summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/changelog89
-rw-r--r--debian/patches/auth-log-verbosity.patch120
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/debian-banner.patch34
-rw-r--r--debian/patches/debian-config.patch28
-rw-r--r--debian/patches/dnssec-sshfp.patch8
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/fix-regress-putty-transfer.patch37
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch152
-rw-r--r--debian/patches/keepalive-extensions.patch20
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-dsa-host-key-by-default.patch83
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch22
-rw-r--r--debian/patches/package-versioning.patch14
-rw-r--r--debian/patches/permitopen-argument-handling.patch51
-rw-r--r--debian/patches/restore-authorized_keys2.patch4
-rw-r--r--debian/patches/restore-tcp-wrappers.patch26
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch2
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch2
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch2
-rw-r--r--debian/patches/selinux-role.patch74
-rw-r--r--debian/patches/series4
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch8
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch32
33 files changed, 342 insertions, 548 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c60a212e2..70448df87 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2bd081a1ae125c7c6b2cfec89746d1298a306ad78 276aa43d2298f322f0371b74462418d0461537131
3bd081a1ae125c7c6b2cfec89746d1298a306ad78 376aa43d2298f322f0371b74462418d0461537131
462f54f20bf351468e0124f63cc2902ee40d9b0e9 4ed6ae9c1a014a08ff5db3d768f01f2e427eeb476
562f54f20bf351468e0124f63cc2902ee40d9b0e9 5ed6ae9c1a014a08ff5db3d768f01f2e427eeb476
6openssh_7.6p1.orig.tar.gz 6openssh_7.7p1.orig.tar.gz
7a6984bc2c72192bed015c8b879b35dd9f5350b3b 7446fe9ed171f289f0d62197dffdbfdaaf21c49f2
81489788 81536900
diff --git a/debian/changelog b/debian/changelog
index 68b8167af..9646ee994 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,92 @@
1openssh (1:7.7p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-7.7):
4 - ssh(1)/sshd(8): Drop compatibility support for some very old SSH
5 implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
6 versions were all released in or before 2001 and predate the final SSH
7 RFCs. The support in question isn't necessary for RFC-compliant SSH
8 implementations.
9 - Add experimental support for PQC XMSS keys (Extended Hash-Based
10 Signatures).
11 - sshd(8): Add an "rdomain" criterion for the sshd_config Match keyword
12 to allow conditional configuration that depends on which routing
13 domain a connection was received on.
14 - sshd_config(5): Add an optional rdomain qualifier to the ListenAddress
15 directive to allow listening on different routing domains.
16 - sshd(8): Add "expiry-time" option for authorized_keys files to allow
17 for expiring keys.
18 - ssh(1): Add a BindInterface option to allow binding the outgoing
19 connection to an interface's address (basically a more usable
20 BindAddress; closes: #289592).
21 - ssh(1): Expose device allocated for tun/tap forwarding via a new %T
22 expansion for LocalCommand. This allows LocalCommand to be used to
23 prepare the interface.
24 - sshd(8): Expose the device allocated for tun/tap forwarding via a new
25 SSH_TUNNEL environment variable. This allows automatic setup of the
26 interface and surrounding network configuration automatically on the
27 server.
28 - ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
29 ssh://user@host or sftp://user@host/path. Additional connection
30 parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
31 implemented since the ssh fingerprint format in the draft uses the
32 deprecated MD5 hash with no way to specify any other algorithm.
33 - ssh-keygen(1): Allow certificate validity intervals that specify only
34 a start or stop time (instead of both or neither).
35 - sftp(1): Allow "cd" and "lcd" commands with no explicit path argument.
36 lcd will change to the local user's home directory as usual. cd will
37 change to the starting directory for session (because the protocol
38 offers no way to obtain the remote user's home directory).
39 - sshd(8): When doing a config test with sshd -T, only require the
40 attributes that are actually used in Match criteria rather than (an
41 incomplete list of) all criteria.
42 - ssh(1)/sshd(8): More strictly check signature types during key
43 exchange against what was negotiated. Prevents downgrade of RSA
44 signatures made with SHA-256/512 to SHA-1.
45 - sshd(8): Fix support for client that advertise a protocol version of
46 "1.99" (indicating that they are prepared to accept both SSHv1 and
47 SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
48 support.
49 - ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a
50 rsa-sha2-256/512 signature was requested. This condition is possible
51 when an old or non-OpenSSH agent is in use.
52 - ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
53 to fatally exit if presented an invalid signature request message.
54 - sshd_config(5): Accept yes/no flag options case-insensitively, as has
55 been the case in ssh_config(5) for a long time (LP: #1656557).
56 - ssh(1): Improve error reporting for failures during connection. Under
57 some circumstances misleading errors were being shown.
58 - ssh-keyscan(1): Add -D option to allow printing of results directly in
59 SSHFP format.
60 - ssh(1): Compatibility fix for some servers that erroneously drop the
61 connection when the IUTF8 (RFC8160) option is sent.
62 - scp(1): Disable RemoteCommand and RequestTTY in the ssh session
63 started by scp (sftp was already doing this).
64 - ssh-keygen(1): Refuse to create a certificate with an unusable number
65 of principals.
66 - ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
67 public key during key generation. Previously it would silently ignore
68 errors writing the comment and terminating newline.
69 - ssh(1): Do not modify hostname arguments that are addresses by
70 automatically forcing them to lower-case. Instead canonicalise them
71 jo resolve ambiguities (e.g. ::0001 => ::1) before they are matched
72 against known_hosts.
73 - ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
74 prompts.
75 - sftp(1): Have sftp print a warning about shell cleanliness when
76 decoding the first packet fails, which is usually caused by shells
77 polluting stdout of non-interactive startups.
78 - ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
79 time to monotonic time, allowing the packet layer to better function
80 over a clock step and avoiding possible integer overflows during
81 steps.
82 - sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
83 sandbox violations on some environments.
84 - Build and link with "retpoline" flags when available to mitigate the
85 "branch target injection" style (variant 2) of the Spectre
86 branch-prediction vulnerability.
87
88 -- Colin Watson <cjwatson@debian.org> Tue, 03 Apr 2018 08:33:10 +0100
89
1openssh (1:7.6p1-5) unstable; urgency=medium 90openssh (1:7.6p1-5) unstable; urgency=medium
2 91
3 * Explicitly build-depend on pkg-config, rather than implicitly 92 * Explicitly build-depend on pkg-config, rather than implicitly
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
deleted file mode 100644
index ba7642d83..000000000
--- a/debian/patches/auth-log-verbosity.patch
+++ /dev/null
@@ -1,120 +0,0 @@
1From 50e9edb57b6808cbbf63fe3433febb103baac1e8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used
5
6Bug-Debian: http://bugs.debian.org/630606
7Forwarded: no
8Last-Update: 2017-10-04
9
10Patch-Name: auth-log-verbosity.patch
11---
12 auth-options.c | 35 ++++++++++++++++++++++++++---------
13 auth-options.h | 1 +
14 auth2-pubkey.c | 3 +++
15 3 files changed, 30 insertions(+), 9 deletions(-)
16
17diff --git a/auth-options.c b/auth-options.c
18index bed00eef..ccdd0b20 100644
19--- a/auth-options.c
20+++ b/auth-options.c
21@@ -59,10 +59,21 @@ int forced_tun_device = -1;
22 /* "principals=" option. */
23 char *authorized_principals = NULL;
24
25+/* Throttle log messages. */
26+int logged_from_hostip = 0;
27+int logged_cert_hostip = 0;
28+
29 extern ServerOptions options;
30
31 /* XXX refactor to be stateless */
32
33+void
34+auth_start_parse_options(void)
35+{
36+ logged_from_hostip = 0;
37+ logged_cert_hostip = 0;
38+}
39+
40 void
41 auth_clear_options(void)
42 {
43@@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file,
44 /* FALLTHROUGH */
45 case 0:
46 free(patterns);
47- logit("Authentication tried for %.100s with "
48- "correct key but not from a permitted "
49- "host (host=%.200s, ip=%.200s).",
50- pw->pw_name, remote_host, remote_ip);
51+ if (!logged_from_hostip) {
52+ logit("Authentication tried for %.100s with "
53+ "correct key but not from a permitted "
54+ "host (host=%.200s, ip=%.200s).",
55+ pw->pw_name, remote_host, remote_ip);
56+ logged_from_hostip = 1;
57+ }
58 auth_debug_add("Your host '%.200s' is not "
59 "permitted to use this key for login.",
60 remote_host);
61@@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
62 break;
63 case 0:
64 /* no match */
65- logit("Authentication tried for %.100s "
66- "with valid certificate but not "
67- "from a permitted host "
68- "(ip=%.200s).", pw->pw_name,
69- remote_ip);
70+ if (!logged_cert_hostip) {
71+ logit("Authentication tried for %.100s "
72+ "with valid certificate but not "
73+ "from a permitted host "
74+ "(ip=%.200s).", pw->pw_name,
75+ remote_ip);
76+ logged_cert_hostip = 1;
77+ }
78 auth_debug_add("Your address '%.200s' "
79 "is not permitted to use this "
80 "certificate for login.",
81diff --git a/auth-options.h b/auth-options.h
82index 547f0163..4de0f14d 100644
83--- a/auth-options.h
84+++ b/auth-options.h
85@@ -33,6 +33,7 @@ extern int forced_tun_device;
86 extern int key_is_cert_authority;
87 extern char *authorized_principals;
88
89+void auth_start_parse_options(void);
90 int auth_parse_options(struct passwd *, char *, const char *, u_long);
91 void auth_clear_options(void);
92 int auth_cert_options(struct sshkey *, struct passwd *, const char **);
93diff --git a/auth2-pubkey.c b/auth2-pubkey.c
94index 169839b0..43f880b6 100644
95--- a/auth2-pubkey.c
96+++ b/auth2-pubkey.c
97@@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw,
98 u_long linenum = 0;
99 u_int i, found_principal = 0;
100
101+ auth_start_parse_options();
102 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
103 /* Always consume entire input */
104 if (found_principal)
105@@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw)
106 u_long linenum = 0;
107 struct sshkey *found = NULL;
108
109+ auth_start_parse_options();
110 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
111 char *cp, *key_options = NULL, *fp = NULL;
112 const char *reason = NULL;
113@@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
114 if (sshkey_cert_check_authority(key, 0, 1,
115 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
116 goto fail_reason;
117+ auth_start_parse_options();
118 if (auth_cert_options(key, pw, &reason) != 0)
119 goto fail_reason;
120
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 56f6de37f..ddd5cee27 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 312eb64a9faf4e8cdb95f2ae147ecbfa6c0efd83 Mon Sep 17 00:00:00 2001 1From 35b042aaa143ac815ada8cd746ef95ab538af1a7 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index f6e9fe4c..08b989a4 100644 16index 6f3f042b..1afb4f79 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -340,6 +340,7 @@ install-files: 19@@ -352,6 +352,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 8134afba4..bc87d31b4 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From ae96c03ce51af2c529bfa2f2de57f4fa938ea552 Mon Sep 17 00:00:00 2001 1From 39e593d349cde42b6b5aac669a42eb1749ef70af Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 9889fb0a..b0146405 100644 22index 3fff3d53..5be47aec 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions *options) 25@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options)
26 options->fingerprint_hash = -1; 26 options->fingerprint_hash = -1;
27 options->disable_forwarding = -1; 27 options->disable_forwarding = -1;
28 options->expose_userauth_info = -1; 28 options->expose_userauth_info = -1;
@@ -30,7 +30,7 @@ index 9889fb0a..b0146405 100644
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -393,6 +394,8 @@ fill_default_server_options(ServerOptions *options)
34 options->disable_forwarding = 0; 34 options->disable_forwarding = 0;
35 if (options->expose_userauth_info == -1) 35 if (options->expose_userauth_info == -1)
36 options->expose_userauth_info = 0; 36 options->expose_userauth_info = 0;
@@ -39,25 +39,25 @@ index 9889fb0a..b0146405 100644
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -429,6 +432,7 @@ typedef enum { 42@@ -480,6 +483,7 @@ typedef enum {
43 sStreamLocalBindMask, sStreamLocalBindUnlink, 43 sStreamLocalBindMask, sStreamLocalBindUnlink,
44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
45 sExposeAuthInfo, 45 sExposeAuthInfo, sRDomain,
46+ sDebianBanner, 46+ sDebianBanner,
47 sDeprecated, sIgnore, sUnsupported 47 sDeprecated, sIgnore, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -582,6 +586,7 @@ static struct { 50@@ -634,6 +638,7 @@ static struct {
51 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
52 { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 51 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
53 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 52 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
53 { "rdomain", sRDomain, SSHCFG_ALL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1907,6 +1912,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -2056,6 +2061,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 intptr = &options->expose_userauth_info; 59 *charptr = xstrdup(arg);
60 goto parse_flag; 60 break;
61 61
62+ case sDebianBanner: 62+ case sDebianBanner:
63+ intptr = &options->debian_banner; 63+ intptr = &options->debian_banner;
@@ -67,10 +67,10 @@ index 9889fb0a..b0146405 100644
67 case sIgnore: 67 case sIgnore:
68 case sUnsupported: 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 641e93c8..410c4275 100644 70index 5dfc9bc0..b0fa7045 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -200,6 +200,8 @@ typedef struct { 73@@ -211,6 +211,8 @@ typedef struct {
74 74
75 int fingerprint_hash; 75 int fingerprint_hash;
76 int expose_userauth_info; 76 int expose_userauth_info;
@@ -80,10 +80,10 @@ index 641e93c8..410c4275 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index eccf81bb..a5a1193d 100644 83index 9a7f5495..1d645a17 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
87 char remote_version[256]; /* Must be at least as big as buf. */ 87 char remote_version[256]; /* Must be at least as big as buf. */
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -94,10 +94,10 @@ index eccf81bb..a5a1193d 100644
94 options.version_addendum); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 7db25552..41e8c939 100644 97index 1a1c6dd0..45044a70 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -530,6 +530,11 @@ or 100@@ -531,6 +531,11 @@ or
101 .Cm no . 101 .Cm no .
