering %s public key: %s", key_type(id->key), 1322 debug("Offering %s public key: %s", key_type(id->key),
1326 id->filename); 1323 id->filename);
1327 sent = send_pubkey_test(authctxt, id); 1324 sent = send_pubkey_test(authctxt, id);
@@ -1334,7 +1331,7 @@ Index: b/sshd.8
1334=================================================================== 1331===================================================================
1335--- a/sshd.8 1332--- a/sshd.8
1336+++ b/sshd.8 1333+++ b/sshd.8
1337@@ -945,6 +945,7 @@ 1334@@ -948,6 +948,7 @@
1338 .Xr ssh-agent 1 , 1335 .Xr ssh-agent 1 ,
1339 .Xr ssh-keygen 1 , 1336 .Xr ssh-keygen 1 ,
1340 .Xr ssh-keyscan 1 , 1337 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1343,7 @@ Index: b/sshd.c
1346=================================================================== 1343===================================================================
1347--- a/sshd.c 1344--- a/sshd.c
1348+++ b/sshd.c 1345+++ b/sshd.c
1349@@ -1576,6 +1576,11 @@ 1346@@ -1598,6 +1598,11 @@
1350 sensitive_data.host_keys[i] = NULL; 1347 sensitive_data.host_keys[i] = NULL;
1351 continue; 1348 continue;
1352 } 1349 }
@@ -1362,7 +1359,7 @@ Index: b/sshd_config.5
1362=================================================================== 1359===================================================================
1363--- a/sshd_config.5 1360--- a/sshd_config.5
1364+++ b/sshd_config.5 1361+++ b/sshd_config.5
1365@@ -792,6 +792,20 @@ 1362@@ -795,6 +795,20 @@
1366 Specifies whether password authentication is allowed. 1363 Specifies whether password authentication is allowed.
1367 The default is 1364 The default is
1368 .Dq yes . 1365 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 5f1caddc9..d5a7fe07a 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -7,7 +7,7 @@ Index: b/clientloop.c
7=================================================================== 7===================================================================
8--- a/clientloop.c 8--- a/clientloop.c
9+++ b/clientloop.c 9+++ b/clientloop.c
10@@ -547,16 +547,21 @@ 10@@ -545,16 +545,21 @@
11 static void 11 static void
12 server_alive_check(void) 12 server_alive_check(void)
13 { 13 {
@@ -38,7 +38,7 @@ Index: b/clientloop.c
38 } 38 }
39 39
40 /* 40 /*
41@@ -616,7 +621,7 @@ 41@@ -614,7 +619,7 @@
42 */ 42 */
43 43
44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1047,7 +1047,10 @@ 54@@ -1089,7 +1089,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 9b560217f..90ddca4ad 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -14,7 +14,7 @@ Index: b/log.c
14=================================================================== 14===================================================================
15--- a/log.c 15--- a/log.c
16+++ b/log.c 16+++ b/log.c
17@@ -90,6 +90,7 @@ 17@@ -92,6 +92,7 @@
18 LogLevel val; 18 LogLevel val;
19 } log_levels[] = 19 } log_levels[] =
20 { 20 {
@@ -26,10 +26,10 @@ Index: b/ssh.c
26=================================================================== 26===================================================================
27--- a/ssh.c 27--- a/ssh.c
28+++ b/ssh.c 28+++ b/ssh.c
29@@ -641,7 +641,7 @@ 29@@ -678,7 +678,7 @@
30 tty_flag = 0;
31 /* Do not allocate a tty if stdin is not a tty. */ 30 /* Do not allocate a tty if stdin is not a tty. */
32 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { 31 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
32 options.request_tty != REQUEST_TTY_FORCE) {
33- if (tty_flag) 33- if (tty_flag)
34+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) 34+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
35 logit("Pseudo-terminal will not be allocated because " 35 logit("Pseudo-terminal will not be allocated because "
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index fe2d99be0..01ba05526 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
24 24
25 #include "xmalloc.h" 25 #include "xmalloc.h"
26 #include "ssh.h" 26 #include "ssh.h"
27@@ -1085,8 +1087,7 @@ 27@@ -1131,8 +1133,7 @@
28 28
29 if (fstat(fileno(f), &sb) == -1) 29 if (fstat(fileno(f), &sb) == -1)
30 fatal("fstat %s: %s", filename, strerror(errno)); 30 fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,7 +38,7 @@ Index: b/ssh.1
38=================================================================== 38===================================================================
39--- a/ssh.1 39--- a/ssh.1
40+++ b/ssh.1 40+++ b/ssh.1
41@@ -1293,6 +1293,8 @@ 41@@ -1298,6 +1298,8 @@
42 .Xr ssh_config 5 . 42 .Xr ssh_config 5 .
43 Because of the potential for abuse, this file must have strict permissions: 43 Because of the potential for abuse, this file must have strict permissions:
44 read/write for the user, and not accessible by others. 44 read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1299,6 +1299,8 @@ 54@@ -1343,6 +1343,8 @@
55 This file is used by the SSH client. 55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions: 56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others. 57 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
64=================================================================== 64===================================================================
65--- a/auth.c 65--- a/auth.c
66+++ b/auth.c 66+++ b/auth.c
67@@ -392,8 +392,7 @@ 67@@ -380,8 +380,7 @@
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 69 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 70 (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 74 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 75 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 76 pw->pw_name, user_hostfile);
77@@ -454,8 +453,7 @@ 77@@ -442,8 +441,7 @@
78 78
79 /* check the open file to avoid races */ 79 /* check the open file to avoid races */
80 if (fstat(fileno(f), &st) < 0 || 80 if (fstat(fileno(f), &st) < 0 ||
@@ -84,9 +84,9 @@ Index: b/auth.c
84 snprintf(err, errlen, "bad ownership or modes for file %s", 84 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 85 buf);
86 return -1; 86 return -1;
87@@ -471,8 +469,7 @@ 87@@ -458,8 +456,7 @@
88 strlcpy(buf, cp, sizeof(buf));
88 89
89 debug3("secure_filename: checking '%s'", buf);
90 if (stat(buf, &st) < 0 || 90 if (stat(buf, &st) < 0 ||
91- (st.st_uid != 0 && st.st_uid != uid) || 91- (st.st_uid != 0 && st.st_uid != uid) ||
92- (st.st_mode & 022) != 0) { 92- (st.st_mode & 022) != 0) {
@@ -169,7 +169,7 @@ Index: b/misc.h
169=================================================================== 169===================================================================
170--- a/misc.h 170--- a/misc.h
171+++ b/misc.h 171+++ b/misc.h
172@@ -102,4 +102,6 @@ 172@@ -103,4 +103,6 @@
173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
175 175
diff --git a/debian/rules b/debian/rules
index eb895e0c3..ce56fdea4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -80,7 +80,6 @@ confflags += --disable-strip
80confflags += --with-mantype=doc 80confflags += --with-mantype=doc
81confflags += --with-4in6 81confflags += --with-4in6
82confflags += --with-privsep-path=/var/run/sshd 82confflags += --with-privsep-path=/var/run/sshd
83confflags += --without-rand-helper
84 83
85# The Hurd needs libcrypt for res_query et al. 84# The Hurd needs libcrypt for res_query et al.
86ifeq ($(DEB_HOST_ARCH_OS),hurd) 85ifeq ($(DEB_HOST_ARCH_OS),hurd)