32 files changed, 305 insertions, 1063 deletions
diff --git a/debian/changelog b/debian/changelog
index d349e6ef9..e792fc91b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,33 @@
-openssh (1:5.3p1-4) UNRELEASED; urgency=low
+openssh (1:5.4p1-1) UNRELEASED; urgency=low
+  * New upstream release (LP: #535029).
+    - After a transition period of about 10 years, this release disables SSH
+      protocol 1 by default.  Clients and servers that need to use the
+      legacy protocol must explicitly enable it in ssh_config / sshd_config
+      or on the command-line.
+    - Remove the libsectok/OpenSC-based smartcard code and add support for
+      PKCS#11 tokens.  This support is enabled by default in the Debian
+      packaging, since it now doesn't involve additional library
+      dependencies (closes: #231472, LP: #16918).
+    - Add support for certificate authentication of users and hosts using a
+      new, minimal OpenSSH certificate format (closes: #482806).
+    - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
+    - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
+      package, this overlaps with the key blacklisting facility added in
+      openssh 1:4.7p1-9, but with different file formats and slightly
+      different scopes; for the moment, I've roughly merged the two.)
+    - Various multiplexing improvements, including support for requesting
+      port-forwardings via the multiplex protocol (closes: #360151).
+    - Allow setting an explicit umask on the sftp-server(8) commandline to
+      override whatever default the user has (closes: #496843).
+    - Many sftp client improvements, including tab-completion, more options,
+      and recursive transfer support for get/put (LP: #33378).  The old
+      mget/mput commands never worked properly and have been removed
+      (closes: #270399, #428082).
+    - Do not prompt for a passphrase if we fail to open a keyfile, and log
+      the reason why the open failed to debug (closes: #431538).
+    - Prevent sftp from crashing when given a "-" without a command.  Also,
+      allow whitespace to follow a "-" (closes: #531561).
  * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
    patches apply with offsets.
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 34535f001..32b1dcc72 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -284,6 +284,7 @@
+@@ -285,6 +285,7 @@
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch
deleted file mode 100644
index fa7b08f23..000000000
--- a/debian/patches/banner-noslash.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Description: Don't duplicate backslashes when displaying server banner
-Origin: vendor, http://bugs.gentoo.org/show_bug.cgi?id=244222
-Author: Michał Górny <gentoo@mgorny.alt.pl>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1533
-Bug-Debian: http://bugs.debian.org/505378
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/425346
-Bug-Gentoo: http://bugs.gentoo.org/show_bug.cgi?id=244222
-Last-Update: 2010-02-27
-Index: b/sshconnect2.c
-===================================================================
--- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -472,7 +472,7 @@
-                if (len > 65536)
-                        len = 65536;
-                msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
-               strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
-+               strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
-                fprintf(stderr, "%s", msg);
-                xfree(msg);
-        }
diff --git a/debian/patches/config-guess-sub.patch b/debian/patches/config-guess-sub.patch
deleted file mode 100644
index aabe99b9e..000000000
--- a/debian/patches/config-guess-sub.patch
+++ /dev/null
@@ -1,387 +0,0 @@
-Description: Update config.guess and config.sub from autotools-dev 20090611.1
-From: Bradley Smith <bradsmith@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1722
-Bug-Debian: http://bugs.debian.org/538301
-Last-Update: 2010-03-01
-Index: b/config.guess
-===================================================================
--- a/config.guess
-+++ b/config.guess
-@@ -1,10 +1,10 @@
- #! /bin/sh
- # Attempt to guess a canonical system name.
- #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
- #   Free Software Foundation, Inc.
- 
-timestamp='2008-04-14'
-+timestamp='2009-06-10'
- 
- # This file is free software; you can redistribute it and/or modify it
- # under the terms of the GNU General Public License as published by
-@@ -170,7 +170,7 @@
-            arm*|i386|m68k|ns32k|sh3*|sparc|vax)
-                eval $set_cc_for_build
-                if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-                       | grep __ELF__ >/dev/null
-+                       | grep -q __ELF__
-                then
-                    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
-                    # Return netbsd for either.  FIX?
-@@ -324,6 +324,9 @@
-        case `/usr/bin/uname -p` in
-            sparc) echo sparc-icl-nx7; exit ;;
-        esac ;;
-+    s390x:SunOS:*:*)
-+       echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-+       exit ;;
-     sun4H:SunOS:5.*:*)
-        echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-        exit ;;
-@@ -331,7 +334,20 @@
-        echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-        exit ;;
-     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
-       echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-+       eval $set_cc_for_build
-+       SUN_ARCH="i386"
-+       # If there is a compiler, see if it is configured for 64-bit objects.
-+       # Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
-+       # This test works for both compilers.
-+       if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
-+           if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
-+               (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
-+               grep IS_64BIT_ARCH >/dev/null
-+           then
-+               SUN_ARCH="x86_64"
-+           fi
-+       fi
-+       echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-        exit ;;
-     sun4*:SunOS:6*:*)
-        # According to config.sub, this is the proper way to canonicalize
-@@ -640,7 +656,7 @@
-            # => hppa64-hp-hpux11.23
- 
-            if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
-               grep __LP64__ >/dev/null
-+               grep -q __LP64__
-            then
-                HP_ARCH="hppa2.0w"
-            else
-@@ -796,7 +812,7 @@
-            x86)
-                echo i586-pc-interix${UNAME_RELEASE}
-                exit ;;
-           EM64T | authenticamd)
-+           EM64T | authenticamd | genuineintel)
-                echo x86_64-unknown-interix${UNAME_RELEASE}
-                exit ;;
-            IA64)
-@@ -806,6 +822,9 @@
-     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-        echo i${UNAME_MACHINE}-pc-mks
-        exit ;;
-+    8664:Windows_NT:*)
-+       echo x86_64-pc-mks
-+       exit ;;
-     i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-        # How do we know it's Interix rather than the generic POSIX subsystem?
-        # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-@@ -866,40 +885,17 @@
-     m68*:Linux:*:*)
-        echo ${UNAME_MACHINE}-unknown-linux-gnu
-        exit ;;
-    mips:Linux:*:*)
-+    mips:Linux:*:* | mips64:Linux:*:*)
-        eval $set_cc_for_build
-        sed 's/^        //' << EOF >$dummy.c
-        #undef CPU
-       #undef mips
-       #undef mipsel
-+       #undef ${UNAME_MACHINE}
-+       #undef ${UNAME_MACHINE}el
-        #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-       CPU=mipsel
-+       CPU=${UNAME_MACHINE}el
-        #else
-        #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-       CPU=mips
-       #else
-       CPU=
-       #endif
-       #endif
-EOF
-       eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-           /^CPU/{
-               s: ::g
-               p
-           }'`"
-       test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-       ;;
-    mips64:Linux:*:*)
-       eval $set_cc_for_build
-       sed 's/^        //' << EOF >$dummy.c
-       #undef CPU
-       #undef mips64
-       #undef mips64el
-       #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-       CPU=mips64el
-       #else
-       #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-       CPU=mips64
-+       CPU=${UNAME_MACHINE}
-        #else
-        CPU=
-        #endif
-@@ -931,10 +927,13 @@
-          EV67)  UNAME_MACHINE=alphaev67 ;;
-          EV68*) UNAME_MACHINE=alphaev68 ;;
-         esac
-       objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
-+       objdump --private-headers /bin/sh | grep -q ld.so.1
-        if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-        echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-        exit ;;
-+    padre:Linux:*:*)
-+       echo sparc-unknown-linux-gnu
-+       exit ;;
-     parisc:Linux:*:* | hppa:Linux:*:*)
-        # Look for CPU level
-        case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-@@ -982,14 +981,6 @@
-          elf32-i386)
-                TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-                ;;
-         a.out-i386-linux)
-               echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-               exit ;;
-         "")
-               # Either a pre-BFD a.out linker (linux-gnuoldld) or
-               # one that does not give us useful --help.
-               echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-               exit ;;
-        esac
-        # Determine whether the default compiler is a.out or elf
-        eval $set_cc_for_build
-@@ -1055,7 +1046,7 @@
-     i*86:syllable:*:*)
-        echo ${UNAME_MACHINE}-pc-syllable
-        exit ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
-+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*)
-        echo i386-unknown-lynxos${UNAME_RELEASE}
-        exit ;;
-     i*86:*DOS:*:*)
-@@ -1099,8 +1090,11 @@
-     pc:*:*:*)
-        # Left here for compatibility:
-         # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-       echo i386-pc-msdosdjgpp
-+        # the processor, so we play safe by assuming i586.
-+       # Note: whatever this is, it MUST be the same as what config.sub
-+       # prints for the "djgpp" host, or else GDB configury will decide that
-+       # this is a cross-build.
-+       echo i586-pc-msdosdjgpp
-         exit ;;
-     Intel:Mach:3*:*)
-        echo i386-pc-mach3
-@@ -1138,6 +1132,16 @@
-     3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-         /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-           && { echo i486-ncr-sysv4; exit; } ;;
-+    NCR*:*:4.2:* | MPRAS*:*:4.2:*)
-+       OS_REL='.3'
-+       test -r /etc/.relid \
-+           && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
-+       /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-+           && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
-+       /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-+           && { echo i586-ncr-sysv4.3${OS_REL}; exit; }
-+       /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
-+           && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
-     m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-        echo m68k-unknown-lynxos${UNAME_RELEASE}
-        exit ;;
-@@ -1150,7 +1154,7 @@
-     rs6000:LynxOS:2.*:*)
-        echo rs6000-unknown-lynxos${UNAME_RELEASE}
-        exit ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
-+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
-        echo powerpc-unknown-lynxos${UNAME_RELEASE}
-        exit ;;
-     SM[BE]S:UNIX_SV:*:*)
-@@ -1324,6 +1328,9 @@
-     i*86:rdos:*:*)
-        echo ${UNAME_MACHINE}-pc-rdos
-        exit ;;
-+    i*86:AROS:*:*)
-+       echo ${UNAME_MACHINE}-pc-aros
-+       exit ;;
- esac
- 
- #echo '(No uname command or uname output not recognized.)' 1>&2
-Index: b/config.sub
-===================================================================
--- a/config.sub
-+++ b/config.sub
-@@ -1,10 +1,10 @@
- #! /bin/sh
- # Configuration validation subroutine script.
- #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
-+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
- #   Free Software Foundation, Inc.
- 
-timestamp='2008-06-16'
-+timestamp='2009-06-11'
- 
- # This file is (in principle) common to ALL GNU software.
- # The presence of a machine in this file suggests that SOME GNU software
-@@ -122,6 +122,7 @@
- case $maybe_os in
-   nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
-   uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
-+  kopensolaris*-gnu* | \
-   storm-chaos* | os2-emx* | rtmk-nova*)
-     os=-$maybe_os
-     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-@@ -152,6 +153,9 @@
-                os=
-                basic_machine=$1
-                ;;
-+        -bluegene*)
-+               os=-cnk
-+               ;;
-        -sim | -cisco | -oki | -wec | -winbond)
-                os=
-                basic_machine=$1
-@@ -249,6 +253,7 @@
-        | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-        | i370 | i860 | i960 | ia64 \
-        | ip2k | iq2000 \
-+       | lm32 \
-        | m32c | m32r | m32rle | m68000 | m68k | m88k \
-        | maxq | mb | microblaze | mcore | mep | metag \
-        | mips | mipsbe | mipseb | mipsel | mipsle \
-@@ -270,6 +275,7 @@
-        | mipsisa64sr71k | mipsisa64sr71kel \
-        | mipstx39 | mipstx39el \
-        | mn10200 | mn10300 \
-+       | moxie \
-        | mt \
-        | msp430 \
-        | nios | nios2 \
-@@ -279,7 +285,7 @@
-        | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
-        | pyramid \
-        | score \
-       | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
-+       | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
-        | sh64 | sh64le \
-        | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
-        | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
-@@ -288,7 +294,7 @@
-        | v850 | v850e \
-        | we32k \
-        | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
-       | z8k)
-+       | z8k | z80)
-                basic_machine=$basic_machine-unknown
-                ;;
-        m6811 | m68hc11 | m6812 | m68hc12)
-@@ -331,6 +337,7 @@
-        | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-        | i*86-* | i860-* | i960-* | ia64-* \
-        | ip2k-* | iq2000-* \
-+       | lm32-* \
-        | m32c-* | m32r-* | m32rle-* \
-        | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-        | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
-@@ -362,7 +369,7 @@
-        | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
-        | pyramid-* \
-        | romp-* | rs6000-* \
-       | sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
-+       | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
-        | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-        | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
-        | sparclite-* \
-@@ -375,7 +382,7 @@
-        | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
-        | xstormy16-* | xtensa*-* \
-        | ymp-* \
-       | z8k-*)
-+       | z8k-* | z80-*)
-                ;;
-        # Recognize the basic CPU types without company name, with glob match.
-        xtensa*)
-@@ -443,6 +450,10 @@
-                basic_machine=m68k-apollo
-                os=-bsd
-                ;;
-+       aros)
-+               basic_machine=i386-pc
-+               os=-aros
-+               ;;
-        aux)
-                basic_machine=m68k-apple
-                os=-aux
-@@ -459,6 +470,10 @@
-                basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
-                os=-linux
-                ;;
-+       bluegene*)
-+               basic_machine=powerpc-ibm
-+               os=-cnk
-+               ;;
-        c90)
-                basic_machine=c90-cray
-                os=-unicos
-@@ -1140,6 +1155,10 @@
-                basic_machine=z8k-unknown
-                os=-sim
-                ;;
-+       z80-*-coff)
-+               basic_machine=z80-unknown
-+               os=-sim
-+               ;;
-        none)
-                basic_machine=none-none
-                os=-none
-@@ -1178,7 +1197,7 @@
-        we32k)
-                basic_machine=we32k-att
-                ;;
-       sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
-+       sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
-                basic_machine=sh-unknown
-                ;;
-        sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
-@@ -1248,10 +1267,11 @@
-        # Each alternative MUST END IN A *, to match a version number.
-        # -sysv* is not here because it comes later, after sysvr4.
-        -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-             | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
-+             | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
-              | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-+             | -kopensolaris* \
-              | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-             | -aos* \
-+             | -aos* | -aros* \
-              | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
-              | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-              | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
-@@ -1600,7 +1620,7 @@
-                        -sunos*)
-                                vendor=sun
-                                ;;
-                       -aix*)
-+                       -cnk*|-aix*)
-                                vendor=ibm
-                                ;;
-                        -beos*)
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index a9b38e281..c0567f264 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,15 +10,15 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -132,6 +132,7 @@
+@@ -135,6 +135,7 @@
-        options->adm_forced_command = NULL;
-        options->chroot_directory = NULL;
        options->zero_knowledge_password_authentication = -1;
+        options->revoked_keys_file = NULL;
+        options->trusted_user_ca_keys = NULL;
 +       options->debian_banner = -1;
 }
 
