summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/NEWS31
-rw-r--r--debian/changelog118
-rw-r--r--debian/patches/auth-log-verbosity.patch38
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/debian-banner.patch54
-rw-r--r--debian/patches/debian-config.patch46
-rw-r--r--debian/patches/dnssec-sshfp.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/doc-upstart.patch6
-rw-r--r--debian/patches/fix-putty-interop-tests.patch113
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch6
-rw-r--r--debian/patches/gssapi.patch318
-rw-r--r--debian/patches/helpful-wait-terminate.patch26
-rw-r--r--debian/patches/keepalive-extensions.patch26
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch12
-rw-r--r--debian/patches/openbsd-docs.patch22
-rw-r--r--debian/patches/package-versioning.patch20
-rw-r--r--debian/patches/quieter-signals.patch6
-rw-r--r--debian/patches/restore-tcp-wrappers.patch26
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/selinux-role.patch151
-rw-r--r--debian/patches/series3
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch8
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch14
-rw-r--r--debian/patches/unregister-kexinit.patch34
-rw-r--r--debian/patches/user-group-modes.patch40
-rwxr-xr-xdebian/rules7
34 files changed, 570 insertions, 637 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index a3594adbc..5452ac780 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
29c88f6248e9da14cb7916527862f2eac7f55b12a 22103d3e5566c54e08a59be750579a249e46747d7
39c88f6248e9da14cb7916527862f2eac7f55b12a 32103d3e5566c54e08a59be750579a249e46747d7
4a8ed8d256b2e2c05b0c15565a7938028c5192277 4971a7653746a6972b907dfe0ce139c06e4a6f482
5a8ed8d256b2e2c05b0c15565a7938028c5192277 5971a7653746a6972b907dfe0ce139c06e4a6f482
6openssh_7.3p1.orig.tar.gz 6openssh_7.4p1.orig.tar.gz
7bfade84283fcba885e2084343ab19a08c7d123a5 72330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
81522617 81511780
diff --git a/debian/NEWS b/debian/NEWS
index 6f4564ba7..3a331e1fd 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,34 @@
1openssh (1:7.4p1-1) UNRELEASED; urgency=medium
2
3 OpenSSH 7.4 includes a number of changes that may affect existing
4 configurations:
5
6 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
7 block ciphers are not safe in 2016 and we don't want to wait until
8 attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
9 mandatory cipher in the SSH RFCs, this may cause problems connecting to
10 older devices using the default configuration, but it's highly likely
11 that such devices already need explicit configuration for key exchange
12 and hostkey algorithms already anyway.
13 * sshd(8): Remove support for pre-authentication compression. Doing
14 compression early in the protocol probably seemed reasonable in the
15 1990s, but today it's clearly a bad idea in terms of both cryptography
16 (cf. multiple compression oracle attacks in TLS) and attack surface.
17 Pre-auth compression support has been disabled by default for >10
18 years. Support remains in the client.
19 * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
20 trusted paths by default. The path whitelist may be specified at
21 run-time.
22 * sshd(8): When a forced-command appears in both a certificate and an
23 authorized keys/principals command= restriction, sshd will now refuse
24 to accept the certificate unless they are identical. The previous
25 (documented) behaviour of having the certificate forced-command
26 override the other could be a bit confusing and error-prone.
27 * sshd(8): Remove the UseLogin configuration directive and support for
28 having /bin/login manage login sessions.
29
30 -- Colin Watson <cjwatson@debian.org> Tue, 20 Dec 2016 22:21:15 +0000
31
1openssh (1:7.2p1-1) unstable; urgency=medium 32openssh (1:7.2p1-1) unstable; urgency=medium
2 33
3 OpenSSH 7.2 disables a number of legacy cryptographic algorithms by 34 OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
diff --git a/debian/changelog b/debian/changelog
index 8e094ecdb..c2065c580 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,119 @@
1openssh (1:7.3p1-6) UNRELEASED; urgency=medium 1openssh (1:7.4p1-1) UNRELEASED; urgency=medium
2 2
3 * New upstream release (http://www.openssh.com/txt/release-7.4):
4 - ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
5 block ciphers are not safe in 2016 and we don't want to wait until
6 attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
7 mandatory cipher in the SSH RFCs, this may cause problems connecting
8 to older devices using the default configuration, but it's highly
9 likely that such devices already need explicit configuration for key
10 exchange and hostkey algorithms already anyway.
11 - sshd(8): When a forced-command appears in both a certificate and an
12 authorized keys/principals command= restriction, sshd will now refuse
13 to accept the certificate unless they are identical. The previous
14 (documented) behaviour of having the certificate forced-command
15 override the other could be a bit confusing and error-prone.
16 - sshd(8): Remove the UseLogin configuration directive and support for
17 having /bin/login manage login sessions.
18 - CVE-2016-10009: ssh-agent(1): Will now refuse to load PKCS#11 modules
19 from paths outside a trusted whitelist (run-time configurable).
20 Requests to load modules could be passed via agent forwarding and an
21 attacker could attempt to load a hostile PKCS#11 module across the
22 forwarded agent channel: PKCS#11 modules are shared libraries, so this
23 would result in code execution on the system running the ssh-agent if
24 the attacker has control of the forwarded agent-socket (on the host
25 running the sshd server) and the ability to write to the filesystem of
26 the host running ssh-agent (usually the host running the ssh client)
27 (closes: #848714).
28 - CVE-2016-10010: sshd(8): When privilege separation is disabled,
29 forwarded Unix-domain sockets would be created by sshd(8) with the
30 privileges of 'root' instead of the authenticated user. This release
31 refuses Unix-domain socket forwarding when privilege separation is
32 disabled (Privilege separation has been enabled by default for 14
33 years) (closes: #848715).
34 - CVE-2016-10011: sshd(8): Avoid theoretical leak of host private key
35 material to privilege-separated child processes via realloc() when
36 reading keys. No such leak was observed in practice for normal-sized
37 keys, nor does a leak to the child processes directly expose key
38 material to unprivileged users (closes: #848716).
39 - CVE-2016-10012: sshd(8): The shared memory manager used by
40 pre-authentication compression support had a bounds checks that could
41 be elided by some optimising compilers. Additionally, this memory
42 manager was incorrectly accessible when pre-authentication compression
43 was disabled. This could potentially allow attacks against the
44 privileged monitor process from the sandboxed privilege-separation
45 process (a compromise of the latter would be required first). This
46 release removes support for pre-authentication compression from
47 sshd(8) (closes: #848717).
48 - SECURITY: sshd(8): Validate address ranges for AllowUser and DenyUsers
49 directives at configuration load time and refuse to accept invalid
50 ones. It was previously possible to specify invalid CIDR address
51 ranges (e.g. user@127.1.2.3/55) and these would always match, possibly
52 resulting in granting access where it was not intended.
53 - ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
54 version in PuTTY by Simon Tatham. This allows a multiplexing client
55 to communicate with the master process using a subset of the SSH
56 packet and channels protocol over a Unix-domain socket, with the main
57 process acting as a proxy that translates channel IDs, etc. This
58 allows multiplexing mode to run on systems that lack file-descriptor
59 passing (used by current multiplexing code) and potentially, in
60 conjunction with Unix-domain socket forwarding, with the client and
61 multiplexing master process on different machines. Multiplexing proxy
62 mode may be invoked using "ssh -O proxy ...".
63 - sshd(8): Add a sshd_config DisableForwarding option that disables X11,
64 agent, TCP, tunnel and Unix domain socket forwarding, as well as
65 anything else we might implement in the future. Like the 'restrict'
66 authorized_keys flag, this is intended to be a simple and future-proof
67 way of restricting an account.
68 - sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method.
69 This is identical to the currently-supported method named
70 "curve25519-sha256@libssh.org".
71 - sshd(8): Improve handling of SIGHUP by checking to see if sshd is
72 already daemonised at startup and skipping the call to daemon(3) if it
73 is. This ensures that a SIGHUP restart of sshd(8) will retain the
74 same process-ID as the initial execution. sshd(8) will also now
75 unlink the PidFile prior to SIGHUP restart and re-create it after a
76 successful restart, rather than leaving a stale file in the case of a
77 configuration error.
78 - sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives
79 to appear in sshd_config Match blocks.
80 - sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those
81 supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.)
82 and a few more to provide access to the contents of the certificate
83 being offered.
84 - ssh(1): Allow IdentityFile to successfully load and use certificates
85 that have no corresponding bare public key.
86 - ssh(1): Fix public key authentication when multiple authentication is
87 in use and publickey is not just the first method attempted.
88 - ssh(1): Improve reporting when attempting to load keys from PKCS#11
89 tokens with fewer useless log messages and more detail in debug
90 messages.
91 - ssh(1): When tearing down ControlMaster connections, don't pollute
92 stderr when LogLevel=quiet.
93 - sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending
94 sftp(1) to ensure that ssh(1) restores the terminal mode correctly if
95 suspended during a password prompt.
96 - ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
97 prompt (LP: #1646813).
98 - ssh(1), sshd(8): Correctly report errors during sending of ext-info
99 messages.
100 - sshd(8): Fix NULL-deref crash if sshd(8) received an out-of-sequence
101 NEWKEYS message.
102 - sshd(8): Correct list of supported signature algorithms sent in the
103 server-sig-algs extension.
104 - sshd(8): Fix sending ext_info message if privsep is disabled.
105 - sshd(8): More strictly enforce the expected ordering of privilege
106 separation monitor calls used for authentication and allow them only
107 when their respective authentication methods are enabled in the
108 configuration.
109 - sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
110 configuration examples.
111 - On environments configured with Turkish locales, fall back to the
112 C/POSIX locale to avoid errors in configuration parsing caused by that
113 locale's unique handling of the letters 'i' and 'I' (LP: #1638338).
114 - contrib: Add a gnome-ssh-askpass3 with GTK+3 support.
115 - sshd(8): Improve PRNG reseeding across privilege separation and force
116 libcrypto to obtain a high-quality seed before chroot or sandboxing.
3 * Apply "wrap-and-sort -at -f debian/control -f debian/tests/control". 117 * Apply "wrap-and-sort -at -f debian/control -f debian/tests/control".
4 118
5 -- Colin Watson <cjwatson@debian.org> Mon, 05 Dec 2016 19:31:33 +0000 119 -- Colin Watson <cjwatson@debian.org> Mon, 05 Dec 2016 19:31:33 +0000
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 7abed3704..55c5e84ff 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From b4b79ae5a16f73426b54c6394a29b2b49da4dc16 Mon Sep 17 00:00:00 2001 1From 69e0307a3bc73d5d360c19aeb61133c126cf63bf Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -11,12 +11,11 @@ Patch-Name: auth-log-verbosity.patch
11--- 11---
12 auth-options.c | 35 ++++++++++++++++++++++++++--------- 12 auth-options.c | 35 ++++++++++++++++++++++++++---------
13 auth-options.h | 1 + 13 auth-options.h | 1 +
14 auth-rsa.c | 2 ++
15 auth2-pubkey.c | 3 +++ 14 auth2-pubkey.c | 3 +++
16 4 files changed, 32 insertions(+), 9 deletions(-) 15 3 files changed, 30 insertions(+), 9 deletions(-)
17 16
18diff --git a/auth-options.c b/auth-options.c 17diff --git a/auth-options.c b/auth-options.c
19index b399b91..a9d9a81 100644 18index 57b49f7f..7eb87b35 100644
20--- a/auth-options.c 19--- a/auth-options.c
21+++ b/auth-options.c 20+++ b/auth-options.c
22@@ -59,9 +59,20 @@ int forced_tun_device = -1; 21@@ -59,9 +59,20 @@ int forced_tun_device = -1;
@@ -79,7 +78,7 @@ index b399b91..a9d9a81 100644
79 "is not permitted to use this " 78 "is not permitted to use this "
80 "certificate for login.", 79 "certificate for login.",
81diff --git a/auth-options.h b/auth-options.h 80diff --git a/auth-options.h b/auth-options.h
82index 34852e5..1653855 100644 81index 52cbb42a..82355276 100644
83--- a/auth-options.h 82--- a/auth-options.h
84+++ b/auth-options.h 83+++ b/auth-options.h
85@@ -33,6 +33,7 @@ extern int forced_tun_device; 84@@ -33,6 +33,7 @@ extern int forced_tun_device;
@@ -89,22 +88,9 @@ index 34852e5..1653855 100644
89+void auth_start_parse_options(void); 88+void auth_start_parse_options(void);
90 int auth_parse_options(struct passwd *, char *, char *, u_long); 89 int auth_parse_options(struct passwd *, char *, char *, u_long);
91 void auth_clear_options(void); 90 void auth_clear_options(void);
92 int auth_cert_options(struct sshkey *, struct passwd *); 91 int auth_cert_options(struct sshkey *, struct passwd *, const char **);
93diff --git a/auth-rsa.c b/auth-rsa.c
94index cbd971b..4cf2163 100644
95--- a/auth-rsa.c
96+++ b/auth-rsa.c
97@@ -181,6 +181,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
99 return 0;
100
101+ auth_start_parse_options();
102+
103 /*
104 * Go though the accepted keys, looking for the current key. If
105 * found, perform a challenge-response dialog to verify that the
106diff --git a/auth2-pubkey.c b/auth2-pubkey.c 92diff --git a/auth2-pubkey.c b/auth2-pubkey.c
107index 41b34ae..aace7ca 100644 93index 20f3309e..add77136 100644
108--- a/auth2-pubkey.c 94--- a/auth2-pubkey.c
109+++ b/auth2-pubkey.c 95+++ b/auth2-pubkey.c
110@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, 96@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
@@ -115,19 +101,19 @@ index 41b34ae..aace7ca 100644
115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 101 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
116 /* Skip leading whitespace. */ 102 /* Skip leading whitespace. */
117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 103 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
118@@ -731,6 +732,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) 104@@ -764,6 +765,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
119 found_key = 0; 105 found_key = 0;
120 106
121 found = NULL; 107 found = NULL;
122+ auth_start_parse_options(); 108+ auth_start_parse_options();
123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 109 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
124 char *cp, *key_options = NULL; 110 char *cp, *key_options = NULL, *fp = NULL;
125 if (found != NULL) 111 const char *reason = NULL;
126@@ -878,6 +880,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) 112@@ -911,6 +913,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
127 if (key_cert_check_authority(key, 0, 1, 113 if (key_cert_check_authority(key, 0, 1,
128 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 114 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
129 goto fail_reason; 115 goto fail_reason;
130+ auth_start_parse_options(); 116+ auth_start_parse_options();
131 if (auth_cert_options(key, pw) != 0) 117 if (auth_cert_options(key, pw, &reason) != 0)
132 goto out; 118 goto fail_reason;
133 119
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index d75494fa6..145e667ba 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 724283a55e8928a5564722ebe9c133033b51809d Mon Sep 17 00:00:00 2001 1From 59a369094592ce96510bb421d6e494b6f36eb7b7 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 51817df..21948dd 100644 16index 00a320e1..a6eb81ec 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -327,6 +327,7 @@ install-files: 19@@ -335,6 +335,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index cf4bfad50..ad842c23f 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 277ad2acedde81dce324e711da116d100b47f445 Mon Sep 17 00:00:00 2001 1From 02a077d3c8f8491d277b2291d5ae538379c7ed44 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -19,43 +19,43 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index bf9f8f7..a98b309 100644 22index 49d3bdc8..1cee3d6c 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options) 25@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
26 options->ip_qos_bulk = -1;
27 options->version_addendum = NULL; 26 options->version_addendum = NULL;
28 options->fingerprint_hash = -1; 27 options->fingerprint_hash = -1;
28 options->disable_forwarding = -1;
29+ options->debian_banner = -1; 29+ options->debian_banner = -1;
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -339,6 +340,8 @@ fill_default_server_options(ServerOptions *options)
34 options->fwd_opts.streamlocal_bind_unlink = 0;
35 if (options->fingerprint_hash == -1)
36 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 34 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
35 if (options->disable_forwarding == -1)
36 options->disable_forwarding = 0;
37+ if (options->debian_banner == -1) 37+ if (options->debian_banner == -1)
38+ options->debian_banner = 1; 38+ options->debian_banner = 1;
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -445,6 +448,7 @@ typedef enum { 42@@ -425,6 +428,7 @@ typedef enum {
43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sStreamLocalBindMask, sStreamLocalBindUnlink, 44 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAllowStreamLocalForwarding, sFingerprintHash, 45 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
46+ sDebianBanner, 46+ sDebianBanner,
47 sDeprecated, sUnsupported 47 sDeprecated, sIgnore, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -596,6 +600,7 @@ static struct { 50@@ -577,6 +581,7 @@ static struct {
51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 51 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 52 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
53 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1903,6 +1908,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1860,6 +1865,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 options->fingerprint_hash = value; 59 options->fingerprint_hash = value;
60 break; 60 break;
61 61
@@ -64,13 +64,13 @@ index bf9f8f7..a98b309 100644
64+ goto parse_int; 64+ goto parse_int;
65+ 65+
66 case sDeprecated: 66 case sDeprecated:
67 logit("%s line %d: Deprecated option %s", 67 case sIgnore:
68 filename, linenum, arg); 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 778ba17..161fa37 100644 70index 90dfa4c2..913a21b3 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -197,6 +197,8 @@ typedef struct { 73@@ -191,6 +191,8 @@ typedef struct {
74 char *auth_methods[MAX_AUTH_METHODS]; 74 char *auth_methods[MAX_AUTH_METHODS];
75 75
76 int fingerprint_hash; 76 int fingerprint_hash;
@@ -80,32 +80,32 @@ index 778ba17..161fa37 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index e873557..71fad9e 100644 83index 39e4699c..747beec8 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -443,7 +443,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
87 } 87 char remote_version[256]; /* Must be at least as big as buf. */
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
90- major, minor, SSH_RELEASE, 90- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
91+ major, minor, 91+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
92+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, 92+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
93 *options.version_addendum == '\0' ? "" : " ", 93 *options.version_addendum == '\0' ? "" : " ",
94 options.version_addendum, newline); 94 options.version_addendum, newline);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index e05cdbe..ac9b1f0 100644 97index 283ba889..4ea0a9c3 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -541,6 +541,11 @@ or 100@@ -526,6 +526,11 @@ or
101 .Dq no . 101 .Cm no .