102 The default is 102 The default is
103 .Cm yes . 103 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index a3f595752..e90cbe8d9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 4847e512c0b94c615b838904a5f139a761bee284 Mon Sep 17 00:00:00 2001 1From 279cd9cd9a66daac701328cb0c53863e2bb5ab02 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index be3d5873..41f36aa8 100644 42index 50349e23..efcf2d62 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1940,7 +1940,7 @@ fill_default_options(Options * options) 45@@ -1916,7 +1916,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index be3d5873..41f36aa8 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index 711fe608..f1b01c56 100644 55index f8fc26d2..8a03db95 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -764,6 +764,16 @@ directive in 58@@ -768,6 +768,16 @@ directive in
59 .Xr ssh_config 5 59 .Xr ssh_config 5
60 for more information. 60 for more information.
61 .Pp 61 .Pp
@@ -72,7 +72,7 @@ index 711fe608..f1b01c56 100644
72 .It Fl x 72 .It Fl x
73 Disables X11 forwarding. 73 Disables X11 forwarding.
74 .Pp 74 .Pp
75@@ -772,6 +782,17 @@ Enables trusted X11 forwarding. 75@@ -776,6 +786,17 @@ Enables trusted X11 forwarding.
76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
77 controls. 77 controls.
78 .Pp 78 .Pp
@@ -114,7 +114,7 @@ index bcb9f153..1b676fb2 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index 1edfe761..2da7029a 100644 117index ca052884..ed6e5d02 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 1edfe761..2da7029a 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -683,11 +699,12 @@ elapsed. 143@@ -690,11 +706,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -155,10 +155,10 @@ index 1edfe761..2da7029a 100644
155 from stealing or tampering with data belonging to trusted X11 155 from stealing or tampering with data belonging to trusted X11
156 clients. 156 clients.
157diff --git a/sshd_config b/sshd_config 157diff --git a/sshd_config b/sshd_config
158index c01dd656..f68edf36 100644 158index 86263d71..de9cc9fe 100644
159--- a/sshd_config 159--- a/sshd_config
160+++ b/sshd_config 160+++ b/sshd_config
161@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys 161@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
162 #PasswordAuthentication yes 162 #PasswordAuthentication yes
163 #PermitEmptyPasswords no 163 #PermitEmptyPasswords no
164 164
@@ -170,7 +170,7 @@ index c01dd656..f68edf36 100644
170 170
171 # Kerberos options 171 # Kerberos options
172 #KerberosAuthentication no 172 #KerberosAuthentication no
173@@ -82,16 +83,16 @@ AuthorizedKeysFile .ssh/authorized_keys 173@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys
174 # If you just want the PAM account and session checks to run without 174 # If you just want the PAM account and session checks to run without
175 # PAM authentication, then enable this but set PasswordAuthentication 175 # PAM authentication, then enable this but set PasswordAuthentication
176 # and ChallengeResponseAuthentication to 'no'. 176 # and ChallengeResponseAuthentication to 'no'.
@@ -190,7 +190,7 @@ index c01dd656..f68edf36 100644
190 #PrintLastLog yes 190 #PrintLastLog yes
191 #TCPKeepAlive yes 191 #TCPKeepAlive yes
192 #UseLogin no 192 #UseLogin no
193@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys 193@@ -108,8 +109,11 @@ AuthorizedKeysFile .ssh/authorized_keys
194 # no default banner path 194 # no default banner path
195 #Banner none 195 #Banner none
196 196
@@ -204,10 +204,10 @@ index c01dd656..f68edf36 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index 79676a95..16be4f62 100644 207index 44b91846..4c7ee425 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -55,6 +55,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
211 .Pq \&" 211 .Pq \&"
212 in order to represent arguments containing spaces. 212 in order to represent arguments containing spaces.
213 .Pp 213 .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a8d98855a..0ba825f4e 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From f500e89e2310f6308a998357d72d767e3b01553c Mon Sep 17 00:00:00 2001 1From 8c11a03efd47de883b52838735d6890ca8d4d9f8 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index 6e1abb53..8e0ca691 100644 21index ff1a2c41..82ec9719 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
25 { 25 {
26 u_int counter; 26 u_int counter;
27 int result; 27 int result;
@@ -29,7 +29,7 @@ index 6e1abb53..8e0ca691 100644
29 struct rrsetinfo *fingerprints = NULL; 29 struct rrsetinfo *fingerprints = NULL;
30 30
31 u_int8_t hostkey_algorithm; 31 u_int8_t hostkey_algorithm;
32@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 32@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
33 return -1; 33 return -1;
34 } 34 }
35 35
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index c4342181d..5c0b0d8f8 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From a07f7c1fe9d8dc3bfe4cb8bbe6bb5a27b638d024 Mon Sep 17 00:00:00 2001 1From 4fc40c98c57ecd166f87008261357810a21178e6 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 7810a418..1edfe761 100644 16index 84dcd52c..ca052884 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -777,6 +777,9 @@ Note that existing names and addresses in known hosts files 19@@ -784,6 +784,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/fix-regress-putty-transfer.patch b/debian/patches/fix-regress-putty-transfer.patch
deleted file mode 100644
index cfec3a9d2..000000000
--- a/debian/patches/fix-regress-putty-transfer.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From bd081a1ae125c7c6b2cfec89746d1298a306ad78 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 16 Jan 2018 17:38:36 +0000
4Subject: Fix putty-transfer regression test
5
6The test key file is still called putty.rsa2, not putty.rsa.
7
8Forwarded: no
9Last-Update: 2018-01-16
10
11Patch-Name: fix-regress-putty-transfer.patch
12---
13 regress/putty-transfer.sh | 4 ++--
14 1 file changed, 2 insertions(+), 2 deletions(-)
15
16diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
17index 32c79f9e..57e46540 100644
18--- a/regress/putty-transfer.sh
19+++ b/regress/putty-transfer.sh
20@@ -15,7 +15,7 @@ for c in 0 1 ; do
21 ${OBJ}/.putty/sessions/compression_$c
22 echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
23 env HOME=$PWD ${PLINK} -load compression_$c -batch \
24- -i putty.rsa cat ${DATA} > ${COPY}
25+ -i putty.rsa2 cat ${DATA} > ${COPY}
26 if [ $? -ne 0 ]; then
27 fail "ssh cat $DATA failed"
28 fi
29@@ -26,7 +26,7 @@ for c in 0 1 ; do
30 rm -f ${COPY}
31 dd if=$DATA obs=${s} 2> /dev/null | \
32 env HOME=$PWD ${PLINK} -load compression_$c \
33- -batch -i putty.rsa \
34+ -batch -i putty.rsa2 \
35 "cat > ${COPY}"
36 if [ $? -ne 0 ]; then
37 fail "ssh cat $DATA failed"
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index e46c0f8b2..a679a4ed8 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 18950b79898be885c6b77d463367639647e54e28 Mon Sep 17 00:00:00 2001 1From 8e54091347c2c94ab3872e1b9448b40038a63bfb Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 0726a5020..a67ebced0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 4e70490950e5c5134df48848affaf73685bf0284 Mon Sep 17 00:00:00 2001 1From cb427e23bf78d65407c78d868c4ef525dbfaa68f Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -181,10 +181,10 @@ index 00000000..f117a336
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index c52ce191..f6e9fe4c 100644 184index 04e1c8e5..6f3f042b 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
188 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ 188 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
189 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ 189 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
190 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ 190 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
@@ -192,7 +192,7 @@ index c52ce191..f6e9fe4c 100644
192 platform-pledge.o platform-tracing.o platform-misc.o 192 platform-pledge.o platform-tracing.o platform-misc.o
193 193
194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 194 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
195@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ 195@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ 196 auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
197 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 197 auth2-none.o auth2-passwd.o auth2-pubkey.o \
198 monitor.o monitor_wrap.o auth-krb5.o \ 198 monitor.o monitor_wrap.o auth-krb5.o \
@@ -253,10 +253,10 @@ index a5a81ed2..38e7fee2 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 254 }
255diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
256index a4490617..6aec3605 100644 256index 63366768..76d586e3 100644
257--- a/auth.c 257--- a/auth.c
258+++ b/auth.c 258+++ b/auth.c
259@@ -395,7 +395,8 @@ auth_root_allowed(const char *method) 259@@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
260 case PERMIT_NO_PASSWD: 260 case PERMIT_NO_PASSWD:
261 if (strcmp(method, "publickey") == 0 || 261 if (strcmp(method, "publickey") == 0 ||
262 strcmp(method, "hostbased") == 0 || 262 strcmp(method, "hostbased") == 0 ||
@@ -266,7 +266,7 @@ index a4490617..6aec3605 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -727,99 +728,6 @@ fakepw(void) 269@@ -728,99 +729,6 @@ fakepw(void)
270 return (&fake); 270 return (&fake);
271 } 271 }
272 272
@@ -455,7 +455,7 @@ index 589283b7..fd411d3a 100644
455 "gssapi-with-mic", 455 "gssapi-with-mic",
456 userauth_gssapi, 456 userauth_gssapi,
457diff --git a/auth2.c b/auth2.c 457diff --git a/auth2.c b/auth2.c
458index 862e0996..54070e3a 100644 458index e0034229..c34f58c4 100644
459--- a/auth2.c 459--- a/auth2.c
460+++ b/auth2.c 460+++ b/auth2.c
461@@ -72,6 +72,7 @@ extern Authmethod method_passwd; 461@@ -72,6 +72,7 @@ extern Authmethod method_passwd;
@@ -593,7 +593,7 @@ index 26d62855..0cadc9f1 100644
593 int get_peer_port(int); 593 int get_peer_port(int);
594 char *get_local_ipaddr(int); 594 char *get_local_ipaddr(int);
595diff --git a/clientloop.c b/clientloop.c 595diff --git a/clientloop.c b/clientloop.c
596index 791d336e..0010b833 100644 596index 7bcf22e3..ef803e98 100644