 void
-@@ -273,6 +274,8 @@
+@@ -277,6 +278,8 @@
                options->permit_tun = SSH_TUNMODE_NO;
        if (options->zero_knowledge_password_authentication == -1)
                options->zero_knowledge_password_authentication = 0;
@@ -27,25 +27,25 @@ Index: b/servconf.c
 
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-@@ -320,6 +323,7 @@
+@@ -325,6 +328,7 @@
-        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
-        sZeroKnowledgePasswordAuthentication,
+        sZeroKnowledgePasswordAuthentication, sHostCertificate,
+        sRevokedKeys, sTrustedUserCAKeys,
 +       sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -449,6 +453,7 @@
+@@ -457,6 +461,7 @@
-        { "permitopen", sPermitOpen, SSHCFG_ALL },
+        { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
-        { "forcecommand", sForceCommand, SSHCFG_ALL },
+        { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
-        { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+        { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
 
-@@ -1335,6 +1340,10 @@
+@@ -1377,6 +1382,10 @@
-                        *charptr = xstrdup(arg);
+                charptr = &options->revoked_keys_file;
-                break;
+                goto parse_filename;
 
 +       case sDebianBanner:
 +               intptr = &options->debian_banner;
@@ -58,20 +58,20 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -154,6 +154,8 @@
+@@ -157,6 +157,8 @@
 
        int     num_permitted_opens;
 
