PSARC/2015/395 OpenSSH 7.1p1 s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Mon, 25 Jan 2016 10:57:40 -0800
branchs11u3-sru
changeset 5324 5683175b6e99
parent 5322 e8cdd896f216
child 5329 901296430eab
PSARC/2015/395 OpenSSH 7.1p1 PSARC 2014/390 OpenSSH GSSKEY 21696247 upgrade OpenSSH to 7.1p1 22031540 problem in UTILITY/OPENSSH 22022180 problem in UTILITY/OPENSSH 22048638 problem in UTILITY/OPENSSH 19775805 OpenSSH contains a redundant call to do_pam_setcred() 21379157 OpenSSH shouldn't call setproject(3PROJECT) when configured to use PAM 20919294 upgrade OpenSSH to 6.8p1 19130869 migrate the Xforwarding bug fix (15350344) from SunSSH to OpenSSH 21861322 OpenSSH client hangs on broken pipe 22018764 remove cast128-cbc from OpenSSH 21919790 add GSSKeyEx as an alias to GSSAPIKeyExchange in OpenSSH 19941148 GSS-API Key Exchange for OpenSSH 21643415 OpenSSH should use AI_ADDRCONFIG per bug 19827438 20370803 OpenSSH patch number collision 20711463 OpenSSH wants to be able to login to a role too 22389801 OpenSSH: remove cast from ssh(1), sshd(8), ssh_config(5) and sshd_config(5) 22582153 openssh system/linker should be added to core REQ
components/openssh/Makefile
components/openssh/openssh.p5m
components/openssh/patches/003-last_login.patch
components/openssh/patches/005-openssh_krb5_build_fix.patch
components/openssh/patches/007-manpages.patch
components/openssh/patches/008-deprecate_sunssh_opt.patch
components/openssh/patches/010-gss_store_cred.patch
components/openssh/patches/011-useprivilegedport_regression.patch
components/openssh/patches/012-acceptenv.patch
components/openssh/patches/014-disable_banner.patch
components/openssh/patches/016-pam_enhancement.patch
components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch
components/openssh/patches/021-CVE-2014-2653.patch
components/openssh/patches/022-solaris_audit.patch
components/openssh/patches/023-gsskex.patch
components/openssh/patches/024-disable_ed25519.patch
components/openssh/patches/025-login_to_a_role.patch
components/openssh/patches/029-disable-redundant-pam_setcred.patch
components/openssh/patches/030-auth_limits_bypass_fix.patch
components/openssh/patches/031-per_session_xauthfile.patch
components/openssh/patches/032-hang_on_closed_output.patch
components/openssh/patches/033-without_cast128.patch
components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch
components/openssh/sources/kexgssc.c
components/openssh/sources/kexgsss.c
--- a/components/openssh/Makefile	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/Makefile	Mon Jan 25 10:57:40 2016 -0800
@@ -18,29 +18,28 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
 #
-COMPILER=	gcc
-
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		openssh
-COMPONENT_VERSION=	6.5p1
+COMPONENT_VERSION=	7.1p1
 HUMAN_VERSION=		$(COMPONENT_VERSION)
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 
 # Version for IPS.  The encoding rules are:
 #   OpenSSH <x>.<y>p<n>     => IPS <x>.<y>.0.<n>
 #   OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION=	6.5.0.1
+IPS_COMPONENT_VERSION=	7.1.0.1
 
 COMPONENT_PROJECT_URL=	http://www.openssh.org/
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH=	sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
+COMPONENT_ARCHIVE_HASH=	sha256:fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428
 COMPONENT_ARCHIVE_URL=	http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=utility/openssh
 
-TPNO=		16633
+TPNO_OPENSSH=		24282
+TPNO_GSSKEX=		20377
 
 include $(WS_MAKE_RULES)/prep.mk
 include $(WS_MAKE_RULES)/configure.mk
@@ -49,15 +48,18 @@
 # Enable ASLR for this component
 ASLR_MODE = $(ASLR_ENABLE)
 
+COMPILER=	gcc
+
 CFLAGS += -DSET_USE_PAM
 CFLAGS += -DDEPRECATE_SUNSSH_OPT
 CFLAGS += -DKRB5_BUILD_FIX
-CFLAGS += -DDTRACE_SFTP
 CFLAGS += -DDISABLE_BANNER
 CFLAGS += -DPAM_ENHANCEMENT
 CFLAGS += -DPAM_BUGFIX
 CFLAGS += -DOPTION_DEFAULT_VALUE
 CFLAGS += -DWITHOUT_ED25519
+CFLAGS += -DPER_SESSION_XAUTHFILE
+CFLAGS += -DWITHOUT_CAST128
 
 CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)" 
 
@@ -65,7 +67,7 @@
 # pre-authentication phase, sshd will chroot to /var/empty which doesn't
 # contain any files. If we use lazyloading, sshd will fail to find any
 # libraries that it needs.
-CONFIGURE_OPTIONS += LDFLAGS="$(LDFLAGS) -B direct -z nolazyload"
+LDFLAGS += -B direct -z nolazyload
 
 CONFIGURE_OPTIONS += --with-audit=solaris
 CONFIGURE_OPTIONS += --with-libedit
@@ -73,7 +75,6 @@
 CONFIGURE_OPTIONS += --with-pam
 CONFIGURE_OPTIONS += --with-sandbox=no
 CONFIGURE_OPTIONS += --with-solaris-contracts
-CONFIGURE_OPTIONS += --with-solaris-projects
 CONFIGURE_OPTIONS += --with-tcp-wrappers
 CONFIGURE_OPTIONS += --with-4in6
 CONFIGURE_OPTIONS += --with-xauth=/usr/bin/xauth
@@ -89,6 +90,8 @@
 COMPONENT_PREP_ACTION += ($(CP) sources/*.c $(@D)/)
 
