Diffstat (limited to 'debian')
-rw-r--r-- debian/.git-dpm 14
-rw-r--r-- debian/changelog 57
-rw-r--r-- debian/patches/CVE-2015-8325.patch 33
-rw-r--r-- debian/patches/CVE-2016-6210-1.patch 114
-rw-r--r-- debian/patches/CVE-2016-6210-2.patch 111
-rw-r--r-- debian/patches/CVE-2016-6210-3.patch 60
-rw-r--r-- debian/patches/auth-log-verbosity.patch 10
-rw-r--r-- debian/patches/authorized-keys-man-symlink.patch 6
-rw-r--r-- debian/patches/control-persist-close-stderr.patch 59
-rw-r--r-- debian/patches/debian-banner.patch 18
-rw-r--r-- debian/patches/debian-config.patch 22
-rw-r--r-- debian/patches/dnssec-sshfp.patch 2
-rw-r--r-- debian/patches/doc-hash-tab-completion.patch 4
-rw-r--r-- debian/patches/doc-upstart.patch 2
-rw-r--r-- debian/patches/gnome-ssh-askpass2-icon.patch 2
-rw-r--r-- debian/patches/gssapi.patch 451
-rw-r--r-- debian/patches/helpful-wait-terminate.patch 6
-rw-r--r-- debian/patches/keepalive-extensions.patch 26
-rw-r--r-- debian/patches/mention-ssh-keygen-on-keychange.patch 2
-rw-r--r-- debian/patches/no-openssl-version-status.patch 2
-rw-r--r-- debian/patches/openbsd-docs.patch 16
-rw-r--r-- debian/patches/package-versioning.patch 12
-rw-r--r-- debian/patches/quieter-signals.patch 6
-rw-r--r-- debian/patches/restore-tcp-wrappers.patch 12
-rw-r--r-- debian/patches/scp-quoting.patch 12
-rw-r--r-- debian/patches/selinux-role.patch 52
-rw-r--r-- debian/patches/series 6
-rw-r--r-- debian/patches/shell-path.patch 2
-rw-r--r-- debian/patches/sigstop.patch 6
-rw-r--r-- debian/patches/ssh-agent-setgid.patch 2
-rw-r--r-- debian/patches/ssh-argv0.patch 6
-rw-r--r-- debian/patches/ssh-vulnkey-compat.patch 10
-rw-r--r-- debian/patches/syslog-level-silent.patch 8
-rw-r--r-- debian/patches/systemd-readiness.patch 12
-rw-r--r-- debian/patches/unbreak-certificate-auth.patch 46
-rw-r--r-- debian/patches/user-group-modes.patch 53
36 files changed, 561 insertions, 701 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 782b862df..1532e846b 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2751d1f6494fb3ffd75188de7390c28725a5b91a6 24c914ccd85bbf391c4dc61b85e3c178fef465e3f
3751d1f6494fb3ffd75188de7390c28725a5b91a6 34c914ccd85bbf391c4dc61b85e3c178fef465e3f
4f0329aac23c61e1a5197d6d57349a63f459bccb0 4a8ed8d256b2e2c05b0c15565a7938028c5192277
5f0329aac23c61e1a5197d6d57349a63f459bccb0 5a8ed8d256b2e2c05b0c15565a7938028c5192277
6openssh_7.2p2.orig.tar.gz 6openssh_7.3p1.orig.tar.gz
770e35d7d6386fe08abbd823b3a12a3ca44ac6d38 7bfade84283fcba885e2084343ab19a08c7d123a5
81499808 81522617
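Review bot: The tarball entry switches to openssh_7.3p1.orig.tar.gz with a new checksum and size on the two lines after it, but nothing in this commit records how that tarball was verified. State in the commit message or changelog that it was checked against upstream's signed release, so the checksum recorded here can be traced back to a verified artifact rather than to whatever was downloaded.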
diff --git a/debian/changelog b/debian/changelog
index 46a0a6f39..76607d617 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,60 @@
1openssh (1:7.3p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (http://www.openssh.com/txt/release-7.3):
4 - SECURITY: sshd(8): Mitigate a potential denial-of-service attack
5 against the system's crypt(3) function via sshd(8). An attacker could
6 send very long passwords that would cause excessive CPU use in
7 crypt(3). sshd(8) now refuses to accept password authentication
8 requests of length greater than 1024 characters.
9 - SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
10 padding oracle countermeasures. Note that CBC ciphers are disabled by
11 default and only included for legacy compatibility.
12 - SECURITY: ssh(1), sshd(8): Improve operation ordering of MAC
13 verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms
14 to verify the MAC before decrypting any ciphertext. This removes the
15 possibility of timing differences leaking facts about the plaintext,
16 though no such leakage has been observed.
17 - ssh(1): Add a ProxyJump option and corresponding -J command-line flag
18 to allow simplified indirection through a one or more SSH bastions or
19 "jump hosts".
20 - ssh(1): Add an IdentityAgent option to allow specifying specific agent
21 sockets instead of accepting one from the environment.
22 - ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
23 optionally overridden when using ssh -W.
24 - ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per
25 draft-sgtatham-secsh-iutf8-00 (closes: #337041, LP: #394570).
26 - ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K,
27 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
28 - ssh-keygen(1), ssh(1), sshd(8): Support SHA256 and SHA512 RSA
29 signatures in certificates.
30 - ssh(1): Add an Include directive for ssh_config(5) files (closes:
31 #536031).
32 - ssh(1): Permit UTF-8 characters in pre-authentication banners sent
33 from the server.
34 - ssh(1), sshd(8): Reduce the syslog level of some relatively common
35 protocol events from LOG_CRIT.
36 - sshd(8): Refuse AuthenticationMethods="" in configurations and accept
37 AuthenticationMethods=any for the default behaviour of not requiring
38 multiple authentication.
39 - sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
40 message when forward and reverse DNS don't match.
41 - ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
42 failures when both ExitOnForwardFailure and hostname canonicalisation
43 are enabled.
44 - sshd(8): Remove fallback from moduli to obsolete "primes" file that
45 was deprecated in 2001 (LP: #1528251).
46 - sshd_config(5): Correct description of UseDNS: it affects ssh hostname
47 processing for authorized_keys, not known_hosts.
48 - sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit
49 is set; previously keepalive packets were not being sent.
50 - sshd(8): Whitelist more architectures to enable the seccomp-bpf
51 sandbox.
52 - scp(1): Respect the local user's LC_CTYPE locale (closes: #396295).
53 - Take character display widths into account for the progressmeter
54 (closes: #407088).
55
56 -- Colin Watson <cjwatson@debian.org> Sat, 06 Aug 2016 11:00:55 +0100
57
1openssh (1:7.2p2-8) unstable; urgency=medium 58openssh (1:7.2p2-8) unstable; urgency=medium
2 59
3 [ Colin Watson ] 60 [ Colin Watson ]
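Review bot: The new 1:7.3p1-1 entry lists upstream changes only and says nothing about the patches this commit deletes (CVE-2015-8325.patch, CVE-2016-6210-1/2/3.patch and control-persist-close-stderr.patch). Add a line stating that they are dropped because the fixes are included in the new upstream release, and name the CVE ids and bug numbers, so that anyone auditing the package history can see the fixes were carried forward and not lost in the rebase.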
diff --git a/debian/patches/CVE-2015-8325.patch b/debian/patches/CVE-2015-8325.patch
deleted file mode 100644
index de2c33577..000000000
--- a/debian/patches/CVE-2015-8325.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1From 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Wed, 13 Apr 2016 10:39:57 +1000
4Subject: ignore PAM environment vars when UseLogin=yes
5
6If PAM is configured to read user-specified environment variables
7and UseLogin=yes in sshd_config, then a hostile local user may
8attack /bin/login via LD_PRELOAD or similar environment variables
9set via PAM.
10
11CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
12
13Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
14Last-Update: 2016-04-13
15
16Patch-Name: CVE-2015-8325.patch
17---
18 session.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/session.c b/session.c
22index f246b8a..8ab9814 100644
23--- a/session.c
24+++ b/session.c
25@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *shell)
26 * Pull in any environment variables that may have
27 * been set by PAM.
28 */
29- if (options.use_pam) {
30+ if (options.use_pam && !options.use_login) {
31 char **p;
32
33 p = fetch_pam_child_environment();
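Review bot: Dropping this patch is only safe if do_setup_env() in the 7.3p1 session.c already carries the `options.use_pam && !options.use_login` guard shown at patch line 30. The header cites an upstream origin commit, but confirm the condition is present in the imported tree before deleting, since losing it would again let PAM-supplied environment variables reach /bin/login when UseLogin=yes.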
diff --git a/debian/patches/CVE-2016-6210-1.patch b/debian/patches/CVE-2016-6210-1.patch
deleted file mode 100644
index 9b46ec12a..000000000
--- a/debian/patches/CVE-2016-6210-1.patch
+++ /dev/null
@@ -1,114 +0,0 @@
1From e5ef9d3942cebda819a6fd81647b51c8d87d23df Mon Sep 17 00:00:00 2001
2From: Darren Tucker <dtucker@zip.com.au>
3Date: Fri, 15 Jul 2016 13:32:45 +1000
4Subject: Determine appropriate salt for invalid users.
5
6When sshd is processing a non-PAM login for a non-existent user it uses
7the string from the fakepw structure as the salt for crypt(3)ing the
8password supplied by the client. That string has a Blowfish prefix, so on
9systems that don't understand that crypt will fail fast due to an invalid
10salt, and even on those that do it may have significantly different timing
11from the hash methods used for real accounts (eg sha512). This allows
12user enumeration by, eg, sending large password strings. This was noted
13by EddieEzra.Harari at verint.com (CVE-2016-6210).
14
15To mitigate, use the same hash algorithm that root uses for hashing
16passwords for users that do not exist on the system. ok djm@
17
18Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc
19Bug-Debian: https://bugs.debian.org/831902
20Last-Update: 2016-07-22
21
22Patch-Name: CVE-2016-6210-1.patch
23---
24 auth-passwd.c | 12 ++++++++----
25 openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
26 2 files changed, 42 insertions(+), 4 deletions(-)
27
28diff --git a/auth-passwd.c b/auth-passwd.c
29index 63ccf3c..530b5d4 100644
30--- a/auth-passwd.c
31+++ b/auth-passwd.c
32@@ -193,7 +193,7 @@ int
33 sys_auth_passwd(Authctxt *authctxt, const char *password)
34 {
35 struct passwd *pw = authctxt->pw;
36- char *encrypted_password;
37+ char *encrypted_password, *salt = NULL;
38
39 /* Just use the supplied fake password if authctxt is invalid */
40 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
41@@ -202,9 +202,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
42 if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
43 return (1);
44
45- /* Encrypt the candidate password using the proper salt. */
46- encrypted_password = xcrypt(password,
47- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
48+ /*
49+ * Encrypt the candidate password using the proper salt, or pass a
50+ * NULL and let xcrypt pick one.
51+ */
52+ if (authctxt->valid && pw_password[0] && pw_password[1])
53+ salt = pw_password;
54+ encrypted_password = xcrypt(password, salt);
55
56 /*
57 * Authentication is accepted if the encrypted passwords
58diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
59index 8577cbd..8913bb8 100644
60--- a/openbsd-compat/xcrypt.c
61+++ b/openbsd-compat/xcrypt.c
62@@ -25,6 +25,7 @@
63 #include "includes.h"
64
65 #include <sys/types.h>
66+#include <string.h>
67 #include <unistd.h>
68 #include <pwd.h>
69
70@@ -62,11 +63,44 @@
71 # define crypt DES_crypt
72 # endif
73
74+/*
75+ * Pick an appropriate password encryption type and salt for the running
76+ * system.
77+ */
78+static const char *
79+pick_salt(void)
80+{
81+ struct passwd *pw;
82+ char *passwd, *p;
83+ size_t typelen;
84+ static char salt[32];
85+
86+ if (salt[0] != '\0')
87+ return salt;
88+ strlcpy(salt, "xx", sizeof(salt));
89+ if ((pw = getpwuid(0)) == NULL)
90+ return salt;
91+ passwd = shadow_pw(pw);
92+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
93+ return salt; /* no $, DES */
94+ typelen = p - passwd + 1;
95+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
96+ explicit_bzero(passwd, strlen(passwd));
97+ return salt;
98+}
99+
100 char *
101 xcrypt(const char *password, const char *salt)
102 {
103 char *crypted;
104
105+ /*
106+ * If we don't have a salt we are encrypting a fake password for
107+ * for timing purposes. Pick an appropriate salt.
108+ */
109+ if (salt == NULL)
110+ salt = pick_salt();
111+
112 # ifdef HAVE_MD5_PASSWORDS
113 if (is_md5_salt(salt))
114 crypted = md5_crypt(password, salt);
diff --git a/debian/patches/CVE-2016-6210-2.patch b/debian/patches/CVE-2016-6210-2.patch
deleted file mode 100644
index 1c580f90b..000000000
--- a/debian/patches/CVE-2016-6210-2.patch
+++ /dev/null
@@ -1,111 +0,0 @@
1From dde63f7f998ac3812a26bbb2c1b2947f24fcd060 Mon Sep 17 00:00:00 2001
2From: Darren Tucker <dtucker@zip.com.au>
3Date: Fri, 15 Jul 2016 13:49:44 +1000
4Subject: Mitigate timing of disallowed users PAM logins.
5
6When sshd decides to not allow a login (eg PermitRootLogin=no) and
7it's using PAM, it sends a fake password to PAM so that the timing for
8the failure is not noticeably different whether or not the password
9is correct. This behaviour can be detected by sending a very long
10password string which is slower to hash than the fake password.
11
12Mitigate by constructing an invalid password that is the same length
13as the one from the client and thus takes the same time to hash.
14Diff from djm@
15
16Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946
17Bug-Debian: https://bugs.debian.org/831902
18Last-Update: 2016-07-22
19
20Patch-Name: CVE-2016-6210-2.patch
21---
22 auth-pam.c | 35 +++++++++++++++++++++++++++++++----
23 1 file changed, 31 insertions(+), 4 deletions(-)
24
25diff --git a/auth-pam.c b/auth-pam.c
26index 8425af1..abd6a5e 100644
27--- a/auth-pam.c
28+++ b/auth-pam.c
29@@ -232,7 +232,6 @@ static int sshpam_account_status = -1;
30 static char **sshpam_env = NULL;
31 static Authctxt *sshpam_authctxt = NULL;
32 static const char *sshpam_password = NULL;
33-static char badpw[] = "\b\n\r\177INCORRECT";
34
35 /* Some PAM implementations don't implement this */
36 #ifndef HAVE_PAM_GETENVLIST
37@@ -810,12 +809,35 @@ sshpam_query(void *ctx, char **name, char **info,
38 return (-1);
39 }
40
41+/*
42+ * Returns a junk password of identical length to that the user supplied.
43+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
44+ * vary processing time in proportion to password length.
45+ */
46+static char *
47+fake_password(const char *wire_password)
48+{
49+ const char junk[] = "\b\n\r\177INCORRECT";
50+ char *ret = NULL;
51+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
52+
53+ if (l >= INT_MAX)
54+ fatal("%s: password length too long: %zu", __func__, l);
55+
56+ ret = malloc(l + 1);
57+ for (i = 0; i < l; i++)
58+ ret[i] = junk[i % (sizeof(junk) - 1)];
59+ ret[i] = '\0';
60+ return ret;
61+}
62+
63 /* XXX - see also comment in auth-chall.c:verify_response */
64 static int
65 sshpam_respond(void *ctx, u_int num, char **resp)
66 {
67 Buffer buffer;
68 struct pam_ctxt *ctxt = ctx;
69+ char *fake;
70
71 debug2("PAM: %s entering, %u responses", __func__, num);
72 switch (ctxt->pam_done) {
73@@ -836,8 +858,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
74 (sshpam_authctxt->pw->pw_uid != 0 ||
75 options.permit_root_login == PERMIT_YES))
76 buffer_put_cstring(&buffer, *resp);
77- else
78- buffer_put_cstring(&buffer, badpw);
79+ else {
80+ fake = fake_password(*resp);
81+ buffer_put_cstring(&buffer, fake);
82+ free(fake);
83+ }
84 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
85 buffer_free(&buffer);
86 return (-1);
87@@ -1181,6 +1206,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
88 {
89 int flags = (options.permit_empty_passwd == 0 ?
90 PAM_DISALLOW_NULL_AUTHTOK : 0);
91+ char *fake = NULL;
92
93 if (!options.use_pam || sshpam_handle == NULL)
94 fatal("PAM: %s called when PAM disabled or failed to "
95@@ -1196,7 +1222,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
96 */
97 if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
98 options.permit_root_login != PERMIT_YES))
99- sshpam_password = badpw;
100+ sshpam_password = fake = fake_password(password);
101
102 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
103 (const void *)&passwd_conv);
104@@ -1206,6 +1232,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
105
106 sshpam_err = pam_authenticate(sshpam_handle, flags);
107 sshpam_password = NULL;
108+ free(fake);
109 if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
110 debug("PAM: password authentication accepted for %.100s",
111 authctxt->user);
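Review bot: In fake_password() (patch lines 56 to 59) the result of `malloc(l + 1)` is written to without a NULL check, and `l` comes from the client-supplied password length. When replacing this patch with the upstream copy, check whether 7.3p1's auth-pam.c tests the allocation; if it is identical to what is shown here, the unchecked write carries over and is worth reporting upstream with a fix along the lines of `if ((ret = malloc(l + 1)) == NULL) return NULL;` plus handling of a NULL return at both call sites.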
diff --git a/debian/patches/CVE-2016-6210-3.patch b/debian/patches/CVE-2016-6210-3.patch
deleted file mode 100644
index 303c34ee1..000000000
--- a/debian/patches/CVE-2016-6210-3.patch
+++ /dev/null
@@ -1,60 +0,0 @@
1From abde8dda29c2db2405d6fbca2fe022430e2c1177 Mon Sep 17 00:00:00 2001
2From: Darren Tucker <dtucker@zip.com.au>
3Date: Thu, 21 Jul 2016 14:17:31 +1000
4Subject: Search users for one with a valid salt.
5
6If the root account is locked (eg password "!!" or "*LK*") keep looking
7until we find a user with a valid salt to use for crypting passwords of
8invalid users. ok djm@
9
10Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
11Bug-Debian: https://bugs.debian.org/831902
12Last-Update: 2016-07-22
13
14Patch-Name: CVE-2016-6210-3.patch
15---
16 openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
17 1 file changed, 15 insertions(+), 9 deletions(-)
18
19diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
20index 8913bb8..cf6a9b9 100644
21--- a/openbsd-compat/xcrypt.c
22+++ b/openbsd-compat/xcrypt.c
23@@ -65,7 +65,9 @@
24
25 /*
26 * Pick an appropriate password encryption type and salt for the running
27- * system.
28+ * system by searching through accounts until we find one that has a valid
29+ * salt. Usually this will be root unless the root account is locked out.
30+ * If we don't find one we return a traditional DES-based salt.
31 */
32 static const char *
33 pick_salt(void)
34@@ -78,14 +80,18 @@ pick_salt(void)
35 if (salt[0] != '\0')
36 return salt;
37 strlcpy(salt, "xx", sizeof(salt));
38- if ((pw = getpwuid(0)) == NULL)
39- return salt;
40- passwd = shadow_pw(pw);
41- if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
42- return salt; /* no $, DES */
43- typelen = p - passwd + 1;
44- strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
45- explicit_bzero(passwd, strlen(passwd));
46+ setpwent();
47+ while ((pw = getpwent()) != NULL) {
48+ passwd = shadow_pw(pw);
49+ if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
50+ typelen = p - passwd + 1;
51+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
52+ explicit_bzero(passwd, strlen(passwd));
53+ goto out;
54+ }
55+ }
56+ out:
57+ endpwent();
58 return salt;
59 }
60
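Review bot: The loop at patch lines 46 to 55 walks the passwd database with getpwent() until it finds a hash starting with '$', and still falls back to the DES salt "xx" when none is found, in which case the timing difference this series addresses comes back. The result is cached only in the static `salt` buffer of the current process. When confirming that 7.3p1 supersedes this patch, check that behaviour on a host where root is locked and accounts come from a network directory, and note the DES fallback as a known limitation if it is unchanged.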
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index a08e710da..7abed3704 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From 1dd7836b386be1816bc565aafb9875769430a02d Mon Sep 17 00:00:00 2001 1From b4b79ae5a16f73426b54c6394a29b2b49da4dc16 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch
16 4 files changed, 32 insertions(+), 9 deletions(-) 16 4 files changed, 32 insertions(+), 9 deletions(-)
17 17
18diff --git a/auth-options.c b/auth-options.c 18diff --git a/auth-options.c b/auth-options.c
19index edbaf80..bda39df 100644 19index b399b91..a9d9a81 100644
20--- a/auth-options.c 20--- a/auth-options.c
21+++ b/auth-options.c 21+++ b/auth-options.c
22@@ -58,9 +58,20 @@ int forced_tun_device = -1; 22@@ -59,9 +59,20 @@ int forced_tun_device = -1;
23 /* "principals=" option. */ 23 /* "principals=" option. */
24 char *authorized_principals = NULL; 24 char *authorized_principals = NULL;
25 25
@@ -40,7 +40,7 @@ index edbaf80..bda39df 100644
40 auth_clear_options(void) 40 auth_clear_options(void)
41 { 41 {
42 no_agent_forwarding_flag = 0; 42 no_agent_forwarding_flag = 0;
43@@ -314,10 +325,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 43@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
44 /* FALLTHROUGH */ 44 /* FALLTHROUGH */
45 case 0: 45 case 0:
46 free(patterns); 46 free(patterns);
@@ -58,7 +58,7 @@ index edbaf80..bda39df 100644
58 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
59 "permitted to use this key for login.", 59 "permitted to use this key for login.",
60 remote_host); 60 remote_host);
61@@ -540,11 +554,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw, 61@@ -543,11 +557,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
62 break; 62 break;
63 case 0: 63 case 0:
64 /* no match */ 64 /* no match */
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 16319024c..d75494fa6 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 37a9102e7075f34d57b02d1eac631efa73f120fd Mon Sep 17 00:00:00 2001 1From 724283a55e8928a5564722ebe9c133033b51809d Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 0954c63..85cde7f 100644 16index 51817df..21948dd 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -324,6 +324,7 @@ install-files: 19@@ -327,6 +327,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/control-persist-close-stderr.patch b/debian/patches/control-persist-close-stderr.patch
deleted file mode 100644
index f800c0d13..000000000
--- a/debian/patches/control-persist-close-stderr.patch
+++ /dev/null
@@ -1,59 +0,0 @@
1From 751d1f6494fb3ffd75188de7390c28725a5b91a6 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 29 Apr 2016 08:07:53 +0000
4Subject: upstream commit
5
6close ControlPersist background process stderr when not
7 in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
8
9Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
10
11Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
12Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
13Bug-Debian: https://bugs.debian.org/714526
14Last-Update: 2016-07-22
15
16Patch-Name: control-persist-close-stderr.patch
17---
18 log.c | 2 +-
19 ssh.c | 6 ++++--
20 2 files changed, 5 insertions(+), 3 deletions(-)
21
22diff --git a/log.c b/log.c
23index e68b84a..6c59641 100644
24--- a/log.c
25+++ b/log.c
26@@ -343,7 +343,7 @@ log_change_level(LogLevel new_log_level)
27 int
28 log_is_on_stderr(void)
29 {
30- return log_on_stderr;
31+ return log_on_stderr && log_stderr_fd == STDERR_FILENO;
32 }
33
34 /* redirect what would usually get written to stderr to specified file */
35diff --git a/ssh.c b/ssh.c
36index 314dd52..af39e72 100644
37--- a/ssh.c
38+++ b/ssh.c
39@@ -1392,7 +1392,7 @@ static void
40 control_persist_detach(void)
41 {
42 pid_t pid;
43- int devnull;
44+ int devnull, keep_stderr;
45
46 debug("%s: backgrounding master process", __func__);
47
48@@ -1423,8 +1423,10 @@ control_persist_detach(void)
49 error("%s: open(\"/dev/null\"): %s", __func__,
50 strerror(errno));
51 } else {
52+ keep_stderr = log_is_on_stderr() && debug_flag;
53 if (dup2(devnull, STDIN_FILENO) == -1 ||
54- dup2(devnull, STDOUT_FILENO) == -1)
55+ dup2(devnull, STDOUT_FILENO) == -1 ||
56+ (!keep_stderr && dup2(devnull, STDERR_FILENO) == -1))
57 error("%s: dup2: %s", __func__, strerror(errno));
58 if (devnull > STDERR_FILENO)
59 close(devnull);
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 4d60c3c01..cf4bfad50 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 1b9f8f458824d7e46f9f749c77f26016f2ea9967 Mon Sep 17 00:00:00 2001 1From 277ad2acedde81dce324e711da116d100b47f445 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index fad7c92..8ca9695 100644 22index bf9f8f7..a98b309 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options) 25@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
@@ -39,7 +39,7 @@ index fad7c92..8ca9695 100644
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -437,6 +440,7 @@ typedef enum { 42@@ -445,6 +448,7 @@ typedef enum {
43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 43 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
44 sStreamLocalBindMask, sStreamLocalBindUnlink, 44 sStreamLocalBindMask, sStreamLocalBindUnlink,
45 sAllowStreamLocalForwarding, sFingerprintHash, 45 sAllowStreamLocalForwarding, sFingerprintHash,
@@ -47,7 +47,7 @@ index fad7c92..8ca9695 100644
47 sDeprecated, sUnsupported 47 sDeprecated, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -588,6 +592,7 @@ static struct { 50@@ -596,6 +600,7 @@ static struct {
51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, 51 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 52 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 53 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
@@ -55,7 +55,7 @@ index fad7c92..8ca9695 100644
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1874,6 +1879,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1903,6 +1908,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 options->fingerprint_hash = value; 59 options->fingerprint_hash = value;
60 break; 60 break;
61 61
@@ -80,10 +80,10 @@ index 778ba17..161fa37 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index c762190..57ae4ad 100644 83index e873557..71fad9e 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out) 86@@ -443,7 +443,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
87 } 87 }
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index c762190..57ae4ad 100644
94 options.version_addendum, newline); 94 options.version_addendum, newline);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index bc79a66..b565640 100644 97index e05cdbe..ac9b1f0 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -534,6 +534,11 @@ or 100@@ -541,6 +541,11 @@ or
101 .Dq no . 101 .Dq no .
102 The default is 102 The default is
103 .Dq delayed . 103 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index bb1728107..1d9efcbbf 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From d888c9637031a93c13c168a35e99e9aa76c14a9a Mon Sep 17 00:00:00 2001 1From 4c914ccd85bbf391c4dc61b85e3c178fef465e3f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -32,10 +32,10 @@ Patch-Name: debian-config.patch
32 6 files changed, 72 insertions(+), 4 deletions(-) 32 6 files changed, 72 insertions(+), 4 deletions(-)
33 33
34diff --git a/readconf.c b/readconf.c 34diff --git a/readconf.c b/readconf.c
35index cc1a633..dc22360 100644 35index f6b4c8f..5cd51f3 100644
36--- a/readconf.c 36--- a/readconf.c
37+++ b/readconf.c 37+++ b/readconf.c
38@@ -1797,7 +1797,7 @@ fill_default_options(Options * options) 38@@ -1928,7 +1928,7 @@ fill_default_options(Options * options)
39 if (options->forward_x11 == -1) 39 if (options->forward_x11 == -1)
40 options->forward_x11 = 0; 40 options->forward_x11 = 0;
41 if (options->forward_x11_trusted == -1) 41 if (options->forward_x11_trusted == -1)
@@ -43,12 +43,12 @@ index cc1a633..dc22360 100644
43+ options->forward_x11_trusted = 1; 43+ options->forward_x11_trusted = 1;
44 if (options->forward_x11_timeout == -1) 44 if (options->forward_x11_timeout == -1)
45 options->forward_x11_timeout = 1200; 45 options->forward_x11_timeout = 1200;
46 if (options->exit_on_forward_failure == -1) 46 /*
47diff --git a/ssh.1 b/ssh.1 47diff --git a/ssh.1 b/ssh.1
48index 74d9655..7fb9d30 100644 48index 22e56a7..6aa57c4 100644
49--- a/ssh.1 49--- a/ssh.1
50+++ b/ssh.1 50+++ b/ssh.1
51@@ -760,6 +760,16 @@ directive in 51@@ -785,6 +785,16 @@ directive in
52 .Xr ssh_config 5 52 .Xr ssh_config 5
53 for more information. 53 for more information.
54 .Pp 54 .Pp
@@ -65,7 +65,7 @@ index 74d9655..7fb9d30 100644
65 .It Fl x 65 .It Fl x
66 Disables X11 forwarding. 66 Disables X11 forwarding.
67 .Pp 67 .Pp
68@@ -768,6 +778,17 @@ Enables trusted X11 forwarding. 68@@ -793,6 +803,17 @@ Enables trusted X11 forwarding.
69 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 69 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
70 controls. 70 controls.
71 .Pp 71 .Pp
@@ -108,7 +108,7 @@ index 4e879cd..5190b06 100644
108+ GSSAPIAuthentication yes 108+ GSSAPIAuthentication yes
109+ GSSAPIDelegateCredentials no 109+ GSSAPIDelegateCredentials no
110diff --git a/ssh_config.5 b/ssh_config.5 110diff --git a/ssh_config.5 b/ssh_config.5
111index 0f52d14..51765c9 100644 111index 30c97a9..c967258 100644
112--- a/ssh_config.5 112--- a/ssh_config.5
113+++ b/ssh_config.5 113+++ b/ssh_config.5
114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more 114@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -145,10 +145,10 @@ index 0f52d14..51765c9 100644
145 See the X11 SECURITY extension specification for full details on 145 See the X11 SECURITY extension specification for full details on
146 the restrictions imposed on untrusted clients. 146 the restrictions imposed on untrusted clients.
147diff --git a/sshd_config b/sshd_config 147diff --git a/sshd_config b/sshd_config
148index f103298..d103ac5 100644 148index 3fe3e01..ec8ff8f 100644
149--- a/sshd_config 149--- a/sshd_config
150+++ b/sshd_config 150+++ b/sshd_config
151@@ -125,7 +125,7 @@ AuthorizedKeysFile .ssh/authorized_keys 151@@ -124,7 +124,7 @@ AuthorizedKeysFile .ssh/authorized_keys
152 #Banner none 152 #Banner none
153 153
154 # override default of no subsystems 154 # override default of no subsystems
@@ -158,7 +158,7 @@ index f103298..d103ac5 100644
158 # Example of overriding settings on a per-user basis 158 # Example of overriding settings on a per-user basis
159 #Match User anoncvs 159 #Match User anoncvs
160diff --git a/sshd_config.5 b/sshd_config.5 160diff --git a/sshd_config.5 b/sshd_config.5
161index 4d255e5..2387b51 100644 161index b2b349e..79f2d61 100644
162--- a/sshd_config.5 162--- a/sshd_config.5
163+++ b/sshd_config.5 163+++ b/sshd_config.5
164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes 164@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a82a719b2..e4498fb48 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From ca8dd1a2520b4230dd97d8e4774426b756f16c42 Mon Sep 17 00:00:00 2001 1From 9d9a37bb0c2d7546253ff2b0b67e314d8475bfc7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index b0b7e5602..5f91cadfe 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 298a5e96571cbe9036a2445eecaca26d2aeade11 Mon Sep 17 00:00:00 2001 1From bfea780bba64294541d98efcc26b01392ff64c60 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index ab8f271..0f52d14 100644 16index 5dd26bc..30c97a9 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -883,6 +883,9 @@ Note that existing names and addresses in known hosts files 19@@ -883,6 +883,9 @@ Note that existing names and addresses in known hosts files
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 5d52dcde6..8f093d80c 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From ceec3c2a41d87211d478fa6332137aad39dcd18a Mon Sep 17 00:00:00 2001 1From e4ba4e1616d372522de9e18f0973ed49a5521b95 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 36ed11962..c34441df3 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 067b8148b52fcf5de6e3bfa3a90ed8a2fa05d8e6 Mon Sep 17 00:00:00 2001 1From db85bf41862b80b0447777d942a091cd3ac5f1c1 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index fd3b9b630..8e946aa88 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 8c27af53099b50387dda97c0aae36194197186f6 Mon Sep 17 00:00:00 2001 1From eecddf8b72fcad83ccca43b1badb03782704f6b7 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,26 +17,28 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2016-03-21 20Last-Updated: 2016-08-07
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
24 ChangeLog.gssapi | 113 +++++++++++++++++++ 24 ChangeLog.gssapi | 113 +++++++++++++++++++
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 3 +- 27 auth.c | 96 +---------------
28 auth2-gss.c | 48 +++++++- 28 auth2-gss.c | 48 +++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 canohost.c | 93 +++++++++++++++
31 canohost.h | 3 +
30 clientloop.c | 15 ++- 32 clientloop.c | 15 ++-
31 config.h.in | 6 + 33 config.h.in | 6 +
32 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
33 gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++-
34 gss-serv-krb5.c | 85 ++++++++++++-- 36 gss-serv-krb5.c | 85 ++++++++++++--
35 gss-serv.c | 185 +++++++++++++++++++++++++++--- 37 gss-serv.c | 185 +++++++++++++++++++++++++++---
36 kex.c | 16 +++ 38 kex.c | 19 ++++
37 kex.h | 14 +++ 39 kex.h | 14 +++
38 kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
39 kexgsss.c | 294 ++++++++++++++++++++++++++++++++++++++++++++++++ 41 kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++
40 monitor.c | 108 +++++++++++++++++- 42 monitor.c | 108 +++++++++++++++++-
41 monitor.h | 3 + 43 monitor.h | 3 +
42 monitor_wrap.c | 47 +++++++- 44 monitor_wrap.c | 47 +++++++-
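Review bot: The patch description is missing a reason for the new canohost.c and canohost.h entries in the diffstat. Only Last-Updated changes (2016-03-21 to 2016-08-07), while auth.c goes from 3 changed lines to 96 and the totals grow from 33 to 35 files. Add a sentence to the header saying that remote_hostname() is relocated and which GSSAPI code needs it, so the next rebase does not have to rediscover why a key exchange patch touches reverse-DNS code.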
@@ -48,13 +50,13 @@ Patch-Name: gssapi.patch
48 ssh-gss.h | 41 ++++++- 50 ssh-gss.h | 41 ++++++-
49 ssh_config | 2 + 51 ssh_config | 2 +
50 ssh_config.5 | 32 ++++++ 52 ssh_config.5 | 32 ++++++
51 sshconnect2.c | 120 +++++++++++++++++++- 53 sshconnect2.c | 122 +++++++++++++++++++-
52 sshd.c | 110 ++++++++++++++++++ 54 sshd.c | 110 ++++++++++++++++++
53 sshd_config | 2 + 55 sshd_config | 2 +
54 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
55 sshkey.c | 3 +- 57 sshkey.c | 3 +-
56 sshkey.h | 1 + 58 sshkey.h | 1 +
57 33 files changed, 1950 insertions(+), 46 deletions(-) 59 35 files changed, 2054 insertions(+), 139 deletions(-)
58 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -179,7 +181,7 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
182index d401787..0954c63 100644 184index 12991cd..51817df 100644
183--- a/Makefile.in 185--- a/Makefile.in
184+++ b/Makefile.in 186+++ b/Makefile.in
185@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -187,7 +189,7 @@ index d401787..0954c63 100644
187 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ 189 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
188 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ 190 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
189+ kexgssc.o \ 191+ kexgssc.o \
190 platform-pledge.o 192 platform-pledge.o platform-tracing.o
191 193
192 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
193@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
@@ -200,10 +202,10 @@ index d401787..0954c63 100644
200 sftp-server.o sftp-common.o \ 202 sftp-server.o sftp-common.o \
201 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
202diff --git a/auth-krb5.c b/auth-krb5.c 204diff --git a/auth-krb5.c b/auth-krb5.c
203index d1c5a2f..f019fb1 100644 205index a5a81ed..38e7fee 100644
204--- a/auth-krb5.c 206--- a/auth-krb5.c
205+++ b/auth-krb5.c 207+++ b/auth-krb5.c
206@@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
207 209
208 len = strlen(authctxt->krb5_ticket_file) + 6; 210 len = strlen(authctxt->krb5_ticket_file) + 6;
209 authctxt->krb5_ccname = xmalloc(len); 211 authctxt->krb5_ccname = xmalloc(len);
@@ -217,7 +219,7 @@ index d1c5a2f..f019fb1 100644
217 219
218 #ifdef USE_PAM 220 #ifdef USE_PAM
219 if (options.use_pam) 221 if (options.use_pam)
220@@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 222@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
221 #ifndef HEIMDAL 223 #ifndef HEIMDAL
222 krb5_error_code 224 krb5_error_code
223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 225 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -242,7 +244,7 @@ index d1c5a2f..f019fb1 100644
242 old_umask = umask(0177); 244 old_umask = umask(0177);
243 tmpfd = mkstemp(ccname + strlen("FILE:")); 245 tmpfd = mkstemp(ccname + strlen("FILE:"));
244 oerrno = errno; 246 oerrno = errno;
245@@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 247@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
246 return oerrno; 248 return oerrno;
247 } 249 }
248 close(tmpfd); 250 close(tmpfd);
@@ -251,10 +253,10 @@ index d1c5a2f..f019fb1 100644
251 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
252 } 254 }
253diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
254index 214c2c7..bd6a026 100644 256index 24527dd..f56dcc6 100644
255--- a/auth.c 257--- a/auth.c
256+++ b/auth.c 258+++ b/auth.c
257@@ -354,7 +354,8 @@ auth_root_allowed(const char *method) 259@@ -363,7 +363,8 @@ auth_root_allowed(const char *method)
258 case PERMIT_NO_PASSWD: 260 case PERMIT_NO_PASSWD:
259 if (strcmp(method, "publickey") == 0 || 261 if (strcmp(method, "publickey") == 0 ||
260 strcmp(method, "hostbased") == 0 || 262 strcmp(method, "hostbased") == 0 ||
@@ -264,6 +266,106 @@ index 214c2c7..bd6a026 100644
264 return 1; 266 return 1;
265 break; 267 break;
266 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -786,99 +787,6 @@ fakepw(void)
270 }
271
272 /*
273- * Returns the remote DNS hostname as a string. The returned string must not
274- * be freed. NB. this will usually trigger a DNS query the first time it is
275- * called.
276- * This function does additional checks on the hostname to mitigate some
277- * attacks on legacy rhosts-style authentication.
278- * XXX is RhostsRSAAuthentication vulnerable to these?
279- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
280- */
281-
282-static char *
283-remote_hostname(struct ssh *ssh)
284-{
285- struct sockaddr_storage from;
286- socklen_t fromlen;
287- struct addrinfo hints, *ai, *aitop;
288- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
289- const char *ntop = ssh_remote_ipaddr(ssh);
290-
291- /* Get IP address of client. */
292- fromlen = sizeof(from);
293- memset(&from, 0, sizeof(from));
294- if (getpeername(ssh_packet_get_connection_in(ssh),
295- (struct sockaddr *)&from, &fromlen) < 0) {
296- debug("getpeername failed: %.100s", strerror(errno));
297- return strdup(ntop);
298- }
299-
300- ipv64_normalise_mapped(&from, &fromlen);
301- if (from.ss_family == AF_INET6)
302- fromlen = sizeof(struct sockaddr_in6);
303-
304- debug3("Trying to reverse map address %.100s.", ntop);
305- /* Map the IP address to a host name. */
306- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
307- NULL, 0, NI_NAMEREQD) != 0) {
308- /* Host name not found. Use ip address. */
309- return strdup(ntop);
310- }
311-
312- /*
313- * if reverse lookup result looks like a numeric hostname,
314- * someone is trying to trick us by PTR record like following:
315- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
316- */
317- memset(&hints, 0, sizeof(hints));
318- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
319- hints.ai_flags = AI_NUMERICHOST;
320- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
321- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
322- name, ntop);
323- freeaddrinfo(ai);
324- return strdup(ntop);
325- }
326-
327- /* Names are stored in lowercase. */
328- lowercase(name);
329-
330- /*
331- * Map it back to an IP address and check that the given
332- * address actually is an address of this host. This is
333- * necessary because anyone with access to a name server can
334- * define arbitrary names for an IP address. Mapping from
335- * name to IP address can be trusted better (but can still be
336- * fooled if the intruder has access to the name server of
337- * the domain).
338- */
339- memset(&hints, 0, sizeof(hints));
340- hints.ai_family = from.ss_family;
341- hints.ai_socktype = SOCK_STREAM;
342- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
343- logit("reverse mapping checking getaddrinfo for %.700s "
344- "[%s] failed.", name, ntop);
345- return strdup(ntop);
346- }
347- /* Look for the address from the list of addresses. */
348- for (ai = aitop; ai; ai = ai->ai_next) {
349- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
350- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
351- (strcmp(ntop, ntop2) == 0))
352- break;
353- }
354- freeaddrinfo(aitop);
355- /* If we reached the end of the list, the address was not there. */
356- if (ai == NULL) {
357- /* Address not found for the host name. */
358- logit("Address %.100s maps to %.600s, but this does not "
359- "map back to the address.", ntop, name);
360- return strdup(ntop);
361- }
362- return strdup(name);
363-}
364-
365-/*
366 * Return the canonical name of the host in the other side of the current
367 * connection. The host name is cached, so it is efficient to call this
368 * several times.
267diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
268index 1ca8357..3b5036d 100644 370index 1ca8357..3b5036d 100644
269--- a/auth2-gss.c 371--- a/auth2-gss.c
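Review bot: The 93-line removal of remote_hostname() after `fakepw` in auth.c would be easier to maintain as its own entry in debian/patches/series than inside gssapi.patch. The visible lines show a verbatim relocation with no GSSAPI-specific change, so any later upstream edit to this function in auth.c has to be re-applied by hand to the copy in canohost.c. The removed definition was also `static`; the caller that stays in auth.c (the canonical-hostname function whose comment follows as context) now depends on the prototype added to canohost.h, so please confirm auth.c includes that header.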
@@ -352,7 +454,7 @@ index 1ca8357..3b5036d 100644
352 "gssapi-with-mic", 454 "gssapi-with-mic",
353 userauth_gssapi, 455 userauth_gssapi,
354diff --git a/auth2.c b/auth2.c 456diff --git a/auth2.c b/auth2.c
355index 7177962..3f49bdc 100644 457index 9108b86..ce0d376 100644
356--- a/auth2.c 458--- a/auth2.c
357+++ b/auth2.c 459+++ b/auth2.c
358@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 460@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -371,8 +473,126 @@ index 7177962..3f49bdc 100644
371 &method_gssapi, 473 &method_gssapi,
372 #endif 474 #endif
373 &method_passwd, 475 &method_passwd,
476diff --git a/canohost.c b/canohost.c
477index f71a085..404731d 100644
478--- a/canohost.c
479+++ b/canohost.c
480@@ -35,6 +35,99 @@
481 #include "canohost.h"
482 #include "misc.h"
483
484+/*
485+ * Returns the remote DNS hostname as a string. The returned string must not
486+ * be freed. NB. this will usually trigger a DNS query the first time it is
487+ * called.
488+ * This function does additional checks on the hostname to mitigate some
489+ * attacks on legacy rhosts-style authentication.
490+ * XXX is RhostsRSAAuthentication vulnerable to these?
491+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
492+ */
493+
494+char *
495+remote_hostname(struct ssh *ssh)
496+{
497+ struct sockaddr_storage from;
498+ socklen_t fromlen;
499+ struct addrinfo hints, *ai, *aitop;
500+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
501+ const char *ntop = ssh_remote_ipaddr(ssh);
502+
503+ /* Get IP address of client. */
504+ fromlen = sizeof(from);
505+ memset(&from, 0, sizeof(from));
506+ if (getpeername(ssh_packet_get_connection_in(ssh),
507+ (struct sockaddr *)&from, &fromlen) < 0) {
508+ debug("getpeername failed: %.100s", strerror(errno));
509+ return strdup(ntop);
510+ }
511+
512+ ipv64_normalise_mapped(&from, &fromlen);
513+ if (from.ss_family == AF_INET6)
514+ fromlen = sizeof(struct sockaddr_in6);
515+
516+ debug3("Trying to reverse map address %.100s.", ntop);
517+ /* Map the IP address to a host name. */
518+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
519+ NULL, 0, NI_NAMEREQD) != 0) {
520+ /* Host name not found. Use ip address. */
521+ return strdup(ntop);
522+ }
523+
524+ /*
525+ * if reverse lookup result looks like a numeric hostname,
526+ * someone is trying to trick us by PTR record like following:
527+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
528+ */
529+ memset(&hints, 0, sizeof(hints));
530+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
531+ hints.ai_flags = AI_NUMERICHOST;
532+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
533+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
534+ name, ntop);
535+ freeaddrinfo(ai);
536+ return strdup(ntop);
537+ }
538+
539+ /* Names are stored in lowercase. */
540+ lowercase(name);
541+
542+ /*
543+ * Map it back to an IP address and check that the given
544+ * address actually is an address of this host. This is
545+ * necessary because anyone with access to a name server can
546+ * define arbitrary names for an IP address. Mapping from
547+ * name to IP address can be trusted better (but can still be
548+ * fooled if the intruder has access to the name server of
549+ * the domain).
550+ */
551+ memset(&hints, 0, sizeof(hints));
552+ hints.ai_family = from.ss_family;
553+ hints.ai_socktype = SOCK_STREAM;
554+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
555+ logit("reverse mapping checking getaddrinfo for %.700s "
556+ "[%s] failed.", name, ntop);
557+ return strdup(ntop);
558+ }
559+ /* Look for the address from the list of addresses. */
560+ for (ai = aitop; ai; ai = ai->ai_next) {
561+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
562+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
563+ (strcmp(ntop, ntop2) == 0))
564+ break;
565+ }
566+ freeaddrinfo(aitop);
567+ /* If we reached the end of the list, the address was not there. */
568+ if (ai == NULL) {
569+ /* Address not found for the host name. */
570+ logit("Address %.100s maps to %.600s, but this does not "
571+ "map back to the address.", ntop, name);
572+ return strdup(ntop);
573+ }
574+ return strdup(name);
575+}
576+
577 void
578 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
579 {
580diff --git a/canohost.h b/canohost.h
581index 26d6285..0cadc9f 100644
582--- a/canohost.h
583+++ b/canohost.h
584@@ -15,6 +15,9 @@
585 #ifndef _CANOHOST_H
586 #define _CANOHOST_H
587
588+struct ssh;
589+
590+char *remote_hostname(struct ssh *);
591 char *get_peer_ipaddr(int);
592 int get_peer_port(int);
593 char *get_local_ipaddr(int);
374diff --git a/clientloop.c b/clientloop.c 594diff --git a/clientloop.c b/clientloop.c
375index 9820455..1567e4a 100644 595index 2c44f5d..421241f 100644
376--- a/clientloop.c 596--- a/clientloop.c
377+++ b/clientloop.c 597+++ b/clientloop.c
378@@ -114,6 +114,10 @@ 598@@ -114,6 +114,10 @@
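Review bot: The comment carried over onto the now-exported remote_hostname() in canohost.c says "The returned string must not be freed", yet every return path hands back a fresh allocation (`return strdup(ntop);`, `return strdup(name);`). With the function no longer `static`, new callers will take that comment as the contract and leak the result on each call; correct it to say the caller owns the string. The `strdup()` results are also returned unchecked, so callers have to cope with NULL. The canohost.h hunk adds `char *remote_hostname(struct ssh *);` with no ownership note, which is the natural place to document both points.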
@@ -386,7 +606,7 @@ index 9820455..1567e4a 100644
386 /* import options */ 606 /* import options */
387 extern Options options; 607 extern Options options;
388 608
389@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 609@@ -1666,9 +1670,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
390 break; 610 break;
391 611
392 /* Do channel operations unless rekeying in progress. */ 612 /* Do channel operations unless rekeying in progress. */
@@ -407,10 +627,10 @@ index 9820455..1567e4a 100644
407 client_process_net_input(readset); 627 client_process_net_input(readset);
408 628
409diff --git a/config.h.in b/config.h.in 629diff --git a/config.h.in b/config.h.in
410index 89bf1b0..621c139 100644 630index 39d018f..d7caf9a 100644
411--- a/config.h.in 631--- a/config.h.in
412+++ b/config.h.in 632+++ b/config.h.in
413@@ -1641,6 +1641,9 @@ 633@@ -1668,6 +1668,9 @@
414 /* Use btmp to log bad logins */ 634 /* Use btmp to log bad logins */
415 #undef USE_BTMP 635 #undef USE_BTMP
416 636
@@ -420,7 +640,7 @@ index 89bf1b0..621c139 100644
420 /* Use libedit for sftp */ 640 /* Use libedit for sftp */
421 #undef USE_LIBEDIT 641 #undef USE_LIBEDIT
422 642
423@@ -1656,6 +1659,9 @@ 643@@ -1683,6 +1686,9 @@
424 /* Use PIPES instead of a socketpair() */ 644 /* Use PIPES instead of a socketpair() */
425 #undef USE_PIPES 645 #undef USE_PIPES
426 646
@@ -431,7 +651,7 @@ index 89bf1b0..621c139 100644
431 #undef USE_SOLARIS_PRIVS 651 #undef USE_SOLARIS_PRIVS
432 652
433diff --git a/configure.ac b/configure.ac 653diff --git a/configure.ac b/configure.ac
434index 7258cc0..5f1ff74 100644 654index 373d21b..894ec3b 100644
435--- a/configure.ac 655--- a/configure.ac
436+++ b/configure.ac 656+++ b/configure.ac
437@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 657@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -463,7 +683,7 @@ index 7258cc0..5f1ff74 100644
463+ [AC_MSG_RESULT([no])] 683+ [AC_MSG_RESULT([no])]
464+ ) 684+ )
465 m4_pattern_allow([AU_IPv]) 685 m4_pattern_allow([AU_IPv])
466 AC_CHECK_DECL([AU_IPv4], [], 686 AC_CHECK_DECL([AU_IPv4], [],
467 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 687 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
468diff --git a/gss-genr.c b/gss-genr.c 688diff --git a/gss-genr.c b/gss-genr.c
469index d617d60..b4eca3f 100644 689index d617d60..b4eca3f 100644
@@ -1214,10 +1434,10 @@ index 53993d6..2f6baf7 100644
1214 1434
1215 #endif 1435 #endif
1216diff --git a/kex.c b/kex.c 1436diff --git a/kex.c b/kex.c
1217index d371f47..913e923 100644 1437index 50c7a0f..c17d652 100644
1218--- a/kex.c 1438--- a/kex.c
1219+++ b/kex.c 1439+++ b/kex.c
1220@@ -54,6 +54,10 @@ 1440@@ -55,6 +55,10 @@
1221 #include "sshbuf.h" 1441 #include "sshbuf.h"
1222 #include "digest.h" 1442 #include "digest.h"
1223 1443
@@ -1228,7 +1448,7 @@ index d371f47..913e923 100644
1228 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1448 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1229 # if defined(HAVE_EVP_SHA256) 1449 # if defined(HAVE_EVP_SHA256)
1230 # define evp_ssh_sha256 EVP_sha256 1450 # define evp_ssh_sha256 EVP_sha256
1231@@ -109,6 +113,14 @@ static const struct kexalg kexalgs[] = { 1451@@ -113,6 +117,14 @@ static const struct kexalg kexalgs[] = {
1232 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1452 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1233 { NULL, -1, -1, -1}, 1453 { NULL, -1, -1, -1},
1234 }; 1454 };
@@ -1243,7 +1463,7 @@ index d371f47..913e923 100644
1243 1463
1244 char * 1464 char *
1245 kex_alg_list(char sep) 1465 kex_alg_list(char sep)
1246@@ -141,6 +153,10 @@ kex_alg_by_name(const char *name) 1466@@ -145,6 +157,10 @@ kex_alg_by_name(const char *name)
1247 if (strcmp(k->name, name) == 0) 1467 if (strcmp(k->name, name) == 0)
1248 return k; 1468 return k;
1249 } 1469 }
@@ -1254,11 +1474,21 @@ index d371f47..913e923 100644
1254 return NULL; 1474 return NULL;
1255 } 1475 }
1256 1476
1477@@ -587,6 +603,9 @@ kex_free(struct kex *kex)
1478 sshbuf_free(kex->peer);
1479 sshbuf_free(kex->my);
1480 free(kex->session_id);
1481+#ifdef GSSAPI
1482+ free(kex->gss_host);
1483+#endif /* GSSAPI */
1484 free(kex->client_version_string);
1485 free(kex->server_version_string);
1486 free(kex->failed_choice);
1257diff --git a/kex.h b/kex.h 1487diff --git a/kex.h b/kex.h
1258index 1c58966..123ef83 100644 1488index c351955..8ed459a 100644
1259--- a/kex.h 1489--- a/kex.h
1260+++ b/kex.h 1490+++ b/kex.h
1261@@ -92,6 +92,9 @@ enum kex_exchange { 1491@@ -98,6 +98,9 @@ enum kex_exchange {
1262 KEX_DH_GEX_SHA256, 1492 KEX_DH_GEX_SHA256,
1263 KEX_ECDH_SHA2, 1493 KEX_ECDH_SHA2,
1264 KEX_C25519_SHA256, 1494 KEX_C25519_SHA256,
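Review bot: `free(kex->gss_host);` in kex_free() is only correct if every assignment to `gss_host` stores a heap copy owned by the kex; a borrowed pointer would now be freed twice or freed while still in use elsewhere. Please confirm the assignment sites duplicate the string, and check whether the other GSSAPI members added to `struct kex` in the kex.h hunk (six added lines) hold allocations that need releasing here as well.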
@@ -1268,7 +1498,7 @@ index 1c58966..123ef83 100644
1268 KEX_MAX 1498 KEX_MAX
1269 }; 1499 };
1270 1500
1271@@ -140,6 +143,12 @@ struct kex { 1501@@ -146,6 +149,12 @@ struct kex {
1272 u_int flags; 1502 u_int flags;
1273 int hash_alg; 1503 int hash_alg;
1274 int ec_nid; 1504 int ec_nid;
@@ -1281,7 +1511,7 @@ index 1c58966..123ef83 100644
1281 char *client_version_string; 1511 char *client_version_string;
1282 char *server_version_string; 1512 char *server_version_string;
1283 char *failed_choice; 1513 char *failed_choice;
1284@@ -190,6 +199,11 @@ int kexecdh_server(struct ssh *); 1514@@ -196,6 +205,11 @@ int kexecdh_server(struct ssh *);
1285 int kexc25519_client(struct ssh *); 1515 int kexc25519_client(struct ssh *);
1286 int kexc25519_server(struct ssh *); 1516 int kexc25519_server(struct ssh *);
1287 1517
@@ -1290,15 +1520,15 @@ index 1c58966..123ef83 100644
1290+int kexgss_server(struct ssh *); 1520+int kexgss_server(struct ssh *);
1291+#endif 1521+#endif
1292+ 1522+
1293 int kex_dh_hash(const char *, const char *, 1523 int kex_dh_hash(int, const char *, const char *,
1294 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, 1524 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
1295 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 1525 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1296diff --git a/kexgssc.c b/kexgssc.c 1526diff --git a/kexgssc.c b/kexgssc.c
1297new file mode 100644 1527new file mode 100644
1298index 0000000..a49bac2 1528index 0000000..10447f2
1299--- /dev/null 1529--- /dev/null
1300+++ b/kexgssc.c 1530+++ b/kexgssc.c
1301@@ -0,0 +1,336 @@ 1531@@ -0,0 +1,338 @@
1302+/* 1532+/*
1303+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1533+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1304+ * 1534+ *
@@ -1570,7 +1800,9 @@ index 0000000..a49bac2
1570+ switch (ssh->kex->kex_type) { 1800+ switch (ssh->kex->kex_type) {
1571+ case KEX_GSS_GRP1_SHA1: 1801+ case KEX_GSS_GRP1_SHA1:
1572+ case KEX_GSS_GRP14_SHA1: 1802+ case KEX_GSS_GRP14_SHA1:
1573+ kex_dh_hash( ssh->kex->client_version_string, 1803+ kex_dh_hash(
1804+ ssh->kex->hash_alg,
1805+ ssh->kex->client_version_string,
1574+ ssh->kex->server_version_string, 1806+ ssh->kex->server_version_string,
1575+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 1807+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
1576+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 1808+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
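Review bot: The return value of kex_dh_hash() is discarded at this call in the `KEX_GSS_GRP1_SHA1` / `KEX_GSS_GRP14_SHA1` case, although the prototype in the kex.h hunk declares it as `int kex_dh_hash(int, const char *, const char *,`. Capture the result and abort the exchange on failure, so that a digest error cannot leave the client continuing with an exchange hash that was never computed.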
@@ -1637,10 +1869,10 @@ index 0000000..a49bac2
1637+#endif /* GSSAPI */ 1869+#endif /* GSSAPI */
1638diff --git a/kexgsss.c b/kexgsss.c 1870diff --git a/kexgsss.c b/kexgsss.c
1639new file mode 100644 1871new file mode 100644
1640index 0000000..dd8ba1d 1872index 0000000..38ca082
1641--- /dev/null 1873--- /dev/null
1642+++ b/kexgsss.c 1874+++ b/kexgsss.c
1643@@ -0,0 +1,294 @@ 1875@@ -0,0 +1,295 @@
1644+/* 1876+/*
1645+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1877+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1646+ * 1878+ *
@@ -1861,6 +2093,7 @@ index 0000000..dd8ba1d
1861+ case KEX_GSS_GRP1_SHA1: 2093+ case KEX_GSS_GRP1_SHA1:
1862+ case KEX_GSS_GRP14_SHA1: 2094+ case KEX_GSS_GRP14_SHA1:
1863+ kex_dh_hash( 2095+ kex_dh_hash(
2096+ ssh->kex->hash_alg,
1864+ ssh->kex->client_version_string, ssh->kex->server_version_string, 2097+ ssh->kex->client_version_string, ssh->kex->server_version_string,
1865+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), 2098+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
1866+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), 2099+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
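Review bot: Passing `ssh->kex->hash_alg` under the `KEX_GSS_GRP1_SHA1` / `KEX_GSS_GRP14_SHA1` labels makes the digest depend on kex state rather than on the case label, so server and client agree on the exchange hash only if `hash_alg` has been set for the GSS key exchange names. The visible lines do not show where that happens; a short comment here, or a check before the call, would make the dependency explicit. This call is also laid out differently from the one in kexgssc.c (both version strings share a line here), which makes the two harder to compare side by side.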
@@ -1936,10 +2169,10 @@ index 0000000..dd8ba1d
1936+} 2169+}
1937+#endif /* GSSAPI */ 2170+#endif /* GSSAPI */
1938diff --git a/monitor.c b/monitor.c 2171diff --git a/monitor.c b/monitor.c
1939index ac7dd30..6c82023 100644 2172index cb57bd0..05bb48a 100644
1940--- a/monitor.c 2173--- a/monitor.c
1941+++ b/monitor.c 2174+++ b/monitor.c
1942@@ -156,6 +156,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2175@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
1943 int mm_answer_gss_accept_ctx(int, Buffer *); 2176 int mm_answer_gss_accept_ctx(int, Buffer *);
1944 int mm_answer_gss_userok(int, Buffer *); 2177 int mm_answer_gss_userok(int, Buffer *);
1945 int mm_answer_gss_checkmic(int, Buffer *); 2178 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1948,7 +2181,7 @@ index ac7dd30..6c82023 100644
1948 #endif 2181 #endif
1949 2182
1950 #ifdef SSH_AUDIT_EVENTS 2183 #ifdef SSH_AUDIT_EVENTS
1951@@ -233,11 +235,18 @@ struct mon_table mon_dispatch_proto20[] = { 2184@@ -235,11 +237,18 @@ struct mon_table mon_dispatch_proto20[] = {
1952 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2185 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
1953 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2186 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
1954 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2187 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1967,7 +2200,7 @@ index ac7dd30..6c82023 100644
1967 #ifdef WITH_OPENSSL 2200 #ifdef WITH_OPENSSL
1968 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2201 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
1969 #endif 2202 #endif
1970@@ -352,6 +361,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2203@@ -354,6 +363,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
1971 /* Permit requests for moduli and signatures */ 2204 /* Permit requests for moduli and signatures */
1972 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2205 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1973 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2206 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1978,7 +2211,7 @@ index ac7dd30..6c82023 100644
1978 } else { 2211 } else {
1979 mon_dispatch = mon_dispatch_proto15; 2212 mon_dispatch = mon_dispatch_proto15;
1980 2213
1981@@ -460,6 +473,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2214@@ -462,6 +475,10 @@ monitor_child_postauth(struct monitor *pmonitor)
1982 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2215 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
1983 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2216 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
1984 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2217 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1989,7 +2222,7 @@ index ac7dd30..6c82023 100644
1989 } else { 2222 } else {
1990 mon_dispatch = mon_dispatch_postauth15; 2223 mon_dispatch = mon_dispatch_postauth15;
1991 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2224 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
1992@@ -1861,6 +1878,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2225@@ -1876,6 +1893,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
1993 # endif 2226 # endif
1994 #endif /* WITH_OPENSSL */ 2227 #endif /* WITH_OPENSSL */
1995 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2228 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2003,7 +2236,7 @@ index ac7dd30..6c82023 100644
2003 kex->load_host_public_key=&get_hostkey_public_by_type; 2236 kex->load_host_public_key=&get_hostkey_public_by_type;
2004 kex->load_host_private_key=&get_hostkey_private_by_type; 2237 kex->load_host_private_key=&get_hostkey_private_by_type;
2005 kex->host_key_index=&get_hostkey_index; 2238 kex->host_key_index=&get_hostkey_index;
2006@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2239@@ -1975,6 +1999,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2007 OM_uint32 major; 2240 OM_uint32 major;
2008 u_int len; 2241 u_int len;
2009 2242
@@ -2013,7 +2246,7 @@ index ac7dd30..6c82023 100644
2013 goid.elements = buffer_get_string(m, &len); 2246 goid.elements = buffer_get_string(m, &len);
2014 goid.length = len; 2247 goid.length = len;
2015 2248
2016@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2249@@ -2002,6 +2029,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2017 OM_uint32 flags = 0; /* GSI needs this */ 2250 OM_uint32 flags = 0; /* GSI needs this */
2018 u_int len; 2251 u_int len;
2019 2252
@@ -2023,7 +2256,7 @@ index ac7dd30..6c82023 100644
2023 in.value = buffer_get_string(m, &len); 2256 in.value = buffer_get_string(m, &len);
2024 in.length = len; 2257 in.length = len;
2025 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2258 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2026@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2259@@ -2019,6 +2049,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2027 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2260 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2028 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2029 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2031,7 +2264,7 @@ index ac7dd30..6c82023 100644
2031 } 2264 }
2032 return (0); 2265 return (0);
2033 } 2266 }
2034@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2267@@ -2030,6 +2061,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2035 OM_uint32 ret; 2268 OM_uint32 ret;
2036 u_int len; 2269 u_int len;
2037 2270
@@ -2041,7 +2274,7 @@ index ac7dd30..6c82023 100644
2041 gssbuf.value = buffer_get_string(m, &len); 2274 gssbuf.value = buffer_get_string(m, &len);
2042 gssbuf.length = len; 2275 gssbuf.length = len;
2043 mic.value = buffer_get_string(m, &len); 2276 mic.value = buffer_get_string(m, &len);
2044@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2277@@ -2056,7 +2090,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2045 { 2278 {
2046 int authenticated; 2279 int authenticated;
2047 2280
@@ -2054,7 +2287,7 @@ index ac7dd30..6c82023 100644
2054 2287
2055 buffer_clear(m); 2288 buffer_clear(m);
2056 buffer_put_int(m, authenticated); 2289 buffer_put_int(m, authenticated);
2057@@ -2054,5 +2092,73 @@ mm_answer_gss_userok(int sock, Buffer *m) 2290@@ -2069,5 +2107,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2058 /* Monitor loop will terminate if authenticated */ 2291 /* Monitor loop will terminate if authenticated */
2059 return (authenticated); 2292 return (authenticated);
2060 } 2293 }
@@ -2143,10 +2376,10 @@ index 93b8b66..bc50ade 100644
2143 2376
2144 struct mm_master; 2377 struct mm_master;
2145diff --git a/monitor_wrap.c b/monitor_wrap.c 2378diff --git a/monitor_wrap.c b/monitor_wrap.c
2146index c5db6df..74fbd2e 100644 2379index 99dc13b..5a9f1b5 100644
2147--- a/monitor_wrap.c 2380--- a/monitor_wrap.c
2148+++ b/monitor_wrap.c 2381+++ b/monitor_wrap.c
2149@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2382@@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2150 } 2383 }
2151 2384
2152 int 2385 int
@@ -2155,7 +2388,7 @@ index c5db6df..74fbd2e 100644
2155 { 2388 {
2156 Buffer m; 2389 Buffer m;
2157 int authenticated = 0; 2390 int authenticated = 0;
2158@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) 2391@@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user)
2159 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2392 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2160 return (authenticated); 2393 return (authenticated);
2161 } 2394 }
@@ -2207,10 +2440,10 @@ index c5db6df..74fbd2e 100644
2207 #endif /* GSSAPI */ 2440 #endif /* GSSAPI */
2208 2441
2209diff --git a/monitor_wrap.h b/monitor_wrap.h 2442diff --git a/monitor_wrap.h b/monitor_wrap.h
2210index eb820ae..403f8d0 100644 2443index 9fd02b3..b5414c2 100644
2211--- a/monitor_wrap.h 2444--- a/monitor_wrap.h
2212+++ b/monitor_wrap.h 2445+++ b/monitor_wrap.h
2213@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); 2446@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
2214 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2447 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2215 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2448 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2216 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2449 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2223,10 +2456,10 @@ index eb820ae..403f8d0 100644
2223 2456
2224 #ifdef USE_PAM 2457 #ifdef USE_PAM
2225diff --git a/readconf.c b/readconf.c 2458diff --git a/readconf.c b/readconf.c
2226index 69d4553..d2a3d4b 100644 2459index c177202..e019195 100644
2227--- a/readconf.c 2460--- a/readconf.c
2228+++ b/readconf.c 2461+++ b/readconf.c
2229@@ -148,6 +148,8 @@ typedef enum { 2462@@ -160,6 +160,8 @@ typedef enum {
2230 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2463 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2231 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2464 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2232 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2465 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2235,7 +2468,7 @@ index 69d4553..d2a3d4b 100644
2235 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2468 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2236 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2469 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2237 oHashKnownHosts, 2470 oHashKnownHosts,
2238@@ -193,10 +195,19 @@ static struct { 2471@@ -205,10 +207,19 @@ static struct {
2239 { "afstokenpassing", oUnsupported }, 2472 { "afstokenpassing", oUnsupported },
2240 #if defined(GSSAPI) 2473 #if defined(GSSAPI)
2241 { "gssapiauthentication", oGssAuthentication }, 2474 { "gssapiauthentication", oGssAuthentication },
@@ -2255,7 +2488,7 @@ index 69d4553..d2a3d4b 100644
2255 #endif 2488 #endif
2256 { "fallbacktorsh", oDeprecated }, 2489 { "fallbacktorsh", oDeprecated },
2257 { "usersh", oDeprecated }, 2490 { "usersh", oDeprecated },
2258@@ -926,10 +937,30 @@ parse_time: 2491@@ -962,10 +973,30 @@ parse_time:
2259 intptr = &options->gss_authentication; 2492 intptr = &options->gss_authentication;
2260 goto parse_flag; 2493 goto parse_flag;
2261 2494
@@ -2286,7 +2519,7 @@ index 69d4553..d2a3d4b 100644
2286 case oBatchMode: 2519 case oBatchMode:
2287 intptr = &options->batch_mode; 2520 intptr = &options->batch_mode;
2288 goto parse_flag; 2521 goto parse_flag;
2289@@ -1648,7 +1679,12 @@ initialize_options(Options * options) 2522@@ -1777,7 +1808,12 @@ initialize_options(Options * options)
2290 options->pubkey_authentication = -1; 2523 options->pubkey_authentication = -1;
2291 options->challenge_response_authentication = -1; 2524 options->challenge_response_authentication = -1;
2292 options->gss_authentication = -1; 2525 options->gss_authentication = -1;
@@ -2299,7 +2532,7 @@ index 69d4553..d2a3d4b 100644
2299 options->password_authentication = -1; 2532 options->password_authentication = -1;
2300 options->kbd_interactive_authentication = -1; 2533 options->kbd_interactive_authentication = -1;
2301 options->kbd_interactive_devices = NULL; 2534 options->kbd_interactive_devices = NULL;
2302@@ -1777,8 +1813,14 @@ fill_default_options(Options * options) 2535@@ -1921,8 +1957,14 @@ fill_default_options(Options * options)
2303 options->challenge_response_authentication = 1; 2536 options->challenge_response_authentication = 1;
2304 if (options->gss_authentication == -1) 2537 if (options->gss_authentication == -1)
2305 options->gss_authentication = 0; 2538 options->gss_authentication = 0;
@@ -2315,7 +2548,7 @@ index 69d4553..d2a3d4b 100644
2315 options->password_authentication = 1; 2548 options->password_authentication = 1;
2316 if (options->kbd_interactive_authentication == -1) 2549 if (options->kbd_interactive_authentication == -1)
2317diff --git a/readconf.h b/readconf.h 2550diff --git a/readconf.h b/readconf.h
2318index c84d068..37a0555 100644 2551index cef55f7..fd3d7c7 100644
2319--- a/readconf.h 2552--- a/readconf.h
2320+++ b/readconf.h 2553+++ b/readconf.h
2321@@ -45,7 +45,12 @@ typedef struct { 2554@@ -45,7 +45,12 @@ typedef struct {
@@ -2332,7 +2565,7 @@ index c84d068..37a0555 100644
2332 * authentication. */ 2565 * authentication. */
2333 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2566 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2334diff --git a/servconf.c b/servconf.c 2567diff --git a/servconf.c b/servconf.c
2335index b19d30e..b8af6dd 100644 2568index 873b0d0..9b06281 100644
2336--- a/servconf.c 2569--- a/servconf.c
2337+++ b/servconf.c 2570+++ b/servconf.c
2338@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options) 2571@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
@@ -2362,7 +2595,7 @@ index b19d30e..b8af6dd 100644
2362 if (options->password_authentication == -1) 2595 if (options->password_authentication == -1)
2363 options->password_authentication = 1; 2596 options->password_authentication = 1;
2364 if (options->kbd_interactive_authentication == -1) 2597 if (options->kbd_interactive_authentication == -1)
2365@@ -419,6 +425,7 @@ typedef enum { 2598@@ -427,6 +433,7 @@ typedef enum {
2366 sHostKeyAlgorithms, 2599 sHostKeyAlgorithms,
2367 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2600 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2368 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2601 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2370,7 +2603,7 @@ index b19d30e..b8af6dd 100644
2370 sAcceptEnv, sPermitTunnel, 2603 sAcceptEnv, sPermitTunnel,
2371 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2604 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2372 sUsePrivilegeSeparation, sAllowAgentForwarding, 2605 sUsePrivilegeSeparation, sAllowAgentForwarding,
2373@@ -492,12 +499,20 @@ static struct { 2606@@ -500,12 +507,20 @@ static struct {
2374 #ifdef GSSAPI 2607 #ifdef GSSAPI
2375 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2608 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2376 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2609 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2391,7 +2624,7 @@ index b19d30e..b8af6dd 100644
2391 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2624 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2392 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2625 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2393 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2626 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2394@@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line, 2627@@ -1251,6 +1266,10 @@ process_server_config_line(ServerOptions *options, char *line,
2395 intptr = &options->gss_authentication; 2628 intptr = &options->gss_authentication;
2396 goto parse_flag; 2629 goto parse_flag;
2397 2630
@@ -2402,7 +2635,7 @@ index b19d30e..b8af6dd 100644
2402 case sGssCleanupCreds: 2635 case sGssCleanupCreds:
2403 intptr = &options->gss_cleanup_creds; 2636 intptr = &options->gss_cleanup_creds;
2404 goto parse_flag; 2637 goto parse_flag;
2405@@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line, 2638@@ -1259,6 +1278,10 @@ process_server_config_line(ServerOptions *options, char *line,
2406 intptr = &options->gss_strict_acceptor; 2639 intptr = &options->gss_strict_acceptor;
2407 goto parse_flag; 2640 goto parse_flag;
2408 2641
@@ -2413,7 +2646,7 @@ index b19d30e..b8af6dd 100644
2413 case sPasswordAuthentication: 2646 case sPasswordAuthentication:
2414 intptr = &options->password_authentication; 2647 intptr = &options->password_authentication;
2415 goto parse_flag; 2648 goto parse_flag;
2416@@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o) 2649@@ -2308,7 +2331,10 @@ dump_config(ServerOptions *o)
2417 #endif 2650 #endif
2418 #ifdef GSSAPI 2651 #ifdef GSSAPI
2419 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2652 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2556,7 +2789,7 @@ index 90fb63f..4e879cd 100644
2556 # CheckHostIP yes 2789 # CheckHostIP yes
2557 # AddressFamily any 2790 # AddressFamily any
2558diff --git a/ssh_config.5 b/ssh_config.5 2791diff --git a/ssh_config.5 b/ssh_config.5
2559index caf13a6..9060d5b 100644 2792index 7630e7b..707d0e1 100644
2560--- a/ssh_config.5 2793--- a/ssh_config.5
2561+++ b/ssh_config.5 2794+++ b/ssh_config.5
2562@@ -826,10 +826,42 @@ The default is 2795@@ -826,10 +826,42 @@ The default is
@@ -2603,10 +2836,10 @@ index caf13a6..9060d5b 100644
2603 Indicates that 2836 Indicates that
2604 .Xr ssh 1 2837 .Xr ssh 1
2605diff --git a/sshconnect2.c b/sshconnect2.c 2838diff --git a/sshconnect2.c b/sshconnect2.c
2606index f79c96b..b452eae 100644 2839index fae8b0f..34b9d30 100644
2607--- a/sshconnect2.c 2840--- a/sshconnect2.c
2608+++ b/sshconnect2.c 2841+++ b/sshconnect2.c
2609@@ -161,6 +161,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2842@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2610 struct kex *kex; 2843 struct kex *kex;
2611 int r; 2844 int r;
2612 2845
@@ -2618,7 +2851,7 @@ index f79c96b..b452eae 100644
2618 xxx_host = host; 2851 xxx_host = host;
2619 xxx_hostaddr = hostaddr; 2852 xxx_hostaddr = hostaddr;
2620 2853
2621@@ -195,6 +200,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2854@@ -192,6 +197,36 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2622 order_hostkeyalgs(host, hostaddr, port)); 2855 order_hostkeyalgs(host, hostaddr, port));
2623 } 2856 }
2624 2857
@@ -2628,12 +2861,15 @@ index f79c96b..b452eae 100644
2628+ * client to the key exchange algorithm proposal */ 2861+ * client to the key exchange algorithm proposal */
2629+ orig = myproposal[PROPOSAL_KEX_ALGS]; 2862+ orig = myproposal[PROPOSAL_KEX_ALGS];
2630+ 2863+
2631+ if (options.gss_trust_dns) 2864+ if (options.gss_server_identity)
2632+ gss_host = (char *)get_canonical_hostname(1); 2865+ gss_host = xstrdup(options.gss_server_identity);
2866+ else if (options.gss_trust_dns)
2867+ gss_host = remote_hostname(active_state);
2633+ else 2868+ else
2634+ gss_host = host; 2869+ gss_host = xstrdup(host);
2635+ 2870+
2636+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); 2871+ gss = ssh_gssapi_client_mechanisms(gss_host,
2872+ options.gss_client_identity);
2637+ if (gss) { 2873+ if (gss) {
2638+ debug("Offering GSSAPI proposal: %s", gss); 2874+ debug("Offering GSSAPI proposal: %s", gss);
2639+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], 2875+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
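Review bot: In ssh_kex2 the gss_host selection now allocates in every branch (xstrdup(options.gss_server_identity), remote_hostname(active_state), xstrdup(host)), but the visible lines show neither a matching free nor a NULL check on the remote_hostname() result before it is passed to ssh_gssapi_client_mechanisms(). Please add a comment saying who owns the string afterwards (it is later stored in kex->gss_host), and either check the gss_trust_dns branch for NULL or confirm remote_hostname() cannot return it. Also note that options.gss_server_identity now takes precedence when probing mechanisms, where the old side only applied it to kex->gss_host; that behaviour change deserves a line in the patch description.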
@@ -2652,7 +2888,7 @@ index f79c96b..b452eae 100644
2652 if (options.rekey_limit || options.rekey_interval) 2888 if (options.rekey_limit || options.rekey_interval)
2653 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2889 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2654 (time_t)options.rekey_interval); 2890 (time_t)options.rekey_interval);
2655@@ -213,10 +245,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2891@@ -213,10 +248,26 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2656 # endif 2892 # endif
2657 #endif 2893 #endif
2658 kex->kex[KEX_C25519_SHA256] = kexc25519_client; 2894 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2672,18 +2908,14 @@ index f79c96b..b452eae 100644
2672+ kex->gss_deleg_creds = options.gss_deleg_creds; 2908+ kex->gss_deleg_creds = options.gss_deleg_creds;
2673+ kex->gss_trust_dns = options.gss_trust_dns; 2909+ kex->gss_trust_dns = options.gss_trust_dns;
2674+ kex->gss_client = options.gss_client_identity; 2910+ kex->gss_client = options.gss_client_identity;
2675+ if (options.gss_server_identity) { 2911+ kex->gss_host = gss_host;
2676+ kex->gss_host = options.gss_server_identity;
2677+ } else {
2678+ kex->gss_host = gss_host;
2679+ }
2680+ } 2912+ }
2681+#endif 2913+#endif
2682+ 2914+
2683 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); 2915 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
2684 2916
2685 /* remove ext-info from the KEX proposals for rekeying */ 2917 /* remove ext-info from the KEX proposals for rekeying */
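Review bot: kex->gss_host = gss_host now hands the heap string allocated earlier in ssh_kex2 to the kex structure, while kex->gss_client on the line above still borrows options.gss_client_identity without a copy. The two fields end up with different ownership, so document that kex->gss_host is owned by kex and where it is released; otherwise a later change to the teardown path can leak it or free the borrowed pointer. If the allocation above is not guarded by the same condition as this block, the string also needs a free on the path where the block is skipped.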
2686@@ -311,6 +363,7 @@ int input_gssapi_token(int type, u_int32_t, void *); 2918@@ -311,6 +362,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
2687 int input_gssapi_hash(int type, u_int32_t, void *); 2919 int input_gssapi_hash(int type, u_int32_t, void *);
2688 int input_gssapi_error(int, u_int32_t, void *); 2920 int input_gssapi_error(int, u_int32_t, void *);
2689 int input_gssapi_errtok(int, u_int32_t, void *); 2921 int input_gssapi_errtok(int, u_int32_t, void *);
@@ -2691,7 +2923,7 @@ index f79c96b..b452eae 100644
2691 #endif 2923 #endif
2692 2924
2693 void userauth(Authctxt *, char *); 2925 void userauth(Authctxt *, char *);
2694@@ -326,6 +379,11 @@ static char *authmethods_get(void); 2926@@ -326,6 +378,11 @@ static char *authmethods_get(void);
2695 2927
2696 Authmethod authmethods[] = { 2928 Authmethod authmethods[] = {
2697 #ifdef GSSAPI 2929 #ifdef GSSAPI
@@ -2703,18 +2935,18 @@ index f79c96b..b452eae 100644
2703 {"gssapi-with-mic", 2935 {"gssapi-with-mic",
2704 userauth_gssapi, 2936 userauth_gssapi,
2705 NULL, 2937 NULL,
2706@@ -656,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt) 2938@@ -650,25 +707,40 @@ userauth_gssapi(Authctxt *authctxt)
2707 static u_int mech = 0; 2939 static u_int mech = 0;
2708 OM_uint32 min; 2940 OM_uint32 min;
2709 int ok = 0; 2941 int ok = 0;
2710+ const char *gss_host; 2942+ char *gss_host;
2711+ 2943+
2712+ if (options.gss_server_identity) 2944+ if (options.gss_server_identity)
2713+ gss_host = options.gss_server_identity; 2945+ gss_host = xstrdup(options.gss_server_identity);
2714+ else if (options.gss_trust_dns) 2946+ else if (options.gss_trust_dns)
2715+ gss_host = get_canonical_hostname(1); 2947+ gss_host = remote_hostname(active_state);
2716+ else 2948+ else
2717+ gss_host = authctxt->host; 2949+ gss_host = xstrdup(authctxt->host);
2718 2950
2719 /* Try one GSSAPI method at a time, rather than sending them all at 2951 /* Try one GSSAPI method at a time, rather than sending them all at
2720 * once. */ 2952 * once. */
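Review bot: The three-way gss_host selection at the top of userauth_gssapi (gss_server_identity, then gss_trust_dns, then authctxt->host) is now a second copy of the logic in ssh_kex2, differing only in the fallback value. A small helper returning the allocated name would keep the precedence from drifting between key exchange and user authentication, and would give one place to check the remote_hostname(active_state) result for NULL before it is used as the GSSAPI target name.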
@@ -2723,6 +2955,7 @@ index f79c96b..b452eae 100644
2723- gss_indicate_mechs(&min, &gss_supported); 2955- gss_indicate_mechs(&min, &gss_supported);
2724+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { 2956+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
2725+ gss_supported = NULL; 2957+ gss_supported = NULL;
2958+ free(gss_host);
2726+ return 0; 2959+ return 0;
2727+ } 2960+ }
2728 2961
@@ -2737,7 +2970,15 @@ index f79c96b..b452eae 100644
2737 ok = 1; /* Mechanism works */ 2970 ok = 1; /* Mechanism works */
2738 } else { 2971 } else {
2739 mech++; 2972 mech++;
2740@@ -765,8 +835,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2973 }
2974 }
2975
2976+ free(gss_host);
2977+
2978 if (!ok)
2979 return 0;
2980
2981@@ -759,8 +831,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2741 { 2982 {
2742 Authctxt *authctxt = ctxt; 2983 Authctxt *authctxt = ctxt;
2743 Gssctxt *gssctxt; 2984 Gssctxt *gssctxt;
@@ -2748,7 +2989,7 @@ index f79c96b..b452eae 100644
2748 2989
2749 if (authctxt == NULL) 2990 if (authctxt == NULL)
2750 fatal("input_gssapi_response: no authentication context"); 2991 fatal("input_gssapi_response: no authentication context");
2751@@ -879,6 +949,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2992@@ -873,6 +945,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2752 free(lang); 2993 free(lang);
2753 return 0; 2994 return 0;
2754 } 2995 }
@@ -2798,7 +3039,7 @@ index f79c96b..b452eae 100644
2798 3039
2799 int 3040 int
2800diff --git a/sshd.c b/sshd.c 3041diff --git a/sshd.c b/sshd.c
2801index 430569c..5cd9129 100644 3042index 799c771..ebb88c7 100644
2802--- a/sshd.c 3043--- a/sshd.c
2803+++ b/sshd.c 3044+++ b/sshd.c
2804@@ -125,6 +125,10 @@ 3045@@ -125,6 +125,10 @@
@@ -2812,7 +3053,7 @@ index 430569c..5cd9129 100644
2812 #ifndef O_NOCTTY 3053 #ifndef O_NOCTTY
2813 #define O_NOCTTY 0 3054 #define O_NOCTTY 0
2814 #endif 3055 #endif
2815@@ -1833,10 +1837,13 @@ main(int ac, char **av) 3056@@ -1892,10 +1896,13 @@ main(int ac, char **av)
2816 logit("Disabling protocol version 1. Could not load host key"); 3057 logit("Disabling protocol version 1. Could not load host key");
2817 options.protocol &= ~SSH_PROTO_1; 3058 options.protocol &= ~SSH_PROTO_1;
2818 } 3059 }
@@ -2826,8 +3067,8 @@ index 430569c..5cd9129 100644
2826 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 3067 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2827 logit("sshd: no hostkeys available -- exiting."); 3068 logit("sshd: no hostkeys available -- exiting.");
2828 exit(1); 3069 exit(1);
2829@@ -2151,6 +2158,60 @@ main(int ac, char **av) 3070@@ -2207,6 +2214,60 @@ main(int ac, char **av)
2830 remote_ip, remote_port, laddr, get_local_port()); 3071 remote_ip, remote_port, laddr, ssh_local_port(ssh));
2831 free(laddr); 3072 free(laddr);
2832 3073
2833+#ifdef USE_SECURITY_SESSION_API 3074+#ifdef USE_SECURITY_SESSION_API
@@ -2887,7 +3128,7 @@ index 430569c..5cd9129 100644
2887 /* 3128 /*
2888 * We don't want to listen forever unless the other side 3129 * We don't want to listen forever unless the other side
2889 * successfully authenticates itself. So we set up an alarm which is 3130 * successfully authenticates itself. So we set up an alarm which is
2890@@ -2571,6 +2632,48 @@ do_ssh2_kex(void) 3131@@ -2631,6 +2692,48 @@ do_ssh2_kex(void)
2891 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3132 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2892 list_hostkey_types()); 3133 list_hostkey_types());
2893 3134
@@ -2936,7 +3177,7 @@ index 430569c..5cd9129 100644
2936 /* start key exchange */ 3177 /* start key exchange */
2937 if ((r = kex_setup(active_state, myproposal)) != 0) 3178 if ((r = kex_setup(active_state, myproposal)) != 0)
2938 fatal("kex_setup: %s", ssh_err(r)); 3179 fatal("kex_setup: %s", ssh_err(r));
2939@@ -2585,6 +2688,13 @@ do_ssh2_kex(void) 3180@@ -2648,6 +2751,13 @@ do_ssh2_kex(void)
2940 # endif 3181 # endif
2941 #endif 3182 #endif
2942 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3183 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2951,10 +3192,10 @@ index 430569c..5cd9129 100644
2951 kex->client_version_string=client_version_string; 3192 kex->client_version_string=client_version_string;
2952 kex->server_version_string=server_version_string; 3193 kex->server_version_string=server_version_string;
2953diff --git a/sshd_config b/sshd_config 3194diff --git a/sshd_config b/sshd_config
2954index a848d73..f103298 100644 3195index 75ae8e7..3fe3e01 100644
2955--- a/sshd_config 3196--- a/sshd_config
2956+++ b/sshd_config 3197+++ b/sshd_config
2957@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3198@@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys
2958 # GSSAPI options 3199 # GSSAPI options
2959 #GSSAPIAuthentication no 3200 #GSSAPIAuthentication no
2960 #GSSAPICleanupCredentials yes 3201 #GSSAPICleanupCredentials yes
@@ -2964,10 +3205,10 @@ index a848d73..f103298 100644
2964 # Set this to 'yes' to enable PAM authentication, account processing, 3205 # Set this to 'yes' to enable PAM authentication, account processing,
2965 # and session processing. If this is enabled, PAM authentication will 3206 # and session processing. If this is enabled, PAM authentication will
2966diff --git a/sshd_config.5 b/sshd_config.5 3207diff --git a/sshd_config.5 b/sshd_config.5
2967index a37a3ac..c6d6858 100644 3208index 1bc26ec..3b4cba9 100644
2968--- a/sshd_config.5 3209--- a/sshd_config.5
2969+++ b/sshd_config.5 3210+++ b/sshd_config.5
2970@@ -623,6 +623,11 @@ The default is 3211@@ -632,6 +632,11 @@ The default is
2971 Specifies whether user authentication based on GSSAPI is allowed. 3212 Specifies whether user authentication based on GSSAPI is allowed.
2972 The default is 3213 The default is
2973 .Dq no . 3214 .Dq no .
@@ -2979,7 +3220,7 @@ index a37a3ac..c6d6858 100644
2979 .It Cm GSSAPICleanupCredentials 3220 .It Cm GSSAPICleanupCredentials
2980 Specifies whether to automatically destroy the user's credentials cache 3221 Specifies whether to automatically destroy the user's credentials cache
2981 on logout. 3222 on logout.
2982@@ -643,6 +648,11 @@ machine's default store. 3223@@ -652,6 +657,11 @@ machine's default store.
2983 This facility is provided to assist with operation on multi homed machines. 3224 This facility is provided to assist with operation on multi homed machines.
2984 The default is 3225 The default is
2985 .Dq yes . 3226 .Dq yes .
@@ -2992,7 +3233,7 @@ index a37a3ac..c6d6858 100644
2992 Specifies the key types that will be accepted for hostbased authentication 3233 Specifies the key types that will be accepted for hostbased authentication
2993 as a comma-separated pattern list. 3234 as a comma-separated pattern list.
2994diff --git a/sshkey.c b/sshkey.c 3235diff --git a/sshkey.c b/sshkey.c
2995index 87b093e..e595b11 100644 3236index c9f04cd..558bbbe 100644
2996--- a/sshkey.c 3237--- a/sshkey.c
2997+++ b/sshkey.c 3238+++ b/sshkey.c
2998@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = { 3239@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = {
@@ -3013,7 +3254,7 @@ index 87b093e..e595b11 100644
3013 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3254 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
3014 continue; 3255 continue;
3015diff --git a/sshkey.h b/sshkey.h 3256diff --git a/sshkey.h b/sshkey.h
3016index a20a14f..2259cbb 100644 3257index 8c3d866..e0caa37 100644
3017--- a/sshkey.h 3258--- a/sshkey.h
3018+++ b/sshkey.h 3259+++ b/sshkey.h
3019@@ -62,6 +62,7 @@ enum sshkey_types { 3260@@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 8ebbf1fbc..a990ca1ea 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From 2b2c5ff34efa305e141130466260ca97f3a429ff Mon Sep 17 00:00:00 2001 1From 173d65e72989cba82502604da3f1336766c0cf0f Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
12 1 file changed, 1 insertion(+), 1 deletion(-) 12 1 file changed, 1 insertion(+), 1 deletion(-)
13 13
14diff --git a/serverloop.c b/serverloop.c 14diff --git a/serverloop.c b/serverloop.c
15index 80d1db5..830f885 100644 15index 3563e5d..c4e1d1d 100644
16--- a/serverloop.c 16--- a/serverloop.c
17+++ b/serverloop.c 17+++ b/serverloop.c
18@@ -683,7 +683,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
19 if (!channel_still_open()) 19 if (!channel_still_open())
20 break; 20 break;
21 if (!waiting_termination) { 21 if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index bc798582d..14ab7d34f 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From c7c5d5805bd2a58fcab69da87daa53259db06d81 Mon Sep 17 00:00:00 2001 1From 67c34f23edbcd0f39ebc2aadae9d33950bd1f98a Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 559e4c7..fde6b41 100644 29index c0b7822..3a6c67b 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -161,6 +161,7 @@ typedef enum { 32@@ -173,6 +173,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, 35 oPubkeyAcceptedKeyTypes, oProxyJump,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -293,6 +294,8 @@ static struct { 40@@ -308,6 +309,8 @@ static struct {
41 { "hostbasedkeytypes", oHostbasedKeyTypes },
42 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
43 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump },
44+ { "protocolkeepalives", oProtocolKeepAlives }, 44+ { "protocolkeepalives", oProtocolKeepAlives },
45+ { "setuptimeout", oSetupTimeOut }, 45+ { "setuptimeout", oSetupTimeOut },
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1350,6 +1353,8 @@ parse_keytypes: 49@@ -1403,6 +1406,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 559e4c7..fde6b41 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -1906,8 +1911,13 @@ fill_default_options(Options * options) 58@@ -2048,8 +2053,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 559e4c7..fde6b41 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 9060d5b..bbf638b 100644 75index 707d0e1..efc265a 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -268,8 +268,12 @@ The default is 78@@ -268,8 +268,12 @@ The default is
@@ -89,7 +89,7 @@ index 9060d5b..bbf638b 100644
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Dq yes
91 or 91 or
92@@ -1551,7 +1555,14 @@ from the server, 92@@ -1624,7 +1628,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index 9060d5b..bbf638b 100644
105 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
106 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
107 .Pq umask 107 .Pq umask
108@@ -1617,6 +1628,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1690,6 +1701,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index 9060d5b..bbf638b 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index c6d6858..bc79a66 100644 122index 3b4cba9..e05cdbe 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1518,6 +1518,9 @@ This avoids infinitely hanging sessions. 125@@ -1530,6 +1530,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Dq no . 128 .Dq no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 80f9b78e0..12dbaf853 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 4dc338b2703dd6169cecdbe3388c92f4cc2fc119 Mon Sep 17 00:00:00 2001 1From 6a1979d97fbde734a745b5123130fed669bfb145 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index a53f6dee1..8503c5854 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From d3362ea5419b16b81eb171436b95b51beedb9242 Mon Sep 17 00:00:00 2001 1From e7d4050d9077603c20a93bdfd6b99cd419d69f1c Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 6027ca645..771e77216 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 9d764f08fd01fa5c62a7cbff66165bc5d5ffb637 Mon Sep 17 00:00:00 2001 1From ab7ae820a882c8a51b06ec0b3522813b4e90eeff Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 37a4fc2..24bed5f 100644 47index ce2213c..01711df 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -178,9 +178,7 @@ key in 50@@ -178,9 +178,7 @@ key in
@@ -69,7 +69,7 @@ index 37a4fc2..24bed5f 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
71 2 key when the 71 2 key when the
72@@ -642,7 +638,7 @@ option. 72@@ -644,7 +640,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 37a4fc2..24bed5f 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -841,7 +837,7 @@ on all machines 81@@ -843,7 +839,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 37a4fc2..24bed5f 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index feb0e89..41e0aab 100644 91index feef81a..b1f128c 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -852,6 +852,10 @@ implements public key authentication protocol automatically, 94@@ -877,6 +877,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -133,10 +133,10 @@ index 589841f..58eefe9 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index b565640..4d255e5 100644 136index ac9b1f0..b2b349e 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -375,8 +375,7 @@ then no banner is displayed. 139@@ -382,8 +382,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 58c57dbac..efc629b71 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 81e52d59797c24edadc36f0f90f96387976a82c0 Mon Sep 17 00:00:00 2001 1From c8105413361d3c97b6a2f72c9f1c85da830bed2c Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -36,10 +36,10 @@ index fd67727..07dfc9d 100644
36 if (atomicio(vwrite, connection_out, client_version_string, 36 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index bb093cc..c762190 100644 39index 76306da..e873557 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -443,7 +443,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
43 } 43 }
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,13 +49,13 @@ index bb093cc..c762190 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index eb4e948..0840a1a 100644 52index 617ab62..fb81655 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.2" 56 #define SSH_VERSION "OpenSSH_7.3"
57 57
58 #define SSH_PORTABLE "p2" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 60+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
61+#ifdef SSH_EXTRAVERSION 61+#ifdef SSH_EXTRAVERSION
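Review bot: In the version.h part of this hunk, `SSH_RELEASE_MINIMUM` and the `#ifdef SSH_EXTRAVERSION` branch are introduced with no comment saying which string is meant for which use. The patch subject is "Include the Debian version in our identification", so a short comment above `#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE` should state that this is the upstream-only release string and that `SSH_EXTRAVERSION` carries the distribution package version. That keeps a later refresh from swapping the two in the identification string sent to peers.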
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index b085e5e08..36c366d95 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From f1e898fb6e470f99c3e64313c6f9fce08eb94e80 Mon Sep 17 00:00:00 2001 1From 8eeec10866f78acd021824225e9d62e4a18fc2c3 Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index 1567e4a..3b6cacb 100644 25index 421241f..e5cc3f8 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1753,8 +1753,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1757,8 +1757,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
29 exit_status = 0; 29 exit_status = 0;
30 } 30 }
31 31
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 4607d5f53..bf3a575ad 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 0031968609564a15294c39d2519201741664905d Mon Sep 17 00:00:00 2001 1From c027de5eb3e6cb1718990841c2a9cbc89fd53151 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 5f1ff74..5d720f7 100644 31index 894ec3b..f822fb3 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey], 34@@ -1510,6 +1510,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,7 +94,7 @@ index 5f1ff74..5d720f7 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5003,6 +5059,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5059,6 +5115,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
@@ -128,7 +128,7 @@ index 6c521f2..589841f 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 5cd9129..d1dd711 100644 131index ebb88c7..982e545 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -129,6 +129,13 @@ 134@@ -129,6 +129,13 @@
@@ -145,7 +145,7 @@ index 5cd9129..d1dd711 100644
145 #ifndef O_NOCTTY 145 #ifndef O_NOCTTY
146 #define O_NOCTTY 0 146 #define O_NOCTTY 0
147 #endif 147 #endif
148@@ -2151,6 +2158,24 @@ main(int ac, char **av) 148@@ -2207,6 +2214,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 1ad0d11e2..2efc40e07 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From eca335b47f5cf4adfc64cd17096f83d546fa91da Mon Sep 17 00:00:00 2001 1From 119936d7b64829f81cbc84c2e81bf23373c6ed37 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,24 +17,24 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 0bdd7cb..51bc2b7 100644 20index 43ca3fa..4a7f73a 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -190,8 +190,16 @@ do_local_cmd(arglist *a) 23@@ -192,8 +192,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
27- for (i = 0; i < a->num; i++) 27- for (i = 0; i < a->num; i++)
28- fprintf(stderr, " %s", a->list[i]); 28- fmprintf(stderr, " %s", a->list[i]);
29+ for (i = 0; i < a->num; i++) { 29+ for (i = 0; i < a->num; i++) {
30+ if (i == 0) 30+ if (i == 0)
31+ fprintf(stderr, " %s", a->list[i]); 31+ fmprintf(stderr, " %s", a->list[i]);
32+ else 32+ else
33+ /* 33+ /*
34+ * TODO: misbehaves if a->list[i] contains a 34+ * TODO: misbehaves if a->list[i] contains a
35+ * single quote 35+ * single quote
36+ */ 36+ */
37+ fprintf(stderr, " '%s'", a->list[i]); 37+ fmprintf(stderr, " '%s'", a->list[i]);
38+ } 38+ }
39 fprintf(stderr, "\n"); 39 fprintf(stderr, "\n");
40 } 40 }
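Review bot: The TODO at inner lines 33-36 leaves the verbose "Executing:" output wrong for any argument that contains a single quote. `fmprintf(stderr, " '%s'", a->list[i]);` wraps the raw string, so the printed command can differ from what is actually executed and cannot be pasted back into a shell reliably. Either escape embedded quotes before printing (emit `'\''` for each `'`), or extend the comment to say the line is diagnostic only and must not be re-run as typed. The closing `fprintf(stderr, "\n");` stays plain `fprintf` while the argument lines now use `fmprintf`; that is harmless for a newline, but a word in the patch description would show the mix is intentional.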
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index fea289291..bcb61480d 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 206bdbf6bcc95e589effa11695aff2c6b9327e11 Mon Sep 17 00:00:00 2001 1From 7a7851c903e5dbb58a85014deb2c88cb718068c9 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
32 16 files changed, 104 insertions(+), 31 deletions(-) 32 16 files changed, 104 insertions(+), 31 deletions(-)
33 33
34diff --git a/auth.h b/auth.h 34diff --git a/auth.h b/auth.h
35index 2160154..3b3a085 100644 35index 55170af..50baeaa 100644
36--- a/auth.h 36--- a/auth.h
37+++ b/auth.h 37+++ b/auth.h
38@@ -62,6 +62,7 @@ struct Authctxt { 38@@ -62,6 +62,7 @@ struct Authctxt {
@@ -75,7 +75,7 @@ index 5073c49..dd00648 100644
75 /* Verify that the user is a valid user. */ 75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 77diff --git a/auth2.c b/auth2.c
78index 3f49bdc..6eb3cc7 100644 78index ce0d376..461311b 100644
79--- a/auth2.c 79--- a/auth2.c
80+++ b/auth2.c 80+++ b/auth2.c
81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -113,10 +113,10 @@ index 3f49bdc..6eb3cc7 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index 6c82023..5be3fbf 100644 116index 05bb48a..e91054e 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -126,6 +126,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index 6c82023..5be3fbf 100644
124 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -207,6 +208,7 @@ struct mon_table mon_dispatch_proto20[] = { 127@@ -209,6 +210,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index 6c82023..5be3fbf 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 134 #ifdef USE_PAM
135@@ -875,6 +877,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 135@@ -880,6 +882,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 136 else {
137 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index 6c82023..5be3fbf 100644
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 141 }
142 #ifdef USE_PAM 142 #ifdef USE_PAM
143@@ -905,14 +908,37 @@ mm_answer_authserv(int sock, Buffer *m) 143@@ -910,14 +913,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 144
145 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index 6c82023..5be3fbf 100644
180 return (0); 180 return (0);
181 } 181 }
182 182
183@@ -1541,7 +1567,7 @@ mm_answer_pty(int sock, Buffer *m) 183@@ -1553,7 +1579,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 185 if (res == 0)
186 goto error; 186 goto error;
@@ -203,10 +203,10 @@ index bc50ade..2d82b8b 100644
203 203
204 struct mm_master; 204 struct mm_master;
205diff --git a/monitor_wrap.c b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 74fbd2e..eaf0a12 100644 206index 5a9f1b5..11e3a69 100644
207--- a/monitor_wrap.c 207--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
209@@ -327,10 +327,10 @@ mm_auth2_read_banner(void) 209@@ -328,10 +328,10 @@ mm_auth2_read_banner(void)
210 return (banner); 210 return (banner);
211 } 211 }
212 212
@@ -219,7 +219,7 @@ index 74fbd2e..eaf0a12 100644
219 { 219 {
220 Buffer m; 220 Buffer m;
221 221
222@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style) 222@@ -340,12 +340,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 223 buffer_init(&m);
224 buffer_put_cstring(&m, service); 224 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 225 buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +251,7 @@ index 74fbd2e..eaf0a12 100644
251 int 251 int
252 mm_auth_password(Authctxt *authctxt, char *password) 252 mm_auth_password(Authctxt *authctxt, char *password)
253diff --git a/monitor_wrap.h b/monitor_wrap.h 253diff --git a/monitor_wrap.h b/monitor_wrap.h
254index 403f8d0..d9de551 100644 254index b5414c2..d5b3334 100644
255--- a/monitor_wrap.h 255--- a/monitor_wrap.h
256+++ b/monitor_wrap.h 256+++ b/monitor_wrap.h
257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 361 void ssh_selinux_setfscreatecon(const char *);
362 #endif 362 #endif
363diff --git a/platform.c b/platform.c 363diff --git a/platform.c b/platform.c
364index ee313da..f35ec39 100644 364index acf8554..4831706 100644
365--- a/platform.c 365--- a/platform.c
366+++ b/platform.c 366+++ b/platform.c
367@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) 367@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 368 * called if sshd is running as root.
369 */ 369 */
370 void 370 void
@@ -373,7 +373,7 @@ index ee313da..f35ec39 100644
373 { 373 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 375 /*
376@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 376@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 377 }
378 #endif /* HAVE_SETPCRED */ 378 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 379 #ifdef WITH_SELINUX
@@ -383,7 +383,7 @@ index ee313da..f35ec39 100644
383 } 383 }
384 384
385diff --git a/platform.h b/platform.h 385diff --git a/platform.h b/platform.h
386index e687c99..823901b 100644 386index e97ecd9..5b72304 100644
387--- a/platform.h 387--- a/platform.h
388+++ b/platform.h 388+++ b/platform.h
389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); 389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
@@ -396,10 +396,10 @@ index e687c99..823901b 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index 87fddfc..f246b8a 100644 399index 2235f26..6dfcf84 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1511,7 +1511,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -408,7 +408,7 @@ index 87fddfc..f246b8a 100644
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 410
411@@ -1539,7 +1539,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
@@ -417,7 +417,7 @@ index 87fddfc..f246b8a 100644
417 417
418 if (!in_chroot && options.chroot_directory != NULL && 418 if (!in_chroot && options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1696,7 +1696,7 @@ do_child(Session *s, const char *command) 420@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 87fddfc..f246b8a 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1723,7 +1723,7 @@ do_child(Session *s, const char *command) 429@@ -1730,7 +1730,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index 87fddfc..f246b8a 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2134,7 +2134,7 @@ session_pty_req(Session *s) 438@@ -2141,7 +2141,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -445,7 +445,7 @@ index 87fddfc..f246b8a 100644
445 /* Set window size from the packet. */ 445 /* Set window size from the packet. */
446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
447diff --git a/session.h b/session.h 447diff --git a/session.h b/session.h
448index 6a2f35e..ef6593c 100644 448index f18eaf3..2b7d939 100644
449--- a/session.h 449--- a/session.h
450+++ b/session.h 450+++ b/session.h
451@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); 451@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index d1dd711..bb093cc 100644 461index 982e545..76306da 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -787,7 +787,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index d8ea2890b..e5821f627 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,9 +25,3 @@ gnome-ssh-askpass2-icon.patch
25sigstop.patch 25sigstop.patch
26systemd-readiness.patch 26systemd-readiness.patch
27debian-config.patch 27debian-config.patch
28CVE-2015-8325.patch
29unbreak-certificate-auth.patch
30CVE-2016-6210-1.patch
31CVE-2016-6210-2.patch
32CVE-2016-6210-3.patch
33control-persist-close-stderr.patch
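Review bot: This hunk drops CVE-2015-8325.patch and the three CVE-2016-6210 patches from the series, and nothing in the visible lines records where those fixes now live. The version.h context elsewhere in this diff moves from `OpenSSH_7.2` / `p2` to `OpenSSH_7.3` / `p1`, so the likely reason is a new upstream release, but the debian/changelog entry should name each dropped patch and say that its fix is present in the new upstream source. The same applies to unbreak-certificate-auth.patch and control-persist-close-stderr.patch, so a reader auditing the package can confirm no fix was lost in the refresh.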
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 95ff21814..506ba3f7a 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From cfcbb82102babef6affeec3b8373f5811d82d065 Mon Sep 17 00:00:00 2001 1From ac283605e244f9dab676b039986f137f86284291 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index b17176db8..7ae7f3558 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 803865858838e2ccf1fa885ba14b9a11c4a3153e Mon Sep 17 00:00:00 2001 1From 8d765e441787d024e76369496316105fe736d3ba Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index 57ae4ad..c2d42f5 100644 16index 71fad9e..837409b 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -2048,6 +2048,16 @@ main(int ac, char **av) 19@@ -2107,6 +2107,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 0a8180056..2d1dabfd3 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From c13ebec3d0989b374bef99d2d1f2a3bcc3c62aa8 Mon Sep 17 00:00:00 2001 1From 172bb48ec4cb3b65d26d4f3bd8bc0e82ddaf6ca1 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 51cdfde48..614ed8195 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 22585509beb1efc6a3a58c8ff714211043325201 Mon Sep 17 00:00:00 2001 1From ccfb71ca70b73f6d5a2873b31d0140c7cb5f4430 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 41e0aab..74d9655 100644 21index b1f128c..22e56a7 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1561,6 +1561,7 @@ if an error occurred. 24@@ -1586,6 +1586,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index b909e6ddb..0492c84fe 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From ceebe313c4b094557bda974d274a6e7b5b33e3f9 Mon Sep 17 00:00:00 2001 1From e35c0bb4c3997b8ef885c6afdcc600b403eb878b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index d2a3d4b..559e4c7 100644 20index e019195..c0b7822 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -182,6 +182,7 @@ static struct { 23@@ -194,6 +194,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "passwordauthentication", oPasswordAuthentication },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index d2a3d4b..559e4c7 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index b8af6dd..fad7c92 100644 32index 9b06281..bf9f8f7 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -533,6 +533,7 @@ static struct { 35@@ -541,6 +541,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 6bc3911f7..3e46d03c8 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 68388fa20403834f5559486542b1baf4ad36141a Mon Sep 17 00:00:00 2001 1From 21fb55231ad0422fa0e5f0c2f67093cb5f29dd47 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index ad12930..e68b84a 100644 24index 2b59c42..ffc8ffb 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,10 +33,10 @@ index ad12930..e68b84a 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index f9ff91f..314dd52 100644 36index 03a23fb..1febb04 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1119,7 +1119,7 @@ main(int ac, char **av) 39@@ -1167,7 +1167,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index ab3445fcc..deee48460 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From 643bc17ada741a9ee5b86170ad313f83278e1f72 Mon Sep 17 00:00:00 2001 1From fe97848e044743f0bac019a491ddf0138f84e14a Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 5d720f7..c978c11 100644 17index f822fb3..6cafb15 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4263,6 +4263,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4319,6 +4319,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index 5d720f7..c978c11 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5065,6 +5088,7 @@ echo " libedit support: $LIBEDIT_MSG" 50@@ -5121,6 +5144,7 @@ echo " libedit support: $LIBEDIT_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 5d720f7..c978c11 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index c2d42f5..8802d18 100644 59index 837409b..868df9e 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index c2d42f5..8802d18 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh1.h" 72 #include "ssh1.h"
73@@ -2058,6 +2062,11 @@ main(int ac, char **av) 73@@ -2117,6 +2121,11 @@ main(int ac, char **av)
74 unsetenv("SSH_SIGSTOP"); 74 unsetenv("SSH_SIGSTOP");
75 } 75 }
76 76
diff --git a/debian/patches/unbreak-certificate-auth.patch b/debian/patches/unbreak-certificate-auth.patch
deleted file mode 100644
index cbf7c1800..000000000
--- a/debian/patches/unbreak-certificate-auth.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 43a633de1cabe77e652125dac394a99ad9cac3b4 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Mon, 14 Mar 2016 16:20:54 +0000
4Subject: upstream commit
5
6unbreak authentication using lone certificate keys in
7 ssh-agent: when attempting pubkey auth with a certificate, if no separate
8 private key is found among the keys then try with the certificate key itself.
9
10bz#2550 reported by Peter Moody
11
12Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
13
14Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
15Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
16Last-Update: 2016-04-28
17
18Patch-Name: unbreak-certificate-auth.patch
19---
20 sshconnect2.c | 8 ++------
21 1 file changed, 2 insertions(+), 6 deletions(-)
22
23diff --git a/sshconnect2.c b/sshconnect2.c
24index b452eae..40facda 100644
25--- a/sshconnect2.c
26+++ b/sshconnect2.c
27@@ -1,4 +1,4 @@
28-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
29+/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
30 /*
31 * Copyright (c) 2000 Markus Friedl. All rights reserved.
32 * Copyright (c) 2008 Damien Miller. All rights reserved.
33@@ -1224,12 +1224,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
34 "certificate", __func__, id->filename,
35 id->agent_fd != -1 ? " from agent" : "");
36 } else {
37- /* XXX maybe verbose/error? */
38- debug("%s: no private key for certificate "
39+ debug("%s: no separate private key for certificate "
40 "\"%s\"", __func__, id->filename);
41- free(blob);
42- buffer_free(&b);
43- return 0;
44 }
45 }
46
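Review bot: Dropping unbreak-certificate-auth.patch is only safe if the new upstream base already contains the sign_and_send_pubkey() change in sshconnect2.c, and nothing in this deletion shows that it does. The patch header marks it "Origin: upstream" (commit c38905ba391434834da86abfc988a2b8b9b62477) and ties it to Bug-Ubuntu 1575961, so please confirm the imported sshconnect2.c is at or past the v 1.240 revision named in the removed hunk, i.e. the early `return 0` after "no private key for certificate" is gone. If debian/changelog does not already say the patch was dropped as applied upstream, add that, so a later reader does not take the removal for a regression in certificate authentication via ssh-agent.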
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index c64e141f8..3bd2fd91f 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From bf0d87583a842b9e8aaf2a9cd9dbc3e976df2af4 Mon Sep 17 00:00:00 2001 1From 563974a78e937c4844e1198b5f6d79b8b2b5c600 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -22,16 +22,16 @@ Patch-Name: user-group-modes.patch
22 misc.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 22 misc.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
23 misc.h | 2 ++ 23 misc.h | 2 ++
24 platform.c | 16 -------------- 24 platform.c | 16 --------------
25 readconf.c | 5 +++-- 25 readconf.c | 3 +--
26 ssh.1 | 2 ++ 26 ssh.1 | 2 ++
27 ssh_config.5 | 2 ++ 27 ssh_config.5 | 2 ++
28 8 files changed, 82 insertions(+), 29 deletions(-) 28 8 files changed, 80 insertions(+), 29 deletions(-)
29 29
30diff --git a/auth-rhosts.c b/auth-rhosts.c 30diff --git a/auth-rhosts.c b/auth-rhosts.c
31index ee9e827..2ff2cff 100644 31index 0ef3447..c17c13c 100644
32--- a/auth-rhosts.c 32--- a/auth-rhosts.c
33+++ b/auth-rhosts.c 33+++ b/auth-rhosts.c
34@@ -271,8 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 34@@ -273,8 +273,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
35 return 0; 35 return 0;
36 } 36 }
37 if (options.strict_modes && 37 if (options.strict_modes &&
@@ -41,7 +41,7 @@ index ee9e827..2ff2cff 100644
41 logit("Rhosts authentication refused for %.100s: " 41 logit("Rhosts authentication refused for %.100s: "
42 "bad ownership or modes for home directory.", pw->pw_name); 42 "bad ownership or modes for home directory.", pw->pw_name);
43 auth_debug_add("Rhosts authentication refused for %.100s: " 43 auth_debug_add("Rhosts authentication refused for %.100s: "
44@@ -298,8 +297,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam 44@@ -300,8 +299,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
45 * allowing access to their account by anyone. 45 * allowing access to their account by anyone.
46 */ 46 */
47 if (options.strict_modes && 47 if (options.strict_modes &&
@@ -52,10 +52,10 @@ index ee9e827..2ff2cff 100644
52 pw->pw_name, buf); 52 pw->pw_name, buf);
53 auth_debug_add("Bad file modes for %.200s", buf); 53 auth_debug_add("Bad file modes for %.200s", buf);
54diff --git a/auth.c b/auth.c 54diff --git a/auth.c b/auth.c
55index bd6a026..782b7f8 100644 55index f56dcc6..3f8b348 100644
56--- a/auth.c 56--- a/auth.c
57+++ b/auth.c 57+++ b/auth.c
58@@ -425,8 +425,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, 58@@ -435,8 +435,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
60 if (options.strict_modes && 60 if (options.strict_modes &&
61 (stat(user_hostfile, &st) == 0) && 61 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index bd6a026..782b7f8 100644
65 logit("Authentication refused for %.100s: " 65 logit("Authentication refused for %.100s: "
66 "bad owner or modes for %.200s", 66 "bad owner or modes for %.200s",
67 pw->pw_name, user_hostfile); 67 pw->pw_name, user_hostfile);
68@@ -488,8 +487,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 68@@ -498,8 +497,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
69 snprintf(err, errlen, "%s is not a regular file", buf); 69 snprintf(err, errlen, "%s is not a regular file", buf);
70 return -1; 70 return -1;
71 } 71 }
@@ -75,7 +75,7 @@ index bd6a026..782b7f8 100644
75 snprintf(err, errlen, "bad ownership or modes for file %s", 75 snprintf(err, errlen, "bad ownership or modes for file %s",
76 buf); 76 buf);
77 return -1; 77 return -1;
78@@ -504,8 +502,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, 78@@ -514,8 +512,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
79 strlcpy(buf, cp, sizeof(buf)); 79 strlcpy(buf, cp, sizeof(buf));
80 80
81 if (stat(buf, &st) < 0 || 81 if (stat(buf, &st) < 0 ||
@@ -86,7 +86,7 @@ index bd6a026..782b7f8 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index de7e1fa..5704fa6 100644 89index 9421b4d..68efb2b 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -51,8 +51,9 @@ 92@@ -51,8 +51,9 @@
@@ -108,7 +108,7 @@ index de7e1fa..5704fa6 100644
108 108
109 /* remove newline at end of string */ 109 /* remove newline at end of string */
110 char * 110 char *
111@@ -647,6 +649,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 111@@ -708,6 +710,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 112 return -1;
113 } 113 }
114 114
@@ -181,10 +181,10 @@ index de7e1fa..5704fa6 100644
181 tun_open(int tun, int mode) 181 tun_open(int tun, int mode)
182 { 182 {
183diff --git a/misc.h b/misc.h 183diff --git a/misc.h b/misc.h
184index 374c33c..89e1f75 100644 184index 7c76a6a..42cd95e 100644
185--- a/misc.h 185--- a/misc.h
186+++ b/misc.h 186+++ b/misc.h
187@@ -135,4 +135,6 @@ char *read_passphrase(const char *, int); 187@@ -139,4 +139,6 @@ char *read_passphrase(const char *, int);
188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
190 190
@@ -192,10 +192,10 @@ index 374c33c..89e1f75 100644
192+ 192+
193 #endif /* _MISC_H */ 193 #endif /* _MISC_H */
194diff --git a/platform.c b/platform.c 194diff --git a/platform.c b/platform.c
195index f35ec39..9a23e6e 100644 195index 4831706..2ce4dbf 100644
196--- a/platform.c 196--- a/platform.c
197+++ b/platform.c 197+++ b/platform.c
198@@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name) 198@@ -199,19 +199,3 @@ platform_krb5_get_principal_name(const char *pw_name)
199 return NULL; 199 return NULL;
200 #endif 200 #endif
201 } 201 }
@@ -216,19 +216,10 @@ index f35ec39..9a23e6e 100644
216- return 0; 216- return 0;
217-} 217-}
218diff --git a/readconf.c b/readconf.c 218diff --git a/readconf.c b/readconf.c
219index fde6b41..cc1a633 100644 219index 3a6c67b..f6b4c8f 100644
220--- a/readconf.c 220--- a/readconf.c
221+++ b/readconf.c 221+++ b/readconf.c
222@@ -39,6 +39,8 @@ 222@@ -1753,8 +1753,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
223 #include <stdio.h>
224 #include <string.h>
225 #include <unistd.h>
226+#include <pwd.h>
227+#include <grp.h>
228 #ifdef HAVE_UTIL_H
229 #include <util.h>
230 #endif
231@@ -1626,8 +1628,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
232 223
233 if (fstat(fileno(f), &sb) == -1) 224 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno)); 225 fatal("fstat %s: %s", filename, strerror(errno));
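Review bot: The refreshed readconf.c part of user-group-modes.patch no longer adds `#include <pwd.h>` and `#include <grp.h>`, and the one remaining hunk now targets read_config_file_depth() rather than read_config_file(); neither change is explained in the patch header. The diffstat moving from "5 +++--" to "3 +--" and from 82 to 80 insertions is consistent with just those two include lines going away, but please confirm the replaced ownership and mode test in read_config_file_depth() relies only on what misc.h declares and makes no direct passwd or group lookups in readconf.c. Because this hunk changes which files the client accepts as safely owned, a short note in the patch description or changelog about the dropped includes and the renamed function would make the next rebase easier to audit.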
@@ -239,10 +230,10 @@ index fde6b41..cc1a633 100644
239 } 230 }
240 231
241diff --git a/ssh.1 b/ssh.1 232diff --git a/ssh.1 b/ssh.1
242index cc53343..feb0e89 100644 233index 4011c65..feef81a 100644
243--- a/ssh.1 234--- a/ssh.1
244+++ b/ssh.1 235+++ b/ssh.1
245@@ -1459,6 +1459,8 @@ The file format and configuration options are described in 236@@ -1484,6 +1484,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 . 237 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions: 238 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others. 239 read/write for the user, and not writable by others.
@@ -252,10 +243,10 @@ index cc53343..feb0e89 100644
252 .It Pa ~/.ssh/environment 243 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see 244 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5 245diff --git a/ssh_config.5 b/ssh_config.5
255index bbf638b..ab8f271 100644 246index efc265a..5dd26bc 100644
256--- a/ssh_config.5 247--- a/ssh_config.5
257+++ b/ssh_config.5 248+++ b/ssh_config.5
258@@ -1830,6 +1830,8 @@ The format of this file is described above. 249@@ -1903,6 +1903,8 @@ The format of this file is described above.
259 This file is used by the SSH client. 250 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions: 251 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others. 252 read/write for the user, and not accessible by others.