597--- a/clientloop.c 597--- a/clientloop.c
598+++ b/clientloop.c 598+++ b/clientloop.c
599@@ -112,6 +112,10 @@ 599@@ -112,6 +112,10 @@
@@ -607,7 +607,7 @@ index 791d336e..0010b833 100644
607 /* import options */ 607 /* import options */
608 extern Options options; 608 extern Options options;
609 609
610@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 610@@ -1335,9 +1339,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
611 break; 611 break;
612 612
613 /* Do channel operations unless rekeying in progress. */ 613 /* Do channel operations unless rekeying in progress. */
@@ -628,10 +628,10 @@ index 791d336e..0010b833 100644
628 client_process_net_input(readset); 628 client_process_net_input(readset);
629 629
630diff --git a/config.h.in b/config.h.in 630diff --git a/config.h.in b/config.h.in
631index 63fc548b..0b244fd5 100644 631index 57208740..4c9545c7 100644
632--- a/config.h.in 632--- a/config.h.in
633+++ b/config.h.in 633+++ b/config.h.in
634@@ -1696,6 +1696,9 @@ 634@@ -1746,6 +1746,9 @@
635 /* Use btmp to log bad logins */ 635 /* Use btmp to log bad logins */
636 #undef USE_BTMP 636 #undef USE_BTMP
637 637
@@ -641,7 +641,7 @@ index 63fc548b..0b244fd5 100644
641 /* Use libedit for sftp */ 641 /* Use libedit for sftp */
642 #undef USE_LIBEDIT 642 #undef USE_LIBEDIT
643 643
644@@ -1711,6 +1714,9 @@ 644@@ -1761,6 +1764,9 @@
645 /* Use PIPES instead of a socketpair() */ 645 /* Use PIPES instead of a socketpair() */
646 #undef USE_PIPES 646 #undef USE_PIPES
647 647
@@ -652,10 +652,10 @@ index 63fc548b..0b244fd5 100644
652 #undef USE_SOLARIS_PRIVS 652 #undef USE_SOLARIS_PRIVS
653 653
654diff --git a/configure.ac b/configure.ac 654diff --git a/configure.ac b/configure.ac
655index 889f5063..84bfad8c 100644 655index 663062be..1cd5eab6 100644
656--- a/configure.ac 656--- a/configure.ac
657+++ b/configure.ac 657+++ b/configure.ac
658@@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 658@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
659 [Use tunnel device compatibility to OpenBSD]) 659 [Use tunnel device compatibility to OpenBSD])
660 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 660 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
661 [Prepend the address family to IP tunnel traffic]) 661 [Prepend the address family to IP tunnel traffic])
@@ -1435,7 +1435,7 @@ index 6cae720e..967c6cfb 100644
1435 1435
1436 /* Privileged */ 1436 /* Privileged */
1437diff --git a/kex.c b/kex.c 1437diff --git a/kex.c b/kex.c
1438index d5d5a9da..bb1bd661 100644 1438index 15ea28b0..6cc2935f 100644
1439--- a/kex.c 1439--- a/kex.c
1440+++ b/kex.c 1440+++ b/kex.c
1441@@ -54,6 +54,10 @@ 1441@@ -54,6 +54,10 @@
@@ -1475,7 +1475,7 @@ index d5d5a9da..bb1bd661 100644
1475 return NULL; 1475 return NULL;
1476 } 1476 }
1477 1477
1478@@ -601,6 +617,9 @@ kex_free(struct kex *kex) 1478@@ -599,6 +615,9 @@ kex_free(struct kex *kex)
1479 sshbuf_free(kex->peer); 1479 sshbuf_free(kex->peer);
1480 sshbuf_free(kex->my); 1480 sshbuf_free(kex->my);
1481 free(kex->session_id); 1481 free(kex->session_id);
@@ -2170,10 +2170,10 @@ index 00000000..38ca082b
2170+} 2170+}
2171+#endif /* GSSAPI */ 2171+#endif /* GSSAPI */
2172diff --git a/monitor.c b/monitor.c 2172diff --git a/monitor.c b/monitor.c
2173index f517da48..cabfeb8a 100644 2173index c68e1b0d..868fb0d2 100644
2174--- a/monitor.c 2174--- a/monitor.c
2175+++ b/monitor.c 2175+++ b/monitor.c
2176@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2176@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2177 int mm_answer_gss_accept_ctx(int, Buffer *); 2177 int mm_answer_gss_accept_ctx(int, Buffer *);
2178 int mm_answer_gss_userok(int, Buffer *); 2178 int mm_answer_gss_userok(int, Buffer *);
2179 int mm_answer_gss_checkmic(int, Buffer *); 2179 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2182,7 +2182,7 @@ index f517da48..cabfeb8a 100644
2182 #endif 2182 #endif
2183 2183
2184 #ifdef SSH_AUDIT_EVENTS 2184 #ifdef SSH_AUDIT_EVENTS
2185@@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[] = { 2185@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = {
2186 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, 2186 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
2187 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, 2187 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
2188 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 2188 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2201,7 +2201,7 @@ index f517da48..cabfeb8a 100644
2201 #ifdef WITH_OPENSSL 2201 #ifdef WITH_OPENSSL
2202 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2202 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2203 #endif 2203 #endif
2204@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2204@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2205 /* Permit requests for moduli and signatures */ 2205 /* Permit requests for moduli and signatures */
2206 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2206 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2207 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2207 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2212,7 +2212,7 @@ index f517da48..cabfeb8a 100644
2212 2212
2213 /* The first few requests do not require asynchronous access */ 2213 /* The first few requests do not require asynchronous access */
2214 while (!authenticated) { 2214 while (!authenticated) {
2215@@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2215@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2216 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2216 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2217 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2217 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2218 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2218 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2221,9 +2221,9 @@ index f517da48..cabfeb8a 100644
2221+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); 2221+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
2222+#endif 2222+#endif
2223 2223
2224 if (!no_pty_flag) { 2224 if (auth_opts->permit_pty_flag) {
2225 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2225 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2226@@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2226@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2227 # endif 2227 # endif
2228 #endif /* WITH_OPENSSL */ 2228 #endif /* WITH_OPENSSL */
2229 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2229 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2237,7 +2237,7 @@ index f517da48..cabfeb8a 100644
2237 kex->load_host_public_key=&get_hostkey_public_by_type; 2237 kex->load_host_public_key=&get_hostkey_public_by_type;
2238 kex->load_host_private_key=&get_hostkey_private_by_type; 2238 kex->load_host_private_key=&get_hostkey_private_by_type;
2239 kex->host_key_index=&get_hostkey_index; 2239 kex->host_key_index=&get_hostkey_index;
2240@@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2240@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2241 OM_uint32 major; 2241 OM_uint32 major;
2242 u_int len; 2242 u_int len;
2243 2243
@@ -2248,7 +2248,7 @@ index f517da48..cabfeb8a 100644
2248 2248
2249 goid.elements = buffer_get_string(m, &len); 2249 goid.elements = buffer_get_string(m, &len);
2250 goid.length = len; 2250 goid.length = len;
2251@@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2251@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2252 OM_uint32 flags = 0; /* GSI needs this */ 2252 OM_uint32 flags = 0; /* GSI needs this */
2253 u_int len; 2253 u_int len;
2254 2254
@@ -2259,7 +2259,7 @@ index f517da48..cabfeb8a 100644
2259 2259
2260 in.value = buffer_get_string(m, &len); 2260 in.value = buffer_get_string(m, &len);
2261 in.length = len; 2261 in.length = len;
2262@@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2262@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2264 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2265 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2265 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2267,7 +2267,7 @@ index f517da48..cabfeb8a 100644
2267 } 2267 }
2268 return (0); 2268 return (0);
2269 } 2269 }
2270@@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2270@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2271 OM_uint32 ret; 2271 OM_uint32 ret;
2272 u_int len; 2272 u_int len;
2273 2273
@@ -2278,7 +2278,7 @@ index f517da48..cabfeb8a 100644
2278 2278
2279 gssbuf.value = buffer_get_string(m, &len); 2279 gssbuf.value = buffer_get_string(m, &len);
2280 gssbuf.length = len; 2280 gssbuf.length = len;
2281@@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2281@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2282 int authenticated; 2282 int authenticated;
2283 const char *displayname; 2283 const char *displayname;
2284 2284
@@ -2293,7 +2293,7 @@ index f517da48..cabfeb8a 100644
2293 2293
2294 buffer_clear(m); 2294 buffer_clear(m);
2295 buffer_put_int(m, authenticated); 2295 buffer_put_int(m, authenticated);
2296@@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m) 2296@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
2297 /* Monitor loop will terminate if authenticated */ 2297 /* Monitor loop will terminate if authenticated */
2298 return (authenticated); 2298 return (authenticated);
2299 } 2299 }
@@ -2385,10 +2385,10 @@ index d68f6745..ec41404c 100644
2385 2385
2386 struct monitor { 2386 struct monitor {
2387diff --git a/monitor_wrap.c b/monitor_wrap.c 2387diff --git a/monitor_wrap.c b/monitor_wrap.c
2388index 69212aaf..0e171a6a 100644 2388index 9666bda4..e749efc1 100644
2389--- a/monitor_wrap.c 2389--- a/monitor_wrap.c
2390+++ b/monitor_wrap.c 2390+++ b/monitor_wrap.c
2391@@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2391@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2392 } 2392 }
2393 2393
2394 int 2394 int
@@ -2397,7 +2397,7 @@ index 69212aaf..0e171a6a 100644
2397 { 2397 {
2398 Buffer m; 2398 Buffer m;
2399 int authenticated = 0; 2399 int authenticated = 0;
2400@@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user) 2400@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