 # common targets
+configure:	$(CONFIGURE_32)
+
 build:		$(BUILD_32)
 
 install:	$(INSTALL_32)
@@ -102,7 +105,7 @@
 REQUIRED_PACKAGES += library/zlib
 REQUIRED_PACKAGES += service/security/kerberos-5
 REQUIRED_PACKAGES += system/library
-REQUIRED_PACKAGES += system/library/gcc-45-runtime
 REQUIRED_PACKAGES += system/library/gcc/gcc-c-runtime
 REQUIRED_PACKAGES += system/library/security/gss
 REQUIRED_PACKAGES += system/linker
+REQUIRED_PACKAGES += text/groff/groff-core
--- a/components/openssh/openssh.p5m	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/openssh.p5m	Mon Jan 25 10:57:40 2016 -0800
@@ -18,9 +18,9 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
 #
-<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
 set name=pkg.fmri \
     value=pkg:/network/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value=OpenSSH
@@ -29,7 +29,6 @@
 set name=pkg.human-version value=$(HUMAN_VERSION)
 set name=com.oracle.info.description \
     value="OpenSSH, a suite of tools that help secure network connections"
-set name=com.oracle.info.tpno value=$(TPNO)
 set name=info.classification \
     value=org.opensolaris.category.2008:Applications/Internet \
     value=org.opensolaris.category.2008:System/Security
@@ -128,7 +127,14 @@
 group groupname=sshd gid=22
 user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
     home-dir=/var/empty login-shell=/bin/false uid=22
-license openssh.license license="BSD, BSD-like"
+license openssh.license license="BSD, BSD-like (OpenSSH)" \
+    com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \
+    com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \
+    com.oracle.info.version=$(COMPONENT_VERSION)
+license openssh.license license="BSD, BSD-like (gsskex)" \
+    com.oracle.info.description="GSS-API authenticated key exchange" \
+    com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
+    com.oracle.info.version=5.7p1
 depend type=conditional fmri=pkg:/x11/session/xauth \
     predicate=pkg:/x11/library/libxau
 depend type=require fmri=service/network/ssh-common
--- a/components/openssh/patches/003-last_login.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/003-last_login.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -12,58 +12,52 @@
 # can't be changed so we update sshd's configuration parsing to flag
 # this as unsupported and update the man page here.
 #
-*** old/servconf.c Wed Sep 17 02:54:26 2014
---- new/servconf.c Wed Sep 17 02:56:55 2014
-***************
-*** 432,438 ****
---- 432,442 ----
-  	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
-  	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
-  	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
-+ #ifdef DISABLE_LASTLOG
-+ 	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
-+ #else
-  	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
-+ #endif
-  	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
-  	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
-  	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
-*** old/sshd_config.5	Tue Sep 16 06:24:13 2014
---- new/sshd_config.5	Tue Sep 16 06:47:47 2014
-***************
-*** 1008,1015 ****
-  .Xr sshd 1M
-  should print the date and time of the last user login when a user logs
-  in interactively.
-! The default is
-! .Dq yes .
-  .It Cm PrintMotd
-  Specifies whether
-  .Xr sshd 1M
---- 1008,1015 ----
-  .Xr sshd 1M
-  should print the date and time of the last user login when a user logs
-  in interactively.
-! On Solaris this option is always ignored since pam_unix_session(5)
-! reports the last login time.
-  .It Cm PrintMotd
-  Specifies whether
-  .Xr sshd 1M
-***************
-*** 1349,1355 ****
-  (though not necessary) that it be world-readable.
-  .El
-  .Sh SEE ALSO
-! .Xr sshd 8
-  .Sh AUTHORS
-  OpenSSH is a derivative of the original and free
-  ssh 1.2.12 release by Tatu Ylonen.
---- 1349,1356 ----
-  (though not necessary) that it be world-readable.
-  .El
-  .Sh SEE ALSO
-! .Xr sshd 8 ,
-! .Xr pam_unix_session 5
-  .Sh AUTHORS
-  OpenSSH is a derivative of the original and free
-  ssh 1.2.12 release by Tatu Ylonen.
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -504,7 +504,11 @@ static struct {
+ 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ 	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
++#ifdef DISABLE_LASTLOG
++	{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
++#else
+ 	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
++#endif
+ 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+ 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+ 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
[email protected]@ -2268,7 +2272,9 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sChallengeResponseAuthentication,
+ 	    o->challenge_response_authentication);
+ 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
++#ifndef DISABLE_LASTLOG
+ 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
++#endif /* !DISABLE_LASTLOG */
+ 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
+ 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+ 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
[email protected]@ -1300,8 +1300,8 @@ Specifies whether
+ .Xr sshd 8
+ should print the date and time of the last user login when a user logs
+ in interactively.
+-The default is
+-.Dq yes .
++On Solaris this option is always ignored since pam_unix_session(5)
++reports the last login time.
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 8
[email protected]@ -1721,7 +1721,8 @@ This file should be writable by root onl
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+-.Xr sshd 8
++.Xr sshd 8 ,
++.Xr pam_unix_session 5
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/005-openssh_krb5_build_fix.patch	Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,102 +0,0 @@
-#
-# This is to work around an unresloved symbol problem with the Kerberos
-# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
-# is not supported on Solaris, because it violates API abstraction. This
-# workaround disables delegated credentials storing on server side.
-#
-# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
-# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
-# After that, function gss_krb5_copy_ccache() will be available in Solaris and
-# the delegating credentials functionality will be made available using the
-# upstream code.
-#
---- orig/auth2-gss.c	Fri Mar 21 10:41:03 2014
-+++ new/auth2-gss.c	Fri Mar 21 11:13:57 2014
[email protected]@ -47,6 +47,10 @@
- 
- extern ServerOptions options;
- 
-+#ifdef KRB5_BUILD_FIX
-+        extern gss_OID_set g_supported;
-+#endif
-+
- static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
- static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
- static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
[email protected]@ -77,7 +81,13 @@
- 		return (0);
- 	}
- 
-+#ifdef KRB5_BUILD_FIX
-+	/* use value obtained in privileged parent */
-+	supported = g_supported;
-+#else
- 	ssh_gssapi_supported_oids(&supported);
-+#endif
-+
- 	do {
- 		mechs--;
- 
---- orig/configure	Fri Mar 21 10:41:03 2014
-+++ new/configure	Fri Mar 21 11:02:11 2014
[email protected]@ -16634,6 +16634,12 @@
- 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
- $as_echo "no" >&6; }
- 			fi
-+
-+			# Oracle Solaris
-+			# OpenSSH is mixed-up gssapi AND krb5 aplication
-+			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
-+			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
-+
- 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
- $as_echo_n "checking whether we are using Heimdal... " >&6; }
- 			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
---- orig/sshd.c	Fri Mar 21 10:41:03 2014
-+++ new/sshd.c	Fri Mar 21 11:09:30 2014
[email protected]@ -259,6 +259,11 @@
- /* Unprivileged user */
- struct passwd *privsep_pw = NULL;
- 
-+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
-+/* Temporary storing supported GSS mechs */
-+gss_OID_set g_supported;
-+#endif
-+
- /* Prototypes for various functions defined later in this file. */
- void destroy_sensitive_data(void);
- void demote_sensitive_data(void);
[email protected]@ -1407,6 +1412,10 @@
- 	av = saved_argv;
- #endif
- 
-+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
-+	OM_uint32 ms;
-+#endif
-+
- 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
- 		debug("setgroups(): %.200s", strerror(errno));
- 
[email protected]@ -2083,6 +2092,11 @@
- 	buffer_init(&loginmsg);
- 	auth_debug_reset();
- 
-+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
-+	/* collect gss mechs for later use in privsep child */
-+	ssh_gssapi_supported_oids(&g_supported);
-+#endif
-+
- 	if (use_privsep) {
- 		if (privsep_preauth(authctxt) == 1)
- 			goto authenticated;
[email protected]@ -2120,6 +2134,10 @@
- 		startup_pipe = -1;
- 	}
- 
-+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
-+	gss_release_oid_set(&ms, &g_supported);
-+#endif 
-+
- #ifdef SSH_AUDIT_EVENTS
- 	audit_event(SSH_AUTH_SUCCESS);
- #endif
--- a/components/openssh/patches/007-manpages.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/007-manpages.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -7,8 +7,10 @@
 # pages, the section numbers of some OpenSSH man pages are changed to be the
 # same as their corresponding ones in SunSSH.
 #
---- orig/moduli.5	Thu Feb  6 10:00:17 2014
-+++ new/moduli.5	Thu Feb  6 10:08:07 2014
+
+diff -rupN old/moduli.5 new/moduli.5
+--- old/moduli.5	2015-12-08 21:19:59.482474430 -0800
++++ new/moduli.5	2015-12-08 21:15:53.128029200 -0800
 @@ -14,7 +14,7 @@
  .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
@@ -27,7 +29,7 @@
  in the Diffie-Hellman Group Exchange key exchange method.
  .Pp
  New moduli may be generated with
[email protected]@ -40,7 +40,7 @@
[email protected]@ -40,7 +40,7 @@ pass, using
  .Ic ssh-keygen -T ,
  provides a high degree of assurance that the numbers are prime and are
  safe for use in Diffie-Hellman operations by
@@ -36,7 +38,7 @@
  This
  .Nm
  format is used as the output from each pass.
[email protected]@ -70,7 +70,7 @@
[email protected]@ -70,7 +70,7 @@ are Sophie Germain primes (type 4).
  Further primality testing with
  .Xr ssh-keygen 1
  produces safe prime moduli (type 2) that are ready for use in
@@ -45,7 +47,7 @@
  Other types are not used by OpenSSH.
  .It tests
  Decimal number indicating the type of primality tests that the number
[email protected]@ -105,16 +105,16 @@
[email protected]@ -105,16 +105,16 @@ The modulus itself in hexadecimal.
  .El
  .Pp
  When performing Diffie-Hellman Group Exchange,
@@ -65,18 +67,19 @@
  .Sh STANDARDS
  .Rs
  .%A M. Friedl
---- orig/sftp-server.8	Thu Feb  6 10:01:20 2014
-+++ new/sftp-server.8	Thu Feb  6 10:09:59 2014
+diff -rupN old/sftp-server.8 new/sftp-server.8
+--- old/sftp-server.8	2015-12-08 21:04:19.872169630 -0800
++++ new/sftp-server.8	2015-12-08 21:36:18.267186200 -0800
 @@ -23,7 +23,7 @@
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
- .Dd $Mdocdate: October 14 2013 $
+ .Dd $Mdocdate: December 11 2014 $
 -.Dt SFTP-SERVER 8
-+.Dt SFTP-SERVER 1M
++.Dt SFTP-SERVER 1M 
  .Os
  .Sh NAME
  .Nm sftp-server
[email protected]@ -47,7 +47,7 @@
[email protected]@ -47,7 +47,7 @@ is a program that speaks the server side
  to stdout and expects client requests from stdin.
  .Nm
  is not intended to be called directly, but from
@@ -85,7 +88,7 @@
  using the
  .Cm Subsystem
  option.
[email protected]@ -58,7 +58,7 @@
[email protected]@ -58,7 +58,7 @@ should be specified in the
  .Cm Subsystem
  declaration.
  See
@@ -94,7 +97,7 @@
  for more information.
  .Pp
  Valid options are:
[email protected]@ -71,7 +71,7 @@
[email protected]@ -71,7 +71,7 @@ The pathname may contain the following t
  and %u is replaced by the username of that user.
  The default is to use the user's home directory.
  This option is useful in conjunction with the
@@ -103,7 +106,13 @@
  .Cm ChrootDirectory
  option.
  .It Fl e
[email protected]@ -152,8 +152,8 @@
[email protected]@ -147,13 +147,13 @@ must be able to access
+ for logging to work, and use of
+ .Nm
+ in a chroot configuration therefore requires that
+-.Xr syslogd 8
++.Xr syslogd 1M
+ establish a logging socket inside the chroot directory.
  .Sh SEE ALSO
  .Xr sftp 1 ,
  .Xr ssh 1 ,
@@ -114,18 +123,19 @@
  .Rs
  .%A T. Ylonen
  .%A S. Lehtinen
---- orig/ssh_config.5	Thu Feb  6 10:01:20 2014
-+++ new/ssh_config.5	Thu Mar 27 16:37:50 2014
+diff -rupN old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5	2015-12-08 21:04:19.876611140 -0800
++++ new/ssh_config.5	2015-12-08 22:02:41.048804430 -0800
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
- .Dd $Mdocdate: January 19 2014 $
+ .\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
+ .Dd $Mdocdate: August 14 2015 $
 -.Dt SSH_CONFIG 5
 +.Dt SSH_CONFIG 4
  .Os
  .Sh NAME
  .Nm ssh_config
[email protected]@ -503,7 +503,7 @@
[email protected]@ -568,7 +568,7 @@ then the master connection will remain i
  .Dq Fl O No exit
  option).
  If set to a time in seconds, or a time in any of the formats documented in
@@ -134,7 +144,25 @@
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
[email protected]@ -622,7 +622,7 @@
[email protected]@ -610,7 +610,7 @@ Setting this option to
+ in the global client configuration file
+ .Pa /etc/ssh/ssh_config
+ enables the use of the helper program
+-.Xr ssh-keysign 8
++.Xr ssh-keysign 1M
+ during
+ .Cm HostbasedAuthentication .
+ The argument must be
[email protected]@ -621,7 +621,7 @@ The default is
+ .Dq no .
+ This option should be placed in the non-hostspecific section.
+ See
+-.Xr ssh-keysign 8
++.Xr ssh-keysign 1M
+ for more information.
+ .It Cm EscapeChar
+ Sets the escape character (default:
[email protected]@ -695,7 +695,7 @@ option is also enabled.
  Specify a timeout for untrusted X11 forwarding
  using the format described in the
  TIME FORMATS section of
@@ -143,7 +171,7 @@
  X11 connections received by
  .Xr ssh 1
  after this time will be refused.
[email protected]@ -689,7 +689,7 @@
[email protected]@ -762,7 +762,7 @@ should hash host names and addresses whe
  These hashed names may be used normally by
  .Xr ssh 1
  and
@@ -152,7 +180,16 @@
  but they do not reveal identifying information should the file's contents
  be disclosed.
  The default is
[email protected]@ -1122,7 +1122,7 @@
[email protected]@ -1206,7 +1206,7 @@ by the remote user name.
+ The command can be basically anything,
+ and should read from its standard input and write to its standard output.
+ It should eventually connect an
+-.Xr sshd 8
++.Xr sshd 1M
+ server running on some machine, or execute
+ .Ic sshd -i
+ somewhere.
[email protected]@ -1286,7 +1286,7 @@ depending on the cipher.
  The optional second value is specified in seconds and may use any of the
  units documented in the
  TIME FORMATS section of
@@ -161,7 +198,7 @@
  The default value for
  .Cm RekeyLimit
  is
[email protected]@ -1166,7 +1166,7 @@
[email protected]@ -1330,7 +1330,7 @@ Specifying a remote
  will only succeed if the server's
  .Cm GatewayPorts
  option is enabled (see
@@ -170,7 +207,7 @@
  .It Cm RequestTTY
  Specifies whether to request a pseudo-tty for the session.
  The argument may be one of:
[email protected]@ -1218,7 +1218,7 @@
[email protected]@ -1396,7 +1396,7 @@ pseudo-terminal is requested as it is re
  Refer to
  .Cm AcceptEnv
  in
@@ -179,8 +216,18 @@
  for how to configure the server.
  Variables are specified by name, which may contain wildcard characters.
  Multiple environment variables may be separated by whitespace or spread
---- orig/ssh-keysign.8	Thu Feb  6 10:01:20 2014
-+++ new/ssh-keysign.8	Thu Feb  6 10:13:05 2014
[email protected]@ -1586,7 +1586,7 @@ Confirmation is currently incompatible w
+ and will be disabled if it is enabled.
+ .Pp
+ Presently, only
+-.Xr sshd 8
++.Xr sshd 1M
+ from OpenSSH 6.8 and greater support the
+ .Dq [email protected]
+ protocol extension used to inform the client of all the server's hostkeys.
+diff -rupN old/ssh-keysign.8 new/ssh-keysign.8
+--- old/ssh-keysign.8	2015-12-08 21:20:45.638888550 -0800
++++ new/ssh-keysign.8	2015-12-08 21:15:29.266139300 -0800
 @@ -23,7 +23,7 @@
  .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  .\"
@@ -190,7 +237,7 @@
  .Os
  .Sh NAME
  .Nm ssh-keysign
[email protected]@ -52,7 +52,7 @@
[email protected]@ -52,7 +52,7 @@ is not intended to be invoked by the use
  See
  .Xr ssh 1
  and
@@ -199,7 +246,7 @@
  for more information about host-based authentication.
  .Sh FILES
  .Bl -tag -width Ds -compact
[email protected]@ -83,8 +83,8 @@
[email protected]@ -83,8 +83,8 @@ information corresponding with the priva
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr ssh-keygen 1 ,
@@ -210,8 +257,9 @@
  .Sh HISTORY
  .Nm
  first appeared in
---- orig/ssh-pkcs11-helper.8	Thu Feb  6 10:01:20 2014
-+++ new/ssh-pkcs11-helper.8	Thu Feb  6 10:14:40 2014
+diff -rupN old/ssh-pkcs11-helper.8 new/ssh-pkcs11-helper.8
+--- old/ssh-pkcs11-helper.8	2015-12-08 21:18:49.511938140 -0800
++++ new/ssh-pkcs11-helper.8	2015-12-08 21:16:10.866823750 -0800
 @@ -15,7 +15,7 @@
  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  .\"
@@ -221,12 +269,13 @@
  .Os
  .Sh NAME
  .Nm ssh-pkcs11-helper
---- orig/sshd_config.5	Thu Feb  6 10:01:20 2014
-+++ new/sshd_config.5	Thu Feb  6 10:17:21 2014
+diff -rupN old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5	2015-12-08 21:04:19.889738130 -0800
++++ new/sshd_config.5	2015-12-08 22:19:12.187929340 -0800
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
- .Dd $Mdocdate: December 8 2013 $
+ .\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
+ .Dd $Mdocdate: August 14 2015 $
 -.Dt SSHD_CONFIG 5
 +.Dt SSHD_CONFIG 4
  .Os
@@ -241,16 +290,16 @@
  reads configuration data from
  .Pa /etc/ssh/sshd_config
  (or the file specified with
[email protected]@ -68,7 +68,7 @@
[email protected]@ -68,7 +68,7 @@ the session's
  See
  .Cm SendEnv
  in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for how to configure the client.
- Note that environment passing is only supported for protocol 2.
- Variables are specified by name, which may contain the wildcard characters
[email protected]@ -85,7 +85,7 @@
+ Note that environment passing is only supported for protocol 2, and
+ that the
[email protected]@ -89,7 +89,7 @@ For this reason, care should be taken in
  The default is not to accept any environment variables.
  .It Cm AddressFamily
  Specifies which address family should be used by
@@ -259,7 +308,7 @@
  Valid arguments are
  .Dq any ,
  .Dq inet
[email protected]@ -118,7 +118,7 @@
[email protected]@ -122,7 +122,7 @@ and finally
  .Cm AllowGroups .
  .Pp
  See PATTERNS in
@@ -268,7 +317,7 @@
  for more information on patterns.
  .It Cm AllowTcpForwarding
  Specifies whether TCP forwarding is permitted.
[email protected]@ -158,7 +158,7 @@
[email protected]@ -182,7 +182,7 @@ and finally
  .Cm AllowGroups .
  .Pp
  See PATTERNS in
@@ -277,16 +326,34 @@
  for more information on patterns.
  .It Cm AuthenticationMethods
  Specifies the authentication methods that must be successfully completed
[email protected]@ -202,7 +202,7 @@
- It will be invoked with a single argument of the username
- being authenticated, and should produce on standard output zero or
[email protected]@ -217,7 +217,7 @@ device.
+ If the
+ .Dq publickey
+ method is listed more than once,
+-.Xr sshd 8
++.Xr sshd 1M
+ verifies that keys that have been used successfully are not reused for
+ subsequent authentications.
+ For example, an
[email protected]@ -250,7 +250,7 @@ will be supplied.
+ .Pp
+ The program should produce on standard output zero or
  more lines of authorized_keys output (see AUTHORIZED_KEYS in
 -.Xr sshd 8 ) .
 +.Xr sshd 1M ) .
  If a key supplied by AuthorizedKeysCommand does not successfully authenticate
  and authorize the user then public key authentication continues using the usual
  .Cm AuthorizedKeysFile
[email protected]@ -218,7 +218,7 @@
[email protected]@ -265,7 +265,7 @@ If
+ is specified but
+ .Cm AuthorizedKeysCommandUser
+ is not, then
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse to start.
+ .It Cm AuthorizedKeysFile
+ Specifies the file that contains the public keys that can be used
[email protected]@ -273,7 +273,7 @@ for user authentication.
  The format is described in the
  AUTHORIZED_KEYS FILE FORMAT
  section of
@@ -295,7 +362,16 @@
  .Cm AuthorizedKeysFile
  may contain tokens of the form %T which are substituted during connection
  setup.
[email protected]@ -241,7 +241,7 @@
[email protected]@ -321,7 +321,7 @@ If
+ is specified but
+ .Cm AuthorizedPrincipalsCommandUser
+ is not, then
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse to start.
+ .It Cm AuthorizedPrincipalsFile
+ Specifies a file that lists principal names that are accepted for
[email protected]@ -332,7 +332,7 @@ this file lists names, one of which must
  to be accepted for authentication.
  Names are listed one per line preceded by key options (as described
  in AUTHORIZED_KEYS FILE FORMAT in
@@ -304,7 +380,7 @@
  Empty lines and comments starting with
  .Ql #
  are ignored.
[email protected]@ -271,7 +271,7 @@
[email protected]@ -362,7 +362,7 @@ and is not consulted for certification a
  though the
  .Cm principals=
  key option offers a similar facility (see
@@ -313,16 +389,38 @@
  for details).
  .It Cm Banner
  The contents of the specified file are sent to the remote user before
[email protected]@ -294,7 +294,7 @@
- All components of the pathname must be root-owned directories that are
- not writable by any other user or group.
[email protected]@ -383,11 +383,11 @@ Specifies the pathname of a directory to
+ .Xr chroot 2
+ to after authentication.
+ At session startup
+-.Xr sshd 8
++.Xr sshd 1M
+ checks that all components of the pathname are root-owned directories
+ which are not writable by any other user or group.
  After the chroot,
 -.Xr sshd 8
 +.Xr sshd 1M
  changes the working directory to the user's home directory.
  .Pp
  The pathname may contain the following tokens that are expanded at runtime once
[email protected]@ -370,7 +370,7 @@
[email protected]@ -419,14 +419,14 @@ in-process sftp server is used,
+ though sessions which use logging may require
+ .Pa /dev/log
+ inside the chroot directory on some operating systems (see
+-.Xr sftp-server 8
++.Xr sftp-server 1M
+ for details).
+ .Pp
+ For safety, it is very important that the directory hierarchy be
+ prevented from modification by other processes on the system (especially
+ those outside the jail).
+ Misconfiguration can lead to unsafe environments which
+-.Xr sshd 8
++.Xr sshd 1M
+ cannot detect.
+ .Pp
+ The default is not to
[email protected]@ -490,7 +490,7 @@ with an argument of
  .It Cm ClientAliveCountMax
  Sets the number of client alive messages (see below) which may be
  sent without
@@ -331,7 +429,7 @@
  receiving any messages back from the client.
  If this threshold is reached while client alive messages are being sent,
  sshd will disconnect the client, terminating the session.
[email protected]@ -397,7 +397,7 @@
[email protected]@ -517,7 +517,7 @@ This option applies to protocol version 
  .It Cm ClientAliveInterval
  Sets a timeout interval in seconds after which if no data has been received
  from the client,
@@ -340,7 +438,7 @@
  will send a message through the encrypted
  channel to request a response from the client.
  The default
[email protected]@ -428,7 +428,7 @@
[email protected]@ -548,7 +548,7 @@ and finally
  .Cm AllowGroups .
  .Pp
  See PATTERNS in
@@ -349,16 +447,16 @@
  for more information on patterns.
  .It Cm DenyUsers
  This keyword can be followed by a list of user name patterns, separated
[email protected]@ -447,7 +447,7 @@
[email protected]@ -567,7 +567,7 @@ and finally
  .Cm AllowGroups .
  .Pp
  See PATTERNS in
 -.Xr ssh_config 5
 +.Xr ssh_config 4
  for more information on patterns.
- .It Cm ForceCommand
- Forces the execution of the command specified by
[email protected]@ -472,7 +472,7 @@
+ .It Cm FingerprintHash
+ Specifies the hash algorithm used when logging key fingerprints.
[email protected]@ -600,7 +600,7 @@ files when used with
  Specifies whether remote hosts are allowed to connect to ports
  forwarded for the client.
  By default,
@@ -367,7 +465,7 @@
  binds remote port forwardings to the loopback address.
  This prevents other remote hosts from connecting to forwarded ports.
  .Cm GatewayPorts
[email protected]@ -520,7 +520,7 @@
[email protected]@ -686,7 +686,7 @@ files during
  A setting of
  .Dq yes
  means that
@@ -376,7 +474,7 @@
  uses the name supplied by the client rather than
  attempting to resolve the name from the TCP connection itself.
  The default is
[email protected]@ -531,7 +531,7 @@
[email protected]@ -697,7 +697,7 @@ The certificate's public key must match 
  by
  .Cm HostKey .
  The default behaviour of
@@ -385,16 +483,22 @@
  is not to load any certificates.
  .It Cm HostKey
  Specifies a file containing a private host key
[email protected]@ -546,7 +546,7 @@
- .Pa /etc/ssh/ssh_host_rsa_key
[email protected]@ -713,12 +713,12 @@ and
  for protocol version 2.
+ .Pp
  Note that
 -.Xr sshd 8
 +.Xr sshd 1M
- will refuse to use a file if it is group/world-accessible.
+ will refuse to use a file if it is group/world-accessible
+ and that the
+ .Cm HostKeyAlgorithms
+ option restricts which of the keys are actually used by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ .Pp
  It is possible to have multiple host key files.
  .Dq rsa1
[email protected]@ -587,7 +587,7 @@
[email protected]@ -779,7 +779,7 @@ The default is
  .Dq yes .
  .It Cm IgnoreUserKnownHosts
  Specifies whether
@@ -403,7 +507,7 @@
  should ignore the user's
  .Pa ~/.ssh/known_hosts
  during
[email protected]@ -681,7 +681,7 @@
[email protected]@ -914,7 +914,7 @@ If the value is 0, the key is never rege
  The default is 3600 (seconds).
  .It Cm ListenAddress
  Specifies the local addresses
@@ -412,7 +516,7 @@
  should listen on.
  The following forms may be used:
  .Pp
[email protected]@ -724,7 +724,7 @@
[email protected]@ -954,7 +954,7 @@ If the value is 0, there is no time limi
  The default is 120 seconds.
  .It Cm LogLevel
  Gives the verbosity level that is used when logging messages from
@@ -421,7 +525,7 @@
  The possible values are:
  QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
  The default is INFO.
[email protected]@ -776,7 +776,7 @@
[email protected]@ -1059,7 +1059,7 @@ and
  The match patterns may consist of single entries or comma-separated
  lists and may use the wildcard and negation operators described in the
  PATTERNS section of
@@ -430,7 +534,7 @@
  .Pp
  The patterns in an
  .Cm Address
[email protected]@ -856,7 +856,7 @@
[email protected]@ -1148,7 +1148,7 @@ Alternatively, random early drop can be 
  the three colon separated values
  .Dq start:rate:full
  (e.g. "10:30:60").
@@ -439,7 +543,7 @@
  will refuse connection attempts with a probability of
  .Dq rate/100
  (30%)
[email protected]@ -969,7 +969,7 @@
[email protected]@ -1268,7 +1268,7 @@ and
  options in
  .Pa ~/.ssh/authorized_keys
  are processed by
@@ -448,7 +552,7 @@
  The default is
  .Dq no .
  Enabling environment processing may enable users to bypass access
[email protected]@ -982,7 +982,7 @@
[email protected]@ -1289,7 +1289,7 @@ The default is
  .Pa /var/run/sshd.pid .
  .It Cm Port
  Specifies the port number that
@@ -457,7 +561,7 @@
  listens on.
  The default is 22.
  Multiple options of this type are permitted.
[email protected]@ -990,7 +990,7 @@
[email protected]@ -1297,14 +1297,14 @@ See also
  .Cm ListenAddress .
  .It Cm PrintLastLog
  Specifies whether
@@ -465,9 +569,8 @@
 +.Xr sshd 1M
  should print the date and time of the last user login when a user logs
  in interactively.
- The default is
[email protected]@ -997,7 +997,7 @@
- .Dq yes .
+ On Solaris this option is always ignored since pam_unix_session(5)
+ reports the last login time.
  .It Cm PrintMotd
  Specifies whether
 -.Xr sshd 8
@@ -475,7 +578,7 @@
  should print
  .Pa /etc/motd
  when a user logs in interactively.
[email protected]@ -1008,7 +1008,7 @@
[email protected]@ -1315,7 +1315,7 @@ The default is
  .Dq yes .
  .It Cm Protocol
  Specifies the protocol versions
@@ -484,8 +587,8 @@
  supports.
  The possible values are
  .Sq 1
[email protected]@ -1081,7 +1081,7 @@
- The minimum value is 512, and the default is 1024.
[email protected]@ -1440,7 +1440,7 @@ The default is
+ .Dq no .
  .It Cm StrictModes
  Specifies whether
 -.Xr sshd 8
@@ -493,7 +596,16 @@
  should check file modes and ownership of the
  user's files and home directory before accepting login.
  This is normally desirable because novices sometimes accidentally leave their
[email protected]@ -1115,7 +1115,7 @@
[email protected]@ -1456,7 +1456,7 @@ Arguments should be a subsystem name and
+ to execute upon subsystem request.
+ .Pp
+ The command
+-.Xr sftp-server 8
++.Xr sftp-server 1M
+ implements the
+ .Dq sftp
+ file transfer subsystem.
[email protected]@ -1474,7 +1474,7 @@ By default no subsystems are defined.
  Note that this option applies to protocol version 2 only.
  .It Cm SyslogFacility
  Gives the facility code that is used when logging messages from
@@ -502,16 +614,16 @@
  The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
  LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
  The default is AUTH.
[email protected]@ -1156,7 +1156,7 @@
[email protected]@ -1517,7 +1517,7 @@ For more details on certificates, see th
  .Xr ssh-keygen 1 .
  .It Cm UseDNS
  Specifies whether
 -.Xr sshd 8
 +.Xr sshd 1M
- should look up the remote host name and check that
+ should look up the remote host name, and to check that
  the resolved host name for the remote IP address maps back to the
  very same IP address.
[email protected]@ -1201,13 +1201,13 @@
[email protected]@ -1571,13 +1571,13 @@ or
  If
  .Cm UsePAM
  is enabled, you will not be able to run
@@ -527,7 +639,7 @@
  separates privileges by creating an unprivileged child process
  to deal with incoming network traffic.
  After successful authentication, another process will be created that has
[email protected]@ -1229,7 +1229,7 @@
[email protected]@ -1599,7 +1599,7 @@ The default is
  .Dq none .
  .It Cm X11DisplayOffset
  Specifies the first display number available for
@@ -536,7 +648,7 @@
  X11 forwarding.
  This prevents sshd from interfering with real X11 servers.
  The default is 10.
[email protected]@ -1244,7 +1244,7 @@
[email protected]@ -1614,7 +1614,7 @@ The default is
  .Pp
  When X11 forwarding is enabled, there may be additional exposure to
  the server and to client displays if the
@@ -545,7 +657,7 @@
  proxy display is configured to listen on the wildcard address (see
  .Cm X11UseLocalhost
  below), though this is not the default.
[email protected]@ -1255,7 +1255,7 @@
[email protected]@ -1625,7 +1625,7 @@ display server may be exposed to attack 
  forwarding (see the warnings for
  .Cm ForwardX11
  in
@@ -554,7 +666,7 @@
  A system administrator may have a stance in which they want to
  protect clients that may expose themselves to attack by unwittingly
  requesting X11 forwarding, which can warrant a
[email protected]@ -1269,7 +1269,7 @@
[email protected]@ -1639,7 +1639,7 @@ X11 forwarding is automatically disabled
  is enabled.
  .It Cm X11UseLocalhost
  Specifies whether
@@ -563,7 +675,7 @@
  should bind the X11 forwarding server to the loopback address or to
  the wildcard address.
  By default,
[email protected]@ -1300,7 +1300,7 @@
[email protected]@ -1672,7 +1672,7 @@ The default is
  .Pa /usr/X11R6/bin/xauth .
  .El
  .Sh TIME FORMATS
@@ -572,7 +684,7 @@
  command-line arguments and configuration file options that specify time
  may be expressed using a sequence of the form:
  .Sm off
[email protected]@ -1344,12 +1344,12 @@
[email protected]@ -1716,12 +1716,12 @@ Time format examples:
  .Bl -tag -width Ds
  .It Pa /etc/ssh/sshd_config
  Contains configuration data for
@@ -587,19 +699,19 @@
  .Xr pam_unix_session 5
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
---- orig/sshd.8	Thu Feb  6 10:01:20 2014
-+++ new/sshd.8	Thu Feb  6 10:22:35 2014
+diff -rupN old/sshd.8 new/sshd.8
+--- old/sshd.8	2015-12-08 21:04:19.894093050 -0800
++++ new/sshd.8	2015-12-08 22:08:55.024892200 -0800
 @@ -35,7 +35,7 @@
  .\"
- .\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
- .Dd $Mdocdate: December 7 2013 $
+ .\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+ .Dd $Mdocdate: July 3 2015 $
 -.Dt SSHD 8
 +.Dt SSHD 1M
  .Os
  .Sh NAME
  .Nm sshd
[email protected]@ -80,7 +80,7 @@
[email protected]@ -77,7 +77,7 @@ and data exchange.
  .Nm
  can be configured using command-line options or a configuration file
  (by default
@@ -608,7 +720,7 @@
  command-line options override values specified in the
  configuration file.
  .Nm
[email protected]@ -210,7 +210,7 @@
[email protected]@ -204,7 +204,7 @@ Can be used to give options in the forma
  This is useful for specifying options for which there is no separate
  command-line flag.
  For full details of the options, and their values, see
@@ -617,16 +729,16 @@
  .It Fl p Ar port
  Specifies the port on which the server listens for connections
  (default 22).
[email protected]@ -280,7 +280,7 @@
[email protected]@ -274,7 +274,7 @@ The default is to use protocol 2 only,
  though this can be changed via the
  .Cm Protocol
  option in
 -.Xr sshd_config 5 .
 +.Xr sshd_config 4 .
- Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+ Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
  protocol 1 only supports RSA keys.
  For both protocols,
[email protected]@ -405,7 +405,7 @@
[email protected]@ -399,14 +399,14 @@ if it exists, and users are allowed to c
  See the
  .Cm PermitUserEnvironment
  option in
@@ -635,7 +747,15 @@
  .It
  Changes to user's home directory.
  .It
[email protected]@ -550,7 +550,7 @@
+ If
+ .Pa ~/.ssh/rc
+ exists and the
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm PermitUserRC
+ option is set, runs it; else if
+ .Pa /etc/ssh/sshrc
[email protected]@ -549,7 +549,7 @@ The command originally supplied by the c
  environment variable.
  Note that this option applies to shell, command or subsystem execution.
  Also note that this command may be superseded by either a
@@ -644,25 +764,7 @@
  .Cm ForceCommand
  directive or a command embedded in a certificate.
  .It Cm environment="NAME=value"
[email protected]@ -571,7 +571,7 @@
- name of the remote host or its IP address must be present in the
- comma-separated list of patterns.
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .Pp
- In addition to the wildcard matching that may be applied to hostnames or
[email protected]@ -865,7 +865,7 @@
- .It Pa /etc/moduli
- Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
- The file format is described in
--.Xr moduli 5 .
-+.Xr moduli 4 .
- .Pp
- .It Pa /etc/motd
- See
[email protected]@ -926,7 +926,7 @@
[email protected]@ -919,7 +919,7 @@ should be world-readable.
  Contains configuration data for
  .Nm sshd .
  The file format and configuration options are described in
@@ -671,9 +773,11 @@
  .Pp
  .It Pa /etc/ssh/sshrc
  Similar to
[email protected]@ -962,10 +962,10 @@
[email protected]@ -953,11 +953,12 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
- .Xr hosts_access 5 ,
++.Xr hosts_access 5 ,
  .Xr login.conf 5 ,
 -.Xr moduli 5 ,
 -.Xr sshd_config 5 ,
--- a/components/openssh/patches/008-deprecate_sunssh_opt.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -6,10 +6,26 @@
 # changed from deprecated to supported. Since this is for Solaris only, we will
 # not contribute back this change to the upstream community.
 #
---- orig/readconf.c	Fri May 23 09:56:00 2014
-+++ new/readconf.c	Fri May 23 09:59:57 2014
[email protected]@ -268,6 +268,25 @@
- 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c
++++ new/readconf.c
[email protected]@ -192,10 +192,14 @@ static struct {
+ 	{ "afstokenpassing", oUnsupported },
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
++	{ "gssauthentication", oGssAuthentication },                /* alias */
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssdelegatecreds", oGssDelegateCreds },                  /* alias */
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
++	{ "gssauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssdelegatecreds", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
[email protected]@ -279,6 +283,24 @@ static struct {
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
  	{ "ignoreunknown", oIgnoreUnknown },
  
