--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/030-auth_limits_bypass_fix.patch Mon Aug 03 15:31:47 2015 -0700
@@ -0,0 +1,35 @@
+#
+# This is to fix a keyboard-interactive authentication brute force
+# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
+# reserved for this problem, but not officially issued yet. This fix came from
+# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
+# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
+#
+--- a/auth2-chall.c Mon Aug 3 15:25:43 2015
++++ b/auth2-chall.c Mon Aug 3 15:28:17 2015
+@@ -82,6 +82,7 @@
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -168,11 +169,15 @@
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;