2401 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2401 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2402 return (authenticated); 2402 return (authenticated);
2403 } 2403 }
@@ -2449,10 +2449,10 @@ index 69212aaf..0e171a6a 100644
2449 #endif /* GSSAPI */ 2449 #endif /* GSSAPI */
2450 2450
2451diff --git a/monitor_wrap.h b/monitor_wrap.h 2451diff --git a/monitor_wrap.h b/monitor_wrap.h
2452index 9e032d20..7b2e8945 100644 2452index 76233270..0970d1f8 100644
2453--- a/monitor_wrap.h 2453--- a/monitor_wrap.h
2454+++ b/monitor_wrap.h 2454+++ b/monitor_wrap.h
2455@@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 2455@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
2456 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2456 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2457 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2457 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2458 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2458 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2465,7 +2465,7 @@ index 9e032d20..7b2e8945 100644
2465 2465
2466 #ifdef USE_PAM 2466 #ifdef USE_PAM
2467diff --git a/readconf.c b/readconf.c 2467diff --git a/readconf.c b/readconf.c
2468index f63894f9..99e03ee1 100644 2468index 88051db5..c8e79299 100644
2469--- a/readconf.c 2469--- a/readconf.c
2470+++ b/readconf.c 2470+++ b/readconf.c
2471@@ -160,6 +160,8 @@ typedef enum { 2471@@ -160,6 +160,8 @@ typedef enum {
@@ -2498,7 +2498,7 @@ index f63894f9..99e03ee1 100644
2498 #endif 2498 #endif
2499 #ifdef ENABLE_PKCS11 2499 #ifdef ENABLE_PKCS11
2500 { "smartcarddevice", oPKCS11Provider }, 2500 { "smartcarddevice", oPKCS11Provider },
2501@@ -976,10 +988,30 @@ parse_time: 2501@@ -950,10 +962,30 @@ parse_time:
2502 intptr = &options->gss_authentication; 2502 intptr = &options->gss_authentication;
2503 goto parse_flag; 2503 goto parse_flag;
2504 2504
@@ -2529,7 +2529,7 @@ index f63894f9..99e03ee1 100644
2529 case oBatchMode: 2529 case oBatchMode:
2530 intptr = &options->batch_mode; 2530 intptr = &options->batch_mode;
2531 goto parse_flag; 2531 goto parse_flag;
2532@@ -1790,7 +1822,12 @@ initialize_options(Options * options) 2532@@ -1765,7 +1797,12 @@ initialize_options(Options * options)
2533 options->pubkey_authentication = -1; 2533 options->pubkey_authentication = -1;
2534 options->challenge_response_authentication = -1; 2534 options->challenge_response_authentication = -1;
2535 options->gss_authentication = -1; 2535 options->gss_authentication = -1;
@@ -2542,7 +2542,7 @@ index f63894f9..99e03ee1 100644
2542 options->password_authentication = -1; 2542 options->password_authentication = -1;
2543 options->kbd_interactive_authentication = -1; 2543 options->kbd_interactive_authentication = -1;
2544 options->kbd_interactive_devices = NULL; 2544 options->kbd_interactive_devices = NULL;
2545@@ -1930,8 +1967,14 @@ fill_default_options(Options * options) 2545@@ -1906,8 +1943,14 @@ fill_default_options(Options * options)
2546 options->challenge_response_authentication = 1; 2546 options->challenge_response_authentication = 1;
2547 if (options->gss_authentication == -1) 2547 if (options->gss_authentication == -1)
2548 options->gss_authentication = 0; 2548 options->gss_authentication = 0;
@@ -2558,7 +2558,7 @@ index f63894f9..99e03ee1 100644
2558 options->password_authentication = 1; 2558 options->password_authentication = 1;
2559 if (options->kbd_interactive_authentication == -1) 2559 if (options->kbd_interactive_authentication == -1)
2560diff --git a/readconf.h b/readconf.h 2560diff --git a/readconf.h b/readconf.h
2561index 22fe5c18..d61161a8 100644 2561index f4d9e2b2..f469daaf 100644
2562--- a/readconf.h 2562--- a/readconf.h
2563+++ b/readconf.h 2563+++ b/readconf.h
2564@@ -42,7 +42,12 @@ typedef struct { 2564@@ -42,7 +42,12 @@ typedef struct {
@@ -2575,10 +2575,10 @@ index 22fe5c18..d61161a8 100644
2575 * authentication. */ 2575 * authentication. */
2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2577diff --git a/servconf.c b/servconf.c 2577diff --git a/servconf.c b/servconf.c
2578index 2c321a4a..8ba74517 100644 2578index 0f0d0906..cbbea05b 100644
2579--- a/servconf.c 2579--- a/servconf.c
2580+++ b/servconf.c 2580+++ b/servconf.c
2581@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) 2581@@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options)
2582 options->kerberos_ticket_cleanup = -1; 2582 options->kerberos_ticket_cleanup = -1;
2583 options->kerberos_get_afs_token = -1; 2583 options->kerberos_get_afs_token = -1;
2584 options->gss_authentication=-1; 2584 options->gss_authentication=-1;
@@ -2589,7 +2589,7 @@ index 2c321a4a..8ba74517 100644
2589 options->password_authentication = -1; 2589 options->password_authentication = -1;
2590 options->kbd_interactive_authentication = -1; 2590 options->kbd_interactive_authentication = -1;
2591 options->challenge_response_authentication = -1; 2591 options->challenge_response_authentication = -1;
2592@@ -268,10 +270,14 @@ fill_default_server_options(ServerOptions *options) 2592@@ -315,10 +317,14 @@ fill_default_server_options(ServerOptions *options)
2593 options->kerberos_get_afs_token = 0; 2593 options->kerberos_get_afs_token = 0;
2594 if (options->gss_authentication == -1) 2594 if (options->gss_authentication == -1)
2595 options->gss_authentication = 0; 2595 options->gss_authentication = 0;
@@ -2604,7 +2604,7 @@ index 2c321a4a..8ba74517 100644
2604 if (options->password_authentication == -1) 2604 if (options->password_authentication == -1)
2605 options->password_authentication = 1; 2605 options->password_authentication = 1;
2606 if (options->kbd_interactive_authentication == -1) 2606 if (options->kbd_interactive_authentication == -1)
2607@@ -410,6 +416,7 @@ typedef enum { 2607@@ -461,6 +467,7 @@ typedef enum {
2608 sHostKeyAlgorithms, 2608 sHostKeyAlgorithms,
2609 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2609 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2610 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2610 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2612,7 +2612,7 @@ index 2c321a4a..8ba74517 100644
2612 sAcceptEnv, sPermitTunnel, 2612 sAcceptEnv, sPermitTunnel,
2613 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2613 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2614 sUsePrivilegeSeparation, sAllowAgentForwarding, 2614 sUsePrivilegeSeparation, sAllowAgentForwarding,
2615@@ -484,12 +491,20 @@ static struct { 2615@@ -535,12 +542,20 @@ static struct {
2616 #ifdef GSSAPI 2616 #ifdef GSSAPI
2617 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2617 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2618 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2618 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2633,7 +2633,7 @@ index 2c321a4a..8ba74517 100644
2633 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2633 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2634 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2634 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2635 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2635 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2636@@ -1253,6 +1268,10 @@ process_server_config_line(ServerOptions *options, char *line, 2636@@ -1407,6 +1422,10 @@ process_server_config_line(ServerOptions *options, char *line,
2637 intptr = &options->gss_authentication; 2637 intptr = &options->gss_authentication;
2638 goto parse_flag; 2638 goto parse_flag;
2639 2639
@@ -2644,7 +2644,7 @@ index 2c321a4a..8ba74517 100644
2644 case sGssCleanupCreds: 2644 case sGssCleanupCreds:
2645 intptr = &options->gss_cleanup_creds; 2645 intptr = &options->gss_cleanup_creds;
2646 goto parse_flag; 2646 goto parse_flag;
2647@@ -1261,6 +1280,10 @@ process_server_config_line(ServerOptions *options, char *line, 2647@@ -1415,6 +1434,10 @@ process_server_config_line(ServerOptions *options, char *line,
2648 intptr = &options->gss_strict_acceptor; 2648 intptr = &options->gss_strict_acceptor;
2649 goto parse_flag; 2649 goto parse_flag;
2650 2650
@@ -2655,7 +2655,7 @@ index 2c321a4a..8ba74517 100644
2655 case sPasswordAuthentication: 2655 case sPasswordAuthentication:
2656 intptr = &options->password_authentication; 2656 intptr = &options->password_authentication;
2657 goto parse_flag; 2657 goto parse_flag;
2658@@ -2301,7 +2324,10 @@ dump_config(ServerOptions *o) 2658@@ -2453,7 +2476,10 @@ dump_config(ServerOptions *o)
2659 #endif 2659 #endif
2660 #ifdef GSSAPI 2660 #ifdef GSSAPI
2661 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2661 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2667,10 +2667,10 @@ index 2c321a4a..8ba74517 100644
2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2668 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2668 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2669diff --git a/servconf.h b/servconf.h 2669diff --git a/servconf.h b/servconf.h
2670index 1dca702e..641e93c8 100644 2670index 37a0fb1a..5dfc9bc0 100644
2671--- a/servconf.h 2671--- a/servconf.h
2672+++ b/servconf.h 2672+++ b/servconf.h
2673@@ -119,8 +119,10 @@ typedef struct { 2673@@ -130,8 +130,10 @@ typedef struct {
2674 int kerberos_get_afs_token; /* If true, try to get AFS token if 2674 int kerberos_get_afs_token; /* If true, try to get AFS token if
2675 * authenticated with Kerberos. */ 2675 * authenticated with Kerberos. */
2676 int gss_authentication; /* If true, permit GSSAPI authentication */ 2676 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2799,10 +2799,10 @@ index c12f5ef5..bcb9f153 100644
2799 # CheckHostIP yes 2799 # CheckHostIP yes
2800 # AddressFamily any 2800 # AddressFamily any
2801diff --git a/ssh_config.5 b/ssh_config.5 2801diff --git a/ssh_config.5 b/ssh_config.5
2802index eab8dd01..9a06a757 100644 2802index 71705cab..66826aa7 100644
2803--- a/ssh_config.5 2803--- a/ssh_config.5
2804+++ b/ssh_config.5 2804+++ b/ssh_config.5
2805@@ -720,10 +720,42 @@ The default is 2805@@ -727,10 +727,42 @@ The default is
2806 Specifies whether user authentication based on GSSAPI is allowed. 2806 Specifies whether user authentication based on GSSAPI is allowed.
2807 The default is 2807 The default is
2808 .Cm no . 2808 .Cm no .