 +#ifdef DEPRECATE_SUNSSH_OPT
@@ -23,7 +39,6 @@
 +         * smoother.  If a deprecated SunSSH-only option is migrated to OpenSSH
 +         * later, then it will be changed from deprecated to supported.
 +         */
-+        { "gssapikeyexchange", oDeprecated },
 +        { "kmfpolicydatabase", oDeprecated },
 +        { "kmfpolicyname", oDeprecated },
 +        { "trustedanchorkeystore", oDeprecated },
--- a/components/openssh/patches/010-gss_store_cred.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/010-gss_store_cred.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -16,9 +16,10 @@
 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
 # and GSSAPI_STORECREDS_NEEDS_RUID macros.
 #
---- orig/config.h.in	Fri Mar 21 11:42:17 2014
-+++ new/config.h.in	Fri Mar 21 11:46:26 2014
[email protected]@ -1616,6 +1616,12 @@
+diff -pur old/config.h.in new/config.h.in
+--- old/config.h.in
++++ new/config.h.in
[email protected]@ -1623,6 +1623,12 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -31,9 +32,10 @@
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
---- orig/configure	Fri Mar 21 11:42:24 2014
-+++ new/configure	Fri Mar 21 11:49:51 2014
[email protected]@ -7797,6 +7797,9 @@
+diff -pur old/configure new/configure
+--- old/configure
++++ new/configure
[email protected]@ -10944,6 +10944,9 @@ fi
  