102 The default is 102 The default is
103 .Dq delayed . 103 .Cm yes .
104+.It Cm DebianBanner 104+.It Cm DebianBanner
105+Specifies whether the distribution-specified extra version suffix is 105+Specifies whether the distribution-specified extra version suffix is
106+included during initial protocol handshake. 106+included during initial protocol handshake.
107+The default is 107+The default is
108+.Dq yes . 108+.Cm yes .
109 .It Cm DenyGroups 109 .It Cm DenyGroups
110 This keyword can be followed by a list of group name patterns, separated 110 This keyword can be followed by a list of group name patterns, separated
111 by spaces. 111 by spaces.
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 1d9efcbbf..8129c1e58 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 4c914ccd85bbf391c4dc61b85e3c178fef465e3f Mon Sep 17 00:00:00 2001 1From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -32,10 +32,10 @@ Patch-Name: debian-config.patch
32 6 files changed, 72 insertions(+), 4 deletions(-) 32 6 files changed, 72 insertions(+), 4 deletions(-)
33 33
34diff --git a/readconf.c b/readconf.c 34diff --git a/readconf.c b/readconf.c
35index f6b4c8f..5cd51f3 100644 35index c02cdf63..d1091cbd 100644
36--- a/readconf.c 36--- a/readconf.c
37+++ b/readconf.c 37+++ b/readconf.c
38@@ -1928,7 +1928,7 @@ fill_default_options(Options * options) 38@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
39 if (options->forward_x11 == -1) 39 if (options->forward_x11 == -1)
40 options->forward_x11 = 0; 40 options->forward_x11 = 0;
41 if (options->forward_x11_trusted == -1) 41 if (options->forward_x11_trusted == -1)
@@ -45,7 +45,7 @@ index f6b4c8f..5cd51f3 100644
45 options->forward_x11_timeout = 1200; 45 options->forward_x11_timeout = 1200;
46 /* 46 /*
47diff --git a/ssh.1 b/ssh.1 47diff --git a/ssh.1 b/ssh.1
48index 22e56a7..6aa57c4 100644 48index 22e56a7b..6aa57c46 100644
49--- a/ssh.1 49--- a/ssh.1
50+++ b/ssh.1 50+++ b/ssh.1
51@@ -785,6 +785,16 @@ directive in 51@@ -785,6 +785,16 @@ directive in
@@ -84,7 +84,7 @@ index 22e56a7..6aa57c4 100644
84 Send log information using the 84 Send log information using the
85 .Xr syslog 3 85 .Xr syslog 3
86diff --git a/ssh_config b/ssh_config 86diff --git a/ssh_config b/ssh_config
87index 4e879cd..5190b06 100644 87index 4e879cd2..5190b06b 100644
88--- a/ssh_config 88--- a/ssh_config
89+++ b/ssh_config 89+++ b/ssh_config
90@@ -17,9 +17,10 @@ 90@@ -17,9 +17,10 @@
@@ -108,7 +108,7 @@ index 4e879cd..5190b06 100644
108+ GSSAPIAuthentication yes 108+ GSSAPIAuthentication yes
109+ GSSAPIDelegateCredentials no 109+ GSSAPIDelegateCredentials no
110diff --git a/ssh_config.5 b/ssh_config.5 110diff --git a/ssh_config.5 b/ssh_config.5
111index 30c97a9..c967258 100644 111index 40617be4..8dce757e 100644
112--- a/ssh_config.5 112--- a/ssh_config.5
113+++ b/ssh_config.5 113+++ b/ssh_config.5
114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more 114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -131,24 +131,28 @@ index 30c97a9..c967258 100644
131+.Cm GSSAPIAuthentication No yes 131+.Cm GSSAPIAuthentication No yes
132+.El 132+.El
133+.Pp 133+.Pp
134 The configuration file has the following format: 134 The file contains keyword-argument pairs, one per line.
135 Lines starting with
136 .Ql #
137@@ -711,11 +727,12 @@ elapsed.
138 .It Cm ForwardX11Trusted
139 If this option is set to
140 .Cm yes ,
141+(the Debian-specific default),
142 remote X11 clients will have full access to the original X11 display.
135 .Pp 143 .Pp
136 Empty lines and lines starting with 144 If this option is set to
137@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes. 145 .Cm no
138 Remote clients will be refused access after this time. 146-(the default),
139 .Pp 147+(the upstream default),
140 The default is 148 remote X11 clients will be considered untrusted and prevented
141-.Dq no . 149 from stealing or tampering with data belonging to trusted X11
142+.Dq yes 150 clients.
143+(Debian-specific).
144 .Pp
145 See the X11 SECURITY extension specification for full details on
146 the restrictions imposed on untrusted clients.
147diff --git a/sshd_config b/sshd_config 151diff --git a/sshd_config b/sshd_config
148index 3fe3e01..ec8ff8f 100644 152index 00e5a728..c0b84f8e 100644
149--- a/sshd_config 153--- a/sshd_config
150+++ b/sshd_config 154+++ b/sshd_config
151@@ -124,7 +124,7 @@ AuthorizedKeysFile .ssh/authorized_keys 155@@ -111,7 +111,7 @@ AuthorizedKeysFile .ssh/authorized_keys
152 #Banner none 156 #Banner none
153 157
154 # override default of no subsystems 158 # override default of no subsystems
@@ -158,7 +162,7 @@ index 3fe3e01..ec8ff8f 100644
158 # Example of overriding settings on a per-user basis 162 # Example of overriding settings on a per-user basis
159 #Match User anoncvs 163 #Match User anoncvs
160diff --git a/sshd_config.5 b/sshd_config.5 164diff --git a/sshd_config.5 b/sshd_config.5
161index b2b349e..79f2d61 100644 165index e45a8937..d6911a98 100644
162--- a/sshd_config.5 166--- a/sshd_config.5
163+++ b/sshd_config.5 167+++ b/sshd_config.5
164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 168@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index e4498fb48..f85eaadd9 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 9d9a37bb0c2d7546253ff2b0b67e314d8475bfc7 Mon Sep 17 00:00:00 2001 1From cb15899de8dc5d2e8b3869d743307d252af69643 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,7 +18,7 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index e813afe..fce2e30 100644 21index e813afea..fce2e308 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
@@ -51,7 +51,7 @@ index e813afe..fce2e30 100644
51 verbose("DNS lookup error: %s", dns_result_totext(result)); 51 verbose("DNS lookup error: %s", dns_result_totext(result));
52 return -1; 52 return -1;
53diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c 53diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
54index dc6fe05..e061a29 100644 54index dc6fe053..e061a290 100644
55--- a/openbsd-compat/getrrsetbyname.c 55--- a/openbsd-compat/getrrsetbyname.c
56+++ b/openbsd-compat/getrrsetbyname.c 56+++ b/openbsd-compat/getrrsetbyname.c
57@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, 57@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
@@ -79,7 +79,7 @@ index dc6fe05..e061a29 100644
79 79
80 /* make query */ 80 /* make query */
81diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h 81diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
82index 1283f55..dbbc85a 100644 82index 1283f550..dbbc85a2 100644
83--- a/openbsd-compat/getrrsetbyname.h 83--- a/openbsd-compat/getrrsetbyname.h
84+++ b/openbsd-compat/getrrsetbyname.h 84+++ b/openbsd-compat/getrrsetbyname.h
85@@ -72,6 +72,9 @@ 85@@ -72,6 +72,9 @@
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 5f91cadfe..9d03ff54e 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From bfea780bba64294541d98efcc26b01392ff64c60 Mon Sep 17 00:00:00 2001 1From 9d1bb4df39e51955442e82d8764827abdd2651c9 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 5dd26bc..30c97a9 100644 16index f62ea6b8..40617be4 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -883,6 +883,9 @@ Note that existing names and addresses in known hosts files 19@@ -805,6 +805,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 8f093d80c..67906f19a 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From e4ba4e1616d372522de9e18f0973ed49a5521b95 Mon Sep 17 00:00:00 2001 1From d52a0f1744dde27a36c3ee8314fbbab8c1a2216f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,10 +12,10 @@ Patch-Name: doc-upstart.patch
12 1 file changed, 4 insertions(+), 1 deletion(-) 12 1 file changed, 4 insertions(+), 1 deletion(-)
13 13
14diff --git a/sshd.8 b/sshd.8 14diff --git a/sshd.8 b/sshd.8
15index 58eefe9..4e75567 100644 15index e6915141..38a72540 100644
16--- a/sshd.8 16--- a/sshd.8
17+++ b/sshd.8 17+++ b/sshd.8
18@@ -67,7 +67,10 @@ over an insecure network. 18@@ -65,7 +65,10 @@ over an insecure network.
19 .Nm 19 .Nm
20 listens for connections from clients. 20 listens for connections from clients.
21 It is normally started at boot from 21 It is normally started at boot from
diff --git a/debian/patches/fix-putty-interop-tests.patch b/debian/patches/fix-putty-interop-tests.patch
deleted file mode 100644
index c33c24acc..000000000
--- a/debian/patches/fix-putty-interop-tests.patch
+++ /dev/null
@@ -1,113 +0,0 @@
1From 9c88f6248e9da14cb7916527862f2eac7f55b12a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sat, 19 Nov 2016 16:02:49 +0000
4Subject: Fix PuTTY interop tests
5
6A while back I got a patch into PuTTY (although it hasn't yet made it
7into an upstream release) to add passphrase-file options to puttygen.
8Use these to make the PuTTY interop tests non-interactive.
9
10Fix up a few details of the saved session.
11
12When plink is given a saved session name, it expects that *instead* of
13the host name (or IP address), not in addition to it. Drop "127.0.0.1"
14from the various plink test command lines.
15
16(It is possible that the last two of these represent compatibility
17breaks of some kind; but if they are, then that ship sailed sufficiently
18long ago - at least seven years, possibly more - that it's no longer
19worth worrying about it. It's more useful to test interoperability with
20current versions.)
21
22Origin: https://bugzilla.mindrot.org/attachment.cgi?id=2891
23Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2639
24Last-Update: 2016-11-19
25
26Patch-Name: fix-putty-interop-tests.patch
27---
28 regress/putty-ciphers.sh | 2 +-
29 regress/putty-kex.sh | 3 +--
30 regress/putty-transfer.sh | 4 ++--
31 regress/test-exec.sh | 10 ++++++++--
32 4 files changed, 12 insertions(+), 7 deletions(-)
33
34diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
35index 724a98c..3775b1d 100644
36--- a/regress/putty-ciphers.sh
37+++ b/regress/putty-ciphers.sh
38@@ -16,7 +16,7 @@ for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do
39
40 rm -f ${COPY}
41 env HOME=$PWD ${PLINK} -load cipher_$c -batch -i putty.rsa2 \
42- 127.0.0.1 cat ${DATA} > ${COPY}
43+ cat ${DATA} > ${COPY}
44 if [ $? -ne 0 ]; then
45 fail "ssh cat $DATA failed"
46 fi
47diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
48index 1844d65..6ae2290 100644
49--- a/regress/putty-kex.sh
50+++ b/regress/putty-kex.sh
51@@ -14,8 +14,7 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
52 ${OBJ}/.putty/sessions/kex_$k
53 echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
54
55- env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 \
56- 127.0.0.1 true
57+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 true
58 if [ $? -ne 0 ]; then
59 fail "KEX $k failed"
60 fi
61diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
62index aec0e04..cb1da94 100644
63--- a/regress/putty-transfer.sh
64+++ b/regress/putty-transfer.sh
65@@ -17,7 +17,7 @@ for p in 2; do
66 ${OBJ}/.putty/sessions/compression_$c
67 echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
68 env HOME=$PWD ${PLINK} -load compression_$c -batch \
69- -i putty.rsa$p 127.0.0.1 cat ${DATA} > ${COPY}
70+ -i putty.rsa$p cat ${DATA} > ${COPY}
71 if [ $? -ne 0 ]; then
72 fail "ssh cat $DATA failed"
73 fi
74@@ -28,7 +28,7 @@ for p in 2; do
75 rm -f ${COPY}
76 dd if=$DATA obs=${s} 2> /dev/null | \
77 env HOME=$PWD ${PLINK} -load compression_$c \
78- -batch -i putty.rsa$p 127.0.0.1 \
79+ -batch -i putty.rsa$p \
80 "cat > ${COPY}"
81 if [ $? -ne 0 ]; then
82 fail "ssh cat $DATA failed"
83diff --git a/regress/test-exec.sh b/regress/test-exec.sh
84index 1b6526d..74b365c 100644
85--- a/regress/test-exec.sh
86+++ b/regress/test-exec.sh
87@@ -513,7 +513,11 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
88
89 # Add a PuTTY key to authorized_keys
90 rm -f ${OBJ}/putty.rsa2
91- puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null
92+ if ! puttygen -t rsa -o ${OBJ}/putty.rsa2 \
93+ --new-passphrase /dev/null < /dev/null > /dev/null; then
94+ echo "Your installed version of PuTTY is too old to support --new-passphrase; trying without (may require manual interaction) ..." >&2
95+ puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null
96+ fi
97 puttygen -O public-openssh ${OBJ}/putty.rsa2 \
98 >> $OBJ/authorized_keys_$USER
99
100@@ -526,10 +530,12 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
101 # Setup proxied session
102 mkdir -p ${OBJ}/.putty/sessions
103 rm -f ${OBJ}/.putty/sessions/localhost_proxy
104- echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
105+ echo "Protocol=ssh" >> ${OBJ}/.putty/sessions/localhost_proxy
106+ echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
107 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
108 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
109 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
110+ echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
111
112 REGRESS_INTEROP_PUTTY=yes
113 fi
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index c34441df3..8d4199907 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From db85bf41862b80b0447777d942a091cd3ac5f1c1 Mon Sep 17 00:00:00 2001 1From 39cb522642f428a818ef2cd56c39de4783da0b6e Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
@@ -12,10 +12,10 @@ Patch-Name: gnome-ssh-askpass2-icon.patch
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c 14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
15index 9d97c30..04b3a11 100644 15index 535a6927..e37a1338 100644
16--- a/contrib/gnome-ssh-askpass2.c 16--- a/contrib/gnome-ssh-askpass2.c
17+++ b/contrib/gnome-ssh-askpass2.c 17+++ b/contrib/gnome-ssh-askpass2.c
18@@ -209,6 +209,8 @@ main(int argc, char **argv) 18@@ -211,6 +211,8 @@ main(int argc, char **argv)
19 19
20 gtk_init(&argc, &argv); 20 gtk_init(&argc, &argv);
21 21
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8e946aa88..ea56167d7 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From eecddf8b72fcad83ccca43b1badb03782704f6b7 Mon Sep 17 00:00:00 2001 1From 9f717de15a8e113f7c6a3db52d75ce0172885f95 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -39,7 +39,7 @@ Patch-Name: gssapi.patch
39 kex.h | 14 +++ 39 kex.h | 14 +++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
41 kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ 41 kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++
42 monitor.c | 108 +++++++++++++++++- 42 monitor.c | 115 +++++++++++++++++--
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 44 monitor_wrap.c | 47 +++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
@@ -56,14 +56,14 @@ Patch-Name: gssapi.patch
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2054 insertions(+), 139 deletions(-) 59 35 files changed, 2053 insertions(+), 147 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
63 63
64diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi 64diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
65new file mode 100644 65new file mode 100644
66index 0000000..f117a33 66index 00000000..f117a336
67--- /dev/null 67--- /dev/null
68+++ b/ChangeLog.gssapi 68+++ b/ChangeLog.gssapi
69@@ -0,0 +1,113 @@ 69@@ -0,0 +1,113 @@
@@ -181,7 +181,7 @@ index 0000000..f117a33
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index 12991cd..51817df 100644 184index e10f3742..00a320e1 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -192,17 +192,17 @@ index 12991cd..51817df 100644
192 platform-pledge.o platform-tracing.o 192 platform-pledge.o platform-tracing.o
193 193
194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ 196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
197 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 197 auth2-none.o auth2-passwd.o auth2-pubkey.o \
198 monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ 198 monitor.o monitor_wrap.o auth-krb5.o \
199- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 199- auth2-gss.o gss-serv.o gss-serv-krb5.o \
200+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 200+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
201 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 201 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
202 sftp-server.o sftp-common.o \ 202 sftp-server.o sftp-common.o \
203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
204diff --git a/auth-krb5.c b/auth-krb5.c 204diff --git a/auth-krb5.c b/auth-krb5.c
205index a5a81ed..38e7fee 100644 205index a5a81ed2..38e7fee2 100644
206--- a/auth-krb5.c 206--- a/auth-krb5.c
207+++ b/auth-krb5.c 207+++ b/auth-krb5.c
208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -253,10 +253,10 @@ index a5a81ed..38e7fee 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 254 }
255diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
256index 24527dd..f56dcc6 100644 256index 6ee6116d..c6390687 100644
257--- a/auth.c 257--- a/auth.c
258+++ b/auth.c 258+++ b/auth.c
259@@ -363,7 +363,8 @@ auth_root_allowed(const char *method) 259@@ -372,7 +372,8 @@ auth_root_allowed(const char *method)
260 case PERMIT_NO_PASSWD: 260 case PERMIT_NO_PASSWD:
261 if (strcmp(method, "publickey") == 0 || 261 if (strcmp(method, "publickey") == 0 ||
262 strcmp(method, "hostbased") == 0 || 262 strcmp(method, "hostbased") == 0 ||
@@ -266,7 +266,7 @@ index 24527dd..f56dcc6 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -786,99 +787,6 @@ fakepw(void) 269@@ -795,99 +796,6 @@ fakepw(void)
270 } 270 }
271 271
272 /* 272 /*
@@ -367,7 +367,7 @@ index 24527dd..f56dcc6 100644
367 * connection. The host name is cached, so it is efficient to call this 367 * connection. The host name is cached, so it is efficient to call this
368 * several times. 368 * several times.