@@ -2846,7 +2846,7 @@ index eab8dd01..9a06a757 100644
2846 Indicates that 2846 Indicates that
2847 .Xr ssh 1 2847 .Xr ssh 1
2848diff --git a/sshconnect2.c b/sshconnect2.c 2848diff --git a/sshconnect2.c b/sshconnect2.c
2849index be9397e4..c22477f5 100644 2849index 1f4a74cf..83562c68 100644
2850--- a/sshconnect2.c 2850--- a/sshconnect2.c
2851+++ b/sshconnect2.c 2851+++ b/sshconnect2.c
2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2959,7 +2959,7 @@ index be9397e4..c22477f5 100644
2959 {"gssapi-with-mic", 2959 {"gssapi-with-mic",
2960 userauth_gssapi, 2960 userauth_gssapi,
2961 NULL, 2961 NULL,
2962@@ -654,25 +720,40 @@ userauth_gssapi(Authctxt *authctxt) 2962@@ -643,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt)
2963 static u_int mech = 0; 2963 static u_int mech = 0;
2964 OM_uint32 min; 2964 OM_uint32 min;
2965 int ok = 0; 2965 int ok = 0;
@@ -3002,7 +3002,7 @@ index be9397e4..c22477f5 100644
3002 if (!ok) 3002 if (!ok)
3003 return 0; 3003 return 0;
3004 3004
3005@@ -763,8 +844,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) 3005@@ -752,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh)
3006 { 3006 {
3007 Authctxt *authctxt = ssh->authctxt; 3007 Authctxt *authctxt = ssh->authctxt;
3008 Gssctxt *gssctxt; 3008 Gssctxt *gssctxt;
@@ -3013,7 +3013,7 @@ index be9397e4..c22477f5 100644
3013 3013
3014 if (authctxt == NULL) 3014 if (authctxt == NULL)
3015 fatal("input_gssapi_response: no authentication context"); 3015 fatal("input_gssapi_response: no authentication context");
3016@@ -877,6 +958,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3016@@ -866,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3017 free(lang); 3017 free(lang);
3018 return 0; 3018 return 0;
3019 } 3019 }
@@ -3063,10 +3063,10 @@ index be9397e4..c22477f5 100644
3063 3063
3064 int 3064 int
3065diff --git a/sshd.c b/sshd.c 3065diff --git a/sshd.c b/sshd.c
3066index 51a1aaf6..45e50fac 100644 3066index fd95b681..e88185ef 100644
3067--- a/sshd.c 3067--- a/sshd.c
3068+++ b/sshd.c 3068+++ b/sshd.c
3069@@ -122,6 +122,10 @@ 3069@@ -123,6 +123,10 @@
3070 #include "version.h" 3070 #include "version.h"
3071 #include "ssherr.h" 3071 #include "ssherr.h"
3072 3072
@@ -3077,7 +3077,7 @@ index 51a1aaf6..45e50fac 100644
3077 /* Re-exec fds */ 3077 /* Re-exec fds */
3078 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3078 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3079 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3079 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3080@@ -529,7 +533,7 @@ privsep_preauth_child(void) 3080@@ -531,7 +535,7 @@ privsep_preauth_child(void)
3081 3081
3082 #ifdef GSSAPI 3082 #ifdef GSSAPI
3083 /* Cache supported mechanism OIDs for later use */ 3083 /* Cache supported mechanism OIDs for later use */
@@ -3086,7 +3086,7 @@ index 51a1aaf6..45e50fac 100644
3086 ssh_gssapi_prepare_supported_oids(); 3086 ssh_gssapi_prepare_supported_oids();
3087 #endif 3087 #endif
3088 3088
3089@@ -1708,10 +1712,13 @@ main(int ac, char **av) 3089@@ -1753,10 +1757,13 @@ main(int ac, char **av)
3090 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3090 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3091 free(fp); 3091 free(fp);
3092 } 3092 }
@@ -3100,8 +3100,8 @@ index 51a1aaf6..45e50fac 100644
3100 3100
3101 /* 3101 /*
3102 * Load certificates. They are stored in an array at identical 3102 * Load certificates. They are stored in an array at identical
3103@@ -1987,6 +1994,60 @@ main(int ac, char **av) 3103@@ -2047,6 +2054,60 @@ main(int ac, char **av)
3104 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 3104 rdomain == NULL ? "" : "\"");
3105 free(laddr); 3105 free(laddr);
3106 3106
3107+#ifdef USE_SECURITY_SESSION_API 3107+#ifdef USE_SECURITY_SESSION_API
@@ -3161,7 +3161,7 @@ index 51a1aaf6..45e50fac 100644
3161 /* 3161 /*
3162 * We don't want to listen forever unless the other side 3162 * We don't want to listen forever unless the other side
3163 * successfully authenticates itself. So we set up an alarm which is 3163 * successfully authenticates itself. So we set up an alarm which is
3164@@ -2170,6 +2231,48 @@ do_ssh2_kex(void) 3164@@ -2234,6 +2295,48 @@ do_ssh2_kex(void)
3165 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3165 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3166 list_hostkey_types()); 3166 list_hostkey_types());
3167 3167
@@ -3210,7 +3210,7 @@ index 51a1aaf6..45e50fac 100644
3210 /* start key exchange */ 3210 /* start key exchange */
3211 if ((r = kex_setup(active_state, myproposal)) != 0) 3211 if ((r = kex_setup(active_state, myproposal)) != 0)
3212 fatal("kex_setup: %s", ssh_err(r)); 3212 fatal("kex_setup: %s", ssh_err(r));
3213@@ -2187,6 +2290,13 @@ do_ssh2_kex(void) 3213@@ -2251,6 +2354,13 @@ do_ssh2_kex(void)
3214 # endif 3214 # endif
3215 #endif 3215 #endif
3216 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3216 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3225,10 +3225,10 @@ index 51a1aaf6..45e50fac 100644
3225 kex->client_version_string=client_version_string; 3225 kex->client_version_string=client_version_string;
3226 kex->server_version_string=server_version_string; 3226 kex->server_version_string=server_version_string;
3227diff --git a/sshd_config b/sshd_config 3227diff --git a/sshd_config b/sshd_config
3228index 4eb2e02e..c01dd656 100644 3228index 3109d5d7..86263d71 100644
3229--- a/sshd_config 3229--- a/sshd_config
3230+++ b/sshd_config 3230+++ b/sshd_config
3231@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3231@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
3232 # GSSAPI options 3232 # GSSAPI options
3233 #GSSAPIAuthentication no 3233 #GSSAPIAuthentication no
3234 #GSSAPICleanupCredentials yes 3234 #GSSAPICleanupCredentials yes
@@ -3238,10 +3238,10 @@ index 4eb2e02e..c01dd656 100644
3238 # Set this to 'yes' to enable PAM authentication, account processing, 3238 # Set this to 'yes' to enable PAM authentication, account processing,
3239 # and session processing. If this is enabled, PAM authentication will 3239 # and session processing. If this is enabled, PAM authentication will
3240diff --git a/sshd_config.5 b/sshd_config.5 3240diff --git a/sshd_config.5 b/sshd_config.5
3241index 251b7467..0dbcb8da 100644 3241index e3c7c393..c4a3f3cb 100644
3242--- a/sshd_config.5 3242--- a/sshd_config.5
3243+++ b/sshd_config.5 3243+++ b/sshd_config.5
3244@@ -635,6 +635,11 @@ The default is 3244@@ -636,6 +636,11 @@ The default is
3245 Specifies whether user authentication based on GSSAPI is allowed. 3245 Specifies whether user authentication based on GSSAPI is allowed.
3246 The default is 3246 The default is
3247 .Cm no . 3247 .Cm no .
@@ -3253,7 +3253,7 @@ index 251b7467..0dbcb8da 100644
3253 .It Cm GSSAPICleanupCredentials 3253 .It Cm GSSAPICleanupCredentials
3254 Specifies whether to automatically destroy the user's credentials cache 3254 Specifies whether to automatically destroy the user's credentials cache
3255 on logout. 3255 on logout.
3256@@ -654,6 +659,11 @@ machine's default store. 3256@@ -655,6 +660,11 @@ machine's default store.
3257 This facility is provided to assist with operation on multi homed machines. 3257 This facility is provided to assist with operation on multi homed machines.
3258 The default is 3258 The default is
3259 .Cm yes . 3259 .Cm yes .
@@ -3266,10 +3266,10 @@ index 251b7467..0dbcb8da 100644
3266 Specifies the key types that will be accepted for hostbased authentication 3266 Specifies the key types that will be accepted for hostbased authentication
3267 as a comma-separated pattern list. 3267 as a comma-separated pattern list.
3268diff --git a/sshkey.c b/sshkey.c 3268diff --git a/sshkey.c b/sshkey.c
3269index e91c54f5..c2cf0e03 100644 3269index 7712fba2..08887286 100644
3270--- a/sshkey.c 3270--- a/sshkey.c
3271+++ b/sshkey.c 3271+++ b/sshkey.c
3272@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = { 3272@@ -122,6 +122,7 @@ static const struct keytype keytypes[] = {
3273 # endif /* OPENSSL_HAS_NISTP521 */ 3273 # endif /* OPENSSL_HAS_NISTP521 */
3274 # endif /* OPENSSL_HAS_ECC */ 3274 # endif /* OPENSSL_HAS_ECC */
3275 #endif /* WITH_OPENSSL */ 3275 #endif /* WITH_OPENSSL */
@@ -3277,7 +3277,7 @@ index e91c54f5..c2cf0e03 100644
3277 { NULL, NULL, -1, -1, 0, 0 } 3277 { NULL, NULL, -1, -1, 0, 0 }
3278 }; 3278 };
3279 3279
3280@@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 3280@@ -210,7 +211,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3281 const struct keytype *kt; 3281 const struct keytype *kt;
3282 3282
3283 for (kt = keytypes; kt->type != -1; kt++) { 3283 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3287,13 +3287,13 @@ index e91c54f5..c2cf0e03 100644
3287 if (!include_sigonly && kt->sigonly) 3287 if (!include_sigonly && kt->sigonly)
3288 continue; 3288 continue;
3289diff --git a/sshkey.h b/sshkey.h 3289diff --git a/sshkey.h b/sshkey.h
3290index 9093eac5..b5d020cb 100644 3290index 155cd45a..4e89049f 100644
3291--- a/sshkey.h 3291--- a/sshkey.h
3292+++ b/sshkey.h 3292+++ b/sshkey.h
3293@@ -61,6 +61,7 @@ enum sshkey_types { 3293@@ -63,6 +63,7 @@ enum sshkey_types {
3294 KEY_DSA_CERT,
3295 KEY_ECDSA_CERT,
3296 KEY_ED25519_CERT, 3294 KEY_ED25519_CERT,
3295 KEY_XMSS,
3296 KEY_XMSS_CERT,
3297+ KEY_NULL, 3297+ KEY_NULL,
3298 KEY_UNSPEC 3298 KEY_UNSPEC
3299 }; 3299 };
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index d3eca5924..68fa28e5c 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From c147d4dbab74e0dbf738beb9d9f4220534ae9da6 Mon Sep 17 00:00:00 2001 1From a7045c36e6e072c8f9250fbe11cf2f9db9f51a08 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index d2b28a41..45caa095 100644 29index 1f1be778..7f2b5c17 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -174,6 +174,7 @@ typedef enum { 32@@ -174,6 +174,7 @@ typedef enum {
@@ -37,7 +37,7 @@ index d2b28a41..45caa095 100644
37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -318,6 +319,8 @@ static struct { 40@@ -319,6 +320,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 43 { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index d2b28a41..45caa095 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1406,6 +1409,8 @@ parse_keytypes: 49@@ -1378,6 +1381,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index d2b28a41..45caa095 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2042,8 +2047,13 @@ fill_default_options(Options * options) 58@@ -2019,8 +2024,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index d2b28a41..45caa095 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 9a06a757..d6f43c2d 100644 75index 66826aa7..32c3632c 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -247,8 +247,12 @@ Valid arguments are 78@@ -247,8 +247,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index 9a06a757..d6f43c2d 100644
89 The argument must be 89 The argument must be
90 .Cm yes 90 .Cm yes
91 or 91 or
92@@ -1455,7 +1459,14 @@ from the server, 92@@ -1463,7 +1467,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index 9a06a757..d6f43c2d 100644
105 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
106 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
107 .Pq umask 107 .Pq umask
108@@ -1529,6 +1540,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1537,6 +1548,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index 9a06a757..d6f43c2d 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index 0dbcb8da..7db25552 100644 122index c4a3f3cb..1a1c6dd0 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1454,6 +1454,9 @@ This avoids infinitely hanging sessions. 125@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 3edb37705..542b42ae9 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 19be4218cdb262f7b584b0104ee430de0e24eeb8 Mon Sep 17 00:00:00 2001 1From 76ab788bcf265360e1b88f8ced6085198c320fdd Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 5eed5880..7ce2716c 100644 17index 8ab01c0e..58f9eac8 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -1022,9 +1022,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -1141,9 +1141,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 5eed5880..7ce2716c 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -1033,6 +1037,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1152,6 +1156,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 error("Offending %s key in %s:%lu", 36 error("Offending %s key in %s:%lu",
37 sshkey_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
deleted file mode 100644
index c24ff4e3f..000000000
--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ /dev/null
@@ -1,83 +0,0 @@
1From 922f3a7599d03234b6bb2ffb22a33624e7cf1953 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 16 Jan 2017 13:53:04 +0000
4Subject: Remove ssh_host_dsa_key from HostKey default
5
6The client no longer accepts DSA host keys, and servers using the
7default HostKey setting should have better host keys available.
