# HG changeset patch # User Tomas Kuthan # Date 1485555785 28800 # Node ID c11a68c3a63d7aa2ef72259da2795b459056f7cb # Parent c60efbddf9c8861e7989e57700fc9565bf3e702f 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH diff -r c60efbddf9c8 -r c11a68c3a63d components/openssh/Makefile --- a/components/openssh/Makefile Fri Jan 27 13:46:43 2017 -0800 +++ b/components/openssh/Makefile Fri Jan 27 14:23:05 2017 -0800 @@ -20,7 +20,7 @@ # # -# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. # COMPILER= gcc include ../../make-rules/shared-macros.mk @@ -54,6 +54,7 @@ CFLAGS += -DSET_USE_PAM CFLAGS += -DDEPRECATE_SUNSSH_OPT CFLAGS += -DKRB5_BUILD_FIX +CFLAGS += -DDTRACE_SFTP CFLAGS += -DDISABLE_BANNER CFLAGS += -DPAM_ENHANCEMENT CFLAGS += -DPAM_BUGFIX @@ -91,6 +92,12 @@ CONFIGURE_OPTIONS += --bindir=$(USRBINDIR) CONFIGURE_OPTIONS += --disable-lastlog +# Copy the sftp dtrace provider file and the header file to source directory +COMPONENT_PRE_BUILD_ACTION = \ + ( echo "Copying dtrace sftp files..."; \ + $(LN) -fs $(COMPONENT_DIR)/dtrace_sftp/*.[dh] $(SOURCE_DIR); \ + ) + MANLIST= moduli.5 scp.1 sftp-server.8 sftp.1 ssh-add.1 ssh-agent.1 \ ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8 \ ssh.1 ssh_config.5 sshd.8 sshd_config.5 diff -r c60efbddf9c8 -r c11a68c3a63d components/openssh/dtrace_sftp/sftp_provider.d --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/dtrace_sftp/sftp_provider.d Fri Jan 27 14:23:05 2017 -0800 
@@ -0,0 +1,61 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ */
+
+/*
+ * We seem currently unable to depend properly on existing D libraries (like
+ * sftp.d). But the definitions for conninfo_t and sftpinfo_t are stored there
+ * (and have to be, since that's where the real translators live). So we're
+ * forced to define something here to satisfy dtrace(1M), but none of the
+ * definitions or translators here are actually used.
+ */
+typedef struct sftpinfo {
+ int dummy;
+} sftpinfo_t;
+
+typedef struct sftpproto {
+ int dummy;
+} sftpproto_t;
+
+typedef struct conninfo {
+ int dummy;
+} conninfo_t;
+
+translator conninfo_t {
+};
+
+translator sftpinfo_t {
+};
+
+provider sftp {
+ probe transfer__start(sftpproto_t *p) :
+ (conninfo_t *p, sftpinfo_t *p);
+ probe transfer__done(sftpproto_t *p) :
+ (conninfo_t *p, sftpinfo_t *p);
+};
+
+#pragma D attributes Evolving/Evolving/ISA provider sftp provider
+#pragma D attributes Private/Private/Unknown provider sftp module
+#pragma D attributes Private/Private/Unknown provider sftp function
+#pragma D attributes Private/Private/ISA provider sftp name
+#pragma D attributes Evolving/Evolving/ISA provider sftp args
diff -r c60efbddf9c8 -r c11a68c3a63d components/openssh/dtrace_sftp/sftp_provider_impl.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/dtrace_sftp/sftp_provider_impl.h Fri Jan 27 14:23:05 2017 -0800
@@ -0,0 +1,73 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#ifndef _SFTP_PROVIDER_IMPL_H
+#define _SFTP_PROVIDER_IMPL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This structure must match the definition of same in sftp.d.
+ */
+typedef struct sftpproto {
+ int64_t sftp_nbytes; /* bytes writtten or read */
+ const char *sftp_user; /* user name */
+ const char *sftp_operation; /* SFTP Operation */
+ const char *sftp_raddr; /* remote address */
+ const char *sftp_pathname; /* path with file name */
+ int32_t sftp_fd; /* fd for transfer, if any */
+} sftpproto_t;
+
+#define SFTP_TRANSFER_PROTO(proto, op, fd, path, len) \
+ bzero((proto), sizeof (struct sftpproto)); \
+ (proto)->sftp_user = (pw->pw_name ? pw->pw_name : "UNKNOWN"); \
+ (proto)->sftp_operation = (op ? op : "UNKNOWN"); \
+ (proto)->sftp_raddr = (client_addr); \
+ (proto)->sftp_fd = (fd); \
+ (proto)->sftp_pathname = (path ? path : "UNKNOWN"); \
+ (proto)->sftp_nbytes = (len); \
+
+#define SFTP_TRANSFER_START_OP(op, fd, path, len) \
+ if (SFTP_TRANSFER_START_ENABLED()) { \
+ sftpproto_t proto; \
+ SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
+ SFTP_TRANSFER_START(&proto); \
+ } \
+
+#define SFTP_TRANSFER_DONE_OP(op, fd, path, len) \
+ if (SFTP_TRANSFER_DONE_ENABLED()) { \
+ sftpproto_t proto; \
+ SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
+ SFTP_TRANSFER_DONE(&proto); \
+ } \
+
+#include
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SFTP_PROVIDER_IMPL_H */
diff -r c60efbddf9c8 -r c11a68c3a63d components/openssh/patches/013-dtrace_sftp.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/013-dtrace_sftp.patch Fri Jan 27 14:23:05 2017 -0800
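Review bot: `SFTP_TRANSFER_START_OP` and `SFTP_TRANSFER_DONE_OP` expand to a bare `if (...) { ... }` and `SFTP_TRANSFER_PROTO` to a run of statements, each ending in a stray line continuation, so a call site used as the body of an unbraced `if`/`else` would bind wrongly; wrapping all three in `do { ... } while (0)` and parenthesizing `op` and `path` removes the hazard. The macros also read `pw` and `client_addr` from the caller's scope without taking them as parameters and dereference `pw` unchecked, which deserves a comment stating that both must be set before the first probe can fire. Because the probe hands the user name, peer address and full pathname of every transfer to a DTrace consumer, a short header comment on who is expected to be able to observe it would help anyone reviewing the audit surface. `int64_t` and `int32_t` are used with no include visible in this header, so it presumably relies on the including file.

```c
#define SFTP_TRANSFER_PROTO(proto, op, fd, path, len) \
	do { \
		bzero((proto), sizeof (struct sftpproto)); \
		(proto)->sftp_user = (pw->pw_name ? pw->pw_name : "UNKNOWN"); \
		(proto)->sftp_operation = ((op) ? (op) : "UNKNOWN"); \
		(proto)->sftp_raddr = (client_addr); \
		(proto)->sftp_fd = (fd); \
		(proto)->sftp_pathname = ((path) ? (path) : "UNKNOWN"); \
		(proto)->sftp_nbytes = (len); \
	} while (0)

#define SFTP_TRANSFER_START_OP(op, fd, path, len) \
	do { \
		if (SFTP_TRANSFER_START_ENABLED()) { \
			sftpproto_t proto; \
			SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
			SFTP_TRANSFER_START(&proto); \
		} \
	} while (0)

/* ... SFTP_TRANSFER_DONE_OP: same do { ... } while (0) wrapper around its if ... */
```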
@@ -0,0 +1,137 @@
+#
+# This patch is to provide a SFTP DTrace provider which offers an administrator
+# some observability of SFTP data transfer. This was developed in-house.
+# Because this is Solaris-specific and not suitable for upstream, we will not
+# contribute the changes to the upstream community.
+#
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in
++++ new/Makefile.in
+@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
+ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
++ sftp_provider.o \
+ ssh-pkcs11.o smult_curve25519_ref.o \
+ poly1305.o chacha.o cipher-chachapoly.o \
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+@@ -107,7 +108,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+- sftp-server.o sftp-common.o \
++ sftp-server.o sftp-common.o sftp_provider.o \
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+ sandbox-solaris.o
+@@ -187,8 +188,8 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
+-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp_provider.o
++ $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o sftp_provider.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
+ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+@@ -225,9 +226,18 @@ umac128.o: umac.c
+ -Dumac_update=umac128_update -Dumac_final=umac128_final \
+ -Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
+
++# dtrace sftp
++sftp_provider.h: $(srcdir)/sftp_provider.d
++ /usr/sbin/dtrace -xnolibs -h -s $(srcdir)/sftp_provider.d \
++ -o $(srcdir)/sftp_provider.h
++
++sftp_provider.o: sftp_provider.d sftp_provider.h sftp-server.o
++ /usr/sbin/dtrace -G -32 -xnolibs -s $(srcdir)/sftp_provider.d \
++ sftp-server.o -o sftp_provider.o
++
+ clean: regressclean
+ rm -f *.o *.a $(TARGETS) logintest config.cache config.log
+- rm -f *.out core survey
++ rm -f *.out core survey sftp_provider.h
+ rm -f regress/unittests/test_helper/*.a
+ rm -f regress/unittests/test_helper/*.o
+ rm -f regress/unittests/sshbuf/*.o
+diff -pur old/sftp-server.c new/sftp-server.c
+--- old/sftp-server.c
++++ new/sftp-server.c
+@@ -51,6 +51,9 @@
+
+ #include "sftp.h"
+ #include "sftp-common.h"
++#ifdef DTRACE_SFTP
++#include "sftp_provider_impl.h"
++#endif
+
+ /* Our verbosity */
+ static LogLevel log_level = SYSLOG_LEVEL_ERROR;
+@@ -737,14 +740,17 @@ process_read(u_int32_t id)
+ u_int32_t len;
+ int r, handle, fd, ret, status = SSH2_FX_FAILURE;
+ u_int64_t off;
++ char *fpath;
+
+ if ((r = get_handle(iqueue, &handle)) != 0 ||
+ (r = sshbuf_get_u64(iqueue, &off)) != 0 ||
+ (r = sshbuf_get_u32(iqueue, &len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+- debug("request %u: read \"%s\" (handle %d) off %llu len %d",
+- id, handle_to_name(handle), handle, (unsigned long long)off, len);
++ fpath = handle_to_name(handle);
++
++ debug("request %u: read \"%s\" (handle %d) off %llu len %d",
++ id, fpath, handle, (unsigned long long)off, len);
+ if (len > sizeof buf) {
+ len = sizeof buf;
+ debug2("read change len %d", len);
+@@ -755,7 +761,13 @@ process_read(u_int32_t id)
+ 
error("process_read: seek failed"); + status = errno_to_portable(errno); + } else { ++#ifdef DTRACE_SFTP ++ SFTP_TRANSFER_START_OP("read", fd, fpath, len); ++#endif + ret = read(fd, buf, len); ++#ifdef DTRACE_SFTP ++ SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret); ++#endif + if (ret < 0) { + status = errno_to_portable(errno); + } else if (ret == 0) { +@@ -778,14 +790,16 @@ process_write(u_int32_t id) + size_t len; + int r, handle, fd, ret, status; + u_char *data; ++ char *fpath; + + if ((r = get_handle(iqueue, &handle)) != 0 || + (r = sshbuf_get_u64(iqueue, &off)) != 0 || + (r = sshbuf_get_string(iqueue, &data, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + ++ fpath = handle_to_name(handle); + debug("request %u: write \"%s\" (handle %d) off %llu len %zu", +- id, handle_to_name(handle), handle, (unsigned long long)off, len); ++ id, fpath, handle, (unsigned long long)off, len); + fd = handle_to_fd(handle); + + if (fd < 0) +@@ -797,7 +811,14 @@ process_write(u_int32_t id) + error("process_write: seek failed"); + } else { + /* XXX ATOMICIO ? */ ++#ifdef DTRACE_SFTP ++ SFTP_TRANSFER_START_OP("write", fd, fpath, len); ++#endif + ret = write(fd, data, len); ++#ifdef DTRACE_SFTP ++ SFTP_TRANSFER_DONE_OP("write", fd, fpath, ret); ++#endif ++ + if (ret < 0) { + error("process_write: write failed"); + status = errno_to_portable(errno); diff -r c60efbddf9c8 -r c11a68c3a63d components/openssh/patches/023-gsskex.patch --- a/components/openssh/patches/023-gsskex.patch Fri Jan 27 13:46:43 2017 -0800 +++ b/components/openssh/patches/023-gsskex.patch Fri Jan 27 14:23:05 2017 -0800 @@ -19,29 +19,29 @@ # # Upstream rejected GSS-API key exchange several times before. # -diff -rupN old/Makefile.in new/Makefile.in ---- old/Makefile.in 2016-09-21 19:40:34.495262333 -0700 -+++ new/Makefile.in 2016-09-21 20:20:17.560532505 -0700 +diff -pur old/Makefile.in new/Makefile.in +--- old/Makefile.in ++++ new/Makefile.in 
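Review bot: In the `process_read` and `process_write` parts of the embedded sftp-server.c patch, `SFTP_TRANSFER_DONE_OP(..., ret)` fires before the `if (ret < 0)` check, so a failed `read()`/`write()` reaches consumers as `sftp_nbytes == -1` with no error code, and a D script that sums `sftp_nbytes` for transfer accounting will under-count. Either document next to the `sftp_nbytes` field that a negative value means the call failed, or fire the done probe after the error branch; the macro also sits between the system call and `errno_to_portable(errno)`, so it should stay free of anything that can modify `errno`. Separately, in the Makefile.in part, `sftp-server.o` has no dependency on the generated `sftp_provider.h`, so a parallel build may compile sftp-server.c before the header exists; adding `sftp-server.o: sftp_provider.h` would order it (the include inside sftp_provider_impl.h is not legible on this page, so this is inferred). Both functions continue outside the lines shown.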
@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ + kexgssc.o \ + sftp_provider.o \ ssh-pkcs11.o smult_curve25519_ref.o \ poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ -@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ + sftp-server.o sftp-common.o sftp_provider.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -diff -rupN old/auth.c new/auth.c ---- old/auth.c 2017-01-11 18:18:17.172126803 -0800 -+++ new/auth.c 2017-01-11 18:21:06.506811958 -0800 +diff -pur old/auth.c new/auth.c +--- old/auth.c ++++ new/auth.c @@ -363,6 +363,7 @@ auth_root_allowed(const char *method) case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || @@ -150,9 +150,9 @@ * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this * several times. -diff -rupN old/auth2-gss.c new/auth2-gss.c ---- old/auth2-gss.c 2016-09-21 19:40:20.290128383 -0700 -+++ new/auth2-gss.c 2016-09-21 19:25:47.855250807 -0700 +diff -pur old/auth2-gss.c new/auth2-gss.c +--- old/auth2-gss.c ++++ new/auth2-gss.c @@ -1,7 +1,7 @@ /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ 
@@ -215,9 +215,9 @@ Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -rupN old/auth2.c new/auth2.c ---- old/auth2.c 2016-09-21 19:40:20.293020496 -0700 -+++ new/auth2.c 2016-09-21 19:25:47.497355321 -0700 +diff -pur old/auth2.c new/auth2.c +--- old/auth2.c ++++ new/auth2.c @@ -70,6 +70,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -234,9 +234,9 @@ &method_gssapi, #endif &method_passwd, -diff -rupN old/canohost.c new/canohost.c ---- old/canohost.c 2016-09-21 19:40:20.295936952 -0700 -+++ new/canohost.c 2016-09-21 19:25:47.908930173 -0700 +diff -pur old/canohost.c new/canohost.c +--- old/canohost.c ++++ new/canohost.c @@ -202,3 +202,97 @@ get_local_port(int sock) { return get_sock_port(sock, 1); @@ -335,9 +335,9 @@ + } + return strdup(name); +} -diff -rupN old/canohost.h new/canohost.h ---- old/canohost.h 2016-09-21 19:40:20.298804941 -0700 -+++ new/canohost.h 2016-09-21 19:25:47.335129267 -0700 +diff -pur old/canohost.h new/canohost.h +--- old/canohost.h ++++ new/canohost.h @@ -21,6 +21,9 @@ char *get_local_ipaddr(int); char *get_local_name(int); int get_local_port(int); @@ -348,9 +348,9 @@ #endif /* _CANOHOST_H */ void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); -diff -rupN old/gss-genr.c new/gss-genr.c ---- old/gss-genr.c 2016-09-21 19:40:20.301650203 -0700 -+++ new/gss-genr.c 2016-09-21 19:25:47.301737088 -0700 +diff -pur old/gss-genr.c new/gss-genr.c +--- old/gss-genr.c ++++ new/gss-genr.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ @@ -578,9 +578,9 @@ ssh_gssapi_delete_ctx(ctx); return (!GSS_ERROR(major)); -diff -rupN old/gss-serv.c new/gss-serv.c ---- old/gss-serv.c 2016-09-21 19:40:20.304525100 -0700 -+++ new/gss-serv.c 2016-09-21 19:25:47.229908522 -0700 +diff -pur old/gss-serv.c new/gss-serv.c +--- old/gss-serv.c ++++ new/gss-serv.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ 
@@ -653,9 +653,9 @@ -} - #endif -diff -rupN old/kex.c new/kex.c ---- old/kex.c 2016-09-21 19:40:20.307412118 -0700 -+++ new/kex.c 2016-09-21 19:25:47.559276736 -0700 +diff -pur old/kex.c new/kex.c +--- old/kex.c ++++ new/kex.c @@ -55,6 +55,10 @@ #include "sshbuf.h" #include "digest.h" @@ -688,9 +688,9 @@ return k; } return NULL; -diff -rupN old/kex.h new/kex.h ---- old/kex.h 2016-09-21 19:40:20.310245128 -0700 -+++ new/kex.h 2016-09-21 19:25:47.142516186 -0700 +diff -pur old/kex.h new/kex.h +--- old/kex.h ++++ new/kex.h @@ -98,6 +98,9 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, @@ -723,9 +723,9 @@ int kex_dh_hash(int, const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, -diff -rupN old/monitor.c new/monitor.c ---- old/monitor.c 2016-09-21 19:40:20.313190151 -0700 -+++ new/monitor.c 2016-09-21 19:25:47.525137447 -0700 +diff -pur old/monitor.c new/monitor.c +--- old/monitor.c ++++ new/monitor.c @@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -884,9 +884,9 @@ + #endif /* GSSAPI */ -diff -rupN old/monitor.h new/monitor.h ---- old/monitor.h 2016-09-21 19:40:20.316049455 -0700 -+++ new/monitor.h 2016-09-21 19:25:47.113344203 -0700 +diff -pur old/monitor.h new/monitor.h +--- old/monitor.h ++++ new/monitor.h @@ -68,6 +68,9 @@ enum monitor_reqtype { #ifdef PAM_ENHANCEMENT MONITOR_REQ_AUTHMETHOD = 114, @@ -897,9 +897,9 @@ }; struct mm_master; -diff -rupN old/monitor_wrap.c new/monitor_wrap.c ---- old/monitor_wrap.c 2016-09-21 19:40:20.318913737 -0700 -+++ new/monitor_wrap.c 2016-09-21 19:25:47.668505812 -0700 +diff -pur old/monitor_wrap.c new/monitor_wrap.c +--- old/monitor_wrap.c ++++ new/monitor_wrap.c @@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); 
@@ -929,9 +929,9 @@ + #endif /* GSSAPI */ -diff -rupN old/monitor_wrap.h new/monitor_wrap.h ---- old/monitor_wrap.h 2016-09-21 19:40:20.321783476 -0700 -+++ new/monitor_wrap.h 2016-09-21 19:25:47.026452744 -0700 +diff -pur old/monitor_wrap.h new/monitor_wrap.h +--- old/monitor_wrap.h ++++ new/monitor_wrap.h @@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); int mm_ssh_gssapi_userok(char *user); @@ -940,9 +940,9 @@ #endif #ifdef USE_PAM -diff -rupN old/readconf.c new/readconf.c ---- old/readconf.c 2016-09-21 19:40:20.324827120 -0700 -+++ new/readconf.c 2016-09-21 19:25:47.885753634 -0700 +diff -pur old/readconf.c new/readconf.c +--- old/readconf.c ++++ new/readconf.c @@ -160,6 +160,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -999,9 +999,9 @@ if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; if (options->password_authentication == -1) -diff -rupN old/readconf.h new/readconf.h ---- old/readconf.h 2016-09-21 19:40:20.327689956 -0700 -+++ new/readconf.h 2016-09-21 19:25:47.449284716 -0700 +diff -pur old/readconf.h new/readconf.h +--- old/readconf.h ++++ new/readconf.h @@ -45,6 +45,7 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -1010,9 +1010,9 @@ int gss_deleg_creds; /* Delegate GSS credentials */ int password_authentication; /* Try password * authentication. */ -diff -rupN old/servconf.c new/servconf.c ---- old/servconf.c 2016-09-21 19:40:20.330699306 -0700 -+++ new/servconf.c 2016-09-21 19:25:47.054209571 -0700 +diff -pur old/servconf.c new/servconf.c +--- old/servconf.c ++++ new/servconf.c @@ -117,6 +117,7 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; 
@@ -1079,9 +1079,9 @@ #ifndef USE_GSS_STORE_CRED dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); #endif /* !USE_GSS_STORE_CRED */ -diff -rupN old/servconf.h new/servconf.h ---- old/servconf.h 2016-09-21 19:40:20.333544958 -0700 -+++ new/servconf.h 2016-09-21 19:25:47.739063955 -0700 +diff -pur old/servconf.h new/servconf.h +--- old/servconf.h ++++ new/servconf.h @@ -122,6 +122,7 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -1090,9 +1090,9 @@ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ int password_authentication; /* If true, permit password -diff -rupN old/ssh-gss.h new/ssh-gss.h ---- old/ssh-gss.h 2016-09-21 19:40:20.336386442 -0700 -+++ new/ssh-gss.h 2016-09-21 19:25:47.600702960 -0700 +diff -pur old/ssh-gss.h new/ssh-gss.h +--- old/ssh-gss.h ++++ new/ssh-gss.h @@ -61,6 +61,17 @@ #define SSH_GSS_OIDTYPE 0x06 @@ -1140,9 +1140,9 @@ #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -diff -rupN old/ssh_config.5 new/ssh_config.5 ---- old/ssh_config.5 2016-09-21 19:40:20.339307715 -0700 -+++ new/ssh_config.5 2016-09-21 19:25:47.188814608 -0700 +diff -pur old/ssh_config.5 new/ssh_config.5 +--- old/ssh_config.5 ++++ new/ssh_config.5 @@ -834,6 +834,12 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default on Solaris is @@ -1156,9 +1156,9 @@ .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is -diff -rupN old/sshconnect2.c new/sshconnect2.c ---- old/sshconnect2.c 2016-09-21 19:40:20.342249196 -0700 -+++ new/sshconnect2.c 2016-09-21 19:25:47.810679787 -0700 +diff -pur old/sshconnect2.c new/sshconnect2.c +--- old/sshconnect2.c ++++ new/sshconnect2.c @@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho char *s; struct kex *kex; 
@@ -1329,9 +1329,9 @@ #endif /* GSSAPI */ int -diff -rupN old/sshd.c new/sshd.c ---- old/sshd.c 2016-09-21 19:40:20.345291027 -0700 -+++ new/sshd.c 2016-09-21 19:25:47.376369649 -0700 +diff -pur old/sshd.c new/sshd.c +--- old/sshd.c ++++ new/sshd.c @@ -1892,10 +1892,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; @@ -1409,9 +1409,9 @@ kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -rupN old/sshd_config.5 new/sshd_config.5 ---- old/sshd_config.5 2016-09-21 19:40:20.348225013 -0700 -+++ new/sshd_config.5 2016-09-21 19:25:47.433470021 -0700 +diff -pur old/sshd_config.5 new/sshd_config.5 +--- old/sshd_config.5 ++++ new/sshd_config.5 @@ -632,6 +632,11 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default on Solaris is @@ -1424,9 +1424,9 @@ .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. -diff -rupN old/sshkey.c new/sshkey.c ---- old/sshkey.c 2016-09-21 19:40:20.351243462 -0700 -+++ new/sshkey.c 2016-09-21 19:25:47.271519675 -0700 +diff -pur old/sshkey.c new/sshkey.c +--- old/sshkey.c ++++ new/sshkey.c @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = # endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_ECC */ @@ -1435,9 +1435,9 @@ { NULL, NULL, -1, -1, 0, 0 } }; -diff -rupN old/sshkey.h new/sshkey.h ---- old/sshkey.h 2016-09-21 19:40:20.354147713 -0700 -+++ new/sshkey.h 2016-09-21 19:25:47.934179627 -0700 +diff -pur old/sshkey.h new/sshkey.h +--- old/sshkey.h ++++ new/sshkey.h @@ -62,6 +62,7 @@ enum sshkey_types { KEY_DSA_CERT, KEY_ECDSA_CERT,