 +       int     debian_banner;
 +
        char   *chroot_directory;
- }       ServerOptions;
+        char   *revoked_keys_file;
- 
+        char   *trusted_user_ca_keys;
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -426,7 +426,8 @@
+@@ -422,7 +422,8 @@
                minor = PROTOCOL_MINOR_1;
        }
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 3c8bbb0a4..a395d43a0 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
 ===================================================================
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1150,7 +1150,7 @@
+@@ -1152,7 +1152,7 @@
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -49,10 +49,10 @@ Index: b/ssh_config
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
-@@ -46,3 +47,7 @@
+@@ -47,3 +48,7 @@
- #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 +    SendEnv LANG LC_*
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
@@ -98,7 +98,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -38,6 +38,7 @@
+@@ -36,6 +36,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
diff --git a/debian/patches/doc-connection-sharing.patch b/debian/patches/doc-connection-sharing.patch
index b53e95d34..759f86b30 100644
--- a/debian/patches/doc-connection-sharing.patch
+++ b/debian/patches/doc-connection-sharing.patch
@@ -9,7 +9,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -559,7 +559,10 @@
+@@ -563,7 +563,10 @@
 the listen port will be dynamically allocated on the server and reported
 to the client at run time.
 .It Fl S Ar ctl_path
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 400415511..96bbf3a09 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -7,7 +7,7 @@ Index: b/contrib/gnome-ssh-askpass2.c
 ===================================================================
 --- a/contrib/gnome-ssh-askpass2.c
 +++ b/contrib/gnome-ssh-askpass2.c
-@@ -207,6 +207,8 @@
+@@ -209,6 +209,8 @@
 
        gtk_init(&argc, &argv);
 
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 0ae7d0129..5ef959de7 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1372,6 +1372,9 @@
+@@ -1378,6 +1378,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -18,8 +18,8 @@ Index: b/config.h.in
 #undef USE_LIBEDIT
 
 @@ -1390,6 +1393,9 @@
- /* Define if you want smartcard support using sectok */
+ /* Use PIPES instead of a socketpair() */
- #undef USE_SECTOK
+ #undef USE_PIPES
 
 +/* platform has the Security Authorization Session API */
 +#undef USE_SECURITY_SESSION_API
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
index b97ce9afd..369a23360 100644
--- a/debian/patches/gssapi-compat.patch
+++ b/debian/patches/gssapi-compat.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -375,16 +375,20 @@
+@@ -380,16 +380,20 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
index 14856e544..9ed033359 100644
--- a/debian/patches/gssapi-dump.patch
+++ b/debian/patches/gssapi-dump.patch
@@ -11,7 +11,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -1624,7 +1624,10 @@
+@@ -1668,7 +1668,10 @@
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 6550ba60b..5c1b83415 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -127,17 +127,16 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -71,7 +71,8 @@
+@@ -74,7 +74,7 @@
-        atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
        monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
-        kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
+        kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
-       entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o
+        entropy.o gss-genr.o umac.o jpake.o schnorr.o \
-+       entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \
+-       ssh-pkcs11.o
-+       kexgssc.o
+       ssh-pkcs11.o kexgssc.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-@@ -85,7 +86,7 @@
+@@ -88,7 +88,7 @@
        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
        auth-krb5.o \
@@ -145,12 +144,12 @@ Index: b/Makefile.in
 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
        audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
-        roaming_common.o
+        roaming_common.o roaming_serv.o
 Index: b/auth-krb5.c
 ===================================================================
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
-@@ -166,8 +166,13 @@
+@@ -170,8 +170,13 @@
 
        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
@@ -164,7 +163,7 @@ Index: b/auth-krb5.c
 
 #ifdef USE_PAM
        if (options.use_pam)
-@@ -219,15 +224,22 @@
+@@ -226,15 +231,22 @@
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -189,7 +188,7 @@ Index: b/auth-krb5.c
        old_umask = umask(0177);
        tmpfd = mkstemp(ccname + strlen("FILE:"));
        umask(old_umask);
-@@ -242,6 +254,7 @@
+@@ -249,6 +261,7 @@
                return errno;
        }
        close(tmpfd);
@@ -365,7 +364,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1430,6 +1434,15 @@
+@@ -1431,6 +1435,15 @@
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -1212,9 +1211,9 @@ Index: b/kex.c
 ===================================================================
 --- a/kex.c
 +++ b/kex.c
-@@ -49,6 +49,10 @@
+@@ -50,6 +50,10 @@
- #include "dispatch.h"
 #include "monitor.h"
+ #include "roaming.h"
 
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@@ -1223,7 +1222,7 @@ Index: b/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -325,6 +329,20 @@
+@@ -326,6 +330,20 @@
                k->kex_type = KEX_DH_GEX_SHA256;
                k->evp_md = evp_ssh_sha256();
 #endif
@@ -1248,7 +1247,7 @@ Index: b/kex.h
 ===================================================================
 --- a/kex.h
 +++ b/kex.h
-@@ -66,6 +66,9 @@
+@@ -67,6 +67,9 @@
        KEX_DH_GRP14_SHA1,
        KEX_DH_GEX_SHA1,
        KEX_DH_GEX_SHA256,
@@ -1258,7 +1257,7 @@ Index: b/kex.h
        KEX_MAX
 };
 
-@@ -121,6 +124,12 @@
+@@ -123,6 +126,12 @@
        sig_atomic_t done;
        int     flags;
        const EVP_MD *evp_md;
@@ -1271,7 +1270,7 @@ Index: b/kex.h
        char    *client_version_string;
        char    *server_version_string;
        int     (*verify_host_key)(Key *);
-@@ -143,6 +152,11 @@
+@@ -146,6 +155,11 @@
 void    kexgex_client(Kex *);
 void    kexgex_server(Kex *);
 
@@ -1919,10 +1918,10 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -764,6 +764,8 @@
+@@ -969,6 +969,8 @@
-                return KEY_RSA;
+                return KEY_RSA_CERT;
-        } else if (strcmp(name, "ssh-dss") == 0) {
+        } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
-                return KEY_DSA;
+                return KEY_DSA_CERT;
 +       } else if (strcmp(name, "null") == 0) {
 +               return KEY_NULL;
        }
@@ -1932,10 +1931,10 @@ Index: b/key.h
 ===================================================================
 --- a/key.h
 +++ b/key.h
-@@ -34,6 +34,7 @@
+@@ -37,6 +37,7 @@
-        KEY_RSA1,
-        KEY_RSA,
        KEY_DSA,
+        KEY_RSA_CERT,
+        KEY_DSA_CERT,
 +       KEY_NULL,
        KEY_UNSPEC
 };
@@ -1996,7 +1995,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1706,6 +1723,13 @@
+@@ -1691,6 +1708,13 @@
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
@@ -2010,7 +2009,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -1911,6 +1935,9 @@
+@@ -1897,6 +1921,9 @@
        OM_uint32 major;
        u_int len;
 
@@ -2020,7 +2019,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -1938,6 +1965,9 @@
+@@ -1924,6 +1951,9 @@
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2030,7 +2029,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -1955,6 +1985,7 @@
+@@ -1941,6 +1971,7 @@
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2038,7 +2037,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -1966,6 +1997,9 @@
+@@ -1952,6 +1983,9 @@
        OM_uint32 ret;
        u_int len;
 
@@ -2048,7 +2047,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -1992,7 +2026,11 @@
+@@ -1978,7 +2012,11 @@
 {
        int authenticated;
 
@@ -2061,7 +2060,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2005,6 +2043,74 @@
+@@ -1991,6 +2029,74 @@
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2153,7 +2152,7 @@ Index: b/monitor_wrap.c
 ===================================================================
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1248,7 +1248,7 @@
+@@ -1231,7 +1231,7 @@
 }
 
 int
@@ -2162,7 +2161,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
        int authenticated = 0;
-@@ -1265,6 +1265,51 @@
+@@ -1248,6 +1248,51 @@
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
@@ -2261,7 +2260,7 @@ Index: b/readconf.c
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -454,10 +463,26 @@
+@@ -456,10 +465,26 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2288,7 +2287,7 @@ Index: b/readconf.c
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1013,7 +1038,11 @@
+@@ -1015,7 +1040,11 @@
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2300,7 +2299,7 @@ Index: b/readconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1105,8 +1134,14 @@
+@@ -1107,8 +1136,14 @@
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2335,7 +2334,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -92,7 +92,10 @@
+@@ -93,7 +93,10 @@
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2346,7 +2345,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -210,8 +213,14 @@
+@@ -214,8 +217,14 @@
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2361,7 +2360,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -302,7 +311,9 @@
+@@ -306,7 +315,9 @@
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,8 +2370,8 @@ Index: b/servconf.c
 +       sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
-        sZeroKnowledgePasswordAuthentication,
+        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -364,9 +375,15 @@
+@@ -369,9 +380,15 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2388,7 +2387,7 @@ Index: b/servconf.c
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -891,10 +908,22 @@
+@@ -925,10 +942,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2415,7 +2414,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -91,7 +91,10 @@
+@@ -94,7 +94,10 @@
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2588,7 +2587,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -105,9 +105,34 @@
+@@ -106,9 +106,34 @@
 {
        Kex *kex;
 