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 1ca8357..3b5036d 100644 370index 1ca83577..3b5036df 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
372+++ b/auth2-gss.c 372+++ b/auth2-gss.c
373@@ -1,7 +1,7 @@ 373@@ -1,7 +1,7 @@
@@ -454,7 +454,7 @@ index 1ca8357..3b5036d 100644
454 "gssapi-with-mic", 454 "gssapi-with-mic",
455 userauth_gssapi, 455 userauth_gssapi,
456diff --git a/auth2.c b/auth2.c 456diff --git a/auth2.c b/auth2.c
457index 9108b86..ce0d376 100644 457index 9108b861..ce0d3760 100644
458--- a/auth2.c 458--- a/auth2.c
459+++ b/auth2.c 459+++ b/auth2.c
460@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 460@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -474,7 +474,7 @@ index 9108b86..ce0d376 100644
474 #endif 474 #endif
475 &method_passwd, 475 &method_passwd,
476diff --git a/canohost.c b/canohost.c 476diff --git a/canohost.c b/canohost.c
477index f71a085..404731d 100644 477index f71a0856..404731d2 100644
478--- a/canohost.c 478--- a/canohost.c
479+++ b/canohost.c 479+++ b/canohost.c
480@@ -35,6 +35,99 @@ 480@@ -35,6 +35,99 @@
@@ -578,7 +578,7 @@ index f71a085..404731d 100644
578 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 578 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
579 { 579 {
580diff --git a/canohost.h b/canohost.h 580diff --git a/canohost.h b/canohost.h
581index 26d6285..0cadc9f 100644 581index 26d62855..0cadc9f1 100644
582--- a/canohost.h 582--- a/canohost.h
583+++ b/canohost.h 583+++ b/canohost.h
584@@ -15,6 +15,9 @@ 584@@ -15,6 +15,9 @@
@@ -592,10 +592,10 @@ index 26d6285..0cadc9f 100644
592 int get_peer_port(int); 592 int get_peer_port(int);
593 char *get_local_ipaddr(int); 593 char *get_local_ipaddr(int);
594diff --git a/clientloop.c b/clientloop.c 594diff --git a/clientloop.c b/clientloop.c
595index 2c44f5d..421241f 100644 595index 4289a408..99c68b69 100644
596--- a/clientloop.c 596--- a/clientloop.c
597+++ b/clientloop.c 597+++ b/clientloop.c
598@@ -114,6 +114,10 @@ 598@@ -113,6 +113,10 @@
599 #include "ssherr.h" 599 #include "ssherr.h"
600 #include "hostfile.h" 600 #include "hostfile.h"
601 601
@@ -606,7 +606,7 @@ index 2c44f5d..421241f 100644
606 /* import options */ 606 /* import options */
607 extern Options options; 607 extern Options options;
608 608
609@@ -1666,9 +1670,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 609@@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
610 break; 610 break;
611 611
612 /* Do channel operations unless rekeying in progress. */ 612 /* Do channel operations unless rekeying in progress. */
@@ -627,10 +627,10 @@ index 2c44f5d..421241f 100644
627 client_process_net_input(readset); 627 client_process_net_input(readset);
628 628
629diff --git a/config.h.in b/config.h.in 629diff --git a/config.h.in b/config.h.in
630index 39d018f..d7caf9a 100644 630index 75e02ab4..afe540e9 100644
631--- a/config.h.in 631--- a/config.h.in
632+++ b/config.h.in 632+++ b/config.h.in
633@@ -1668,6 +1668,9 @@ 633@@ -1667,6 +1667,9 @@
634 /* Use btmp to log bad logins */ 634 /* Use btmp to log bad logins */
635 #undef USE_BTMP 635 #undef USE_BTMP
636 636
@@ -640,7 +640,7 @@ index 39d018f..d7caf9a 100644
640 /* Use libedit for sftp */ 640 /* Use libedit for sftp */
641 #undef USE_LIBEDIT 641 #undef USE_LIBEDIT
642 642
643@@ -1683,6 +1686,9 @@ 643@@ -1682,6 +1685,9 @@
644 /* Use PIPES instead of a socketpair() */ 644 /* Use PIPES instead of a socketpair() */
645 #undef USE_PIPES 645 #undef USE_PIPES
646 646
@@ -651,10 +651,10 @@ index 39d018f..d7caf9a 100644
651 #undef USE_SOLARIS_PRIVS 651 #undef USE_SOLARIS_PRIVS
652 652
653diff --git a/configure.ac b/configure.ac 653diff --git a/configure.ac b/configure.ac
654index 373d21b..894ec3b 100644 654index eb9f45dc..5fdc696c 100644
655--- a/configure.ac 655--- a/configure.ac
656+++ b/configure.ac 656+++ b/configure.ac
657@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
658 [Use tunnel device compatibility to OpenBSD]) 658 [Use tunnel device compatibility to OpenBSD])
659 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 659 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
660 [Prepend the address family to IP tunnel traffic]) 660 [Prepend the address family to IP tunnel traffic])
@@ -686,11 +686,11 @@ index 373d21b..894ec3b 100644
686 AC_CHECK_DECL([AU_IPv4], [], 686 AC_CHECK_DECL([AU_IPv4], [],
687 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 687 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
688diff --git a/gss-genr.c b/gss-genr.c 688diff --git a/gss-genr.c b/gss-genr.c
689index d617d60..b4eca3f 100644 689index 62559ed9..0b3ae073 100644
690--- a/gss-genr.c 690--- a/gss-genr.c
691+++ b/gss-genr.c 691+++ b/gss-genr.c
692@@ -1,7 +1,7 @@ 692@@ -1,7 +1,7 @@
693 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ 693 /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */
694 694
695 /* 695 /*
696- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 696- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -698,7 +698,7 @@ index d617d60..b4eca3f 100644
698 * 698 *
699 * Redistribution and use in source and binary forms, with or without 699 * Redistribution and use in source and binary forms, with or without
700 * modification, are permitted provided that the following conditions 700 * modification, are permitted provided that the following conditions
701@@ -41,12 +41,167 @@ 701@@ -40,12 +40,167 @@
702 #include "buffer.h" 702 #include "buffer.h"
703 #include "log.h" 703 #include "log.h"
704 #include "ssh2.h" 704 #include "ssh2.h"
@@ -866,7 +866,7 @@ index d617d60..b4eca3f 100644
866 /* Check that the OID in a data stream matches that in the context */ 866 /* Check that the OID in a data stream matches that in the context */
867 int 867 int
868 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 868 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
869@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, 869@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
870 } 870 }
871 871
872 ctx->major = gss_init_sec_context(&ctx->minor, 872 ctx->major = gss_init_sec_context(&ctx->minor,
@@ -875,7 +875,7 @@ index d617d60..b4eca3f 100644
875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
876 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 876 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
877 877
878@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 878@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
879 } 879 }
880 880
881 OM_uint32 881 OM_uint32
@@ -918,7 +918,7 @@ index d617d60..b4eca3f 100644
918 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 918 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
919 GSS_C_QOP_DEFAULT, buffer, hash))) 919 GSS_C_QOP_DEFAULT, buffer, hash)))
920 ssh_gssapi_error(ctx); 920 ssh_gssapi_error(ctx);
921@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 921@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
922 return (ctx->major); 922 return (ctx->major);
923 } 923 }
924 924
@@ -938,7 +938,7 @@ index d617d60..b4eca3f 100644
938 void 938 void
939 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 939 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
940 const char *context) 940 const char *context)
941@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 941@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
942 } 942 }
943 943
944 int 944 int
@@ -956,7 +956,7 @@ index d617d60..b4eca3f 100644
956 956
957 /* RFC 4462 says we MUST NOT do SPNEGO */ 957 /* RFC 4462 says we MUST NOT do SPNEGO */
958 if (oid->length == spnego_oid.length && 958 if (oid->length == spnego_oid.length &&
959@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 959@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
960 ssh_gssapi_build_ctx(ctx); 960 ssh_gssapi_build_ctx(ctx);
961 ssh_gssapi_set_oid(*ctx, oid); 961 ssh_gssapi_set_oid(*ctx, oid);
962 major = ssh_gssapi_import_name(*ctx, host); 962 major = ssh_gssapi_import_name(*ctx, host);
@@ -967,7 +967,7 @@ index d617d60..b4eca3f 100644
967 if (!GSS_ERROR(major)) { 967 if (!GSS_ERROR(major)) {
968 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 968 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
969 NULL); 969 NULL);
970@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 970@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
971 GSS_C_NO_BUFFER); 971 GSS_C_NO_BUFFER);
972 } 972 }
973 973
@@ -1036,7 +1036,7 @@ index d617d60..b4eca3f 100644
1036+ 1036+
1037 #endif /* GSSAPI */ 1037 #endif /* GSSAPI */
1038diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 1038diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
1039index 795992d..fd8b371 100644 1039index 795992d9..fd8b3718 100644
1040--- a/gss-serv-krb5.c 1040--- a/gss-serv-krb5.c
1041+++ b/gss-serv-krb5.c 1041+++ b/gss-serv-krb5.c
1042@@ -1,7 +1,7 @@ 1042@@ -1,7 +1,7 @@
@@ -1162,7 +1162,7 @@ index 795992d..fd8b371 100644
1162 1162
1163 #endif /* KRB5 */ 1163 #endif /* KRB5 */
1164diff --git a/gss-serv.c b/gss-serv.c 1164diff --git a/gss-serv.c b/gss-serv.c
1165index 53993d6..2f6baf7 100644 1165index 53993d67..2f6baf70 100644
1166--- a/gss-serv.c 1166--- a/gss-serv.c
1167+++ b/gss-serv.c 1167+++ b/gss-serv.c
1168@@ -1,7 +1,7 @@ 1168@@ -1,7 +1,7 @@
@@ -1434,10 +1434,10 @@ index 53993d6..2f6baf7 100644
1434 1434
1435 #endif 1435 #endif
1436diff --git a/kex.c b/kex.c 1436diff --git a/kex.c b/kex.c
1437index 50c7a0f..c17d652 100644 1437index 6a94bc53..d8708684 100644
1438--- a/kex.c 1438--- a/kex.c
1439+++ b/kex.c 1439+++ b/kex.c
1440@@ -55,6 +55,10 @@ 1440@@ -54,6 +54,10 @@
1441 #include "sshbuf.h" 1441 #include "sshbuf.h"
1442 #include "digest.h" 1442 #include "digest.h"
1443 1443
@@ -1474,7 +1474,7 @@ index 50c7a0f..c17d652 100644
1474 return NULL; 1474 return NULL;
1475 } 1475 }
1476 1476
1477@@ -587,6 +603,9 @@ kex_free(struct kex *kex) 1477@@ -597,6 +613,9 @@ kex_free(struct kex *kex)
1478 sshbuf_free(kex->peer); 1478 sshbuf_free(kex->peer);
1479 sshbuf_free(kex->my); 1479 sshbuf_free(kex->my);
1480 free(kex->session_id); 1480 free(kex->session_id);
@@ -1485,10 +1485,10 @@ index 50c7a0f..c17d652 100644
1485 free(kex->server_version_string); 1485 free(kex->server_version_string);
1486 free(kex->failed_choice); 1486 free(kex->failed_choice);
1487diff --git a/kex.h b/kex.h 1487diff --git a/kex.h b/kex.h
1488index c351955..8ed459a 100644 1488index 3794f212..fd56171d 100644
1489--- a/kex.h 1489--- a/kex.h
1490+++ b/kex.h 1490+++ b/kex.h
1491@@ -98,6 +98,9 @@ enum kex_exchange { 1491@@ -99,6 +99,9 @@ enum kex_exchange {
1492 KEX_DH_GEX_SHA256, 1492 KEX_DH_GEX_SHA256,
1493 KEX_ECDH_SHA2, 1493 KEX_ECDH_SHA2,
1494 KEX_C25519_SHA256, 1494 KEX_C25519_SHA256,
@@ -1498,7 +1498,7 @@ index c351955..8ed459a 100644
1498 KEX_MAX 1498 KEX_MAX
1499 }; 1499 };
1500 1500
1501@@ -146,6 +149,12 @@ struct kex { 1501@@ -147,6 +150,12 @@ struct kex {
1502 u_int flags; 1502 u_int flags;
1503 int hash_alg; 1503 int hash_alg;
1504 int ec_nid; 1504 int ec_nid;
@@ -1511,7 +1511,7 @@ index c351955..8ed459a 100644
1511 char *client_version_string; 1511 char *client_version_string;
1512 char *server_version_string; 1512 char *server_version_string;
1513 char *failed_choice; 1513 char *failed_choice;
1514@@ -196,6 +205,11 @@ int kexecdh_server(struct ssh *); 1514@@ -197,6 +206,11 @@ int kexecdh_server(struct ssh *);
1515 int kexc25519_client(struct ssh *); 1515 int kexc25519_client(struct ssh *);
1516 int kexc25519_server(struct ssh *); 1516 int kexc25519_server(struct ssh *);
1517 1517
@@ -1525,7 +1525,7 @@ index c351955..8ed459a 100644
1525 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 1525 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1526diff --git a/kexgssc.c b/kexgssc.c 1526diff --git a/kexgssc.c b/kexgssc.c
1527new file mode 100644 1527new file mode 100644
1528index 0000000..10447f2 1528index 00000000..10447f2b
1529--- /dev/null 1529--- /dev/null
1530+++ b/kexgssc.c 1530+++ b/kexgssc.c
1531@@ -0,0 +1,338 @@ 1531@@ -0,0 +1,338 @@
@@ -1869,7 +1869,7 @@ index 0000000..10447f2
1869+#endif /* GSSAPI */ 1869+#endif /* GSSAPI */
1870diff --git a/kexgsss.c b/kexgsss.c 1870diff --git a/kexgsss.c b/kexgsss.c
1871new file mode 100644 1871new file mode 100644
1872index 0000000..38ca082 1872index 00000000..38ca082b
1873--- /dev/null 1873--- /dev/null
1874+++ b/kexgsss.c 1874+++ b/kexgsss.c
1875@@ -0,0 +1,295 @@ 1875@@ -0,0 +1,295 @@
@@ -2169,10 +2169,10 @@ index 0000000..38ca082
2169+} 2169+}
2170+#endif /* GSSAPI */ 2170+#endif /* GSSAPI */
2171diff --git a/monitor.c b/monitor.c 2171diff --git a/monitor.c b/monitor.c
2172index cb57bd0..05bb48a 100644 2172index 43f48470..76d9e346 100644
2173--- a/monitor.c 2173--- a/monitor.c
2174+++ b/monitor.c 2174+++ b/monitor.c
2175@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2175@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2176 int mm_answer_gss_accept_ctx(int, Buffer *); 2176 int mm_answer_gss_accept_ctx(int, Buffer *);
2177 int mm_answer_gss_userok(int, Buffer *); 2177 int mm_answer_gss_userok(int, Buffer *);
2178 int mm_answer_gss_checkmic(int, Buffer *); 2178 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2181,10 +2181,10 @@ index cb57bd0..05bb48a 100644
2181 #endif 2181 #endif
2182 2182
2183 #ifdef SSH_AUDIT_EVENTS 2183 #ifdef SSH_AUDIT_EVENTS
2184@@ -235,11 +237,18 @@ struct mon_table mon_dispatch_proto20[] = { 2184@@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[] = {
2185 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2185 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
2186 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2186 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
2187 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2187 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
2188+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, 2188+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
2189 #endif 2189 #endif
2190 {0, 0, NULL} 2190 {0, 0, NULL}
@@ -2200,29 +2200,29 @@ index cb57bd0..05bb48a 100644
2200 #ifdef WITH_OPENSSL 2200 #ifdef WITH_OPENSSL
2201 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2201 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2202 #endif 2202 #endif
2203@@ -354,6 +363,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2203@@ -301,6 +310,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2204 /* Permit requests for moduli and signatures */ 2204 /* Permit requests for moduli and signatures */
2205 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2205 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2206 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2206 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2207+#ifdef GSSAPI 2207+#ifdef GSSAPI
