Diffstat (limited to 'debian')
-rw-r--r--debian/changelog15
-rw-r--r--debian/patches/auth-log-verbosity.patch19
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch4
-rw-r--r--debian/patches/consolekit.patch41
-rw-r--r--debian/patches/debian-banner.patch20
-rw-r--r--debian/patches/debian-config.patch12
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/doc-upstart.patch4
-rw-r--r--debian/patches/gssapi.patch268
-rw-r--r--debian/patches/keepalive-extensions.patch24
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch4
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch6
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch8
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/selinux-role.patch50
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/shell-path.patch4
-rw-r--r--debian/patches/sigstop.patch4
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-copy-id-portable.patch20
-rw-r--r--debian/patches/ssh-vulnkey.patch114
-rw-r--r--debian/patches/ssh1-keepalive.patch16
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/user-group-modes.patch26
25 files changed, 340 insertions, 358 deletions
diff --git a/debian/changelog b/debian/changelog
index 9ed26d33d..a7359c9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,16 @@
1openssh (1:6.2p2-7) UNRELEASED; urgency=low 1openssh (1:6.3p1-1) UNRELEASED; urgency=low
2 2
3 * New upstream release (http://www.openssh.com/txt/release-6.3).
4 - sftp(1): add support for resuming partial downloads using the "reget"
5 command and on the sftp commandline or on the "get" commandline using
6 the "-a" (append) option (closes: #158590).
7 - ssh(1): add an "IgnoreUnknown" configuration option to selectively
8 suppress errors arising from unknown configuration directives (closes:
9 #436052).
10 - sftp(1): update progressmeter when data is acknowledged, not when it's
11 sent (partially addresses #708372).
12 - ssh(1): do not fatally exit when attempting to cleanup multiplexing-
13 created channels that are incompletely opened (closes: #651357).
3 * When running under Upstart, only consider the daemon started once it is 14 * When running under Upstart, only consider the daemon started once it is
4 ready to accept connections (by raising SIGSTOP at that point and using 15 ready to accept connections (by raising SIGSTOP at that point and using
5 "expect stop"). 16 "expect stop").
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 206967bc9..a6a842ecd 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug-Debian: http://bugs.debian.org/630606 3Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no 4Forwarded: no
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/auth-options.c 7Index: b/auth-options.c
8=================================================================== 8===================================================================
@@ -32,7 +32,7 @@ Index: b/auth-options.c
32@@ -288,10 +299,13 @@ 32@@ -288,10 +299,13 @@
33 /* FALLTHROUGH */ 33 /* FALLTHROUGH */
34 case 0: 34 case 0:
35 xfree(patterns); 35 free(patterns);
36- logit("Authentication tried for %.100s with " 36- logit("Authentication tried for %.100s with "
37- "correct key but not from a permitted " 37- "correct key but not from a permitted "
38- "host (host=%.200s, ip=%.200s).", 38- "host (host=%.200s, ip=%.200s).",
@@ -47,7 +47,7 @@ Index: b/auth-options.c
47 auth_debug_add("Your host '%.200s' is not " 47 auth_debug_add("Your host '%.200s' is not "
48 "permitted to use this key for login.", 48 "permitted to use this key for login.",
49 remote_host); 49 remote_host);
50@@ -512,11 +526,14 @@ 50@@ -513,11 +527,14 @@
51 break; 51 break;
52 case 0: 52 case 0:
53 /* no match */ 53 /* no match */
@@ -83,7 +83,7 @@ Index: b/auth-rsa.c
83=================================================================== 83===================================================================
84--- a/auth-rsa.c 84--- a/auth-rsa.c
85+++ b/auth-rsa.c 85+++ b/auth-rsa.c
86@@ -175,6 +175,8 @@ 86@@ -174,6 +174,8 @@
87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
88 return 0; 88 return 0;
89 89
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
96=================================================================== 96===================================================================
97--- a/auth2-pubkey.c 97--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c 98+++ b/auth2-pubkey.c
99@@ -217,6 +217,7 @@ 99@@ -257,6 +257,7 @@
100 restore_uid(); 100 restore_uid();
101 return 0; 101 return 0;
102 } 102 }
@@ -104,16 +104,15 @@ Index: b/auth2-pubkey.c
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */ 105 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -278,6 +279,8 @@ 107@@ -318,6 +319,7 @@
108 found_key = 0; 108 found_key = 0;
109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
110 109
110 found = NULL;
111+ auth_start_parse_options(); 111+ auth_start_parse_options();
112+
113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 112 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
114 char *cp, *key_options = NULL; 113 char *cp, *key_options = NULL;
115 114 if (found != NULL)
116@@ -412,6 +415,7 @@ 115@@ -453,6 +455,7 @@
117 if (key_cert_check_authority(key, 0, 1, 116 if (key_cert_check_authority(key, 0, 1,
118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 117 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
119 goto fail_reason; 118 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index c6a4b64c6..e48a3cb3e 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
2Author: Tomas Pospisek <tpo_deb@sourcepole.ch> 2Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
4Bug-Debian: http://bugs.debian.org/441817 4Bug-Debian: http://bugs.debian.org/441817
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/Makefile.in 7Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -286,6 +286,7 @@ 11@@ -289,6 +289,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index 36b3805b9..fd064a848 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,7 +1,7 @@
1Description: Add support for registering ConsoleKit sessions on login 1Description: Add support for registering ConsoleKit sessions on login
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
4Last-Updated: 2013-05-13 4Last-Updated: 2013-09-14
5 5
6Index: b/Makefile.in 6Index: b/Makefile.in
7=================================================================== 7===================================================================
@@ -21,7 +21,7 @@ Index: b/configure.ac
21=================================================================== 21===================================================================
22--- a/configure.ac 22--- a/configure.ac
23+++ b/configure.ac 23+++ b/configure.ac
24@@ -3801,6 +3801,30 @@ 24@@ -3841,6 +3841,30 @@
25 AC_SUBST([GSSLIBS]) 25 AC_SUBST([GSSLIBS])
26 AC_SUBST([K5LIBS]) 26 AC_SUBST([K5LIBS])
27 27
@@ -52,7 +52,7 @@ Index: b/configure.ac
52 # Looking for programs, paths and files 52 # Looking for programs, paths and files
53 53
54 PRIVSEP_PATH=/var/empty 54 PRIVSEP_PATH=/var/empty
55@@ -4600,6 +4624,7 @@ 55@@ -4641,6 +4665,7 @@
56 echo " libedit support: $LIBEDIT_MSG" 56 echo " libedit support: $LIBEDIT_MSG"
57 echo " Solaris process contract support: $SPC_MSG" 57 echo " Solaris process contract support: $SPC_MSG"
58 echo " Solaris project support: $SP_MSG" 58 echo " Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
64=================================================================== 64===================================================================
65--- a/configure 65--- a/configure
66+++ b/configure 66+++ b/configure
67@@ -737,6 +737,7 @@ 67@@ -738,6 +738,7 @@
68 with_sandbox 68 with_sandbox
69 with_selinux 69 with_selinux
70 with_kerberos5 70 with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
72 with_privsep_path 72 with_privsep_path
73 with_xauth 73 with_xauth
74 enable_strip 74 enable_strip
75@@ -1427,6 +1428,7 @@ 75@@ -1428,6 +1429,7 @@
76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) 76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
77 --with-selinux Enable SELinux support 77 --with-selinux Enable SELinux support
78 --with-kerberos5=PATH Enable Kerberos 5 support 78 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -80,7 +80,7 @@ Index: b/configure
80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
81 --with-xauth=PATH Specify path to xauth program 81 --with-xauth=PATH Specify path to xauth program
82 --with-maildir=/path/to/mail Specify your system mail directory 82 --with-maildir=/path/to/mail Specify your system mail directory
83@@ -16002,6 +16004,135 @@ 83@@ -16375,6 +16377,135 @@
84 84
85 85
86 86
@@ -216,7 +216,7 @@ Index: b/configure
216 # Looking for programs, paths and files 216 # Looking for programs, paths and files
217 217
218 PRIVSEP_PATH=/var/empty 218 PRIVSEP_PATH=/var/empty
219@@ -18527,6 +18658,7 @@ 219@@ -18902,6 +19033,7 @@
220 echo " libedit support: $LIBEDIT_MSG" 220 echo " libedit support: $LIBEDIT_MSG"
221 echo " Solaris process contract support: $SPC_MSG" 221 echo " Solaris process contract support: $SPC_MSG"
222 echo " Solaris project support: $SP_MSG" 222 echo " Solaris project support: $SP_MSG"
@@ -502,17 +502,17 @@ Index: b/monitor.c
502=================================================================== 502===================================================================
503--- a/monitor.c 503--- a/monitor.c
504+++ b/monitor.c 504+++ b/monitor.c
505@@ -97,6 +97,9 @@ 505@@ -98,6 +98,9 @@
506 #include "ssh2.h"
507 #include "jpake.h" 506 #include "jpake.h"
508 #include "roaming.h" 507 #include "roaming.h"
508 #include "authfd.h"
509+#ifdef USE_CONSOLEKIT 509+#ifdef USE_CONSOLEKIT
510+#include "consolekit.h" 510+#include "consolekit.h"
511+#endif 511+#endif
512 512
513 #ifdef GSSAPI 513 #ifdef GSSAPI
514 static Gssctxt *gsscontext = NULL; 514 static Gssctxt *gsscontext = NULL;
515@@ -192,6 +195,10 @@ 515@@ -193,6 +196,10 @@
516 516
517 static int monitor_read_log(struct monitor *); 517 static int monitor_read_log(struct monitor *);
518 518
@@ -523,7 +523,7 @@ Index: b/monitor.c
523 static Authctxt *authctxt; 523 static Authctxt *authctxt;
524 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 524 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
525 525
526@@ -284,6 +291,9 @@ 526@@ -285,6 +292,9 @@
527 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 527 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
528 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 528 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
529 #endif 529 #endif
@@ -533,7 +533,7 @@ Index: b/monitor.c
533 {0, 0, NULL} 533 {0, 0, NULL}
534 }; 534 };
535 535
536@@ -326,6 +336,9 @@ 536@@ -327,6 +337,9 @@
537 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 537 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
538 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 538 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
539 #endif 539 #endif
@@ -553,7 +553,7 @@ Index: b/monitor.c
553 553
554 for (;;) 554 for (;;)
555 monitor_read(pmonitor, mon_dispatch, NULL); 555 monitor_read(pmonitor, mon_dispatch, NULL);
556@@ -2472,3 +2488,31 @@ 556@@ -2492,3 +2508,30 @@
557 } 557 }
558 558
559 #endif /* JPAKE */ 559 #endif /* JPAKE */
@@ -577,10 +577,9 @@ Index: b/monitor.c
577+ buffer_put_cstring(m, cookie != NULL ? cookie : ""); 577+ buffer_put_cstring(m, cookie != NULL ? cookie : "");
578+ mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m); 578+ mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
579+ 579+
580+ if (cookie != NULL) 580+ free(cookie);
581+ xfree(cookie); 581+ free(display);
582+ xfree(display); 582+ free(tty);
583+ xfree(tty);
584+ 583+
585+ return (0); 584+ return (0);
586+} 585+}
@@ -602,7 +601,7 @@ Index: b/monitor_wrap.c
602=================================================================== 601===================================================================
603--- a/monitor_wrap.c 602--- a/monitor_wrap.c
604+++ b/monitor_wrap.c 603+++ b/monitor_wrap.c
605@@ -1514,3 +1514,34 @@ 604@@ -1516,3 +1516,34 @@
606 return success; 605 return success;
607 } 606 }
608 #endif /* JPAKE */ 607 #endif /* JPAKE */
@@ -631,7 +630,7 @@ Index: b/monitor_wrap.c
631+ 630+
632+ /* treat empty cookie as missing cookie */ 631+ /* treat empty cookie as missing cookie */
633+ if (strlen(cookie) == 0) { 632+ if (strlen(cookie) == 0) {
634+ xfree(cookie); 633+ free(cookie);
635+ cookie = NULL; 634+ cookie = NULL;
636+ } 635+ }
637+ return (cookie); 636+ return (cookie);
@@ -654,7 +653,7 @@ Index: b/session.c
654=================================================================== 653===================================================================
655--- a/session.c 654--- a/session.c
656+++ b/session.c 655+++ b/session.c
657@@ -91,6 +91,7 @@ 656@@ -92,6 +92,7 @@
658 #include "kex.h" 657 #include "kex.h"
659 #include "monitor_wrap.h" 658 #include "monitor_wrap.h"
660 #include "sftp.h" 659 #include "sftp.h"
@@ -684,7 +683,7 @@ Index: b/session.c
684 #ifdef USE_PAM 683 #ifdef USE_PAM
685 /* 684 /*
686 * Pull in any environment variables that may have 685 * Pull in any environment variables that may have
687@@ -2308,6 +2317,10 @@ 686@@ -2320,6 +2329,10 @@
688 687
689 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 688 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
690 689
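Review bot: The header line this refresh rewrites at the top of consolekit.patch is still spelled `Last-Updated:`, whereas DEP-3 names the field `Last-Update:` and the other refreshed patches on this page (auth-log-verbosity, authorized-keys-man-symlink, debian-banner, debian-config) use that spelling. Since the date is being changed anyway, the line could become `Last-Update: 2013-09-14`. The header of debian/patches/gssapi.patch has the same spelling and would take the same one-line change. Tools that read DEP-3 metadata would presumably not pick up the date under the unrecognised field name.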
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index d96f2cc59..981cdd697 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
4Author: Kees Cook <kees@debian.org> 4Author: Kees Cook <kees@debian.org>
5Bug-Debian: http://bugs.debian.org/562048 5Bug-Debian: http://bugs.debian.org/562048
6Forwarded: not-needed 6Forwarded: not-needed
7Last-Update: 2013-05-07 7Last-Update: 2013-09-14
8 8
9Index: b/servconf.c 9Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -150,6 +150,7 @@ 13@@ -157,6 +157,7 @@
14 options->ip_qos_interactive = -1; 14 options->ip_qos_interactive = -1;
15 options->ip_qos_bulk = -1; 15 options->ip_qos_bulk = -1;
16 options->version_addendum = NULL; 16 options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18 } 18 }
19 19
20 void 20 void
21@@ -299,6 +300,8 @@ 21@@ -310,6 +311,8 @@
22 options->ip_qos_bulk = IPTOS_THROUGHPUT; 22 options->ip_qos_bulk = IPTOS_THROUGHPUT;
23 if (options->version_addendum == NULL) 23 if (options->version_addendum == NULL)
24 options->version_addendum = xstrdup(""); 24 options->version_addendum = xstrdup("");
@@ -27,15 +27,15 @@ Index: b/servconf.c
27 /* Turn privilege separation on by default */ 27 /* Turn privilege separation on by default */
28 if (use_privsep == -1) 28 if (use_privsep == -1)
29 use_privsep = PRIVSEP_NOSANDBOX; 29 use_privsep = PRIVSEP_NOSANDBOX;
30@@ -349,6 +352,7 @@ 30@@ -360,6 +363,7 @@
31 sKexAlgorithms, sIPQoS, sVersionAddendum, 31 sKexAlgorithms, sIPQoS, sVersionAddendum,
32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
33 sAuthenticationMethods, 33 sAuthenticationMethods, sHostKeyAgent,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -488,6 +492,7 @@ 38@@ -501,6 +505,7 @@
39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1593,6 +1598,10 @@ 46@@ -1648,6 +1653,10 @@
47 } 47 }
48 return 0; 48 return 0;
49 49
@@ -58,7 +58,7 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -184,6 +184,8 @@ 61@@ -188,6 +188,8 @@
62 62
63 u_int num_auth_methods; 63 u_int num_auth_methods;
64 char *auth_methods[MAX_AUTH_METHODS]; 64 char *auth_methods[MAX_AUTH_METHODS];
@@ -71,7 +71,7 @@ Index: b/sshd.c
71=================================================================== 71===================================================================
72--- a/sshd.c 72--- a/sshd.c
73+++ b/sshd.c 73+++ b/sshd.c
74@@ -434,7 +434,8 @@ 74@@ -440,7 +440,8 @@
75 } 75 }
76 76
77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85=================================================================== 85===================================================================
86--- a/sshd_config.5 86--- a/sshd_config.5
87+++ b/sshd_config.5 87+++ b/sshd_config.5
88@@ -397,6 +397,11 @@ 88@@ -404,6 +404,11 @@
89 .Dq no . 89 .Dq no .
90 The default is 90 The default is
91 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 45a8364ca..d005bdc2e 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,13 +18,13 @@ Description: Various Debian-specific configuration changes
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Author: Russ Allbery <rra@debian.org> 19Author: Russ Allbery <rra@debian.org>
20Forwarded: not-needed 20Forwarded: not-needed
21Last-Update: 2013-05-16 21Last-Update: 2013-09-14
22 22
23Index: b/readconf.c 23Index: b/readconf.c
24=================================================================== 24===================================================================
25--- a/readconf.c 25--- a/readconf.c
26+++ b/readconf.c 26+++ b/readconf.c
27@@ -1288,7 +1288,7 @@ 27@@ -1298,7 +1298,7 @@
28 if (options->forward_x11 == -1) 28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 30 if (options->forward_x11_trusted == -1)
@@ -49,10 +49,10 @@ Index: b/ssh_config
49 # RhostsRSAAuthentication no 49 # RhostsRSAAuthentication no
50 # RSAAuthentication yes 50 # RSAAuthentication yes
51 # PasswordAuthentication yes 51 # PasswordAuthentication yes
52@@ -47,3 +48,7 @@ 52@@ -48,3 +49,7 @@
53 # PermitLocalCommand no
54 # VisualHostKey no 53 # VisualHostKey no
55 # ProxyCommand ssh -q -W %h:%p gateway.example.com 54 # ProxyCommand ssh -q -W %h:%p gateway.example.com
55 # RekeyLimit 1G 1h
56+ SendEnv LANG LC_* 56+ SendEnv LANG LC_*
57+ HashKnownHosts yes 57+ HashKnownHosts yes
58+ GSSAPIAuthentication yes 58+ GSSAPIAuthentication yes
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -502,7 +518,8 @@ 87@@ -501,7 +517,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
@@ -98,7 +98,7 @@ Index: b/sshd_config
98=================================================================== 98===================================================================
99--- a/sshd_config 99--- a/sshd_config
100+++ b/sshd_config 100+++ b/sshd_config
101@@ -37,6 +37,7 @@ 101@@ -40,6 +40,7 @@
102 # Authentication: 102 # Authentication:
103 103
104 #LoginGraceTime 2m 104 #LoginGraceTime 2m
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 25201a7d4..4c197323c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
4Bug-Debian: http://bugs.debian.org/430154 4Bug-Debian: http://bugs.debian.org/430154
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/ssh_config.5 7Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -588,6 +588,9 @@ 11@@ -587,6 +587,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 5f35ac0c8..a471f9c4c 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,13 +1,13 @@
1Description: Refer to ssh's Upstart job as well as its init script 1Description: Refer to ssh's Upstart job as well as its init script
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Forwarded: not-needed 3Forwarded: not-needed
4Last-Update: 2012-11-26 4Last-Update: 2013-09-14
5 5
6Index: b/sshd.8 6Index: b/sshd.8
7=================================================================== 7===================================================================
8--- a/sshd.8 8--- a/sshd.8
9+++ b/sshd.8 9+++ b/sshd.8
10@@ -69,7 +69,10 @@ 10@@ -70,7 +70,10 @@
11 .Nm 11 .Nm
12 listens for connections from clients. 12 listens for connections from clients.
13 It is normally started at boot from 13 It is normally started at boot from
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 416e2f16c..85c6722f0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2013-05-16 16Last-Updated: 2013-09-14
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -158,7 +158,7 @@ Index: b/auth-krb5.c
158=================================================================== 158===================================================================
159--- a/auth-krb5.c 159--- a/auth-krb5.c
160+++ b/auth-krb5.c 160+++ b/auth-krb5.c
161@@ -170,8 +170,13 @@ 161@@ -181,8 +181,13 @@
162 162
163 len = strlen(authctxt->krb5_ticket_file) + 6; 163 len = strlen(authctxt->krb5_ticket_file) + 6;
164 authctxt->krb5_ccname = xmalloc(len); 164 authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +172,7 @@ Index: b/auth-krb5.c
172 172
173 #ifdef USE_PAM 173 #ifdef USE_PAM
174 if (options.use_pam) 174 if (options.use_pam)
175@@ -226,15 +231,22 @@ 175@@ -239,15 +244,22 @@
176 #ifndef HEIMDAL 176 #ifndef HEIMDAL
177 krb5_error_code 177 krb5_error_code
178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +197,7 @@ Index: b/auth-krb5.c
197 old_umask = umask(0177); 197 old_umask = umask(0177);
198 tmpfd = mkstemp(ccname + strlen("FILE:")); 198 tmpfd = mkstemp(ccname + strlen("FILE:"));
199 oerrno = errno; 199 oerrno = errno;
200@@ -251,6 +263,7 @@ 200@@ -264,6 +276,7 @@
201 return oerrno; 201 return oerrno;
202 } 202 }
203 close(tmpfd); 203 close(tmpfd);
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
210--- a/auth2-gss.c 210--- a/auth2-gss.c
211+++ b/auth2-gss.c 211+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
213 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
214 214
215 /* 215 /*
216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -251,7 +251,7 @@ Index: b/auth2-gss.c
251+ authctxt->pw)); 251+ authctxt->pw));
252+ 252+
253+ buffer_free(&b); 253+ buffer_free(&b);
254+ xfree(mic.value); 254+ free(mic.value);
255+ 255+
256+ return (authenticated); 256+ return (authenticated);
257+} 257+}
@@ -259,7 +259,7 @@ Index: b/auth2-gss.c
259 /* 259 /*
260 * We only support those mechanisms that we know about (ie ones that we know 260 * We only support those mechanisms that we know about (ie ones that we know
261 * how to check local user kuserok and the like) 261 * how to check local user kuserok and the like)
262@@ -244,7 +278,8 @@ 262@@ -240,7 +274,8 @@
263 263
264 packet_check_eom(); 264 packet_check_eom();
265 265
@@ -269,7 +269,7 @@ Index: b/auth2-gss.c
269 269
270 authctxt->postponed = 0; 270 authctxt->postponed = 0;
271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
272@@ -279,7 +314,8 @@ 272@@ -275,7 +310,8 @@
273 gssbuf.length = buffer_len(&b); 273 gssbuf.length = buffer_len(&b);
274 274
275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +279,7 @@ Index: b/auth2-gss.c
279 else 279 else
280 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
281 281
282@@ -294,6 +330,12 @@ 282@@ -290,6 +326,12 @@
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 284 }
285 285
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1599,6 +1603,15 @@ 330@@ -1608,6 +1612,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1511,6 +1511,9 @@ 350@@ -1546,6 +1546,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1526,6 +1529,9 @@ 360@@ -1561,6 +1564,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -371,7 +371,7 @@ Index: b/configure
371=================================================================== 371===================================================================
372--- a/configure 372--- a/configure
373+++ b/configure 373+++ b/configure
374@@ -6588,6 +6588,63 @@ 374@@ -6780,6 +6780,63 @@
375 375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439=================================================================== 439===================================================================
440--- a/configure.ac 440--- a/configure.ac
441+++ b/configure.ac 441+++ b/configure.ac
442@@ -533,6 +533,30 @@ 442@@ -548,6 +548,30 @@
443 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
@@ -475,7 +475,7 @@ Index: b/gss-genr.c
475--- a/gss-genr.c 475--- a/gss-genr.c
476+++ b/gss-genr.c 476+++ b/gss-genr.c
477@@ -1,7 +1,7 @@ 477@@ -1,7 +1,7 @@
478 /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 478 /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
479 479
480 /* 480 /*
481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -549,8 +549,8 @@ Index: b/gss-genr.c
549+ 549+
550+ if (gss_enc2oid != NULL) { 550+ if (gss_enc2oid != NULL) {
551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) 551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
552+ xfree(gss_enc2oid[i].encoded); 552+ free(gss_enc2oid[i].encoded);
553+ xfree(gss_enc2oid); 553+ free(gss_enc2oid);
554+ } 554+ }
555+ 555+
556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * 556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -607,7 +607,7 @@ Index: b/gss-genr.c
607+ buffer_free(&buf); 607+ buffer_free(&buf);
608+ 608+
609+ if (strlen(mechs) == 0) { 609+ if (strlen(mechs) == 0) {
610+ xfree(mechs); 610+ free(mechs);
611+ mechs = NULL; 611+ mechs = NULL;
612+ } 612+ }
613+ 613+
@@ -826,7 +826,7 @@ Index: b/gss-serv-krb5.c
826--- a/gss-serv-krb5.c 826--- a/gss-serv-krb5.c
827+++ b/gss-serv-krb5.c 827+++ b/gss-serv-krb5.c
828@@ -1,7 +1,7 @@ 828@@ -1,7 +1,7 @@
829 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 829 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
830 830
831 /* 831 /*
832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -834,15 +834,15 @@ Index: b/gss-serv-krb5.c
834 * 834 *
835 * Redistribution and use in source and binary forms, with or without 835 * Redistribution and use in source and binary forms, with or without
836 * modification, are permitted provided that the following conditions 836 * modification, are permitted provided that the following conditions
837@@ -120,6 +120,7 @@ 837@@ -122,6 +122,7 @@
838 krb5_principal princ;
839 OM_uint32 maj_status, min_status; 838 OM_uint32 maj_status, min_status;
840 int len; 839 int len;
840 const char *errmsg;
841+ const char *new_ccname; 841+ const char *new_ccname;
842 842
843 if (client->creds == NULL) { 843 if (client->creds == NULL) {
844 debug("No credentials stored"); 844 debug("No credentials stored");
845@@ -168,11 +169,16 @@ 845@@ -174,11 +175,16 @@
846 return; 846 return;
847 } 847 }
848 848
@@ -863,7 +863,7 @@ Index: b/gss-serv-krb5.c
863 863
864 #ifdef USE_PAM 864 #ifdef USE_PAM
865 if (options.use_pam) 865 if (options.use_pam)
866@@ -184,6 +190,71 @@ 866@@ -190,6 +196,71 @@
867 return; 867 return;
868 } 868 }
869 869
@@ -935,7 +935,7 @@ Index: b/gss-serv-krb5.c
935 ssh_gssapi_mech gssapi_kerberos_mech = { 935 ssh_gssapi_mech gssapi_kerberos_mech = {
936 "toWM5Slw5Ew8Mqkay+al2g==", 936 "toWM5Slw5Ew8Mqkay+al2g==",
937 "Kerberos", 937 "Kerberos",
938@@ -191,7 +262,8 @@ 938@@ -197,7 +268,8 @@
939 NULL, 939 NULL,
940 &ssh_gssapi_krb5_userok, 940 &ssh_gssapi_krb5_userok,
941 NULL, 941 NULL,
@@ -950,7 +950,7 @@ Index: b/gss-serv.c
950--- a/gss-serv.c 950--- a/gss-serv.c
951+++ b/gss-serv.c 951+++ b/gss-serv.c
952@@ -1,7 +1,7 @@ 952@@ -1,7 +1,7 @@
953 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ 953 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
954 954
955 /* 955 /*
956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -958,7 +958,7 @@ Index: b/gss-serv.c
958 * 958 *
959 * Redistribution and use in source and binary forms, with or without 959 * Redistribution and use in source and binary forms, with or without
960 * modification, are permitted provided that the following conditions 960 * modification, are permitted provided that the following conditions
961@@ -45,15 +45,20 @@ 961@@ -45,15 +45,21 @@
962 #include "channels.h" 962 #include "channels.h"
963 #include "session.h" 963 #include "session.h"
964 #include "misc.h" 964 #include "misc.h"
@@ -972,8 +972,9 @@ Index: b/gss-serv.c
972 972
973 static ssh_gssapi_client gssapi_client = 973 static ssh_gssapi_client gssapi_client =
974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; 975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; 976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
977+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
977 978
978 ssh_gssapi_mech gssapi_null_mech = 979 ssh_gssapi_mech gssapi_null_mech =
979- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; 980- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@@ -981,7 +982,7 @@ Index: b/gss-serv.c
981 982
982 #ifdef KRB5 983 #ifdef KRB5
983 extern ssh_gssapi_mech gssapi_kerberos_mech; 984 extern ssh_gssapi_mech gssapi_kerberos_mech;
984@@ -81,25 +86,32 @@ 985@@ -81,25 +87,32 @@
985 char lname[MAXHOSTNAMELEN]; 986 char lname[MAXHOSTNAMELEN];
986 gss_OID_set oidset; 987 gss_OID_set oidset;
987 988
@@ -1028,7 +1029,7 @@ Index: b/gss-serv.c
1028 } 1029 }
1029 1030
1030 /* Privileged */ 1031 /* Privileged */
1031@@ -114,6 +126,29 @@ 1032@@ -114,6 +127,29 @@
1032 } 1033 }
1033 1034
1034 /* Unprivileged */ 1035 /* Unprivileged */
@@ -1058,7 +1059,7 @@ Index: b/gss-serv.c
1058 void 1059 void
1059 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1060 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1060 { 1061 {
1061@@ -123,7 +158,9 @@ 1062@@ -123,7 +159,9 @@
1062 gss_OID_set supported; 1063 gss_OID_set supported;
1063 1064
1064 gss_create_empty_oid_set(&min_status, oidset); 1065 gss_create_empty_oid_set(&min_status, oidset);
@@ -1069,7 +1070,7 @@ Index: b/gss-serv.c
1069 1070
1070 while (supported_mechs[i]->name != NULL) { 1071 while (supported_mechs[i]->name != NULL) {
1071 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1072 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1072@@ -249,8 +286,48 @@ 1073@@ -249,8 +287,48 @@
1073 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1074 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1074 { 1075 {
1075 int i = 0; 1076 int i = 0;
@@ -1119,7 +1120,7 @@ Index: b/gss-serv.c
1119 1120
1120 client->mech = NULL; 1121 client->mech = NULL;
1121 1122
1122@@ -265,6 +342,13 @@ 1123@@ -265,6 +343,13 @@
1123 if (client->mech == NULL) 1124 if (client->mech == NULL)
1124 return GSS_S_FAILURE; 1125 return GSS_S_FAILURE;
1125 1126
@@ -1133,7 +1134,7 @@ Index: b/gss-serv.c
1133 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1134 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1134 &client->displayname, NULL))) { 1135 &client->displayname, NULL))) {
1135 ssh_gssapi_error(ctx); 1136 ssh_gssapi_error(ctx);
1136@@ -282,6 +366,8 @@ 1137@@ -282,6 +367,8 @@
1137 return (ctx->major); 1138 return (ctx->major);
1138 } 1139 }
1139 1140
@@ -1142,7 +1143,7 @@ Index: b/gss-serv.c
1142 /* We can't copy this structure, so we just move the pointer to it */ 1143 /* We can't copy this structure, so we just move the pointer to it */
1143 client->creds = ctx->client_creds; 1144 client->creds = ctx->client_creds;
1144 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1145 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1145@@ -329,7 +415,7 @@ 1146@@ -329,7 +416,7 @@
1146 1147
1147 /* Privileged */ 1148 /* Privileged */
1148 int 1149 int
@@ -1151,7 +1152,7 @@ Index: b/gss-serv.c
1151 { 1152 {
1152 OM_uint32 lmin; 1153 OM_uint32 lmin;
1153 1154
1154@@ -339,9 +425,11 @@ 1155@@ -339,9 +426,11 @@
1155 return 0; 1156 return 0;
1156 } 1157 }
1157 if (gssapi_client.mech && gssapi_client.mech->userok) 1158 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1165,7 +1166,7 @@ Index: b/gss-serv.c
1165 /* Destroy delegated credentials if userok fails */ 1166 /* Destroy delegated credentials if userok fails */
1166 gss_release_buffer(&lmin, &gssapi_client.displayname); 1167 gss_release_buffer(&lmin, &gssapi_client.displayname);
1167 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1168 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1168@@ -354,14 +442,90 @@ 1169@@ -354,14 +443,90 @@
1169 return (0); 1170 return (0);
1170 } 1171 }
1171 1172
@@ -1277,32 +1278,37 @@ Index: b/kex.c
1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1278 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1278 # if defined(HAVE_EVP_SHA256) 1279 # if defined(HAVE_EVP_SHA256)
1279 # define evp_ssh_sha256 EVP_sha256 1280 # define evp_ssh_sha256 EVP_sha256
1280@@ -369,6 +373,20 @@ 1281@@ -82,6 +86,14 @@
1281 k->kex_type = KEX_ECDH_SHA2;
1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1283 #endif 1282 #endif
1283 { NULL, -1, -1, NULL},
1284 };
1285+static const struct kexalg kexalg_prefixes[] = {
1284+#ifdef GSSAPI 1286+#ifdef GSSAPI
1285+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 1287+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
1286+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { 1288+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
1287+ k->kex_type = KEX_GSS_GEX_SHA1; 1289+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
1288+ k->evp_md = EVP_sha1();
1289+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
1290+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
1291+ k->kex_type = KEX_GSS_GRP1_SHA1;
1292+ k->evp_md = EVP_sha1();
1293+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
1294+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
1295+ k->kex_type = KEX_GSS_GRP14_SHA1;
1296+ k->evp_md = EVP_sha1();
1297+#endif 1290+#endif
1298 } else 1291+ { NULL, -1, -1, NULL },
1299 fatal("bad kex alg %s", k->name); 1292+};
1293
1294 char *
1295 kex_alg_list(void)
1296@@ -110,6 +122,10 @@
1297 if (strcmp(k->name, name) == 0)
1298 return k;
1299 }
1300+ for (k = kexalg_prefixes; k->name != NULL; k++) {
1301+ if (strncmp(k->name, name, strlen(k->name)) == 0)
1302+ return k;
1303+ }
1304 return NULL;
1300 } 1305 }
1306
1301Index: b/kex.h 1307Index: b/kex.h
1302=================================================================== 1308===================================================================
1303--- a/kex.h 1309--- a/kex.h
1304+++ b/kex.h 1310+++ b/kex.h
1305@@ -73,6 +73,9 @@ 1311@@ -74,6 +74,9 @@
1306 KEX_DH_GEX_SHA1, 1312 KEX_DH_GEX_SHA1,
1307 KEX_DH_GEX_SHA256, 1313 KEX_DH_GEX_SHA256,
1308 KEX_ECDH_SHA2, 1314 KEX_ECDH_SHA2,
@@ -1312,10 +1318,10 @@ Index: b/kex.h
1312 KEX_MAX 1318 KEX_MAX
1313 }; 1319 };
1314 1320
1315@@ -131,6 +134,12 @@ 1321@@ -133,6 +136,12 @@
1316 sig_atomic_t done;
1317 int flags; 1322 int flags;
1318 const EVP_MD *evp_md; 1323 const EVP_MD *evp_md;
1324 int ec_nid;
1319+#ifdef GSSAPI 1325+#ifdef GSSAPI
1320+ int gss_deleg_creds; 1326+ int gss_deleg_creds;
1321+ int gss_trust_dns; 1327+ int gss_trust_dns;
@@ -1325,7 +1331,7 @@ Index: b/kex.h
1325 char *client_version_string; 1331 char *client_version_string;
1326 char *server_version_string; 1332 char *server_version_string;
1327 int (*verify_host_key)(Key *); 1333 int (*verify_host_key)(Key *);
1328@@ -158,6 +167,11 @@ 1334@@ -162,6 +171,11 @@
1329 void kexecdh_client(Kex *); 1335 void kexecdh_client(Kex *);
1330 void kexecdh_server(Kex *); 1336 void kexecdh_server(Kex *);
1331 1337
@@ -1341,7 +1347,7 @@ Index: b/kexgssc.c
1341=================================================================== 1347===================================================================
1342--- /dev/null 1348--- /dev/null
1343+++ b/kexgssc.c 1349+++ b/kexgssc.c
1344@@ -0,0 +1,334 @@ 1350@@ -0,0 +1,333 @@
1345+/* 1351+/*
1346+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1352+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1347+ * 1353+ *
@@ -1488,7 +1494,7 @@ Index: b/kexgssc.c
1488+ 1494+
1489+ /* If we've got an old receive buffer get rid of it */ 1495+ /* If we've got an old receive buffer get rid of it */
1490+ if (token_ptr != GSS_C_NO_BUFFER) 1496+ if (token_ptr != GSS_C_NO_BUFFER)
1491+ xfree(recv_tok.value); 1497+ free(recv_tok.value);
1492+ 1498+
1493+ if (maj_status == GSS_S_COMPLETE) { 1499+ if (maj_status == GSS_S_COMPLETE) {
1494+ /* If mutual state flag is not true, kex fails */ 1500+ /* If mutual state flag is not true, kex fails */
@@ -1605,7 +1611,7 @@ Index: b/kexgssc.c
1605+ fatal("kexdh_client: BN_bin2bn failed"); 1611+ fatal("kexdh_client: BN_bin2bn failed");
1606+ 1612+
1607+ memset(kbuf, 0, klen); 1613+ memset(kbuf, 0, klen);
1608+ xfree(kbuf); 1614+ free(kbuf);
1609+ 1615+
1610+ switch (kex->kex_type) { 1616+ switch (kex->kex_type) {
1611+ case KEX_GSS_GRP1_SHA1: 1617+ case KEX_GSS_GRP1_SHA1:
@@ -1648,11 +1654,10 @@ Index: b/kexgssc.c
1648+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 1654+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
1649+ packet_disconnect("Hash's MIC didn't verify"); 1655+ packet_disconnect("Hash's MIC didn't verify");
1650+ 1656+
1651+ xfree(msg_tok.value); 1657+ free(msg_tok.value);
1652+ 1658+
1653+ DH_free(dh); 1659+ DH_free(dh);
1654+ if (serverhostkey) 1660+ free(serverhostkey);
1655+ xfree(serverhostkey);
1656+ BN_clear_free(dh_server_pub); 1661+ BN_clear_free(dh_server_pub);
1657+ 1662+
1658+ /* save session id */ 1663+ /* save session id */
@@ -1680,7 +1685,7 @@ Index: b/kexgsss.c
1680=================================================================== 1685===================================================================
1681--- /dev/null 1686--- /dev/null
1682+++ b/kexgsss.c 1687+++ b/kexgsss.c
1683@@ -0,0 +1,288 @@ 1688@@ -0,0 +1,289 @@
1684+/* 1689+/*
1685+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1690+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1686+ * 1691+ *
@@ -1761,9 +1766,10 @@ Index: b/kexgsss.c
1761+ * in the GSSAPI code are no longer available. This kludges them back 1766+ * in the GSSAPI code are no longer available. This kludges them back
1762+ * into life 1767+ * into life
1763+ */ 1768+ */
1764+ if (!ssh_gssapi_oid_table_ok()) 1769+ if (!ssh_gssapi_oid_table_ok()) {
1765+ if ((mechs = ssh_gssapi_server_mechanisms())) 1770+ mechs = ssh_gssapi_server_mechanisms();
1766+ xfree(mechs); 1771+ free(mechs);
1772+ }
1767+ 1773+
1768+ debug2("%s: Identifying %s", __func__, kex->name); 1774+ debug2("%s: Identifying %s", __func__, kex->name);
1769+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); 1775+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -1841,7 +1847,7 @@ Index: b/kexgsss.c
1841+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 1847+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
1842+ &send_tok, &ret_flags)); 1848+ &send_tok, &ret_flags));
1843+ 1849+
1844+ xfree(recv_tok.value); 1850+ free(recv_tok.value);
1845+ 1851+
1846+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) 1852+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
1847+ fatal("Zero length token output when incomplete"); 1853+ fatal("Zero length token output when incomplete");
@@ -1890,7 +1896,7 @@ Index: b/kexgsss.c
1890+ fatal("kexgss_server: BN_bin2bn failed"); 1896+ fatal("kexgss_server: BN_bin2bn failed");
1891+ 1897+
1892+ memset(kbuf, 0, klen); 1898+ memset(kbuf, 0, klen);
1893+ xfree(kbuf); 1899+ free(kbuf);
1894+ 1900+
1895+ switch (kex->kex_type) { 1901+ switch (kex->kex_type) {
1896+ case KEX_GSS_GRP1_SHA1: 1902+ case KEX_GSS_GRP1_SHA1:
@@ -1973,24 +1979,14 @@ Index: b/key.c
1973=================================================================== 1979===================================================================
1974--- a/key.c 1980--- a/key.c
1975+++ b/key.c 1981+++ b/key.c
1976@@ -976,6 +976,8 @@ 1982@@ -933,6 +933,7 @@
1977 } 1983 KEY_RSA_CERT_V00, 0, 1 },
1978 break; 1984 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
1979 #endif /* OPENSSL_HAS_ECC */ 1985 KEY_DSA_CERT_V00, 0, 1 },
1980+ case KEY_NULL: 1986+ { "null", "null", KEY_NULL, 0, 0 },
1981+ return "null"; 1987 { NULL, NULL, -1, -1, 0 }
1982 } 1988 };
1983 return "ssh-unknown";
1984 }
1985@@ -1281,6 +1283,8 @@
1986 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1987 return KEY_ECDSA_CERT;
1988 #endif
1989+ } else if (strcmp(name, "null") == 0) {
1990+ return KEY_NULL;
1991 }
1992 1989
1993 debug2("key_type_from_name: unknown key type '%s'", name);
1994Index: b/key.h 1990Index: b/key.h
1995=================================================================== 1991===================================================================
1996--- a/key.h 1992--- a/key.h
@@ -2007,7 +2003,7 @@ Index: b/monitor.c
2007=================================================================== 2003===================================================================
2008--- a/monitor.c 2004--- a/monitor.c
2009+++ b/monitor.c 2005+++ b/monitor.c
2010@@ -180,6 +180,8 @@ 2006@@ -181,6 +181,8 @@
2011 int mm_answer_gss_accept_ctx(int, Buffer *); 2007 int mm_answer_gss_accept_ctx(int, Buffer *);
2012 int mm_answer_gss_userok(int, Buffer *); 2008 int mm_answer_gss_userok(int, Buffer *);
2013 int mm_answer_gss_checkmic(int, Buffer *); 2009 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2016,7 +2012,7 @@ Index: b/monitor.c
2016 #endif 2012 #endif
2017 2013
2018 #ifdef SSH_AUDIT_EVENTS 2014 #ifdef SSH_AUDIT_EVENTS
2019@@ -252,6 +254,7 @@ 2015@@ -253,6 +255,7 @@
2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2016 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2017 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2018 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2020,7 @@ Index: b/monitor.c
2024 #endif 2020 #endif
2025 #ifdef JPAKE 2021 #ifdef JPAKE
2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2022 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2027@@ -264,6 +267,12 @@ 2023@@ -265,6 +268,12 @@
2028 }; 2024 };
2029 2025
2030 struct mon_table mon_dispatch_postauth20[] = { 2026 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2033,7 @@ Index: b/monitor.c
2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2033 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2034 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2039 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2035 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2040@@ -372,6 +381,10 @@ 2036@@ -373,6 +382,10 @@
2041 /* Permit requests for moduli and signatures */ 2037 /* Permit requests for moduli and signatures */
2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2038 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2039 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2059,7 +2055,7 @@ Index: b/monitor.c
2059 } else { 2055 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2056 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2057 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1836,6 +1853,13 @@ 2058@@ -1855,6 +1872,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2059 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2060 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2061 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2069,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2069 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2070 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2071 kex->kex_type = buffer_get_int(m);
2076@@ -2042,6 +2066,9 @@ 2072@@ -2062,6 +2086,9 @@
2077 OM_uint32 major; 2073 OM_uint32 major;
2078 u_int len; 2074 u_int len;
2079 2075
@@ -2083,7 +2079,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2079 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2080 goid.length = len;
2085 2081
2086@@ -2069,6 +2096,9 @@ 2082@@ -2089,6 +2116,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2083 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2084 u_int len;
2089 2085
@@ -2093,7 +2089,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2089 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2090 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2091 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2086,6 +2116,7 @@ 2092@@ -2106,6 +2136,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2093 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2094 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2095 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2097,7 @@ Index: b/monitor.c
2101 } 2097 }
2102 return (0); 2098 return (0);
2103 } 2099 }
2104@@ -2097,6 +2128,9 @@ 2100@@ -2117,6 +2148,9 @@
2105 OM_uint32 ret; 2101 OM_uint32 ret;
2106 u_int len; 2102 u_int len;
2107 2103
@@ -2111,7 +2107,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2107 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2108 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2109 mic.value = buffer_get_string(m, &len);
2114@@ -2123,7 +2157,11 @@ 2110@@ -2143,7 +2177,11 @@
2115 { 2111 {
2116 int authenticated; 2112 int authenticated;
2117 2113
@@ -2124,7 +2120,7 @@ Index: b/monitor.c
2124 2120
2125 buffer_clear(m); 2121 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2122 buffer_put_int(m, authenticated);
2127@@ -2136,6 +2174,74 @@ 2123@@ -2156,6 +2194,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2124 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2125 return (authenticated);
2130 } 2126 }
@@ -2154,7 +2150,7 @@ Index: b/monitor.c
2154+ } 2150+ }
2155+ major = ssh_gssapi_sign(gsscontext, &data, &hash); 2151+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
2156+ 2152+
2157+ xfree(data.value); 2153+ free(data.value);
2158+ 2154+
2159+ buffer_clear(m); 2155+ buffer_clear(m);
2160+ buffer_put_int(m, major); 2156+ buffer_put_int(m, major);
@@ -2184,9 +2180,9 @@ Index: b/monitor.c
2184+ 2180+
2185+ ok = ssh_gssapi_update_creds(&store); 2181+ ok = ssh_gssapi_update_creds(&store);
2186+ 2182+
2187+ xfree(store.filename); 2183+ free(store.filename);
2188+ xfree(store.envvar); 2184+ free(store.envvar);
2189+ xfree(store.envval); 2185+ free(store.envval);
2190+ 2186+
2191+ buffer_clear(m); 2187+ buffer_clear(m);
2192+ buffer_put_int(m, ok); 2188+ buffer_put_int(m, ok);
@@ -2217,7 +2213,7 @@ Index: b/monitor_wrap.c
2217=================================================================== 2213===================================================================
2218--- a/monitor_wrap.c 2214--- a/monitor_wrap.c
2219+++ b/monitor_wrap.c 2215+++ b/monitor_wrap.c
2220@@ -1271,7 +1271,7 @@ 2216@@ -1273,7 +1273,7 @@
2221 } 2217 }
2222 2218
2223 int 2219 int
@@ -2226,7 +2222,7 @@ Index: b/monitor_wrap.c
2226 { 2222 {
2227 Buffer m; 2223 Buffer m;
2228 int authenticated = 0; 2224 int authenticated = 0;
2229@@ -1288,6 +1288,51 @@ 2225@@ -1290,6 +1290,51 @@
2230 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2226 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2231 return (authenticated); 2227 return (authenticated);
2232 } 2228 }
@@ -2298,7 +2294,7 @@ Index: b/readconf.c
2298=================================================================== 2294===================================================================
2299--- a/readconf.c 2295--- a/readconf.c
2300+++ b/readconf.c 2296+++ b/readconf.c
2301@@ -129,6 +129,8 @@ 2297@@ -132,6 +132,8 @@
2302 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2298 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2303 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2299 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2304 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2300 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2307,7 +2303,7 @@ Index: b/readconf.c
2307 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2303 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2308 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2304 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2309 oHashKnownHosts, 2305 oHashKnownHosts,
2310@@ -169,10 +171,19 @@ 2306@@ -172,10 +174,19 @@
2311 { "afstokenpassing", oUnsupported }, 2307 { "afstokenpassing", oUnsupported },
2312 #if defined(GSSAPI) 2308 #if defined(GSSAPI)
2313 { "gssapiauthentication", oGssAuthentication }, 2309 { "gssapiauthentication", oGssAuthentication },
@@ -2327,7 +2323,7 @@ Index: b/readconf.c
2327 #endif 2323 #endif
2328 { "fallbacktorsh", oDeprecated }, 2324 { "fallbacktorsh", oDeprecated },
2329 { "usersh", oDeprecated }, 2325 { "usersh", oDeprecated },
2330@@ -503,10 +514,30 @@ 2326@@ -516,10 +527,30 @@
2331 intptr = &options->gss_authentication; 2327 intptr = &options->gss_authentication;
2332 goto parse_flag; 2328 goto parse_flag;
2333 2329
@@ -2358,7 +2354,7 @@ Index: b/readconf.c
2358 case oBatchMode: 2354 case oBatchMode:
2359 intptr = &options->batch_mode; 2355 intptr = &options->batch_mode;
2360 goto parse_flag; 2356 goto parse_flag;
2361@@ -1158,7 +1189,12 @@ 2357@@ -1168,7 +1199,12 @@
2362 options->pubkey_authentication = -1; 2358 options->pubkey_authentication = -1;
2363 options->challenge_response_authentication = -1; 2359 options->challenge_response_authentication = -1;
2364 options->gss_authentication = -1; 2360 options->gss_authentication = -1;
@@ -2371,7 +2367,7 @@ Index: b/readconf.c
2371 options->password_authentication = -1; 2367 options->password_authentication = -1;
2372 options->kbd_interactive_authentication = -1; 2368 options->kbd_interactive_authentication = -1;
2373 options->kbd_interactive_devices = NULL; 2369 options->kbd_interactive_devices = NULL;
2374@@ -1258,8 +1294,14 @@ 2370@@ -1268,8 +1304,14 @@
2375 options->challenge_response_authentication = 1; 2371 options->challenge_response_authentication = 1;
2376 if (options->gss_authentication == -1) 2372 if (options->gss_authentication == -1)
2377 options->gss_authentication = 0; 2373 options->gss_authentication = 0;
@@ -2407,7 +2403,7 @@ Index: b/servconf.c
2407=================================================================== 2403===================================================================
2408--- a/servconf.c 2404--- a/servconf.c
2409+++ b/servconf.c 2405+++ b/servconf.c
2410@@ -102,7 +102,10 @@ 2406@@ -107,7 +107,10 @@
2411 options->kerberos_ticket_cleanup = -1; 2407 options->kerberos_ticket_cleanup = -1;
2412 options->kerberos_get_afs_token = -1; 2408 options->kerberos_get_afs_token = -1;
2413 options->gss_authentication=-1; 2409 options->gss_authentication=-1;
@@ -2418,7 +2414,7 @@ Index: b/servconf.c
2418 options->password_authentication = -1; 2414 options->password_authentication = -1;
2419 options->kbd_interactive_authentication = -1; 2415 options->kbd_interactive_authentication = -1;
2420 options->challenge_response_authentication = -1; 2416 options->challenge_response_authentication = -1;
2421@@ -233,8 +236,14 @@ 2417@@ -240,8 +243,14 @@
2422 options->kerberos_get_afs_token = 0; 2418 options->kerberos_get_afs_token = 0;
2423 if (options->gss_authentication == -1) 2419 if (options->gss_authentication == -1)
2424 options->gss_authentication = 0; 2420 options->gss_authentication = 0;
@@ -2433,7 +2429,7 @@ Index: b/servconf.c
2433 if (options->password_authentication == -1) 2429 if (options->password_authentication == -1)
2434 options->password_authentication = 1; 2430 options->password_authentication = 1;
2435 if (options->kbd_interactive_authentication == -1) 2431 if (options->kbd_interactive_authentication == -1)
2436@@ -327,7 +336,9 @@ 2432@@ -338,7 +347,9 @@
2437 sBanner, sUseDNS, sHostbasedAuthentication, 2433 sBanner, sUseDNS, sHostbasedAuthentication,
2438 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2434 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2439 sClientAliveCountMax, sAuthorizedKeysFile, 2435 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2444,7 +2440,7 @@ Index: b/servconf.c
2444 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2440 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2445 sUsePrivilegeSeparation, sAllowAgentForwarding, 2441 sUsePrivilegeSeparation, sAllowAgentForwarding,
2446 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2442 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2447@@ -393,10 +404,20 @@ 2443@@ -405,10 +416,20 @@
2448 #ifdef GSSAPI 2444 #ifdef GSSAPI
2449 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2445 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2450 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2446 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2465,7 +2461,7 @@ Index: b/servconf.c
2465 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2461 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2466 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2462 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2467 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2463 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2468@@ -1049,10 +1070,22 @@ 2464@@ -1073,10 +1094,22 @@
2469 intptr = &options->gss_authentication; 2465 intptr = &options->gss_authentication;
2470 goto parse_flag; 2466 goto parse_flag;
2471 2467
@@ -2488,7 +2484,7 @@ Index: b/servconf.c
2488 case sPasswordAuthentication: 2484 case sPasswordAuthentication:
2489 intptr = &options->password_authentication; 2485 intptr = &options->password_authentication;
2490 goto parse_flag; 2486 goto parse_flag;
2491@@ -1927,7 +1960,10 @@ 2487@@ -1983,7 +2016,10 @@
2492 #endif 2488 #endif
2493 #ifdef GSSAPI 2489 #ifdef GSSAPI
2494 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2490 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2503,7 +2499,7 @@ Index: b/servconf.h
2503=================================================================== 2499===================================================================
2504--- a/servconf.h 2500--- a/servconf.h
2505+++ b/servconf.h 2501+++ b/servconf.h
2506@@ -110,7 +110,10 @@ 2502@@ -111,7 +111,10 @@
2507 int kerberos_get_afs_token; /* If true, try to get AFS token if 2503 int kerberos_get_afs_token; /* If true, try to get AFS token if
2508 * authenticated with Kerberos. */ 2504 * authenticated with Kerberos. */
2509 int gss_authentication; /* If true, permit GSSAPI authentication */ 2505 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2632,7 +2628,7 @@ Index: b/ssh_config.5
2632=================================================================== 2628===================================================================
2633--- a/ssh_config.5 2629--- a/ssh_config.5
2634+++ b/ssh_config.5 2630+++ b/ssh_config.5
2635@@ -530,11 +530,43 @@ 2631@@ -529,11 +529,43 @@
2636 The default is 2632 The default is
2637 .Dq no . 2633 .Dq no .
2638 Note that this option applies to protocol version 2 only. 2634 Note that this option applies to protocol version 2 only.
@@ -2727,14 +2723,14 @@ Index: b/sshconnect2.c
2727+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 2723+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
2728+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 2724+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
2729+ "%s,null", orig); 2725+ "%s,null", orig);
2730+ xfree(gss); 2726+ free(gss);
2731+ } 2727+ }
2732+#endif 2728+#endif
2733+ 2729+
2734 if (options.rekey_limit) 2730 if (options.rekey_limit || options.rekey_interval)
2735 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2731 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2736 2732 (time_t)options.rekey_interval);
2737@@ -207,10 +243,30 @@ 2733@@ -208,10 +244,30 @@
2738 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2734 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2739 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2735 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2740 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2736 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2765,7 +2761,7 @@ Index: b/sshconnect2.c
2765 xxx_kex = kex; 2761 xxx_kex = kex;
2766 2762
2767 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2763 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2768@@ -306,6 +362,7 @@ 2764@@ -307,6 +363,7 @@
2769 void input_gssapi_hash(int type, u_int32_t, void *); 2765 void input_gssapi_hash(int type, u_int32_t, void *);
2770 void input_gssapi_error(int, u_int32_t, void *); 2766 void input_gssapi_error(int, u_int32_t, void *);
2771 void input_gssapi_errtok(int, u_int32_t, void *); 2767 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2773,7 +2769,7 @@ Index: b/sshconnect2.c
2773 #endif 2769 #endif
2774 2770
2775 void userauth(Authctxt *, char *); 2771 void userauth(Authctxt *, char *);
2776@@ -321,6 +378,11 @@ 2772@@ -322,6 +379,11 @@
2777 2773
2778 Authmethod authmethods[] = { 2774 Authmethod authmethods[] = {
2779 #ifdef GSSAPI 2775 #ifdef GSSAPI
@@ -2785,7 +2781,7 @@ Index: b/sshconnect2.c
2785 {"gssapi-with-mic", 2781 {"gssapi-with-mic",
2786 userauth_gssapi, 2782 userauth_gssapi,
2787 NULL, 2783 NULL,
2788@@ -627,19 +689,31 @@ 2784@@ -625,19 +687,31 @@
2789 static u_int mech = 0; 2785 static u_int mech = 0;
2790 OM_uint32 min; 2786 OM_uint32 min;
2791 int ok = 0; 2787 int ok = 0;
@@ -2819,7 +2815,7 @@ Index: b/sshconnect2.c
2819 ok = 1; /* Mechanism works */ 2815 ok = 1; /* Mechanism works */
2820 } else { 2816 } else {
2821 mech++; 2817 mech++;
2822@@ -736,8 +810,8 @@ 2818@@ -734,8 +808,8 @@
2823 { 2819 {
2824 Authctxt *authctxt = ctxt; 2820 Authctxt *authctxt = ctxt;
2825 Gssctxt *gssctxt; 2821 Gssctxt *gssctxt;
@@ -2830,9 +2826,9 @@ Index: b/sshconnect2.c
2830 2826
2831 if (authctxt == NULL) 2827 if (authctxt == NULL)
2832 fatal("input_gssapi_response: no authentication context"); 2828 fatal("input_gssapi_response: no authentication context");
2833@@ -847,6 +921,48 @@ 2829@@ -844,6 +918,48 @@
2834 xfree(msg); 2830 free(msg);
2835 xfree(lang); 2831 free(lang);
2836 } 2832 }
2837+ 2833+
2838+int 2834+int
@@ -2883,7 +2879,7 @@ Index: b/sshd.c
2883=================================================================== 2879===================================================================
2884--- a/sshd.c 2880--- a/sshd.c
2885+++ b/sshd.c 2881+++ b/sshd.c
2886@@ -121,6 +121,10 @@ 2882@@ -122,6 +122,10 @@
2887 #include "ssh-sandbox.h" 2883 #include "ssh-sandbox.h"
2888 #include "version.h" 2884 #include "version.h"
2889 2885
@@ -2894,7 +2890,7 @@ Index: b/sshd.c
2894 #ifdef LIBWRAP 2890 #ifdef LIBWRAP
2895 #include <tcpd.h> 2891 #include <tcpd.h>
2896 #include <syslog.h> 2892 #include <syslog.h>
2897@@ -1645,10 +1649,13 @@ 2893@@ -1703,10 +1707,13 @@
2898 logit("Disabling protocol version 1. Could not load host key"); 2894 logit("Disabling protocol version 1. Could not load host key");
2899 options.protocol &= ~SSH_PROTO_1; 2895 options.protocol &= ~SSH_PROTO_1;
2900 } 2896 }
@@ -2908,7 +2904,7 @@ Index: b/sshd.c
2908 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2904 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2909 logit("sshd: no hostkeys available -- exiting."); 2905 logit("sshd: no hostkeys available -- exiting.");
2910 exit(1); 2906 exit(1);
2911@@ -1976,6 +1983,60 @@ 2907@@ -2035,6 +2042,60 @@
2912 /* Log the connection. */ 2908 /* Log the connection. */
2913 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2909 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2914 2910
@@ -2969,7 +2965,7 @@ Index: b/sshd.c
2969 /* 2965 /*
2970 * We don't want to listen forever unless the other side 2966 * We don't want to listen forever unless the other side
2971 * successfully authenticates itself. So we set up an alarm which is 2967 * successfully authenticates itself. So we set up an alarm which is
2972@@ -2357,6 +2418,48 @@ 2968@@ -2439,6 +2500,48 @@
2973 2969
2974 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2970 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2975 2971
@@ -3018,7 +3014,7 @@ Index: b/sshd.c
3018 /* start key exchange */ 3014 /* start key exchange */
3019 kex = kex_setup(myproposal); 3015 kex = kex_setup(myproposal);
3020 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3016 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3021@@ -2364,6 +2467,13 @@ 3017@@ -2446,6 +2549,13 @@
3022 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3023 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3024 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3036,7 +3032,7 @@ Index: b/sshd_config
3036=================================================================== 3032===================================================================
3037--- a/sshd_config 3033--- a/sshd_config
3038+++ b/sshd_config 3034+++ b/sshd_config
3039@@ -80,6 +80,8 @@ 3035@@ -83,6 +83,8 @@
3040 # GSSAPI options 3036 # GSSAPI options
3041 #GSSAPIAuthentication no 3037 #GSSAPIAuthentication no
3042 #GSSAPICleanupCredentials yes 3038 #GSSAPICleanupCredentials yes
@@ -3049,7 +3045,7 @@ Index: b/sshd_config.5
3049=================================================================== 3045===================================================================
3050--- a/sshd_config.5 3046--- a/sshd_config.5
3051+++ b/sshd_config.5 3047+++ b/sshd_config.5
3052@@ -481,12 +481,40 @@ 3048@@ -484,12 +484,40 @@
3053 The default is 3049 The default is
3054 .Dq no . 3050 .Dq no .
3055 Note that this option applies to protocol version 2 only. 3051 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 98e9f8bdd..a851a91bf 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,30 +12,30 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
12Author: Ian Jackson <ian@chiark.greenend.org.uk> 12Author: Ian Jackson <ian@chiark.greenend.org.uk>
13Author: Matthew Vernon <matthew@debian.org> 13Author: Matthew Vernon <matthew@debian.org>
14Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
15Last-Update: 2013-05-16 15Last-Update: 2013-09-14
16 16
17Index: b/readconf.c 17Index: b/readconf.c
18=================================================================== 18===================================================================
19--- a/readconf.c 19--- a/readconf.c
20+++ b/readconf.c 20+++ b/readconf.c
21@@ -138,6 +138,7 @@ 21@@ -141,6 +141,7 @@
22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
24 oKexAlgorithms, oIPQoS, oRequestTTY, 24 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
25+ oProtocolKeepAlives, oSetupTimeOut, 25+ oProtocolKeepAlives, oSetupTimeOut,
26 oDeprecated, oUnsupported 26 oIgnoredUnknownOption, oDeprecated, oUnsupported
27 } OpCodes; 27 } OpCodes;
28 28
29@@ -259,6 +260,8 @@ 29@@ -263,6 +264,8 @@
30 { "kexalgorithms", oKexAlgorithms },
31 { "ipqos", oIPQoS }, 30 { "ipqos", oIPQoS },
32 { "requesttty", oRequestTTY }, 31 { "requesttty", oRequestTTY },
32 { "ignoreunknown", oIgnoreUnknown },
33+ { "protocolkeepalives", oProtocolKeepAlives }, 33+ { "protocolkeepalives", oProtocolKeepAlives },
34+ { "setuptimeout", oSetupTimeOut }, 34+ { "setuptimeout", oSetupTimeOut },
35 35
36 { NULL, oBadOption } 36 { NULL, oBadOption }
37 }; 37 };
38@@ -933,6 +936,8 @@ 38@@ -939,6 +942,8 @@
39 goto parse_flag; 39 goto parse_flag;
40 40
41 case oServerAliveInterval: 41 case oServerAliveInterval:
@@ -44,8 +44,8 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 44 intptr = &options->server_alive_interval;
45 goto parse_time; 45 goto parse_time;
46 46
47@@ -1392,8 +1397,13 @@ 47@@ -1404,8 +1409,13 @@
48 options->rekey_limit = 0; 48 options->rekey_interval = 0;
49 if (options->verify_host_key_dns == -1) 49 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 50 options->verify_host_key_dns = 0;
51- if (options->server_alive_interval == -1) 51- if (options->server_alive_interval == -1)
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -1113,8 +1117,15 @@ 81@@ -1141,8 +1145,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1153,6 +1164,12 @@ 98@@ -1181,6 +1192,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -1122,6 +1122,9 @@ 115@@ -1161,6 +1161,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 8afabfaba..19ae33b22 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
3 either way and opted to keep the status quo. We need this patch anyway. 3 either way and opted to keep the status quo. We need this patch anyway.
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
6Last-Update: 2013-05-07 6Last-Update: 2013-09-14
7 7
8Index: b/Makefile.in 8Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -293,9 +293,9 @@ 12@@ -296,9 +296,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index fd1b6f9f5..55c277031 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
2Author: Scott Moser <smoser@ubuntu.com> 2Author: Scott Moser <smoser@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
5Last-Update: 2013-05-16 5Last-Update: 2013-09-14
6 6
7Index: b/sshconnect.c 7Index: b/sshconnect.c
8=================================================================== 8===================================================================
9--- a/sshconnect.c 9--- a/sshconnect.c
10+++ b/sshconnect.c 10+++ b/sshconnect.c
11@@ -982,9 +982,12 @@ 11@@ -981,9 +981,12 @@
12 error("%s. This could either mean that", key_msg); 12 error("%s. This could either mean that", key_msg);
13 error("DNS SPOOFING is happening or the IP address for the host"); 13 error("DNS SPOOFING is happening or the IP address for the host");
14 error("and its host key have changed at the same time."); 14 error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
22 } 22 }
23 /* The host key has changed. */ 23 /* The host key has changed. */
24 warn_changed_key(host_key); 24 warn_changed_key(host_key);
25@@ -992,6 +995,8 @@ 25@@ -991,6 +994,8 @@
26 user_hostfiles[0]); 26 user_hostfiles[0]);
27 error("Offending %s key in %s:%lu", key_type(host_found->key), 27 error("Offending %s key in %s:%lu", key_type(host_found->key),
28 host_found->file, host_found->line); 28 host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 48c3ff598..d4eeee6e8 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
6 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 6 https://bugs.launchpad.net/bugs/456660 (ssl(8))
7Author: Colin Watson <cjwatson@debian.org> 7Author: Colin Watson <cjwatson@debian.org>
8Forwarded: not-needed 8Forwarded: not-needed
9Last-Update: 2013-05-07 9Last-Update: 2013-09-14
10 10
11Index: b/moduli.5 11Index: b/moduli.5
12=================================================================== 12===================================================================
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
56 .It Fl a Ar trials 56 .It Fl a Ar trials
57 Specifies the number of primality tests to perform when screening DH-GEX 57 Specifies the number of primality tests to perform when screening DH-GEX
58 candidates using the 58 candidates using the
59@@ -606,7 +602,7 @@ 59@@ -605,7 +601,7 @@
60 Valid generator values are 2, 3, and 5. 60 Valid generator values are 2, 3, and 5.
61 .Pp 61 .Pp
62 Screened DH groups may be installed in 62 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
65 It is important that this file contains moduli of a range of bit lengths and 65 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli. 66 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES 67 .Sh CERTIFICATES
68@@ -801,7 +797,7 @@ 68@@ -800,7 +796,7 @@
69 where the user wishes to log in using public key authentication. 69 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret. 70 There is no need to keep the contents of this file secret.
71 .Pp 71 .Pp
@@ -78,9 +78,9 @@ Index: b/ssh.1
78=================================================================== 78===================================================================
79--- a/ssh.1 79--- a/ssh.1
80+++ b/ssh.1 80+++ b/ssh.1
81@@ -736,6 +736,10 @@ 81@@ -756,6 +756,10 @@
82 .Sx HISTORY 82 but protocol 2 may use any.
83 section of 83 The HISTORY section of
84 .Xr ssl 8 84 .Xr ssl 8
85+(on non-OpenBSD systems, see 85+(on non-OpenBSD systems, see
86+.nh 86+.nh
@@ -93,7 +93,7 @@ Index: b/sshd.8
93=================================================================== 93===================================================================
94--- a/sshd.8 94--- a/sshd.8
95+++ b/sshd.8 95+++ b/sshd.8
96@@ -69,7 +69,7 @@ 96@@ -70,7 +70,7 @@
97 .Nm 97 .Nm
98 listens for connections from clients. 98 listens for connections from clients.
99 It is normally started at boot from 99 It is normally started at boot from
@@ -102,7 +102,7 @@ Index: b/sshd.8
102 It forks a new 102 It forks a new
103 daemon for each incoming connection. 103 daemon for each incoming connection.
104 The forked daemons handle 104 The forked daemons handle
105@@ -858,7 +858,7 @@ 105@@ -859,7 +859,7 @@
106 .Xr ssh 1 ) . 106 .Xr ssh 1 ) .
107 It should only be writable by root. 107 It should only be writable by root.
108 .Pp 108 .Pp
@@ -111,7 +111,7 @@ Index: b/sshd.8
111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
112 The file format is described in 112 The file format is described in
113 .Xr moduli 5 . 113 .Xr moduli 5 .
114@@ -956,7 +956,6 @@ 114@@ -957,7 +957,6 @@
115 .Xr ssh-vulnkey 1 , 115 .Xr ssh-vulnkey 1 ,
116 .Xr chroot 2 , 116 .Xr chroot 2 ,
117 .Xr hosts_access 5 , 117 .Xr hosts_access 5 ,
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
123=================================================================== 123===================================================================
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -276,8 +276,7 @@ 126@@ -283,8 +283,7 @@
127 By default, no banner is displayed. 127 By default, no banner is displayed.
128 .It Cm ChallengeResponseAuthentication 128 .It Cm ChallengeResponseAuthentication
129 Specifies whether challenge-response authentication is allowed (e.g. via 129 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b922a185b..2be45ebf8 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,7 +5,7 @@ Description: Include the Debian version in our identification
5 vulnerable-looking version strings. (However, see debian-banner.patch.) 5 vulnerable-looking version strings. (However, see debian-banner.patch.)
6Author: Matthew Vernon <matthew@debian.org> 6Author: Matthew Vernon <matthew@debian.org>
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2013-05-16 8Last-Update: 2013-09-14
9 9
10Index: b/sshconnect.c 10Index: b/sshconnect.c
11=================================================================== 11===================================================================
@@ -28,7 +28,7 @@ Index: b/sshd.c
28=================================================================== 28===================================================================
29--- a/sshd.c 29--- a/sshd.c
30+++ b/sshd.c 30+++ b/sshd.c
31@@ -434,7 +434,7 @@ 31@@ -440,7 +440,7 @@
32 } 32 }
33 33
34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -42,9 +42,9 @@ Index: b/version.h
42--- a/version.h 42--- a/version.h
43+++ b/version.h 43+++ b/version.h
44@@ -3,4 +3,9 @@ 44@@ -3,4 +3,9 @@
45 #define SSH_VERSION "OpenSSH_6.2" 45 #define SSH_VERSION "OpenSSH_6.3"
46 46
47 #define SSH_PORTABLE "p2" 47 #define SSH_PORTABLE "p1"
48-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 48-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
49+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 49+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
50+#ifdef SSH_EXTRAVERSION 50+#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index f25ff89d0..32f4cfc67 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
12Bug-Debian: http://bugs.debian.org/313371 12Bug-Debian: http://bugs.debian.org/313371
13Last-Update: 2013-05-07 13Last-Update: 2013-09-14
14 14
15Index: b/clientloop.c 15Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1710,8 +1710,10 @@ 19@@ -1717,8 +1717,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index c41c78b3b..f3376c20a 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
5Author: Manoj Srivastava <srivasta@debian.org> 5Author: Manoj Srivastava <srivasta@debian.org>
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7Bug-Debian: http://bugs.debian.org/394795 7Bug-Debian: http://bugs.debian.org/394795
8Last-Update: 2013-05-13 8Last-Update: 2013-09-14
9 9
10Index: b/auth.h 10Index: b/auth.h
11=================================================================== 11===================================================================
@@ -17,13 +17,13 @@ Index: b/auth.h
17 char *style; 17 char *style;
18+ char *role; 18+ char *role;
19 void *kbdintctxt; 19 void *kbdintctxt;
20 char *info; /* Extra info for next auth_log */
20 void *jpake_ctx; 21 void *jpake_ctx;
21 #ifdef BSD_AUTH
22Index: b/auth1.c 22Index: b/auth1.c
23=================================================================== 23===================================================================
24--- a/auth1.c 24--- a/auth1.c
25+++ b/auth1.c 25+++ b/auth1.c
26@@ -385,7 +385,7 @@ 26@@ -380,7 +380,7 @@
27 do_authentication(Authctxt *authctxt) 27 do_authentication(Authctxt *authctxt)
28 { 28 {
29 u_int ulen; 29 u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
32 32
33 /* Get the name of the user that we wish to log in as. */ 33 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 34 packet_read_expect(SSH_CMSG_USER);
35@@ -394,11 +394,17 @@ 35@@ -389,11 +389,17 @@
36 user = packet_get_cstring(&ulen); 36 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 37 packet_check_eom();
38 38
@@ -54,7 +54,7 @@ Index: b/auth2.c
54=================================================================== 54===================================================================
55--- a/auth2.c 55--- a/auth2.c
56+++ b/auth2.c 56+++ b/auth2.c
57@@ -219,7 +219,7 @@ 57@@ -222,7 +222,7 @@
58 { 58 {
59 Authctxt *authctxt = ctxt; 59 Authctxt *authctxt = ctxt;
60 Authmethod *m = NULL; 60 Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
63 int authenticated = 0; 63 int authenticated = 0;
64 64
65 if (authctxt == NULL) 65 if (authctxt == NULL)
66@@ -231,8 +231,13 @@ 66@@ -234,8 +234,13 @@
67 debug("userauth-request for user %s service %s method %s", user, service, method); 67 debug("userauth-request for user %s service %s method %s", user, service, method);
68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69 69
@@ -77,7 +77,7 @@ Index: b/auth2.c
77 77
78 if (authctxt->attempt++ == 0) { 78 if (authctxt->attempt++ == 0) {
79 /* setup auth context */ 79 /* setup auth context */
80@@ -256,8 +261,9 @@ 80@@ -259,8 +264,9 @@
81 use_privsep ? " [net]" : ""); 81 use_privsep ? " [net]" : "");
82 authctxt->service = xstrdup(service); 82 authctxt->service = xstrdup(service);
83 authctxt->style = style ? xstrdup(style) : NULL; 83 authctxt->style = style ? xstrdup(style) : NULL;
@@ -92,7 +92,7 @@ Index: b/monitor.c
92=================================================================== 92===================================================================
93--- a/monitor.c 93--- a/monitor.c
94+++ b/monitor.c 94+++ b/monitor.c
95@@ -145,6 +145,7 @@ 95@@ -146,6 +146,7 @@
96 int mm_answer_pwnamallow(int, Buffer *); 96 int mm_answer_pwnamallow(int, Buffer *);
97 int mm_answer_auth2_read_banner(int, Buffer *); 97 int mm_answer_auth2_read_banner(int, Buffer *);
98 int mm_answer_authserv(int, Buffer *); 98 int mm_answer_authserv(int, Buffer *);
@@ -100,7 +100,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 100 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 101 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 102 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -226,6 +227,7 @@ 103@@ -227,6 +228,7 @@
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -837,6 +839,7 @@ 111@@ -844,6 +846,7 @@
112 else { 112 else {
113 /* Allow service/style information on the auth context */ 113 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 117 }
118 #ifdef USE_PAM 118 #ifdef USE_PAM
119@@ -869,14 +872,37 @@ 119@@ -874,14 +877,37 @@
120 120
121 authctxt->service = buffer_get_string(m, NULL); 121 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 122 authctxt->style = buffer_get_string(m, NULL);
@@ -127,12 +127,12 @@ Index: b/monitor.c
127+ __func__, authctxt->service, authctxt->style, authctxt->role); 127+ __func__, authctxt->service, authctxt->style, authctxt->role);
128 128
129 if (strlen(authctxt->style) == 0) { 129 if (strlen(authctxt->style) == 0) {
130 xfree(authctxt->style); 130 free(authctxt->style);
131 authctxt->style = NULL; 131 authctxt->style = NULL;
132 } 132 }
133 133
134+ if (strlen(authctxt->role) == 0) { 134+ if (strlen(authctxt->role) == 0) {
135+ xfree(authctxt->role); 135+ free(authctxt->role);
136+ authctxt->role = NULL; 136+ authctxt->role = NULL;
137+ } 137+ }
138+ 138+
@@ -149,14 +149,14 @@ Index: b/monitor.c
149+ __func__, authctxt->role); 149+ __func__, authctxt->role);
150+ 150+
151+ if (strlen(authctxt->role) == 0) { 151+ if (strlen(authctxt->role) == 0) {
152+ xfree(authctxt->role); 152+ free(authctxt->role);
153+ authctxt->role = NULL; 153+ authctxt->role = NULL;
154+ } 154+ }
155+ 155+
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1471,7 +1497,7 @@ 159@@ -1486,7 +1512,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 161 if (res == 0)
162 goto error; 162 goto error;
@@ -182,7 +182,7 @@ Index: b/monitor_wrap.c
182=================================================================== 182===================================================================
183--- a/monitor_wrap.c 183--- a/monitor_wrap.c
184+++ b/monitor_wrap.c 184+++ b/monitor_wrap.c
185@@ -318,10 +318,10 @@ 185@@ -320,10 +320,10 @@
186 return (banner); 186 return (banner);
187 } 187 }
188 188
@@ -195,7 +195,7 @@ Index: b/monitor_wrap.c
195 { 195 {
196 Buffer m; 196 Buffer m;
197 197
198@@ -330,11 +330,29 @@ 198@@ -332,11 +332,29 @@
199 buffer_init(&m); 199 buffer_init(&m);
200 buffer_put_cstring(&m, service); 200 buffer_put_cstring(&m, service);
201 buffer_put_cstring(&m, style ? style : ""); 201 buffer_put_cstring(&m, style ? style : "");
@@ -284,7 +284,7 @@ Index: b/openbsd-compat/port-linux.c
284 #endif 284 #endif
285 285
286 if (r != 0) { 286 if (r != 0) {
287@@ -107,7 +120,7 @@ 287@@ -105,7 +118,7 @@
288 288
289 /* Set the execution context to the default for the specified user */ 289 /* Set the execution context to the default for the specified user */
290 void 290 void
@@ -293,7 +293,7 @@ Index: b/openbsd-compat/port-linux.c
293 { 293 {
294 security_context_t user_ctx = NULL; 294 security_context_t user_ctx = NULL;
295 295
296@@ -116,7 +129,7 @@ 296@@ -114,7 +127,7 @@
297 297
298 debug3("%s: setting execution context", __func__); 298 debug3("%s: setting execution context", __func__);
299 299
@@ -302,7 +302,7 @@ Index: b/openbsd-compat/port-linux.c
302 if (setexeccon(user_ctx) != 0) { 302 if (setexeccon(user_ctx) != 0) {
303 switch (security_getenforce()) { 303 switch (security_getenforce()) {
304 case -1: 304 case -1:
305@@ -138,7 +151,7 @@ 305@@ -136,7 +149,7 @@
306 306
307 /* Set the TTY context for the specified user */ 307 /* Set the TTY context for the specified user */
308 void 308 void
@@ -311,7 +311,7 @@ Index: b/openbsd-compat/port-linux.c
311 { 311 {
312 security_context_t new_tty_ctx = NULL; 312 security_context_t new_tty_ctx = NULL;
313 security_context_t user_ctx = NULL; 313 security_context_t user_ctx = NULL;
314@@ -149,7 +162,7 @@ 314@@ -147,7 +160,7 @@
315 315
316 debug3("%s: setting TTY context on %s", __func__, tty); 316 debug3("%s: setting TTY context on %s", __func__, tty);
317 317
@@ -392,7 +392,7 @@ Index: b/session.c
392 392
393 if (options.chroot_directory != NULL && 393 if (options.chroot_directory != NULL &&
394 strcasecmp(options.chroot_directory, "none") != 0) { 394 strcasecmp(options.chroot_directory, "none") != 0) {
395@@ -1633,7 +1633,7 @@ 395@@ -1646,7 +1646,7 @@
396 396
397 /* Force a password change */ 397 /* Force a password change */
398 if (s->authctxt->force_pwchange) { 398 if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
401 child_close_fds(); 401 child_close_fds();
402 do_pwchange(s); 402 do_pwchange(s);
403 exit(1); 403 exit(1);
404@@ -1660,7 +1660,7 @@ 404@@ -1673,7 +1673,7 @@
405 /* When PAM is enabled we rely on it to do the nologin check */ 405 /* When PAM is enabled we rely on it to do the nologin check */
406 if (!options.use_pam) 406 if (!options.use_pam)
407 do_nologin(pw); 407 do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
410 /* 410 /*
411 * PAM session modules in do_setusercontext may have 411 * PAM session modules in do_setusercontext may have
412 * generated messages, so if this in an interactive 412 * generated messages, so if this in an interactive
413@@ -2072,7 +2072,7 @@ 413@@ -2084,7 +2084,7 @@
414 tty_parse_modes(s->ttyfd, &n_bytes); 414 tty_parse_modes(s->ttyfd, &n_bytes);
415 415
416 if (!use_privsep) 416 if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
436=================================================================== 436===================================================================
437--- a/sshd.c 437--- a/sshd.c
438+++ b/sshd.c 438+++ b/sshd.c
439@@ -745,7 +745,7 @@ 439@@ -753,7 +753,7 @@
440 RAND_seed(rnd, sizeof(rnd)); 440 RAND_seed(rnd, sizeof(rnd));
441 441
442 /* Drop privileges */ 442 /* Drop privileges */
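Review bot: In the refreshed monitor.c hunks of selinux-role.patch, the two added blocks that turn an empty role into NULL (`if (strlen(authctxt->role) == 0) { free(authctxt->role); authctxt->role = NULL; }`) have no comment saying where the string comes from. Nothing on the visible lines bounds or checks it before it is passed to `debug3` and kept on the auth context. Judging by the neighbouring `buffer_get_string(m, NULL)` reads for service and style, the role presumably arrives in a monitor request from the unprivileged side, so it is worth recording that it is untrusted input, for example `/* role is requested by the unprivileged child; "" means none was given */` above each block. The same normalisation is repeated in both handlers, so any later length or character check would have to be added in both places. Both handler bodies start and end outside the lines shown here, so such a check may already exist in the part that is not visible.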
diff --git a/debian/patches/series b/debian/patches/series
index 0e43d9fe9..f5c2ebb52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,7 +26,6 @@ shell-path.patch
26dnssec-sshfp.patch 26dnssec-sshfp.patch
27auth-log-verbosity.patch 27auth-log-verbosity.patch
28mention-ssh-keygen-on-keychange.patch 28mention-ssh-keygen-on-keychange.patch
29ssh-copy-id-portable.patch
30 29
31# Versioning 30# Versioning
32package-versioning.patch 31package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index d4cbc3e5f..a1c6efc8d 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
6Bug-Debian: http://bugs.debian.org/492728 6Bug-Debian: http://bugs.debian.org/492728
7Last-Update: 2013-05-16 7Last-Update: 2013-09-14
8 8
9Index: b/sshconnect.c 9Index: b/sshconnect.c
10=================================================================== 10===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1299,7 +1299,7 @@ 22@@ -1298,7 +1298,7 @@
23 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 42bee0739..3311a797c 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,13 +1,13 @@
1Description: Support synchronisation with service supervisor using SIGSTOP 1Description: Support synchronisation with service supervisor using SIGSTOP
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Forwarded: no 3Forwarded: no
4Last-Update: 2013-08-12 4Last-Update: 2013-09-14
5 5
6Index: b/sshd.c 6Index: b/sshd.c
7=================================================================== 7===================================================================
8--- a/sshd.c 8--- a/sshd.c
9+++ b/sshd.c 9+++ b/sshd.c
10@@ -1855,6 +1855,10 @@ 10@@ -1914,6 +1914,10 @@
11 } 11 }
12 } 12 }
13 13
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 6f4a3cd9a..28d144221 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
5 manual page from ssh(1). 5 manual page from ssh(1).
6Bug-Debian: http://bugs.debian.org/111341 6Bug-Debian: http://bugs.debian.org/111341
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2013-05-07 8Last-Update: 2013-09-14
9 9
10Index: b/ssh.1 10Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1433,6 +1433,7 @@ 14@@ -1451,6 +1451,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-copy-id-portable.patch b/debian/patches/ssh-copy-id-portable.patch
deleted file mode 100644
index 9583eab4b..000000000
--- a/debian/patches/ssh-copy-id-portable.patch
+++ /dev/null
@@ -1,20 +0,0 @@
1Description: Fix non-portable shell in ssh-copy-id
2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
4Bug-Debian: http://bugs.debian.org/711162
5Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
6Last-Update: 2013-06-05
7
8Index: b/contrib/ssh-copy-id
9===================================================================
10--- a/contrib/ssh-copy-id
11+++ b/contrib/ssh-copy-id
12@@ -165,7 +165,7 @@
13
14 eval set -- "$SAVEARGS"
15
16-if [ $# == 0 ] ; then
17+if [ $# = 0 ] ; then
18 usage
19 fi
20 if [ $# != 1 ] ; then
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 03d6f15d9..a56911290 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
8 See CVE-2008-0166. 8 See CVE-2008-0166.
9Author: Colin Watson <cjwatson@ubuntu.com> 9Author: Colin Watson <cjwatson@ubuntu.com>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2013-05-16 11Last-Update: 2013-09-14
12 12
13Index: b/Makefile.in 13Index: b/Makefile.in
14=================================================================== 14===================================================================
@@ -52,7 +52,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
53 53
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -174,6 +176,9 @@ 55@@ -176,6 +178,9 @@
56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 58
@@ -62,7 +62,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -269,6 +274,7 @@ 65@@ -272,6 +277,7 @@
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -283,6 +289,7 @@ 73@@ -286,6 +292,7 @@
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -364,6 +371,7 @@ 81@@ -367,6 +374,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -376,6 +384,7 @@ 89@@ -379,6 +387,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,8 +111,8 @@ Index: b/auth-rsa.c
111=================================================================== 111===================================================================
112--- a/auth-rsa.c 112--- a/auth-rsa.c
113+++ b/auth-rsa.c 113+++ b/auth-rsa.c
114@@ -233,7 +233,7 @@ 114@@ -237,7 +237,7 @@
115 file, linenum, BN_num_bits(key->rsa->n), bits); 115 free(fp);
116 116
117 /* Never accept a revoked key */ 117 /* Never accept a revoked key */
118- if (auth_key_is_revoked(key)) 118- if (auth_key_is_revoked(key))
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -635,10 +636,34 @@ 135@@ -657,10 +658,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -151,7 +151,7 @@ Index: b/auth.c
151+ logit("Public key %s from %s blacklisted (see " 151+ logit("Public key %s from %s blacklisted (see "
152+ "ssh-vulnkey(1)); continuing anyway", 152+ "ssh-vulnkey(1)); continuing anyway",
153+ key_fp, get_remote_ipaddr()); 153+ key_fp, get_remote_ipaddr());
154+ xfree(key_fp); 154+ free(key_fp);
155+ } else { 155+ } else {
156+ if (hostkey) 156+ if (hostkey)
157+ error("Host key %s blacklisted (see " 157+ error("Host key %s blacklisted (see "
@@ -160,7 +160,7 @@ Index: b/auth.c
160+ logit("Public key %s from %s blacklisted (see " 160+ logit("Public key %s from %s blacklisted (see "
161+ "ssh-vulnkey(1))", 161+ "ssh-vulnkey(1))",
162+ key_fp, get_remote_ipaddr()); 162+ key_fp, get_remote_ipaddr());
163+ xfree(key_fp); 163+ free(key_fp);
164+ return 1; 164+ return 1;
165+ } 165+ }
166+ } 166+ }
@@ -172,7 +172,7 @@ Index: b/auth.h
172=================================================================== 172===================================================================
173--- a/auth.h 173--- a/auth.h
174+++ b/auth.h 174+++ b/auth.h
175@@ -185,7 +185,7 @@ 175@@ -191,7 +191,7 @@
176 176
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 178 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,7 +185,7 @@ Index: b/auth2-hostbased.c
185=================================================================== 185===================================================================
186--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
188@@ -146,7 +146,7 @@ 188@@ -150,7 +150,7 @@
189 int len; 189 int len;
190 char *fp; 190 char *fp;
191 191
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
198=================================================================== 198===================================================================
199--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
201@@ -608,9 +608,10 @@ 201@@ -647,9 +647,10 @@
202 u_int success, i; 202 u_int success, i;
203 char *file; 203 char *file;
204 204
@@ -223,7 +223,7 @@ Index: b/authfile.c
223 223
224 #define MAX_KEY_FILE_SIZE (1024 * 1024) 224 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 225
226@@ -944,3 +945,140 @@ 226@@ -944,3 +945,139 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
@@ -316,10 +316,9 @@ Index: b/authfile.c
316+ } 316+ }
317+ 317+
318+out: 318+out:
319+ if (dgst_packed) 319+ free(dgst_packed);
320+ xfree(dgst_packed);
321+ if (ret != 1 && dgst_hex) { 320+ if (ret != 1 && dgst_hex) {
322+ xfree(dgst_hex); 321+ free(dgst_hex);
323+ dgst_hex = NULL; 322+ dgst_hex = NULL;
324+ } 323+ }
325+ if (fp) 324+ if (fp)
@@ -347,7 +346,7 @@ Index: b/authfile.c
347+ xasprintf(&blacklist_file, "%s.%s-%u", 346+ xasprintf(&blacklist_file, "%s.%s-%u",
348+ _PATH_BLACKLIST, key_type(public), key_size(public)); 347+ _PATH_BLACKLIST, key_type(public), key_size(public));
349+ ret = blacklisted_key_in_file(public, blacklist_file, fp); 348+ ret = blacklisted_key_in_file(public, blacklist_file, fp);
350+ xfree(blacklist_file); 349+ free(blacklist_file);
351+ if (ret > 0) { 350+ if (ret > 0) {
352+ key_free(public); 351+ key_free(public);
353+ return ret; 352+ return ret;
@@ -356,7 +355,7 @@ Index: b/authfile.c
356+ xasprintf(&blacklist_file, "%s.%s-%u", 355+ xasprintf(&blacklist_file, "%s.%s-%u",
357+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); 356+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
358+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp); 357+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
359+ xfree(blacklist_file); 358+ free(blacklist_file);
360+ if (ret2 > ret) 359+ if (ret2 > ret)
361+ ret = ret2; 360+ ret = ret2;
362+ 361+
@@ -404,7 +403,7 @@ Index: b/readconf.c
404=================================================================== 403===================================================================
405--- a/readconf.c 404--- a/readconf.c
406+++ b/readconf.c 405+++ b/readconf.c
407@@ -125,6 +125,7 @@ 406@@ -128,6 +128,7 @@
408 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 407 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
409 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 408 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
410 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 409 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +411,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 411 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 412 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 413 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -158,6 +159,7 @@ 414@@ -161,6 +162,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 415 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 416 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 417 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +419,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 419 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 420 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 421 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -510,6 +512,10 @@ 422@@ -523,6 +525,10 @@
424 intptr = &options->challenge_response_authentication; 423 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 424 goto parse_flag;
426 425
@@ -431,7 +430,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 430 case oGssAuthentication:
432 intptr = &options->gss_authentication; 431 intptr = &options->gss_authentication;
433 goto parse_flag; 432 goto parse_flag;
434@@ -1200,6 +1206,7 @@ 433@@ -1210,6 +1216,7 @@
435 options->kbd_interactive_devices = NULL; 434 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 435 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 436 options->hostbased_authentication = -1;
@@ -439,7 +438,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 438 options->batch_mode = -1;
440 options->check_host_ip = -1; 439 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 440 options->strict_host_key_checking = -1;
442@@ -1310,6 +1317,8 @@ 441@@ -1320,6 +1327,8 @@
443 options->rhosts_rsa_authentication = 0; 442 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 443 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 444 options->hostbased_authentication = 0;
@@ -464,7 +463,7 @@ Index: b/servconf.c
464=================================================================== 463===================================================================
465--- a/servconf.c 464--- a/servconf.c
466+++ b/servconf.c 465+++ b/servconf.c
467@@ -109,6 +109,7 @@ 466@@ -114,6 +114,7 @@
468 options->password_authentication = -1; 467 options->password_authentication = -1;
469 options->kbd_interactive_authentication = -1; 468 options->kbd_interactive_authentication = -1;
470 options->challenge_response_authentication = -1; 469 options->challenge_response_authentication = -1;
@@ -472,7 +471,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 471 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 472 options->permit_user_env = -1;
474 options->use_login = -1; 473 options->use_login = -1;
475@@ -250,6 +251,8 @@ 474@@ -257,6 +258,8 @@
476 options->kbd_interactive_authentication = 0; 475 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 476 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 477 options->challenge_response_authentication = 1;
@@ -481,16 +480,16 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 480 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 481 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 482 if (options->permit_user_env == -1)
484@@ -327,7 +330,7 @@ 483@@ -338,7 +341,7 @@
485 sListenAddress, sAddressFamily, 484 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 485 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 486 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
488- sStrictModes, sEmptyPasswd, sTCPKeepAlive, 487- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
489+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 488+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 489 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 490 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 491 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -439,6 +442,7 @@ 492@@ -451,6 +454,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 493 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 494 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 495 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +497,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 497 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 498 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 499 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1134,6 +1138,10 @@ 500@@ -1158,6 +1162,10 @@
502 intptr = &options->tcp_keep_alive; 501 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 502 goto parse_flag;
504 503
@@ -509,7 +508,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 508 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 509 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 510 goto parse_flag;
512@@ -1980,6 +1988,7 @@ 511@@ -2036,6 +2044,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 512 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 513 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 514 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +520,7 @@ Index: b/servconf.h
521=================================================================== 520===================================================================
522--- a/servconf.h 521--- a/servconf.h
523+++ b/servconf.h 522+++ b/servconf.h
524@@ -120,6 +120,7 @@ 523@@ -121,6 +121,7 @@
525 int challenge_response_authentication; 524 int challenge_response_authentication;
526 int zero_knowledge_password_authentication; 525 int zero_knowledge_password_authentication;
527 /* If true, permit jpake auth */ 526 /* If true, permit jpake auth */
@@ -572,9 +571,9 @@ Index: b/ssh-add.c
572+ if (blacklisted_key(private, &fp) == 1) { 571+ if (blacklisted_key(private, &fp) == 1) {
573+ fprintf(stderr, "Public key %s blacklisted (see " 572+ fprintf(stderr, "Public key %s blacklisted (see "
574+ "ssh-vulnkey(1)); refusing to add it\n", fp); 573+ "ssh-vulnkey(1)); refusing to add it\n", fp);
575+ xfree(fp); 574+ free(fp);
576+ key_free(private); 575+ key_free(private);
577+ xfree(comment); 576+ free(comment);
578+ return -1; 577+ return -1;
579+ } 578+ }
580 579
@@ -584,7 +583,7 @@ Index: b/ssh-keygen.1
584=================================================================== 583===================================================================
585--- a/ssh-keygen.1 584--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 585+++ b/ssh-keygen.1
587@@ -810,6 +810,7 @@ 586@@ -809,6 +809,7 @@
588 .Xr ssh 1 , 587 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 588 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 589 .Xr ssh-agent 1 ,
@@ -843,7 +842,7 @@ Index: b/ssh-vulnkey.c
843=================================================================== 842===================================================================
844--- /dev/null 843--- /dev/null
845+++ b/ssh-vulnkey.c 844+++ b/ssh-vulnkey.c
846@@ -0,0 +1,387 @@ 845@@ -0,0 +1,386 @@
847+/* 846+/*
848+ * Copyright (c) 2008 Canonical Ltd. All rights reserved. 847+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
849+ * 848+ *
@@ -940,7 +939,7 @@ Index: b/ssh-vulnkey.c
940+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg, 939+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
941+ key_type(key), key_size(key), fp, comment); 940+ key_type(key), key_size(key), fp, comment);
942+ } 941+ }
943+ xfree(fp); 942+ free(fp);
944+} 943+}
945+ 944+
946+static int 945+static int
@@ -1093,8 +1092,7 @@ Index: b/ssh-vulnkey.c
1093+ ret = 0; 1092+ ret = 0;
1094+ found = 1; 1093+ found = 1;
1095+ } 1094+ }
1096+ if (comment) 1095+ free(comment);
1097+ xfree(comment);
1098+ } 1096+ }
1099+ 1097+
1100+ return ret; 1098+ return ret;
@@ -1128,12 +1126,12 @@ Index: b/ssh-vulnkey.c
1128+ for (i = 0; default_files[i]; i++) { 1126+ for (i = 0; default_files[i]; i++) {
1129+ xasprintf(&file, "%s/%s", dir, default_files[i]); 1127+ xasprintf(&file, "%s/%s", dir, default_files[i]);
1130+ if (stat(file, &st) < 0 && errno == ENOENT) { 1128+ if (stat(file, &st) < 0 && errno == ENOENT) {
1131+ xfree(file); 1129+ free(file);
1132+ continue; 1130+ continue;
1133+ } 1131+ }
1134+ if (!do_filename(file, 0)) 1132+ if (!do_filename(file, 0))
1135+ ret = 0; 1133+ ret = 0;
1136+ xfree(file); 1134+ free(file);
1137+ } 1135+ }
1138+ 1136+
1139+ return ret; 1137+ return ret;
@@ -1235,7 +1233,7 @@ Index: b/ssh.1
1235=================================================================== 1233===================================================================
1236--- a/ssh.1 1234--- a/ssh.1
1237+++ b/ssh.1 1235+++ b/ssh.1
1238@@ -1429,6 +1429,7 @@ 1236@@ -1447,6 +1447,7 @@
1239 .Xr ssh-agent 1 , 1237 .Xr ssh-agent 1 ,
1240 .Xr ssh-keygen 1 , 1238 .Xr ssh-keygen 1 ,
1241 .Xr ssh-keyscan 1 , 1239 .Xr ssh-keyscan 1 ,
@@ -1247,7 +1245,7 @@ Index: b/ssh.c
1247=================================================================== 1245===================================================================
1248--- a/ssh.c 1246--- a/ssh.c
1249+++ b/ssh.c 1247+++ b/ssh.c
1250@@ -1492,7 +1492,7 @@ 1248@@ -1525,7 +1525,7 @@
1251 static void 1249 static void
1252 load_public_identity_files(void) 1250 load_public_identity_files(void)
1253 { 1251 {
@@ -1256,7 +1254,7 @@ Index: b/ssh.c
1256 char *pwdir = NULL, *pwname = NULL; 1254 char *pwdir = NULL, *pwname = NULL;
1257 int i = 0; 1255 int i = 0;
1258 Key *public; 1256 Key *public;
1259@@ -1550,6 +1550,22 @@ 1257@@ -1583,6 +1583,22 @@
1260 public = key_load_public(filename, NULL); 1258 public = key_load_public(filename, NULL);
1261 debug("identity file %s type %d", filename, 1259 debug("identity file %s type %d", filename,
1262 public ? public->type : -1); 1260 public ? public->type : -1);
@@ -1268,22 +1266,22 @@ Index: b/ssh.c
1268+ logit("Public key %s blacklisted (see " 1266+ logit("Public key %s blacklisted (see "
1269+ "ssh-vulnkey(1)); refusing to send it", 1267+ "ssh-vulnkey(1)); refusing to send it",
1270+ fp); 1268+ fp);
1271+ xfree(fp); 1269+ free(fp);
1272+ if (!options.use_blacklisted_keys) { 1270+ if (!options.use_blacklisted_keys) {
1273+ key_free(public); 1271+ key_free(public);
1274+ xfree(filename); 1272+ free(filename);
1275+ filename = NULL; 1273+ filename = NULL;
1276+ public = NULL; 1274+ public = NULL;
1277+ } 1275+ }
1278+ } 1276+ }
1279 xfree(options.identity_files[i]); 1277 free(options.identity_files[i]);
1280 identity_files[n_ids] = filename; 1278 identity_files[n_ids] = filename;
1281 identity_keys[n_ids] = public; 1279 identity_keys[n_ids] = public;
1282Index: b/ssh_config.5 1280Index: b/ssh_config.5
1283=================================================================== 1281===================================================================
1284--- a/ssh_config.5 1282--- a/ssh_config.5
1285+++ b/ssh_config.5 1283+++ b/ssh_config.5
1286@@ -1201,6 +1201,23 @@ 1284@@ -1229,6 +1229,23 @@
1287 .Dq any . 1285 .Dq any .
1288 The default is 1286 The default is
1289 .Dq any:any . 1287 .Dq any:any .
@@ -1320,7 +1318,7 @@ Index: b/sshconnect2.c
1320 key = options.identity_keys[i]; 1318 key = options.identity_keys[i];
1321 if (key && key->type == KEY_RSA1) 1319 if (key && key->type == KEY_RSA1)
1322 continue; 1320 continue;
1323@@ -1609,7 +1611,7 @@ 1321@@ -1608,7 +1610,7 @@
1324 debug("Offering %s public key: %s", key_type(id->key), 1322 debug("Offering %s public key: %s", key_type(id->key),
1325 id->filename); 1323 id->filename);
1326 sent = send_pubkey_test(authctxt, id); 1324 sent = send_pubkey_test(authctxt, id);
@@ -1333,7 +1331,7 @@ Index: b/sshd.8
1333=================================================================== 1331===================================================================
1334--- a/sshd.8 1332--- a/sshd.8
1335+++ b/sshd.8 1333+++ b/sshd.8
1336@@ -953,6 +953,7 @@ 1334@@ -954,6 +954,7 @@
1337 .Xr ssh-agent 1 , 1335 .Xr ssh-agent 1 ,
1338 .Xr ssh-keygen 1 , 1336 .Xr ssh-keygen 1 ,
1339 .Xr ssh-keyscan 1 , 1337 .Xr ssh-keyscan 1 ,
@@ -1345,23 +1343,23 @@ Index: b/sshd.c
1345=================================================================== 1343===================================================================
1346--- a/sshd.c 1344--- a/sshd.c
1347+++ b/sshd.c 1345+++ b/sshd.c
1348@@ -1631,6 +1631,11 @@ 1346@@ -1688,6 +1688,11 @@
1349 sensitive_data.host_keys[i] = NULL; 1347 sensitive_data.host_pubkeys[i] = NULL;
1350 continue; 1348 continue;
1351 } 1349 }
1352+ if (auth_key_is_revoked(key, 1)) { 1350+ if (auth_key_is_revoked(key != NULL ? key : pubkey, 1)) {
1353+ key_free(key);
1354+ sensitive_data.host_keys[i] = NULL; 1351+ sensitive_data.host_keys[i] = NULL;
1352+ sensitive_data.host_pubkeys[i] = NULL;
1355+ continue; 1353+ continue;
1356+ } 1354+ }
1357 switch (key->type) { 1355
1356 switch (keytype) {
1358 case KEY_RSA1: 1357 case KEY_RSA1:
1359 sensitive_data.ssh1_host_key = key;
1360Index: b/sshd_config.5 1358Index: b/sshd_config.5
1361=================================================================== 1359===================================================================
1362--- a/sshd_config.5 1360--- a/sshd_config.5
1363+++ b/sshd_config.5 1361+++ b/sshd_config.5
1364@@ -870,6 +870,20 @@ 1362@@ -885,6 +885,20 @@
1365 Specifies whether password authentication is allowed. 1363 Specifies whether password authentication is allowed.
1366 The default is 1364 The default is
1367 .Dq yes . 1365 .Dq yes .
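Review bot: In the sshd.c hunk of ssh-vulnkey.patch, the refreshed blacklist branch sets `sensitive_data.host_keys[i]` and `sensitive_data.host_pubkeys[i]` to NULL without releasing either key, whereas the previous version of the hunk called `key_free(key)` before dropping the pointer. The enclosing loop starts and ends outside the hunk, so this is inferred, but if nothing else owns those objects a rejected host key's private material stays allocated and unreachable for the life of the daemon. I would release both before the assignments: `if (key != NULL) key_free(key);` and `if (pubkey != NULL) key_free(pubkey);`. The guards are needed because `key` can be NULL on this path, as the `key != NULL ? key : pubkey` argument shows, and `pubkey` is not checked in the visible lines.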
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 87211e8a3..de61e1dd9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,13 +1,13 @@
1Description: Partial server keep-alive implementation for SSH1 1Description: Partial server keep-alive implementation for SSH1
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
4Last-Update: 2013-05-07 4Last-Update: 2013-09-14
5 5
6Index: b/clientloop.c 6Index: b/clientloop.c
7=================================================================== 7===================================================================
8--- a/clientloop.c 8--- a/clientloop.c
9+++ b/clientloop.c 9+++ b/clientloop.c
10@@ -565,16 +565,21 @@ 10@@ -563,16 +563,21 @@
11 static void 11 static void
12 server_alive_check(void) 12 server_alive_check(void)
13 { 13 {
@@ -38,20 +38,20 @@ Index: b/clientloop.c
38 } 38 }
39 39
40 /* 40 /*
41@@ -636,7 +641,7 @@ 41@@ -634,7 +639,7 @@
42 */ 42 */
43 43
44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
45- if (options.server_alive_interval > 0 && compat20) 45- if (options.server_alive_interval > 0 && compat20) {
46+ if (options.server_alive_interval > 0) 46+ if (options.server_alive_interval > 0) {
47 timeout_secs = options.server_alive_interval; 47 timeout_secs = options.server_alive_interval;
48 set_control_persist_exit_time(); 48 server_alive_time = now + options.server_alive_interval;
49 if (control_persist_exit_time > 0) { 49 }
50Index: b/ssh_config.5 50Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1102,7 +1102,10 @@ 54@@ -1130,7 +1130,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2bac7c8cb..f8be76c89 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -8,13 +8,13 @@ Description: "LogLevel SILENT" compatibility
8Author: Jonathan David Amery <jdamery@ysolde.ucam.org> 8Author: Jonathan David Amery <jdamery@ysolde.ucam.org>
9Author: Matthew Vernon <matthew@debian.org> 9Author: Matthew Vernon <matthew@debian.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Last-Update: 2013-05-16 11Last-Update: 2013-09-14
12 12
13Index: b/log.c 13Index: b/log.c
14=================================================================== 14===================================================================
15--- a/log.c 15--- a/log.c
16+++ b/log.c 16+++ b/log.c
17@@ -92,6 +92,7 @@ 17@@ -94,6 +94,7 @@
18 LogLevel val; 18 LogLevel val;
19 } log_levels[] = 19 } log_levels[] =
20 { 20 {
@@ -26,7 +26,7 @@ Index: b/ssh.c
26=================================================================== 26===================================================================
27--- a/ssh.c 27--- a/ssh.c
28+++ b/ssh.c 28+++ b/ssh.c
29@@ -711,7 +711,7 @@ 29@@ -740,7 +740,7 @@
30 /* Do not allocate a tty if stdin is not a tty. */ 30 /* Do not allocate a tty if stdin is not a tty. */
31 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 31 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
32 options.request_tty != REQUEST_TTY_FORCE) { 32 options.request_tty != REQUEST_TTY_FORCE) {
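diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index d0de9c006..ac00edac6 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
-Last-Update: 2013-05-16
+Last-Update: 2013-09-14
 
 Index: b/readconf.c
 ===================================================================
@@ -21,10 +21,10 @@ Index: b/readconf.c
  #include <unistd.h>
 +#include <pwd.h>
 +#include <grp.h>
-
- #include "xmalloc.h"
- #include "ssh.h"
-@@ -1150,8 +1152,7 @@
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
+@@ -1160,8 +1162,7 @@
 
  if (fstat(fileno(f), &sb) == -1)
  fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,10 +38,10 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1320,6 +1320,8 @@
+@@ -1338,6 +1338,8 @@
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
- read/write for the user, and not accessible by others.
+ read/write for the user, and not writable by others.
 +It may be group-writable provided that the group in question contains only
 +the user.
  .Pp
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1356,6 +1356,8 @@
+@@ -1382,6 +1382,8 @@
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
 ===================================================================
 --- a/auth.c
 +++ b/auth.c
-@@ -386,8 +386,7 @@
+@@ -408,8 +408,7 @@
  user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
  if (options.strict_modes &&
  (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
  logit("Authentication refused for %.100s: "
  "bad owner or modes for %.200s",
  pw->pw_name, user_hostfile);
-@@ -449,8 +448,7 @@
+@@ -471,8 +470,7 @@
  snprintf(err, errlen, "%s is not a regular file", buf);
  return -1;
  }
@@ -84,7 +84,7 @@ Index: b/auth.c
  snprintf(err, errlen, "bad ownership or modes for file %s",
  buf);
  return -1;
-@@ -465,8 +463,7 @@
+@@ -487,8 +485,7 @@
  strlcpy(buf, cp, sizeof(buf));
 
  if (stat(buf, &st) < 0 ||
@@ -117,7 +117,7 @@ Index: b/misc.c
 
  /* remove newline at end of string */
  char *
-@@ -641,6 +643,71 @@
+@@ -642,6 +644,71 @@
  return -1;
  }
 
@@ -193,7 +193,7 @@ Index: b/misc.h
 ===================================================================
 --- a/misc.h
 +++ b/misc.h
-@@ -103,4 +103,6 @@
+@@ -104,4 +104,6 @@
  int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
 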