@@ -2623,7 +2622,7 @@ Index: b/sshconnect2.c
        if (options.ciphers == (char *)-1) {
                logit("No valid ciphers for protocol version 2 given, using defaults.");
                options.ciphers = NULL;
-@@ -135,6 +160,17 @@
+@@ -136,6 +161,17 @@
                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                    options.hostkeyalgorithms;
 
@@ -2641,7 +2640,7 @@ Index: b/sshconnect2.c
        if (options.rekey_limit)
                packet_set_rekey_limit((u_int32_t)options.rekey_limit);
 
-@@ -144,10 +180,26 @@
+@@ -145,10 +181,26 @@
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
@@ -2668,7 +2667,7 @@ Index: b/sshconnect2.c
        xxx_kex = kex;
 
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -236,6 +288,7 @@
+@@ -243,6 +295,7 @@
 void   input_gssapi_hash(int type, u_int32_t, void *);
 void   input_gssapi_error(int, u_int32_t, void *);
 void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2676,7 +2675,7 @@ Index: b/sshconnect2.c
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -251,6 +304,11 @@
+@@ -258,6 +311,11 @@
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2688,7 +2687,7 @@ Index: b/sshconnect2.c
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -542,19 +600,29 @@
+@@ -564,19 +622,29 @@
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2720,7 +2719,7 @@ Index: b/sshconnect2.c
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -651,8 +719,8 @@
+@@ -673,8 +741,8 @@
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2731,7 +2730,7 @@ Index: b/sshconnect2.c
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -762,6 +830,48 @@
+@@ -784,6 +852,48 @@
        xfree(msg);
        xfree(lang);
 }
@@ -2795,7 +2794,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1531,10 +1535,13 @@
+@@ -1577,10 +1581,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2809,7 +2808,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1818,6 +1825,60 @@
+@@ -1909,6 +1916,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2870,7 +2869,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2195,12 +2256,61 @@
+@@ -2287,12 +2348,61 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -2936,7 +2935,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -73,6 +73,8 @@
+@@ -71,6 +71,8 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
diff --git a/debian/patches/hurd-epfnosupport.patch b/debian/patches/hurd-epfnosupport.patch
index b8ae070f7..e06b46309 100644
--- a/debian/patches/hurd-epfnosupport.patch
+++ b/debian/patches/hurd-epfnosupport.patch
@@ -9,7 +9,7 @@ Index: b/channels.c
 ===================================================================
 --- a/channels.c
 +++ b/channels.c
-@@ -3098,7 +3098,11 @@
+@@ -3252,7 +3252,11 @@
                        sock = socket(ai->ai_family, ai->ai_socktype,
                            ai->ai_protocol);
                        if (sock < 0) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 1bfc9c798..55d07e0d6 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -26,7 +26,7 @@ Index: b/readconf.c
        oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -246,6 +247,8 @@
+@@ -248,6 +249,8 @@
 #else
        { "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
@@ -35,7 +35,7 @@ Index: b/readconf.c
 