2208+ /* and for the GSSAPI key exchange */ 2208+ /* and for the GSSAPI key exchange */
2209+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); 2209+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
2210+#endif 2210+#endif
2211 } else {
2212 mon_dispatch = mon_dispatch_proto15;
2213 2211
2214@@ -462,6 +475,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2212 /* The first few requests do not require asynchronous access */
2215 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2213 while (!authenticated) {
2216 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2214@@ -400,6 +413,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2217 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2215 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2216 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2217 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2218+#ifdef GSSAPI 2218+#ifdef GSSAPI
2219+ /* and for the GSSAPI key exchange */ 2219+ /* and for the GSSAPI key exchange */
2220+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); 2220+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
2221+#endif 2221+#endif
2222 } else { 2222
2223 mon_dispatch = mon_dispatch_postauth15; 2223 if (!no_pty_flag) {
2224 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2224 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2225@@ -1876,6 +1893,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2225@@ -1601,6 +1618,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2226 # endif 2226 # endif
2227 #endif /* WITH_OPENSSL */ 2227 #endif /* WITH_OPENSSL */
2228 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2228 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2236,27 +2236,29 @@ index cb57bd0..05bb48a 100644
2236 kex->load_host_public_key=&get_hostkey_public_by_type; 2236 kex->load_host_public_key=&get_hostkey_public_by_type;
2237 kex->load_host_private_key=&get_hostkey_private_by_type; 2237 kex->load_host_private_key=&get_hostkey_private_by_type;
2238 kex->host_key_index=&get_hostkey_index; 2238 kex->host_key_index=&get_hostkey_index;
2239@@ -1975,6 +1999,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2239@@ -1680,8 +1704,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2240 OM_uint32 major; 2240 OM_uint32 major;
2241 u_int len; 2241 u_int len;
2242 2242
2243- if (!options.gss_authentication)
2244- fatal("%s: GSSAPI authentication not enabled", __func__);
2243+ if (!options.gss_authentication && !options.gss_keyex) 2245+ if (!options.gss_authentication && !options.gss_keyex)
2244+ fatal("In GSSAPI monitor when GSSAPI is disabled"); 2246+ fatal("%s: GSSAPI not enabled", __func__);
2245+ 2247
2246 goid.elements = buffer_get_string(m, &len); 2248 goid.elements = buffer_get_string(m, &len);
2247 goid.length = len; 2249 goid.length = len;
2248 2250@@ -1710,8 +1734,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2249@@ -2002,6 +2029,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2250 OM_uint32 flags = 0; /* GSI needs this */ 2251 OM_uint32 flags = 0; /* GSI needs this */
2251 u_int len; 2252 u_int len;
2252 2253
2254- if (!options.gss_authentication)
2255- fatal("%s: GSSAPI authentication not enabled", __func__);
2253+ if (!options.gss_authentication && !options.gss_keyex) 2256+ if (!options.gss_authentication && !options.gss_keyex)
2254+ fatal("In GSSAPI monitor when GSSAPI is disabled"); 2257+ fatal("%s: GSSAPI not enabled", __func__);
2255+ 2258
2256 in.value = buffer_get_string(m, &len); 2259 in.value = buffer_get_string(m, &len);
2257 in.length = len; 2260 in.length = len;
2258 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2261@@ -1730,6 +1754,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2259@@ -2019,6 +2049,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2260 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2264,30 +2266,33 @@ index cb57bd0..05bb48a 100644
2264 } 2266 }
2265 return (0); 2267 return (0);
2266 } 2268 }
2267@@ -2030,6 +2061,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2269@@ -1741,8 +1766,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2268 OM_uint32 ret; 2270 OM_uint32 ret;
2269 u_int len; 2271 u_int len;
2270 2272
2273- if (!options.gss_authentication)
2274- fatal("%s: GSSAPI authentication not enabled", __func__);
2271+ if (!options.gss_authentication && !options.gss_keyex) 2275+ if (!options.gss_authentication && !options.gss_keyex)
2272+ fatal("In GSSAPI monitor when GSSAPI is disabled"); 2276+ fatal("%s: GSSAPI not enabled", __func__);
2273+ 2277
2274 gssbuf.value = buffer_get_string(m, &len); 2278 gssbuf.value = buffer_get_string(m, &len);
2275 gssbuf.length = len; 2279 gssbuf.length = len;
2276 mic.value = buffer_get_string(m, &len); 2280@@ -1770,10 +1795,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2277@@ -2056,7 +2090,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2278 { 2281 {
2279 int authenticated; 2282 int authenticated;
2280 2283
2281- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); 2284- if (!options.gss_authentication)
2285- fatal("%s: GSSAPI authentication not enabled", __func__);
2282+ if (!options.gss_authentication && !options.gss_keyex) 2286+ if (!options.gss_authentication && !options.gss_keyex)
2283+ fatal("In GSSAPI monitor when GSSAPI is disabled"); 2287+ fatal("%s: GSSAPI not enabled", __func__);
2284+ 2288
2289- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
2285+ authenticated = authctxt->valid && 2290+ authenticated = authctxt->valid &&
2286+ ssh_gssapi_userok(authctxt->user, authctxt->pw); 2291+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
2287 2292
2288 buffer_clear(m); 2293 buffer_clear(m);
2289 buffer_put_int(m, authenticated); 2294 buffer_put_int(m, authenticated);
2290@@ -2069,5 +2107,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2295@@ -1786,5 +1812,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
2291 /* Monitor loop will terminate if authenticated */ 2296 /* Monitor loop will terminate if authenticated */
2292 return (authenticated); 2297 return (authenticated);
2293 } 2298 }
@@ -2301,7 +2306,7 @@ index cb57bd0..05bb48a 100644
2301+ u_int len; 2306+ u_int len;
2302+ 2307+
2303+ if (!options.gss_authentication && !options.gss_keyex) 2308+ if (!options.gss_authentication && !options.gss_keyex)
2304+ fatal("In GSSAPI monitor when GSSAPI is disabled"); 2309+ fatal("%s: GSSAPI not enabled", __func__);
2305+ 2310+
2306+ data.value = buffer_get_string(m, &len); 2311+ data.value = buffer_get_string(m, &len);
2307+ data.length = len; 2312+ data.length = len;
@@ -2341,6 +2346,9 @@ index cb57bd0..05bb48a 100644
2341+ ssh_gssapi_ccache store; 2346+ ssh_gssapi_ccache store;
2342+ int ok; 2347+ int ok;
2343+ 2348+
2349+ if (!options.gss_authentication && !options.gss_keyex)
2350+ fatal("%s: GSSAPI not enabled", __func__);
2351+
2344+ store.filename = buffer_get_string(m, NULL); 2352+ store.filename = buffer_get_string(m, NULL);
2345+ store.envvar = buffer_get_string(m, NULL); 2353+ store.envvar = buffer_get_string(m, NULL);
2346+ store.envval = buffer_get_string(m, NULL); 2354+ store.envval = buffer_get_string(m, NULL);
@@ -2362,7 +2370,7 @@ index cb57bd0..05bb48a 100644
2362 #endif /* GSSAPI */ 2370 #endif /* GSSAPI */
2363 2371
2364diff --git a/monitor.h b/monitor.h 2372diff --git a/monitor.h b/monitor.h
2365index 93b8b66..bc50ade 100644 2373index d68f6745..ec41404c 100644
2366--- a/monitor.h 2374--- a/monitor.h
2367+++ b/monitor.h 2375+++ b/monitor.h
2368@@ -65,6 +65,9 @@ enum monitor_reqtype { 2376@@ -65,6 +65,9 @@ enum monitor_reqtype {
@@ -2374,12 +2382,12 @@ index 93b8b66..bc50ade 100644
2374+ 2382+
2375 }; 2383 };
2376 2384
2377 struct mm_master; 2385 struct monitor {
2378diff --git a/monitor_wrap.c b/monitor_wrap.c 2386diff --git a/monitor_wrap.c b/monitor_wrap.c
2379index 99dc13b..5a9f1b5 100644 2387index 64ff9288..d5cb640a 100644
2380--- a/monitor_wrap.c 2388--- a/monitor_wrap.c
2381+++ b/monitor_wrap.c 2389+++ b/monitor_wrap.c
2382@@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2390@@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2383 } 2391 }
2384 2392
2385 int 2393 int
@@ -2388,7 +2396,7 @@ index 99dc13b..5a9f1b5 100644
2388 { 2396 {
2389 Buffer m; 2397 Buffer m;
2390 int authenticated = 0; 2398 int authenticated = 0;
2391@@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user) 2399@@ -941,5 +941,50 @@ mm_ssh_gssapi_userok(char *user)
2392 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2400 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2393 return (authenticated); 2401 return (authenticated);
2394 } 2402 }
@@ -2440,10 +2448,10 @@ index 99dc13b..5a9f1b5 100644
2440 #endif /* GSSAPI */ 2448 #endif /* GSSAPI */
2441 2449
2442diff --git a/monitor_wrap.h b/monitor_wrap.h 2450diff --git a/monitor_wrap.h b/monitor_wrap.h
2443index 9fd02b3..b5414c2 100644 2451index db5902f5..8f9dd896 100644
2444--- a/monitor_wrap.h 2452--- a/monitor_wrap.h
2445+++ b/monitor_wrap.h 2453+++ b/monitor_wrap.h
2446@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); 2454@@ -55,8 +55,10 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
2447 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2455 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2448 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2456 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2449 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2457 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2456,7 +2464,7 @@ index 9fd02b3..b5414c2 100644
2456 2464
2457 #ifdef USE_PAM 2465 #ifdef USE_PAM
2458diff --git a/readconf.c b/readconf.c 2466diff --git a/readconf.c b/readconf.c
2459index c177202..e019195 100644 2467index fa3fab8f..7902ef26 100644
2460--- a/readconf.c 2468--- a/readconf.c
2461+++ b/readconf.c 2469+++ b/readconf.c
2462@@ -160,6 +160,8 @@ typedef enum { 2470@@ -160,6 +160,8 @@ typedef enum {
@@ -2488,7 +2496,7 @@ index c177202..e019195 100644
2488 #endif 2496 #endif
2489 { "fallbacktorsh", oDeprecated }, 2497 { "fallbacktorsh", oDeprecated },
2490 { "usersh", oDeprecated }, 2498 { "usersh", oDeprecated },
2491@@ -962,10 +973,30 @@ parse_time: 2499@@ -961,10 +972,30 @@ parse_time:
2492 intptr = &options->gss_authentication; 2500 intptr = &options->gss_authentication;
2493 goto parse_flag; 2501 goto parse_flag;
2494 2502
@@ -2519,7 +2527,7 @@ index c177202..e019195 100644
2519 case oBatchMode: 2527 case oBatchMode:
2520 intptr = &options->batch_mode; 2528 intptr = &options->batch_mode;
2521 goto parse_flag; 2529 goto parse_flag;
2522@@ -1777,7 +1808,12 @@ initialize_options(Options * options) 2530@@ -1776,7 +1807,12 @@ initialize_options(Options * options)
2523 options->pubkey_authentication = -1; 2531 options->pubkey_authentication = -1;
2524 options->challenge_response_authentication = -1; 2532 options->challenge_response_authentication = -1;
2525 options->gss_authentication = -1; 2533 options->gss_authentication = -1;
@@ -2532,7 +2540,7 @@ index c177202..e019195 100644
2532 options->password_authentication = -1; 2540 options->password_authentication = -1;
2533 options->kbd_interactive_authentication = -1; 2541 options->kbd_interactive_authentication = -1;
2534 options->kbd_interactive_devices = NULL; 2542 options->kbd_interactive_devices = NULL;
2535@@ -1921,8 +1957,14 @@ fill_default_options(Options * options) 2543@@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
2536 options->challenge_response_authentication = 1; 2544 options->challenge_response_authentication = 1;
2537 if (options->gss_authentication == -1) 2545 if (options->gss_authentication == -1)
2538 options->gss_authentication = 0; 2546 options->gss_authentication = 0;
@@ -2548,7 +2556,7 @@ index c177202..e019195 100644
2548 options->password_authentication = 1; 2556 options->password_authentication = 1;
2549 if (options->kbd_interactive_authentication == -1) 2557 if (options->kbd_interactive_authentication == -1)
2550diff --git a/readconf.h b/readconf.h 2558diff --git a/readconf.h b/readconf.h
2551index cef55f7..fd3d7c7 100644 2559index cef55f71..fd3d7c75 100644
2552--- a/readconf.h 2560--- a/readconf.h
2553+++ b/readconf.h 2561+++ b/readconf.h
2554@@ -45,7 +45,12 @@ typedef struct { 2562@@ -45,7 +45,12 @@ typedef struct {
@@ -2565,10 +2573,10 @@ index cef55f7..fd3d7c7 100644
2565 * authentication. */ 2573 * authentication. */
2566 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2574 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2567diff --git a/servconf.c b/servconf.c 2575diff --git a/servconf.c b/servconf.c
2568index 873b0d0..9b06281 100644 2576index 795ddbab..14c81fa9 100644
2569--- a/servconf.c 2577--- a/servconf.c
2570+++ b/servconf.c 2578+++ b/servconf.c
2571@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) 2579@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
2572 options->kerberos_ticket_cleanup = -1; 2580 options->kerberos_ticket_cleanup = -1;
2573 options->kerberos_get_afs_token = -1; 2581 options->kerberos_get_afs_token = -1;
2574 options->gss_authentication=-1; 2582 options->gss_authentication=-1;
@@ -2579,7 +2587,7 @@ index 873b0d0..9b06281 100644
2579 options->password_authentication = -1; 2587 options->password_authentication = -1;
2580 options->kbd_interactive_authentication = -1; 2588 options->kbd_interactive_authentication = -1;
2581 options->challenge_response_authentication = -1; 2589 options->challenge_response_authentication = -1;
2582@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options) 2590@@ -267,10 +269,14 @@ fill_default_server_options(ServerOptions *options)
2583 options->kerberos_get_afs_token = 0; 2591 options->kerberos_get_afs_token = 0;
2584 if (options->gss_authentication == -1) 2592 if (options->gss_authentication == -1)
2585 options->gss_authentication = 0; 2593 options->gss_authentication = 0;
@@ -2595,7 +2603,7 @@ index 873b0d0..9b06281 100644
2595 if (options->password_authentication == -1) 2603 if (options->password_authentication == -1)
2596 options->password_authentication = 1; 2604 options->password_authentication = 1;
2597 if (options->kbd_interactive_authentication == -1) 2605 if (options->kbd_interactive_authentication == -1)
2598@@ -427,6 +433,7 @@ typedef enum { 2606@@ -407,6 +413,7 @@ typedef enum {
2599 sHostKeyAlgorithms, 2607 sHostKeyAlgorithms,