  fi
  
@@ -43,9 +45,10 @@
  	TEST_SHELL=$SHELL	# let configure find us a capable shell
  	;;
  *-*-sunos4*)
---- orig/configure.ac	Fri Mar 21 11:42:28 2014
-+++ new/configure.ac	Fri Mar 21 16:32:28 2014
[email protected]@ -866,6 +866,8 @@
+diff -pur old/configure.ac new/configure.ac
+--- old/configure.ac
++++ new/configure.ac
[email protected]@ -910,6 +910,8 @@ mips-sony-bsd|mips-sony-newsos4)
  		],
  	)
  	TEST_SHELL=$SHELL	# let configure find us a capable shell
@@ -54,9 +57,10 @@
  	;;
  *-*-sunos4*)
  	CPPFLAGS="$CPPFLAGS -DSUNOS4"
---- orig/gss-serv-krb5.c	Fri Mar 21 11:42:46 2014
-+++ new/gss-serv-krb5.c	Fri Mar 21 11:54:48 2014
[email protected]@ -109,7 +109,7 @@
+diff -pur old/gss-serv-krb5.c new/gss-serv-krb5.c
+--- old/gss-serv-krb5.c
++++ new/gss-serv-krb5.c
[email protected]@ -110,7 +110,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
  	return retval;
  }
  
@@ -65,7 +69,7 @@
  /* This writes out any forwarded credentials from the structure populated
   * during userauth. Called after we have setuid to the user */
  
[email protected]@ -195,6 +195,7 @@
[email protected]@ -196,6 +196,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
  
  	return;
  }
@@ -73,7 +77,7 @@
  
  ssh_gssapi_mech gssapi_kerberos_mech = {
  	"toWM5Slw5Ew8Mqkay+al2g==",
[email protected]@ -203,7 +204,11 @@
[email protected]@ -204,7 +205,11 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
  	NULL,
  	&ssh_gssapi_krb5_userok,
  	NULL,
@@ -85,9 +89,10 @@
  };
  
  #endif /* KRB5 */
---- orig/gss-serv.c	Fri Mar 21 11:42:53 2014
-+++ new/gss-serv.c	Fri Mar 21 15:59:43 2014
[email protected]@ -292,6 +292,9 @@
+diff -pur old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c
++++ new/gss-serv.c
[email protected]@ -320,22 +320,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
  void
  ssh_gssapi_cleanup_creds(void)
  {
@@ -97,7 +102,6 @@
  	if (gssapi_client.store.filename != NULL) {
  		/* Unlink probably isn't sufficient */
  		debug("removing gssapi cred file\"%s\"",
[email protected]@ -298,6 +301,7 @@
  		    gssapi_client.store.filename);
  		unlink(gssapi_client.store.filename);
  	}
@@ -105,7 +109,6 @@
  }
  
  /* As user */
[email protected]@ -304,10 +308,50 @@
  void
  ssh_gssapi_storecreds(void)
  {
@@ -156,23 +159,36 @@
  }
  
  /* This allows GSSAPI methods to do things to the childs environment based
---- orig/servconf.c	Fri Mar 21 11:43:02 2014
-+++ new/servconf.c	Fri Mar 21 16:02:54 2014
[email protected]@ -409,7 +409,11 @@
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -489,7 +489,11 @@ static struct {
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+-	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 +#ifdef USE_GSS_STORE_CRED
 +	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 +#else /* USE_GSS_STORE_CRED */
- 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 +#endif /* USE_GSS_STORE_CRED */
+ 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
---- orig/sshd.c	Fri Mar 21 11:43:08 2014
-+++ new/sshd.c	Mon Mar 24 15:05:30 2014
[email protected]@ -2126,9 +2126,23 @@
[email protected]@ -2264,7 +2268,9 @@ dump_config(ServerOptions *o)
+ #endif
+ #ifdef GSSAPI
+ 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++#ifndef USE_GSS_STORE_CRED
+ 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++#endif /* !USE_GSS_STORE_CRED */
+ #endif
+ 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+ 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
[email protected]@ -2228,9 +2228,23 @@ main(int ac, char **av)
  