        { NULL, oBadOption }
 };
-@@ -845,6 +848,8 @@
+@@ -847,6 +850,8 @@
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1233,8 +1238,13 @@
+@@ -1235,8 +1240,13 @@
                options->rekey_limit = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -946,8 +950,15 @@
+@@ -967,8 +971,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -92,10 +92,10 @@ Index: b/ssh_config.5
 +and
 +.Cm SetupTimeOut
 +are Debian-specific compatibility aliases for this option.
- .It Cm SmartcardDevice
+ .It Cm StrictHostKeyChecking
- Specifies which smartcard device to use.
+ If this flag is set to
- The argument to this keyword is the device
+ .Dq yes ,
-@@ -993,6 +1004,12 @@
+@@ -1007,6 +1018,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,13 +112,13 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -919,6 +919,9 @@
+@@ -936,6 +936,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
 +.Pp
 +This option was formerly called
 +.Cm KeepAlive .
- .It Cm UseDNS
+ .It Cm TrustedUserCAKeys
- Specifies whether
+ Specifies a file containing public keys of certificate authorities that are
- .Xr sshd 8
+ trusted to sign user certificates for authentication.
diff --git a/debian/patches/keyfile-debug.patch b/debian/patches/keyfile-debug.patch
deleted file mode 100644
index 2e5f209f3..000000000
--- a/debian/patches/keyfile-debug.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: Output a debug if we can't open an existing keyfile
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/5873
-Author: Darren Tucker <dtucker@zip.com.au>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1694
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/505301
-Last-Update: 2010-02-27
-Index: b/auth.c
-===================================================================
--- a/auth.c
-+++ b/auth.c
-@@ -516,8 +516,12 @@
-         * Open the file containing the authorized keys
-         * Fail quietly if file does not exist
-         */
-       if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
-+       if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
-+               if (errno != ENOENT)
-+                       debug("Could not open keyfile '%s': %s", file,
-+                          strerror(errno));
-                return NULL;
-+       }
- 
-        if (fstat(fd, &st) < 0) {
-                close(fd);
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index abfad4509..3afddb70e 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -7,8 +7,8 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -293,9 +293,9 @@
+@@ -295,9 +295,9 @@
-        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
        -rm -f $(DESTDIR)$(bindir)/slogin
 -       ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/no-constraint-fallback.patch b/debian/patches/no-constraint-fallback.patch
deleted file mode 100644
index dc01085cb..000000000
--- a/debian/patches/no-constraint-fallback.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Description: ssh-add: Don't discard constraints when agent refuses request
- This was a useful migration measure back in 2002 when constraints were new,
- but just adds risk now.
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/5777
-Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1612
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/209447
-Last-Update: 2010-02-28
-Index: b/authfd.c
-===================================================================
--- a/authfd.c
-+++ b/authfd.c
-@@ -545,12 +545,6 @@
-        return decode_reply(type);
- }
- 
-int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
-{
-       return ssh_add_identity_constrained(auth, key, comment, 0, 0);
-}
-
- /*
-  * Removes an identity from the authentication server.  This call is not
-  * meant to be used by normal applications.
-Index: b/authfd.h
-===================================================================
--- a/authfd.h
-+++ b/authfd.h
-@@ -75,7 +75,6 @@
- int     ssh_get_num_identities(AuthenticationConnection *, int);
- Key    *ssh_get_first_identity(AuthenticationConnection *, char **, int);
- Key    *ssh_get_next_identity(AuthenticationConnection *, char **, int);
-int     ssh_add_identity(AuthenticationConnection *, Key *, const char *);
- int     ssh_add_identity_constrained(AuthenticationConnection *, Key *,
-     const char *, u_int, u_int);
- int     ssh_remove_identity(AuthenticationConnection *, Key *);
-Index: b/ssh-add.c
-===================================================================
--- a/ssh-add.c
-+++ b/ssh-add.c
-@@ -203,9 +203,6 @@
-                if (confirm != 0)
-                        fprintf(stderr,
-                            "The user has to confirm each use of the key\n");
-       } else if (ssh_add_identity(ac, private, comment)) {
-               fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
-               ret = 0;
-        } else {
-                fprintf(stderr, "Could not add identity: %s\n", filename);
-        }
diff --git a/debian/patches/oom-adjust.patch b/debian/patches/oom-adjust.patch
deleted file mode 100644
index ce79053f7..000000000
--- a/debian/patches/oom-adjust.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-Description: Disable the Linux kernel's OOM-killer for the sshd parent
-Author: Vaclav Ovsik <vaclav.ovsik@i.cz>
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1470
-Bug-Debian: http://bugs.debian.org/480020
-Last-Update: 2010-02-27
-Index: b/config.h.in
-===================================================================
--- a/config.h.in
-+++ b/config.h.in
-@@ -1238,6 +1238,9 @@
- /* Define if X11 doesn't support AF_UNIX sockets on that system */
- #undef NO_X11_UNIX_SOCKETS
- 
-+/* Adjust Linux out-of-memory killer */
-+#undef OOM_ADJUST
-+
- /* Define if EVP_DigestUpdate returns void */
- #undef OPENSSL_EVP_DIGESTUPDATE_VOID
- 
-Index: b/configure
-===================================================================
--- a/configure
-+++ b/configure
-@@ -8369,6 +8369,11 @@
- _ACEOF
- 
-        fi
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define OOM_ADJUST 1
-+_ACEOF
-+
-        ;;
- mips-sony-bsd|mips-sony-newsos4)
- 
-Index: b/configure.ac
-===================================================================
--- a/configure.ac
-+++ b/configure.ac
-@@ -630,6 +630,7 @@
-                AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
-                    [Prepend the address family to IP tunnel traffic])
-        fi
-+       AC_DEFINE(OOM_ADJUST, 1, [Adjust Linux out-of-memory killer])
-        ;;
- mips-sony-bsd|mips-sony-newsos4)
-        AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
-Index: b/openbsd-compat/port-linux.c
-===================================================================
--- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -18,7 +18,7 @@
-  */
- 
- /*
- * Linux-specific portability code - just SELinux support at present
-+ * Linux-specific portability code
-  */
- 
- #include "includes.h"
-@@ -27,6 +27,15 @@
- #include <stdarg.h>
- #include <string.h>
- 
-+#ifdef OOM_ADJUST
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#endif
-+
-+#include "log.h"
-+
- #ifdef WITH_SELINUX
- #include "key.h"
- #include "hostfile.h"
-@@ -34,7 +43,6 @@
- #ifdef HAVE_GETSEUSERBYNAME
- #include "xmalloc.h"
- #endif
-#include "log.h"
- #include "port-linux.h"
- 
- #include <selinux/selinux.h>
-@@ -186,3 +194,47 @@
-        debug3("%s: done", __func__);
- }
- #endif /* WITH_SELINUX */
-+
-+#ifdef OOM_ADJUST
-+/* Get the out-of-memory adjustment file for the current process */
-+static int
-+oom_adj_open(int oflag)
-+{
-+       int fd = open("/proc/self/oom_adj", oflag);
-+       if (fd < 0)
-+               logit("error opening /proc/self/oom_adj: %s", strerror(errno));
-+       return fd;
-+}
-+
-+/* Get the current OOM adjustment */
-+int
-+oom_adj_get(char *buf, size_t maxlen)
-+{
-+       ssize_t n;
-+       int fd = oom_adj_open(O_RDONLY);
-+       if (fd < 0)
-+               return -1;
-+       n = read(fd, buf, maxlen);
-+       if (n < 0)
-+               logit("error reading /proc/self/oom_adj: %s", strerror(errno));
-+       else
-+               buf[n] = '\0';
-+       close(fd);
-+       return n < 0 ? -1 : 0;
-+}
-+
-+/* Set the current OOM adjustment */
-+int
-+oom_adj_set(const char *buf)
-+{
-+       ssize_t n;
-+       int fd = oom_adj_open(O_WRONLY);
-+       if (fd < 0)
-+               return -1;
-+       n = write(fd, buf, strlen(buf));
-+       if (n < 0)
-+               logit("error writing /proc/self/oom_adj: %s", strerror(errno));
-+       close(fd);
-+       return n < 0 ? -1 : 0;
-+}
-+#endif
-Index: b/openbsd-compat/port-linux.h
-===================================================================
--- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -25,4 +25,9 @@
- void ssh_selinux_setup_exec_context(char *);
- #endif
- 
-+#ifdef OOM_ADJUST
-+int oom_adj_get(char *buf, size_t maxlen);
-+int oom_adj_set(const char *buf);
-+#endif
-+
- #endif /* ! _PORT_LINUX_H */
-Index: b/sshd.c
-===================================================================
--- a/sshd.c
-+++ b/sshd.c
-@@ -254,6 +254,11 @@
- /* Unprivileged user */
- struct passwd *privsep_pw = NULL;
- 
-+#ifdef OOM_ADJUST
-+/* Linux out-of-memory killer adjustment */
-+static char oom_adj_save[8];
-+#endif
-+
- /* Prototypes for various functions defined later in this file. */
- void destroy_sensitive_data(void);
- void demote_sensitive_data(void);
-@@ -908,6 +913,31 @@
-        debug3("%s: done", __func__);
- }
- 
-+#ifdef OOM_ADJUST
-+/*
-+ * If requested in the environment, tell the Linux kernel's out-of-memory
-+ * killer to avoid sshd. The old state will be restored when forking child
-+ * processes.
-+ */
-+static void
-+oom_adjust_startup(void)
-+{
-+       const char *oom_adj = getenv("SSHD_OOM_ADJUST");
-+
-+       if (!oom_adj || !*oom_adj)
-+               return;
-+       oom_adj_get(oom_adj_save, sizeof(oom_adj_save));
-+       oom_adj_set(oom_adj);
-+}
-+
-+static void
-+oom_restore(void)
-+{
-+       if (oom_adj_save[0])
-+               oom_adj_set(oom_adj_save);
-+}
-+#endif
-+
- /* Accept a connection from inetd */
- static void
- server_accept_inetd(int *sock_in, int *sock_out)
-@@ -1670,6 +1700,11 @@
-        /* ignore SIGPIPE */
-        signal(SIGPIPE, SIG_IGN);
- 
-+#ifdef OOM_ADJUST
-+       /* Adjust out-of-memory killer */
-+       oom_adjust_startup();
-+#endif
-+
-        /* Get a connection, either from inetd or a listening TCP socket */
-        if (inetd_flag) {
-                server_accept_inetd(&sock_in, &sock_out);
-@@ -1708,6 +1743,10 @@
-        /* This is the child processing a new connection. */
-        setproctitle("%s", "[accepted]");
- 
-+#ifdef OOM_ADJUST
-+       oom_restore();
-+#endif
-+
-        /*
-         * Create a new session and process group since the 4.4BSD
-         * setlogin() affects the entire process group.  We don't
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index f34a7f7e2..e98938c15 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -137,9 +137,7 @@
+@@ -145,9 +145,7 @@
 .Pa ~/.ssh/id_dsa
 or
 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -282,9 +280,7 @@
+@@ -368,9 +366,7 @@
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -749,6 +749,10 @@
+@@ -764,6 +764,10 @@
 .Sx HISTORY
 section of
 .Xr ssl 8
@@ -75,7 +75,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -69,7 +69,7 @@
+@@ -70,7 +70,7 @@
 .Nm
 listens for connections from clients.
 It is normally started at boot from
@@ -84,7 +84,7 @@ Index: b/sshd.8
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -781,7 +781,7 @@
+@@ -838,7 +838,7 @@
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -93,7 +93,7 @@ Index: b/sshd.8
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
-@@ -877,7 +877,6 @@
+@@ -934,7 +934,6 @@
 .Xr ssh-vulnkey 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 939b9adca..b1162bfec 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -537,7 +537,7 @@
+@@ -542,7 +542,7 @@
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
            compat20 ? PROTOCOL_MINOR_2 : minor1,
@@ -24,7 +24,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -426,7 +426,7 @@
+@@ -422,7 +422,7 @@
                minor = PROTOCOL_MINOR_1;
        }
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_5.3"
+ #define SSH_VERSION    "OpenSSH_5.4"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 79bbfe7a9..572a6e67c 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1526,8 +1526,10 @@
+@@ -1529,8 +1529,10 @@
                exit_status = 0;
        }
 