2600 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2608 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2601 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2609 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2603,7 +2611,7 @@ index 873b0d0..9b06281 100644
2603 sAcceptEnv, sPermitTunnel, 2611 sAcceptEnv, sPermitTunnel,
2604 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2612 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2605 sUsePrivilegeSeparation, sAllowAgentForwarding, 2613 sUsePrivilegeSeparation, sAllowAgentForwarding,
2606@@ -500,12 +507,20 @@ static struct { 2614@@ -480,12 +487,20 @@ static struct {
2607 #ifdef GSSAPI 2615 #ifdef GSSAPI
2608 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2616 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2609 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2617 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2624,7 +2632,7 @@ index 873b0d0..9b06281 100644
2624 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2632 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2625 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2633 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2626 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2634 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2627@@ -1251,6 +1266,10 @@ process_server_config_line(ServerOptions *options, char *line, 2635@@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line,
2628 intptr = &options->gss_authentication; 2636 intptr = &options->gss_authentication;
2629 goto parse_flag; 2637 goto parse_flag;
2630 2638
@@ -2635,7 +2643,7 @@ index 873b0d0..9b06281 100644
2635 case sGssCleanupCreds: 2643 case sGssCleanupCreds:
2636 intptr = &options->gss_cleanup_creds; 2644 intptr = &options->gss_cleanup_creds;
2637 goto parse_flag; 2645 goto parse_flag;
2638@@ -1259,6 +1278,10 @@ process_server_config_line(ServerOptions *options, char *line, 2646@@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line,
2639 intptr = &options->gss_strict_acceptor; 2647 intptr = &options->gss_strict_acceptor;
2640 goto parse_flag; 2648 goto parse_flag;
2641 2649
@@ -2646,7 +2654,7 @@ index 873b0d0..9b06281 100644
2646 case sPasswordAuthentication: 2654 case sPasswordAuthentication:
2647 intptr = &options->password_authentication; 2655 intptr = &options->password_authentication;
2648 goto parse_flag; 2656 goto parse_flag;
2649@@ -2308,7 +2331,10 @@ dump_config(ServerOptions *o) 2657@@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o)
2650 #endif 2658 #endif
2651 #ifdef GSSAPI 2659 #ifdef GSSAPI
2652 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2660 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2658,10 +2666,10 @@ index 873b0d0..9b06281 100644
2658 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2666 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2659 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2667 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2660diff --git a/servconf.h b/servconf.h 2668diff --git a/servconf.h b/servconf.h
2661index f4137af..778ba17 100644 2669index 5853a974..90dfa4c2 100644
2662--- a/servconf.h 2670--- a/servconf.h
2663+++ b/servconf.h 2671+++ b/servconf.h
2664@@ -118,8 +118,10 @@ typedef struct { 2672@@ -112,8 +112,10 @@ typedef struct {
2665 int kerberos_get_afs_token; /* If true, try to get AFS token if 2673 int kerberos_get_afs_token; /* If true, try to get AFS token if
2666 * authenticated with Kerberos. */ 2674 * authenticated with Kerberos. */
2667 int gss_authentication; /* If true, permit GSSAPI authentication */ 2675 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2673,7 +2681,7 @@ index f4137af..778ba17 100644
2673 * authentication. */ 2681 * authentication. */
2674 int kbd_interactive_authentication; /* If true, permit */ 2682 int kbd_interactive_authentication; /* If true, permit */
2675diff --git a/ssh-gss.h b/ssh-gss.h 2683diff --git a/ssh-gss.h b/ssh-gss.h
2676index a99d7f0..914701b 100644 2684index a99d7f08..914701bc 100644
2677--- a/ssh-gss.h 2685--- a/ssh-gss.h
2678+++ b/ssh-gss.h 2686+++ b/ssh-gss.h
2679@@ -1,6 +1,6 @@ 2687@@ -1,6 +1,6 @@
@@ -2776,7 +2784,7 @@ index a99d7f0..914701b 100644
2776 2784
2777 #endif /* _SSH_GSS_H */ 2785 #endif /* _SSH_GSS_H */
2778diff --git a/ssh_config b/ssh_config 2786diff --git a/ssh_config b/ssh_config
2779index 90fb63f..4e879cd 100644 2787index 90fb63f0..4e879cd2 100644
2780--- a/ssh_config 2788--- a/ssh_config
2781+++ b/ssh_config 2789+++ b/ssh_config
2782@@ -26,6 +26,8 @@ 2790@@ -26,6 +26,8 @@
@@ -2789,18 +2797,18 @@ index 90fb63f..4e879cd 100644
2789 # CheckHostIP yes 2797 # CheckHostIP yes
2790 # AddressFamily any 2798 # AddressFamily any
2791diff --git a/ssh_config.5 b/ssh_config.5 2799diff --git a/ssh_config.5 b/ssh_config.5
2792index 7630e7b..707d0e1 100644 2800index 591365f3..a7703fc7 100644
2793--- a/ssh_config.5 2801--- a/ssh_config.5
2794+++ b/ssh_config.5 2802+++ b/ssh_config.5
2795@@ -826,10 +826,42 @@ The default is 2803@@ -748,10 +748,42 @@ The default is
2796 Specifies whether user authentication based on GSSAPI is allowed. 2804 Specifies whether user authentication based on GSSAPI is allowed.
2797 The default is 2805 The default is
2798 .Dq no . 2806 .Cm no .
2799+.It Cm GSSAPIKeyExchange 2807+.It Cm GSSAPIKeyExchange
2800+Specifies whether key exchange based on GSSAPI may be used. When using 2808+Specifies whether key exchange based on GSSAPI may be used. When using
2801+GSSAPI key exchange the server need not have a host key. 2809+GSSAPI key exchange the server need not have a host key.
2802+The default is 2810+The default is
2803+.Dq no . 2811+.Cm no .
2804+.It Cm GSSAPIClientIdentity 2812+.It Cm GSSAPIClientIdentity
2805+If set, specifies the GSSAPI client identity that ssh should use when 2813+If set, specifies the GSSAPI client identity that ssh should use when
2806+connecting to the server. The default is unset, which means that the default 2814+connecting to the server. The default is unset, which means that the default
@@ -2813,30 +2821,30 @@ index 7630e7b..707d0e1 100644
2813 .It Cm GSSAPIDelegateCredentials 2821 .It Cm GSSAPIDelegateCredentials
2814 Forward (delegate) credentials to the server. 2822 Forward (delegate) credentials to the server.
2815 The default is 2823 The default is
2816 .Dq no . 2824 .Cm no .
2817+.It Cm GSSAPIRenewalForcesRekey 2825+.It Cm GSSAPIRenewalForcesRekey
2818+If set to 2826+If set to
2819+.Dq yes 2827+.Cm yes
2820+then renewal of the client's GSSAPI credentials will force the rekeying of the 2828+then renewal of the client's GSSAPI credentials will force the rekeying of the
2821+ssh connection. With a compatible server, this can delegate the renewed 2829+ssh connection. With a compatible server, this can delegate the renewed
2822+credentials to a session on the server. 2830+credentials to a session on the server.
2823+The default is 2831+The default is
2824+.Dq no . 2832+.Cm no .
2825+.It Cm GSSAPITrustDns 2833+.It Cm GSSAPITrustDns
2826+Set to 2834+Set to
2827+.Dq yes 2835+.Cm yes
2828+to indicate that the DNS is trusted to securely canonicalize 2836+to indicate that the DNS is trusted to securely canonicalize
2829+the name of the host being connected to. If 2837+the name of the host being connected to. If
2830+.Dq no , 2838+.Cm no ,
2831+the hostname entered on the 2839+the hostname entered on the
2832+command line will be passed untouched to the GSSAPI library. 2840+command line will be passed untouched to the GSSAPI library.
2833+The default is 2841+The default is
2834+.Dq no . 2842+.Cm no .
2835 .It Cm HashKnownHosts 2843 .It Cm HashKnownHosts
2836 Indicates that 2844 Indicates that
2837 .Xr ssh 1 2845 .Xr ssh 1
2838diff --git a/sshconnect2.c b/sshconnect2.c 2846diff --git a/sshconnect2.c b/sshconnect2.c
2839index fae8b0f..34b9d30 100644 2847index 103a2b36..d534e619 100644
2840--- a/sshconnect2.c 2848--- a/sshconnect2.c
2841+++ b/sshconnect2.c 2849+++ b/sshconnect2.c
2842@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2850@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2923,7 +2931,7 @@ index fae8b0f..34b9d30 100644
2923 #endif 2931 #endif
2924 2932
2925 void userauth(Authctxt *, char *); 2933 void userauth(Authctxt *, char *);
2926@@ -326,6 +378,11 @@ static char *authmethods_get(void); 2934@@ -327,6 +379,11 @@ static char *authmethods_get(void);
2927 2935
2928 Authmethod authmethods[] = { 2936 Authmethod authmethods[] = {
2929 #ifdef GSSAPI 2937 #ifdef GSSAPI
@@ -2935,7 +2943,7 @@ index fae8b0f..34b9d30 100644
2935 {"gssapi-with-mic", 2943 {"gssapi-with-mic",
2936 userauth_gssapi, 2944 userauth_gssapi,
2937 NULL, 2945 NULL,
2938@@ -650,25 +707,40 @@ userauth_gssapi(Authctxt *authctxt) 2946@@ -652,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt)
2939 static u_int mech = 0; 2947 static u_int mech = 0;
2940 OM_uint32 min; 2948 OM_uint32 min;
2941 int ok = 0; 2949 int ok = 0;
@@ -2978,7 +2986,7 @@ index fae8b0f..34b9d30 100644
2978 if (!ok) 2986 if (!ok)
2979 return 0; 2987 return 0;
2980 2988
2981@@ -759,8 +831,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2989@@ -761,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2982 { 2990 {
2983 Authctxt *authctxt = ctxt; 2991 Authctxt *authctxt = ctxt;
2984 Gssctxt *gssctxt; 2992 Gssctxt *gssctxt;
@@ -2989,7 +2997,7 @@ index fae8b0f..34b9d30 100644
2989 2997
2990 if (authctxt == NULL) 2998 if (authctxt == NULL)
2991 fatal("input_gssapi_response: no authentication context"); 2999 fatal("input_gssapi_response: no authentication context");
2992@@ -873,6 +945,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 3000@@ -875,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2993 free(lang); 3001 free(lang);
2994 return 0; 3002 return 0;
2995 } 3003 }
@@ -3039,10 +3047,10 @@ index fae8b0f..34b9d30 100644
3039 3047
3040 int 3048 int
3041diff --git a/sshd.c b/sshd.c 3049diff --git a/sshd.c b/sshd.c
3042index 799c771..ebb88c7 100644 3050index 1dc4d182..ec2cf976 100644
3043--- a/sshd.c 3051--- a/sshd.c
3044+++ b/sshd.c 3052+++ b/sshd.c
3045@@ -125,6 +125,10 @@ 3053@@ -123,6 +123,10 @@
3046 #include "version.h" 3054 #include "version.h"
3047 #include "ssherr.h" 3055 #include "ssherr.h"
3048 3056
@@ -3050,24 +3058,24 @@ index 799c771..ebb88c7 100644
3050+#include <Security/AuthSession.h> 3058+#include <Security/AuthSession.h>
3051+#endif 3059+#endif
3052+ 3060+
3053 #ifndef O_NOCTTY 3061 /* Re-exec fds */
3054 #define O_NOCTTY 0 3062 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3055 #endif 3063 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3056@@ -1892,10 +1896,13 @@ main(int ac, char **av) 3064@@ -1705,10 +1709,13 @@ main(int ac, char **av)
3057 logit("Disabling protocol version 1. Could not load host key"); 3065 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3058 options.protocol &= ~SSH_PROTO_1; 3066 free(fp);
3059 } 3067 }
3060+#ifndef GSSAPI 3068+#ifndef GSSAPI
3061+ /* The GSSAPI key exchange can run without a host key */ 3069+ /* The GSSAPI key exchange can run without a host key */
3062 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { 3070 if (!sensitive_data.have_ssh2_key) {
3063 logit("Disabling protocol version 2. Could not load host key");
3064 options.protocol &= ~SSH_PROTO_2;
3065 }
3066+#endif
3067 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
3068 logit("sshd: no hostkeys available -- exiting."); 3071 logit("sshd: no hostkeys available -- exiting.");
3069 exit(1); 3072 exit(1);
3070@@ -2207,6 +2214,60 @@ main(int ac, char **av) 3073 }
3074+#endif
3075
3076 /*
3077 * Load certificates. They are stored in an array at identical
3078@@ -1978,6 +1985,60 @@ main(int ac, char **av)
3071 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 3079 remote_ip, remote_port, laddr, ssh_local_port(ssh));
3072 free(laddr); 3080 free(laddr);
3073 3081
@@ -3128,7 +3136,7 @@ index 799c771..ebb88c7 100644
3128 /* 3136 /*
3129 * We don't want to listen forever unless the other side 3137 * We don't want to listen forever unless the other side
3130 * successfully authenticates itself. So we set up an alarm which is 3138 * successfully authenticates itself. So we set up an alarm which is
3131@@ -2631,6 +2692,48 @@ do_ssh2_kex(void) 3139@@ -2159,6 +2220,48 @@ do_ssh2_kex(void)
3132 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3140 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3133 list_hostkey_types()); 3141 list_hostkey_types());
3134 3142
@@ -3177,7 +3185,7 @@ index 799c771..ebb88c7 100644
3177 /* start key exchange */ 3185 /* start key exchange */
3178 if ((r = kex_setup(active_state, myproposal)) != 0) 3186 if ((r = kex_setup(active_state, myproposal)) != 0)
3179 fatal("kex_setup: %s", ssh_err(r)); 3187 fatal("kex_setup: %s", ssh_err(r));
3180@@ -2648,6 +2751,13 @@ do_ssh2_kex(void) 3188@@ -2176,6 +2279,13 @@ do_ssh2_kex(void)
3181 # endif 3189 # endif
3182 #endif 3190 #endif
3183 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3191 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3192,10 +3200,10 @@ index 799c771..ebb88c7 100644
3192 kex->client_version_string=client_version_string; 3200 kex->client_version_string=client_version_string;
3193 kex->server_version_string=server_version_string; 3201 kex->server_version_string=server_version_string;
3194diff --git a/sshd_config b/sshd_config 3202diff --git a/sshd_config b/sshd_config
3195index 75ae8e7..3fe3e01 100644 3203index 9f09e4a6..00e5a728 100644
3196--- a/sshd_config 3204--- a/sshd_config
3197+++ b/sshd_config 3205+++ b/sshd_config
3198@@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3206@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys
3199 # GSSAPI options 3207 # GSSAPI options
3200 #GSSAPIAuthentication no 3208 #GSSAPIAuthentication no
3201 #GSSAPICleanupCredentials yes 3209 #GSSAPICleanupCredentials yes
@@ -3205,38 +3213,38 @@ index 75ae8e7..3fe3e01 100644
3205 # Set this to 'yes' to enable PAM authentication, account processing, 3213 # Set this to 'yes' to enable PAM authentication, account processing,
3206 # and session processing. If this is enabled, PAM authentication will 3214 # and session processing. If this is enabled, PAM authentication will
3207diff --git a/sshd_config.5 b/sshd_config.5 3215diff --git a/sshd_config.5 b/sshd_config.5
3208index 1bc26ec..3b4cba9 100644 3216index 32b29d24..dd765b39 100644
3209--- a/sshd_config.5 3217--- a/sshd_config.5
3210+++ b/sshd_config.5 3218+++ b/sshd_config.5
3211@@ -632,6 +632,11 @@ The default is 3219@@ -623,6 +623,11 @@ The default is
3212 Specifies whether user authentication based on GSSAPI is allowed. 3220 Specifies whether user authentication based on GSSAPI is allowed.