  #ifdef GSSAPI
  	if (options.gss_authentication) {
--- a/components/openssh/patches/011-useprivilegedport_regression.patch	Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,62 +0,0 @@
-#
-# This is to fix a regression in OpenSSH6.5p1 for UsePrivilegedPort=yes. The
-# bug fix code came from OpenSSH.org.  When we upgrade OpenSSH to version 6.6
-# or later, we will remove this patch file.
-#
---- orig/sshconnect.c	Mon Feb 10 13:56:07 2014
-+++ new/sshconnect.c	Mon Feb 10 17:10:54 2014
[email protected]@ -269,7 +269,7 @@
- ssh_create_socket(int privileged, struct addrinfo *ai)
- {
- 	int sock, r, gaierr;
--	struct addrinfo hints, *res;
-+	struct addrinfo hints, *res = NULL;
- 
- 	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
- 	if (sock < 0) {
[email protected]@ -282,17 +282,19 @@
- 	if (options.bind_address == NULL && !privileged)
- 		return sock;
- 
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = ai->ai_family;
--	hints.ai_socktype = ai->ai_socktype;
--	hints.ai_protocol = ai->ai_protocol;
--	hints.ai_flags = AI_PASSIVE;
--	gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
--	if (gaierr) {
-+	if (options.bind_address) {
-+            memset(&hints, 0, sizeof(hints));
-+	    hints.ai_family = ai->ai_family;
-+	    hints.ai_socktype = ai->ai_socktype;
-+	    hints.ai_protocol = ai->ai_protocol;
-+	    hints.ai_flags = AI_PASSIVE;
-+	    gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
-+	    if (gaierr) {
- 		error("getaddrinfo: %s: %s", options.bind_address,
- 		    ssh_gai_strerror(gaierr));
- 		close(sock);
- 		return -1;
-+	    }
- 	}
- 	/*
- 	 * If we are running as root and want to connect to a privileged
[email protected]@ -300,7 +302,7 @@
- 	 */
- 	if (privileged) {
- 		PRIV_START;
--		r = bindresvport_sa(sock, res->ai_addr);
-+		r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
- 		PRIV_END;
- 		if (r < 0) {
- 			error("bindresvport_sa: af=%d %s", ai->ai_family,
[email protected]@ -317,7 +319,8 @@
- 			return -1;
- 		}
- 	}
--	freeaddrinfo(res);
-+        if (res != NULL)
-+	        freeaddrinfo(res);
- 	return sock;
- }
- 
--- a/components/openssh/patches/012-acceptenv.patch	Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-#
-# This is to fix a security bug (CVE-2014-2532) when using environment passing
-# with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6
-# could be tricked into accepting any enviornment variable that contains the
-# characters before the wildcard character.  The bug fix code came from 
-# OpenSSH.org.  When we upgrade OpenSSH to version 6.6 or later, we will remove
-# this patch file.
-#
---- orig/session.c	Tue Mar 18 18:37:57 2014
-+++ new/session.c	Tue Mar 18 18:41:17 2014
[email protected]@ -978,6 +978,11 @@
- 	u_int envsize;
- 	u_int i, namelen;
- 
-+	if (strchr(name, '=') != NULL) {
-+	        error("Invalid environment variable \"%.100s\"", name);
-+                return;
-+	}
-+
- 	/*
- 	 * If we're passed an uninitialized list, allocate a single null
- 	 * entry before continuing.
[email protected]@ -2225,8 +2230,8 @@
- 	char *name, *val;
- 	u_int name_len, val_len, i;
- 
--	name = packet_get_string(&name_len);
--	val = packet_get_string(&val_len);
-+	name = packet_get_cstring(&name_len);
-+	val = packet_get_cstring(&val_len);
- 	packet_check_eom();
- 
- 	/* Don't set too many environment variables */
--- a/components/openssh/patches/014-disable_banner.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/014-disable_banner.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -6,31 +6,30 @@
 # In the future, if this feature is accepted by the upsteam in a later release,
 # we will remove this patch when we upgrade to that release.  
 #
---- orig/readconf.c	Wed May 21 15:04:21 2014
-+++ new/readconf.c	Wed May 28 11:56:04 2014
[email protected]@ -148,7 +148,11 @@
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c	2015-03-28 21:57:35.551727235 +0100
++++ new/readconf.c	2015-03-28 22:06:01.694836272 +0100
[email protected]@ -150,6 +150,9 @@ typedef enum {
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
++#ifdef DISABLE_BANNER 
++	oDisableBanner,
++#endif
+ 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ 	oVisualHostKey, oUseRoaming,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-+#ifdef DISABLE_BANNER
-+	oDisableBanner, oIgnoredUnknownOption, oDeprecated, oUnsupported
-+#else
- 	oIgnoredUnknownOption, oDeprecated, oUnsupported
-+#endif
- } OpCodes;
- 
- /* Textual representations of the tokens. */
[email protected]@ -266,6 +270,9 @@
- 	{ "canonicalizehostname", oCanonicalizeHostname },
- 	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
- 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
[email protected]@ -254,6 +257,9 @@ static struct {
+ 	{ "controlmaster", oControlMaster },
+ 	{ "controlpersist", oControlPersist },
+ 	{ "hashknownhosts", oHashKnownHosts },
 +#ifdef DISABLE_BANNER
 +	{ "disablebanner", oDisableBanner },
 +#endif
- 	{ "ignoreunknown", oIgnoreUnknown },
- 
- 	{ NULL, oBadOption }
[email protected]@ -682,6 +689,17 @@
+ 	{ "tunnel", oTunnel },
+ 	{ "tunneldevice", oTunnelDevice },
+ 	{ "localcommand", oLocalCommand },
[email protected]@ -754,6 +760,17 @@ static const struct multistate multistat
  	{ NULL, -1 }
  };
  
@@ -48,9 +47,9 @@
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
[email protected]@ -1392,6 +1410,13 @@
- 		intptr = &options->canonicalize_fallback_local;
- 		goto parse_flag;
[email protected]@ -1514,6 +1531,13 @@ parse_int:
+ 			*charptr = xstrdup(arg);
+ 		break;
  
 +#ifdef DISABLE_BANNER
 +	case oDisableBanner:
@@ -62,7 +61,7 @@
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
[email protected]@ -1554,6 +1579,9 @@
[email protected]@ -1684,6 +1708,9 @@ initialize_options(Options * options)
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
  	options->proxy_use_fdpass = -1;
@@ -72,23 +71,22 @@
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
[email protected]@ -1721,6 +1749,12 @@
[email protected]@ -1871,6 +1898,10 @@ fill_default_options(Options * options)
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
-+
 +#ifdef DISABLE_BANNER
 +	if (options->disable_banner == -1)
 +		options->disable_banner = 0;
 +#endif
-+
- #define CLEAR_ON_NONE(v) \
- 	do { \
- 		if (v != NULL && strcasecmp(v, "none") == 0) { \
---- orig/readconf.h	Wed May 21 15:04:35 2014
-+++ new/readconf.h	Wed May 28 11:08:53 2014
[email protected]@ -155,6 +155,9 @@
- 	struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
+ 	if (options->fingerprint_hash == -1)
+ 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ 	if (options->update_hostkeys == -1)
+diff -pur old/readconf.h new/readconf.h
+--- old/readconf.h	2015-03-17 06:49:20.000000000 +0100
++++ new/readconf.h	2015-03-28 21:57:35.684348892 +0100
[email protected]@ -153,6 +153,9 @@ typedef struct {
+ 	char	*hostbased_key_types;
  
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -97,9 +95,9 @@
  }       Options;
  
  #define SSH_CANONICALISE_NO	0
[email protected]@ -175,6 +178,12 @@
- #define SSHCONF_CHECKPERM	1  /* check permissions on config file */
- #define SSHCONF_USERCONF	2  /* user provided config file not system */
[email protected]@ -178,6 +181,12 @@ typedef struct {
+ #define SSH_UPDATE_HOSTKEYS_YES	1
+ #define SSH_UPDATE_HOSTKEYS_ASK	2
  
 +#ifdef DISABLE_BANNER
 +#define SSH_DISABLEBANNER_NO		0
@@ -109,10 +107,11 @@
 +
  void     initialize_options(Options *);
  void     fill_default_options(Options *);
- int	 process_config_line(Options *, struct passwd *, const char *, char *,
---- orig/ssh_config.5	Thu May 22 15:05:04 2014
-+++ new/ssh_config.5	Fri May 23 09:36:52 2014
[email protected]@ -507,6 +507,14 @@
+ void	 fill_default_options_for_canonicalization(Options *);
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5	2015-03-28 21:57:35.544033907 +0100
++++ new/ssh_config.5	2015-03-28 21:57:35.684635985 +0100
[email protected]@ -566,6 +566,14 @@ If set to a time in seconds, or a time i
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
@@ -127,9 +126,10 @@
  .It Cm DynamicForward
  Specifies that a TCP port on the local machine be forwarded
  over the secure channel, and the application
---- orig/sshconnect2.c	Wed May 21 15:05:27 2014
-+++ new/sshconnect2.c	Thu May 29 17:33:56 2014
[email protected]@ -82,6 +82,10 @@
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c	2015-03-17 06:49:20.000000000 +0100
++++ new/sshconnect2.c	2015-03-28 21:57:35.684940995 +0100
[email protected]@ -81,6 +81,10 @@ extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
  
@@ -140,7 +140,7 @@
  /*
   * SSH2 key exchange
   */
[email protected]@ -480,7 +484,20 @@
[email protected]@ -480,7 +484,20 @@ input_userauth_banner(int type, u_int32_
  	debug3("input_userauth_banner");
  	raw = packet_get_string(&len);
  	lang = packet_get_string(NULL);
--- a/components/openssh/patches/016-pam_enhancement.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/016-pam_enhancement.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -9,9 +9,10 @@
 # In the future, if these enhancements are accepted by the upsteam in a 
 # later release, we will remove this patch when we upgrade to that release.
 #
---- orig/auth-pam.c	Mon Jan 26 18:02:09 2015
-+++ new/auth-pam.c	Mon Mar 30 15:24:11 2015
[email protected]@ -617,6 +617,72 @@
+diff -pur old/auth-pam.c new/auth-pam.c
+--- old/auth-pam.c	2015-04-28 06:15:57.335765454 -0700
++++ new/auth-pam.c	2015-04-28 06:15:57.417753483 -0700
[email protected]@ -617,6 +617,72 @@ sshpam_cleanup(void)
  	sshpam_handle = NULL;
  }
  
@@ -84,7 +85,7 @@
  static int
  sshpam_init(Authctxt *authctxt)
  {
[email protected]@ -624,18 +690,71 @@
[email protected]@ -624,18 +690,71 @@ sshpam_init(Authctxt *authctxt)
  	const char *pam_rhost, *pam_user, *user = authctxt->user;
  	const char **ptr_pam_user = &pam_user;
  
@@ -146,31 +147,33 @@
 +#ifdef PAM_ENHANCEMENT
 +        debug3("Starting PAM service %s for user %s method %s", svc, user,
 +            authctxt->authmethod_name);
- 	sshpam_err =
++	sshpam_err =
 +	    pam_start(svc, user, &store_conv, &sshpam_handle);
 +	free(svc);
 +#else /* Original */
-+	sshpam_err =
+ 	sshpam_err =
  	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
 +#endif
  	sshpam_authctxt = authctxt;
  
  	if (sshpam_err != PAM_SUCCESS) {
---- orig/auth.h	Mon Jan 26 18:02:11 2015
-+++ new/auth.h	Mon Jan 26 18:02:11 2015
[email protected]@ -76,6 +76,9 @@
- #endif
- 	Buffer		*loginmsg;
- 	void		*methoddata;
+diff -pur old/auth.h new/auth.h
+--- old/auth.h	2015-03-16 22:49:20.000000000 -0700
++++ new/auth.h	2015-04-28 06:18:25.719914272 -0700
[email protected]@ -81,6 +81,9 @@ struct Authctxt {
+ 
+ 	struct sshkey	**prev_userkeys;
+ 	u_int		 nprev_userkeys;
 +#ifdef PAM_ENHANCEMENT
 +        char            *authmethod_name;
 +#endif 
  };
  /*
   * Every authentication method has to handle authentication requests for
---- orig/auth2.c	Mon Jan 26 18:02:10 2015
-+++ new/auth2.c	Tue Mar 31 15:19:10 2015
[email protected]@ -249,10 +249,21 @@
+diff -pur old/auth2.c new/auth2.c
+--- old/auth2.c	2015-03-16 22:49:20.000000000 -0700
++++ new/auth2.c	2015-04-28 06:15:57.419262466 -0700
[email protected]@ -243,10 +243,21 @@ input_userauth_request(int type, u_int32
  			PRIVSEP(audit_event(SSH_INVALID_USER));
  #endif
  		}
@@ -192,7 +195,7 @@
  		setproctitle("%s%s", authctxt->valid ? user : "unknown",
  		    use_privsep ? " [net]" : "");
  		authctxt->service = xstrdup(service);
[email protected]@ -286,6 +297,18 @@
[email protected]@ -277,6 +288,18 @@ input_userauth_request(int type, u_int32
  	/* try to authenticate user */
  	m = authmethod_lookup(authctxt, method);
  	if (m != NULL && authctxt->failures < options.max_authtries) {
@@ -211,7 +214,7 @@
  		debug2("input_userauth_request: try method %s", method);
  		authenticated =	m->userauth(authctxt);
  	}
[email protected]@ -303,6 +326,10 @@
[email protected]@ -295,6 +318,10 @@ userauth_finish(Authctxt *authctxt, int
  	char *methods;
  	int partial = 0;
  
@@ -222,7 +225,7 @@
  	if (!authctxt->valid && authenticated)
  		fatal("INTERNAL ERROR: authenticated invalid user %s",
  		    authctxt->user);
[email protected]@ -319,6 +346,25 @@
[email protected]@ -311,6 +338,25 @@ userauth_finish(Authctxt *authctxt, int
  	}
  
  	if (authenticated && options.num_auth_methods != 0) {
@@ -248,7 +251,7 @@
  		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
  			authenticated = 0;
  			partial = 1;
[email protected]@ -332,7 +378,20 @@
[email protected]@ -324,7 +370,20 @@ userauth_finish(Authctxt *authctxt, int
  		return;
  