diff --git a/debian/patches/selinux-autoconf.patch b/debian/patches/selinux-autoconf.patch
deleted file mode 100644
index 9ac4cd435..000000000
--- a/debian/patches/selinux-autoconf.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Description: Fix seusers detection at configure time
- configure didn't add -lselinux to LIBS before it checked for the existence
- of getseuserbyname and get_default_context_with_level.  This resulted in
- seusers configuration not being handled correctly.  Most policies use the
- seusers feature, and without it login security contexts will not be
- correct.
-Author: Caleb Case <calebcase@gmail.com>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1713
-Bug-Debian: http://bugs.debian.org/465614
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/188136
-Reviewed-by: Colin Watson <cjwatson@debian.org>
-Last-Update: 2010-02-27
-Index: b/configure
-===================================================================
--- a/configure
-+++ b/configure
-@@ -28011,6 +28011,8 @@
- $as_echo "$ac_cv_lib_selinux_setexeccon" >&6; }
- if test $ac_cv_lib_selinux_setexeccon = yes; then
-    LIBSELINUX="-lselinux"
-+                         LIBS="$LIBS -lselinux"
-+
- else
-   { { $as_echo "$as_me:$LINENO: error: SELinux support requires libselinux library" >&5
- $as_echo "$as_me: error: SELinux support requires libselinux library" >&2;}
-Index: b/configure.ac
-===================================================================
--- a/configure.ac
-+++ b/configure.ac
-@@ -3422,9 +3422,12 @@
-                AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
-                SELINUX_MSG="yes"
-                AC_CHECK_HEADER([selinux/selinux.h], ,
-                   AC_MSG_ERROR(SELinux support requires selinux.h header))
-               AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
-                   AC_MSG_ERROR(SELinux support requires libselinux library))
-+                       AC_MSG_ERROR(SELinux support requires selinux.h header))
-+               AC_CHECK_LIB(selinux, setexeccon,
-+                       [ LIBSELINUX="-lselinux"
-+                         LIBS="$LIBS -lselinux"
-+                       ],
-+                       AC_MSG_ERROR(SELinux support requires libselinux library))
-                SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-                AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
-                LIBS="$save_LIBS"
diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch
index 7b3fdac1a..03942392b 100644
--- a/debian/patches/selinux-fix-chroot-directory.patch
+++ b/debian/patches/selinux-fix-chroot-directory.patch
@@ -12,9 +12,9 @@ Index: b/session.c
 ===================================================================
 --- a/session.c
 +++ b/session.c
-@@ -1522,6 +1522,10 @@
+@@ -1551,6 +1551,10 @@
- # endif /* USE_LIBIAF */
+                }
- #endif
+ #endif /* HAVE_SETPCRED */
 
 +#ifdef WITH_SELINUX
 +               ssh_selinux_setup_exec_context(pw->pw_name);
@@ -23,7 +23,7 @@ Index: b/session.c
                if (options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
                         tmp = tilde_expand_filename(options.chroot_directory,
-@@ -1550,10 +1554,6 @@
+@@ -1575,10 +1579,6 @@
 
        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index ab343b083..8a7e7c687 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
 {
        Buffer m;
 
-@@ -291,11 +291,29 @@
+@@ -291,12 +291,30 @@
        buffer_init(&m);
        buffer_put_cstring(&m, service);
        buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
 
        buffer_free(&m);
 }
-+
+ 
 +/* Inform the privileged process about role */
 +
 +void
@@ -213,9 +213,10 @@ Index: b/monitor_wrap.c
 +
 +       buffer_free(&m);
 +}
- 
+
 /* Do the password authentication */
 int
+ mm_auth_password(Authctxt *authctxt, char *password)
 Index: b/monitor_wrap.h
 ===================================================================
 --- a/monitor_wrap.h
@@ -234,20 +235,20 @@ Index: b/openbsd-compat/port-linux.c
 ===================================================================
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -28,6 +28,12 @@
+@@ -29,6 +29,12 @@
 #include <string.h>
+ #include <stdio.h>
 
- #ifdef WITH_SELINUX
+#ifdef WITH_SELINUX
 +#include "key.h"
 +#include "hostfile.h"
 +#include "auth.h"
-+#ifdef HAVE_GETSEUSERBYNAME
-+#include "xmalloc.h"
 +#endif
+
 #include "log.h"
+ #include "xmalloc.h"
 #include "port-linux.h"
- 
+@@ -38,6 +44,8 @@
-@@ -35,6 +41,8 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
@@ -256,7 +257,7 @@ Index: b/openbsd-compat/port-linux.c
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
-@@ -53,8 +61,8 @@
+@@ -56,8 +64,8 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
@@ -267,7 +268,7 @@ Index: b/openbsd-compat/port-linux.c
        int r;
 
 #ifdef HAVE_GETSEUSERBYNAME
-@@ -64,11 +72,20 @@
+@@ -67,11 +75,20 @@
        sename = pwname;
        lvl = NULL;
 #endif
diff --git a/debian/patches/series b/debian/patches/series
index 7f410e363..aaee184ee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,12 +4,8 @@ gssapi-autoconf.patch
 gssapi-compat.patch
 gssapi-dump.patch
-# Autotools
-config-guess-sub.patch
 # SELinux
 selinux-role.patch
-selinux-autoconf.patch
 selinux-fix-chroot-directory.patch
 # Key blacklisting
@@ -19,15 +15,10 @@ ssh-vulnkey.patch
 ssh1-keepalive.patch
 keepalive-extensions.patch
-# Linux OOM handling
-oom-adjust.patch
 # Message adjustments
 syslog-level-silent.patch
 quieter-signals.patch
 helpful-wait-terminate.patch
-banner-noslash.patch
-keyfile-debug.patch
 # Miscellaneous bug fixes
 gnome-ssh-askpass2-link.patch
@@ -37,8 +28,6 @@ scp-quoting.patch
 shell-path.patch
 ssh-copy-id-status-check.patch
 ssh-copy-id-trailing-colons.patch
-no-constraint-fallback.patch
-sshd-ignore-sighup.patch
 # Versioning
 package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index cd1bafe83..ddae43a45 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -10,7 +10,7 @@ Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -139,7 +139,7 @@
+@@ -141,7 +141,7 @@
 
                /* Execute the proxy command.  Note that we gave up any
                   extra privileges above. */
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
                perror(argv[0]);
                exit(1);
        }
-@@ -1167,7 +1167,7 @@
+@@ -1243,7 +1243,7 @@
        pid = fork();
        if (pid == 0) {
                debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 4fd544b3f..c0b747e84 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1405,6 +1405,7 @@
+@@ -1432,6 +1432,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index a0396a6eb..c2842a4cf 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -14,16 +14,16 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -26,6 +26,7 @@
+@@ -27,6 +27,7 @@
- SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
 +SSH_DATADIR=$(datadir)/ssh
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
-@@ -37,7 +38,8 @@
+@@ -39,7 +40,8 @@
-        -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
+        -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
        -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
        -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
 -       -DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
@@ -32,27 +32,27 @@ Index: b/Makefile.in
 
 CC=@CC@
 LD=@LD@
-@@ -60,7 +62,7 @@
+@@ -62,7 +64,7 @@
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
        canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -91,8 +93,8 @@
+@@ -93,8 +95,8 @@
        audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
-        roaming_common.o
+        roaming_common.o roaming_serv.o
 
-MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+-MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
+MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
-+MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
+MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
 MANTYPE                = @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -169,6 +171,9 @@
+@@ -174,6 +176,9 @@
 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
        $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
@@ -62,23 +62,23 @@ Index: b/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -268,6 +273,7 @@
+@@ -269,6 +274,7 @@
-        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
 +       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -284,6 +290,7 @@
+@@ -286,6 +292,7 @@
-        $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
        $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 +       $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
        -rm -f $(DESTDIR)$(bindir)/slogin
        ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -365,6 +372,7 @@
+@@ -367,6 +374,7 @@
        -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -377,6 +385,7 @@
+@@ -380,6 +388,7 @@
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -98,30 +98,28 @@ Index: b/auth-rh-rsa.c
 ===================================================================
 --- a/auth-rh-rsa.c
 +++ b/auth-rh-rsa.c
-@@ -44,6 +44,9 @@
+@@ -44,7 +44,7 @@
 {
        HostStatus host_status;
 
-+       if (reject_blacklisted_key(client_host_key, 0) == 1)
+-       if (auth_key_is_revoked(client_host_key))
-+               return 0;
+       if (auth_key_is_revoked(client_host_key, 0))
-+
-        /* Check if we would accept it using rhosts authentication. */
-        if (!auth_rhosts(pw, cuser))
                return 0;
+ 
+        /* Check if we would accept it using rhosts authentication. */
 Index: b/auth-rsa.c
 ===================================================================
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -246,6 +246,9 @@
+@@ -94,7 +94,7 @@
-                            "actual %d vs. announced %d.",
+        MD5_CTX md;
-                            file, linenum, BN_num_bits(key->rsa->n), bits);
+        int len;
 