3213 The default is 3221 The default is
3214 .Dq no . 3222 .Cm no .
3215+.It Cm GSSAPIKeyExchange 3223+.It Cm GSSAPIKeyExchange
3216+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 3224+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
3217+doesn't rely on ssh keys to verify host identity. 3225+doesn't rely on ssh keys to verify host identity.
3218+The default is 3226+The default is
3219+.Dq no . 3227+.Cm no .
3220 .It Cm GSSAPICleanupCredentials 3228 .It Cm GSSAPICleanupCredentials
3221 Specifies whether to automatically destroy the user's credentials cache 3229 Specifies whether to automatically destroy the user's credentials cache
3222 on logout. 3230 on logout.
3223@@ -652,6 +657,11 @@ machine's default store. 3231@@ -642,6 +647,11 @@ machine's default store.
3224 This facility is provided to assist with operation on multi homed machines. 3232 This facility is provided to assist with operation on multi homed machines.
3225 The default is 3233 The default is
3226 .Dq yes . 3234 .Cm yes .
3227+.It Cm GSSAPIStoreCredentialsOnRekey 3235+.It Cm GSSAPIStoreCredentialsOnRekey
3228+Controls whether the user's GSSAPI credentials should be updated following a 3236+Controls whether the user's GSSAPI credentials should be updated following a
3229+successful connection rekeying. This option can be used to accepted renewed 3237+successful connection rekeying. This option can be used to accepted renewed
3230+or updated credentials from a compatible client. The default is 3238+or updated credentials from a compatible client. The default is
3231+.Dq no . 3239+.Cm no .
3232 .It Cm HostbasedAcceptedKeyTypes 3240 .It Cm HostbasedAcceptedKeyTypes
3233 Specifies the key types that will be accepted for hostbased authentication 3241 Specifies the key types that will be accepted for hostbased authentication
3234 as a comma-separated pattern list. 3242 as a comma-separated pattern list.
3235diff --git a/sshkey.c b/sshkey.c 3243diff --git a/sshkey.c b/sshkey.c
3236index c9f04cd..558bbbe 100644 3244index c01da6c3..377d72fa 100644
3237--- a/sshkey.c 3245--- a/sshkey.c
3238+++ b/sshkey.c 3246+++ b/sshkey.c
3239@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = { 3247@@ -114,6 +114,7 @@ static const struct keytype keytypes[] = {
3240 # endif /* OPENSSL_HAS_NISTP521 */ 3248 # endif /* OPENSSL_HAS_NISTP521 */
3241 # endif /* OPENSSL_HAS_ECC */ 3249 # endif /* OPENSSL_HAS_ECC */
3242 #endif /* WITH_OPENSSL */ 3250 #endif /* WITH_OPENSSL */
@@ -3244,7 +3252,7 @@ index c9f04cd..558bbbe 100644
3244 { NULL, NULL, -1, -1, 0, 0 } 3252 { NULL, NULL, -1, -1, 0, 0 }
3245 }; 3253 };
3246 3254
3247@@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only) 3255@@ -202,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, char sep)
3248 const struct keytype *kt; 3256 const struct keytype *kt;
3249 3257
3250 for (kt = keytypes; kt->type != -1; kt++) { 3258 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3254,7 +3262,7 @@ index c9f04cd..558bbbe 100644
3254 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3262 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3255 continue; 3263 continue;
3256diff --git a/sshkey.h b/sshkey.h 3264diff --git a/sshkey.h b/sshkey.h
3257index 8c3d866..e0caa37 100644 3265index f3936384..7eb2a139 100644
3258--- a/sshkey.h 3266--- a/sshkey.h
3259+++ b/sshkey.h 3267+++ b/sshkey.h
3260@@ -62,6 +62,7 @@ enum sshkey_types { 3268@@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
deleted file mode 100644
index a990ca1ea..000000000
--- a/debian/patches/helpful-wait-terminate.patch
+++ /dev/null
@@ -1,26 +0,0 @@
1From 173d65e72989cba82502604da3f1336766c0cf0f Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate
5
6Bug-Debian: http://bugs.debian.org/50308
7Last-Update: 2010-02-27
8
9Patch-Name: helpful-wait-terminate.patch
10---
11 serverloop.c | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14diff --git a/serverloop.c b/serverloop.c
15index 3563e5d..c4e1d1d 100644
16--- a/serverloop.c
17+++ b/serverloop.c
18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
19 if (!channel_still_open())
20 break;
21 if (!waiting_termination) {
22- const char *s = "Waiting for forwarded connections to terminate...\r\n";
23+ const char *s = "Waiting for forwarded connections to terminate... (press ~& to background)\r\n";
24 char *cp;
25 waiting_termination = 1;
26 buffer_append(&stderr_buffer, s, strlen(s));
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 14ab7d34f..11378586d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 67c34f23edbcd0f39ebc2aadae9d33950bd1f98a Mon Sep 17 00:00:00 2001 1From 8f60ff6d23d4a1f8c347cf4b95267e00116f74fa Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index c0b7822..3a6c67b 100644 29index c1c3aae0..3efba242 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -173,6 +173,7 @@ typedef enum { 32@@ -173,6 +173,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index c0b7822..3a6c67b 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1403,6 +1406,8 @@ parse_keytypes: 49@@ -1402,6 +1405,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index c0b7822..3a6c67b 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2048,8 +2053,13 @@ fill_default_options(Options * options) 58@@ -2047,8 +2052,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,12 +72,12 @@ index c0b7822..3a6c67b 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 707d0e1..efc265a 100644 75index a7703fc7..32fd100d 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -268,8 +268,12 @@ The default is 78@@ -250,8 +250,12 @@ Valid arguments are
79 If set to 79 If set to
80 .Dq yes , 80 .Cm yes ,
81 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
82+In addition, the 82+In addition, the
83+.Cm ServerAliveInterval 83+.Cm ServerAliveInterval
@@ -87,9 +87,9 @@ index 707d0e1..efc265a 100644
87+is present to supply the password, 87+is present to supply the password,
88+and where it is desirable to detect a broken network swiftly. 88+and where it is desirable to detect a broken network swiftly.
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Cm yes
91 or 91 or
92@@ -1624,7 +1628,14 @@ from the server, 92@@ -1485,7 +1489,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index 707d0e1..efc265a 100644
105 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
106 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
107 .Pq umask 107 .Pq umask
108@@ -1690,6 +1701,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1544,6 +1555,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,13 +119,13 @@ index 707d0e1..efc265a 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index 3b4cba9..e05cdbe 100644 122index dd765b39..283ba889 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1530,6 +1530,9 @@ This avoids infinitely hanging sessions. 125@@ -1427,6 +1427,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Dq no . 128 .Cm no .
129+.Pp 129+.Pp
130+This option was formerly called 130+This option was formerly called
131+.Cm KeepAlive . 131+.Cm KeepAlive .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 12dbaf853..943fc901d 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 6a1979d97fbde734a745b5123130fed669bfb145 Mon Sep 17 00:00:00 2001 1From e39bf0e814394fb5a14094b651f3bf9ddec0a782 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 7 insertions(+), 1 deletion(-) 13 1 file changed, 7 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index 8b8e760..fd67727 100644 16index 698a0711..1cc556e8 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -1081,9 +1081,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1080,9 +1080,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
20 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
21 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
22 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -31,7 +31,7 @@ index 8b8e760..fd67727 100644
31 } 31 }
32 /* The host key has changed. */ 32 /* The host key has changed. */
33 warn_changed_key(host_key); 33 warn_changed_key(host_key);
34@@ -1091,6 +1095,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 34@@ -1090,6 +1094,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
35 user_hostfiles[0]); 35 user_hostfiles[0]);
36 error("Offending %s key in %s:%lu", key_type(host_found->key), 36 error("Offending %s key in %s:%lu", key_type(host_found->key),
37 host_found->file, host_found->line); 37 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 8503c5854..682455fe9 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From e7d4050d9077603c20a93bdfd6b99cd419d69f1c Mon Sep 17 00:00:00 2001 1From 27710ce6deb6e9a820235ac44dd82333ab330047 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
@@ -23,10 +23,10 @@ Patch-Name: no-openssl-version-status.patch
23 2 files changed, 4 insertions(+), 3 deletions(-) 23 2 files changed, 4 insertions(+), 3 deletions(-)
24 24
25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c 25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
26index 63a660c..3f62403 100644 26index 259fccbe..aaa953f2 100644
27--- a/openbsd-compat/openssl-compat.c 27--- a/openbsd-compat/openssl-compat.c
28+++ b/openbsd-compat/openssl-compat.c 28+++ b/openbsd-compat/openssl-compat.c
29@@ -36,7 +36,7 @@ 29@@ -34,7 +34,7 @@
30 /* 30 /*
31 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status 31 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
32 * We match major, minor, fix and status (not patch) for <1.0.0. 32 * We match major, minor, fix and status (not patch) for <1.0.0.
@@ -35,9 +35,9 @@ index 63a660c..3f62403 100644
35 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed 35 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
36 * within a patch series. 36 * within a patch series.
37 */ 37 */
38@@ -57,10 +57,10 @@ ssh_compatible_openssl(long headerver, long libver) 38@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
39 } 39 }
40 40
41 /* 41 /*
42- * For versions >= 1.0.0, major,minor,status must match and library 42- * For versions >= 1.0.0, major,minor,status must match and library
43+ * For versions >= 1.0.0, major,minor must match and library 43+ * For versions >= 1.0.0, major,minor must match and library
@@ -49,7 +49,7 @@ index 63a660c..3f62403 100644
49 lfix = (libver & 0x000ff000) >> 12; 49 lfix = (libver & 0x000ff000) >> 12;
50 if ( (headerver & mask) == (libver & mask) && lfix >= hfix) 50 if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
51diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c 51diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
52index 5d019b5..5847487 100644 52index 5d019b59..58474873 100644
53--- a/openbsd-compat/regress/opensslvertest.c 53--- a/openbsd-compat/regress/opensslvertest.c
54+++ b/openbsd-compat/regress/opensslvertest.c 54+++ b/openbsd-compat/regress/opensslvertest.c
55@@ -35,6 +35,7 @@ struct version_test { 55@@ -35,6 +35,7 @@ struct version_test {
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 771e77216..5a6428a16 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From ab7ae820a882c8a51b06ec0b3522813b4e90eeff Mon Sep 17 00:00:00 2001 1From 57a5ec3553730b373c96e8457815c42733304427 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -22,7 +22,7 @@ Patch-Name: openbsd-docs.patch
22 5 files changed, 13 insertions(+), 15 deletions(-) 22 5 files changed, 13 insertions(+), 15 deletions(-)
23 23
24diff --git a/moduli.5 b/moduli.5 24diff --git a/moduli.5 b/moduli.5
25index ef0de08..149846c 100644 25index ef0de085..149846c8 100644
26--- a/moduli.5 26--- a/moduli.5
27+++ b/moduli.5 27+++ b/moduli.5
28@@ -21,7 +21,7 @@ 28@@ -21,7 +21,7 @@
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index ce2213c..01711df 100644 47index ce2213c7..01711dff 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -178,9 +178,7 @@ key in 50@@ -178,9 +178,7 @@ key in
@@ -88,7 +88,7 @@ index ce2213c..01711df 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index feef81a..b1f128c 100644 91index feef81a5..b1f128c2 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -877,6 +877,10 @@ implements public key authentication protocol automatically, 94@@ -877,6 +877,10 @@ implements public key authentication protocol automatically,
@@ -103,10 +103,10 @@ index feef81a..b1f128c 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 589841f..58eefe9 100644 106index c6784602..e6915141 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -67,7 +67,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
110 .Nm 110 .Nm
111 listens for connections from clients. 111 listens for connections from clients.
112 It is normally started at boot from 112 It is normally started at boot from
@@ -115,7 +115,7 @@ index 589841f..58eefe9 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -891,7 +891,7 @@ This file is for host-based authentication (see 118@@ -836,7 +836,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index 589841f..58eefe9 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method. 125 key exchange method.
126 The file format is described in 126 The file format is described in
127@@ -993,7 +993,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -936,7 +936,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 589841f..58eefe9 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index ac9b1f0..b2b349e 100644 136index 4ea0a9c3..e45a8937 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -382,8 +382,7 @@ then no banner is displayed. 139@@ -372,8 +372,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
@@ -144,5 +144,5 @@ index ac9b1f0..b2b349e 100644
144-.Xr login.conf 5 ) 144-.Xr login.conf 5 )
145+PAM). 145+PAM).
146 The default is 146 The default is
147 .Dq yes . 147 .Cm yes .