  #ifdef USE_PAM
@@ -269,42 +272,16 @@
  		if (!PRIVSEP(do_pam_account())) {
  			/* if PAM returned a message, send it to the user */
  			if (buffer_len(&loginmsg) > 0) {
[email protected]@ -623,5 +682,3 @@
[email protected]@ -615,5 +674,3 @@ auth2_update_methods_lists(Authctxt *aut
  		fatal("%s: method not in AuthenticationMethods", __func__);
  	return 0;
  }
 -
 -
---- orig/monitor_wrap.c	Mon Jan 26 18:02:09 2015
-+++ new/monitor_wrap.c	Mon Jan 26 18:02:11 2015
[email protected]@ -338,6 +338,24 @@
- 	buffer_free(&m);
- }
- 
-+#ifdef PAM_ENHANCEMENT
-+/* Inform the privileged process about the authentication method */
-+void
-+mm_inform_authmethod(char *authmethod)
-+{
-+	Buffer m;
-+
-+	debug3("%s entering", __func__);
-+
-+	buffer_init(&m);
-+	buffer_put_cstring(&m, authmethod);
-+
-+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
-+
-+	buffer_free(&m);
-+}
-+#endif
-+
- /* Do the password authentication */
- int
- mm_auth_password(Authctxt *authctxt, char *password)
---- orig/monitor.c	Mon Jan 26 18:02:10 2015
-+++ new/monitor.c	Tue Mar 31 16:10:50 2015
[email protected]@ -146,6 +146,9 @@
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c	2015-03-16 22:49:20.000000000 -0700
++++ new/monitor.c	2015-04-28 06:15:57.421294814 -0700
[email protected]@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
  int mm_answer_pwnamallow(int, Buffer *);
  int mm_answer_auth2_read_banner(int, Buffer *);
  int mm_answer_authserv(int, Buffer *);
@@ -314,7 +291,7 @@
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
[email protected]@ -225,10 +228,17 @@
[email protected]@ -206,10 +209,17 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -332,7 +309,7 @@
      {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
      {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
      {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
[email protected]@ -391,6 +401,24 @@
[email protected]@ -371,6 +381,24 @@ monitor_child_preauth(Authctxt *_authctx
  			if (!compat20)
  				fatal("AuthenticationMethods is not supported"
  				    "with SSH protocol 1");
@@ -357,7 +334,7 @@
  			if (authenticated &&
  			    !auth2_update_methods_lists(authctxt,
  			    auth_method, auth_submethod)) {
[email protected]@ -409,8 +437,21 @@
[email protected]@ -389,8 +417,21 @@ monitor_child_preauth(Authctxt *_authctx
  			    !auth_root_allowed(auth_method))
  				authenticated = 0;
  #ifdef USE_PAM
@@ -379,7 +356,7 @@
  				Buffer m;
  
  				buffer_init(&m);
[email protected]@ -828,6 +869,10 @@
[email protected]@ -863,6 +904,10 @@ mm_answer_pwnamallow(int sock, Buffer *m
  		/* Allow service/style information on the auth context */
  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
@@ -390,12 +367,12 @@
  	}
  #ifdef USE_PAM
  	if (options.use_pam)
[email protected]@ -868,7 +913,25 @@
[email protected]@ -903,6 +948,24 @@ mm_answer_authserv(int sock, Buffer *m)
  	return (0);
  }
  
 +#ifdef PAM_ENHANCEMENT
- int
++int
 +mm_answer_authmethod(int sock, Buffer *m)
 +{
 +	monitor_permit_authentications(1);
@@ -412,13 +389,13 @@
 +}
 +#endif
 +
-+int
+ int
  mm_answer_authpassword(int sock, Buffer *m)
  {
- 	static int call_count;
---- orig/monitor.h	Mon Jan 26 18:02:10 2015
-+++ new/monitor.h	Mon Jan 26 18:02:11 2015
[email protected]@ -70,6 +70,9 @@
+diff -pur old/monitor.h new/monitor.h
+--- old/monitor.h	2015-03-16 22:49:20.000000000 -0700
++++ new/monitor.h	2015-04-28 06:15:57.421684373 -0700
[email protected]@ -65,6 +65,9 @@ enum monitor_reqtype {
  	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
  	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
  
@@ -428,12 +405,41 @@
  };
  
  struct mm_master;
---- orig/servconf.c	Mon Jan 26 18:02:09 2015
-+++ new/servconf.c	Tue Mar 31 16:24:59 2015
[email protected]@ -154,6 +154,18 @@
- 	options->ip_qos_interactive = -1;
+diff -pur old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c	2015-03-16 22:49:20.000000000 -0700
++++ new/monitor_wrap.c	2015-04-28 06:15:57.419906674 -0700
[email protected]@ -347,6 +347,24 @@ mm_inform_authserv(char *service, char *
+ 	buffer_free(&m);
+ }
+ 
++#ifdef PAM_ENHANCEMENT
++/* Inform the privileged process about the authentication method */
++void
++mm_inform_authmethod(char *authmethod)
++{
++	Buffer m;
++
++	debug3("%s entering", __func__);
++
++	buffer_init(&m);
++	buffer_put_cstring(&m, authmethod);
++
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
++
++	buffer_free(&m);
++}
++#endif
++
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c	2015-04-28 06:15:57.300968063 -0700
++++ new/servconf.c	2015-04-28 06:27:06.330272555 -0700
[email protected]@ -163,6 +163,18 @@ initialize_server_options(ServerOptions
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
+ 	options->fingerprint_hash = -1;
 +#ifdef PAM_ENHANCEMENT
 +	options->pam_service_name = NULL;
 +	options->pam_service_prefix = NULL;
@@ -444,48 +450,48 @@
 +	 * is not compat20, then there will be only one PAM service for the
 +	 * entire user authentication.
 +	 */
-+        options->pam_service_per_authmethod = 1;
++	options->pam_service_per_authmethod = 1;
 +#endif
  }
  
- void
[email protected]@ -303,6 +315,12 @@
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
[email protected]@ -332,6 +344,12 @@ fill_default_server_options(ServerOption
  		options->ip_qos_bulk = IPTOS_THROUGHPUT;
  	if (options->version_addendum == NULL)
  		options->version_addendum = xstrdup("");
 +
 +#ifdef PAM_ENHANCEMENT
-+        if (options->pam_service_prefix == NULL)
-+                options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
++	if (options->pam_service_prefix == NULL)
++		options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
 +#endif
 +
- 	/* Turn privilege separation on by default */
- 	if (use_privsep == -1)
- 		use_privsep = PRIVSEP_NOSANDBOX;
[email protected]@ -351,6 +369,9 @@
- 	sKexAlgorithms, sIPQoS, sVersionAddendum,
- 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods, sHostKeyAgent,
+ 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ 		options->fwd_opts.streamlocal_bind_mask = 0177;
+ 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
[email protected]@ -400,6 +418,9 @@ typedef enum {
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sHostCertificate,
 +#ifdef PAM_ENHANCEMENT
 +	sPAMServicePrefix, sPAMServiceName,
 +#endif
- 	sDeprecated, sUnsupported
- } ServerOpCodes;
- 
[email protected]@ -482,6 +503,10 @@
- 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
- 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
- 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+ 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ 	sKexAlgorithms, sIPQoS, sVersionAddendum,
+ 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
[email protected]@ -534,6 +555,10 @@ static struct {
+ 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
 +#ifdef PAM_ENHANCEMENT
-+        { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
-+        { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
++	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
++	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
 +#endif
- 	{ NULL, sBadOption, 0 }
- };
- 
[email protected]@ -1632,6 +1657,37 @@
- 		}
- 		return 0;
+ 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+ 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
[email protected]@ -1765,6 +1790,37 @@ process_server_config_line(ServerOptions
+ 			options->fingerprint_hash = value;
+ 		break;
  
 +	case sPAMServicePrefix:
 +		arg = strdelim(&cp);
@@ -521,8 +527,9 @@
  	case sDeprecated:
  		logit("%s line %d: Deprecated option %s",
  		    filename, linenum, arg);
---- orig/servconf.h	Mon Jan 26 18:02:10 2015
-+++ new/servconf.h	Tue Mar 31 15:07:14 2015
+diff -pur old/servconf.h new/servconf.h
+--- old/servconf.h	2015-03-16 22:49:20.000000000 -0700
++++ new/servconf.h	2015-04-28 06:28:25.181429777 -0700
 @@ -54,6 +54,10 @@
  /* Magic name for internal sftp-server */
  #define INTERNAL_SFTP_NAME	"internal-sftp"
@@ -534,57 +541,23 @@
  typedef struct {
  	u_int	num_ports;
  	u_int	ports_from_cmdline;
[email protected]@ -185,6 +189,13 @@
- 
[email protected]@ -188,6 +192,12 @@ typedef struct {
  	u_int	num_auth_methods;
  	char   *auth_methods[MAX_AUTH_METHODS];
-+
+ 
 +#ifdef PAM_ENHANCEMENT
 +	char   *pam_service_prefix;
 +	char   *pam_service_name;
 +	int	pam_service_per_authmethod;
 +#endif
 +        
+ 	int	fingerprint_hash;
  }       ServerOptions;
  
- /* Information about the incoming connection as used by Match */
---- orig/sshd_config.5	Mon Jan 26 18:02:10 2015
-+++ new/sshd_config.5	Mon Jan 26 18:03:45 2015
[email protected]@ -868,6 +868,21 @@
- are refused if the number of unauthenticated connections reaches
- .Dq full
- (60).
-+.It Cm PAMServiceName
-+Specifies the PAM service name for the PAM session. The PAMServiceName and 
-+PAMServicePrefix options are mutually exclusive and if both set, sshd does not
-+start. If this option is set the service name is the same for all user 
-+authentication methods. The option has no default value. See PAMServicePrefix 
-+for more information.
-+.It Cm PAMServicePrefix
-+Specifies the PAM service name prefix for service names used for individual 
-+user authentication methods. The default is sshd. The PAMServiceName and 
-+PAMServicePrefix options are mutually exclusive and if both set, sshd does not 
-+start.
-+.Pp
-+For example, if this option is set to admincli, the service name for the 
-+keyboard-interactive authentication method is admincli-kbdint instead of the 
-+default sshd-kbdint.
- .It Cm PasswordAuthentication
- Specifies whether password authentication is allowed.
- The default is
[email protected]@ -1203,8 +1218,7 @@
- is enabled, you will not be able to run
- .Xr sshd 8
- as a non-root user.
--The default is
--.Dq no .
-+On Solaris, the option is always enabled.
- .It Cm UsePrivilegeSeparation
- Specifies whether
- .Xr sshd 8
---- orig/sshd.8	Mon Jan 26 18:02:09 2015
-+++ new/sshd.8	Mon Jan 26 18:02:11 2015
[email protected]@ -951,6 +951,33 @@
+diff -pur old/sshd.8 new/sshd.8
+--- old/sshd.8	2015-04-28 06:15:57.254681499 -0700
++++ new/sshd.8	2015-04-28 06:15:57.426325504 -0700
[email protected]@ -945,6 +945,33 @@ concurrently for different ports, this c
  started last).
  The content of this file is not sensitive; it can be world-readable.
  .El
@@ -618,9 +591,10 @@
  .Sh SEE ALSO
  .Xr scp 1 ,
  .Xr sftp 1 ,
---- orig/sshd.c	Tue Mar 31 18:12:33 2015
-+++ new/sshd.c	Tue Mar 31 18:42:28 2015
[email protected]@ -2065,6 +2065,11 @@
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c	2015-04-28 06:15:57.302106750 -0700
++++ new/sshd.c	2015-04-28 06:15:57.427449259 -0700
[email protected]@ -2146,6 +2146,11 @@ main(int ac, char **av)
  
  	sshd_exchange_identification(sock_in, sock_out);
  