-+               if (reject_blacklisted_key(key, 0) == 1)
+-       if (auth_key_is_revoked(key))
-+                       continue;
+       if (auth_key_is_revoked(key, 0))
-+
+                return 0;
-                /* We have found the desired key. */
+ 
-                /*
+        /* don't allow short keys */
-                 * If our options do not allow this key to be used,
 Index: b/auth.c
 ===================================================================
 --- a/auth.c
@@ -134,91 +132,86 @@ Index: b/auth.c
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-@@ -398,6 +399,38 @@
+@@ -593,10 +594,34 @@
-        return host_status;
- }
 
-+int
+ /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
-+reject_blacklisted_key(Key *key, int hostkey)
+ int
-+{
+-auth_key_is_revoked(Key *key)
-+       char *fp;
+auth_key_is_revoked(Key *key, int hostkey)
-+
+ {
-+       if (blacklisted_key(key, &fp) != 1)
+        char *key_fp;
-+               return 0;
+ 
-+
+       if (blacklisted_key(key, &key_fp) == 1) {
-+       if (options.permit_blacklisted_keys) {
+               if (options.permit_blacklisted_keys) {
-+               if (hostkey)
+                       if (hostkey)
-+                       error("Host key %s blacklisted (see "
+                               error("Host key %s blacklisted (see "
-+                           "ssh-vulnkey(1)); continuing anyway", fp);
+                                   "ssh-vulnkey(1)); continuing anyway",
-+               else
+                                   key_fp);
-+                       logit("Public key %s from %s blacklisted (see "
+                       else
-+                           "ssh-vulnkey(1)); continuing anyway",
+                               logit("Public key %s from %s blacklisted (see "
-+                           fp, get_remote_ipaddr());
+                                   "ssh-vulnkey(1)); continuing anyway",
-+               xfree(fp);
+                                   key_fp, get_remote_ipaddr());
-+       } else {
+                       xfree(key_fp);
-+               if (hostkey)
+               } else {
-+                       error("Host key %s blacklisted (see "
+                       if (hostkey)
-+                           "ssh-vulnkey(1))", fp);
+                               error("Host key %s blacklisted (see "
-+               else
+                                   "ssh-vulnkey(1))", key_fp);
-+                       logit("Public key %s from %s blacklisted (see "
+                       else
-+                           "ssh-vulnkey(1))",
+                               logit("Public key %s from %s blacklisted (see "
-+                           fp, get_remote_ipaddr());
+                                   "ssh-vulnkey(1))",
-+               xfree(fp);
+                                   key_fp, get_remote_ipaddr());
-+               return 1;
+                       xfree(key_fp);
+                       return 1;
+               }
 +       }
 +
-+       return 0;
+        if (options.revoked_keys_file == NULL)
-+}
+                return 0;
-+
 
- /*
-  * Check a given file for security. This is defined as all components
 Index: b/auth.h
 ===================================================================
 --- a/auth.h
 +++ b/auth.h
-@@ -178,6 +178,8 @@
+@@ -173,7 +173,7 @@
- check_key_in_hostfiles(struct passwd *, Key *, const char *,
+ char   *authorized_keys_file2(struct passwd *);
-     const char *, const char *);
 
-+int    reject_blacklisted_key(Key *, int);
+ FILE   *auth_openkeyfile(const char *, struct passwd *, int);
-+
+-int     auth_key_is_revoked(Key *);
- /* hostkey handling */
+int     auth_key_is_revoked(Key *, int);
- Key    *get_hostkey_by_index(int);
+ 
- Key    *get_hostkey_by_type(int);
+ HostStatus
+ check_key_in_hostfiles(struct passwd *, Key *, const char *,
 Index: b/auth2-hostbased.c
 ===================================================================
 --- a/auth2-hostbased.c
 +++ b/auth2-hostbased.c
-@@ -145,6 +145,9 @@
+@@ -145,7 +145,7 @@
        HostStatus host_status;
        int len;
 
-+       if (reject_blacklisted_key(key, 0) == 1)
+-       if (auth_key_is_revoked(key))
-+               return 0;
+       if (auth_key_is_revoked(key, 0))
-+
+                return 0;
-        resolvedname = get_canonical_hostname(options.use_dns);
-        ipaddr = get_remote_ipaddr();
 
+        resolvedname = get_canonical_hostname(options.use_dns);
 Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -254,6 +254,9 @@
+@@ -325,7 +325,7 @@
        int success;
        char *file;
 
-+       if (reject_blacklisted_key(key, 0) == 1)
+-       if (auth_key_is_revoked(key))
-+               return 0;
+       if (auth_key_is_revoked(key, 0))
-+
+                return 0;
-        file = authorized_keys_file(pw);
+        if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-        success = user_key_allowed2(pw, key, file);
+                return 0;
-        xfree(file);
 Index: b/authfile.c
 ===================================================================
 --- a/authfile.c
 +++ b/authfile.c
-@@ -65,6 +65,7 @@
+@@ -68,6 +68,7 @@
 #include "rsa.h"
 #include "misc.h"
 #include "atomicio.h"
@@ -226,11 +219,10 @@ Index: b/authfile.c
 
 /* Version identification string for SSH v1 identity files. */
 static const char authfile_id_string[] =
-@@ -677,3 +678,140 @@
+@@ -754,3 +755,140 @@
-        key_free(pub);
+        return ret;
-        return NULL;
 }
-+
+ 
 +/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
 +static int
 +blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp)
@@ -367,13 +359,14 @@ Index: b/authfile.c
 +       key_free(public);
 +       return ret;
 +}
+
 Index: b/authfile.h
 ===================================================================
 --- a/authfile.h
 +++ b/authfile.h
-@@ -23,4 +23,6 @@
+@@ -24,4 +24,6 @@
- Key    *key_load_private_pem(int, int, const char *, char **);
 int     key_perm_ok(int, const char *);
+ int     key_in_file(Key *, const char *, int);
 
 +int     blacklisted_key(const Key *key, char **fp);
 +
@@ -412,7 +405,7 @@ Index: b/readconf.c
        oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 +       oUseBlacklistedKeys,
-        oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+        oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 @@ -152,6 +153,7 @@
@@ -423,7 +416,7 @@ Index: b/readconf.c
        { "rsaauthentication", oRSAAuthentication },
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -459,6 +461,10 @@
+@@ -461,6 +463,10 @@
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
 
@@ -434,7 +427,7 @@ Index: b/readconf.c
        case oGssAuthentication:
                intptr = &options->gss_authentication;
                goto parse_flag;
-@@ -1048,6 +1054,7 @@
+@@ -1050,6 +1056,7 @@
        options->kbd_interactive_devices = NULL;
        options->rhosts_rsa_authentication = -1;
        options->hostbased_authentication = -1;
@@ -442,7 +435,7 @@ Index: b/readconf.c
        options->batch_mode = -1;
        options->check_host_ip = -1;
        options->strict_host_key_checking = -1;
-@@ -1150,6 +1157,8 @@
+@@ -1152,6 +1159,8 @@
                options->rhosts_rsa_authentication = 0;
        if (options->hostbased_authentication == -1)
                options->hostbased_authentication = 0;
@@ -467,7 +460,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -99,6 +99,7 @@
+@@ -100,6 +100,7 @@
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -475,7 +468,7 @@ Index: b/servconf.c
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->use_login = -1;
-@@ -227,6 +228,8 @@
+@@ -231,6 +232,8 @@
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
@@ -484,7 +477,7 @@ Index: b/servconf.c
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
-@@ -302,7 +305,7 @@
+@@ -306,7 +309,7 @@
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -493,7 +486,7 @@ Index: b/servconf.c
        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -410,6 +413,7 @@
+@@ -415,6 +418,7 @@
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -501,7 +494,7 @@ Index: b/servconf.c
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -976,6 +980,10 @@
+@@ -1010,6 +1014,10 @@
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
 
