Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/NEWS47
-rw-r--r--debian/changelog103
-rw-r--r--debian/control14
-rw-r--r--debian/openssh-sk-helper.install2
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/conch-old-privkey-format.patch12
-rw-r--r--debian/patches/debian-banner.patch48
-rw-r--r--debian/patches/debian-config.patch18
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch6
-rw-r--r--debian/patches/gssapi.patch447
-rw-r--r--debian/patches/keepalive-extensions.patch37
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch30
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/regress-2020.patch44
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch24
-rw-r--r--debian/patches/revert-ipqos-defaults.patch18
-rw-r--r--debian/patches/sandbox-seccomp-clock_gettime64.patch30
-rw-r--r--debian/patches/sandbox-seccomp-clock_nanosleep.patch31
-rw-r--r--debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch29
-rw-r--r--debian/patches/sandbox-seccomp-ipc.patch33
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/selinux-role.patch40
-rw-r--r--debian/patches/series5
-rw-r--r--debian/patches/shell-path.patch12
-rw-r--r--debian/patches/ssh-agent-setgid.patch14
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch36
-rwxr-xr-xdebian/rules7
37 files changed, 532 insertions, 647 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 07406955d..8acad4cd4 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
22e128b223e8e73ace57a0726130bfbcf920d0f9e 2a2dabf35ce0228c86a288d11cc847a9d9801604f
32e128b223e8e73ace57a0726130bfbcf920d0f9e 3a2dabf35ce0228c86a288d11cc847a9d9801604f
44213eec74e74de6310c27a40c3e9759a08a73996 4f0de78bd4f29fa688c5df116f3f9cd43543a76d0
54213eec74e74de6310c27a40c3e9759a08a73996 5f0de78bd4f29fa688c5df116f3f9cd43543a76d0
6openssh_8.1p1.orig.tar.gz 6openssh_8.2p1.orig.tar.gz
7c44b96094869f177735ae053d92bd5fcab1319de 7d1ab35a93507321c5db885e02d41ce1414f0507c
81625894 81701197
9debianTag="debian/%e%%%V" 9debianTag="debian/%e%%%V"
10patchedTag="patched/%e%%%V" 10patchedTag="patched/%e%%%V"
11upstreamTag="upstream/%U" 11upstreamTag="upstream/%U"
12signature:8b241dee85731fb19e57622f160a4326da52a7a7:683:openssh_8.1p1.orig.tar.gz.asc 12signature:d3814ab57572c13bdee2037ad1477e2f7c51e1b0:683:openssh_8.2p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 32a0c721e..1963c7919 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,50 @@
1openssh (1:8.2p1-1) unstable; urgency=medium
2
3 OpenSSH 8.2 includes a number of changes that may affect existing
4 configurations:
5
6 * ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
7 (RSA/SHA1) algorithm from those accepted for certificate signatures
8 (i.e. the client and server CASignatureAlgorithms option) and will use
9 the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
10 CA signs new certificates.
11
12 Certificates are at special risk to SHA1 collision vulnerabilities as
13 an attacker has effectively unlimited time in which to craft a
14 collision that yields them a valid certificate, far more than the
15 relatively brief LoginGraceTime window that they have to forge a host
16 key signature.
17
18 The OpenSSH certificate format includes a CA-specified (typically
19 random) nonce value near the start of the certificate that should make
20 exploitation of chosen-prefix collisions in this context challenging,
21 as the attacker does not have full control over the prefix that
22 actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
23 algorithm and futher improvements in attacks are highly likely.
24
25 OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
26 algorithms and will refuse to accept certificates signed by an OpenSSH
27 8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
28 selected during signing ("ssh-keygen -t ssh-rsa"). Older
29 clients/servers may use another CA key type such as ssh-ed25519
30 (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
31 types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
32
33 * ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
34 key exchange proposal for both the client and server.
35
36 * ssh-keygen(1): The command-line options related to the generation and
37 screening of safe prime numbers used by the
38 diffie-hellman-group-exchange-* key exchange algorithms have changed.
39 Most options have been folded under the -O flag.
40
41 * sshd(8): The sshd listener process title visible to ps(1) has changed
42 to include information about the number of connections that are
43 currently attempting authentication and the limits configured by
44 MaxStartups.
45
46 -- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 12:11:52 +0000
47
1openssh (1:8.1p1-1) unstable; urgency=medium 48openssh (1:8.1p1-1) unstable; urgency=medium
2 49
3 OpenSSH 8.1 includes a number of changes that may affect existing 50 OpenSSH 8.1 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index fd967a966..b86ad184e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,108 @@
1openssh (1:8.1p1-6) UNRELEASED; urgency=medium 1openssh (1:8.2p1-1) UNRELEASED; urgency=medium
2 2
3 * New upstream release (https://www.openssh.com/txt/release-8.2, closes:
4 #951582):
5 - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
6 (RSA/SHA1) algorithm from those accepted for certificate signatures
7 (i.e. the client and server CASignatureAlgorithms option) and will use
8 the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
9 CA signs new certificates.
10 - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
11 key exchange proposal for both the client and server.
12 - ssh-keygen(1): The command-line options related to the generation and
13 screening of safe prime numbers used by the
14 diffie-hellman-group-exchange-* key exchange algorithms have changed.
15 Most options have been folded under the -O flag.
16 - sshd(8): The sshd listener process title visible to ps(1) has changed
17 to include information about the number of connections that are
18 currently attempting authentication and the limits configured by
19 MaxStartups.
20 - Add support for FIDO/U2F hardware authenticators.
21 - ssh-keygen(1): Add a "no-touch-required" option when generating
22 FIDO-hosted keys, that disables their default behaviour of requiring a
23 physical touch/tap on the token during authentication. Note: not all
24 tokens support disabling the touch requirement.
25 - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
26 miscellaneous public key authentication-related options for sshd(8).
27 At present it supports only a single option "no-touch-required". This
28 causes sshd to skip its default check for FIDO/U2F keys that the
29 signature was authorised by a touch or press event on the token
30 hardware.
31 - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
32 authorized_keys and a similar extension for certificates. This option
33 disables the default requirement that FIDO key signatures attest that
34 the user touched their key to authorize them, mirroring the similar
35 PubkeyAuthOptions sshd_config option.
36 - ssh-keygen(1): Add support for the writing the FIDO attestation
37 information that is returned when new keys are generated via the "-O
38 write-attestation=/path" option. FIDO attestation certificates may be
39 used to verify that a FIDO key is hosted in trusted hardware. OpenSSH
40 does not currently make use of this information, beyond optionally
41 writing it to disk.
42 - Add support for FIDO2 resident keys.
43 - sshd(8): Add an Include sshd_config keyword that allows including
44 additional configuration files via glob(3) patterns (closes: #631189).
45 - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available via
46 the IPQoS directive.
47 - ssh(1): When AddKeysToAgent=yes is set and the key contains no
48 comment, add the key to the agent with the key's path as the comment.
49 - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
50 subjects as key comments, rather than simply listing the PKCS#11
51 provider library path.
52 - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
53 - sshd(8): When clients get denied by MaxStartups, send a notification
54 prior to the SSH2 protocol banner according to RFC4253 section 4.2
55 (closes: #275458).
56 - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
57 pass a hint to the program to describe the type of desired prompt.
58 The possible values are "confirm" (indicating that a yes/no
59 confirmation dialog with no text entry should be shown), "none" (to
60 indicate an informational message only), or blank for the original
61 ssh-askpass behaviour of requesting a password/phrase.
62 - ssh(1): Allow forwarding a different agent socket to the path
63 specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
64 option to accepting an explicit path or the name of an environment
65 variable in addition to yes/no.
66 - ssh-keygen(1): Add a new signature operations "find-principals" to
67 look up the principal associated with a signature from an
68 allowed-signers file.
69 - sshd(8): Expose the number of currently-authenticating connections
70 along with the MaxStartups limit in the process title visible to "ps".
71 - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
72 now disable connection killing entirely rather than the current
73 behaviour of instantly killing the connection after the first liveness
74 test regardless of success.
75 - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
76 DenyGroups in the sshd(8) manual page.
77 - sshd(8): Better describe HashKnownHosts in the manual page.
78 - sshd(8): Clarify that that permitopen=/PermitOpen do no name or
79 address translation in the manual page.
80 - sshd(8): Allow the UpdateHostKeys feature to function when multiple
81 known_hosts files are in use. When updating host keys, ssh will now
82 search subsequent known_hosts files, but will add updated host keys to
83 the first specified file only.
84 - All: Replace all calls to signal(2) with a wrapper around
85 sigaction(2). This wrapper blocks all other signals during the
86 handler preventing races between handlers, and sets SA_RESTART which
87 should reduce the potential for short read/write operations.
88 - sftp(1): Fix a race condition in the SIGCHILD handler that could turn
89 in to a kill(-1).
90 - sshd(8): Fix a case where valid (but extremely large) SSH channel IDs
91 were being incorrectly rejected.
92 - ssh(1): When checking host key fingerprints as answers to new hostkey
93 prompts, ignore whitespace surrounding the fingerprint itself.
94 - All: Wait for file descriptors to be readable or writeable during
95 non-blocking connect, not just readable. Prevents a timeout when the
96 server doesn't immediately send a banner (e.g. multiplexers like
97 sslh).
98 - sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org
99 key exchange algorithm.
3 * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1 100 * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
4 and 1:7.7p1-4 inclusive (closes: #951220). 101 and 1:7.7p1-4 inclusive (closes: #951220).
5 * ssh(1): Explain that -Y is equivalent to -X in the default configuration 102 * ssh(1): Explain that -Y is equivalent to -X in the default configuration
6 (closes: #951640). 103 (closes: #951640).
7 104
8 -- Colin Watson <cjwatson@debian.org> Fri, 14 Feb 2020 18:43:44 +0000 105 -- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 12:11:52 +0000
9 106
10openssh (1:8.1p1-5) unstable; urgency=medium 107openssh (1:8.1p1-5) unstable; urgency=medium
11 108
diff --git a/debian/control b/debian/control
index 9b0bba2bb..8b7fe6b68 100644
--- a/debian/control
+++ b/debian/control
@@ -11,6 +11,7 @@ Build-Depends: autotools-dev,
11 dpkg-dev (>= 1.16.1~), 11 dpkg-dev (>= 1.16.1~),
12 libaudit-dev [linux-any], 12 libaudit-dev [linux-any],
13 libedit-dev, 13 libedit-dev,
14 libfido2-dev [linux-any],
14 libgtk-3-dev <!pkg.openssh.nognome>, 15 libgtk-3-dev <!pkg.openssh.nognome>,
15 libkrb5-dev | heimdal-dev, 16 libkrb5-dev | heimdal-dev,
16 libpam0g-dev | libpam-dev, 17 libpam0g-dev | libpam-dev,
@@ -34,7 +35,8 @@ Depends: adduser (>= 3.10),
34 passwd, 35 passwd,
35 ${misc:Depends}, 36 ${misc:Depends},
36 ${shlibs:Depends}, 37 ${shlibs:Depends},
37Recommends: xauth, 38Recommends: openssh-sk-helper,
39 xauth,
38Conflicts: sftp, 40Conflicts: sftp,
39Replaces: ssh, 41Replaces: ssh,
40 ssh-krb5, 42 ssh-krb5,
@@ -157,6 +159,16 @@ Description: secure shell (SSH) sftp server module, for SFTP access from remote
157 Newer versions of the draft will not be supported, though some features 159 Newer versions of the draft will not be supported, though some features
158 are individually implemented as extensions. 160 are individually implemented as extensions.
159 161
162Package: openssh-sk-helper
163Priority: optional
164Architecture: any
165Depends: ${misc:Depends},
166 ${shlibs:Depends}
167Multi-Arch: foreign
168Description: OpenSSH helper for FIDO authenticator support
169 This package provides ssh-sk-helper, which is used by ssh-agent to access
170 SSH keys provided by a FIDO authenticator for second-factor authentication.
171
160Package: openssh-tests 172Package: openssh-tests
161Priority: optional 173Priority: optional
162Architecture: any 174Architecture: any
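Review bot: The openssh-sk-helper description at new lines 169–170 understates who depends on the helper: upstream's ssh-sk-helper(8) describes it as used by ssh(1), ssh-agent(1) and ssh-keygen(1), not only ssh-agent, so a system that drops the Recommends loses FIDO key generation and direct (non-agent) FIDO authentication as well. Suggest `This package provides ssh-sk-helper, which is used by ssh(1), ssh-agent(1) and ssh-keygen(1) to access SSH keys provided by a FIDO authenticator.` Because the helper speaks a private protocol with the calling openssh-client binaries, consider a versioned Recommends at new line 38, `Recommends: openssh-sk-helper (= ${binary:Version}),`, so a partial upgrade cannot pair mismatched halves; I have not verified that the protocol changes between releases, so treat that as a precaution. Note also that the new libfido2-dev build-dependency is restricted to [linux-any] while openssh-sk-helper is Architecture: any; unless debian/rules (outside this view) gates the helper build the same way, the non-Linux helper package will presumably be built without a working FIDO provider — worth confirming.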
diff --git a/debian/openssh-sk-helper.install b/debian/openssh-sk-helper.install
new file mode 100644
index 000000000..65fc98e66
--- /dev/null
+++ b/debian/openssh-sk-helper.install
@@ -0,0 +1,2 @@
1usr/lib/openssh/ssh-sk-helper
2usr/share/man/man8/ssh-sk-helper.8
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 01f1bf35c..43a160a0f 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 7febe5a4b6bcb94d887ac1fe22e8a1742ffb609f Mon Sep 17 00:00:00 2001 1From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index ab29e4f05..9b8a42c1e 100644 16index b68c1710f..bff1db49b 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -362,6 +362,7 @@ install-files: 19@@ -402,6 +402,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index ce7dc266e..b04c21060 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
1From 2e889a135439e6234502c813fa0ef2eb1fcd733c Mon Sep 17 00:00:00 2001 1From 311da721c2a5c6d147738e0699fa49d04cd5762a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Thu, 30 Aug 2018 00:58:56 +0100 3Date: Thu, 30 Aug 2018 00:58:56 +0100
4Subject: Work around conch interoperability failure 4Subject: Work around conch interoperability failure
@@ -18,10 +18,10 @@ Patch-Name: conch-old-privkey-format.patch
18 3 files changed, 14 insertions(+), 2 deletions(-) 18 3 files changed, 14 insertions(+), 2 deletions(-)
19 19
20diff --git a/regress/Makefile b/regress/Makefile 20diff --git a/regress/Makefile b/regress/Makefile
21index 34c47e8cb..17e0a06e8 100644 21index 774c10d41..01e257a94 100644
22--- a/regress/Makefile 22--- a/regress/Makefile
23+++ b/regress/Makefile 23+++ b/regress/Makefile
24@@ -119,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ 24@@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ 25 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ 26 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
27 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ 27 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
@@ -29,7 +29,7 @@ index 34c47e8cb..17e0a06e8 100644
29+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ 29+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
30 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ 30 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
31 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ 31 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
32 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ 32 sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
33diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh 33diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
34index 6678813a2..6ff5da20b 100644 34index 6678813a2..6ff5da20b 100644
35--- a/regress/conch-ciphers.sh 35--- a/regress/conch-ciphers.sh
@@ -44,10 +44,10 @@ index 6678813a2..6ff5da20b 100644
44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} 44 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
45 if [ $? -ne 0 ]; then 45 if [ $? -ne 0 ]; then
46diff --git a/regress/test-exec.sh b/regress/test-exec.sh 46diff --git a/regress/test-exec.sh b/regress/test-exec.sh
47index 508b93284..5e48bfbe3 100644 47index f5e3ee6f5..a3a40719f 100644
48--- a/regress/test-exec.sh 48--- a/regress/test-exec.sh
49+++ b/regress/test-exec.sh 49+++ b/regress/test-exec.sh
50@@ -510,6 +510,18 @@ REGRESS_INTEROP_CONCH=no 50@@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no
51 if test -x "$CONCH" ; then 51 if test -x "$CONCH" ; then
52 REGRESS_INTEROP_CONCH=yes 52 REGRESS_INTEROP_CONCH=yes
53 fi 53 fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index acf995e27..0d998fdd4 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 4eb06adf69f21f387e4f2d29dad01b2ca1303094 Mon Sep 17 00:00:00 2001 1From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2019-06-05 11Last-Update: 2020-02-21
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch
22 7 files changed, 23 insertions(+), 5 deletions(-) 22 7 files changed, 23 insertions(+), 5 deletions(-)
23 23
24diff --git a/kex.c b/kex.c 24diff --git a/kex.c b/kex.c
25index 65ed6af02..f450bc2c7 100644 25index f638942d3..2abfbb95a 100644
26--- a/kex.c 26--- a/kex.c
27+++ b/kex.c 27+++ b/kex.c
28@@ -1221,7 +1221,7 @@ send_error(struct ssh *ssh, char *msg) 28@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
29 */ 29 */
30 int 30 int
31 kex_exchange_identification(struct ssh *ssh, int timeout_ms, 31 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index 65ed6af02..f450bc2c7 100644
34 { 34 {
35 int remote_major, remote_minor, mismatch; 35 int remote_major, remote_minor, mismatch;
36 size_t len, i, n; 36 size_t len, i, n;
37@@ -1239,7 +1239,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 37@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
38 if (version_addendum != NULL && *version_addendum == '\0') 38 if (version_addendum != NULL && *version_addendum == '\0')
39 version_addendum = NULL; 39 version_addendum = NULL;
40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 40 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -58,10 +58,10 @@ index fe7141414..938dca03b 100644
58 struct kex *kex_new(void); 58 struct kex *kex_new(void);
59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); 59 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
60diff --git a/servconf.c b/servconf.c 60diff --git a/servconf.c b/servconf.c
61index 73b93c636..5576098a5 100644 61index bf3cd84a4..7bbc25c2e 100644
62--- a/servconf.c 62--- a/servconf.c
63+++ b/servconf.c 63+++ b/servconf.c
64@@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options) 64@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
65 options->fingerprint_hash = -1; 65 options->fingerprint_hash = -1;
66 options->disable_forwarding = -1; 66 options->disable_forwarding = -1;
67 options->expose_userauth_info = -1; 67 options->expose_userauth_info = -1;
@@ -69,32 +69,32 @@ index 73b93c636..5576098a5 100644
69 } 69 }
70 70
71 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 71 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
72@@ -437,6 +438,8 @@ fill_default_server_options(ServerOptions *options) 72@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
73 options->disable_forwarding = 0;
74 if (options->expose_userauth_info == -1)
75 options->expose_userauth_info = 0; 73 options->expose_userauth_info = 0;
74 if (options->sk_provider == NULL)
75 options->sk_provider = xstrdup("internal");
76+ if (options->debian_banner == -1) 76+ if (options->debian_banner == -1)
77+ options->debian_banner = 1; 77+ options->debian_banner = 1;
78 78
79 assemble_algorithms(options); 79 assemble_algorithms(options);
80 80
81@@ -523,6 +526,7 @@ typedef enum { 81@@ -556,6 +559,7 @@ typedef enum {
82 sStreamLocalBindMask, sStreamLocalBindUnlink, 82 sStreamLocalBindMask, sStreamLocalBindUnlink,
83 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 83 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
84 sExposeAuthInfo, sRDomain, 84 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
85+ sDebianBanner, 85+ sDebianBanner,
86 sDeprecated, sIgnore, sUnsupported 86 sDeprecated, sIgnore, sUnsupported
87 } ServerOpCodes; 87 } ServerOpCodes;
88 88
89@@ -682,6 +686,7 @@ static struct { 89@@ -719,6 +723,7 @@ static struct {
90 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
91 { "rdomain", sRDomain, SSHCFG_ALL }, 90 { "rdomain", sRDomain, SSHCFG_ALL },
92 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, 91 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
92 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
93+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 93+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
94 { NULL, sBadOption, 0 } 94 { NULL, sBadOption, 0 }
95 }; 95 };
96 96
97@@ -2217,6 +2222,10 @@ process_server_config_line(ServerOptions *options, char *line, 97@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
98 *charptr = xstrdup(arg); 98 *charptr = xstrdup(arg);
99 break; 99 break;
100 100
@@ -106,23 +106,23 @@ index 73b93c636..5576098a5 100644
106 case sIgnore: 106 case sIgnore:
107 case sUnsupported: 107 case sUnsupported:
108diff --git a/servconf.h b/servconf.h 108diff --git a/servconf.h b/servconf.h
109index 29329ba1f..d5ad19065 100644 109index 3f47ea25e..3fa05fcac 100644
110--- a/servconf.h 110--- a/servconf.h
111+++ b/servconf.h 111+++ b/servconf.h
112@@ -214,6 +214,8 @@ typedef struct { 112@@ -221,6 +221,8 @@ typedef struct {
113 int fingerprint_hash;
114 int expose_userauth_info; 113 int expose_userauth_info;
115 u_int64_t timing_secret; 114 u_int64_t timing_secret;
115 char *sk_provider;
116+ 116+
117+ int debian_banner; 117+ int debian_banner;
118 } ServerOptions; 118 } ServerOptions;
119 119
120 /* Information about the incoming connection as used by Match */ 120 /* Information about the incoming connection as used by Match */
121diff --git a/sshconnect.c b/sshconnect.c 121diff --git a/sshconnect.c b/sshconnect.c
122index 41e75a275..27daef74f 100644 122index b796d3c8a..9f2412e0d 100644
123--- a/sshconnect.c 123--- a/sshconnect.c
124+++ b/sshconnect.c 124+++ b/sshconnect.c
125@@ -1291,7 +1291,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, 125@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
126 lowercase(host); 126 lowercase(host);
127 127
128 /* Exchange protocol version identification strings with the server. */ 128 /* Exchange protocol version identification strings with the server. */
@@ -132,10 +132,10 @@ index 41e75a275..27daef74f 100644
132 132
133 /* Put the connection into non-blocking mode. */ 133 /* Put the connection into non-blocking mode. */
134diff --git a/sshd.c b/sshd.c 134diff --git a/sshd.c b/sshd.c
135index ea8beacb4..4e8ff0662 100644 135index 65916fc6d..da876a900 100644
136--- a/sshd.c 136--- a/sshd.c
137+++ b/sshd.c 137+++ b/sshd.c
138@@ -2165,7 +2165,8 @@ main(int ac, char **av) 138@@ -2187,7 +2187,8 @@ main(int ac, char **av)
139 if (!debug_flag) 139 if (!debug_flag)
140 alarm(options.login_grace_time); 140 alarm(options.login_grace_time);
141 141
@@ -146,10 +146,10 @@ index ea8beacb4..4e8ff0662 100644
146 146
147 ssh_packet_set_nonblocking(ssh); 147 ssh_packet_set_nonblocking(ssh);
148diff --git a/sshd_config.5 b/sshd_config.5 148diff --git a/sshd_config.5 b/sshd_config.5
149index eec224158..46537f177 100644 149index ebd09f891..c926f584c 100644
150--- a/sshd_config.5 150--- a/sshd_config.5
151+++ b/sshd_config.5 151+++ b/sshd_config.5
152@@ -545,6 +545,11 @@ or 152@@ -542,6 +542,11 @@ or
153 .Cm no . 153 .Cm no .
154 The default is 154 The default is
155 .Cm yes . 155 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index acb4e3ce9..e5c690915 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 9a713cd4bbaef5ad4f1d28c1718fb6960ac257b3 Mon Sep 17 00:00:00 2001 1From cc80ecc65d57a9e68ce84d67bcfece281ffa0e9f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 80 insertions(+), 9 deletions(-) 39 6 files changed, 80 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index 16d2729dd..253574ce0 100644 42index 7f251dd4a..e82024678 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -2037,7 +2037,7 @@ fill_default_options(Options * options) 45@@ -2087,7 +2087,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index 16d2729dd..253574ce0 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index 24530e511..44a00d525 100644 55index b33a8049f..a8967c2f8 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -795,6 +795,16 @@ directive in 58@@ -809,6 +809,16 @@ directive in
59 .Xr ssh_config 5 59 .Xr ssh_config 5
60 for more information. 60 for more information.
61 .Pp 61 .Pp
@@ -72,7 +72,7 @@ index 24530e511..44a00d525 100644
72 .It Fl x 72 .It Fl x
73 Disables X11 forwarding. 73 Disables X11 forwarding.
74 .Pp 74 .Pp
75@@ -803,6 +813,20 @@ Enables trusted X11 forwarding. 75@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
77 controls. 77 controls.
78 .Pp 78 .Pp
@@ -117,7 +117,7 @@ index 1ff999b68..6dd6ecf87 100644
117+ HashKnownHosts yes 117+ HashKnownHosts yes
118+ GSSAPIAuthentication yes 118+ GSSAPIAuthentication yes
119diff --git a/ssh_config.5 b/ssh_config.5 119diff --git a/ssh_config.5 b/ssh_config.5
120index 4b42aab9d..d27655e15 100644 120index c6eaa63e7..5c90d3e02 100644
121--- a/ssh_config.5 121--- a/ssh_config.5
122+++ b/ssh_config.5 122+++ b/ssh_config.5
123@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 123@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -143,7 +143,7 @@ index 4b42aab9d..d27655e15 100644
143 The file contains keyword-argument pairs, one per line. 143 The file contains keyword-argument pairs, one per line.
144 Lines starting with 144 Lines starting with
145 .Ql # 145 .Ql #
146@@ -721,11 +737,12 @@ elapsed. 146@@ -729,11 +745,12 @@ elapsed.
147 .It Cm ForwardX11Trusted 147 .It Cm ForwardX11Trusted
148 If this option is set to 148 If this option is set to
149 .Cm yes , 149 .Cm yes ,
@@ -207,7 +207,7 @@ index 2c48105f8..ed8272f6d 100644
207 # Example of overriding settings on a per-user basis 207 # Example of overriding settings on a per-user basis
208 #Match User anoncvs 208 #Match User anoncvs
209diff --git a/sshd_config.5 b/sshd_config.5 209diff --git a/sshd_config.5 b/sshd_config.5
210index 270805060..02e29cb6f 100644 210index 25f4b8117..b8bea2ad7 100644
211--- a/sshd_config.5 211--- a/sshd_config.5
212+++ b/sshd_config.5 212+++ b/sshd_config.5
213@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes 213@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 6e8f0ae2f..3744218ff 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 6220be7f65137290fbe3ad71b83667e71e4ccd03 Mon Sep 17 00:00:00 2001 1From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index d5ddbbd26..b0faea78c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 944653642de12f09baa546011429fb69ffc0065a Mon Sep 17 00:00:00 2001 1From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 2c74b57c0..4b42aab9d 100644 16index e61a0fd43..c6eaa63e7 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -840,6 +840,9 @@ Note that existing names and addresses in known hosts files 19@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 89c2a9864..35b370752 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 4360244ab2ed367bdb2c836292e761c589355950 Mon Sep 17 00:00:00 2001 1From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
@@ -12,10 +12,10 @@ Patch-Name: gnome-ssh-askpass2-icon.patch
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c 14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
15index 535a69274..e37a13382 100644 15index bc83a2d67..88cdfaeff 100644
16--- a/contrib/gnome-ssh-askpass2.c 16--- a/contrib/gnome-ssh-askpass2.c
17+++ b/contrib/gnome-ssh-askpass2.c 17+++ b/contrib/gnome-ssh-askpass2.c
18@@ -211,6 +211,8 @@ main(int argc, char **argv) 18@@ -233,6 +233,8 @@ main(int argc, char **argv)
19 19
20 gtk_init(&argc, &argv); 20 gtk_init(&argc, &argv);
21 21
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index b858f4915..4bf1d3f73 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001 1From 34aff3aa136e5a65f441b25811dd466488fda087 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -18,12 +18,12 @@ security history.
18 18
19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master 19Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 20Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
21Last-Updated: 2019-10-09 21Last-Updated: 2020-02-21
22 22
23Patch-Name: gssapi.patch 23Patch-Name: gssapi.patch
24--- 24---
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 +- 26 README.md | 33 +++
27 auth.c | 96 +------- 27 auth.c | 96 +-------
28 auth2-gss.c | 56 ++++- 28 auth2-gss.c | 56 ++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
@@ -34,14 +34,12 @@ Patch-Name: gssapi.patch
34 gss-genr.c | 300 +++++++++++++++++++++++- 34 gss-genr.c | 300 +++++++++++++++++++++++-
35 gss-serv-krb5.c | 85 ++++++- 35 gss-serv-krb5.c | 85 ++++++-
36 gss-serv.c | 186 +++++++++++++-- 36 gss-serv.c | 186 +++++++++++++--
37 hmac.c | 1 +
38 kex.c | 66 +++++- 37 kex.c | 66 +++++-
39 kex.h | 29 +++ 38 kex.h | 29 +++
40 kexdh.c | 10 + 39 kexdh.c | 10 +
41 kexgen.c | 2 +- 40 kexgen.c | 2 +-
42 kexgssc.c | 606 ++++++++++++++++++++++++++++++++++++++++++++++++ 41 kexgssc.c | 606 ++++++++++++++++++++++++++++++++++++++++++++++++
43 kexgsss.c | 474 +++++++++++++++++++++++++++++++++++++ 42 kexgsss.c | 474 +++++++++++++++++++++++++++++++++++++
44 mac.c | 1 +
45 monitor.c | 139 ++++++++++- 43 monitor.c | 139 ++++++++++-
46 monitor.h | 2 + 44 monitor.h | 2 +
47 monitor_wrap.c | 57 ++++- 45 monitor_wrap.c | 57 ++++-
@@ -53,96 +51,86 @@ Patch-Name: gssapi.patch
53 session.c | 10 +- 51 session.c | 10 +-
54 ssh-gss.h | 50 +++- 52 ssh-gss.h | 50 +++-
55 ssh.1 | 8 + 53 ssh.1 | 8 +
56 ssh.c | 4 +- 54 ssh.c | 6 +-
57 ssh_config | 2 + 55 ssh_config | 2 +
58 ssh_config.5 | 57 +++++ 56 ssh_config.5 | 57 +++++
59 sshconnect2.c | 140 ++++++++++- 57 sshconnect2.c | 142 +++++++++++-
60 sshd.c | 120 +++++++++- 58 sshd.c | 62 ++++-
61 sshd_config | 2 + 59 sshd_config | 2 +
62 sshd_config.5 | 30 +++ 60 sshd_config.5 | 30 +++
63 sshkey.c | 3 +- 61 sshkey.c | 3 +-
64 sshkey.h | 1 + 62 sshkey.h | 1 +
65 40 files changed, 2664 insertions(+), 160 deletions(-) 63 38 files changed, 2624 insertions(+), 160 deletions(-)
66 create mode 100644 kexgssc.c 64 create mode 100644 kexgssc.c
67 create mode 100644 kexgsss.c 65 create mode 100644 kexgsss.c
68 66
69diff --git a/Makefile.in b/Makefile.in 67diff --git a/Makefile.in b/Makefile.in
70index adb1977e2..ab29e4f05 100644 68index e7549470c..b68c1710f 100644
71--- a/Makefile.in 69--- a/Makefile.in
72+++ b/Makefile.in 70+++ b/Makefile.in
73@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 71@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
74 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ 72 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
75 kexgexc.o kexgexs.o \ 73 kexgexc.o kexgexs.o \
76 sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ 74 sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
77+ kexgssc.o \ 75+ kexgssc.o \
78 platform-pledge.o platform-tracing.o platform-misc.o 76 sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
77 sshbuf-io.o
79 78
80 79@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
81@@ -114,7 +115,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
82 auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ 80 auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
83 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 81 auth2-none.o auth2-passwd.o auth2-pubkey.o \
84 monitor.o monitor_wrap.o auth-krb5.o \ 82 monitor.o monitor_wrap.o auth-krb5.o \
85- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 83- auth2-gss.o gss-serv.o gss-serv-krb5.o \
86+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 84+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
87 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 85 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
88 sftp-server.o sftp-common.o sftp-realpath.o \ 86 sftp-server.o sftp-common.o \
89 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 87 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
90diff --git a/auth-krb5.c b/auth-krb5.c 88diff --git a/README.md b/README.md
91index 3096f1c8e..204752e1b 100644 89index 28fb43d2a..5b73d24c0 100644
92--- a/auth-krb5.c 90--- a/README.md
93+++ b/auth-krb5.c 91+++ b/README.md
94@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 92@@ -1,3 +1,36 @@
95 93+Portable OpenSSH with GSSAPI Key Exchange patches
96 len = strlen(authctxt->krb5_ticket_file) + 6; 94+=================================================
97 authctxt->krb5_ccname = xmalloc(len); 95+
98+#ifdef USE_CCAPI 96+Currently, there are two branches with gssapi key exchange related
99+ snprintf(authctxt->krb5_ccname, len, "API:%s", 97+patches:
100+ authctxt->krb5_ticket_file); 98+
101+#else 99+ * fedora/master: Changes that are shipped in Fedora
102 snprintf(authctxt->krb5_ccname, len, "FILE:%s", 100+ * debian/master: Changes that are shipped in Debian
103 authctxt->krb5_ticket_file); 101+
104+#endif 102+The target is to converge to a shared repository with single master
105 103+branch from where we could build releases for both OSes.
106 #ifdef USE_PAM 104+
107 if (options.use_pam) 105+
108@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 106+What is in:
109 #ifndef HEIMDAL 107+
110 krb5_error_code 108+ * The original patch implementing missing parts of RFC4462 by Simon Wilkinson
111 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 109+ adapted to the current OpenSSH versions and with several fixes
112- int tmpfd, ret, oerrno; 110+ * New methods for GSSAPI Kex from IETF draft [1] from Jakub Jelen
113+ int ret, oerrno; 111+
114 char ccname[40]; 112+
115 mode_t old_umask; 113+Missing kerberos-related parts:
116+#ifdef USE_CCAPI 114+
117+ char cctemplate[] = "API:krb5cc_%d"; 115+ * .k5login and .kusers support available in Fedora [2] [3].
118+#else 116+ * Improved handling of kerberos ccache location [4]
119+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX"; 117+
120+ int tmpfd; 118+
121+#endif 119+[1] https://tools.ietf.org/html/draft-ietf-curdle-gss-keyex-sha2-08
122 120+[2] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-kuserok.patch
123 ret = snprintf(ccname, sizeof(ccname), 121+[3] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-GSSAPIEnablek5users.patch
124- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); 122+[4] https://bugzilla.mindrot.org/show_bug.cgi?id=2775
125+ cctemplate, geteuid()); 123+
126 if (ret < 0 || (size_t)ret >= sizeof(ccname)) 124+-------------------------------------------------------------------------------
127 return ENOMEM; 125+
128 126 # Portable OpenSSH
129+#ifndef USE_CCAPI
130 old_umask = umask(0177);
131 tmpfd = mkstemp(ccname + strlen("FILE:"));
132 oerrno = errno;
133@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
134 return oerrno;
135 }
136 close(tmpfd);
137+#endif
138 127
139 return (krb5_cc_resolve(ctx, ccname, ccache)); 128 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
140 }
141diff --git a/auth.c b/auth.c 129diff --git a/auth.c b/auth.c
142index ca450f4e4..47c27773c 100644 130index 086b8ebb1..687c57b42 100644
143--- a/auth.c 131--- a/auth.c
144+++ b/auth.c 132+++ b/auth.c
145@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 133@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
146 case PERMIT_NO_PASSWD: 134 case PERMIT_NO_PASSWD:
147 if (strcmp(method, "publickey") == 0 || 135 if (strcmp(method, "publickey") == 0 ||
148 strcmp(method, "hostbased") == 0 || 136 strcmp(method, "hostbased") == 0 ||
@@ -152,7 +140,7 @@ index ca450f4e4..47c27773c 100644
152 return 1; 140 return 1;
153 break; 141 break;
154 case PERMIT_FORCED_ONLY: 142 case PERMIT_FORCED_ONLY:
155@@ -723,99 +724,6 @@ fakepw(void) 143@@ -724,99 +725,6 @@ fakepw(void)
156 return (&fake); 144 return (&fake);
157 } 145 }
158 146
@@ -181,7 +169,7 @@ index ca450f4e4..47c27773c 100644
181- if (getpeername(ssh_packet_get_connection_in(ssh), 169- if (getpeername(ssh_packet_get_connection_in(ssh),
182- (struct sockaddr *)&from, &fromlen) == -1) { 170- (struct sockaddr *)&from, &fromlen) == -1) {
183- debug("getpeername failed: %.100s", strerror(errno)); 171- debug("getpeername failed: %.100s", strerror(errno));
184- return strdup(ntop); 172- return xstrdup(ntop);
185- } 173- }
186- 174-
187- ipv64_normalise_mapped(&from, &fromlen); 175- ipv64_normalise_mapped(&from, &fromlen);
@@ -193,7 +181,7 @@ index ca450f4e4..47c27773c 100644
193- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 181- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
194- NULL, 0, NI_NAMEREQD) != 0) { 182- NULL, 0, NI_NAMEREQD) != 0) {
195- /* Host name not found. Use ip address. */ 183- /* Host name not found. Use ip address. */
196- return strdup(ntop); 184- return xstrdup(ntop);
197- } 185- }
198- 186-
199- /* 187- /*
@@ -208,7 +196,7 @@ index ca450f4e4..47c27773c 100644
208- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 196- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
209- name, ntop); 197- name, ntop);
210- freeaddrinfo(ai); 198- freeaddrinfo(ai);
211- return strdup(ntop); 199- return xstrdup(ntop);
212- } 200- }
213- 201-
214- /* Names are stored in lowercase. */ 202- /* Names are stored in lowercase. */
@@ -229,7 +217,7 @@ index ca450f4e4..47c27773c 100644
229- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 217- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
230- logit("reverse mapping checking getaddrinfo for %.700s " 218- logit("reverse mapping checking getaddrinfo for %.700s "
231- "[%s] failed.", name, ntop); 219- "[%s] failed.", name, ntop);
232- return strdup(ntop); 220- return xstrdup(ntop);
233- } 221- }
234- /* Look for the address from the list of addresses. */ 222- /* Look for the address from the list of addresses. */
235- for (ai = aitop; ai; ai = ai->ai_next) { 223- for (ai = aitop; ai; ai = ai->ai_next) {
@@ -244,9 +232,9 @@ index ca450f4e4..47c27773c 100644
244- /* Address not found for the host name. */ 232- /* Address not found for the host name. */
245- logit("Address %.100s maps to %.600s, but this does not " 233- logit("Address %.100s maps to %.600s, but this does not "
246- "map back to the address.", ntop, name); 234- "map back to the address.", ntop, name);
247- return strdup(ntop); 235- return xstrdup(ntop);
248- } 236- }
249- return strdup(name); 237- return xstrdup(name);
250-} 238-}
251- 239-
252 /* 240 /*
@@ -368,7 +356,7 @@ index 0e7762242..1c217268c 100644
368 #endif 356 #endif
369 &method_passwd, 357 &method_passwd,
370diff --git a/canohost.c b/canohost.c 358diff --git a/canohost.c b/canohost.c
371index abea9c6e6..9a00fc2cf 100644 359index abea9c6e6..8e81b5193 100644
372--- a/canohost.c 360--- a/canohost.c
373+++ b/canohost.c 361+++ b/canohost.c
374@@ -35,6 +35,99 @@ 362@@ -35,6 +35,99 @@
@@ -400,7 +388,7 @@ index abea9c6e6..9a00fc2cf 100644
400+ if (getpeername(ssh_packet_get_connection_in(ssh), 388+ if (getpeername(ssh_packet_get_connection_in(ssh),
401+ (struct sockaddr *)&from, &fromlen) == -1) { 389+ (struct sockaddr *)&from, &fromlen) == -1) {
402+ debug("getpeername failed: %.100s", strerror(errno)); 390+ debug("getpeername failed: %.100s", strerror(errno));
403+ return strdup(ntop); 391+ return xstrdup(ntop);
404+ } 392+ }
405+ 393+
406+ ipv64_normalise_mapped(&from, &fromlen); 394+ ipv64_normalise_mapped(&from, &fromlen);
@@ -412,7 +400,7 @@ index abea9c6e6..9a00fc2cf 100644
412+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 400+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
413+ NULL, 0, NI_NAMEREQD) != 0) { 401+ NULL, 0, NI_NAMEREQD) != 0) {
414+ /* Host name not found. Use ip address. */ 402+ /* Host name not found. Use ip address. */
415+ return strdup(ntop); 403+ return xstrdup(ntop);
416+ } 404+ }
417+ 405+
418+ /* 406+ /*
@@ -427,7 +415,7 @@ index abea9c6e6..9a00fc2cf 100644
427+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 415+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
428+ name, ntop); 416+ name, ntop);
429+ freeaddrinfo(ai); 417+ freeaddrinfo(ai);
430+ return strdup(ntop); 418+ return xstrdup(ntop);
431+ } 419+ }
432+ 420+
433+ /* Names are stored in lowercase. */ 421+ /* Names are stored in lowercase. */
@@ -448,7 +436,7 @@ index abea9c6e6..9a00fc2cf 100644
448+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 436+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
449+ logit("reverse mapping checking getaddrinfo for %.700s " 437+ logit("reverse mapping checking getaddrinfo for %.700s "
450+ "[%s] failed.", name, ntop); 438+ "[%s] failed.", name, ntop);
451+ return strdup(ntop); 439+ return xstrdup(ntop);
452+ } 440+ }
453+ /* Look for the address from the list of addresses. */ 441+ /* Look for the address from the list of addresses. */
454+ for (ai = aitop; ai; ai = ai->ai_next) { 442+ for (ai = aitop; ai; ai = ai->ai_next) {
@@ -463,9 +451,9 @@ index abea9c6e6..9a00fc2cf 100644
463+ /* Address not found for the host name. */ 451+ /* Address not found for the host name. */
464+ logit("Address %.100s maps to %.600s, but this does not " 452+ logit("Address %.100s maps to %.600s, but this does not "
465+ "map back to the address.", ntop, name); 453+ "map back to the address.", ntop, name);
466+ return strdup(ntop); 454+ return xstrdup(ntop);
467+ } 455+ }
468+ return strdup(name); 456+ return xstrdup(name);
469+} 457+}
470+ 458+
471 void 459 void
@@ -486,7 +474,7 @@ index 26d62855a..0cadc9f18 100644
486 int get_peer_port(int); 474 int get_peer_port(int);
487 char *get_local_ipaddr(int); 475 char *get_local_ipaddr(int);
488diff --git a/clientloop.c b/clientloop.c 476diff --git a/clientloop.c b/clientloop.c
489index b5a1f7038..9def2a1a9 100644 477index ebd0dbca1..1bdac6a46 100644
490--- a/clientloop.c 478--- a/clientloop.c
491+++ b/clientloop.c 479+++ b/clientloop.c
492@@ -112,6 +112,10 @@ 480@@ -112,6 +112,10 @@
@@ -500,7 +488,7 @@ index b5a1f7038..9def2a1a9 100644
500 /* import options */ 488 /* import options */
501 extern Options options; 489 extern Options options;
502 490
503@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 491@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
504 break; 492 break;
505 493
506 /* Do channel operations unless rekeying in progress. */ 494 /* Do channel operations unless rekeying in progress. */
@@ -521,10 +509,10 @@ index b5a1f7038..9def2a1a9 100644
521 client_process_net_input(ssh, readset); 509 client_process_net_input(ssh, readset);
522 510
523diff --git a/configure.ac b/configure.ac 511diff --git a/configure.ac b/configure.ac
524index 3e93c0276..1c2512314 100644 512index b689db4b5..efafb6bd8 100644
525--- a/configure.ac 513--- a/configure.ac
526+++ b/configure.ac 514+++ b/configure.ac
527@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 515@@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
528 [Use tunnel device compatibility to OpenBSD]) 516 [Use tunnel device compatibility to OpenBSD])
529 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 517 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
530 [Prepend the address family to IP tunnel traffic]) 518 [Prepend the address family to IP tunnel traffic])
@@ -1338,23 +1326,11 @@ index ab3a15f0f..1d47870e7 100644
1338 } 1326 }
1339 1327
1340 /* Privileged */ 1328 /* Privileged */
1341diff --git a/hmac.c b/hmac.c
1342index 32688876d..a79e8569c 100644
1343--- a/hmac.c
1344+++ b/hmac.c
1345@@ -21,6 +21,7 @@
1346
1347 #include <stdlib.h>
1348 #include <string.h>
1349+#include <stdlib.h>
1350
1351 #include "sshbuf.h"
1352 #include "digest.h"
1353diff --git a/kex.c b/kex.c 1329diff --git a/kex.c b/kex.c
1354index 49d701568..e09355dbd 100644 1330index ce85f0439..574c76093 100644
1355--- a/kex.c 1331--- a/kex.c
1356+++ b/kex.c 1332+++ b/kex.c
1357@@ -55,11 +55,16 @@ 1333@@ -57,11 +57,16 @@
1358 #include "misc.h" 1334 #include "misc.h"
1359 #include "dispatch.h" 1335 #include "dispatch.h"
1360 #include "monitor.h" 1336 #include "monitor.h"
@@ -1371,7 +1347,7 @@ index 49d701568..e09355dbd 100644
1371 /* prototype */ 1347 /* prototype */
1372 static int kex_choose_conf(struct ssh *); 1348 static int kex_choose_conf(struct ssh *);
1373 static int kex_input_newkeys(int, u_int32_t, struct ssh *); 1349 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
1374@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { 1350@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
1375 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 1351 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
1376 { NULL, 0, -1, -1}, 1352 { NULL, 0, -1, -1},
1377 }; 1353 };
@@ -1386,7 +1362,7 @@ index 49d701568..e09355dbd 100644
1386+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, 1362+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
1387+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, 1363+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
1388+#endif 1364+#endif
1389+ { NULL, 0, -1, -1 }, 1365+ { NULL, 0, -1, -1},
1390+}; 1366+};
1391 1367
1392-char * 1368-char *
@@ -1403,7 +1379,7 @@ index 49d701568..e09355dbd 100644
1403 if (ret != NULL) 1379 if (ret != NULL)
1404 ret[rlen++] = sep; 1380 ret[rlen++] = sep;
1405 nlen = strlen(k->name); 1381 nlen = strlen(k->name);
1406@@ -136,6 +154,18 @@ kex_alg_list(char sep) 1382@@ -138,6 +156,18 @@ kex_alg_list(char sep)
1407 return ret; 1383 return ret;
1408 } 1384 }
1409 1385
@@ -1422,7 +1398,7 @@ index 49d701568..e09355dbd 100644
1422 static const struct kexalg * 1398 static const struct kexalg *
1423 kex_alg_by_name(const char *name) 1399 kex_alg_by_name(const char *name)
1424 { 1400 {
1425@@ -145,6 +175,10 @@ kex_alg_by_name(const char *name) 1401@@ -147,6 +177,10 @@ kex_alg_by_name(const char *name)
1426 if (strcmp(k->name, name) == 0) 1402 if (strcmp(k->name, name) == 0)
1427 return k; 1403 return k;
1428 } 1404 }
@@ -1433,7 +1409,7 @@ index 49d701568..e09355dbd 100644
1433 return NULL; 1409 return NULL;
1434 } 1410 }
1435 1411
1436@@ -313,6 +347,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) 1412@@ -315,6 +349,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
1437 return r; 1413 return r;
1438 } 1414 }
1439 1415
@@ -1463,7 +1439,7 @@ index 49d701568..e09355dbd 100644
1463 /* put algorithm proposal into buffer */ 1439 /* put algorithm proposal into buffer */
1464 int 1440 int
1465 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) 1441 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
1466@@ -696,6 +753,9 @@ kex_free(struct kex *kex) 1442@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
1467 sshbuf_free(kex->server_version); 1443 sshbuf_free(kex->server_version);
1468 sshbuf_free(kex->client_pub); 1444 sshbuf_free(kex->client_pub);
1469 free(kex->session_id); 1445 free(kex->session_id);
@@ -1572,7 +1548,7 @@ index 67133e339..edaa46762 100644
1572 break; 1548 break;
1573 case KEX_DH_GRP18_SHA512: 1549 case KEX_DH_GRP18_SHA512:
1574diff --git a/kexgen.c b/kexgen.c 1550diff --git a/kexgen.c b/kexgen.c
1575index bb996b504..d353ed8b0 100644 1551index 69348b964..c0e8c2f44 100644
1576--- a/kexgen.c 1552--- a/kexgen.c
1577+++ b/kexgen.c 1553+++ b/kexgen.c
1578@@ -44,7 +44,7 @@ 1554@@ -44,7 +44,7 @@
@@ -2676,23 +2652,11 @@ index 000000000..60bc02deb
2676+ return r; 2652+ return r;
2677+} 2653+}
2678+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ 2654+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
2679diff --git a/mac.c b/mac.c
2680index f3dda6692..de346ed20 100644
2681--- a/mac.c
2682+++ b/mac.c
2683@@ -30,6 +30,7 @@
2684 #include <stdlib.h>
2685 #include <string.h>
2686 #include <stdio.h>
2687+#include <stdlib.h>
2688
2689 #include "digest.h"
2690 #include "hmac.h"
2691diff --git a/monitor.c b/monitor.c 2655diff --git a/monitor.c b/monitor.c
2692index 00af44f98..bead9e204 100644 2656index 2ce89fe90..ebf76c7f9 100644
2693--- a/monitor.c 2657--- a/monitor.c
2694+++ b/monitor.c 2658+++ b/monitor.c
2695@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); 2659@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
2696 int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); 2660 int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
2697 int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); 2661 int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
2698 int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); 2662 int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
@@ -2701,7 +2665,7 @@ index 00af44f98..bead9e204 100644
2701 #endif 2665 #endif
2702 2666
2703 #ifdef SSH_AUDIT_EVENTS 2667 #ifdef SSH_AUDIT_EVENTS
2704@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[] = { 2668@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
2705 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, 2669 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
2706 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, 2670 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
2707 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 2671 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2720,7 +2684,7 @@ index 00af44f98..bead9e204 100644
2720 #ifdef WITH_OPENSSL 2684 #ifdef WITH_OPENSSL
2721 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2685 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2722 #endif 2686 #endif
2723@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) 2687@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
2724 /* Permit requests for moduli and signatures */ 2688 /* Permit requests for moduli and signatures */
2725 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2689 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2726 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2690 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2731,7 +2695,7 @@ index 00af44f98..bead9e204 100644
2731 2695
2732 /* The first few requests do not require asynchronous access */ 2696 /* The first few requests do not require asynchronous access */
2733 while (!authenticated) { 2697 while (!authenticated) {
2734@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) 2698@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
2735 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2699 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2736 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2700 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2737 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2701 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2742,7 +2706,7 @@ index 00af44f98..bead9e204 100644
2742 2706
2743 if (auth_opts->permit_pty_flag) { 2707 if (auth_opts->permit_pty_flag) {
2744 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2708 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2745@@ -1687,6 +1704,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) 2709@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
2746 # ifdef OPENSSL_HAS_ECC 2710 # ifdef OPENSSL_HAS_ECC
2747 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 2711 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
2748 # endif 2712 # endif
@@ -2760,7 +2724,7 @@ index 00af44f98..bead9e204 100644
2760 #endif /* WITH_OPENSSL */ 2724 #endif /* WITH_OPENSSL */
2761 kex->kex[KEX_C25519_SHA256] = kex_gen_server; 2725 kex->kex[KEX_C25519_SHA256] = kex_gen_server;
2762 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; 2726 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
2763@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2727@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2764 u_char *p; 2728 u_char *p;
2765 int r; 2729 int r;
2766 2730
@@ -2771,7 +2735,7 @@ index 00af44f98..bead9e204 100644
2771 2735
2772 if ((r = sshbuf_get_string(m, &p, &len)) != 0) 2736 if ((r = sshbuf_get_string(m, &p, &len)) != 0)
2773 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2737 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2774@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2738@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2775 OM_uint32 flags = 0; /* GSI needs this */ 2739 OM_uint32 flags = 0; /* GSI needs this */
2776 int r; 2740 int r;
2777 2741
@@ -2782,7 +2746,7 @@ index 00af44f98..bead9e204 100644
2782 2746
2783 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) 2747 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
2784 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2748 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2785@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) 2749@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
2786 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2750 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2787 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2751 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2788 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2752 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2790,7 +2754,7 @@ index 00af44f98..bead9e204 100644
2790 } 2754 }
2791 return (0); 2755 return (0);
2792 } 2756 }
2793@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) 2757@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
2794 OM_uint32 ret; 2758 OM_uint32 ret;
2795 int r; 2759 int r;
2796 2760
@@ -2801,7 +2765,7 @@ index 00af44f98..bead9e204 100644
2801 2765
2802 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || 2766 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
2803 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) 2767 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
2804@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) 2768@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
2805 int 2769 int
2806 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2770 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2807 { 2771 {
@@ -2823,7 +2787,7 @@ index 00af44f98..bead9e204 100644
2823 2787
2824 sshbuf_reset(m); 2788 sshbuf_reset(m);
2825 if ((r = sshbuf_put_u32(m, authenticated)) != 0) 2789 if ((r = sshbuf_put_u32(m, authenticated)) != 0)
2826@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2790@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2827 debug3("%s: sending result %d", __func__, authenticated); 2791 debug3("%s: sending result %d", __func__, authenticated);
2828 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 2792 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
2829 2793
@@ -2836,7 +2800,7 @@ index 00af44f98..bead9e204 100644
2836 2800
2837 if ((displayname = ssh_gssapi_displayname()) != NULL) 2801 if ((displayname = ssh_gssapi_displayname()) != NULL)
2838 auth2_record_info(authctxt, "%s", displayname); 2802 auth2_record_info(authctxt, "%s", displayname);
2839@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) 2803@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
2840 /* Monitor loop will terminate if authenticated */ 2804 /* Monitor loop will terminate if authenticated */
2841 return (authenticated); 2805 return (authenticated);
2842 } 2806 }
@@ -2936,10 +2900,10 @@ index 683e5e071..2b1a2d590 100644
2936 2900
2937 struct ssh; 2901 struct ssh;
2938diff --git a/monitor_wrap.c b/monitor_wrap.c 2902diff --git a/monitor_wrap.c b/monitor_wrap.c
2939index 4169b7604..fdca39a6a 100644 2903index 001a8fa1c..6edb509a3 100644
2940--- a/monitor_wrap.c 2904--- a/monitor_wrap.c
2941+++ b/monitor_wrap.c 2905+++ b/monitor_wrap.c
2942@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2906@@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2943 } 2907 }
2944 2908
2945 int 2909 int
@@ -2956,7 +2920,7 @@ index 4169b7604..fdca39a6a 100644
2956 2920
2957 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); 2921 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
2958 mm_request_receive_expect(pmonitor->m_recvfd, 2922 mm_request_receive_expect(pmonitor->m_recvfd,
2959@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user) 2923@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
2960 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2924 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2961 return (authenticated); 2925 return (authenticated);
2962 } 2926 }
@@ -3015,10 +2979,10 @@ index 4169b7604..fdca39a6a 100644
3015+ 2979+
3016 #endif /* GSSAPI */ 2980 #endif /* GSSAPI */
3017diff --git a/monitor_wrap.h b/monitor_wrap.h 2981diff --git a/monitor_wrap.h b/monitor_wrap.h
3018index 191277f3a..92dda574b 100644 2982index 23ab096aa..485590c18 100644
3019--- a/monitor_wrap.h 2983--- a/monitor_wrap.h
3020+++ b/monitor_wrap.h 2984+++ b/monitor_wrap.h
3021@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 2985@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
3022 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2986 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
3023 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2987 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
3024 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2988 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -3031,7 +2995,7 @@ index 191277f3a..92dda574b 100644
3031 2995
3032 #ifdef USE_PAM 2996 #ifdef USE_PAM
3033diff --git a/readconf.c b/readconf.c 2997diff --git a/readconf.c b/readconf.c
3034index f78b4d6fe..3c68d1a88 100644 2998index f3cac6b3a..da8022dd0 100644
3035--- a/readconf.c 2999--- a/readconf.c
3036+++ b/readconf.c 3000+++ b/readconf.c
3037@@ -67,6 +67,7 @@ 3001@@ -67,6 +67,7 @@
@@ -3042,7 +3006,7 @@ index f78b4d6fe..3c68d1a88 100644
3042 3006
3043 /* Format of the configuration file: 3007 /* Format of the configuration file:
3044 3008
3045@@ -162,6 +163,8 @@ typedef enum { 3009@@ -160,6 +161,8 @@ typedef enum {
3046 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 3010 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
3047 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 3011 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
3048 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 3012 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -3051,7 +3015,7 @@ index f78b4d6fe..3c68d1a88 100644
3051 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 3015 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
3052 oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, 3016 oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
3053 oHashKnownHosts, 3017 oHashKnownHosts,
3054@@ -202,10 +205,22 @@ static struct { 3018@@ -204,10 +207,22 @@ static struct {
3055 /* Sometimes-unsupported options */ 3019 /* Sometimes-unsupported options */
3056 #if defined(GSSAPI) 3020 #if defined(GSSAPI)
3057 { "gssapiauthentication", oGssAuthentication }, 3021 { "gssapiauthentication", oGssAuthentication },
@@ -3074,7 +3038,7 @@ index f78b4d6fe..3c68d1a88 100644
3074 #endif 3038 #endif
3075 #ifdef ENABLE_PKCS11 3039 #ifdef ENABLE_PKCS11
3076 { "pkcs11provider", oPKCS11Provider }, 3040 { "pkcs11provider", oPKCS11Provider },
3077@@ -988,10 +1003,42 @@ parse_time: 3041@@ -1029,10 +1044,42 @@ parse_time:
3078 intptr = &options->gss_authentication; 3042 intptr = &options->gss_authentication;
3079 goto parse_flag; 3043 goto parse_flag;
3080 3044
@@ -3117,7 +3081,7 @@ index f78b4d6fe..3c68d1a88 100644
3117 case oBatchMode: 3081 case oBatchMode:
3118 intptr = &options->batch_mode; 3082 intptr = &options->batch_mode;
3119 goto parse_flag; 3083 goto parse_flag;
3120@@ -1863,7 +1910,13 @@ initialize_options(Options * options) 3084@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
3121 options->pubkey_authentication = -1; 3085 options->pubkey_authentication = -1;
3122 options->challenge_response_authentication = -1; 3086 options->challenge_response_authentication = -1;
3123 options->gss_authentication = -1; 3087 options->gss_authentication = -1;
@@ -3131,7 +3095,7 @@ index f78b4d6fe..3c68d1a88 100644
3131 options->password_authentication = -1; 3095 options->password_authentication = -1;
3132 options->kbd_interactive_authentication = -1; 3096 options->kbd_interactive_authentication = -1;
3133 options->kbd_interactive_devices = NULL; 3097 options->kbd_interactive_devices = NULL;
3134@@ -2009,8 +2062,18 @@ fill_default_options(Options * options) 3098@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
3135 options->challenge_response_authentication = 1; 3099 options->challenge_response_authentication = 1;
3136 if (options->gss_authentication == -1) 3100 if (options->gss_authentication == -1)
3137 options->gss_authentication = 0; 3101 options->gss_authentication = 0;
@@ -3150,7 +3114,7 @@ index f78b4d6fe..3c68d1a88 100644
3150 if (options->password_authentication == -1) 3114 if (options->password_authentication == -1)
3151 options->password_authentication = 1; 3115 options->password_authentication = 1;
3152 if (options->kbd_interactive_authentication == -1) 3116 if (options->kbd_interactive_authentication == -1)
3153@@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host) 3117@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
3154 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); 3118 dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
3155 #ifdef GSSAPI 3119 #ifdef GSSAPI
3156 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 3120 dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3166,10 +3130,10 @@ index f78b4d6fe..3c68d1a88 100644
3166 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); 3130 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
3167 dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); 3131 dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
3168diff --git a/readconf.h b/readconf.h 3132diff --git a/readconf.h b/readconf.h
3169index 8e36bf32a..0bff6d80a 100644 3133index feedb3d20..a8a8870d7 100644
3170--- a/readconf.h 3134--- a/readconf.h
3171+++ b/readconf.h 3135+++ b/readconf.h
3172@@ -40,7 +40,13 @@ typedef struct { 3136@@ -41,7 +41,13 @@ typedef struct {
3173 int challenge_response_authentication; 3137 int challenge_response_authentication;
3174 /* Try S/Key or TIS, authentication. */ 3138 /* Try S/Key or TIS, authentication. */
3175 int gss_authentication; /* Try GSS authentication */ 3139 int gss_authentication; /* Try GSS authentication */
@@ -3184,10 +3148,10 @@ index 8e36bf32a..0bff6d80a 100644
3184 * authentication. */ 3148 * authentication. */
3185 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 3149 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
3186diff --git a/servconf.c b/servconf.c 3150diff --git a/servconf.c b/servconf.c
3187index e76f9c39e..f63eb0b94 100644 3151index 70f5f73f0..191575a16 100644
3188--- a/servconf.c 3152--- a/servconf.c
3189+++ b/servconf.c 3153+++ b/servconf.c
3190@@ -64,6 +64,7 @@ 3154@@ -69,6 +69,7 @@
3191 #include "auth.h" 3155 #include "auth.h"
3192 #include "myproposal.h" 3156 #include "myproposal.h"
3193 #include "digest.h" 3157 #include "digest.h"
@@ -3195,7 +3159,7 @@ index e76f9c39e..f63eb0b94 100644
3195 3159
3196 static void add_listen_addr(ServerOptions *, const char *, 3160 static void add_listen_addr(ServerOptions *, const char *,
3197 const char *, int); 3161 const char *, int);
3198@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions *options) 3162@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
3199 options->kerberos_ticket_cleanup = -1; 3163 options->kerberos_ticket_cleanup = -1;
3200 options->kerberos_get_afs_token = -1; 3164 options->kerberos_get_afs_token = -1;
3201 options->gss_authentication=-1; 3165 options->gss_authentication=-1;
@@ -3207,7 +3171,7 @@ index e76f9c39e..f63eb0b94 100644
3207 options->password_authentication = -1; 3171 options->password_authentication = -1;
3208 options->kbd_interactive_authentication = -1; 3172 options->kbd_interactive_authentication = -1;
3209 options->challenge_response_authentication = -1; 3173 options->challenge_response_authentication = -1;
3210@@ -351,10 +355,18 @@ fill_default_server_options(ServerOptions *options) 3174@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
3211 options->kerberos_get_afs_token = 0; 3175 options->kerberos_get_afs_token = 0;
3212 if (options->gss_authentication == -1) 3176 if (options->gss_authentication == -1)
3213 options->gss_authentication = 0; 3177 options->gss_authentication = 0;
@@ -3226,7 +3190,7 @@ index e76f9c39e..f63eb0b94 100644
3226 if (options->password_authentication == -1) 3190 if (options->password_authentication == -1)
3227 options->password_authentication = 1; 3191 options->password_authentication = 1;
3228 if (options->kbd_interactive_authentication == -1) 3192 if (options->kbd_interactive_authentication == -1)
3229@@ -498,6 +510,7 @@ typedef enum { 3193@@ -531,6 +543,7 @@ typedef enum {
3230 sHostKeyAlgorithms, 3194 sHostKeyAlgorithms,
3231 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 3195 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
3232 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 3196 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -3234,7 +3198,7 @@ index e76f9c39e..f63eb0b94 100644
3234 sAcceptEnv, sSetEnv, sPermitTunnel, 3198 sAcceptEnv, sSetEnv, sPermitTunnel,
3235 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, 3199 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
3236 sUsePrivilegeSeparation, sAllowAgentForwarding, 3200 sUsePrivilegeSeparation, sAllowAgentForwarding,
3237@@ -572,12 +585,22 @@ static struct { 3201@@ -607,12 +620,22 @@ static struct {
3238 #ifdef GSSAPI 3202 #ifdef GSSAPI
3239 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 3203 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
3240 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 3204 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -3257,7 +3221,7 @@ index e76f9c39e..f63eb0b94 100644
3257 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 3221 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
3258 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 3222 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
3259 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 3223 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
3260@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line, 3224@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
3261 intptr = &options->gss_authentication; 3225 intptr = &options->gss_authentication;
3262 goto parse_flag; 3226 goto parse_flag;
3263 3227
@@ -3268,7 +3232,7 @@ index e76f9c39e..f63eb0b94 100644
3268 case sGssCleanupCreds: 3232 case sGssCleanupCreds:
3269 intptr = &options->gss_cleanup_creds; 3233 intptr = &options->gss_cleanup_creds;
3270 goto parse_flag; 3234 goto parse_flag;
3271@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line, 3235@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
3272 intptr = &options->gss_strict_acceptor; 3236 intptr = &options->gss_strict_acceptor;
3273 goto parse_flag; 3237 goto parse_flag;
3274 3238
@@ -3291,7 +3255,7 @@ index e76f9c39e..f63eb0b94 100644
3291 case sPasswordAuthentication: 3255 case sPasswordAuthentication:
3292 intptr = &options->password_authentication; 3256 intptr = &options->password_authentication;
3293 goto parse_flag; 3257 goto parse_flag;
3294@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o) 3258@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
3295 #ifdef GSSAPI 3259 #ifdef GSSAPI
3296 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 3260 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3297 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 3261 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3303,10 +3267,10 @@ index e76f9c39e..f63eb0b94 100644
3303 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 3267 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3304 dump_cfg_fmtint(sKbdInteractiveAuthentication, 3268 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3305diff --git a/servconf.h b/servconf.h 3269diff --git a/servconf.h b/servconf.h
3306index 5483da051..29329ba1f 100644 3270index 4202a2d02..3f47ea25e 100644
3307--- a/servconf.h 3271--- a/servconf.h
3308+++ b/servconf.h 3272+++ b/servconf.h
3309@@ -126,8 +126,11 @@ typedef struct { 3273@@ -132,8 +132,11 @@ typedef struct {
3310 int kerberos_get_afs_token; /* If true, try to get AFS token if 3274 int kerberos_get_afs_token; /* If true, try to get AFS token if
3311 * authenticated with Kerberos. */ 3275 * authenticated with Kerberos. */
3312 int gss_authentication; /* If true, permit GSSAPI authentication */ 3276 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -3319,10 +3283,10 @@ index 5483da051..29329ba1f 100644
3319 * authentication. */ 3283 * authentication. */
3320 int kbd_interactive_authentication; /* If true, permit */ 3284 int kbd_interactive_authentication; /* If true, permit */
3321diff --git a/session.c b/session.c 3285diff --git a/session.c b/session.c
3322index 8f5d7e0a4..f1a47f766 100644 3286index 8c0e54f79..06a33442a 100644
3323--- a/session.c 3287--- a/session.c
3324+++ b/session.c 3288+++ b/session.c
3325@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) 3289@@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
3326 3290
3327 #ifdef KRB5 3291 #ifdef KRB5
3328 if (options.kerberos_ticket_cleanup && 3292 if (options.kerberos_ticket_cleanup &&
@@ -3465,10 +3429,10 @@ index 36180d07a..70dd36658 100644
3465 3429
3466 #endif /* _SSH_GSS_H */ 3430 #endif /* _SSH_GSS_H */
3467diff --git a/ssh.1 b/ssh.1 3431diff --git a/ssh.1 b/ssh.1
3468index 424d6c3e8..26940ad55 100644 3432index 60de6087a..db5c65bc7 100644
3469--- a/ssh.1 3433--- a/ssh.1
3470+++ b/ssh.1 3434+++ b/ssh.1
3471@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see 3435@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see
3472 .It GatewayPorts 3436 .It GatewayPorts
3473 .It GlobalKnownHostsFile 3437 .It GlobalKnownHostsFile
3474 .It GSSAPIAuthentication 3438 .It GSSAPIAuthentication
@@ -3482,7 +3446,7 @@ index 424d6c3e8..26940ad55 100644
3482 .It HashKnownHosts 3446 .It HashKnownHosts
3483 .It Host 3447 .It Host
3484 .It HostbasedAuthentication 3448 .It HostbasedAuthentication
3485@@ -573,6 +579,8 @@ flag), 3449@@ -579,6 +585,8 @@ flag),
3486 (supported message integrity codes), 3450 (supported message integrity codes),
3487 .Ar kex 3451 .Ar kex
3488 (key exchange algorithms), 3452 (key exchange algorithms),
@@ -3492,27 +3456,29 @@ index 424d6c3e8..26940ad55 100644
3492 (key types), 3456 (key types),
3493 .Ar key-cert 3457 .Ar key-cert
3494diff --git a/ssh.c b/ssh.c 3458diff --git a/ssh.c b/ssh.c
3495index ee51823cd..2da9f5d0d 100644 3459index 15aee569e..110cf9c19 100644
3496--- a/ssh.c 3460--- a/ssh.c
3497+++ b/ssh.c 3461+++ b/ssh.c
3498@@ -736,6 +736,8 @@ main(int ac, char **av) 3462@@ -747,6 +747,8 @@ main(int ac, char **av)
3499 cp = mac_alg_list('\n'); 3463 else if (strcmp(optarg, "kex") == 0 ||
3500 else if (strcmp(optarg, "kex") == 0) 3464 strcasecmp(optarg, "KexAlgorithms") == 0)
3501 cp = kex_alg_list('\n'); 3465 cp = kex_alg_list('\n');
3502+ else if (strcmp(optarg, "kex-gss") == 0) 3466+ else if (strcmp(optarg, "kex-gss") == 0)
3503+ cp = kex_gss_alg_list('\n'); 3467+ cp = kex_gss_alg_list('\n');
3504 else if (strcmp(optarg, "key") == 0) 3468 else if (strcmp(optarg, "key") == 0)
3505 cp = sshkey_alg_list(0, 0, 0, '\n'); 3469 cp = sshkey_alg_list(0, 0, 0, '\n');
3506 else if (strcmp(optarg, "key-cert") == 0) 3470 else if (strcmp(optarg, "key-cert") == 0)
3507@@ -748,7 +750,7 @@ main(int ac, char **av) 3471@@ -772,8 +774,8 @@ main(int ac, char **av)
3508 cp = xstrdup("2"); 3472 } else if (strcmp(optarg, "help") == 0) {
3509 else if (strcmp(optarg, "help") == 0) {
3510 cp = xstrdup( 3473 cp = xstrdup(
3511- "cipher\ncipher-auth\nkex\nkey\n" 3474 "cipher\ncipher-auth\ncompression\nkex\n"
3512+ "cipher\ncipher-auth\nkex\nkex-gss\nkey\n" 3475- "key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
3513 "key-cert\nkey-plain\nmac\n" 3476- "protocol-version\nsig");
3514 "protocol-version\nsig"); 3477+ "kex-gss\nkey\nkey-cert\nkey-plain\n"
3478+ "key-sig\nmac\nprotocol-version\nsig");
3515 } 3479 }
3480 if (cp == NULL)
3481 fatal("Unsupported query \"%s\"", optarg);
3516diff --git a/ssh_config b/ssh_config 3482diff --git a/ssh_config b/ssh_config
3517index 5e8ef548b..1ff999b68 100644 3483index 5e8ef548b..1ff999b68 100644
3518--- a/ssh_config 3484--- a/ssh_config
@@ -3527,10 +3493,10 @@ index 5e8ef548b..1ff999b68 100644
3527 # CheckHostIP yes 3493 # CheckHostIP yes
3528 # AddressFamily any 3494 # AddressFamily any
3529diff --git a/ssh_config.5 b/ssh_config.5 3495diff --git a/ssh_config.5 b/ssh_config.5
3530index 02a87892d..f4668673b 100644 3496index 06a32d314..3f4906972 100644
3531--- a/ssh_config.5 3497--- a/ssh_config.5
3532+++ b/ssh_config.5 3498+++ b/ssh_config.5
3533@@ -758,10 +758,67 @@ The default is 3499@@ -766,10 +766,67 @@ The default is
3534 Specifies whether user authentication based on GSSAPI is allowed. 3500 Specifies whether user authentication based on GSSAPI is allowed.
3535 The default is 3501 The default is
3536 .Cm no . 3502 .Cm no .
@@ -3599,10 +3565,10 @@ index 02a87892d..f4668673b 100644
3599 Indicates that 3565 Indicates that
3600 .Xr ssh 1 3566 .Xr ssh 1
3601diff --git a/sshconnect2.c b/sshconnect2.c 3567diff --git a/sshconnect2.c b/sshconnect2.c
3602index 87fa70a40..a4ec75ca1 100644 3568index af00fb30c..03bc87eb4 100644
3603--- a/sshconnect2.c 3569--- a/sshconnect2.c
3604+++ b/sshconnect2.c 3570+++ b/sshconnect2.c
3605@@ -78,8 +78,6 @@ 3571@@ -80,8 +80,6 @@
3606 #endif 3572 #endif
3607 3573
3608 /* import */ 3574 /* import */
@@ -3611,9 +3577,9 @@ index 87fa70a40..a4ec75ca1 100644
3611 extern Options options; 3577 extern Options options;
3612 3578
3613 /* 3579 /*
3614@@ -161,6 +159,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) 3580@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
3615 char *s, *all_key; 3581 char *s, *all_key;
3616 int r; 3582 int r, use_known_hosts_order = 0;
3617 3583
3618+#if defined(GSSAPI) && defined(WITH_OPENSSL) 3584+#if defined(GSSAPI) && defined(WITH_OPENSSL)
3619+ char *orig = NULL, *gss = NULL; 3585+ char *orig = NULL, *gss = NULL;
@@ -3623,8 +3589,8 @@ index 87fa70a40..a4ec75ca1 100644
3623 xxx_host = host; 3589 xxx_host = host;
3624 xxx_hostaddr = hostaddr; 3590 xxx_hostaddr = hostaddr;
3625 3591
3626@@ -193,6 +196,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) 3592@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
3627 order_hostkeyalgs(host, hostaddr, port)); 3593 compat_pkalg_proposal(options.hostkeyalgorithms);
3628 } 3594 }
3629 3595
3630+#if defined(GSSAPI) && defined(WITH_OPENSSL) 3596+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3659,10 +3625,11 @@ index 87fa70a40..a4ec75ca1 100644
3659 if (options.rekey_limit || options.rekey_interval) 3625 if (options.rekey_limit || options.rekey_interval)
3660 ssh_packet_set_rekey_limits(ssh, options.rekey_limit, 3626 ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
3661 options.rekey_interval); 3627 options.rekey_interval);
3662@@ -211,16 +243,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) 3628@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
3663 # ifdef OPENSSL_HAS_ECC 3629 # ifdef OPENSSL_HAS_ECC
3664 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; 3630 ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
3665 # endif 3631 # endif
3632-#endif
3666+# ifdef GSSAPI 3633+# ifdef GSSAPI
3667+ if (options.gss_keyex) { 3634+ if (options.gss_keyex) {
3668+ ssh->kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 3635+ ssh->kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -3674,7 +3641,7 @@ index 87fa70a40..a4ec75ca1 100644
3674+ ssh->kex->kex[KEX_GSS_C25519_SHA256] = kexgss_client; 3641+ ssh->kex->kex[KEX_GSS_C25519_SHA256] = kexgss_client;
3675+ } 3642+ }
3676+# endif 3643+# endif
3677 #endif 3644+#endif /* WITH_OPENSSL */
3678 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; 3645 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
3679 ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; 3646 ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
3680 ssh->kex->verify_host_key=&verify_host_key_callback; 3647 ssh->kex->verify_host_key=&verify_host_key_callback;
@@ -3706,7 +3673,7 @@ index 87fa70a40..a4ec75ca1 100644
3706 if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) 3673 if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
3707 fatal("kex_prop2buf: %s", ssh_err(r)); 3674 fatal("kex_prop2buf: %s", ssh_err(r));
3708 3675
3709@@ -317,6 +379,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); 3676@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
3710 static int input_gssapi_token(int type, u_int32_t, struct ssh *); 3677 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
3711 static int input_gssapi_error(int, u_int32_t, struct ssh *); 3678 static int input_gssapi_error(int, u_int32_t, struct ssh *);
3712 static int input_gssapi_errtok(int, u_int32_t, struct ssh *); 3679 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3714,7 +3681,7 @@ index 87fa70a40..a4ec75ca1 100644
3714 #endif 3681 #endif
3715 3682
3716 void userauth(struct ssh *, char *); 3683 void userauth(struct ssh *, char *);
3717@@ -333,6 +396,11 @@ static char *authmethods_get(void); 3684@@ -346,6 +409,11 @@ static char *authmethods_get(void);
3718 3685
3719 Authmethod authmethods[] = { 3686 Authmethod authmethods[] = {
3720 #ifdef GSSAPI 3687 #ifdef GSSAPI
@@ -3726,7 +3693,7 @@ index 87fa70a40..a4ec75ca1 100644
3726 {"gssapi-with-mic", 3693 {"gssapi-with-mic",
3727 userauth_gssapi, 3694 userauth_gssapi,
3728 userauth_gssapi_cleanup, 3695 userauth_gssapi_cleanup,
3729@@ -697,12 +765,25 @@ userauth_gssapi(struct ssh *ssh) 3696@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
3730 OM_uint32 min; 3697 OM_uint32 min;
3731 int r, ok = 0; 3698 int r, ok = 0;
3732 gss_OID mech = NULL; 3699 gss_OID mech = NULL;
@@ -3753,7 +3720,7 @@ index 87fa70a40..a4ec75ca1 100644
3753 3720
3754 /* Check to see whether the mechanism is usable before we offer it */ 3721 /* Check to see whether the mechanism is usable before we offer it */
3755 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && 3722 while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
3756@@ -711,13 +792,15 @@ userauth_gssapi(struct ssh *ssh) 3723@@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh)
3757 elements[authctxt->mech_tried]; 3724 elements[authctxt->mech_tried];
3758 /* My DER encoding requires length<128 */ 3725 /* My DER encoding requires length<128 */
3759 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, 3726 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3770,7 +3737,7 @@ index 87fa70a40..a4ec75ca1 100644
3770 if (!ok || mech == NULL) 3737 if (!ok || mech == NULL)
3771 return 0; 3738 return 0;
3772 3739
3773@@ -957,6 +1040,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3740@@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3774 free(lang); 3741 free(lang);
3775 return r; 3742 return r;
3776 } 3743 }
@@ -3827,21 +3794,10 @@ index 87fa70a40..a4ec75ca1 100644
3827 3794
3828 static int 3795 static int
3829diff --git a/sshd.c b/sshd.c 3796diff --git a/sshd.c b/sshd.c
3830index 11571c010..3a5c1ea78 100644 3797index 60b2aaf73..d92f03aaf 100644
3831--- a/sshd.c 3798--- a/sshd.c
3832+++ b/sshd.c 3799+++ b/sshd.c
3833@@ -123,6 +123,10 @@ 3800@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
3834 #include "version.h"
3835 #include "ssherr.h"
3836
3837+#ifdef USE_SECURITY_SESSION_API
3838+#include <Security/AuthSession.h>
3839+#endif
3840+
3841 /* Re-exec fds */
3842 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3843 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3844@@ -796,8 +800,8 @@ notify_hostkeys(struct ssh *ssh)
3845 } 3801 }
3846 debug3("%s: sent %u hostkeys", __func__, nkeys); 3802 debug3("%s: sent %u hostkeys", __func__, nkeys);
3847 if (nkeys == 0) 3803 if (nkeys == 0)
@@ -3852,7 +3808,7 @@ index 11571c010..3a5c1ea78 100644
3852 sshpkt_fatal(ssh, r, "%s: send", __func__); 3808 sshpkt_fatal(ssh, r, "%s: send", __func__);
3853 sshbuf_free(buf); 3809 sshbuf_free(buf);
3854 } 3810 }
3855@@ -1773,7 +1777,8 @@ main(int ac, char **av) 3811@@ -1852,7 +1852,8 @@ main(int ac, char **av)
3856 free(fp); 3812 free(fp);
3857 } 3813 }
3858 accumulate_host_timing_secret(cfg, NULL); 3814 accumulate_host_timing_secret(cfg, NULL);
@@ -3862,68 +3818,7 @@ index 11571c010..3a5c1ea78 100644
3862 logit("sshd: no hostkeys available -- exiting."); 3818 logit("sshd: no hostkeys available -- exiting.");
3863 exit(1); 3819 exit(1);
3864 } 3820 }
3865@@ -2069,6 +2074,60 @@ main(int ac, char **av) 3821@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
3866 rdomain == NULL ? "" : "\"");
3867 free(laddr);
3868
3869+#ifdef USE_SECURITY_SESSION_API
3870+ /*
3871+ * Create a new security session for use by the new user login if
3872+ * the current session is the root session or we are not launched
3873+ * by inetd (eg: debugging mode or server mode). We do not
3874+ * necessarily need to create a session if we are launched from
3875+ * inetd because Panther xinetd will create a session for us.
3876+ *
3877+ * The only case where this logic will fail is if there is an
3878+ * inetd running in a non-root session which is not creating
3879+ * new sessions for us. Then all the users will end up in the
3880+ * same session (bad).
3881+ *
3882+ * When the client exits, the session will be destroyed for us
3883+ * automatically.
3884+ *
3885+ * We must create the session before any credentials are stored
3886+ * (including AFS pags, which happens a few lines below).
3887+ */
3888+ {
3889+ OSStatus err = 0;
3890+ SecuritySessionId sid = 0;
3891+ SessionAttributeBits sattrs = 0;
3892+
3893+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
3894+ if (err)
3895+ error("SessionGetInfo() failed with error %.8X",
3896+ (unsigned) err);
3897+ else
3898+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
3899+ (unsigned) sid, (unsigned) sattrs);
3900+
3901+ if (inetd_flag && !(sattrs & sessionIsRoot))
3902+ debug("Running in inetd mode in a non-root session... "
3903+ "assuming inetd created the session for us.");
3904+ else {
3905+ debug("Creating new security session...");
3906+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
3907+ if (err)
3908+ error("SessionCreate() failed with error %.8X",
3909+ (unsigned) err);
3910+
3911+ err = SessionGetInfo(callerSecuritySession, &sid,
3912+ &sattrs);
3913+ if (err)
3914+ error("SessionGetInfo() failed with error %.8X",
3915+ (unsigned) err);
3916+ else
3917+ debug("New Session ID is %.8X / Session Attributes are %.8X",
3918+ (unsigned) sid, (unsigned) sattrs);
3919+ }
3920+ }
3921+#endif
3922+
3923 /*
3924 * We don't want to listen forever unless the other side
3925 * successfully authenticates itself. So we set up an alarm which is
3926@@ -2265,6 +2324,48 @@ do_ssh2_kex(struct ssh *ssh)
3927 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3822 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3928 list_hostkey_types()); 3823 list_hostkey_types());
3929 3824
@@ -3972,7 +3867,7 @@ index 11571c010..3a5c1ea78 100644
3972 /* start key exchange */ 3867 /* start key exchange */
3973 if ((r = kex_setup(ssh, myproposal)) != 0) 3868 if ((r = kex_setup(ssh, myproposal)) != 0)
3974 fatal("kex_setup: %s", ssh_err(r)); 3869 fatal("kex_setup: %s", ssh_err(r));
3975@@ -2280,7 +2381,18 @@ do_ssh2_kex(struct ssh *ssh) 3870@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
3976 # ifdef OPENSSL_HAS_ECC 3871 # ifdef OPENSSL_HAS_ECC
3977 kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 3872 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
3978 # endif 3873 # endif
@@ -4006,10 +3901,10 @@ index 19b7c91a1..2c48105f8 100644
4006 # Set this to 'yes' to enable PAM authentication, account processing, 3901 # Set this to 'yes' to enable PAM authentication, account processing,
4007 # and session processing. If this is enabled, PAM authentication will 3902 # and session processing. If this is enabled, PAM authentication will
4008diff --git a/sshd_config.5 b/sshd_config.5 3903diff --git a/sshd_config.5 b/sshd_config.5
4009index 9486f2a1c..cec3c3c4e 100644 3904index 70ccea449..f6b41a2f8 100644
4010--- a/sshd_config.5 3905--- a/sshd_config.5
4011+++ b/sshd_config.5 3906+++ b/sshd_config.5
4012@@ -655,6 +655,11 @@ Specifies whether to automatically destroy the user's credentials cache 3907@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
4013 on logout. 3908 on logout.
4014 The default is 3909 The default is
4015 .Cm yes . 3910 .Cm yes .
@@ -4021,7 +3916,7 @@ index 9486f2a1c..cec3c3c4e 100644
4021 .It Cm GSSAPIStrictAcceptorCheck 3916 .It Cm GSSAPIStrictAcceptorCheck
4022 Determines whether to be strict about the identity of the GSSAPI acceptor 3917 Determines whether to be strict about the identity of the GSSAPI acceptor
4023 a client authenticates against. 3918 a client authenticates against.
4024@@ -669,6 +674,31 @@ machine's default store. 3919@@ -660,6 +665,31 @@ machine's default store.
4025 This facility is provided to assist with operation on multi homed machines. 3920 This facility is provided to assist with operation on multi homed machines.
4026 The default is 3921 The default is
4027 .Cm yes . 3922 .Cm yes .
@@ -4054,18 +3949,18 @@ index 9486f2a1c..cec3c3c4e 100644
4054 Specifies the key types that will be accepted for hostbased authentication 3949 Specifies the key types that will be accepted for hostbased authentication
4055 as a list of comma-separated patterns. 3950 as a list of comma-separated patterns.
4056diff --git a/sshkey.c b/sshkey.c 3951diff --git a/sshkey.c b/sshkey.c
4057index ef90563b3..4d2048b6a 100644 3952index 57995ee68..fd5b77246 100644
4058--- a/sshkey.c 3953--- a/sshkey.c
4059+++ b/sshkey.c 3954+++ b/sshkey.c
4060@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = { 3955@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
4061 # endif /* OPENSSL_HAS_NISTP521 */ 3956 KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
4062 # endif /* OPENSSL_HAS_ECC */ 3957 # endif /* OPENSSL_HAS_ECC */
4063 #endif /* WITH_OPENSSL */ 3958 #endif /* WITH_OPENSSL */
4064+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, 3959+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
4065 { NULL, NULL, NULL, -1, -1, 0, 0 } 3960 { NULL, NULL, NULL, -1, -1, 0, 0 }
4066 }; 3961 };
4067 3962
4068@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 3963@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
4069 const struct keytype *kt; 3964 const struct keytype *kt;
4070 3965
4071 for (kt = keytypes; kt->type != -1; kt++) { 3966 for (kt = keytypes; kt->type != -1; kt++) {
@@ -4075,13 +3970,13 @@ index ef90563b3..4d2048b6a 100644
4075 if (!include_sigonly && kt->sigonly) 3970 if (!include_sigonly && kt->sigonly)
4076 continue; 3971 continue;
4077diff --git a/sshkey.h b/sshkey.h 3972diff --git a/sshkey.h b/sshkey.h
4078index 1119a7b07..1bf30d055 100644 3973index 71a3fddcb..37a43a67a 100644
4079--- a/sshkey.h 3974--- a/sshkey.h
4080+++ b/sshkey.h 3975+++ b/sshkey.h
4081@@ -65,6 +65,7 @@ enum sshkey_types { 3976@@ -69,6 +69,7 @@ enum sshkey_types {
4082 KEY_ED25519_CERT, 3977 KEY_ECDSA_SK_CERT,
4083 KEY_XMSS, 3978 KEY_ED25519_SK,
4084 KEY_XMSS_CERT, 3979 KEY_ED25519_SK_CERT,
4085+ KEY_NULL, 3980+ KEY_NULL,
4086 KEY_UNSPEC 3981 KEY_UNSPEC
4087 }; 3982 };
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 2f7ac943d..734118a19 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 26d9fe60e31c78018bdfd49bba1196ea7c44405d Mon Sep 17 00:00:00 2001 1From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2018-10-19 19Last-Update: 2020-02-21
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index a7fb7ca15..09787c0e5 100644 29index 0fc996871..2399208f8 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -177,6 +177,7 @@ typedef enum { 32@@ -176,6 +176,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 33 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, 34 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
35 oSecurityKeyProvider,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -326,6 +327,8 @@ static struct { 40@@ -326,6 +327,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 41 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 42 { "proxyjump", oProxyJump },
43 { "securitykeyprovider", oSecurityKeyProvider },
44+ { "protocolkeepalives", oProtocolKeepAlives }, 44+ { "protocolkeepalives", oProtocolKeepAlives },
45+ { "setuptimeout", oSetupTimeOut }, 45+ { "setuptimeout", oSetupTimeOut },
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1449,6 +1452,8 @@ parse_keytypes: 49@@ -1495,6 +1498,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index a7fb7ca15..09787c0e5 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2142,8 +2147,13 @@ fill_default_options(Options * options) 58@@ -2198,8 +2203,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,24 +72,25 @@ index a7fb7ca15..09787c0e5 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index f4668673b..bc04d8d02 100644 75index 3f4906972..3079db19b 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -265,8 +265,12 @@ Valid arguments are 78@@ -266,9 +266,13 @@ If set to
79 If set to
80 .Cm yes , 79 .Cm yes ,
81 passphrase/password querying will be disabled. 80 user interaction such as password prompts and host key confirmation requests
81 will be disabled.
82+In addition, the 82+In addition, the
83+.Cm ServerAliveInterval 83+.Cm ServerAliveInterval
84+option will be set to 300 seconds by default (Debian-specific). 84+option will be set to 300 seconds by default (Debian-specific).
85 This option is useful in scripts and other batch jobs where no user 85 This option is useful in scripts and other batch jobs where no user
86-is present to supply the password. 86 is present to interact with
87+is present to supply the password, 87-.Xr ssh 1 .
88+.Xr ssh 1 ,
88+and where it is desirable to detect a broken network swiftly. 89+and where it is desirable to detect a broken network swiftly.
89 The argument must be 90 The argument must be
90 .Cm yes 91 .Cm yes
91 or 92 or
92@@ -1557,7 +1561,14 @@ from the server, 93@@ -1593,7 +1597,14 @@ from the server,
93 will send a message through the encrypted 94 will send a message through the encrypted
94 channel to request a response from the server. 95 channel to request a response from the server.
95 The default 96 The default
@@ -105,7 +106,7 @@ index f4668673b..bc04d8d02 100644
105 .It Cm SetEnv 106 .It Cm SetEnv
106 Directly specify one or more environment variables and their contents to 107 Directly specify one or more environment variables and their contents to
107 be sent to the server. 108 be sent to the server.
108@@ -1637,6 +1648,12 @@ Specifies whether the system should send TCP keepalive messages to the 109@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 110 other side.
110 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -119,10 +120,10 @@ index f4668673b..bc04d8d02 100644
119 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
120 find it annoying. 121 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
122index cec3c3c4e..eec224158 100644 123index f6b41a2f8..ebd09f891 100644
123--- a/sshd_config.5 124--- a/sshd_config.5
124+++ b/sshd_config.5 125+++ b/sshd_config.5
125@@ -1615,6 +1615,9 @@ This avoids infinitely hanging sessions. 126@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions.
126 .Pp 127 .Pp
127 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 129 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 639b216d6..6d48d7589 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From fdcf8c0343564121a89be817386c5feabd40c609 Mon Sep 17 00:00:00 2001 1From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 644057bc4..41e75a275 100644 17index 4a5d4a003..b796d3c8a 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -990,9 +990,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 644057bc4..41e75a275 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -1001,6 +1005,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1002,6 +1006,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 error("Offending %s key in %s:%lu", 36 error("Offending %s key in %s:%lu",
37 sshkey_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 9b5baee08..02a798b85 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From ed88eee326ca80e1e0fdb6f9ef0346f6d5e021a8 Mon Sep 17 00:00:00 2001 1From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 46e1f8712..34ec87094 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 8fb8f70b0534897791c61f2757e97bd13385944e Mon Sep 17 00:00:00 2001 1From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,11 +44,11 @@ index ef0de0850..149846c8c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 957d2f0f0..143a2349f 100644 47index 7af564297..d6a7870e0 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -191,9 +191,7 @@ key in 50@@ -196,9 +196,7 @@ key in
51 .Pa ~/.ssh/id_ed25519 51 .Pa ~/.ssh/id_ed25519_sk
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
54-Additionally, the system administrator may use this to generate host keys, 54-Additionally, the system administrator may use this to generate host keys,
@@ -58,7 +58,7 @@ index 957d2f0f0..143a2349f 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -256,9 +254,7 @@ If 61@@ -261,9 +259,7 @@ If
62 .Fl f 62 .Fl f
63 has also been specified, its argument is used as a prefix to the 63 has also been specified, its argument is used as a prefix to the
64 default path for the resulting host key files. 64 default path for the resulting host key files.
@@ -69,7 +69,7 @@ index 957d2f0f0..143a2349f 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a private key, this option specifies the number of KDF 70 When saving a private key, this option specifies the number of KDF
71 (key derivation function) rounds used. 71 (key derivation function) rounds used.
72@@ -798,7 +794,7 @@ option. 72@@ -783,7 +779,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -77,8 +77,8 @@ index 957d2f0f0..143a2349f 100644
77+.Pa /etc/ssh/moduli . 77+.Pa /etc/ssh/moduli .
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Pp
81@@ -1049,7 +1045,7 @@ on all machines 81@@ -1154,7 +1150,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 957d2f0f0..143a2349f 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 20e4c4efa..4923031f4 100644 91index cf991e4ee..17b0e984f 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -873,6 +873,10 @@ implements public key authentication protocol automatically, 94@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index 20e4c4efa..4923031f4 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 57a7fd66b..4abc01d66 100644 106index 730520231..5ce0ea4fa 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 57a7fd66b..4abc01d66 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -884,7 +884,7 @@ This file is for host-based authentication (see 118@@ -904,7 +904,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index 57a7fd66b..4abc01d66 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method. 125 key exchange method.
126 The file format is described in 126 The file format is described in
127@@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 57a7fd66b..4abc01d66 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 46537f177..270805060 100644 136index c926f584c..25f4b8117 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -393,8 +393,7 @@ Certificates signed using other algorithms will not be accepted for 139@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
140 public key or host-based authentication. 140 public key or host-based authentication.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 7a811f9af..32a7a1fed 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 6a8dfab1a067a52b004594fadb3a90578a8cc094 Mon Sep 17 00:00:00 2001 1From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
18 2 files changed, 7 insertions(+), 2 deletions(-) 18 2 files changed, 7 insertions(+), 2 deletions(-)
19 19
20diff --git a/kex.c b/kex.c 20diff --git a/kex.c b/kex.c
21index e09355dbd..65ed6af02 100644 21index 574c76093..f638942d3 100644
22--- a/kex.c 22--- a/kex.c
23+++ b/kex.c 23+++ b/kex.c
24@@ -1239,7 +1239,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, 24@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
25 if (version_addendum != NULL && *version_addendum == '\0') 25 if (version_addendum != NULL && *version_addendum == '\0')
26 version_addendum = NULL; 26 version_addendum = NULL;
27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", 27 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -31,11 +31,11 @@ index e09355dbd..65ed6af02 100644
31 version_addendum == NULL ? "" : version_addendum)) != 0) { 31 version_addendum == NULL ? "" : version_addendum)) != 0) {
32 error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 32 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
33diff --git a/version.h b/version.h 33diff --git a/version.h b/version.h
34index 6b3fadf89..a24017eca 100644 34index c2affcb2a..d79126cc3 100644
35--- a/version.h 35--- a/version.h
36+++ b/version.h 36+++ b/version.h
37@@ -3,4 +3,9 @@ 37@@ -3,4 +3,9 @@
38 #define SSH_VERSION "OpenSSH_8.1" 38 #define SSH_VERSION "OpenSSH_8.2"
39 39
40 #define SSH_PORTABLE "p1" 40 #define SSH_PORTABLE "p1"
41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 41-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
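diff --git a/debian/patches/regress-2020.patch b/debian/patches/regress-2020.patch
deleted file mode 100644
index 785945d33..000000000
--- a/debian/patches/regress-2020.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7ee24da2b84bf463dd5e8611479fa7a5acaa40e4 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 3 Jan 2020 03:02:26 +0000
-Subject: upstream: what bozo decided to use 2020 as a future date in a regress
-
-test?
-
-OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=ff31f15773ee173502eec4d7861ec56f26bba381
-Last-Update: 2020-01-09
-
-Patch-Name: regress-2020.patch
----
- regress/cert-hostkey.sh | 2 +-
- regress/cert-userkey.sh | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 86ea62504..844adabcc 100644
---- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -252,7 +252,7 @@ test_one() {
- test_one "user-certificate" failure "-n $HOSTS"
- test_one "empty principals" success "-h"
- test_one "wrong principals" failure "-h -n foo"
--test_one "cert not yet valid" failure "-h -V20200101:20300101"
-+test_one "cert not yet valid" failure "-h -V20300101:20320101"
- test_one "cert expired" failure "-h -V19800101:19900101"
- test_one "cert valid interval" success "-h -V-1w:+2w"
- test_one "cert has constraints" failure "-h -Oforce-command=false"
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index 38c14a698..5cd02fc3f 100644
---- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
-@@ -338,7 +338,7 @@ test_one() {
- test_one "correct principal" success "-n ${USER}"
- test_one "host-certificate" failure "-n ${USER} -h"
- test_one "wrong principals" failure "-n foo"
--test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
-+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
- test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
- test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
- test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"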
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 15102b004..7281395ae 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 5c1ed7182e928fcf03d11c1bcc51c26c2c42629d Mon Sep 17 00:00:00 2001 1From 2fe72c4e855be0fc87dbdc296632394b6cfe957a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 222a996f1..d73cc283c 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001 1From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 1c2512314..e894db9fc 100644 31index efafb6bd8..cee7cbc51 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1521,6 +1521,62 @@ else 34@@ -1556,6 +1556,62 @@ else
35 AC_MSG_RESULT([no]) 35 AC_MSG_RESULT([no])
36 fi 36 fi
37 37
@@ -94,7 +94,7 @@ index 1c2512314..e894db9fc 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG" 97@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
98 echo " OSF SIA support: $SIA_MSG" 98 echo " OSF SIA support: $SIA_MSG"
99 echo " KerberosV support: $KRB5_MSG" 99 echo " KerberosV support: $KRB5_MSG"
100 echo " SELinux support: $SELINUX_MSG" 100 echo " SELinux support: $SELINUX_MSG"
@@ -103,10 +103,10 @@ index 1c2512314..e894db9fc 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " libldns support: $LDNS_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index fb133c14b..57a7fd66b 100644 106index c5f8987d2..730520231 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -873,6 +873,12 @@ the user's home directory becomes accessible. 109@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index fb133c14b..57a7fd66b 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,12 +128,12 @@ index fb133c14b..57a7fd66b 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 3a5c1ea78..4e32fd10d 100644 131index d92f03aaf..62dc55cf2 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -124,6 +124,13 @@
135 #include <Security/AuthSession.h> 135 #include "ssherr.h"
136 #endif 136 #include "sk-api.h"
137 137
138+#ifdef LIBWRAP 138+#ifdef LIBWRAP
139+#include <tcpd.h> 139+#include <tcpd.h>
@@ -145,7 +145,7 @@ index 3a5c1ea78..4e32fd10d 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2062,6 +2069,24 @@ main(int ac, char **av) 148@@ -2138,6 +2145,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
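Review bot: The libwrap hook this patch keeps re-adding to sshd.c is placed in main() directly after the audit_connection_from() call, which from the hunk headers visible here is the per-connection path taken before privilege separation, so hosts_access() and its parsing of the hosts.allow/hosts.deny files would run for every unauthenticated peer outside the sandbox that later confines the preauth child; the patch header does not record this, although it is the reason upstream removed tcp_wrappers support. Suggest adding one line to the description after the Subject: `Note: the hosts_access() check runs in the connection child before privsep and the seccomp sandbox are set up, so libwrap parsing is reachable pre-authentication; keep libwrap patched and hosts.allow/hosts.deny root-owned.` The inserted block and the remainder of main() lie outside the visible lines of this hunk, so the exact ordering relative to privsep_preauth() should be confirmed against the full patch.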
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 37a1fec98..02c505531 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
1From 08ef8cb952462442660914b42de3f84f31ec1a6d Mon Sep 17 00:00:00 2001 1From a2dabf35ce0228c86a288d11cc847a9d9801604f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 8 Apr 2019 10:46:29 +0100 3Date: Mon, 8 Apr 2019 10:46:29 +0100
4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP 4Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
24 4 files changed, 8 insertions(+), 12 deletions(-) 24 4 files changed, 8 insertions(+), 12 deletions(-)
25 25
26diff --git a/readconf.c b/readconf.c 26diff --git a/readconf.c b/readconf.c
27index 253574ce0..9812b8d98 100644 27index e82024678..1b9494d7c 100644
28--- a/readconf.c 28--- a/readconf.c
29+++ b/readconf.c 29+++ b/readconf.c
30@@ -2174,9 +2174,9 @@ fill_default_options(Options * options) 30@@ -2230,9 +2230,9 @@ fill_default_options(Options * options)
31 if (options->visual_host_key == -1) 31 if (options->visual_host_key == -1)
32 options->visual_host_key = 0; 32 options->visual_host_key = 0;
33 if (options->ip_qos_interactive == -1) 33 if (options->ip_qos_interactive == -1)
@@ -40,10 +40,10 @@ index 253574ce0..9812b8d98 100644
40 options->request_tty = REQUEST_TTY_AUTO; 40 options->request_tty = REQUEST_TTY_AUTO;
41 if (options->proxy_use_fdpass == -1) 41 if (options->proxy_use_fdpass == -1)
42diff --git a/servconf.c b/servconf.c 42diff --git a/servconf.c b/servconf.c
43index 5576098a5..4464d51a5 100644 43index 7bbc25c2e..470ad3619 100644
44--- a/servconf.c 44--- a/servconf.c
45+++ b/servconf.c 45+++ b/servconf.c
46@@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options) 46@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
47 if (options->permit_tun == -1) 47 if (options->permit_tun == -1)
48 options->permit_tun = SSH_TUNMODE_NO; 48 options->permit_tun = SSH_TUNMODE_NO;
49 if (options->ip_qos_interactive == -1) 49 if (options->ip_qos_interactive == -1)
@@ -56,10 +56,10 @@ index 5576098a5..4464d51a5 100644
56 options->version_addendum = xstrdup(""); 56 options->version_addendum = xstrdup("");
57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) 57 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
58diff --git a/ssh_config.5 b/ssh_config.5 58diff --git a/ssh_config.5 b/ssh_config.5
59index d27655e15..b71d5ede9 100644 59index 5c90d3e02..6b4e4f43b 100644
60--- a/ssh_config.5 60--- a/ssh_config.5
61+++ b/ssh_config.5 61+++ b/ssh_config.5
62@@ -1110,11 +1110,9 @@ If one argument is specified, it is used as the packet class unconditionally. 62@@ -1133,11 +1133,9 @@ If one argument is specified, it is used as the packet class unconditionally.
63 If two values are specified, the first is automatically selected for 63 If two values are specified, the first is automatically selected for
64 interactive sessions and the second for non-interactive sessions. 64 interactive sessions and the second for non-interactive sessions.
65 The default is 65 The default is
@@ -74,10 +74,10 @@ index d27655e15..b71d5ede9 100644
74 .It Cm KbdInteractiveAuthentication 74 .It Cm KbdInteractiveAuthentication
75 Specifies whether to use keyboard-interactive authentication. 75 Specifies whether to use keyboard-interactive authentication.
76diff --git a/sshd_config.5 b/sshd_config.5 76diff --git a/sshd_config.5 b/sshd_config.5
77index 02e29cb6f..ba533af9e 100644 77index b8bea2ad7..fd205e418 100644
78--- a/sshd_config.5 78--- a/sshd_config.5
79+++ b/sshd_config.5 79+++ b/sshd_config.5
80@@ -892,11 +892,9 @@ If one argument is specified, it is used as the packet class unconditionally. 80@@ -907,11 +907,9 @@ If one argument is specified, it is used as the packet class unconditionally.
81 If two values are specified, the first is automatically selected for 81 If two values are specified, the first is automatically selected for
82 interactive sessions and the second for non-interactive sessions. 82 interactive sessions and the second for non-interactive sessions.
83 The default is 83 The default is
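diff --git a/debian/patches/sandbox-seccomp-clock_gettime64.patch b/debian/patches/sandbox-seccomp-clock_gettime64.patch
deleted file mode 100644
index d3e0bc40c..000000000
--- a/debian/patches/sandbox-seccomp-clock_gettime64.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ba675f490d681365db5a4e4ea6419e8690da6f30 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 7 Jan 2020 16:26:45 -0800
-Subject: seccomp: Allow clock_gettime64() in sandbox.
-
-This helps sshd accept connections on mips platforms with
-upcoming glibc ( 2.31 )
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b110cefdfbf5a20f49b774a55062d6ded2fb6e22
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-clock_gettime64.patch
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3ef30c9d5..999c46c9f 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep_time64
- SC_ALLOW(__NR_clock_nanosleep_time64),
- #endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif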
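diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep.patch b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
deleted file mode 100644
index 2023717b9..000000000
--- a/debian/patches/sandbox-seccomp-clock_nanosleep.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From cb38e55b8af8756b2d6d6f6a1c1a5f949e15b980 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Wed, 13 Nov 2019 23:19:35 +1100
-Subject: seccomp: Allow clock_nanosleep() in sandbox.
-
-seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
-glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=546274a6f89489d2e6be8a8b62f2bb63c87a61fd
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-clock_nanosleep.patch
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..be2397671 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif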
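diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
deleted file mode 100644
index b8d7ad569..000000000
--- a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From f0cfb9ad4b83693731505c945c0685de64483c8d Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Mon, 16 Dec 2019 13:55:56 +1100
-Subject: Allow clock_nanosleep_time64 in seccomp sandbox.
-
-Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5af6fd5461bb709304e6979c8b7856c7af921c9e
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-clock_nanosleep_time64.patch
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index be2397671..3ef30c9d5 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif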
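diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch
deleted file mode 100644
index c84290726..000000000
--- a/debian/patches/sandbox-seccomp-ipc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2e128b223e8e73ace57a0726130bfbcf920d0f9e Mon Sep 17 00:00:00 2001
-From: Jeremy Drake <github@jdrake.com>
-Date: Fri, 11 Oct 2019 18:31:05 -0700
-Subject: Deny (non-fatal) ipc in preauth privsep child.
-
-As noted in openssh/openssh-portable#149, i386 does not have have
-_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
-https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
-list of syscalls that seccomp will deny non-fatally.
-
-Bug-Debian: https://bugs.debian.org/946242
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
-Last-Update: 2020-01-11
-
-Patch-Name: sandbox-seccomp-ipc.patch
----
- sandbox-seccomp-filter.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 999c46c9f..0914e48ba 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -177,6 +177,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_shmdt
- SC_DENY(__NR_shmdt, EACCES),
- #endif
-+#ifdef __NR_ipc
-+ SC_DENY(__NR_ipc, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk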
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index e69c9c46e..8935b8e04 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From 2d8e679834c81fc381d02974986e08cafe3efa29 Mon Sep 17 00:00:00 2001 1From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 0348d0673..5a7a92a7e 100644 20index 6901e0c94..9b64aa5f4 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -199,8 +199,16 @@ do_local_cmd(arglist *a) 23@@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 02d740fe3..63e44af55 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001 1From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
9 9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11Bug-Debian: http://bugs.debian.org/394795 11Bug-Debian: http://bugs.debian.org/394795
12Last-Update: 2019-06-05 12Last-Update: 2020-02-21
13 13
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
@@ -81,10 +81,10 @@ index 1c217268c..92a6bcaf4 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 ssh_packet_disconnect(ssh, 82 ssh_packet_disconnect(ssh,
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index bead9e204..04db44c9c 100644 84index ebf76c7f9..947fdfadc 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); 87@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
88 int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); 88 int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
89 int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); 89 int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
90 int mm_answer_authserv(struct ssh *, int, struct sshbuf *); 90 int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -92,7 +92,7 @@ index bead9e204..04db44c9c 100644
92 int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); 92 int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
93 int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); 93 int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
94 int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); 94 int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
95@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index bead9e204..04db44c9c 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) 103@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index bead9e204..04db44c9c 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) 111@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
112 monitor_permit_authentications(1); 112 monitor_permit_authentications(1);
113 113
114 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || 114 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -154,7 +154,7 @@ index bead9e204..04db44c9c 100644
154 return (0); 154 return (0);
155 } 155 }
156 156
157@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) 157@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
159 if (res == 0) 159 if (res == 0)
160 goto error; 160 goto error;
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
177 177
178 struct ssh; 178 struct ssh;
179diff --git a/monitor_wrap.c b/monitor_wrap.c 179diff --git a/monitor_wrap.c b/monitor_wrap.c
180index fdca39a6a..933ce9a3d 100644 180index 6edb509a3..b49c268d3 100644
181--- a/monitor_wrap.c 181--- a/monitor_wrap.c
182+++ b/monitor_wrap.c 182+++ b/monitor_wrap.c
183@@ -364,10 +364,10 @@ mm_auth2_read_banner(void) 183@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,13 +231,13 @@ index fdca39a6a..933ce9a3d 100644
231 int 231 int
232 mm_auth_password(struct ssh *ssh, char *password) 232 mm_auth_password(struct ssh *ssh, char *password)
233diff --git a/monitor_wrap.h b/monitor_wrap.h 233diff --git a/monitor_wrap.h b/monitor_wrap.h
234index 92dda574b..0f09dba09 100644 234index 485590c18..370b08e17 100644
235--- a/monitor_wrap.h 235--- a/monitor_wrap.h
236+++ b/monitor_wrap.h 236+++ b/monitor_wrap.h
237@@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int); 237@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
238 #endif 238 #endif
239 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, 239 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
240 const u_char *, size_t, const char *, u_int compat); 240 const u_char *, size_t, const char *, const char *, u_int compat);
241-void mm_inform_authserv(char *, char *); 241-void mm_inform_authserv(char *, char *);
242+void mm_inform_authserv(char *, char *, char *); 242+void mm_inform_authserv(char *, char *, char *);
243+void mm_inform_authrole(char *); 243+void mm_inform_authrole(char *);
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
363 char *platform_krb5_get_principal_name(const char *); 363 char *platform_krb5_get_principal_name(const char *);
364 int platform_sys_dir_uid(uid_t); 364 int platform_sys_dir_uid(uid_t);
365diff --git a/session.c b/session.c 365diff --git a/session.c b/session.c
366index f1a47f766..df7d7cf55 100644 366index 06a33442a..871799590 100644
367--- a/session.c 367--- a/session.c
368+++ b/session.c 368+++ b/session.c
369@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid) 369@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
370 370
371 /* Set login name, uid, gid, and groups. */ 371 /* Set login name, uid, gid, and groups. */
372 void 372 void
@@ -375,7 +375,7 @@ index f1a47f766..df7d7cf55 100644
375 { 375 {
376 char uidstr[32], *chroot_path, *tmp; 376 char uidstr[32], *chroot_path, *tmp;
377 377
378@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw) 378@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
379 endgrent(); 379 endgrent();
380 #endif 380 #endif
381 381
@@ -384,7 +384,7 @@ index f1a47f766..df7d7cf55 100644
384 384
385 if (!in_chroot && options.chroot_directory != NULL && 385 if (!in_chroot && options.chroot_directory != NULL &&
386 strcasecmp(options.chroot_directory, "none") != 0) { 386 strcasecmp(options.chroot_directory, "none") != 0) {
387@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 387@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
388 388
389 /* Force a password change */ 389 /* Force a password change */
390 if (s->authctxt->force_pwchange) { 390 if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index f1a47f766..df7d7cf55 100644
393 child_close_fds(ssh); 393 child_close_fds(ssh);
394 do_pwchange(s); 394 do_pwchange(s);
395 exit(1); 395 exit(1);
396@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 396@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
397 /* When PAM is enabled we rely on it to do the nologin check */ 397 /* When PAM is enabled we rely on it to do the nologin check */
398 if (!options.use_pam) 398 if (!options.use_pam)
399 do_nologin(pw); 399 do_nologin(pw);
@@ -402,7 +402,7 @@ index f1a47f766..df7d7cf55 100644
402 /* 402 /*
403 * PAM session modules in do_setusercontext may have 403 * PAM session modules in do_setusercontext may have
404 * generated messages, so if this in an interactive 404 * generated messages, so if this in an interactive
405@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s) 405@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
406 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); 406 sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
407 407
408 if (!use_privsep) 408 if (!use_privsep)
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
426 426
427diff --git a/sshd.c b/sshd.c 427diff --git a/sshd.c b/sshd.c
428index 4e32fd10d..ea8beacb4 100644 428index 62dc55cf2..65916fc6d 100644
429--- a/sshd.c 429--- a/sshd.c
430+++ b/sshd.c 430+++ b/sshd.c
431@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) 431@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
432 reseed_prngs(); 432 reseed_prngs();
433 433
434 /* Drop privileges */ 434 /* Drop privileges */
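diff --git a/debian/patches/series b/debian/patches/series
index 59c651095..8c1046a74 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,8 +23,3 @@ debian-config.patch
 restore-authorized_keys2.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
-regress-2020.patch
-sandbox-seccomp-clock_nanosleep.patch
-sandbox-seccomp-clock_nanosleep_time64.patch
-sandbox-seccomp-clock_gettime64.patch
-sandbox-seccomp-ipc.patch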
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index d7f69011e..43fb1d145 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 5d1aab0eb6baeb044516660a0bde36cba2a3f9c2 Mon Sep 17 00:00:00 2001 1From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -8,7 +8,7 @@ I (Colin Watson) agree with Vincent and think it does.
8 8
9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
10Bug-Debian: http://bugs.debian.org/492728 10Bug-Debian: http://bugs.debian.org/492728
11Last-Update: 2013-09-14 11Last-Update: 2020-02-21
12 12
13Patch-Name: shell-path.patch 13Patch-Name: shell-path.patch
14--- 14---
@@ -16,21 +16,21 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 6230dad32..644057bc4 100644 19index 4711af782..4a5d4a003 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, 22@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 ssh_signal(SIGPIPE, SIG_DFL);
26- execv(argv[0], argv); 26- execv(argv[0], argv);
27+ execvp(argv[0], argv); 27+ execvp(argv[0], argv);
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args) 31@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 ssh_signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
35- execl(shell, shell, "-c", args, (char *)NULL); 35- execl(shell, shell, "-c", args, (char *)NULL);
36+ execlp(shell, shell, "-c", args, (char *)NULL); 36+ execlp(shell, shell, "-c", args, (char *)NULL);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 0dd4c662e..e7849e6c3 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,11 +1,11 @@
1From a8b5ec5c28805f0ab6b1b05474531521ac42eb12 Mon Sep 17 00:00:00 2001 1From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
5 5
6Bug-Debian: http://bugs.debian.org/711623 6Bug-Debian: http://bugs.debian.org/711623
7Forwarded: no 7Forwarded: no
8Last-Update: 2013-06-08 8Last-Update: 2020-02-21
9 9
10Patch-Name: ssh-agent-setgid.patch 10Patch-Name: ssh-agent-setgid.patch
11--- 11---
@@ -13,13 +13,13 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index 83b2b41c8..7230704a3 100644 16index fff0db6bc..99e4f6d2e 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -206,6 +206,21 @@ environment variable holds the agent's process ID. 19@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
20 .Pp 20 It is accessible only to the current user,
21 The agent exits automatically when the command given on the command 21 but is easily abused by root or another instance of the same user.
22 line terminates. 22 .El
23+.Pp 23+.Pp
24+In Debian, 24+In Debian,
25+.Nm 25+.Nm
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index af95ce67e..8f796719d 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From e9f961ffa4e4e73ed22103b5697147d135d88b4f Mon Sep 17 00:00:00 2001 1From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 4923031f4..24530e511 100644 21index 17b0e984f..b33a8049f 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1584,6 +1584,7 @@ if an error occurred. 24@@ -1610,6 +1610,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 5c2b58257..99116e9c4 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 42c820f76fddf2f2e537dbe10842aa39f6154059 Mon Sep 17 00:00:00 2001 1From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 3c68d1a88..a7fb7ca15 100644 20index da8022dd0..0fc996871 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -192,6 +192,7 @@ static struct { 23@@ -191,6 +191,7 @@ static struct {
24 { "fallbacktorsh", oDeprecated }, 24 { "fallbacktorsh", oDeprecated },
25 { "globalknownhostsfile2", oDeprecated }, 25 { "globalknownhostsfile2", oDeprecated },
26 { "rhostsauthentication", oDeprecated }, 26 { "rhostsauthentication", oDeprecated },
@@ -29,10 +29,10 @@ index 3c68d1a88..a7fb7ca15 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index f63eb0b94..73b93c636 100644 32index 191575a16..bf3cd84a4 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -621,6 +621,7 @@ static struct { 35@@ -656,6 +656,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2e4e5bbec..234d95ad2 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 3d1a993f484e9043e57af3ae37b7c9c608d5a5f1 Mon Sep 17 00:00:00 2001 1From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001
2From: Natalie Amery <nmamery@chiark.greenend.org.uk> 2From: Natalie Amery <nmamery@chiark.greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 2da9f5d0d..7b482dcb0 100644 36index 110cf9c19..6138fd4d3 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1268,7 +1268,7 @@ main(int ac, char **av) 39@@ -1305,7 +1305,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 7fb76cf3d..fdcfca30d 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 1From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index e894db9fc..c119d6fd1 100644 17index cee7cbc51..5db3013de 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index e894db9fc..c119d6fd1 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index e894db9fc..c119d6fd1 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 4e8ff0662..5e7679a33 100644 59index da876a900..c069505a0 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 4e8ff0662..5e7679a33 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1951,6 +1955,11 @@ main(int ac, char **av) 73@@ -2027,6 +2031,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 9a1b434fa..8bd35addf 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 19f1d075a06f4d3c9b440d7272272569d8bb0a17 Mon Sep 17 00:00:00 2001 1From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -51,10 +51,10 @@ index 7a10210b6..587f53721 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index 47c27773c..fc0c05bae 100644 54index 687c57b42..aed3c13ac 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -474,8 +474,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
59 if (options.strict_modes && 59 if (options.strict_modes &&
60 (stat(user_hostfile, &st) == 0) && 60 (stat(user_hostfile, &st) == 0) &&
@@ -65,10 +65,10 @@ index 47c27773c..fc0c05bae 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 88833d7ff..42eeb425a 100644 68index 3a31d5c18..073d3be19 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -59,8 +59,9 @@ 71@@ -61,8 +61,9 @@
72 #include <netdb.h> 72 #include <netdb.h>
73 #ifdef HAVE_PATHS_H 73 #ifdef HAVE_PATHS_H
74 # include <paths.h> 74 # include <paths.h>
@@ -79,7 +79,7 @@ index 88833d7ff..42eeb425a 100644
79 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
80 #include <net/if.h> 80 #include <net/if.h>
81 #endif 81 #endif
82@@ -1112,6 +1113,55 @@ percent_expand(const char *string, ...) 82@@ -1124,6 +1125,55 @@ percent_expand(const char *string, ...)
83 #undef EXPAND_MAX_KEYS 83 #undef EXPAND_MAX_KEYS
84 } 84 }
85 85
@@ -135,7 +135,7 @@ index 88833d7ff..42eeb425a 100644
135 int 135 int
136 tun_open(int tun, int mode, char **ifname) 136 tun_open(int tun, int mode, char **ifname)
137 { 137 {
138@@ -1869,8 +1919,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 138@@ -1909,8 +1959,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf); 139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1; 140 return -1;
141 } 141 }
@@ -145,7 +145,7 @@ index 88833d7ff..42eeb425a 100644
145 snprintf(err, errlen, "bad ownership or modes for file %s", 145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf); 146 buf);
147 return -1; 147 return -1;
148@@ -1885,8 +1934,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 148@@ -1925,8 +1974,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf)); 149 strlcpy(buf, cp, sizeof(buf));
150 150
151 if (stat(buf, &st) == -1 || 151 if (stat(buf, &st) == -1 ||
@@ -156,12 +156,12 @@ index 88833d7ff..42eeb425a 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index bcc34f980..869895d3a 100644 159index 4a05db2da..5db594b91 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -181,6 +181,8 @@ int opt_match(const char **opts, const char *term); 162@@ -188,6 +188,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
163 char *read_passphrase(const char *, int); 163 __attribute__((format(printf, 2, 3)));
164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 164 void notify_complete(struct notifier_ctx *);
165 165
166+int secure_permissions(struct stat *st, uid_t uid); 166+int secure_permissions(struct stat *st, uid_t uid);
167+ 167+
@@ -169,10 +169,10 @@ index bcc34f980..869895d3a 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 09787c0e5..16d2729dd 100644 172index 2399208f8..7f251dd4a 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1855,8 +1855,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 09787c0e5..16d2729dd 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index 26940ad55..20e4c4efa 100644 186index db5c65bc7..cf991e4ee 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1484,6 +1484,8 @@ The file format and configuration options are described in 189@@ -1506,6 +1506,8 @@ The file format and configuration options are described in
190 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
191 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
192 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index 26940ad55..20e4c4efa 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index bc04d8d02..2c74b57c0 100644 199index 3079db19b..e61a0fd43 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1907,6 +1907,8 @@ The format of this file is described above. 202@@ -1952,6 +1952,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not writable by others. 205 read/write for the user, and not writable by others.
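--- a/debian/rules
+++ b/debian/rules
@@ -78,6 +78,7 @@ ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
 confflags += --with-audit=linux
 confflags += --with-systemd
+confflags += --with-security-key-builtin
 endif
 
 # The deb build wants xauth; the udeb build doesn't.
@@ -184,8 +185,10 @@ override_dh_install-indep:
 	dh_install
 
 override_dh_installdocs:
-	dh_installdocs -Nopenssh-server -Nopenssh-sftp-server
-	dh_installdocs -popenssh-server -popenssh-sftp-server \
+	dh_installdocs \
+	-Nopenssh-server -Nopenssh-sftp-server -Nopenssh-sk-helper
+	dh_installdocs \
+	-popenssh-server -popenssh-sftp-server -popenssh-sk-helper \
 	--link-doc=openssh-client
 	# Avoid breaking dh_installexamples later.
 	mkdir -p debian/openssh-server/usr/share/doc/openssh-client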
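Review bot: `--with-security-key-builtin` is added inside the `ifeq ($(DEB_HOST_ARCH_OS),linux)` block with no comment on why it is Linux-only, while the openssh-sk-helper package it feeds is handled unconditionally in override_dh_installdocs; a one-line note such as `# Built-in FIDO/U2F security-key support (ships ssh-sk-helper); presumably Linux-only because of its libfido2 build-dependency — confirm` would make the restriction reviewable next to the other Linux-only flags. Separately, `--link-doc=openssh-client` now also covers openssh-sk-helper, which is only safe when that package declares a strict `Depends: openssh-client (= ${binary:Version})`; the debian/control change is not visible here, so verify it, otherwise the shared /usr/share/doc symlink can dangle on partial upgrades. Both hunks in this section are complete.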