148 .It Cm ChrootDirectory 148 .It Cm ChrootDirectory
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index efc629b71..7b14bcc09 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From c8105413361d3c97b6a2f72c9f1c85da830bed2c Mon Sep 17 00:00:00 2001 1From cdce59c8c54d6d19ca0aa86cb4a62f6df94c7245 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index fd67727..07dfc9d 100644 22index 1cc556e8..c64c51bb 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -527,10 +527,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -526,10 +526,10 @@ send_client_banner(int connection_out, int minor1)
26 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
27 if (compat20) { 27 if (compat20) {
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,24 +36,24 @@ index fd67727..07dfc9d 100644
36 if (atomicio(vwrite, connection_out, client_version_string, 36 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 76306da..e873557 100644 39index 5a3f796d..39e4699c 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -443,7 +443,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
43 } 43 char remote_version[256]; /* Must be at least as big as buf. */
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
46- major, minor, SSH_VERSION, 46- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
47+ major, minor, SSH_RELEASE, 47+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
48 *options.version_addendum == '\0' ? "" : " ", 48 *options.version_addendum == '\0' ? "" : " ",
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index 617ab62..fb81655 100644 52index 269ebcda..850a2f7d 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.3" 56 #define SSH_VERSION "OpenSSH_7.4"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 36c366d95..49f1daf1c 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 8eeec10866f78acd021824225e9d62e4a18fc2c3 Mon Sep 17 00:00:00 2001 1From 7083ae25ccce8bbdad40e7c7500f69f2c0cbce34 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index 421241f..e5cc3f8 100644 25index 99c68b69..5876cc9a 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1757,8 +1757,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1755,8 +1755,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0; 29 exit_status = 0;
30 } 30 }
31 31
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index bf3a575ad..e41b99d6e 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From c027de5eb3e6cb1718990841c2a9cbc89fd53151 Mon Sep 17 00:00:00 2001 1From 6a15c9b672c5833f21ed7e0cea3a25dd8de966c4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 894ec3b..f822fb3 100644 31index 5fdc696c..4747ce4a 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1510,6 +1510,62 @@ AC_ARG_WITH([skey], 34@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,7 +94,7 @@ index 894ec3b..f822fb3 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5059,6 +5115,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5105,6 +5161,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index 894ec3b..f822fb3 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " Solaris process contract support: $SPC_MSG" 104 echo " Solaris process contract support: $SPC_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 6c521f2..589841f 100644 106index 41fc5051..c6784602 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -880,6 +880,12 @@ the user's home directory becomes accessible. 109@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index 6c521f2..589841f 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -929,6 +935,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index 6c521f2..589841f 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index ebb88c7..982e545 100644 131index ec2cf976..4f791b92 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -129,6 +129,13 @@ 134@@ -127,6 +127,13 @@
135 #include <Security/AuthSession.h> 135 #include <Security/AuthSession.h>
136 #endif 136 #endif
137 137
@@ -142,10 +142,10 @@ index ebb88c7..982e545 100644
142+int deny_severity; 142+int deny_severity;
143+#endif /* LIBWRAP */ 143+#endif /* LIBWRAP */
144+ 144+
145 #ifndef O_NOCTTY 145 /* Re-exec fds */
146 #define O_NOCTTY 0 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #endif 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2207,6 +2214,24 @@ main(int ac, char **av) 148@@ -1978,6 +1985,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 2efc40e07..8e426db77 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 119936d7b64829f81cbc84c2e81bf23373c6ed37 Mon Sep 17 00:00:00 2001 1From 43205c71be413d2225ce3ea5cf81d79afd420b81 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 43ca3fa..4a7f73a 100644 20index b4db8519..18c27720 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -192,8 +192,16 @@ do_local_cmd(arglist *a) 23@@ -191,8 +191,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index bcb61480d..9ab9394b3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 7a7851c903e5dbb58a85014deb2c88cb718068c9 Mon Sep 17 00:00:00 2001 1From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -14,7 +14,6 @@ Last-Update: 2015-08-19
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
16 auth.h | 1 + 16 auth.h | 1 +
17 auth1.c | 8 +++++++-
18 auth2.c | 10 ++++++++-- 17 auth2.c | 10 ++++++++--
19 monitor.c | 32 +++++++++++++++++++++++++++++--- 18 monitor.c | 32 +++++++++++++++++++++++++++++---
20 monitor.h | 2 ++ 19 monitor.h | 2 ++
@@ -29,10 +28,10 @@ Patch-Name: selinux-role.patch
29 sshd.c | 2 +- 28 sshd.c | 2 +-
30 sshpty.c | 4 ++-- 29 sshpty.c | 4 ++--
31 sshpty.h | 2 +- 30 sshpty.h | 2 +-
32 16 files changed, 104 insertions(+), 31 deletions(-) 31 15 files changed, 97 insertions(+), 30 deletions(-)
33 32
34diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
35index 55170af..50baeaa 100644 34index 338a62da..8c658d16 100644
36--- a/auth.h 35--- a/auth.h
37+++ b/auth.h 36+++ b/auth.h
38@@ -62,6 +62,7 @@ struct Authctxt { 37@@ -62,6 +62,7 @@ struct Authctxt {
@@ -43,39 +42,8 @@ index 55170af..50baeaa 100644
43 void *kbdintctxt; 42 void *kbdintctxt;
44 char *info; /* Extra info for next auth_log */ 43 char *info; /* Extra info for next auth_log */
45 #ifdef BSD_AUTH 44 #ifdef BSD_AUTH
46diff --git a/auth1.c b/auth1.c
47index 5073c49..dd00648 100644
48--- a/auth1.c
49+++ b/auth1.c
50@@ -383,7 +383,7 @@ void
51 do_authentication(Authctxt *authctxt)
52 {
53 u_int ulen;
54- char *user, *style = NULL;
55+ char *user, *style = NULL, *role = NULL;
56
57 /* Get the name of the user that we wish to log in as. */
58 packet_read_expect(SSH_CMSG_USER);
59@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
60 user = packet_get_cstring(&ulen);
61 packet_check_eom();
62
63+ if ((role = strchr(user, '/')) != NULL)
64+ *role++ = '\0';
65+
66 if ((style = strchr(user, ':')) != NULL)
67 *style++ = '\0';
68+ else if (role && (style = strchr(role, ':')) != NULL)
69+ *style++ = '\0';
70
71 authctxt->user = user;
72 authctxt->style = style;
73+ authctxt->role = role;
74
75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
78index ce0d376..461311b 100644 46index ce0d3760..461311bd 100644
79--- a/auth2.c 47--- a/auth2.c
80+++ b/auth2.c 48+++ b/auth2.c
81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 49@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -113,10 +81,10 @@ index ce0d376..461311b 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
116index 05bb48a..e91054e 100644 84index 76d9e346..64286a12 100644
117--- a/monitor.c 85--- a/monitor.c
118+++ b/monitor.c 86+++ b/monitor.c
119@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 88 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 89 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 90 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +92,7 @@ index 05bb48a..e91054e 100644
124 int mm_answer_authpassword(int, Buffer *); 92 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 93 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 94 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -209,6 +210,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,15 +100,15 @@ index 05bb48a..e91054e 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 102 #ifdef USE_PAM
135@@ -880,6 +882,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 104
137 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
139+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); 107+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 109
142 #ifdef USE_PAM 110 #ifdef USE_PAM
143@@ -910,14 +913,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 112
145 authctxt->service = buffer_get_string(m, NULL); 113 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 114 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +148,7 @@ index 05bb48a..e91054e 100644
180 return (0); 148 return (0);
181 } 149 }
182 150
183@@ -1553,7 +1579,7 @@ mm_answer_pty(int sock, Buffer *m) 151@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 153 if (res == 0)
186 goto error; 154 goto error;
@@ -190,7 +158,7 @@ index 05bb48a..e91054e 100644
190 buffer_put_int(m, 1); 158 buffer_put_int(m, 1);
191 buffer_put_cstring(m, s->tty); 159 buffer_put_cstring(m, s->tty);
192diff --git a/monitor.h b/monitor.h 160diff --git a/monitor.h b/monitor.h
193index bc50ade..2d82b8b 100644 161index ec41404c..4c7955d7 100644
194--- a/monitor.h 162--- a/monitor.h
195+++ b/monitor.h 163+++ b/monitor.h
196@@ -68,6 +68,8 @@ enum monitor_reqtype { 164@@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -201,12 +169,12 @@ index bc50ade..2d82b8b 100644
201+ 169+
202 }; 170 };
203 171
204 struct mm_master; 172 struct monitor {
205diff --git a/monitor_wrap.c b/monitor_wrap.c 173diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 5a9f1b5..11e3a69 100644 174index d5cb640a..2ff8064a 100644
207--- a/monitor_wrap.c 175--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 176+++ b/monitor_wrap.c
209@@ -328,10 +328,10 @@ mm_auth2_read_banner(void) 177@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
210 return (banner); 178 return (banner);
211 } 179 }
212 180
@@ -219,7 +187,7 @@ index 5a9f1b5..11e3a69 100644
219 { 187 {
220 Buffer m; 188 Buffer m;
221 189
222@@ -340,12 +340,30 @@ mm_inform_authserv(char *service, char *style) 190@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 191 buffer_init(&m);
224 buffer_put_cstring(&m, service); 192 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 193 buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +219,7 @@ index 5a9f1b5..11e3a69 100644
251 int 219 int
252 mm_auth_password(Authctxt *authctxt, char *password) 220 mm_auth_password(Authctxt *authctxt, char *password)
253diff --git a/monitor_wrap.h b/monitor_wrap.h 221diff --git a/monitor_wrap.h b/monitor_wrap.h
254index b5414c2..d5b3334 100644 222index 8f9dd896..3e75867c 100644
255--- a/monitor_wrap.h 223--- a/monitor_wrap.h
256+++ b/monitor_wrap.h 224+++ b/monitor_wrap.h
257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 225@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -265,10 +233,10 @@ index b5414c2..d5b3334 100644
265 char *mm_auth2_read_banner(void); 233 char *mm_auth2_read_banner(void);
266 int mm_auth_password(struct Authctxt *, char *); 234 int mm_auth_password(struct Authctxt *, char *);
267diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
268index f36999d..f9cdc15 100644 236index e4c5d1b7..e26faf08 100644
269--- a/openbsd-compat/port-linux.c 237--- a/openbsd-compat/port-linux.c
270+++ b/openbsd-compat/port-linux.c 238+++ b/openbsd-compat/port-linux.c
271@@ -29,6 +29,12 @@ 239@@ -27,6 +27,12 @@
272 #include <string.h> 240 #include <string.h>
273 #include <stdio.h> 241 #include <stdio.h>
274 242
@@ -281,7 +249,7 @@ index f36999d..f9cdc15 100644
281 #include "log.h" 249 #include "log.h"
282 #include "xmalloc.h" 250 #include "xmalloc.h"
283 #include "port-linux.h" 251 #include "port-linux.h"
284@@ -58,7 +64,7 @@ ssh_selinux_enabled(void) 252@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
285 253
286 /* Return the default security context for the given username */ 254 /* Return the default security context for the given username */
287 static security_context_t 255 static security_context_t
@@ -290,7 +258,7 @@ index f36999d..f9cdc15 100644
290 { 258 {
291 security_context_t sc = NULL; 259 security_context_t sc = NULL;
292 char *sename = NULL, *lvl = NULL; 260 char *sename = NULL, *lvl = NULL;
293@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname) 261@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
294 #endif 262 #endif
295 263
296 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 264 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -309,7 +277,7 @@ index f36999d..f9cdc15 100644
309 #endif 277 #endif
310 278
311 if (r != 0) { 279 if (r != 0) {
312@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname) 280@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
313 281
314 /* Set the execution context to the default for the specified user */ 282 /* Set the execution context to the default for the specified user */
315 void 283 void
@@ -318,7 +286,7 @@ index f36999d..f9cdc15 100644
318 { 286 {
319 security_context_t user_ctx = NULL; 287 security_context_t user_ctx = NULL;
320 288
321@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname) 289@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
322 290
323 debug3("%s: setting execution context", __func__); 291 debug3("%s: setting execution context", __func__);
324 292
@@ -327,7 +295,7 @@ index f36999d..f9cdc15 100644
327 if (setexeccon(user_ctx) != 0) { 295 if (setexeccon(user_ctx) != 0) {
328 switch (security_getenforce()) { 296 switch (security_getenforce()) {
329 case -1: 297 case -1:
330@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname) 298@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
331 299
332 /* Set the TTY context for the specified user */ 300 /* Set the TTY context for the specified user */
333 void 301 void
@@ -336,7 +304,7 @@ index f36999d..f9cdc15 100644
336 { 304 {
337 security_context_t new_tty_ctx = NULL; 305 security_context_t new_tty_ctx = NULL;
338 security_context_t user_ctx = NULL; 306 security_context_t user_ctx = NULL;
339@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) 307@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
340 308
341 debug3("%s: setting TTY context on %s", __func__, tty); 309 debug3("%s: setting TTY context on %s", __func__, tty);
342 310
@@ -346,10 +314,10 @@ index f36999d..f9cdc15 100644
346 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 314 /* XXX: should these calls fatal() upon failure in enforcing mode? */
347 315
348diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h 316diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
349index e3d1004..80ce13a 100644 317index 3c22a854..c8812942 100644
350--- a/openbsd-compat/port-linux.h 318--- a/openbsd-compat/port-linux.h
351+++ b/openbsd-compat/port-linux.h 319+++ b/openbsd-compat/port-linux.h
352@@ -21,8 +21,8 @@ 320@@ -19,8 +19,8 @@
353 321
354 #ifdef WITH_SELINUX 322 #ifdef WITH_SELINUX
355 int ssh_selinux_enabled(void); 323 int ssh_selinux_enabled(void);
@@ -361,10 +329,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 329 void ssh_selinux_setfscreatecon(const char *);
362 #endif 330 #endif
363diff --git a/platform.c b/platform.c 331diff --git a/platform.c b/platform.c
364index acf8554..4831706 100644 332index 973a63e4..cd7bf566 100644
365--- a/platform.c 333--- a/platform.c
366+++ b/platform.c 334+++ b/platform.c
367@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw) 335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 336 * called if sshd is running as root.
369 */ 337 */
370 void 338 void
@@ -373,7 +341,7 @@ index acf8554..4831706 100644
373 { 341 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 342 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 343 /*
376@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 344@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 345 }
378 #endif /* HAVE_SETPCRED */ 346 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 347 #ifdef WITH_SELINUX
@@ -383,10 +351,10 @@ index acf8554..4831706 100644
383 } 351 }
384 352
385diff --git a/platform.h b/platform.h 353diff --git a/platform.h b/platform.h
386index e97ecd9..5b72304 100644 354index ea4f9c58..60d72ffe 100644
387--- a/platform.h 355--- a/platform.h
388+++ b/platform.h 356+++ b/platform.h
389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); 357@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
390 void platform_post_fork_child(void); 358 void platform_post_fork_child(void);
391 int platform_privileged_uidswap(void); 359 int platform_privileged_uidswap(void);
392 void platform_setusercontext(struct passwd *); 360 void platform_setusercontext(struct passwd *);
@@ -396,10 +364,10 @@ index e97ecd9..5b72304 100644
396 char *platform_krb5_get_principal_name(const char *); 364 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 365 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 366diff --git a/session.c b/session.c
399index 2235f26..6dfcf84 100644 367index a08aa69d..ea3871eb 100644
400--- a/session.c 368--- a/session.c
401+++ b/session.c 369+++ b/session.c
402@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid) 370@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
403 371
404 /* Set login name, uid, gid, and groups. */ 372 /* Set login name, uid, gid, and groups. */
405 void 373 void
@@ -408,7 +376,7 @@ index 2235f26..6dfcf84 100644
408 { 376 {
409 char *chroot_path, *tmp; 377 char *chroot_path, *tmp;
410 378
411@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw) 379@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 380 endgrent();
413 #endif 381 #endif
414 382
@@ -417,7 +385,7 @@ index 2235f26..6dfcf84 100644
417 385
418 if (!in_chroot && options.chroot_directory != NULL && 386 if (!in_chroot && options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 387 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) 388@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
421 389
422 /* Force a password change */ 390 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 391 if (s->authctxt->force_pwchange) {
@@ -426,16 +394,16 @@ index 2235f26..6dfcf84 100644
426 child_close_fds(); 394 child_close_fds();
427 do_pwchange(s); 395 do_pwchange(s);
428 exit(1); 396 exit(1);
429@@ -1730,7 +1730,7 @@ do_child(Session *s, const char *command) 397@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 398 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 399 if (!options.use_pam)
432 do_nologin(pw); 400 do_nologin(pw);
433- do_setusercontext(pw); 401- do_setusercontext(pw);
434+ do_setusercontext(pw, s->authctxt->role); 402+ do_setusercontext(pw, s->authctxt->role);
435 /* 403 /*
436 * PAM session modules in do_setusercontext may have 404 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 405 * generated messages, so if this in an interactive
438@@ -2141,7 +2141,7 @@ session_pty_req(Session *s) 406@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 407 tty_parse_modes(s->ttyfd, &n_bytes);
440 408
441 if (!use_privsep) 409 if (!use_privsep)
@@ -445,10 +413,10 @@ index 2235f26..6dfcf84 100644
445 /* Set window size from the packet. */ 413 /* Set window size from the packet. */
446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
447diff --git a/session.h b/session.h 415diff --git a/session.h b/session.h
448index f18eaf3..2b7d939 100644 416index 98e1dafe..0a31dce4 100644
449--- a/session.h 417--- a/session.h
450+++ b/session.h 418+++ b/session.h
451@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); 419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
452 Session *session_new(void); 420 Session *session_new(void);
453 Session *session_by_tty(char *); 421 Session *session_by_tty(char *);
454 void session_close(Session *); 422 void session_close(Session *);
@@ -458,11 +426,11 @@ index f18eaf3..2b7d939 100644
458 const char *value); 426 const char *value);
459 427
460diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
461index 982e545..76306da 100644 429index 4f791b92..5a3f796d 100644
462--- a/sshd.c 430--- a/sshd.c
463+++ b/sshd.c 431+++ b/sshd.c
464@@ -787,7 +787,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 433 reseed_prngs();
466 434
467 /* Drop privileges */ 435 /* Drop privileges */
468- do_setusercontext(authctxt->pw); 436- do_setusercontext(authctxt->pw);
@@ -471,7 +439,7 @@ index 982e545..76306da 100644
471 skip: 439 skip:
472 /* It is safe now to apply the key state */ 440 /* It is safe now to apply the key state */
473diff --git a/sshpty.c b/sshpty.c 441diff --git a/sshpty.c b/sshpty.c
474index 15da8c6..e89efb7 100644 442index fe2fb5aa..feb22b06 100644
475--- a/sshpty.c 443--- a/sshpty.c
476+++ b/sshpty.c 444+++ b/sshpty.c
477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 445@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -493,12 +461,13 @@ index 15da8c6..e89efb7 100644
493 461
494 if (st.st_uid != pw->pw_uid || st.st_gid != gid) { 462 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
495diff --git a/sshpty.h b/sshpty.h 463diff --git a/sshpty.h b/sshpty.h
496index cfa3224..edf2436 100644 464index 9ec7e9a1..de7e000a 100644
497--- a/sshpty.h 465--- a/sshpty.h
498+++ b/sshpty.h 466+++ b/sshpty.h
499@@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t); 467@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
500 void pty_release(const char *); 468 void pty_release(const char *);
501 void pty_make_controlling_tty(int *, const char *); 469 void pty_make_controlling_tty(int *, const char *);
502 void pty_change_window_size(int, u_int, u_int, u_int, u_int); 470 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
503-void pty_setowner(struct passwd *, const char *); 471-void pty_setowner(struct passwd *, const char *);
504+void pty_setowner(struct passwd *, const char *, const char *); 472+void pty_setowner(struct passwd *, const char *, const char *);
473 void disconnect_controlling_tty(void);
diff --git a/debian/patches/series b/debian/patches/series
index 8dfd83f16..f7dded322 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,7 +5,6 @@ ssh-vulnkey-compat.patch
5keepalive-extensions.patch 5keepalive-extensions.patch
6syslog-level-silent.patch 6syslog-level-silent.patch
7quieter-signals.patch 7quieter-signals.patch
8helpful-wait-terminate.patch
9user-group-modes.patch 8user-group-modes.patch
10scp-quoting.patch 9scp-quoting.patch
11shell-path.patch 10shell-path.patch
@@ -25,5 +24,3 @@ gnome-ssh-askpass2-icon.patch
25sigstop.patch 24sigstop.patch
26systemd-readiness.patch 25systemd-readiness.patch
27debian-config.patch 26debian-config.patch
28unregister-kexinit.patch
29fix-putty-interop-tests.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 506ba3f7a..82203e0d8 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From ac283605e244f9dab676b039986f137f86284291 Mon Sep 17 00:00:00 2001 1From f6973171005fc513fa25540a1561ca1128e488e1 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 356ec79..8b8e760 100644 19index 96b91ce1..698a0711 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -232,7 +232,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 356ec79..8b8e760 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1499,7 +1499,7 @@ ssh_local_cmd(const char *args) 31@@ -1498,7 +1498,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 7ae7f3558..5e07bf023 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 8d765e441787d024e76369496316105fe736d3ba Mon Sep 17 00:00:00 2001 1From 7140d94420542a8af7459d08436af2fc950cd810 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 71fad9e..837409b 100644 16index 747beec8..414e19ee 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -2107,6 +2107,16 @@ main(int ac, char **av) 19@@ -1878,6 +1878,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 2d1dabfd3..4e087e47d 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 172bb48ec4cb3b65d26d4f3bd8bc0e82ddaf6ca1 Mon Sep 17 00:00:00 2001 1From 42a3ec898a2dc3a752d675f48585109ab8a592f2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index c4b50bb..2fe2201 100644 16index 83b2b41c..7230704a 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -193,6 +193,21 @@ environment variable holds the agent's process ID. 19@@ -206,6 +206,21 @@ environment variable holds the agent's process ID.