@@ -512,7 +505,7 @@ Index: b/servconf.c
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
-@@ -1644,6 +1652,7 @@
+@@ -1688,6 +1696,7 @@
        dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
        dump_cfg_fmtint(sStrictModes, o->strict_modes);
        dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -524,7 +517,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -101,6 +101,7 @@
+@@ -104,6 +104,7 @@
        int     challenge_response_authentication;
        int     zero_knowledge_password_authentication;
                                        /* If true, permit jpake auth */
@@ -536,7 +529,7 @@ Index: b/ssh-add.1
 ===================================================================
 --- a/ssh-add.1
 +++ b/ssh-add.1
-@@ -75,6 +75,10 @@
+@@ -82,6 +82,10 @@
 .Nm
 to work.
 .Pp
@@ -547,7 +540,7 @@ Index: b/ssh-add.1
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl c
-@@ -174,6 +178,7 @@
+@@ -182,6 +186,7 @@
 .Xr ssh 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
@@ -562,10 +555,10 @@ Index: b/ssh-add.c
 @@ -139,7 +139,7 @@
 add_file(AuthenticationConnection *ac, const char *filename)
 {
-        Key *private;
+        Key *private, *cert;
 -       char *comment = NULL;
 +       char *comment = NULL, *fp;
-        char msg[1024];
+        char msg[1024], *certpath;
        int fd, perms_ok, ret = -1;
 
 @@ -184,6 +184,14 @@
@@ -587,7 +580,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -451,6 +451,7 @@
+@@ -629,6 +629,7 @@
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
@@ -1239,7 +1232,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1396,6 +1396,7 @@
+@@ -1423,6 +1423,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1251,7 +1244,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1229,7 +1229,7 @@
+@@ -1301,7 +1301,7 @@
 static void
 load_public_identity_files(void)
 {
@@ -1260,7 +1253,7 @@ Index: b/ssh.c
        char *pwdir = NULL, *pwname = NULL;
        int i = 0;
        Key *public;
-@@ -1276,6 +1276,22 @@
+@@ -1358,6 +1358,22 @@
                public = key_load_public(filename, NULL);
                debug("identity file %s type %d", filename,
                    public ? public->type : -1);
@@ -1281,13 +1274,13 @@ Index: b/ssh.c
 +                       }
 +               }
                xfree(options.identity_files[i]);
-                options.identity_files[i] = filename;
+                identity_files[n_ids] = filename;
-                options.identity_keys[i] = public;
+                identity_keys[n_ids] = public;
 Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1041,6 +1041,23 @@
+@@ -1055,6 +1055,23 @@
 .Dq any .
 The default is
 .Dq any:any .
@@ -1315,7 +1308,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1392,6 +1392,8 @@
+@@ -1418,6 +1418,8 @@
 
        /* list of keys stored in the filesystem */
        for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1317,7 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1482,7 +1484,7 @@
+@@ -1510,7 +1512,7 @@
                if (id->key && id->key->type != KEY_RSA1) {
                        debug("Offering public key: %s", id->filename);
                        sent = send_pubkey_test(authctxt, id);
@@ -1337,7 +1330,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -871,6 +871,7 @@
+@@ -928,6 +928,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1349,11 +1342,11 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1518,6 +1518,11 @@
+@@ -1564,6 +1564,11 @@
                        sensitive_data.host_keys[i] = NULL;
                        continue;
                }
-+               if (reject_blacklisted_key(key, 1) == 1) {
+               if (auth_key_is_revoked(key, 1)) {
 +                       key_free(key);
 +                       sensitive_data.host_keys[i] = NULL;
 +                       continue;
@@ -1365,7 +1358,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -685,6 +685,20 @@
+@@ -694,6 +694,20 @@
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index c82563033..ccd9a668e 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -7,13 +7,20 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -502,16 +502,21 @@
+@@ -507,16 +507,21 @@
 static void
 server_alive_check(void)
 {
 -       if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
 -               logit("Timeout, server not responding.");
 -               cleanup_exit(255);
+-       }
+-       packet_start(SSH2_MSG_GLOBAL_REQUEST);
+-       packet_put_cstring("keepalive@openssh.com");
+-       packet_put_char(1);     /* boolean: want reply */
+-       packet_send();
+-       /* Insert an empty placeholder to maintain ordering */
+-       client_register_global_confirm(NULL, NULL);
 +       if (compat20) {
 +               if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
 +                       logit("Timeout, server not responding.");
@@ -28,17 +35,11 @@ Index: b/clientloop.c
 +       } else {
 +               packet_send_ignore(0);
 +               packet_send();
-        }
+       }
-       packet_start(SSH2_MSG_GLOBAL_REQUEST);
-       packet_put_cstring("keepalive@openssh.com");
-       packet_put_char(1);     /* boolean: want reply */
-       packet_send();
-       /* Insert an empty placeholder to maintain ordering */
-       client_register_global_confirm(NULL, NULL);
 }
 
 /*
-@@ -572,7 +577,7 @@
+@@ -574,7 +579,7 @@
         * event pending.
         */
 
@@ -51,7 +52,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -935,7 +935,10 @@
+@@ -956,7 +956,10 @@
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/sshd-ignore-sighup.patch b/debian/patches/sshd-ignore-sighup.patch
deleted file mode 100644
index ded8bc247..000000000
--- a/debian/patches/sshd-ignore-sighup.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Description: sshd: Ignore subsequent SIGHUPs during re-exec
- Prevents two HUPs in quick succession from resulting in sshd dying.
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1692
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/497781
-Last-Update: 2010-02-28
-Index: b/sshd.c
-===================================================================
--- a/sshd.c
-+++ b/sshd.c
-@@ -318,6 +318,7 @@
-        close_listen_socks();
-        close_startup_pipes();
-        alarm(0);  /* alarm timer persists across exec */
-+       signal(SIGHUP, SIG_IGN); /* will be restored after exec */
-        execv(saved_argv[0], saved_argv);
-        logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
-            strerror(errno));
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 04ea64d34..3ed46c8f8 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -18,7 +18,7 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1533,7 +1533,7 @@
+@@ -1536,7 +1536,7 @@
         * In interactive mode (with pseudo tty) display a message indicating
         * that the connection has been closed.
         */
@@ -63,20 +63,20 @@ Index: b/mux.c
 ===================================================================
 --- a/mux.c
 +++ b/mux.c
-@@ -721,7 +721,7 @@
+@@ -1553,7 +1553,7 @@
        } else
-                debug2("Received exit status from master %d", exitval[0]);
+                debug2("Received exit status from master %d", exitval);
 
 -       if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
 +       if (tty_flag && options.log_level > SYSLOG_LEVEL_QUIET)
                fprintf(stderr, "Shared connection to %s closed.\r\n", host);
 
-        exit(exitval[0]);
+        exit(exitval);
 Index: b/sftp-server.8
 ===================================================================
 --- a/sftp-server.8
 +++ b/sftp-server.8
-@@ -64,7 +64,7 @@
+@@ -74,7 +74,7 @@
 Specifies which messages will be logged by
 .Nm .
 The possible values are:
@@ -89,7 +89,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -500,6 +500,11 @@
+@@ -504,6 +504,11 @@
 .It Fl q
 Quiet mode.
 Causes most warning and diagnostic messages to be suppressed.
@@ -105,8 +105,8 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -389,7 +389,12 @@
+@@ -421,7 +421,12 @@
-                        }
+                        options.exit_on_forward_failure = 1;
                        break;
                case 'q':
 -                       options.log_level = SYSLOG_LEVEL_QUIET;
@@ -119,7 +119,7 @@ Index: b/ssh.c
                        break;
                case 'e':
                        if (optarg[0] == '^' && optarg[2] == 0 &&
-@@ -592,7 +597,7 @@
+@@ -624,7 +629,7 @@
                tty_flag = 0;
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
@@ -132,7 +132,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -685,7 +685,7 @@
+@@ -698,7 +698,7 @@
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
 The possible values are:
@@ -145,7 +145,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -207,9 +207,12 @@
+@@ -217,9 +217,12 @@
 option override command-line ports.
 .It Fl q
 Quiet mode.
@@ -163,7 +163,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1355,7 +1355,12 @@
+@@ -1370,7 +1370,12 @@
                        /* ignored */
                        break;
                case 'q':
@@ -181,7 +181,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -567,7 +567,7 @@
+@@ -575,7 +575,7 @@
 Gives the verbosity level that is used when logging messages from
 .Xr sshd 8 .
 The possible values are:
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index c99c796f3..375a098f9 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -23,7 +23,7 @@ Index: b/readconf.c
 
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -998,11 +1000,30 @@
+@@ -1000,11 +1002,30 @@
 
        if (checkperm) {
                struct stat sb;
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1299,6 +1299,8 @@
+@@ -1326,6 +1326,8 @@
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -73,7 +73,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1194,6 +1194,8 @@
+@@ -1208,6 +1208,8 @@
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.