@@ -632,3 +606,38 @@
  	/* In inetd mode, generate ephemeral key only for proto 1 connections */
  	if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
  		generate_ephemeral_server_key();
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5	2015-04-28 06:15:57.256560985 -0700
++++ new/sshd_config.5	2015-04-28 06:15:57.425661853 -0700
[email protected]@ -1044,6 +1044,21 @@ The probability increases linearly and a
+ are refused if the number of unauthenticated connections reaches
+ .Dq full
+ (60).
++.It Cm PAMServiceName
++Specifies the PAM service name for the PAM session. The PAMServiceName and 
++PAMServicePrefix options are mutually exclusive and if both set, sshd does not
++start. If this option is set the service name is the same for all user 
++authentication methods. The option has no default value. See PAMServicePrefix 
++for more information.
++.It Cm PAMServicePrefix
++Specifies the PAM service name prefix for service names used for individual 
++user authentication methods. The default is sshd. The PAMServiceName and 
++PAMServicePrefix options are mutually exclusive and if both set, sshd does not 
++start.
++.Pp
++For example, if this option is set to admincli, the service name for the 
++keyboard-interactive authentication method is admincli-kbdint instead of the 
++default sshd-kbdint.
+ .It Cm PasswordAuthentication
+ Specifies whether password authentication is allowed.
+ The default is
[email protected]@ -1427,8 +1442,7 @@ If
+ is enabled, you will not be able to run
+ .Xr sshd 8
+ as a non-root user.
+-The default is
+-.Dq no .
++On Solaris, the option is always enabled.
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+ .Xr sshd 8
--- a/components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -13,16 +13,28 @@
 # This is a Solaris specific change to ease the transition and will not be
 # offered upstream.
 #
---- orig/servconf.c	Mon Jun  1 15:37:53 2015
-+++ new/servconf.c	Mon Jun  1 15:43:35 2015
[email protected]@ -1,4 +1,3 @@
--
- /* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
- /*
-  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
[email protected]@ -528,6 +527,30 @@
-         { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
-         { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -518,6 +518,7 @@ static struct {
+ 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
+ #ifdef GSSAPI
+ 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
++	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
+ #ifdef USE_GSS_STORE_CRED
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ #else /* USE_GSS_STORE_CRED */
[email protected]@ -526,6 +527,7 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
++	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ #endif
[email protected]@ -592,6 +594,30 @@ static struct {
+ 	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+ 	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
  #endif
 +#ifdef DEPRECATE_SUNSSH_OPT
 +	/*
@@ -46,8 +58,8 @@
 +	{ "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
 +	{ "usefips140", sDeprecated, SSHCFG_ALL},
 +	{ "gssapistoredelegatedcredentials", sDeprecated, SSHCFG_ALL },
-+	{ "gssapikeyexchange", sDeprecated, SSHCFG_ALL},
++	{ "gssstoredelegcreds", sDeprecated, SSHCFG_ALL },
 +#endif
- 	{ NULL, sBadOption, 0 }
- };
- 
+ 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+ 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
--- a/components/openssh/patches/021-CVE-2014-2653.patch	Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,63 +0,0 @@
-#
-# This is to fix the CVE-2014-2653 security bug.  The bug fix code came from
-# OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
-# this patch file.
-#
---- orig/sshconnect.c	Mon Jun 16 10:31:17 2014
-+++ new/sshconnect.c	Mon Jun 16 10:44:16 2014
[email protected]@ -1216,29 +1216,39 @@
- {
- 	int flags = 0;
- 	char *fp;
-+        Key *plain = NULL;
- 
- 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- 	debug("Server host key: %s %s", key_type(host_key), fp);
- 	free(fp);
- 
--	/* XXX certs are not yet supported for DNS */
--	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
--	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
--		if (flags & DNS_VERIFY_FOUND) {
--
--			if (options.verify_host_key_dns == 1 &&
--			    flags & DNS_VERIFY_MATCH &&
--			    flags & DNS_VERIFY_SECURE)
--				return 0;
--
--			if (flags & DNS_VERIFY_MATCH) {
--				matching_host_key_dns = 1;
--			} else {
--				warn_changed_key(host_key);
--				error("Update the SSHFP RR in DNS with the new "
--				    "host key to get rid of this message.");
-+	if (options.verify_host_key_dns) {
-+		/*
-+		 * XXX certs are not yet supported for DNS, so downgrade
-+		 * them and try the plain key.
-+		 */
-+		plain = key_from_private(host_key);
-+		if (key_is_cert(plain))
-+			key_drop_cert(plain);
-+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+			if (flags & DNS_VERIFY_FOUND) {
-+				if (options.verify_host_key_dns == 1 &&
-+				    flags & DNS_VERIFY_MATCH &&
-+				    flags & DNS_VERIFY_SECURE) {
-+					key_free(plain);
-+					return 0;
-+				}
-+				if (flags & DNS_VERIFY_MATCH) {
-+					matching_host_key_dns = 1;
-+				} else {
-+					warn_changed_key(plain);
-+					error("Update the SSHFP RR in DNS "
-+					    "with the new host key to get rid "
-+					    "of this message.");
-+				}
- 			}
- 		}
-+		key_free(plain);
- 	}
- 
- 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
--- a/components/openssh/patches/022-solaris_audit.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/022-solaris_audit.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -20,74 +20,10 @@
 # An additional patch relying on the --with-audit=solaris configuration
 #  should/will be created for sftp Solaris Audit and password change.
 #
---- orig/config.h.in	2014-11-05 13:11:59.968745838 -0800
-+++ new/config.h.in	2014-10-13 14:00:31.117475979 -0700
[email protected]@ -1628,6 +1628,9 @@
- /* Use Linux audit module */
- #undef USE_LINUX_AUDIT
- 
-+/* Use Solaris audit module */
-+#undef USE_SOLARIS_AUDIT
-+
- /* Enable OpenSSL engine support */
- #undef USE_OPENSSL_ENGINE
- 
---- orig/configure	2014-11-05 13:11:59.971959419 -0800
-+++ new/configure	2014-12-04 08:43:59.945675841 -0800
[email protected]@ -1420,7 +1420,7 @@
-   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
-   --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
-   --with-libedit[=PATH]   Enable libedit support for sftp
--  --with-audit=module     Enable audit support (modules=debug,bsm,linux)
-+  --with-audit=module     Enable audit support (modules=debug,bsm,linux,solaris)
-   --with-pie           Build Position Independent Executables if possible
-   --with-ssl-dir=PATH     Specify path to OpenSSL installation
-   --without-openssl-header-check Disable OpenSSL version consistency check
[email protected]@ -10185,6 +10185,27 @@
- $as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h
- 
- 		;;
-+	  solaris)
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: solaris" >&5
-+$as_echo "solaris" >&6; }
-+		AUDIT_MODULE=solaris
-+				for ac_header in bsm/adt.h
-+do :
-+  ac_fn_c_check_header_compile "$LINENO" "bsm/adt.h" "ac_cv_header_bsm_adt_h" ""
-+if test "x$ac_cv_header_bsm_adt_h" = xyes; then :
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_ADT_H 1
-+_ACEOF
-+
-+else
-+  as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5
-+fi
-+
-+done
-+
-+		SSHDLIBS="$SSHDLIBS -lbsm"
-+$as_echo "#define USE_SOLARIS_AUDIT 1" >>confdefs.h
-+	  	;;
- 	  debug)
- 		AUDIT_MODULE=debug
- 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5
---- orig/defines.h	2014-01-17 05:12:38.000000000 -0800
-+++ new/defines.h	2014-09-12 10:09:27.000000000 -0700
[email protected]@ -622,6 +622,11 @@
- # define CUSTOM_SSH_AUDIT_EVENTS
- #endif
- 
-+#ifdef USE_SOLARIS_AUDIT
-+# define SSH_AUDIT_EVENTS
-+# define CUSTOM_SSH_AUDIT_EVENTS
-+#endif
-+
- #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
- #  define __func__ __FUNCTION__
- #elif !defined(HAVE___func__)
---- orig/INSTALL	2013-03-06 17:33:35.000000000 -0800
-+++ new/INSTALL	2014-12-04 08:41:24.369920230 -0800
[email protected]@ -97,9 +97,13 @@
+diff -pur old/INSTALL new/INSTALL
+--- old/INSTALL	2015-03-16 22:49:20.000000000 -0700
++++ new/INSTALL	2015-05-21 03:54:29.120932630 -0700
[email protected]@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/
  
  Basic Security Module (BSM):
  
@@ -104,7 +40,7 @@
  
  
  2. Building / Installation
[email protected]@ -152,8 +156,9 @@
[email protected]@ -147,8 +151,9 @@ name).
  There are a few other options to the configure script:
  
  --with-audit=[module] enable additional auditing via the specified module.
@@ -116,9 +52,10 @@
  
  --with-pam enables PAM support. If PAM support is compiled in, it must
  also be enabled in sshd_config (refer to the UsePAM directive).
---- orig/Makefile.in	2014-11-12 15:18:05.366726810 -0800
-+++ new/Makefile.in	2014-11-12 15:22:36.825227512 -0800
[email protected]@ -84,7 +84,7 @@
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in	2015-12-07 15:43:45.335711670 -0800
++++ new/Makefile.in	2015-12-07 15:51:37.440455000 -0800
[email protected]@ -98,7 +98,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
  	roaming_common.o roaming_client.o
  
  SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
@@ -127,9 +64,10 @@
  	sshpty.o sshlogin.o servconf.o serverloop.o \
  	auth.o auth1.o auth2.o auth-options.o session.o \
  	auth-chall.o auth2-chall.o groupaccess.o \
---- orig/README.platform	2009-08-28 16:14:48.000000000 -0700
-+++ new/README.platform	2014-09-12 09:45:50.000000000 -0700
[email protected]@ -68,8 +68,8 @@
+diff -pur old/README.platform new/README.platform
+--- old/README.platform	2015-03-16 22:49:20.000000000 -0700
++++ new/README.platform	2015-05-21 03:54:29.121331205 -0700
[email protected]@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base
  libssl-dev, libz-dev and libpam-dev.
  
  
@@ -140,7 +78,7 @@
  If you enable BSM auditing on Solaris, you need to update audit_event(4)
  for praudit(1m) to give sensible output.  The following line needs to be
  added to /etc/security/audit_event:
[email protected]@ -82,6 +82,9 @@
[email protected]@ -82,6 +82,9 @@ There is no official registry of 3rd par
  number is already in use on your system, you may change it at build time
  by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
  
@@ -150,10 +88,212 @@
  
  Platforms using PAM
  -------------------
---- orig/sshd.c	2014-11-05 13:11:59.974945893 -0800
-+++ new/sshd.c	2014-11-10 13:33:12.279354856 -0800
[email protected]@ -2139,7 +2139,9 @@
- #endif 
+diff -pur old/config.h.in new/config.h.in
+--- old/config.h.in	2015-05-21 03:54:29.047656051 -0700
++++ new/config.h.in	2015-05-21 03:54:29.121686621 -0700
[email protected]@ -1635,6 +1635,9 @@
+ /* Use Linux audit module */
+ #undef USE_LINUX_AUDIT
+ 
++/* Use Solaris audit module */
++#undef USE_SOLARIS_AUDIT
++
+ /* Enable OpenSSL engine support */
+ #undef USE_OPENSSL_ENGINE
+ 
+diff -pur old/configure new/configure
+--- old/configure	2015-05-21 03:54:29.053171257 -0700
++++ new/configure	2015-05-21 06:53:04.579282150 -0700
[email protected]@ -1336,7 +1336,7 @@ Optional Packages:
+   --with-skey[=PATH]      Enable S/Key support (optionally in PATH)
+   --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
+   --with-libedit[=PATH]   Enable libedit support for sftp
+-  --with-audit=module     Enable audit support (modules=debug,bsm,linux)
++  --with-audit=module     Enable audit support (modules=debug,bsm,linux,solaris)
+   --with-pie              Build Position Independent Executables if possible
+   --with-ssl-dir=PATH     Specify path to OpenSSL installation
+   --without-openssl-header-check Disable OpenSSL version consistency check
[email protected]@ -16106,6 +16106,160 @@ cat >>confdefs.h <<\_ACEOF
+ _ACEOF
+ 
+ 		;;
++	  solaris)
++		{ echo "$as_me:$LINENO: result: solaris" >&5
++echo "${ECHO_T}solaris" >&6; }
++		AUDIT_MODULE=solaris
++
++for ac_header in bsm/adt.h
++do
++as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++  { echo "$as_me:$LINENO: checking for $ac_header" >&5
++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++fi
++ac_res=`eval echo '${'$as_ac_Header'}'`
++	       { echo "$as_me:$LINENO: result: $ac_res" >&5
++echo "${ECHO_T}$ac_res" >&6; }
++else
++  # Is the header compilable?
++{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
++echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++$ac_includes_default
++#include <$ac_header>
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  ac_header_compiler=yes
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_header_compiler=no
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
++echo "${ECHO_T}$ac_header_compiler" >&6; }
++
++# Is the header present?
++{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
++echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++#include <$ac_header>
++_ACEOF
++if { (ac_try="$ac_cpp conftest.$ac_ext"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } >/dev/null && {
++	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       }; then
++  ac_header_preproc=yes
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++  ac_header_preproc=no
++fi
++
++rm -f conftest.err conftest.$ac_ext
++{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
++echo "${ECHO_T}$ac_header_preproc" >&6; }
++
++# So?  What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
++  yes:no: )
++    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
++echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
++echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
++    ac_header_preproc=yes
++    ;;
++  no:yes:* )
++    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
++echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
++echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
++echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
++echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
++echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
++    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
++echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
++    ( cat <<\_ASBOX
++## ------------------------------------------- ##
++## Report this to [email protected] ##
++## ------------------------------------------- ##
++_ASBOX
++     ) | sed "s/^/$as_me: WARNING:     /" >&2
++    ;;
++esac
++{ echo "$as_me:$LINENO: checking for $ac_header" >&5
++echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++else
++  eval "$as_ac_Header=\$ac_header_preproc"
++fi
++ac_res=`eval echo '${'$as_ac_Header'}'`
++	       { echo "$as_me:$LINENO: result: $ac_res" >&5
++echo "${ECHO_T}$ac_res" >&6; }
++
++fi
++if test `eval echo '${'$as_ac_Header'}'` = yes; then
++  cat >>confdefs.h <<_ACEOF
++#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
++_ACEOF
++
++fi
++
++done
++
++		SSHDLIBS="$SSHDLIBS -lbsm"
++cat >>confdefs.h <<\_ACEOF
++#define USE_SOLARIS_AUDIT 1
++_ACEOF
++	  	;;
+ 	  debug)
+ 		AUDIT_MODULE=debug
+ 		{ echo "$as_me:$LINENO: result: debug" >&5
+diff -pur old/defines.h new/defines.h
+--- old/defines.h	2015-03-16 22:49:20.000000000 -0700
++++ new/defines.h	2015-05-21 03:54:29.127386034 -0700
[email protected]@ -635,6 +635,11 @@ struct winsize {
+ # define CUSTOM_SSH_AUDIT_EVENTS
+ #endif
+ 
++#ifdef USE_SOLARIS_AUDIT
++# define SSH_AUDIT_EVENTS
++# define CUSTOM_SSH_AUDIT_EVENTS
++#endif
++
+ #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
+ #  define __func__ __FUNCTION__
+ #elif !defined(HAVE___func__)
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c	2015-05-21 03:54:29.070139157 -0700
++++ new/sshd.c	2015-05-21 03:54:29.127803176 -0700
[email protected]@ -2215,7 +2215,9 @@ main(int ac, char **av)
+ 	}
  