20 .Pp 20 .Pp
21 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
22 line terminates. 22 line terminates.
@@ -37,4 +37,4 @@ index c4b50bb..2fe2201 100644
37+so in the program executed by ssh-agent. 37+so in the program executed by ssh-agent.
38 .Sh FILES 38 .Sh FILES
39 .Bl -tag -width Ds 39 .Bl -tag -width Ds
40 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt 40 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 614ed8195..70b13cd47 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From ccfb71ca70b73f6d5a2873b31d0140c7cb5f4430 Mon Sep 17 00:00:00 2001 1From 45d82ddb03e248dae4775ce1693654ea69d050ad Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,7 +18,7 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index b1f128c..22e56a7 100644 21index b1f128c2..22e56a7b 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1586,6 +1586,7 @@ if an error occurred. 24@@ -1586,6 +1586,7 @@ if an error occurred.
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 0492c84fe..29a876cd8 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From e35c0bb4c3997b8ef885c6afdcc600b403eb878b Mon Sep 17 00:00:00 2001 1From 01e8999cc86a0b2ffed5f98abed624b0e7c2707f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index e019195..c0b7822 100644 20index 7902ef26..c1c3aae0 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -194,6 +194,7 @@ static struct { 23@@ -194,6 +194,7 @@ static struct {
@@ -29,14 +29,14 @@ index e019195..c0b7822 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index 9b06281..bf9f8f7 100644 32index 14c81fa9..49d3bdc8 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -541,6 +541,7 @@ static struct { 35@@ -521,6 +521,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
39+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL }, 39+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
40 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 40 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
41 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 41 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
42 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 42 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3e46d03c8..9fd4e96d3 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 21fb55231ad0422fa0e5f0c2f67093cb5f29dd47 Mon Sep 17 00:00:00 2001 1From 3ffb3874831f9f4a0a2d02c82c3505166593f1c1 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index 2b59c42..ffc8ffb 100644 24index 2b59c427..ffc8ffbb 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,7 +33,7 @@ index 2b59c42..ffc8ffb 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 03a23fb..1febb04 100644 36index ee0b16dc..39609e79 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1167,7 +1167,7 @@ main(int ac, char **av) 39@@ -1167,7 +1167,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index deee48460..a2ecd7e99 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From fe97848e044743f0bac019a491ddf0138f84e14a Mon Sep 17 00:00:00 2001 1From 6ea90cd25e0275c4153691a962bcc89007e77261 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index f822fb3..6cafb15 100644 17index 4747ce4a..9f59794b 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4319,6 +4319,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4364,6 +4364,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index f822fb3..6cafb15 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5121,6 +5144,7 @@ echo " libedit support: $LIBEDIT_MSG" 50@@ -5167,6 +5190,7 @@ echo " libedit support: $LIBEDIT_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index f822fb3..6cafb15 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 837409b..868df9e 100644 59index 414e19ee..8b793480 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -69,8 +69,8 @@ index 837409b..868df9e 100644
69+ 69+
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh1.h" 72 #include "ssh2.h"
73@@ -2117,6 +2121,11 @@ main(int ac, char **av) 73@@ -1888,6 +1892,11 @@ main(int ac, char **av)
74 unsetenv("SSH_SIGSTOP"); 74 unsetenv("SSH_SIGSTOP");
75 } 75 }
76 76
diff --git a/debian/patches/unregister-kexinit.patch b/debian/patches/unregister-kexinit.patch
deleted file mode 100644
index 48da43273..000000000
--- a/debian/patches/unregister-kexinit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
1From b139635512b1af75e82252c0c71ac66e08b78774 Mon Sep 17 00:00:00 2001
2From: "markus@openbsd.org" <markus@openbsd.org>
3Date: Mon, 10 Oct 2016 19:28:48 +0000
4Subject: upstream commit
5
6Unregister the KEXINIT handler after message has been
7received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
8allocation of up to 128MB -- until the connection is closed. Reported by
9shilei-c at 360.cn
10
11Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
12
13Origin: https://anongit.mindrot.org/openssh.git/commit/?id=ec165c392ca54317dbe3064a8c200de6531e89ad
14Bug-Debian: https://bugs.debian.org/841884
15Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1384860
16Last-Update: 2016-10-24
17
18Patch-Name: unregister-kexinit.patch
19---
20 kex.c | 1 +
21 1 file changed, 1 insertion(+)
22
23diff --git a/kex.c b/kex.c
24index c17d652..7ab72ba 100644
25--- a/kex.c
26+++ b/kex.c
27@@ -488,6 +488,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
28 if (kex == NULL)
29 return SSH_ERR_INVALID_ARGUMENT;
30
31+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
32 ptr = sshpkt_ptr(ssh, &dlen);
33 if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
34 return r;
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 3bd2fd91f..e08b6c7b7 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 563974a78e937c4844e1198b5f6d79b8b2b5c600 Mon Sep 17 00:00:00 2001 1From df060c830ad66289a93be24268f3f70e7021be29 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -28,10 +28,10 @@ Patch-Name: user-group-modes.patch
28 8 files changed, 80 insertions(+), 29 deletions(-) 28 8 files changed, 80 insertions(+), 29 deletions(-)
29 29
30diff --git a/auth-rhosts.c b/auth-rhosts.c 30diff --git a/auth-rhosts.c b/auth-rhosts.c
31index 0ef3447..c17c13c 100644 31index ecf956f0..4dccd5e6 100644
32--- a/auth-rhosts.c 32--- a/auth-rhosts.c
33+++ b/auth-rhosts.c 33+++ b/auth-rhosts.c
34@@ -273,8 +273,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 34@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
35 return 0; 35 return 0;
36 } 36 }
37 if (options.strict_modes && 37 if (options.strict_modes &&
@@ -41,7 +41,7 @@ index 0ef3447..c17c13c 100644
41 logit("Rhosts authentication refused for %.100s: " 41 logit("Rhosts authentication refused for %.100s: "
42 "bad ownership or modes for home directory.", pw->pw_name); 42 "bad ownership or modes for home directory.", pw->pw_name);
43 auth_debug_add("Rhosts authentication refused for %.100s: " 43 auth_debug_add("Rhosts authentication refused for %.100s: "
44@@ -300,8 +299,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 44@@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
45 * allowing access to their account by anyone. 45 * allowing access to their account by anyone.
46 */ 46 */
47 if (options.strict_modes && 47 if (options.strict_modes &&
@@ -52,10 +52,10 @@ index 0ef3447..c17c13c 100644
52 pw->pw_name, buf); 52 pw->pw_name, buf);
53 auth_debug_add("Bad file modes for %.200s", buf); 53 auth_debug_add("Bad file modes for %.200s", buf);
54diff --git a/auth.c b/auth.c 54diff --git a/auth.c b/auth.c
55index f56dcc6..3f8b348 100644 55index c6390687..90390724 100644
56--- a/auth.c 56--- a/auth.c
57+++ b/auth.c 57+++ b/auth.c
58@@ -435,8 +435,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 58@@ -444,8 +444,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
60 if (options.strict_modes && 60 if (options.strict_modes &&
61 (stat(user_hostfile, &st) == 0) && 61 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index f56dcc6..3f8b348 100644
65 logit("Authentication refused for %.100s: " 65 logit("Authentication refused for %.100s: "
66 "bad owner or modes for %.200s", 66 "bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile); 67 pw->pw_name, user_hostfile);
68@@ -498,8 +497,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 68@@ -507,8 +506,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
69 snprintf(err, errlen, "%s is not a regular file", buf); 69 snprintf(err, errlen, "%s is not a regular file", buf);
70 return -1; 70 return -1;
71 } 71 }
@@ -75,7 +75,7 @@ index f56dcc6..3f8b348 100644
75 snprintf(err, errlen, "bad ownership or modes for file %s", 75 snprintf(err, errlen, "bad ownership or modes for file %s",
76 buf); 76 buf);
77 return -1; 77 return -1;
78@@ -514,8 +512,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 78@@ -523,8 +521,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
79 strlcpy(buf, cp, sizeof(buf)); 79 strlcpy(buf, cp, sizeof(buf));
80 80
81 if (stat(buf, &st) < 0 || 81 if (stat(buf, &st) < 0 ||
@@ -86,7 +86,7 @@ index f56dcc6..3f8b348 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index 9421b4d..68efb2b 100644 89index 65c9222a..bf9153a6 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -51,8 +51,9 @@ 92@@ -51,8 +51,9 @@
@@ -181,21 +181,23 @@ index 9421b4d..68efb2b 100644
181 tun_open(int tun, int mode) 181 tun_open(int tun, int mode)
182 { 182 {
183diff --git a/misc.h b/misc.h 183diff --git a/misc.h b/misc.h
184index 7c76a6a..42cd95e 100644 184index c242f901..8b223b55 100644
185--- a/misc.h 185--- a/misc.h
186+++ b/misc.h 186+++ b/misc.h
187@@ -139,4 +139,6 @@ char *read_passphrase(const char *, int); 187@@ -143,6 +143,8 @@ char *read_passphrase(const char *, int);
188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
190 190
191+int secure_permissions(struct stat *st, uid_t uid); 191+int secure_permissions(struct stat *st, uid_t uid);
192+ 192+
193 #endif /* _MISC_H */ 193 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
194 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
195 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
194diff --git a/platform.c b/platform.c 196diff --git a/platform.c b/platform.c
195index 4831706..2ce4dbf 100644 197index cd7bf566..380ee3a4 100644
196--- a/platform.c 198--- a/platform.c
197+++ b/platform.c 199+++ b/platform.c
198@@ -199,19 +199,3 @@ platform_krb5_get_principal_name(const char *pw_name) 200@@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name)
199 return NULL; 201 return NULL;
200 #endif 202 #endif
201 } 203 }
@@ -216,10 +218,10 @@ index 4831706..2ce4dbf 100644
216- return 0; 218- return 0;
217-} 219-}
218diff --git a/readconf.c b/readconf.c 220diff --git a/readconf.c b/readconf.c
219index 3a6c67b..f6b4c8f 100644 221index 3efba242..c02cdf63 100644
220--- a/readconf.c 222--- a/readconf.c
221+++ b/readconf.c 223+++ b/readconf.c
222@@ -1753,8 +1753,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 224@@ -1752,8 +1752,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
223 225
224 if (fstat(fileno(f), &sb) == -1) 226 if (fstat(fileno(f), &sb) == -1)
225 fatal("fstat %s: %s", filename, strerror(errno)); 227 fatal("fstat %s: %s", filename, strerror(errno));
@@ -230,7 +232,7 @@ index 3a6c67b..f6b4c8f 100644
230 } 232 }
231 233
232diff --git a/ssh.1 b/ssh.1 234diff --git a/ssh.1 b/ssh.1
233index 4011c65..feef81a 100644 235index 4011c65a..feef81a5 100644
234--- a/ssh.1 236--- a/ssh.1
235+++ b/ssh.1 237+++ b/ssh.1
236@@ -1484,6 +1484,8 @@ The file format and configuration options are described in 238@@ -1484,6 +1484,8 @@ The file format and configuration options are described in
@@ -243,10 +245,10 @@ index 4011c65..feef81a 100644
243 .It Pa ~/.ssh/environment 245 .It Pa ~/.ssh/environment
244 Contains additional definitions for environment variables; see 246 Contains additional definitions for environment variables; see
245diff --git a/ssh_config.5 b/ssh_config.5 247diff --git a/ssh_config.5 b/ssh_config.5
246index efc265a..5dd26bc 100644 248index 32fd100d..f62ea6b8 100644
247--- a/ssh_config.5 249--- a/ssh_config.5
248+++ b/ssh_config.5 250+++ b/ssh_config.5
249@@ -1903,6 +1903,8 @@ The format of this file is described above. 251@@ -1803,6 +1803,8 @@ The format of this file is described above.
250 This file is used by the SSH client. 252 This file is used by the SSH client.
251 Because of the potential for abuse, this file must have strict permissions: 253 Because of the potential for abuse, this file must have strict permissions:
252 read/write for the user, and not accessible by others. 254 read/write for the user, and not accessible by others.
diff --git a/debian/rules b/debian/rules
index 76e71ecf1..86d15a0d0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -153,12 +153,7 @@ override_dh_auto_build-indep:
153override_dh_auto_test-arch: 153override_dh_auto_test-arch:
154ifeq ($(RUN_TESTS),yes) 154ifeq ($(RUN_TESTS),yes)
155 $(MAKE) -C debian/build-deb regress-prep 155 $(MAKE) -C debian/build-deb regress-prep
156 $(MAKE) -C debian/build-deb $(PARALLEL) \ 156 $(MAKE) -C debian/build-deb $(PARALLEL) regress-binaries
157 regress/unittests/sshbuf/test_sshbuf \
158 regress/unittests/sshkey/test_sshkey \
159 regress/unittests/bitmap/test_bitmap \
160 regress/unittests/hostkeys/test_hostkeys \
161 regress/unittests/kex/test_kex
162 $(MAKE) -C debian/build-deb/regress \ 157 $(MAKE) -C debian/build-deb/regress \
163 .OBJDIR="$(CURDIR)/debian/build-deb/regress" \ 158 .OBJDIR="$(CURDIR)/debian/build-deb/regress" \
164 .CURDIR="$(CURDIR)/regress" \ 159 .CURDIR="$(CURDIR)/regress" \