8
9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
10Bug-Debian: https://bugs.debian.org/850614
11Last-Update: 2017-01-16
12
13Patch-Name: no-dsa-host-key-by-default.patch
14---
15 servconf.c | 2 --
16 sshd.8 | 7 +++----
17 sshd_config | 1 -
18 sshd_config.5 | 7 +++----
19 4 files changed, 6 insertions(+), 11 deletions(-)
20
21diff --git a/servconf.c b/servconf.c
22index b0146405..5e996cf8 100644
23--- a/servconf.c
24+++ b/servconf.c
25@@ -205,8 +205,6 @@ fill_default_server_options(ServerOptions *options)
26 /* fill default hostkeys for protocols */
27 options->host_key_files[options->num_host_key_files++] =
28 _PATH_HOST_RSA_KEY_FILE;
29- options->host_key_files[options->num_host_key_files++] =
30- _PATH_HOST_DSA_KEY_FILE;
31 #ifdef OPENSSL_HAS_ECC
32 options->host_key_files[options->num_host_key_files++] =
33 _PATH_HOST_ECDSA_KEY_FILE;
34diff --git a/sshd.8 b/sshd.8
35index 02c5e1df..8c230657 100644
36--- a/sshd.8
37+++ b/sshd.8
38@@ -164,11 +164,10 @@ This option must be given if
39 is not run as root (as the normal
40 host key files are normally not readable by anyone but root).
41 The default is
42-.Pa /etc/ssh/ssh_host_dsa_key ,
43-.Pa /etc/ssh/ssh_host_ecdsa_key ,
44-.Pa /etc/ssh/ssh_host_ed25519_key
45+.Pa /etc/ssh/ssh_host_rsa_key ,
46+.Pa /etc/ssh/ssh_host_ecdsa_key
47 and
48-.Pa /etc/ssh/ssh_host_rsa_key .
49+.Pa /etc/ssh/ssh_host_ed25519_key .
50 It is possible to have multiple host key files for
51 the different host key algorithms.
52 .It Fl i
53diff --git a/sshd_config b/sshd_config
54index f68edf36..92822959 100644
55--- a/sshd_config
56+++ b/sshd_config
57@@ -16,7 +16,6 @@
58 #ListenAddress ::
59
60 #HostKey /etc/ssh/ssh_host_rsa_key
61-#HostKey /etc/ssh/ssh_host_dsa_key
62 #HostKey /etc/ssh/ssh_host_ecdsa_key
63 #HostKey /etc/ssh/ssh_host_ed25519_key
64
65diff --git a/sshd_config.5 b/sshd_config.5
66index 16be4f62..ef520680 100644
67--- a/sshd_config.5
68+++ b/sshd_config.5
69@@ -749,11 +749,10 @@ is not to load any certificates.
70 Specifies a file containing a private host key
71 used by SSH.
72 The defaults are
73-.Pa /etc/ssh/ssh_host_dsa_key ,
74-.Pa /etc/ssh/ssh_host_ecdsa_key ,
75-.Pa /etc/ssh/ssh_host_ed25519_key
76+.Pa /etc/ssh/ssh_host_rsa_key ,
77+.Pa /etc/ssh/ssh_host_ecdsa_key
78 and
79-.Pa /etc/ssh/ssh_host_rsa_key .
80+.Pa /etc/ssh/ssh_host_ed25519_key .
81 .Pp
82 Note that
83 .Xr sshd 8
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index cbfaebfe0..b65e9a51b 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From b614a7f9148af821919165be47c6c29f59dc6b44 Mon Sep 17 00:00:00 2001 1From 3854c30a0cb51e5ad753cd638fdee6690234dfa2 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9297decd6..bb6b52666 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 7e53354725eeb002e6126a73fd5f294ed9f9b03e Mon Sep 17 00:00:00 2001 1From aac4f0438e6fb33bbcda11e50483aa38f657d5f1 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de085..149846c8 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 5f1ec09b..dfbc65dd 100644 47index 3525d7d1..39767e62 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -176,9 +176,7 @@ key in 50@@ -176,9 +176,7 @@ key in
@@ -69,7 +69,7 @@ index 5f1ec09b..dfbc65dd 100644
69 .It Fl a Ar rounds 69 .It Fl a Ar rounds
70 When saving a new-format private key (i.e. an ed25519 key or when the 70 When saving a new-format private key (i.e. an ed25519 key or when the
71 .Fl o 71 .Fl o
72@@ -676,7 +672,7 @@ option. 72@@ -685,7 +681,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 5f1ec09b..dfbc65dd 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -863,7 +859,7 @@ on all machines 81@@ -872,7 +868,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 5f1ec09b..dfbc65dd 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 3cc94688..2a2aab30 100644 91index 0ef7c170..54e21d88 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -842,6 +842,10 @@ implements public key authentication protocol automatically, 94@@ -846,6 +846,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index 3cc94688..2a2aab30 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 2ed523a2..02c5e1df 100644 106index c8299d5e..378aeb9f 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 2ed523a2..02c5e1df 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -850,7 +850,7 @@ This file is for host-based authentication (see 118@@ -856,7 +856,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index 2ed523a2..02c5e1df 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
125 key exchange method. 125 key exchange method.
126 The file format is described in 126 The file format is described in
127@@ -950,7 +950,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -954,7 +954,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 2ed523a2..02c5e1df 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 41e8c939..79676a95 100644 136index 45044a70..44b91846 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -382,8 +382,7 @@ then no banner is displayed. 139@@ -383,8 +383,7 @@ then no banner is displayed.
140 By default, no banner is displayed. 140 By default, no banner is displayed.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 0d851e68c..db144f505 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 326b09bce8058629980cc92f289fd7912269eb98 Mon Sep 17 00:00:00 2001 1From 52359fc0d6ee73ee6e24332b2777dc8abdaed652 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 8 insertions(+), 3 deletions(-) 19 3 files changed, 8 insertions(+), 3 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index 7ce2716c..3280b310 100644 22index 58f9eac8..15d8b807 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -517,7 +517,7 @@ send_client_banner(int connection_out, int minor1) 25@@ -638,7 +638,7 @@ send_client_banner(int connection_out, int minor1)
26 { 26 {
27 /* Send our own protocol version identification. */ 27 /* Send our own protocol version identification. */
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -32,10 +32,10 @@ index 7ce2716c..3280b310 100644
32 strlen(client_version_string)) != strlen(client_version_string)) 32 strlen(client_version_string)) != strlen(client_version_string))
33 fatal("write: %.100s", strerror(errno)); 33 fatal("write: %.100s", strerror(errno));
34diff --git a/sshd.c b/sshd.c 34diff --git a/sshd.c b/sshd.c
35index af1ec337..eccf81bb 100644 35index 6d911c19..9a7f5495 100644
36--- a/sshd.c 36--- a/sshd.c
37+++ b/sshd.c 37+++ b/sshd.c
38@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
39 char remote_version[256]; /* Must be at least as big as buf. */ 39 char remote_version[256]; /* Must be at least as big as buf. */
40 40
41 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", 41 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -45,11 +45,11 @@ index af1ec337..eccf81bb 100644
45 options.version_addendum); 45 options.version_addendum);
46 46
47diff --git a/version.h b/version.h 47diff --git a/version.h b/version.h
48index e093f623..b7c5ad2a 100644 48index ea52b26f..a3fa6e0b 100644
49--- a/version.h 49--- a/version.h
50+++ b/version.h 50+++ b/version.h
51@@ -3,4 +3,9 @@ 51@@ -3,4 +3,9 @@
52 #define SSH_VERSION "OpenSSH_7.6" 52 #define SSH_VERSION "OpenSSH_7.7"
53 53
54 #define SSH_PORTABLE "p1" 54 #define SSH_PORTABLE "p1"
55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/permitopen-argument-handling.patch b/debian/patches/permitopen-argument-handling.patch
deleted file mode 100644
index 6369c395c..000000000
--- a/debian/patches/permitopen-argument-handling.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From e293f21da513a7db59fe1997c9e90e2e9cdbceda Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 4 Oct 2017 18:49:30 +0000
4Subject: Fix PermitOpen argument handling
5
6fix (another) problem in PermitOpen introduced during the
7channels.c refactor: the third and subsequent arguments to PermitOpen were
8being silently ignored; ok markus@
9
10Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
11
12Origin: https://anongit.mindrot.org/openssh.git/commit/?id=7c9613fac3371cf65fb07739212cdd1ebf6575da
13Last-Update: 2017-10-07
14
15Patch-Name: permitopen-argument-handling.patch
16---
17 servconf.c | 8 ++++----
18 1 file changed, 4 insertions(+), 4 deletions(-)
19
20diff --git a/servconf.c b/servconf.c
21index 5e996cf8..9daa182c 100644
22--- a/servconf.c
23+++ b/servconf.c
24@@ -1,5 +1,5 @@
25
26-/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
27+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
28 /*
29 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
30 * All rights reserved
31@@ -1690,9 +1690,9 @@ process_server_config_line(ServerOptions *options, char *line,
32 if (!arg || *arg == '\0')
33 fatal("%s line %d: missing PermitOpen specification",
34 filename, linenum);
35- i = options->num_permitted_opens; /* modified later */
36+ value = options->num_permitted_opens; /* modified later */
37 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
38- if (*activep && i == 0) {
39+ if (*activep && value == 0) {
40 options->num_permitted_opens = 1;
41 options->permitted_opens = xcalloc(1,
42 sizeof(*options->permitted_opens));
43@@ -1710,7 +1710,7 @@ process_server_config_line(ServerOptions *options, char *line,
44 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
45 fatal("%s line %d: bad port number in "
46 "PermitOpen", filename, linenum);
47- if (*activep && i == 0) {
48+ if (*activep && value == 0) {
49 options->permitted_opens = xrecallocarray(
50 options->permitted_opens,
51 options->num_permitted_opens,
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 098f9d681..0082aaa15 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 6c2e9847f608cc9c36236eecc58241cd3358dd5b Mon Sep 17 00:00:00 2001 1From efe3fd6e6d460836cd705c5746700fadb6751c0d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
18 1 file changed, 2 insertions(+), 3 deletions(-) 18 1 file changed, 2 insertions(+), 3 deletions(-)
19 19
20diff --git a/sshd_config b/sshd_config 20diff --git a/sshd_config b/sshd_config
21index 92822959..a32dc1d4 100644 21index de9cc9fe..31e14a4f 100644
22--- a/sshd_config 22--- a/sshd_config
23+++ b/sshd_config 23+++ b/sshd_config
24@@ -36,9 +36,8 @@ 24@@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 5832897d2..4132937da 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From cdd9076a145a95c21538eedb3f728a897480c5de Mon Sep 17 00:00:00 2001 1From 398af3d66bfe8dc7d436570026571e522a0a13a0 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 84bfad8c..3b30736b 100644 31index 1cd5eab6..3e23e60d 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey], 34@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,19 +94,19 @@ index 84bfad8c..3b30736b 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5133,6 +5189,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5240,6 +5296,7 @@ echo " OSF SIA support: $SIA_MSG"
98 echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 99 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
101+echo " TCP Wrappers support: $TCPW_MSG" 101+echo " TCP Wrappers support: $TCPW_MSG"
102 echo " MD5 password support: $MD5_MSG" 102 echo " MD5 password support: $MD5_MSG"
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " libldns support: $LDNS_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index a4201146..2ed523a2 100644 106index 968ba66b..c8299d5e 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -839,6 +839,12 @@ the user's home directory becomes accessible. 109@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
110 This file should be writable only by the user, and need not be 110 This file should be writable only by the user, and need not be
111 readable by anyone else. 111 readable by anyone else.
112 .Pp 112 .Pp
@@ -119,7 +119,7 @@ index a4201146..2ed523a2 100644
119 .It Pa /etc/hosts.equiv 119 .It Pa /etc/hosts.equiv
120 This file is for host-based authentication (see 120 This file is for host-based authentication (see
121 .Xr ssh 1 ) . 121 .Xr ssh 1 ) .
