Diffstat (limited to 'debian')
-rw-r--r--debian/changelog27
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch2
-rw-r--r--debian/patches/debian-banner.patch34
-rw-r--r--debian/patches/debian-config.patch10
-rw-r--r--debian/patches/dnssec-sshfp.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/gssapi-autoconf.patch4
-rw-r--r--debian/patches/gssapi-compat.patch33
-rw-r--r--debian/patches/gssapi-dump.patch24
-rw-r--r--debian/patches/gssapi.patch201
-rw-r--r--debian/patches/keepalive-extensions.patch22
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch2
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch4
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch11
-rw-r--r--debian/patches/series3
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-sigchld.patch55
-rw-r--r--debian/patches/ssh-vulnkey.patch90
-rw-r--r--debian/patches/ssh1-keepalive.patch6
-rw-r--r--debian/patches/syslog-level-silent.patch2
-rw-r--r--debian/patches/user-group-modes.patch22
24 files changed, 278 insertions, 312 deletions
diff --git a/debian/changelog b/debian/changelog
index 294f29f30..84269b035 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
1openssh (1:5.7p1-1) UNRELEASED; urgency=low
2
3 * New upstream release (http://www.openssh.org/txt/release-5.7):
4 - Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
5 and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
6 offer better performance than plain DH and DSA at the same equivalent
7 symmetric key length, as well as much shorter keys.
8 - sftp(1)/sftp-server(8): add a protocol extension to support a hard
9 link operation. It is available through the "ln" command in the
10 client. The old "ln" behaviour of creating a symlink is available
11 using its "-s" option or through the preexisting "symlink" command.
12 - scp(1): Add a new -3 option to scp: Copies between two remote hosts
13 are transferred through the local host (closes: #508613).
14 - ssh(1): "atomically" create the listening mux socket by binding it on
15 a temporary name and then linking it into position after listen() has
16 succeeded. This allows the mux clients to determine that the server
17 socket is either ready or stale without races (closes: #454784).
18 Stale server sockets are now automatically removed (closes: #523250).
19 - ssh(1): install a SIGCHLD handler to reap expired child process
20 (closes: #594687).
21 - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
22 temporary directories (closes: #357469, although only if you arrange
23 for ssh-agent to actually see $TMPDIR since the setgid bit will cause
24 it to be stripped off).
25
26 -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000
27
1openssh (1:5.6p1-3) experimental; urgency=low 28openssh (1:5.6p1-3) experimental; urgency=low
2 29
3 * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no 30 * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 34535f001..891b934ab 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -284,6 +284,7 @@ 11@@ -287,6 +287,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index b0761420e..32251397d 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,42 +10,42 @@ Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -136,6 +136,7 @@ 13@@ -143,6 +143,7 @@
14 options->revoked_keys_file = NULL;
15 options->trusted_user_ca_keys = NULL;
16 options->authorized_principals_file = NULL; 14 options->authorized_principals_file = NULL;
15 options->ip_qos_interactive = -1;
16 options->ip_qos_bulk = -1;
17+ options->debian_banner = -1; 17+ options->debian_banner = -1;
18 } 18 }
19 19
20 void 20 void
21@@ -278,6 +279,8 @@ 21@@ -293,6 +294,8 @@
22 options->permit_tun = SSH_TUNMODE_NO; 22 options->ip_qos_interactive = IPTOS_LOWDELAY;
23 if (options->zero_knowledge_password_authentication == -1) 23 if (options->ip_qos_bulk == -1)
24 options->zero_knowledge_password_authentication = 0; 24 options->ip_qos_bulk = IPTOS_THROUGHPUT;
25+ if (options->debian_banner == -1) 25+ if (options->debian_banner == -1)
26+ options->debian_banner = 1; 26+ options->debian_banner = 1;
27 27
28 /* Turn privilege separation on by default */ 28 /* Turn privilege separation on by default */
29 if (use_privsep == -1) 29 if (use_privsep == -1)
30@@ -326,6 +329,7 @@ 30@@ -342,6 +345,7 @@
31 sUsePrivilegeSeparation, sAllowAgentForwarding,
32 sZeroKnowledgePasswordAuthentication, sHostCertificate, 31 sZeroKnowledgePasswordAuthentication, sHostCertificate,
33 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 32 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
33 sKexAlgorithms, sIPQoS,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -459,6 +463,7 @@ 38@@ -477,6 +481,7 @@
39 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
40 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
41 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 39 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
40 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
41 { "ipqos", sIPQoS, SSHCFG_ALL },
42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1392,6 +1397,10 @@ 46@@ -1439,6 +1444,10 @@
47 charptr = &options->revoked_keys_file; 47 }
48 goto parse_filename; 48 break;
49 49
50+ case sDebianBanner: 50+ case sDebianBanner:
51+ intptr = &options->debian_banner; 51+ intptr = &options->debian_banner;
@@ -58,7 +58,7 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -157,6 +157,8 @@ 61@@ -160,6 +160,8 @@
62 62
63 int num_permitted_opens; 63 int num_permitted_opens;
64 64
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85=================================================================== 85===================================================================
86--- a/sshd_config.5 86--- a/sshd_config.5
87+++ b/sshd_config.5 87+++ b/sshd_config.5
88@@ -340,6 +340,11 @@ 88@@ -339,6 +339,11 @@
89 .Dq no . 89 .Dq no .
90 The default is 90 The default is
91 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 2fe365639..e804aa526 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -24,7 +24,7 @@ Index: b/readconf.c
24=================================================================== 24===================================================================
25--- a/readconf.c 25--- a/readconf.c
26+++ b/readconf.c 26+++ b/readconf.c
27@@ -1179,7 +1179,7 @@ 27@@ -1223,7 +1223,7 @@
28 if (options->forward_x11 == -1) 28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 30 if (options->forward_x11_trusted == -1)
@@ -61,7 +61,7 @@ Index: b/ssh_config.5
61=================================================================== 61===================================================================
62--- a/ssh_config.5 62--- a/ssh_config.5
63+++ b/ssh_config.5 63+++ b/ssh_config.5
64@@ -72,6 +72,22 @@ 64@@ -71,6 +71,22 @@
65 host-specific declarations should be given near the beginning of the 65 host-specific declarations should be given near the beginning of the
66 file, and general defaults at the end. 66 file, and general defaults at the end.
67 .Pp 67 .Pp
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -483,7 +499,8 @@ 87@@ -482,7 +498,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
@@ -98,7 +98,7 @@ Index: b/sshd_config
98=================================================================== 98===================================================================
99--- a/sshd_config 99--- a/sshd_config
100+++ b/sshd_config 100+++ b/sshd_config
101@@ -36,6 +36,7 @@ 101@@ -37,6 +37,7 @@
102 # Authentication: 102 # Authentication:
103 103
104 #LoginGraceTime 2m 104 #LoginGraceTime 2m
@@ -110,7 +110,7 @@ Index: b/sshd_config.5
110=================================================================== 110===================================================================
111--- a/sshd_config.5 111--- a/sshd_config.5
112+++ b/sshd_config.5 112+++ b/sshd_config.5
113@@ -58,6 +58,33 @@ 113@@ -57,6 +57,33 @@
114 .Pq \&" 114 .Pq \&"
115 in order to represent arguments containing spaces. 115 in order to represent arguments containing spaces.
116 .Pp 116 .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a71b42f0f..8e8285a1f 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -9,7 +9,7 @@ Index: b/dns.c
9=================================================================== 9===================================================================
10--- a/dns.c 10--- a/dns.c
11+++ b/dns.c 11+++ b/dns.c
12@@ -176,6 +176,7 @@ 12@@ -177,6 +177,7 @@
13 { 13 {
14 u_int counter; 14 u_int counter;
15 int result; 15 int result;
@@ -17,7 +17,7 @@ Index: b/dns.c
17 struct rrsetinfo *fingerprints = NULL; 17 struct rrsetinfo *fingerprints = NULL;
18 18
19 u_int8_t hostkey_algorithm; 19 u_int8_t hostkey_algorithm;
20@@ -199,8 +200,19 @@ 20@@ -200,8 +201,19 @@
21 return -1; 21 return -1;
22 } 22 }
23 23
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index fb522013c..5cf8aa46b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -8,7 +8,7 @@ Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -562,6 +562,9 @@ 11@@ -566,6 +566,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index d88382dcb..51d8a8e72 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
7=================================================================== 7===================================================================
8--- a/config.h.in 8--- a/config.h.in
9+++ b/config.h.in 9+++ b/config.h.in
10@@ -1387,6 +1387,9 @@ 10@@ -1417,6 +1417,9 @@
11 /* Use btmp to log bad logins */ 11 /* Use btmp to log bad logins */
12 #undef USE_BTMP 12 #undef USE_BTMP
13 13
@@ -17,7 +17,7 @@ Index: b/config.h.in
17 /* Use libedit for sftp */ 17 /* Use libedit for sftp */
18 #undef USE_LIBEDIT 18 #undef USE_LIBEDIT
19 19
20@@ -1399,6 +1402,9 @@ 20@@ -1432,6 +1435,9 @@
21 /* Use PIPES instead of a socketpair() */ 21 /* Use PIPES instead of a socketpair() */
22 #undef USE_PIPES 22 #undef USE_PIPES
23 23
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch
deleted file mode 100644
index b93134933..000000000
--- a/debian/patches/gssapi-compat.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1Description: Compatibility with old GSSAPI option names
2 These options were supported by the old ssh-krb5 package in Debian.
3 .
4 Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
5Author: Colin Watson <cjwatson@debian.org>
6Forwarded: yes
7Last-Updated: 2010-03-01
8
9Index: b/servconf.c
10===================================================================
11--- a/servconf.c
12+++ b/servconf.c
13@@ -381,16 +381,20 @@
14 #ifdef GSSAPI
15 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
16 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
17+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
18 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
19 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
20 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
21 #else
22 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
23 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
24+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
25 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
26 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
27 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
28 #endif
29+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
30+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
31 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
32 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
33 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
deleted file mode 100644
index 0969c59b4..000000000
--- a/debian/patches/gssapi-dump.patch
+++ /dev/null
@@ -1,24 +0,0 @@
1Description: GSSAPI configuration dump fixes
2 Add GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, and
3 GSSAPIStoreCredentialsOnRekey to sshd -T configuration dump.
4 .
5 Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
6Author: Colin Watson <cjwatson@debian.org>
7Forwarded: yes
8Last-Updated: 2010-02-27
9
10Index: b/servconf.c
11===================================================================
12--- a/servconf.c
13+++ b/servconf.c
14@@ -1688,7 +1688,10 @@
15 #endif
16 #ifdef GSSAPI
17 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
18+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
19 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
20+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
21+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
22 #endif
23 #ifdef JPAKE
24 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 778c23023..692437142 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -19,14 +19,24 @@ Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
20--- /dev/null 20--- /dev/null
21+++ b/ChangeLog.gssapi 21+++ b/ChangeLog.gssapi
22@@ -0,0 +1,103 @@ 22@@ -0,0 +1,113 @@
23+20110101
24+ - Finally update for OpenSSH 5.6p1
25+ - Add GSSAPIServerIdentity option from Jim Basney
26+
27+20100308
28+ - [ Makefile.in, key.c, key.h ]
29+ Updates for OpenSSH 5.4p1
30+ - [ servconf.c ]
31+ Include GSSAPI options in the sshd -T configuration dump, and flag
32+ some older configuration options as being unsupported. Thanks to Colin
33+ Watson.
34+ -
35+
23+20100124 36+20100124
24+ - [ sshconnect2.c ] 37+ - [ sshconnect2.c ]
25+ Adapt to deal with additional element in Authmethod structure. Thanks to 38+ Adapt to deal with additional element in Authmethod structure. Thanks to
26+ Colin Wilson 39+ Colin Watson
27+ - [ clientloop.c ]
28+ Protect credentials updated code with suitable #ifdefs. Thanks to Colin
29+ Wilson
30+ 40+
31+20090615 41+20090615
32+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c 42+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@@ -127,23 +137,23 @@ Index: b/Makefile.in
127=================================================================== 137===================================================================
128--- a/Makefile.in 138--- a/Makefile.in
129+++ b/Makefile.in 139+++ b/Makefile.in
130@@ -74,7 +74,7 @@ 140@@ -75,7 +75,7 @@
131 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ 141 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
132 kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ 142 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
133 entropy.o gss-genr.o umac.o jpake.o schnorr.o \ 143 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
134- ssh-pkcs11.o 144- schnorr.o ssh-pkcs11.o
135+ ssh-pkcs11.o kexgssc.o 145+ schnorr.o kexgssc.o ssh-pkcs11.o
136 146
137 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 147 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
138 sshconnect.o sshconnect1.o sshconnect2.o mux.o \ 148 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
139@@ -88,7 +88,7 @@ 149@@ -90,7 +90,7 @@
140 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 150 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
141 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ 151 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
142 auth-krb5.o \ 152 auth-krb5.o \
143- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 153- auth2-gss.o gss-serv.o gss-serv-krb5.o \
144+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ 154+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
145 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 155 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
146 audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ 156 sftp-server.o sftp-common.o \
147 roaming_common.o roaming_serv.o 157 roaming_common.o roaming_serv.o
148Index: b/auth-krb5.c 158Index: b/auth-krb5.c
149=================================================================== 159===================================================================
@@ -384,7 +394,7 @@ Index: b/configure.ac
384=================================================================== 394===================================================================
385--- a/configure.ac 395--- a/configure.ac
386+++ b/configure.ac 396+++ b/configure.ac
387@@ -477,6 +477,30 @@ 397@@ -514,6 +514,30 @@
388 [Use tunnel device compatibility to OpenBSD]) 398 [Use tunnel device compatibility to OpenBSD])
389 AC_DEFINE(SSH_TUN_PREPEND_AF, 1, 399 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
390 [Prepend the address family to IP tunnel traffic]) 400 [Prepend the address family to IP tunnel traffic])
@@ -1222,9 +1232,9 @@ Index: b/kex.c
1222 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1232 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1223 # if defined(HAVE_EVP_SHA256) 1233 # if defined(HAVE_EVP_SHA256)
1224 # define evp_ssh_sha256 EVP_sha256 1234 # define evp_ssh_sha256 EVP_sha256
1225@@ -326,6 +330,20 @@ 1235@@ -358,6 +362,20 @@
1226 k->kex_type = KEX_DH_GEX_SHA256; 1236 k->kex_type = KEX_ECDH_SHA2;
1227 k->evp_md = evp_ssh_sha256(); 1237 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1228 #endif 1238 #endif
1229+#ifdef GSSAPI 1239+#ifdef GSSAPI
1230+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 1240+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
@@ -1247,17 +1257,17 @@ Index: b/kex.h
1247=================================================================== 1257===================================================================
1248--- a/kex.h 1258--- a/kex.h
1249+++ b/kex.h 1259+++ b/kex.h
1250@@ -67,6 +67,9 @@ 1260@@ -73,6 +73,9 @@
1251 KEX_DH_GRP14_SHA1,
1252 KEX_DH_GEX_SHA1, 1261 KEX_DH_GEX_SHA1,
1253 KEX_DH_GEX_SHA256, 1262 KEX_DH_GEX_SHA256,
1263 KEX_ECDH_SHA2,
1254+ KEX_GSS_GRP1_SHA1, 1264+ KEX_GSS_GRP1_SHA1,
1255+ KEX_GSS_GRP14_SHA1, 1265+ KEX_GSS_GRP14_SHA1,
1256+ KEX_GSS_GEX_SHA1, 1266+ KEX_GSS_GEX_SHA1,
1257 KEX_MAX 1267 KEX_MAX
1258 }; 1268 };
1259 1269
1260@@ -123,6 +126,12 @@ 1270@@ -129,6 +132,12 @@
1261 sig_atomic_t done; 1271 sig_atomic_t done;
1262 int flags; 1272 int flags;
1263 const EVP_MD *evp_md; 1273 const EVP_MD *evp_md;
@@ -1270,9 +1280,9 @@ Index: b/kex.h
1270 char *client_version_string; 1280 char *client_version_string;
1271 char *server_version_string; 1281 char *server_version_string;
1272 int (*verify_host_key)(Key *); 1282 int (*verify_host_key)(Key *);
1273@@ -146,6 +155,11 @@ 1283@@ -156,6 +165,11 @@
1274 void kexgex_client(Kex *); 1284 void kexecdh_client(Kex *);
1275 void kexgex_server(Kex *); 1285 void kexecdh_server(Kex *);
1276 1286
1277+#ifdef GSSAPI 1287+#ifdef GSSAPI
1278+void kexgss_client(Kex *); 1288+void kexgss_client(Kex *);
@@ -1918,21 +1928,30 @@ Index: b/key.c
1918=================================================================== 1928===================================================================
1919--- a/key.c 1929--- a/key.c
1920+++ b/key.c 1930+++ b/key.c
1921@@ -1020,6 +1020,8 @@ 1931@@ -971,6 +971,8 @@
1922 return KEY_RSA_CERT; 1932 }
1923 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { 1933 break;
1924 return KEY_DSA_CERT; 1934 #endif /* OPENSSL_HAS_ECC */
1935+ case KEY_NULL:
1936+ return "null";
1937 }
1938 return "ssh-unknown";
1939 }
1940@@ -1276,6 +1278,8 @@
1941 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1942 return KEY_ECDSA_CERT;
1943 #endif
1925+ } else if (strcmp(name, "null") == 0) { 1944+ } else if (strcmp(name, "null") == 0) {
1926+ return KEY_NULL; 1945+ return KEY_NULL;
1927 } 1946 }
1947
1928 debug2("key_type_from_name: unknown key type '%s'", name); 1948 debug2("key_type_from_name: unknown key type '%s'", name);
1929 return KEY_UNSPEC;
1930Index: b/key.h 1949Index: b/key.h
1931=================================================================== 1950===================================================================
1932--- a/key.h 1951--- a/key.h
1933+++ b/key.h 1952+++ b/key.h
1934@@ -39,6 +39,7 @@ 1953@@ -44,6 +44,7 @@
1935 KEY_DSA_CERT, 1954 KEY_ECDSA_CERT,
1936 KEY_RSA_CERT_V00, 1955 KEY_RSA_CERT_V00,
1937 KEY_DSA_CERT_V00, 1956 KEY_DSA_CERT_V00,
1938+ KEY_NULL, 1957+ KEY_NULL,
@@ -1995,10 +2014,10 @@ Index: b/monitor.c
1995 } else { 2014 } else {
1996 mon_dispatch = mon_dispatch_postauth15; 2015 mon_dispatch = mon_dispatch_postauth15;
1997 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2016 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
1998@@ -1691,6 +1708,13 @@ 2017@@ -1692,6 +1709,13 @@
1999 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
2000 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2001 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2002+#ifdef GSSAPI 2021+#ifdef GSSAPI
2003+ if (options.gss_keyex) { 2022+ if (options.gss_keyex) {
2004+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2023+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2009,7 +2028,7 @@ Index: b/monitor.c
2009 kex->server = 1; 2028 kex->server = 1;
2010 kex->hostkey_type = buffer_get_int(m); 2029 kex->hostkey_type = buffer_get_int(m);
2011 kex->kex_type = buffer_get_int(m); 2030 kex->kex_type = buffer_get_int(m);
2012@@ -1897,6 +1921,9 @@ 2031@@ -1898,6 +1922,9 @@
2013 OM_uint32 major; 2032 OM_uint32 major;
2014 u_int len; 2033 u_int len;
2015 2034
@@ -2019,7 +2038,7 @@ Index: b/monitor.c
2019 goid.elements = buffer_get_string(m, &len); 2038 goid.elements = buffer_get_string(m, &len);
2020 goid.length = len; 2039 goid.length = len;
2021 2040
2022@@ -1924,6 +1951,9 @@ 2041@@ -1925,6 +1952,9 @@
2023 OM_uint32 flags = 0; /* GSI needs this */ 2042 OM_uint32 flags = 0; /* GSI needs this */
2024 u_int len; 2043 u_int len;
2025 2044
@@ -2029,7 +2048,7 @@ Index: b/monitor.c
2029 in.value = buffer_get_string(m, &len); 2048 in.value = buffer_get_string(m, &len);
2030 in.length = len; 2049 in.length = len;
2031 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2050 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2032@@ -1941,6 +1971,7 @@ 2051@@ -1942,6 +1972,7 @@
2033 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2034 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2035 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2037,7 +2056,7 @@ Index: b/monitor.c
2037 } 2056 }
2038 return (0); 2057 return (0);
2039 } 2058 }
2040@@ -1952,6 +1983,9 @@ 2059@@ -1953,6 +1984,9 @@
2041 OM_uint32 ret; 2060 OM_uint32 ret;
2042 u_int len; 2061 u_int len;
2043 2062
@@ -2047,7 +2066,7 @@ Index: b/monitor.c
2047 gssbuf.value = buffer_get_string(m, &len); 2066 gssbuf.value = buffer_get_string(m, &len);
2048 gssbuf.length = len; 2067 gssbuf.length = len;
2049 mic.value = buffer_get_string(m, &len); 2068 mic.value = buffer_get_string(m, &len);
2050@@ -1978,7 +2012,11 @@ 2069@@ -1979,7 +2013,11 @@
2051 { 2070 {
2052 int authenticated; 2071 int authenticated;
2053 2072
@@ -2060,7 +2079,7 @@ Index: b/monitor.c
2060 2079
2061 buffer_clear(m); 2080 buffer_clear(m);
2062 buffer_put_int(m, authenticated); 2081 buffer_put_int(m, authenticated);
2063@@ -1991,6 +2029,74 @@ 2082@@ -1992,6 +2030,74 @@
2064 /* Monitor loop will terminate if authenticated */ 2083 /* Monitor loop will terminate if authenticated */
2065 return (authenticated); 2084 return (authenticated);
2066 } 2085 }
@@ -2152,7 +2171,7 @@ Index: b/monitor_wrap.c
2152=================================================================== 2171===================================================================
2153--- a/monitor_wrap.c 2172--- a/monitor_wrap.c
2154+++ b/monitor_wrap.c 2173+++ b/monitor_wrap.c
2155@@ -1231,7 +1231,7 @@ 2174@@ -1232,7 +1232,7 @@
2156 } 2175 }
2157 2176
2158 int 2177 int
@@ -2161,7 +2180,7 @@ Index: b/monitor_wrap.c
2161 { 2180 {
2162 Buffer m; 2181 Buffer m;
2163 int authenticated = 0; 2182 int authenticated = 0;
2164@@ -1248,6 +1248,51 @@ 2183@@ -1249,6 +1249,51 @@
2165 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2184 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2166 return (authenticated); 2185 return (authenticated);
2167 } 2186 }
@@ -2233,15 +2252,16 @@ Index: b/readconf.c
2233=================================================================== 2252===================================================================
2234--- a/readconf.c 2253--- a/readconf.c
2235+++ b/readconf.c 2254+++ b/readconf.c
2236@@ -127,6 +127,7 @@ 2255@@ -129,6 +129,8 @@
2237 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2256 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2238 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2257 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2239 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2258 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
2240+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, 2259+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
2260+ oGssServerIdentity,
2241 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2261 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2242 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2262 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2243 oHashKnownHosts, 2263 oHashKnownHosts,
2244@@ -166,10 +167,18 @@ 2264@@ -169,10 +171,19 @@
2245 { "afstokenpassing", oUnsupported }, 2265 { "afstokenpassing", oUnsupported },
2246 #if defined(GSSAPI) 2266 #if defined(GSSAPI)
2247 { "gssapiauthentication", oGssAuthentication }, 2267 { "gssapiauthentication", oGssAuthentication },
@@ -2249,6 +2269,7 @@ Index: b/readconf.c
2249 { "gssapidelegatecredentials", oGssDelegateCreds }, 2269 { "gssapidelegatecredentials", oGssDelegateCreds },
2250+ { "gssapitrustdns", oGssTrustDns }, 2270+ { "gssapitrustdns", oGssTrustDns },
2251+ { "gssapiclientidentity", oGssClientIdentity }, 2271+ { "gssapiclientidentity", oGssClientIdentity },
2272+ { "gssapiserveridentity", oGssServerIdentity },
2252+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, 2273+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
2253 #else 2274 #else
2254 { "gssapiauthentication", oUnsupported }, 2275 { "gssapiauthentication", oUnsupported },
@@ -2260,7 +2281,7 @@ Index: b/readconf.c
2260 #endif 2281 #endif
2261 { "fallbacktorsh", oDeprecated }, 2282 { "fallbacktorsh", oDeprecated },
2262 { "usersh", oDeprecated }, 2283 { "usersh", oDeprecated },
2263@@ -474,10 +483,26 @@ 2284@@ -479,10 +490,30 @@
2264 intptr = &options->gss_authentication; 2285 intptr = &options->gss_authentication;
2265 goto parse_flag; 2286 goto parse_flag;
2266 2287
@@ -2280,6 +2301,10 @@ Index: b/readconf.c
2280+ charptr = &options->gss_client_identity; 2301+ charptr = &options->gss_client_identity;
2281+ goto parse_string; 2302+ goto parse_string;
2282+ 2303+
2304+ case oGssServerIdentity:
2305+ charptr = &options->gss_server_identity;
2306+ goto parse_string;
2307+
2283+ case oGssRenewalRekey: 2308+ case oGssRenewalRekey:
2284+ intptr = &options->gss_renewal_rekey; 2309+ intptr = &options->gss_renewal_rekey;
2285+ goto parse_flag; 2310+ goto parse_flag;
@@ -2287,7 +2312,7 @@ Index: b/readconf.c
2287 case oBatchMode: 2312 case oBatchMode:
2288 intptr = &options->batch_mode; 2313 intptr = &options->batch_mode;
2289 goto parse_flag; 2314 goto parse_flag;
2290@@ -1058,7 +1083,11 @@ 2315@@ -1092,7 +1123,12 @@
2291 options->pubkey_authentication = -1; 2316 options->pubkey_authentication = -1;
2292 options->challenge_response_authentication = -1; 2317 options->challenge_response_authentication = -1;
2293 options->gss_authentication = -1; 2318 options->gss_authentication = -1;
@@ -2296,10 +2321,11 @@ Index: b/readconf.c
2296+ options->gss_trust_dns = -1; 2321+ options->gss_trust_dns = -1;
2297+ options->gss_renewal_rekey = -1; 2322+ options->gss_renewal_rekey = -1;
2298+ options->gss_client_identity = NULL; 2323+ options->gss_client_identity = NULL;
2324+ options->gss_server_identity = NULL;
2299 options->password_authentication = -1; 2325 options->password_authentication = -1;
2300 options->kbd_interactive_authentication = -1; 2326 options->kbd_interactive_authentication = -1;
2301 options->kbd_interactive_devices = NULL; 2327 options->kbd_interactive_devices = NULL;
2302@@ -1156,8 +1185,14 @@ 2328@@ -1193,8 +1229,14 @@
2303 options->challenge_response_authentication = 1; 2329 options->challenge_response_authentication = 1;
2304 if (options->gss_authentication == -1) 2330 if (options->gss_authentication == -1)
2305 options->gss_authentication = 0; 2331 options->gss_authentication = 0;
@@ -2318,7 +2344,7 @@ Index: b/readconf.h
2318=================================================================== 2344===================================================================
2319--- a/readconf.h 2345--- a/readconf.h
2320+++ b/readconf.h 2346+++ b/readconf.h
2321@@ -46,7 +46,11 @@ 2347@@ -46,7 +46,12 @@
2322 int challenge_response_authentication; 2348 int challenge_response_authentication;
2323 /* Try S/Key or TIS, authentication. */ 2349 /* Try S/Key or TIS, authentication. */
2324 int gss_authentication; /* Try GSS authentication */ 2350 int gss_authentication; /* Try GSS authentication */
@@ -2327,6 +2353,7 @@ Index: b/readconf.h
2327+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ 2353+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
2328+ int gss_renewal_rekey; /* Credential renewal forces rekey */ 2354+ int gss_renewal_rekey; /* Credential renewal forces rekey */
2329+ char *gss_client_identity; /* Principal to initiate GSSAPI with */ 2355+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
2356+ char *gss_server_identity; /* GSSAPI target principal */
2330 int password_authentication; /* Try password 2357 int password_authentication; /* Try password
2331 * authentication. */ 2358 * authentication. */
2332 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2359 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
@@ -2334,7 +2361,7 @@ Index: b/servconf.c
2334=================================================================== 2361===================================================================
2335--- a/servconf.c 2362--- a/servconf.c
2336+++ b/servconf.c 2363+++ b/servconf.c
2337@@ -93,7 +93,10 @@ 2364@@ -97,7 +97,10 @@
2338 options->kerberos_ticket_cleanup = -1; 2365 options->kerberos_ticket_cleanup = -1;
2339 options->kerberos_get_afs_token = -1; 2366 options->kerberos_get_afs_token = -1;
2340 options->gss_authentication=-1; 2367 options->gss_authentication=-1;
@@ -2345,7 +2372,7 @@ Index: b/servconf.c
2345 options->password_authentication = -1; 2372 options->password_authentication = -1;
2346 options->kbd_interactive_authentication = -1; 2373 options->kbd_interactive_authentication = -1;
2347 options->challenge_response_authentication = -1; 2374 options->challenge_response_authentication = -1;
2348@@ -215,8 +218,14 @@ 2375@@ -226,8 +229,14 @@
2349 options->kerberos_get_afs_token = 0; 2376 options->kerberos_get_afs_token = 0;
2350 if (options->gss_authentication == -1) 2377 if (options->gss_authentication == -1)
2351 options->gss_authentication = 0; 2378 options->gss_authentication = 0;
@@ -2360,7 +2387,7 @@ Index: b/servconf.c
2360 if (options->password_authentication == -1) 2387 if (options->password_authentication == -1)
2361 options->password_authentication = 1; 2388 options->password_authentication = 1;
2362 if (options->kbd_interactive_authentication == -1) 2389 if (options->kbd_interactive_authentication == -1)
2363@@ -307,7 +316,9 @@ 2390@@ -322,7 +331,9 @@
2364 sBanner, sUseDNS, sHostbasedAuthentication, 2391 sBanner, sUseDNS, sHostbasedAuthentication,
2365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2392 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2366 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 2393 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -2371,23 +2398,28 @@ Index: b/servconf.c
2371 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2398 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2372 sUsePrivilegeSeparation, sAllowAgentForwarding, 2399 sUsePrivilegeSeparation, sAllowAgentForwarding,
2373 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2400 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2374@@ -370,9 +381,15 @@ 2401@@ -386,10 +397,20 @@
2375 #ifdef GSSAPI 2402 #ifdef GSSAPI
2376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2403 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2404 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
2405+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
2378+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 2406+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
2379+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 2407+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
2380+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, 2408+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
2381 #else 2409 #else
2382 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 2410 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
2383 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 2411 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
2412+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
2384+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 2413+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
2385+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, 2414+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
2386+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, 2415+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
2387 #endif 2416 #endif
2417+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
2418+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
2388 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2419 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2389 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2420 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2390@@ -926,10 +943,22 @@ 2421 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2422@@ -944,10 +965,22 @@
2391 intptr = &options->gss_authentication; 2423 intptr = &options->gss_authentication;
2392 goto parse_flag; 2424 goto parse_flag;
2393 2425
@@ -2410,11 +2442,22 @@ Index: b/servconf.c
2410 case sPasswordAuthentication: 2442 case sPasswordAuthentication:
2411 intptr = &options->password_authentication; 2443 intptr = &options->password_authentication;
2412 goto parse_flag; 2444 goto parse_flag;
2445@@ -1704,7 +1737,10 @@
2446 #endif
2447 #ifdef GSSAPI
2448 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2449+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
2450 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2451+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
2452+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
2453 #endif
2454 #ifdef JPAKE
2455 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2413Index: b/servconf.h 2456Index: b/servconf.h
2414=================================================================== 2457===================================================================
2415--- a/servconf.h 2458--- a/servconf.h
2416+++ b/servconf.h 2459+++ b/servconf.h
2417@@ -94,7 +94,10 @@ 2460@@ -97,7 +97,10 @@
2418 int kerberos_get_afs_token; /* If true, try to get AFS token if 2461 int kerberos_get_afs_token; /* If true, try to get AFS token if
2419 * authenticated with Kerberos. */ 2462 * authenticated with Kerberos. */
2420 int gss_authentication; /* If true, permit GSSAPI authentication */ 2463 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2543,7 +2586,7 @@ Index: b/ssh_config.5
2543=================================================================== 2586===================================================================
2544--- a/ssh_config.5 2587--- a/ssh_config.5
2545+++ b/ssh_config.5 2588+++ b/ssh_config.5
2546@@ -509,11 +509,38 @@ 2589@@ -508,11 +508,43 @@
2547 The default is 2590 The default is
2548 .Dq no . 2591 .Dq no .
2549 Note that this option applies to protocol version 2 only. 2592 Note that this option applies to protocol version 2 only.
@@ -2557,6 +2600,11 @@ Index: b/ssh_config.5
2557+If set, specifies the GSSAPI client identity that ssh should use when 2600+If set, specifies the GSSAPI client identity that ssh should use when
2558+connecting to the server. The default is unset, which means that the default 2601+connecting to the server. The default is unset, which means that the default
2559+identity will be used. 2602+identity will be used.
2603+.It Cm GSSAPIServerIdentity
2604+If set, specifies the GSSAPI server identity that ssh should expect when
2605+connecting to the server. The default is unset, which means that the
2606+expected GSSAPI server identity will be determined from the target
2607+hostname.
2560 .It Cm GSSAPIDelegateCredentials 2608 .It Cm GSSAPIDelegateCredentials
2561 Forward (delegate) credentials to the server. 2609 Forward (delegate) credentials to the server.
2562 The default is 2610 The default is
@@ -2587,7 +2635,7 @@ Index: b/sshconnect2.c
2587=================================================================== 2635===================================================================
2588--- a/sshconnect2.c 2636--- a/sshconnect2.c
2589+++ b/sshconnect2.c 2637+++ b/sshconnect2.c
2590@@ -106,9 +106,34 @@ 2638@@ -159,9 +159,34 @@
2591 { 2639 {
2592 Kex *kex; 2640 Kex *kex;
2593 2641
@@ -2622,9 +2670,9 @@ Index: b/sshconnect2.c
2622 if (options.ciphers == (char *)-1) { 2670 if (options.ciphers == (char *)-1) {
2623 logit("No valid ciphers for protocol version 2 given, using defaults."); 2671 logit("No valid ciphers for protocol version 2 given, using defaults.");
2624 options.ciphers = NULL; 2672 options.ciphers = NULL;
2625@@ -136,6 +161,17 @@ 2673@@ -196,6 +221,17 @@
2626 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = 2674 if (options.kex_algorithms != NULL)
2627 options.hostkeyalgorithms; 2675 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2628 2676
2629+#ifdef GSSAPI 2677+#ifdef GSSAPI
2630+ /* If we've got GSSAPI algorithms, then we also support the 2678+ /* If we've got GSSAPI algorithms, then we also support the
@@ -2640,10 +2688,10 @@ Index: b/sshconnect2.c
2640 if (options.rekey_limit) 2688 if (options.rekey_limit)
2641 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2689 packet_set_rekey_limit((u_int32_t)options.rekey_limit);
2642 2690
2643@@ -145,10 +181,26 @@ 2691@@ -206,10 +242,30 @@
2644 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
2645 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2692 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2646 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2693 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2694 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2647+#ifdef GSSAPI 2695+#ifdef GSSAPI
2648+ if (options.gss_keyex) { 2696+ if (options.gss_keyex) {
2649+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 2697+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2660,14 +2708,18 @@ Index: b/sshconnect2.c
2660+ kex->gss_deleg_creds = options.gss_deleg_creds; 2708+ kex->gss_deleg_creds = options.gss_deleg_creds;
2661+ kex->gss_trust_dns = options.gss_trust_dns; 2709+ kex->gss_trust_dns = options.gss_trust_dns;
2662+ kex->gss_client = options.gss_client_identity; 2710+ kex->gss_client = options.gss_client_identity;
2663+ kex->gss_host = gss_host; 2711+ if (options.gss_server_identity) {
2712+ kex->gss_host = options.gss_server_identity;
2713+ } else {
2714+ kex->gss_host = gss_host;
2715+ }
2664+ } 2716+ }
2665+#endif 2717+#endif
2666+ 2718+
2667 xxx_kex = kex; 2719 xxx_kex = kex;
2668 2720
2669 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2721 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2670@@ -243,6 +295,7 @@ 2722@@ -304,6 +360,7 @@
2671 void input_gssapi_hash(int type, u_int32_t, void *); 2723 void input_gssapi_hash(int type, u_int32_t, void *);
2672 void input_gssapi_error(int, u_int32_t, void *); 2724 void input_gssapi_error(int, u_int32_t, void *);
2673 void input_gssapi_errtok(int, u_int32_t, void *); 2725 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2675,7 +2727,7 @@ Index: b/sshconnect2.c
2675 #endif 2727 #endif
2676 2728
2677 void userauth(Authctxt *, char *); 2729 void userauth(Authctxt *, char *);
2678@@ -258,6 +311,11 @@ 2730@@ -319,6 +376,11 @@
2679 2731
2680 Authmethod authmethods[] = { 2732 Authmethod authmethods[] = {
2681 #ifdef GSSAPI 2733 #ifdef GSSAPI
@@ -2687,13 +2739,15 @@ Index: b/sshconnect2.c
2687 {"gssapi-with-mic", 2739 {"gssapi-with-mic",
2688 userauth_gssapi, 2740 userauth_gssapi,
2689 NULL, 2741 NULL,
2690@@ -564,19 +622,29 @@ 2742@@ -625,19 +687,31 @@
2691 static u_int mech = 0; 2743 static u_int mech = 0;
2692 OM_uint32 min; 2744 OM_uint32 min;
2693 int ok = 0; 2745 int ok = 0;
2694+ const char *gss_host; 2746+ const char *gss_host;
2695+ 2747+
2696+ if (options.gss_trust_dns) 2748+ if (options.gss_server_identity)
2749+ gss_host = options.gss_server_identity;
2750+ else if (options.gss_trust_dns)
2697+ gss_host = get_canonical_hostname(1); 2751+ gss_host = get_canonical_hostname(1);
2698+ else 2752+ else
2699+ gss_host = authctxt->host; 2753+ gss_host = authctxt->host;
@@ -2719,7 +2773,7 @@ Index: b/sshconnect2.c
2719 ok = 1; /* Mechanism works */ 2773 ok = 1; /* Mechanism works */
2720 } else { 2774 } else {
2721 mech++; 2775 mech++;
2722@@ -673,8 +741,8 @@ 2776@@ -734,8 +808,8 @@
2723 { 2777 {
2724 Authctxt *authctxt = ctxt; 2778 Authctxt *authctxt = ctxt;
2725 Gssctxt *gssctxt; 2779 Gssctxt *gssctxt;
@@ -2730,7 +2784,7 @@ Index: b/sshconnect2.c
2730 2784
2731 if (authctxt == NULL) 2785 if (authctxt == NULL)
2732 fatal("input_gssapi_response: no authentication context"); 2786 fatal("input_gssapi_response: no authentication context");
2733@@ -784,6 +852,48 @@ 2787@@ -845,6 +919,48 @@
2734 xfree(msg); 2788 xfree(msg);
2735 xfree(lang); 2789 xfree(lang);
2736 } 2790 }
@@ -2794,7 +2848,7 @@ Index: b/sshd.c
2794 #ifdef LIBWRAP 2848 #ifdef LIBWRAP
2795 #include <tcpd.h> 2849 #include <tcpd.h>
2796 #include <syslog.h> 2850 #include <syslog.h>
2797@@ -1586,10 +1590,13 @@ 2851@@ -1590,10 +1594,13 @@
2798 logit("Disabling protocol version 1. Could not load host key"); 2852 logit("Disabling protocol version 1. Could not load host key");
2799 options.protocol &= ~SSH_PROTO_1; 2853 options.protocol &= ~SSH_PROTO_1;
2800 } 2854 }
@@ -2808,7 +2862,7 @@ Index: b/sshd.c
2808 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2862 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2809 logit("sshd: no hostkeys available -- exiting."); 2863 logit("sshd: no hostkeys available -- exiting.");
2810 exit(1); 2864 exit(1);
2811@@ -1918,6 +1925,60 @@ 2865@@ -1922,6 +1929,60 @@
2812 /* Log the connection. */ 2866 /* Log the connection. */
2813 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2867 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2814 2868
@@ -2869,7 +2923,7 @@ Index: b/sshd.c
2869 /* 2923 /*
2870 * We don't want to listen forever unless the other side 2924 * We don't want to listen forever unless the other side
2871 * successfully authenticates itself. So we set up an alarm which is 2925 * successfully authenticates itself. So we set up an alarm which is
2872@@ -2296,12 +2357,61 @@ 2926@@ -2303,6 +2364,48 @@
2873 2927
2874 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2928 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2875 2929
@@ -2918,9 +2972,10 @@ Index: b/sshd.c
2918 /* start key exchange */ 2972 /* start key exchange */
2919 kex = kex_setup(myproposal); 2973 kex = kex_setup(myproposal);
2920 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 2974 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
2921 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; 2975@@ -2310,6 +2413,13 @@
2922 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2976 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2923 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2977 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2978 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2924+#ifdef GSSAPI 2979+#ifdef GSSAPI
2925+ if (options.gss_keyex) { 2980+ if (options.gss_keyex) {
2926+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2981+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2935,7 +2990,7 @@ Index: b/sshd_config
2935=================================================================== 2990===================================================================
2936--- a/sshd_config 2991--- a/sshd_config
2937+++ b/sshd_config 2992+++ b/sshd_config
2938@@ -71,6 +71,8 @@ 2993@@ -72,6 +72,8 @@
2939 # GSSAPI options 2994 # GSSAPI options
2940 #GSSAPIAuthentication no 2995 #GSSAPIAuthentication no
2941 #GSSAPICleanupCredentials yes 2996 #GSSAPICleanupCredentials yes
@@ -2948,7 +3003,7 @@ Index: b/sshd_config.5
2948=================================================================== 3003===================================================================
2949--- a/sshd_config.5 3004--- a/sshd_config.5
2950+++ b/sshd_config.5 3005+++ b/sshd_config.5
2951@@ -424,12 +424,40 @@ 3006@@ -423,12 +423,40 @@
2952 The default is 3007 The default is
2953 .Dq no . 3008 .Dq no .
2954 Note that this option applies to protocol version 2 only. 3009 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 9e1705719..89011cfb7 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -18,24 +18,24 @@ Index: b/readconf.c
18=================================================================== 18===================================================================
19--- a/readconf.c 19--- a/readconf.c
20+++ b/readconf.c 20+++ b/readconf.c
21@@ -134,6 +134,7 @@ 21@@ -138,6 +138,7 @@
22 oHashKnownHosts,
23 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
24 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
24 oKexAlgorithms, oIPQoS,
25+ oProtocolKeepAlives, oSetupTimeOut, 25+ oProtocolKeepAlives, oSetupTimeOut,
26 oDeprecated, oUnsupported 26 oDeprecated, oUnsupported
27 } OpCodes; 27 } OpCodes;
28 28
29@@ -251,6 +252,8 @@ 29@@ -258,6 +259,8 @@
30 #else
31 { "zeroknowledgepasswordauthentication", oUnsupported },
32 #endif 30 #endif
31 { "kexalgorithms", oKexAlgorithms },
32 { "ipqos", oIPQoS },
33+ { "protocolkeepalives", oProtocolKeepAlives }, 33+ { "protocolkeepalives", oProtocolKeepAlives },
34+ { "setuptimeout", oSetupTimeOut }, 34+ { "setuptimeout", oSetupTimeOut },
35 35
36 { NULL, oBadOption } 36 { NULL, oBadOption }
37 }; 37 };
38@@ -865,6 +868,8 @@ 38@@ -888,6 +891,8 @@
39 goto parse_flag; 39 goto parse_flag;
40 40
41 case oServerAliveInterval: 41 case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 44 intptr = &options->server_alive_interval;
45 goto parse_time; 45 goto parse_time;
46 46
47@@ -1284,8 +1289,13 @@ 47@@ -1336,8 +1341,13 @@
48 options->rekey_limit = 0; 48 options->rekey_limit = 0;
49 if (options->verify_host_key_dns == -1) 49 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 50 options->verify_host_key_dns = 0;
@@ -64,7 +64,7 @@ Index: b/ssh_config.5
64=================================================================== 64===================================================================
65--- a/ssh_config.5 65--- a/ssh_config.5
66+++ b/ssh_config.5 66+++ b/ssh_config.5
67@@ -128,8 +128,12 @@ 67@@ -127,8 +127,12 @@
68 If set to 68 If set to
69 .Dq yes , 69 .Dq yes ,
70 passphrase/password querying will be disabled. 70 passphrase/password querying will be disabled.
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -994,8 +998,15 @@ 81@@ -1058,8 +1062,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1034,6 +1045,12 @@ 98@@ -1098,6 +1109,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -985,6 +985,9 @@ 115@@ -1034,6 +1034,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 955d38b50..f5ac00814 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -294,9 +294,9 @@ 12@@ -297,9 +297,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index de63e46f8..fc07e8861 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
34=================================================================== 34===================================================================
35--- a/ssh-keygen.1 35--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 36+++ b/ssh-keygen.1
37@@ -148,9 +148,7 @@ 37@@ -147,9 +147,7 @@
38 .Pa ~/.ssh/id_dsa 38 .Pa ~/.ssh/id_dsa
39 or 39 or
40 .Pa ~/.ssh/id_rsa . 40 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
45 .Pp 45 .Pp
46 Normally this program generates the key and asks for a file in which 46 Normally this program generates the key and asks for a file in which
47 to store the private key. 47 to store the private key.
48@@ -394,9 +392,7 @@ 48@@ -393,9 +391,7 @@
49 .It Fl q 49 .It Fl q
50 Silence 50 Silence
51 .Nm ssh-keygen . 51 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
60=================================================================== 60===================================================================
61--- a/ssh.1 61--- a/ssh.1
62+++ b/ssh.1 62+++ b/ssh.1
63@@ -728,6 +728,10 @@ 63@@ -726,6 +726,10 @@
64 .Sx HISTORY 64 .Sx HISTORY
65 section of 65 section of
66 .Xr ssl 8 66 .Xr ssl 8
@@ -68,14 +68,14 @@ Index: b/ssh.1
68+.nh 68+.nh
69+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) 69+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
70+.hy 70+.hy
71 contains a brief discussion of the two algorithms. 71 contains a brief discussion of the DSA and RSA algorithms.
72 .Pp 72 .Pp
73 The file 73 The file
74Index: b/sshd.8 74Index: b/sshd.8
75=================================================================== 75===================================================================
76--- a/sshd.8 76--- a/sshd.8
77+++ b/sshd.8 77+++ b/sshd.8
78@@ -70,7 +70,7 @@ 78@@ -69,7 +69,7 @@
79 .Nm 79 .Nm
80 listens for connections from clients. 80 listens for connections from clients.
81 It is normally started at boot from 81 It is normally started at boot from
@@ -84,16 +84,16 @@ Index: b/sshd.8
84 It forks a new 84 It forks a new
85 daemon for each incoming connection. 85 daemon for each incoming connection.
86 The forked daemons handle 86 The forked daemons handle
87@@ -845,7 +845,7 @@ 87@@ -850,7 +850,7 @@
88 .Xr ssh 1 ) . 88 .Xr ssh 1 ) .
89 It should only be writable by root. 89 It should only be writable by root.
90 .Pp 90 .Pp
91-.It /etc/moduli 91-.It Pa /etc/moduli
92+.It /etc/ssh/moduli 92+.It Pa /etc/ssh/moduli
93 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 93 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
94 The file format is described in 94 The file format is described in
95 .Xr moduli 5 . 95 .Xr moduli 5 .
96@@ -941,7 +941,6 @@ 96@@ -948,7 +948,6 @@
97 .Xr ssh-vulnkey 1 , 97 .Xr ssh-vulnkey 1 ,
98 .Xr chroot 2 , 98 .Xr chroot 2 ,
99 .Xr hosts_access 5 , 99 .Xr hosts_access 5 ,
@@ -105,7 +105,7 @@ Index: b/sshd_config.5
105=================================================================== 105===================================================================
106--- a/sshd_config.5 106--- a/sshd_config.5
107+++ b/sshd_config.5 107+++ b/sshd_config.5
108@@ -222,8 +222,7 @@ 108@@ -221,8 +221,7 @@
109 By default, no banner is displayed. 109 By default, no banner is displayed.
110 .It Cm ChallengeResponseAuthentication 110 .It Cm ChallengeResponseAuthentication
111 Specifies whether challenge-response authentication is allowed (e.g. via 111 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 67e014002..ffd416d98 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect.c
11=================================================================== 11===================================================================
12--- a/sshconnect.c 12--- a/sshconnect.c
13+++ b/sshconnect.c 13+++ b/sshconnect.c
14@@ -542,7 +542,7 @@ 14@@ -556,7 +556,7 @@
15 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", 15 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
16 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, 16 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
17 compat20 ? PROTOCOL_MINOR_2 : minor1, 17 compat20 ? PROTOCOL_MINOR_2 : minor1,
@@ -38,7 +38,7 @@ Index: b/version.h
38--- a/version.h 38--- a/version.h
39+++ b/version.h 39+++ b/version.h
40@@ -3,4 +3,9 @@ 40@@ -3,4 +3,9 @@
41 #define SSH_VERSION "OpenSSH_5.6" 41 #define SSH_VERSION "OpenSSH_5.7"
42 42
43 #define SSH_PORTABLE "p1" 43 #define SSH_PORTABLE "p1"
44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 44-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 3f06225ad..239c1b599 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -11,7 +11,7 @@ Index: b/scp.c
11=================================================================== 11===================================================================
12--- a/scp.c 12--- a/scp.c
13+++ b/scp.c 13+++ b/scp.c
14@@ -182,8 +182,16 @@ 14@@ -189,8 +189,16 @@
15 15
16 if (verbose_mode) { 16 if (verbose_mode) {
17 fprintf(stderr, "Executing:"); 17 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 8a7e7c687..74cd06201 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -33,7 +33,7 @@ Index: b/auth1.c
33 /* Get the name of the user that we wish to log in as. */ 33 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 34 packet_read_expect(SSH_CMSG_USER);
35@@ -392,11 +392,17 @@ 35@@ -392,11 +392,17 @@
36 user = packet_get_string(&ulen); 36 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 37 packet_check_eom();
38 38
39+ if ((role = strchr(user, '/')) != NULL) 39+ if ((role = strchr(user, '/')) != NULL)
@@ -173,7 +173,7 @@ Index: b/monitor_wrap.c
173=================================================================== 173===================================================================
174--- a/monitor_wrap.c 174--- a/monitor_wrap.c
175+++ b/monitor_wrap.c 175+++ b/monitor_wrap.c
176@@ -279,10 +279,10 @@ 176@@ -280,10 +280,10 @@
177 return (banner); 177 return (banner);
178 } 178 }
179 179
@@ -186,7 +186,7 @@ Index: b/monitor_wrap.c
186 { 186 {
187 Buffer m; 187 Buffer m;
188 188
189@@ -291,12 +291,30 @@ 189@@ -292,11 +292,29 @@
190 buffer_init(&m); 190 buffer_init(&m);
191 buffer_put_cstring(&m, service); 191 buffer_put_cstring(&m, service);
192 buffer_put_cstring(&m, style ? style : ""); 192 buffer_put_cstring(&m, style ? style : "");
@@ -196,7 +196,7 @@ Index: b/monitor_wrap.c
196 196
197 buffer_free(&m); 197 buffer_free(&m);
198 } 198 }
199 199+
200+/* Inform the privileged process about role */ 200+/* Inform the privileged process about role */
201+ 201+
202+void 202+void
@@ -213,10 +213,9 @@ Index: b/monitor_wrap.c
213+ 213+
214+ buffer_free(&m); 214+ buffer_free(&m);
215+} 215+}
216+ 216
217 /* Do the password authentication */ 217 /* Do the password authentication */
218 int 218 int
219 mm_auth_password(Authctxt *authctxt, char *password)
220Index: b/monitor_wrap.h 219Index: b/monitor_wrap.h
221=================================================================== 220===================================================================
222--- a/monitor_wrap.h 221--- a/monitor_wrap.h
diff --git a/debian/patches/series b/debian/patches/series
index f3c6a87e0..751a9868c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,6 @@
1# GSSAPI 1# GSSAPI
2gssapi.patch 2gssapi.patch
3gssapi-autoconf.patch 3gssapi-autoconf.patch
4gssapi-compat.patch
5gssapi-dump.patch
6 4
7# SELinux 5# SELinux
8selinux-role.patch 6selinux-role.patch
@@ -41,4 +39,3 @@ doc-hash-tab-completion.patch
41# Debian-specific configuration 39# Debian-specific configuration
42gnome-ssh-askpass2-icon.patch 40gnome-ssh-askpass2-icon.patch
43debian-config.patch 41debian-config.patch
44ssh-sigchld.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index ddae43a45..5100d8ec7 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -10,18 +10,18 @@ Index: b/sshconnect.c
10=================================================================== 10===================================================================
11--- a/sshconnect.c 11--- a/sshconnect.c
12+++ b/sshconnect.c 12+++ b/sshconnect.c
13@@ -141,7 +141,7 @@ 13@@ -144,7 +144,7 @@
14
15 /* Execute the proxy command. Note that we gave up any 14 /* Execute the proxy command. Note that we gave up any
16 extra privileges above. */ 15 extra privileges above. */
16 signal(SIGPIPE, SIG_DFL);
17- execv(argv[0], argv); 17- execv(argv[0], argv);
18+ execvp(argv[0], argv); 18+ execvp(argv[0], argv);
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1243,7 +1243,7 @@ 22@@ -1274,7 +1274,7 @@
23 pid = fork();
24 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
26- execl(shell, shell, "-c", args, (char *)NULL); 26- execl(shell, shell, "-c", args, (char *)NULL);
27+ execlp(shell, shell, "-c", args, (char *)NULL); 27+ execlp(shell, shell, "-c", args, (char *)NULL);
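Review bot: The `execvp(argv[0], argv)` and `execlp(shell, shell, "-c", args, (char *)NULL)` kept on the new side resolve the ProxyCommand and LocalCommand interpreter through the caller's PATH, which is acceptable only because the upstream comment two lines earlier states that extra privileges were already given up; nothing in the refreshed patch records that dependency. The refreshed context also shows upstream now resetting SIGPIPE to SIG_DFL right before the exec, so the patch's hunks sit on code whose surrounding behaviour changed, yet the DEP-3 header was not revisited. I would add one sentence to the patch Description: `This PATH search is safe only in the unprivileged ssh(1) client after privilege drop; do not carry it into sshd or any setuid path.` Both enclosing functions (the proxy connect and the local-command fork) start and end outside the hunk, so the privilege-drop claim itself is inferred from the quoted comment, not verified here.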
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 4a651bfa1..43d9d4d44 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1396,6 +1396,7 @@ 14@@ -1406,6 +1406,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-sigchld.patch b/debian/patches/ssh-sigchld.patch
deleted file mode 100644
index 21d286b21..000000000
--- a/debian/patches/ssh-sigchld.patch
+++ /dev/null
@@ -1,55 +0,0 @@
1Description: Install a SIGCHLD handler to reap expired child processes
2Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6166
3Bug-Debian: http://bugs.debian.org/594687
4Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1812
5Forwarded: not-needed
6Last-Update: 2010-10-26
7
8Index: b/ssh.c
9===================================================================
10--- a/ssh.c
11+++ b/ssh.c
12@@ -50,6 +50,7 @@
13 #include <sys/ioctl.h>
14 #include <sys/param.h>
15 #include <sys/socket.h>
16+#include <sys/wait.h>
17
18 #include <ctype.h>
19 #include <errno.h>
20@@ -210,6 +211,7 @@
21 static int ssh_session(void);
22 static int ssh_session2(void);
23 static void load_public_identity_files(void);
24+static void main_sigchld_handler(int);
25
26 /* from muxclient.c */
27 void muxclient(const char *);
28@@ -849,6 +851,7 @@
29 tilde_expand_filename(options.user_hostfile2, original_real_uid);
30
31 signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
32+ signal(SIGCHLD, main_sigchld_handler);
33
34 /* Log into the remote system. Never returns if the login fails. */
35 ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
36@@ -1532,3 +1535,19 @@
37 bzero(pwdir, strlen(pwdir));
38 xfree(pwdir);
39 }
40+
41+static void
42+main_sigchld_handler(int sig)
43+{
44+ int save_errno = errno;
45+ pid_t pid;
46+ int status;
47+
48+ while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
49+ (pid < 0 && errno == EINTR))
50+ ;
51+
52+ signal(sig, main_sigchld_handler);
53+ errno = save_errno;
54+}
55+
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 81c225a7f..444aef251 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -32,7 +32,7 @@ Index: b/Makefile.in
32 32
33 CC=@CC@ 33 CC=@CC@
34 LD=@LD@ 34 LD=@LD@
35@@ -62,7 +64,7 @@ 35@@ -63,7 +65,7 @@
36 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ 36 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
37 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ 37 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
38 38
@@ -41,8 +41,8 @@ Index: b/Makefile.in
41 41
42 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 42 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
43 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 43 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
44@@ -93,8 +95,8 @@ 44@@ -95,8 +97,8 @@
45 audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ 45 sftp-server.o sftp-common.o \
46 roaming_common.o roaming_serv.o 46 roaming_common.o roaming_serv.o
47 47
48-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 48-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
@@ -52,7 +52,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
53 53
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -174,6 +176,9 @@ 55@@ -177,6 +179,9 @@
56 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o 56 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
57 $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 57 $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
58 58
@@ -62,7 +62,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -268,6 +273,7 @@ 65@@ -271,6 +276,7 @@
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -285,6 +291,7 @@ 73@@ -288,6 +294,7 @@
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -366,6 +373,7 @@ 81@@ -377,6 +384,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -379,6 +387,7 @@ 89@@ -390,6 +398,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,15 +111,15 @@ Index: b/auth-rsa.c
111=================================================================== 111===================================================================
112--- a/auth-rsa.c 112--- a/auth-rsa.c
113+++ b/auth-rsa.c 113+++ b/auth-rsa.c
114@@ -94,7 +94,7 @@ 114@@ -247,7 +247,7 @@
115 MD5_CTX md; 115 file, linenum, BN_num_bits(key->rsa->n), bits);
116 int len;
117 116
118- if (auth_key_is_revoked(key)) 117 /* Never accept a revoked key */
119+ if (auth_key_is_revoked(key, 0)) 118- if (auth_key_is_revoked(key))
120 return 0; 119+ if (auth_key_is_revoked(key, 0))
120 break;
121 121
122 /* don't allow short keys */ 122 /* We have found the desired key. */
123Index: b/auth.c 123Index: b/auth.c
124=================================================================== 124===================================================================
125--- a/auth.c 125--- a/auth.c
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -615,10 +616,34 @@ 135@@ -621,10 +622,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -223,7 +223,7 @@ Index: b/authfile.c
223 223
224 /* Version identification string for SSH v1 identity files. */ 224 /* Version identification string for SSH v1 identity files. */
225 static const char authfile_id_string[] = 225 static const char authfile_id_string[] =
226@@ -814,3 +815,140 @@ 226@@ -906,3 +907,140 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
@@ -390,7 +390,7 @@ Index: b/pathnames.h
390 #ifndef _PATH_SSH_PIDDIR 390 #ifndef _PATH_SSH_PIDDIR
391 #define _PATH_SSH_PIDDIR "/var/run" 391 #define _PATH_SSH_PIDDIR "/var/run"
392 #endif 392 #endif
393@@ -43,6 +47,9 @@ 393@@ -44,6 +48,9 @@
394 /* Backwards compatibility */ 394 /* Backwards compatibility */
395 #define _PATH_DH_PRIMES SSHDIR "/primes" 395 #define _PATH_DH_PRIMES SSHDIR "/primes"
396 396
@@ -404,7 +404,7 @@ Index: b/readconf.c
404=================================================================== 404===================================================================
405--- a/readconf.c 405--- a/readconf.c
406+++ b/readconf.c 406+++ b/readconf.c
407@@ -123,6 +123,7 @@ 407@@ -125,6 +125,7 @@
408 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 408 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
409 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 409 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
410 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 410 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +412,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 413 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -154,6 +155,7 @@ 415@@ -158,6 +159,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 416 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 418 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 420 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 421 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -479,6 +481,10 @@ 423@@ -486,6 +488,10 @@
424 intptr = &options->challenge_response_authentication; 424 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 425 goto parse_flag;
426 426
@@ -431,7 +431,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 431 case oGssAuthentication:
432 intptr = &options->gss_authentication; 432 intptr = &options->gss_authentication;
433 goto parse_flag; 433 goto parse_flag;
434@@ -1093,6 +1099,7 @@ 434@@ -1134,6 +1140,7 @@
435 options->kbd_interactive_devices = NULL; 435 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 436 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 437 options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 439 options->batch_mode = -1;
440 options->check_host_ip = -1; 440 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 441 options->strict_host_key_checking = -1;
442@@ -1201,6 +1208,8 @@ 442@@ -1245,6 +1252,8 @@
443 options->rhosts_rsa_authentication = 0; 443 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 444 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 445 options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
452=================================================================== 452===================================================================
453--- a/readconf.h 453--- a/readconf.h
454+++ b/readconf.h 454+++ b/readconf.h
455@@ -56,6 +56,7 @@ 455@@ -57,6 +57,7 @@
456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
458 int zero_knowledge_password_authentication; /* Try jpake */ 458 int zero_knowledge_password_authentication; /* Try jpake */
@@ -464,7 +464,7 @@ Index: b/servconf.c
464=================================================================== 464===================================================================
465--- a/servconf.c 465--- a/servconf.c
466+++ b/servconf.c 466+++ b/servconf.c
467@@ -100,6 +100,7 @@ 467@@ -104,6 +104,7 @@
468 options->password_authentication = -1; 468 options->password_authentication = -1;
469 options->kbd_interactive_authentication = -1; 469 options->kbd_interactive_authentication = -1;
470 options->challenge_response_authentication = -1; 470 options->challenge_response_authentication = -1;
@@ -472,7 +472,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 472 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 473 options->permit_user_env = -1;
474 options->use_login = -1; 474 options->use_login = -1;
475@@ -232,6 +233,8 @@ 475@@ -243,6 +244,8 @@
476 options->kbd_interactive_authentication = 0; 476 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 477 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 478 options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 481 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 482 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 483 if (options->permit_user_env == -1)
484@@ -307,7 +310,7 @@ 484@@ -322,7 +325,7 @@
485 sListenAddress, sAddressFamily, 485 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 486 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -416,6 +419,7 @@ 493@@ -432,6 +435,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1011,6 +1015,10 @@ 501@@ -1029,6 +1033,10 @@
502 intptr = &options->tcp_keep_alive; 502 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 503 goto parse_flag;
504 504
@@ -509,7 +509,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 509 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 510 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 511 goto parse_flag;
512@@ -1708,6 +1716,7 @@ 512@@ -1757,6 +1765,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 514 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +521,7 @@ Index: b/servconf.h
521=================================================================== 521===================================================================
522--- a/servconf.h 522--- a/servconf.h
523+++ b/servconf.h 523+++ b/servconf.h
524@@ -104,6 +104,7 @@ 524@@ -107,6 +107,7 @@
525 int challenge_response_authentication; 525 int challenge_response_authentication;
526 int zero_knowledge_password_authentication; 526 int zero_knowledge_password_authentication;
527 /* If true, permit jpake auth */ 527 /* If true, permit jpake auth */
@@ -533,7 +533,7 @@ Index: b/ssh-add.1
533=================================================================== 533===================================================================
534--- a/ssh-add.1 534--- a/ssh-add.1
535+++ b/ssh-add.1 535+++ b/ssh-add.1
536@@ -82,6 +82,10 @@ 536@@ -81,6 +81,10 @@
537 .Nm 537 .Nm
538 to work. 538 to work.
539 .Pp 539 .Pp
@@ -544,7 +544,7 @@ Index: b/ssh-add.1
544 The options are as follows: 544 The options are as follows:
545 .Bl -tag -width Ds 545 .Bl -tag -width Ds
546 .It Fl c 546 .It Fl c
547@@ -182,6 +186,7 @@ 547@@ -183,6 +187,7 @@
548 .Xr ssh 1 , 548 .Xr ssh 1 ,
549 .Xr ssh-agent 1 , 549 .Xr ssh-agent 1 ,
550 .Xr ssh-keygen 1 , 550 .Xr ssh-keygen 1 ,
@@ -556,7 +556,7 @@ Index: b/ssh-add.c
556=================================================================== 556===================================================================
557--- a/ssh-add.c 557--- a/ssh-add.c
558+++ b/ssh-add.c 558+++ b/ssh-add.c
559@@ -139,7 +139,7 @@ 559@@ -142,7 +142,7 @@
560 add_file(AuthenticationConnection *ac, const char *filename) 560 add_file(AuthenticationConnection *ac, const char *filename)
561 { 561 {
562 Key *private, *cert; 562 Key *private, *cert;
@@ -565,7 +565,7 @@ Index: b/ssh-add.c
565 char msg[1024], *certpath; 565 char msg[1024], *certpath;
566 int fd, perms_ok, ret = -1; 566 int fd, perms_ok, ret = -1;
567 567
568@@ -184,6 +184,14 @@ 568@@ -187,6 +187,14 @@
569 "Bad passphrase, try again for %.200s: ", comment); 569 "Bad passphrase, try again for %.200s: ", comment);
570 } 570 }
571 } 571 }
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
584=================================================================== 584===================================================================
585--- a/ssh-keygen.1 585--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 586+++ b/ssh-keygen.1
587@@ -669,6 +669,7 @@ 587@@ -659,6 +659,7 @@
588 .Xr ssh 1 , 588 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 589 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 590 .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
1236=================================================================== 1236===================================================================
1237--- a/ssh.1 1237--- a/ssh.1
1238+++ b/ssh.1 1238+++ b/ssh.1
1239@@ -1392,6 +1392,7 @@ 1239@@ -1402,6 +1402,7 @@
1240 .Xr ssh-agent 1 , 1240 .Xr ssh-agent 1 ,
1241 .Xr ssh-keygen 1 , 1241 .Xr ssh-keygen 1 ,
1242 .Xr ssh-keyscan 1 , 1242 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
1248=================================================================== 1248===================================================================
1249--- a/ssh.c 1249--- a/ssh.c
1250+++ b/ssh.c 1250+++ b/ssh.c
1251@@ -1422,7 +1422,7 @@ 1251@@ -1448,7 +1448,7 @@
1252 static void 1252 static void
1253 load_public_identity_files(void) 1253 load_public_identity_files(void)
1254 { 1254 {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
1257 char *pwdir = NULL, *pwname = NULL; 1257 char *pwdir = NULL, *pwname = NULL;
1258 int i = 0; 1258 int i = 0;
1259 Key *public; 1259 Key *public;
1260@@ -1479,6 +1479,22 @@ 1260@@ -1505,6 +1505,22 @@
1261 public = key_load_public(filename, NULL); 1261 public = key_load_public(filename, NULL);
1262 debug("identity file %s type %d", filename, 1262 debug("identity file %s type %d", filename,
1263 public ? public->type : -1); 1263 public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
1284=================================================================== 1284===================================================================
1285--- a/ssh_config.5 1285--- a/ssh_config.5
1286+++ b/ssh_config.5 1286+++ b/ssh_config.5
1287@@ -1082,6 +1082,23 @@ 1287@@ -1146,6 +1146,23 @@
1288 .Dq any . 1288 .Dq any .
1289 The default is 1289 The default is
1290 .Dq any:any . 1290 .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
1312=================================================================== 1312===================================================================
1313--- a/sshconnect2.c 1313--- a/sshconnect2.c
1314+++ b/sshconnect2.c 1314+++ b/sshconnect2.c
1315@@ -1421,6 +1421,8 @@ 1315@@ -1488,6 +1488,8 @@
1316 1316
1317 /* list of keys stored in the filesystem */ 1317 /* list of keys stored in the filesystem */
1318 for (i = 0; i < options.num_identity_files; i++) { 1318 for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,7 +1321,7 @@ Index: b/sshconnect2.c
1321 key = options.identity_keys[i]; 1321 key = options.identity_keys[i];
1322 if (key && key->type == KEY_RSA1) 1322 if (key && key->type == KEY_RSA1)
1323 continue; 1323 continue;
1324@@ -1514,7 +1516,7 @@ 1324@@ -1581,7 +1583,7 @@
1325 debug("Offering %s public key: %s", key_type(id->key), 1325 debug("Offering %s public key: %s", key_type(id->key),
1326 id->filename); 1326 id->filename);
1327 sent = send_pubkey_test(authctxt, id); 1327 sent = send_pubkey_test(authctxt, id);
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
1334=================================================================== 1334===================================================================
1335--- a/sshd.8 1335--- a/sshd.8
1336+++ b/sshd.8 1336+++ b/sshd.8
1337@@ -938,6 +938,7 @@ 1337@@ -945,6 +945,7 @@
1338 .Xr ssh-agent 1 , 1338 .Xr ssh-agent 1 ,
1339 .Xr ssh-keygen 1 , 1339 .Xr ssh-keygen 1 ,
1340 .Xr ssh-keyscan 1 , 1340 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
1346=================================================================== 1346===================================================================
1347--- a/sshd.c 1347--- a/sshd.c
1348+++ b/sshd.c 1348+++ b/sshd.c
1349@@ -1573,6 +1573,11 @@ 1349@@ -1576,6 +1576,11 @@
1350 sensitive_data.host_keys[i] = NULL; 1350 sensitive_data.host_keys[i] = NULL;
1351 continue; 1351 continue;
1352 } 1352 }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
1362=================================================================== 1362===================================================================
1363--- a/sshd_config.5 1363--- a/sshd_config.5
1364+++ b/sshd_config.5 1364+++ b/sshd_config.5
1365@@ -743,6 +743,20 @@ 1365@@ -792,6 +792,20 @@
1366 Specifies whether password authentication is allowed. 1366 Specifies whether password authentication is allowed.
1367 The default is 1367 The default is
1368 .Dq yes . 1368 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index dac1ca1cc..5f1caddc9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -12,11 +12,11 @@ Index: b/clientloop.c
12 server_alive_check(void) 12 server_alive_check(void)
13 { 13 {
14- if (packet_inc_alive_timeouts() > options.server_alive_count_max) { 14- if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
15- logit("Timeout, server not responding."); 15- logit("Timeout, server %s not responding.", host);
16- cleanup_exit(255); 16- cleanup_exit(255);
17+ if (compat20) { 17+ if (compat20) {
18+ if (packet_inc_alive_timeouts() > options.server_alive_count_max) { 18+ if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
19+ logit("Timeout, server not responding."); 19+ logit("Timeout, server %s not responding.", host);
20+ cleanup_exit(255); 20+ cleanup_exit(255);
21+ } 21+ }
22+ packet_start(SSH2_MSG_GLOBAL_REQUEST); 22+ packet_start(SSH2_MSG_GLOBAL_REQUEST);
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -983,7 +983,10 @@ 54@@ -1047,7 +1047,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3cb9fdc65..9b560217f 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -26,7 +26,7 @@ Index: b/ssh.c
26=================================================================== 26===================================================================
27--- a/ssh.c 27--- a/ssh.c
28+++ b/ssh.c 28+++ b/ssh.c
29@@ -642,7 +642,7 @@ 29@@ -641,7 +641,7 @@
30 tty_flag = 0; 30 tty_flag = 0;
31 /* Do not allocate a tty if stdin is not a tty. */ 31 /* Do not allocate a tty if stdin is not a tty. */
32 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { 32 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 69700e592..fe2d99be0 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -15,7 +15,7 @@ Index: b/readconf.c
15=================================================================== 15===================================================================
16--- a/readconf.c 16--- a/readconf.c
17+++ b/readconf.c 17+++ b/readconf.c
18@@ -28,6 +28,8 @@ 18@@ -30,6 +30,8 @@
19 #include <stdio.h> 19 #include <stdio.h>
20 #include <string.h> 20 #include <string.h>
21 #include <unistd.h> 21 #include <unistd.h>
@@ -24,7 +24,7 @@ Index: b/readconf.c
24 24
25 #include "xmalloc.h" 25 #include "xmalloc.h"
26 #include "ssh.h" 26 #include "ssh.h"
27@@ -1045,8 +1047,7 @@ 27@@ -1085,8 +1087,7 @@
28 28
29 if (fstat(fileno(f), &sb) == -1) 29 if (fstat(fileno(f), &sb) == -1)
30 fatal("fstat %s: %s", filename, strerror(errno)); 30 fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,20 +38,20 @@ Index: b/ssh.1
38=================================================================== 38===================================================================
39--- a/ssh.1 39--- a/ssh.1
40+++ b/ssh.1 40+++ b/ssh.1
41@@ -1290,6 +1290,8 @@ 41@@ -1293,6 +1293,8 @@
42 .Xr ssh_config 5 . 42 .Xr ssh_config 5 .
43 Because of the potential for abuse, this file must have strict permissions: 43 Because of the potential for abuse, this file must have strict permissions:
44 read/write for the user, and not accessible by others. 44 read/write for the user, and not accessible by others.
45+It may be group-writable provided that the group in question contains only 45+It may be group-writable provided that the group in question contains only
46+the user. 46+the user.
47 .Pp 47 .Pp
48 .It ~/.ssh/environment 48 .It Pa ~/.ssh/environment
49 Contains additional definitions for environment variables; see 49 Contains additional definitions for environment variables; see
50Index: b/ssh_config.5 50Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1235,6 +1235,8 @@ 54@@ -1299,6 +1299,8 @@
55 This file is used by the SSH client. 55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions: 56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others. 57 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
64=================================================================== 64===================================================================
65--- a/auth.c 65--- a/auth.c
66+++ b/auth.c 66+++ b/auth.c
67@@ -393,8 +393,7 @@ 67@@ -392,8 +392,7 @@
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 69 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 70 (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 74 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 75 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 76 pw->pw_name, user_hostfile);
77@@ -448,8 +447,7 @@ 77@@ -454,8 +453,7 @@
78 78
79 /* check the open file to avoid races */ 79 /* check the open file to avoid races */
80 if (fstat(fileno(f), &st) < 0 || 80 if (fstat(fileno(f), &st) < 0 ||
@@ -84,7 +84,7 @@ Index: b/auth.c
84 snprintf(err, errlen, "bad ownership or modes for file %s", 84 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 85 buf);
86 return -1; 86 return -1;
87@@ -465,8 +463,7 @@ 87@@ -471,8 +469,7 @@
88 88
89 debug3("secure_filename: checking '%s'", buf); 89 debug3("secure_filename: checking '%s'", buf);
90 if (stat(buf, &st) < 0 || 90 if (stat(buf, &st) < 0 ||
@@ -98,7 +98,7 @@ Index: b/misc.c
98=================================================================== 98===================================================================
99--- a/misc.c 99--- a/misc.c
100+++ b/misc.c 100+++ b/misc.c
101@@ -45,8 +45,9 @@ 101@@ -48,8 +48,9 @@
102 #include <netdb.h> 102 #include <netdb.h>
103 #ifdef HAVE_PATHS_H 103 #ifdef HAVE_PATHS_H
104 # include <paths.h> 104 # include <paths.h>
@@ -109,7 +109,7 @@ Index: b/misc.c
109 #ifdef SSH_TUN_OPENBSD 109 #ifdef SSH_TUN_OPENBSD
110 #include <net/if.h> 110 #include <net/if.h>
111 #endif 111 #endif
112@@ -639,6 +640,55 @@ 112@@ -642,6 +643,55 @@
113 } 113 }
114 114
115 int 115 int
@@ -169,7 +169,7 @@ Index: b/misc.h
169=================================================================== 169===================================================================
170--- a/misc.h 170--- a/misc.h
171+++ b/misc.h 171+++ b/misc.h
172@@ -92,4 +92,6 @@ 172@@ -102,4 +102,6 @@
173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 173 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 174 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
175 175