122@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable. 122@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
123 .Xr ssh-keygen 1 , 123 .Xr ssh-keygen 1 ,
124 .Xr ssh-keyscan 1 , 124 .Xr ssh-keyscan 1 ,
125 .Xr chroot 2 , 125 .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index a4201146..2ed523a2 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 45e50fac..a66e9ca6 100644 131index e88185ef..4ed0364f 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -126,6 +126,13 @@ 134@@ -127,6 +127,13 @@
135 #include <Security/AuthSession.h> 135 #include <Security/AuthSession.h>
136 #endif 136 #endif
137 137
@@ -145,7 +145,7 @@ index 45e50fac..a66e9ca6 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -1987,6 +1994,24 @@ main(int ac, char **av) 148@@ -2042,6 +2049,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
@@ -168,5 +168,5 @@ index 45e50fac..a66e9ca6 100644
168+ } 168+ }
169+#endif /* LIBWRAP */ 169+#endif /* LIBWRAP */
170 170
171 /* Log the connection. */ 171 rdomain = ssh_packet_rdomain_in(ssh);
172 laddr = get_local_ipaddr(sock_in); 172
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 43153ec04..d969d5e8e 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From ef7aa8189491e0b43f14f7f15fb5e66903f7e185 Mon Sep 17 00:00:00 2001 1From e800454207f4d7a0c402f129029b8282209cdf74 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index a533eb09..12e3199d 100644 20index 31e6709f..2bbf6938 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -194,8 +194,16 @@ do_local_cmd(arglist *a) 23@@ -198,8 +198,16 @@ do_local_cmd(arglist *a)
24 24
25 if (verbose_mode) { 25 if (verbose_mode) {
26 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
index 41455aa83..eca78b26a 100644
--- a/debian/patches/seccomp-getuid-geteuid.patch
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -1,4 +1,4 @@
1From 8165600205696cca8a080a5cb6746070512174e9 Mon Sep 17 00:00:00 2001 1From 979c7c92111e0682d02888be50a3322c7de6520a Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:31:05 -0300 3Date: Tue, 9 May 2017 13:31:05 -0300
4Subject: Allow getuid and geteuid calls 4Subject: Allow getuid and geteuid calls
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index 5fb94137d..4a800709f 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
1From a5a99443e190a90eb511215aa7c1fa940f79b901 Mon Sep 17 00:00:00 2001 1From a8dba2230bc3de444c48e48d1bfd57aca1db82b1 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300 3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture 4Subject: Allow flock and ipc syscall for s390 architecture
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index 595b3d6ec..8ccf61508 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -1,4 +1,4 @@
1From 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 Mon Sep 17 00:00:00 2001 1From 76aa43d2298f322f0371b74462418d0461537131 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300 3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390) 4Subject: Enable specific ioctl call for EP11 crypto card (s390)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 1402b9025..5662207cd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001 1From 7da968d97beba5fb80a5488516563ea1376db907 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -31,10 +31,10 @@ Patch-Name: selinux-role.patch
31 15 files changed, 97 insertions(+), 30 deletions(-) 31 15 files changed, 97 insertions(+), 30 deletions(-)
32 32
33diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
34index 29835ae9..27a1a88e 100644 34index 23ce67ca..15ba7073 100644
35--- a/auth.h 35--- a/auth.h
36+++ b/auth.h 36+++ b/auth.h
37@@ -63,6 +63,7 @@ struct Authctxt { 37@@ -65,6 +65,7 @@ struct Authctxt {
38 char *service; 38 char *service;
39 struct passwd *pw; /* set if 'valid' */ 39 struct passwd *pw; /* set if 'valid' */
40 char *style; 40 char *style;
@@ -43,10 +43,10 @@ index 29835ae9..27a1a88e 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index 54070e3a..1f9ec632 100644 46index c34f58c4..be5e9f15 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
50 { 50 {
51 Authctxt *authctxt = ssh->authctxt; 51 Authctxt *authctxt = ssh->authctxt;
52 Authmethod *m = NULL; 52 Authmethod *m = NULL;
@@ -55,7 +55,7 @@ index 54070e3a..1f9ec632 100644
55 int authenticated = 0; 55 int authenticated = 0;
56 56
57 if (authctxt == NULL) 57 if (authctxt == NULL)
58@@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 58@@ -230,8 +230,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
59 debug("userauth-request for user %s service %s method %s", user, service, method); 59 debug("userauth-request for user %s service %s method %s", user, service, method);
60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61 61
@@ -69,7 +69,7 @@ index 54070e3a..1f9ec632 100644
69 69
70 if (authctxt->attempt++ == 0) { 70 if (authctxt->attempt++ == 0) {
71 /* setup auth context */ 71 /* setup auth context */
72@@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 72@@ -258,8 +263,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
73 use_privsep ? " [net]" : ""); 73 use_privsep ? " [net]" : "");
74 authctxt->service = xstrdup(service); 74 authctxt->service = xstrdup(service);
75 authctxt->style = style ? xstrdup(style) : NULL; 75 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,10 +81,10 @@ index 54070e3a..1f9ec632 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index cabfeb8a..510e3496 100644 84index 868fb0d2..ed37458f 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);
88 int mm_answer_pwnamallow(int, Buffer *); 88 int mm_answer_pwnamallow(int, Buffer *);
89 int mm_answer_auth2_read_banner(int, Buffer *); 89 int mm_answer_auth2_read_banner(int, Buffer *);
90 int mm_answer_authserv(int, Buffer *); 90 int mm_answer_authserv(int, Buffer *);
@@ -92,7 +92,7 @@ index cabfeb8a..510e3496 100644
92 int mm_answer_authpassword(int, Buffer *); 92 int mm_answer_authpassword(int, Buffer *);
93 int mm_answer_bsdauthquery(int, Buffer *); 93 int mm_answer_bsdauthquery(int, Buffer *);
94 int mm_answer_bsdauthrespond(int, Buffer *); 94 int mm_answer_bsdauthrespond(int, Buffer *);
95@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -206,6 +207,7 @@ struct mon_table mon_dispatch_proto20[] = {
96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index cabfeb8a..510e3496 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -806,6 +808,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index cabfeb8a..510e3496 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -836,14 +839,37 @@ mm_answer_authserv(int sock, Buffer *m)
112 112
113 authctxt->service = buffer_get_string(m, NULL); 113 authctxt->service = buffer_get_string(m, NULL);
114 authctxt->style = buffer_get_string(m, NULL); 114 authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index cabfeb8a..510e3496 100644
148 return (0); 148 return (0);
149 } 149 }
150 150
151@@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m) 151@@ -1497,7 +1523,7 @@ mm_answer_pty(int sock, Buffer *m)
152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
153 if (res == 0) 153 if (res == 0)
154 goto error; 154 goto error;
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644
171 171
172 struct monitor { 172 struct monitor {
173diff --git a/monitor_wrap.c b/monitor_wrap.c 173diff --git a/monitor_wrap.c b/monitor_wrap.c
174index 0e171a6a..d806bb2e 100644 174index e749efc1..7b2d06c6 100644
175--- a/monitor_wrap.c 175--- a/monitor_wrap.c
176+++ b/monitor_wrap.c 176+++ b/monitor_wrap.c
177@@ -336,10 +336,10 @@ mm_auth2_read_banner(void) 177@@ -331,10 +331,10 @@ mm_auth2_read_banner(void)
178 return (banner); 178 return (banner);
179 } 179 }
180 180
@@ -187,7 +187,7 @@ index 0e171a6a..d806bb2e 100644
187 { 187 {
188 Buffer m; 188 Buffer m;
189 189
190@@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style) 190@@ -343,12 +343,30 @@ mm_inform_authserv(char *service, char *style)
191 buffer_init(&m); 191 buffer_init(&m);
192 buffer_put_cstring(&m, service); 192 buffer_put_cstring(&m, service);
193 buffer_put_cstring(&m, style ? style : ""); 193 buffer_put_cstring(&m, style ? style : "");
@@ -217,12 +217,12 @@ index 0e171a6a..d806bb2e 100644
217+ 217+
218 /* Do the password authentication */ 218 /* Do the password authentication */
219 int 219 int
220 mm_auth_password(Authctxt *authctxt, char *password) 220 mm_auth_password(struct ssh *ssh, char *password)
221diff --git a/monitor_wrap.h b/monitor_wrap.h 221diff --git a/monitor_wrap.h b/monitor_wrap.h
222index 7b2e8945..a9ccb243 100644 222index 0970d1f8..492de5c8 100644
223--- a/monitor_wrap.h 223--- a/monitor_wrap.h
224+++ b/monitor_wrap.h 224+++ b/monitor_wrap.h
225@@ -41,7 +41,8 @@ int mm_is_monitor(void); 225@@ -43,7 +43,8 @@ int mm_is_monitor(void);
226 DH *mm_choose_dh(int, int, int); 226 DH *mm_choose_dh(int, int, int);
227 int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int, 227 int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
228 const char *); 228 const char *);
@@ -231,9 +231,9 @@ index 7b2e8945..a9ccb243 100644
231+void mm_inform_authrole(char *); 231+void mm_inform_authrole(char *);
232 struct passwd *mm_getpwnamallow(const char *); 232 struct passwd *mm_getpwnamallow(const char *);
233 char *mm_auth2_read_banner(void); 233 char *mm_auth2_read_banner(void);
234 int mm_auth_password(struct Authctxt *, char *); 234 int mm_auth_password(struct ssh *, char *);
235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
236index e4c5d1b7..e26faf08 100644 236index 8c5325cc..8a3e5c68 100644
237--- a/openbsd-compat/port-linux.c 237--- a/openbsd-compat/port-linux.c
238+++ b/openbsd-compat/port-linux.c 238+++ b/openbsd-compat/port-linux.c
239@@ -27,6 +27,12 @@ 239@@ -27,6 +27,12 @@
@@ -249,7 +249,7 @@ index e4c5d1b7..e26faf08 100644
249 #include "log.h" 249 #include "log.h"
250 #include "xmalloc.h" 250 #include "xmalloc.h"
251 #include "port-linux.h" 251 #include "port-linux.h"
252@@ -56,7 +62,7 @@ ssh_selinux_enabled(void) 252@@ -55,7 +61,7 @@ ssh_selinux_enabled(void)
253 253
254 /* Return the default security context for the given username */ 254 /* Return the default security context for the given username */
255 static security_context_t 255 static security_context_t
@@ -258,7 +258,7 @@ index e4c5d1b7..e26faf08 100644
258 { 258 {
259 security_context_t sc = NULL; 259 security_context_t sc = NULL;
260 char *sename = NULL, *lvl = NULL; 260 char *sename = NULL, *lvl = NULL;
261@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname) 261@@ -70,9 +76,16 @@ ssh_selinux_getctxbyname(char *pwname)
262 #endif 262 #endif
263 263
264 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 264 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -277,7 +277,7 @@ index e4c5d1b7..e26faf08 100644
277 #endif 277 #endif
278 278
279 if (r != 0) { 279 if (r != 0) {
280@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname) 280@@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname)
281 281
282 /* Set the execution context to the default for the specified user */ 282 /* Set the execution context to the default for the specified user */
283 void 283 void
@@ -286,7 +286,7 @@ index e4c5d1b7..e26faf08 100644
286 { 286 {
287 security_context_t user_ctx = NULL; 287 security_context_t user_ctx = NULL;
288 288
289@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname) 289@@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname)
290 290
291 debug3("%s: setting execution context", __func__); 291 debug3("%s: setting execution context", __func__);
292 292
@@ -295,7 +295,7 @@ index e4c5d1b7..e26faf08 100644
295 if (setexeccon(user_ctx) != 0) { 295 if (setexeccon(user_ctx) != 0) {
296 switch (security_getenforce()) { 296 switch (security_getenforce()) {
297 case -1: 297 case -1:
298@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname) 298@@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname)
299 299
300 /* Set the TTY context for the specified user */ 300 /* Set the TTY context for the specified user */
301 void 301 void
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644
364 char *platform_krb5_get_principal_name(const char *); 364 char *platform_krb5_get_principal_name(const char *);
365 int platform_sys_dir_uid(uid_t); 365 int platform_sys_dir_uid(uid_t);
366diff --git a/session.c b/session.c 366diff --git a/session.c b/session.c
367index 4bccb62d..d40afe4f 100644 367index 58826db1..ff301c98 100644
368--- a/session.c 368--- a/session.c
369+++ b/session.c 369+++ b/session.c
370@@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid) 370@@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid)
371 371
372 /* Set login name, uid, gid, and groups. */ 372 /* Set login name, uid, gid, and groups. */
373 void 373 void
@@ -376,7 +376,7 @@ index 4bccb62d..d40afe4f 100644
376 { 376 {
377 char *chroot_path, *tmp; 377 char *chroot_path, *tmp;
378 378
379@@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw) 379@@ -1350,7 +1350,7 @@ do_setusercontext(struct passwd *pw)
380 endgrent(); 380 endgrent();
381 #endif 381 #endif
382 382
@@ -385,7 +385,7 @@ index 4bccb62d..d40afe4f 100644
385 385
386 if (!in_chroot && options.chroot_directory != NULL && 386 if (!in_chroot && options.chroot_directory != NULL &&
387 strcasecmp(options.chroot_directory, "none") != 0) { 387 strcasecmp(options.chroot_directory, "none") != 0) {
388@@ -1477,7 +1477,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 388@@ -1487,7 +1487,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
389 389
390 /* Force a password change */ 390 /* Force a password change */
391 if (s->authctxt->force_pwchange) { 391 if (s->authctxt->force_pwchange) {
@@ -394,7 +394,7 @@ index 4bccb62d..d40afe4f 100644
394 child_close_fds(ssh); 394 child_close_fds(ssh);
395 do_pwchange(s); 395 do_pwchange(s);
396 exit(1); 396 exit(1);
397@@ -1499,7 +1499,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 397@@ -1505,7 +1505,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
398 /* When PAM is enabled we rely on it to do the nologin check */ 398 /* When PAM is enabled we rely on it to do the nologin check */
399 if (!options.use_pam) 399 if (!options.use_pam)
400 do_nologin(pw); 400 do_nologin(pw);
@@ -403,7 +403,7 @@ index 4bccb62d..d40afe4f 100644
403 /* 403 /*
404 * PAM session modules in do_setusercontext may have 404 * PAM session modules in do_setusercontext may have
405 * generated messages, so if this in an interactive 405 * generated messages, so if this in an interactive
406@@ -1891,7 +1891,7 @@ session_pty_req(struct ssh *ssh, Session *s) 406@@ -1897,7 +1897,7 @@ session_pty_req(struct ssh *ssh, Session *s)
407 tty_parse_modes(s->ttyfd, &n_bytes); 407 tty_parse_modes(s->ttyfd, &n_bytes);
408 408
409 if (!use_privsep) 409 if (!use_privsep)
@@ -426,10 +426,10 @@ index 54dd1f0c..8535ebce 100644
426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
427 427
428diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
429index a66e9ca6..af1ec337 100644 429index 4ed0364f..6d911c19 100644
430--- a/sshd.c 430--- a/sshd.c
431+++ b/sshd.c 431+++ b/sshd.c
432@@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt)
433 reseed_prngs(); 433 reseed_prngs();
434 434
435 /* Drop privileges */ 435 /* Drop privileges */
@@ -439,10 +439,10 @@ index a66e9ca6..af1ec337 100644
439 skip: 439 skip:
440 /* It is safe now to apply the key state */ 440 /* It is safe now to apply the key state */
441diff --git a/sshpty.c b/sshpty.c 441diff --git a/sshpty.c b/sshpty.c
442index fe2fb5aa..feb22b06 100644 442index 4da84d05..676ade50 100644
443--- a/sshpty.c 443--- a/sshpty.c
444+++ b/sshpty.c 444+++ b/sshpty.c
445@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 445@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
446 } 446 }
447 447
448 void 448 void
@@ -451,7 +451,7 @@ index fe2fb5aa..feb22b06 100644
451 { 451 {
452 struct group *grp; 452 struct group *grp;
453 gid_t gid; 453 gid_t gid;
454@@ -209,7 +209,7 @@ pty_setowner(struct passwd *pw, const char *tty) 454@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty)
455 strerror(errno)); 455 strerror(errno));
456 456
457 #ifdef WITH_SELINUX 457 #ifdef WITH_SELINUX
diff --git a/debian/patches/series b/debian/patches/series
index 01aa2c87c..e409902b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,7 +8,6 @@ user-group-modes.patch
8scp-quoting.patch 8scp-quoting.patch
9shell-path.patch 9shell-path.patch
10dnssec-sshfp.patch 10dnssec-sshfp.patch
11auth-log-verbosity.patch
12mention-ssh-keygen-on-keychange.patch 11mention-ssh-keygen-on-keychange.patch
13package-versioning.patch 12package-versioning.patch
14debian-banner.patch 13debian-banner.patch
@@ -21,10 +20,7 @@ no-openssl-version-status.patch
21gnome-ssh-askpass2-icon.patch 20gnome-ssh-askpass2-icon.patch
22systemd-readiness.patch 21systemd-readiness.patch
23debian-config.patch 22debian-config.patch
24no-dsa-host-key-by-default.patch
25restore-authorized_keys2.patch 23restore-authorized_keys2.patch
26seccomp-s390-flock-ipc.patch 24seccomp-s390-flock-ipc.patch
27seccomp-getuid-geteuid.patch 25seccomp-getuid-geteuid.patch
28seccomp-s390-ioctl-ep11-crypto.patch 26seccomp-s390-ioctl-ep11-crypto.patch
29permitopen-argument-handling.patch
30fix-regress-putty-transfer.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 29abf10f2..638d348f2 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From c239ba6fa4560704a237779f82445d5f125847e1 Mon Sep 17 00:00:00 2001 1From 72fead7f622b074c9b92dbdb8ae745faf2702b3d Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index dc7a704d..5eed5880 100644 19index 3805d35d..8ab01c0e 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -235,7 +235,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, 22@@ -239,7 +239,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index dc7a704d..5eed5880 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1435,7 +1435,7 @@ ssh_local_cmd(const char *args) 31@@ -1554,7 +1554,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 9ac4977b5..d9b86e20e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From b37d4f364f9c9bfbaf372e903ebbe80ef8ae2264 Mon Sep 17 00:00:00 2001 1From 3fe0881b32198fc6121c6ded59beb1433236982a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3a560ad78..771410ba9 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 7e5cf5d27a7be47203280c665ca7311269f53671 Mon Sep 17 00:00:00 2001 1From e55358f350ef1183679c845a4f9913b2866cf847 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 2a2aab30..711fe608 100644 21index 54e21d88..f8fc26d2 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1556,6 +1556,7 @@ if an error occurred. 24@@ -1571,6 +1571,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index ef1ce4e99..34ff8a497 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 19971fb92159a621b55f0b9da76dd38a56d7247c Mon Sep 17 00:00:00 2001 1From 4fb99d4eb8936b6ffae3749717abfc2dccbaa162 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 99e03ee1..d2b28a41 100644 20index c8e79299..1f1be778 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -189,6 +189,7 @@ static struct { 23@@ -189,6 +189,7 @@ static struct {
@@ -29,10 +29,10 @@ index 99e03ee1..d2b28a41 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index 8ba74517..9889fb0a 100644 32index cbbea05b..3fff3d53 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -525,6 +525,7 @@ static struct { 35@@ -576,6 +576,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3ed6287a9..897433408 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From 215bd91f12b0ddb9754483ee6e3c3b4751256dca Mon Sep 17 00:00:00 2001 1From 027619c6b05713e3f08a51e7232389383900e5d8 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 99450dd1..1559091d 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index ae37432b..9cb21171 100644 36index d3619fe2..e36debf6 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1166,7 +1166,7 @@ main(int ac, char **av) 39@@ -1252,7 +1252,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 537a5cab6..8c9832cdd 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd Mon Sep 17 00:00:00 2001 1From 293675c88b02f0a5ba3896db73b2716e70d87b31 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 3b30736b..483a9038 100644 17index 3e23e60d..eac143b4 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4389,6 +4389,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4496,6 +4496,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index 3b30736b..483a9038 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5196,6 +5219,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5303,6 +5326,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 3b30736b..483a9038 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index a5a1193d..1fde5a63 100644 59index 1d645a17..3a86e66e 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index a5a1193d..1fde5a63 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1881,6 +1885,11 @@ main(int ac, char **av) 73@@ -1933,6 +1937,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 338c7567d..a7201b318 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From b1033fed87fd9fa24dccab45f00cadcbc7144c47 Mon Sep 17 00:00:00 2001 1From 9e45701c5d6105444cc2f4f5d6c44b0f69969479 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -51,10 +51,10 @@ index ecf956f0..4dccd5e6 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index 6aec3605..68a1e4a7 100644 54index 76d586e3..68b9fe79 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -467,8 +467,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -468,8 +468,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
59 if (options.strict_modes && 59 if (options.strict_modes &&
60 (stat(user_hostfile, &st) == 0) && 60 (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 6aec3605..68a1e4a7 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 05950a47..40aeeef3 100644 68index 874dcc8a..75c4113f 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -57,8 +57,9 @@ 71@@ -57,8 +57,9 @@
@@ -79,7 +79,7 @@ index 05950a47..40aeeef3 100644
79 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
80 #include <net/if.h> 80 #include <net/if.h>
81 #endif 81 #endif
82@@ -723,6 +724,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 82@@ -1030,6 +1031,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
83 return -1; 83 return -1;
84 } 84 }
85 85
@@ -133,9 +133,9 @@ index 05950a47..40aeeef3 100644
133+} 133+}
134+ 134+
135 int 135 int
136 tun_open(int tun, int mode) 136 tun_open(int tun, int mode, char **ifname)
137 { 137 {
138@@ -1626,8 +1676,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 138@@ -1797,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf); 139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1; 140 return -1;
141 } 141 }
@@ -145,7 +145,7 @@ index 05950a47..40aeeef3 100644
145 snprintf(err, errlen, "bad ownership or modes for file %s", 145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf); 146 buf);
147 return -1; 147 return -1;
148@@ -1642,8 +1691,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 148@@ -1813,8 +1862,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf)); 149 strlcpy(buf, cp, sizeof(buf));
150 150
151 if (stat(buf, &st) < 0 || 151 if (stat(buf, &st) < 0 ||
@@ -156,10 +156,10 @@ index 05950a47..40aeeef3 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index 153d1137..d8759ab1 100644 159index cdafea73..51943db9 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -163,6 +163,8 @@ char *read_passphrase(const char *, int); 162@@ -168,6 +168,8 @@ char *read_passphrase(const char *, int);
163 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 163 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
164 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 164 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
165 165
@@ -169,10 +169,10 @@ index 153d1137..d8759ab1 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 45caa095..be3d5873 100644 172index 7f2b5c17..50349e23 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1766,8 +1766,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1741,8 +1741,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 45caa095..be3d5873 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index 2ab1697f..3cc94688 100644 186index b4078525..0ef7c170 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1456,6 +1456,8 @@ The file format and configuration options are described in 189@@ -1471,6 +1471,8 @@ The file format and configuration options are described in
190 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
191 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
192 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index 2ab1697f..3cc94688 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index d6f43c2d..7810a418 100644 199index 32c3632c..84dcd52c 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1786,6 +1786,8 @@ The format of this file is described above. 202@@ -1818,6 +1818,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not accessible by others. 205 read/write for the user, and not accessible by others.