  #ifdef SSH_AUDIT_EVENTS
 +#ifndef	USE_SOLARIS_AUDIT
@@ -162,7 +302,7 @@
  #endif
  
  #ifdef GSSAPI
[email protected]@ -2169,6 +2171,10 @@
[email protected]@ -2245,6 +2247,10 @@ main(int ac, char **av)
  		do_pam_session();
  	}
  #endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/023-gsskex.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,1256 @@
+#
+# GSS-API key exchange support
+#
+# Based on https://github.com/SimonWilkinson/gss-openssh/commit/ffae842
+# Updated to apply to OpenSSH 6.5.
+# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.
+# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.
+#
+# Upstream rejected GSS-API key exchange several times before.
+#
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in	2015-12-10 14:51:47.781146370 -0800
++++ new/Makefile.in	2015-12-10 14:48:21.907121340 -0800
[email protected]@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
+ 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
++	kexgssc.o \
+ 	ssh-pkcs11.o smult_curve25519_ref.o \
+ 	poly1305.o chacha.o cipher-chachapoly.o \
+ 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
[email protected]@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+ 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
+ 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
++	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
+ 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ 	sftp-server.o sftp-common.o \
+ 	roaming_common.o roaming_serv.o \
+diff -pur old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c
++++ new/auth2-gss.c
[email protected]@ -1,7 +1,7 @@
+ /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
[email protected]@ -53,6 +53,39 @@ static int input_gssapi_mic(int type, u_
+ static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+ static int input_gssapi_errtok(int, u_int32_t, void *);
+ 
++/* 
++ * The 'gssapi_keyex' userauth mechanism.
++ */
++static int
++userauth_gsskeyex(Authctxt *authctxt)
++{
++	int authenticated = 0;
++	Buffer b;
++	gss_buffer_desc mic, gssbuf;
++	u_int len;
++
++	mic.value = packet_get_string(&len);
++	mic.length = len;
++
++	packet_check_eom();
++
++	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++	    "gssapi-keyex");
++
++	gssbuf.value = buffer_ptr(&b);
++	gssbuf.length = buffer_len(&b);
++
++	/* gss_kex_context is NULL with privsep, so we can't check it here */
++	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
++	    &gssbuf, &mic))))
++		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
++	
++	buffer_free(&b);
++	free(mic.value);
++
++	return (authenticated);
++}
++
+ /*
+  * We only support those mechanisms that we know about (ie ones that we know
+  * how to check local user kuserok and the like)
[email protected]@ -290,6 +323,12 @@ input_gssapi_mic(int type, u_int32_t ple
+ 	return 0;
+ }
+ 
++Authmethod method_gsskeyex = {
++	"gssapi-keyex",
++	userauth_gsskeyex,
++	&options.gss_authentication
++};
++
+ Authmethod method_gssapi = {
+ 	"gssapi-with-mic",
+ 	userauth_gssapi,
+diff -pur old/auth2.c new/auth2.c
+--- old/auth2.c
++++ new/auth2.c
[email protected]@ -70,6 +70,7 @@ extern Authmethod method_passwd;
+ extern Authmethod method_kbdint;
+ extern Authmethod method_hostbased;
+ #ifdef GSSAPI
++extern Authmethod method_gsskeyex;
+ extern Authmethod method_gssapi;
+ #endif
+ 
[email protected]@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
+ 	&method_none,
+ 	&method_pubkey,
+ #ifdef GSSAPI
++	&method_gsskeyex,
+ 	&method_gssapi,
+ #endif
+ 	&method_passwd,
+diff -pur old/configure new/configure
+--- old/configure
++++ new/configure
[email protected]@ -10944,8 +10944,10 @@ fi
+ 
+ fi
+ 
+-        $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
+-        $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
++cat >>confdefs.h <<\_ACEOF
++#define	USE_GSS_STORE_CRED 1
++#define	GSSAPI_STORECREDS_NEEDS_RUID 1
++_ACEOF
+ 
+ 	TEST_SHELL=$SHELL	# let configure find us a capable shell
+ 	;;
+diff -pur old/gss-genr.c new/gss-genr.c
+--- old/gss-genr.c
++++ new/gss-genr.c
[email protected]@ -1,7 +1,7 @@
+ /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
[email protected]@ -41,12 +41,167 @@
+ #include "buffer.h"
+ #include "log.h"
+ #include "ssh2.h"
++#include "cipher.h"
++#include "key.h"
++#include "kex.h"
++#include <openssl/evp.h>
+ 
+ #include "ssh-gss.h"
+ 
+ extern u_char *session_id2;
+ extern u_int session_id2_len;
+ 
++typedef struct {
++	char *encoded;
++	gss_OID oid;
++} ssh_gss_kex_mapping;
++
++/*
++ * XXX - It would be nice to find a more elegant way of handling the
++ * XXX   passing of the key exchange context to the userauth routines
++ */
++
++Gssctxt *gss_kex_context = NULL;
++
++static ssh_gss_kex_mapping *gss_enc2oid = NULL;
++
++int 
++ssh_gssapi_oid_table_ok() {
++	return (gss_enc2oid != NULL);
++}
++
++/*
++ * Return a list of the gss-group1-sha1 mechanisms supported by this program
++ *
++ * We test mechanisms to ensure that we can use them, to avoid starting
++ * a key exchange with a bad mechanism
++ */
++
++char *
++ssh_gssapi_client_mechanisms(const char *host) {
++	gss_OID_set gss_supported;
++	OM_uint32 min_status;
++
++	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
++		return NULL;
++
++	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
++	    host));
++}
++
++char *
++ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
++    const char *data) {
++	Buffer buf;
++	size_t i;
++	int oidpos, enclen;
++	char *mechs, *encoded;
++	u_char digest[EVP_MAX_MD_SIZE];
++	char deroid[2];
++	const EVP_MD *evp_md = EVP_md5();
++	EVP_MD_CTX md;
++
++	if (gss_enc2oid != NULL) {
++		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
++			free(gss_enc2oid[i].encoded);
++		free(gss_enc2oid);
++	}
++
++	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
++	    (gss_supported->count + 1));
++
++	buffer_init(&buf);
++
++	oidpos = 0;
++	for (i = 0; i < gss_supported->count; i++) {
++		if (gss_supported->elements[i].length < 128 &&
++		    (*check)(NULL, &(gss_supported->elements[i]), data)) {
++
++			deroid[0] = SSH_GSS_OIDTYPE;
++			deroid[1] = gss_supported->elements[i].length;
++
++			EVP_DigestInit(&md, evp_md);
++			EVP_DigestUpdate(&md, deroid, 2);
++			EVP_DigestUpdate(&md,
++			    gss_supported->elements[i].elements,
++			    gss_supported->elements[i].length);
++			EVP_DigestFinal(&md, digest, NULL);
++
++			encoded = xmalloc(EVP_MD_size(evp_md) * 2);
++			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
++			    encoded, EVP_MD_size(evp_md) * 2);
++
++			if (oidpos != 0)
++				buffer_put_char(&buf, ',');
++
++			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
++			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
++			buffer_append(&buf, encoded, enclen);
++			buffer_put_char(&buf, ',');
++			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
++			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
++			buffer_append(&buf, encoded, enclen);
++			buffer_put_char(&buf, ',');
++			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
++			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
++			buffer_append(&buf, encoded, enclen);
++
++			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
++			gss_enc2oid[oidpos].encoded = encoded;
++			oidpos++;
++		}
++	}
++	gss_enc2oid[oidpos].oid = NULL;
++	gss_enc2oid[oidpos].encoded = NULL;
++
++	buffer_put_char(&buf, '\0');
++
++	mechs = xmalloc(buffer_len(&buf));
++	buffer_get(&buf, mechs, buffer_len(&buf));
++	buffer_free(&buf);
++
++	if (strlen(mechs) == 0) {
++		free(mechs);
++		mechs = NULL;
++	}
++	
++	return (mechs);
++}
++
++gss_OID
++ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
++	int i = 0;
++	
++	switch (kex_type) {
++	case KEX_GSS_GRP1_SHA1:
++		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
++			return GSS_C_NO_OID;
++		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
++		break;
++	case KEX_GSS_GRP14_SHA1:
++		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
++			return GSS_C_NO_OID;
++		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
++		break;
++	case KEX_GSS_GEX_SHA1:
++		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
++			return GSS_C_NO_OID;
++		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
++		break;
++	default:
++		return GSS_C_NO_OID;
++	}
++
++	while (gss_enc2oid[i].encoded != NULL &&
++	    strcmp(name, gss_enc2oid[i].encoded) != 0)
++		i++;
++
++	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
++		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
++
++	return gss_enc2oid[i].oid;
++}
++
+ /* Check that the OID in a data stream matches that in the context */
+ int
+ ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
[email protected]@ -231,6 +386,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
+ OM_uint32
+ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+ {
++	if (ctx == NULL) 
++		return -1;
++
+ 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
+ 	    GSS_C_QOP_DEFAULT, buffer, hash)))
+ 		ssh_gssapi_error(ctx);
[email protected]@ -238,6 +396,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
+ 	return (ctx->major);
+ }
+ 
++/* Priviledged when used by server */
++OM_uint32
++ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
++{
++	if (ctx == NULL)
++		return -1;
++
++	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
++	    gssbuf, gssmic, NULL);
++
++	return (ctx->major);
++}
++
+ void
+ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
+     const char *context)
[email protected]@ -256,6 +427,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+ 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ 	OM_uint32 major, minor;
+ 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
++	Gssctxt *intctx = NULL;
++
++	if (ctx == NULL)
++		ctx = &intctx;
+ 
+ 	/* RFC 4462 says we MUST NOT do SPNEGO */
+ 	if (oid->length == spnego_oid.length && 
[email protected]@ -274,7 +449,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+ 			    GSS_C_NO_BUFFER);
+ 	}
+ 
+-	if (GSS_ERROR(major)) 
++	if (GSS_ERROR(major) || intctx != NULL) 
+ 		ssh_gssapi_delete_ctx(ctx);
+ 
+ 	return (!GSS_ERROR(major));
+diff -pur old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c
++++ new/gss-serv.c
[email protected]@ -1,7 +1,7 @@
+ /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
+ 
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
[email protected]@ -47,6 +47,7 @@
+ #include "servconf.h"
+ 
+ #include "ssh-gss.h"
++#include "monitor_wrap.h"
+ 
+ extern ServerOptions options;
+ 
[email protected]@ -142,6 +143,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
+ }
+ 
+ /* Unprivileged */
++char *
++ssh_gssapi_server_mechanisms() {
++	gss_OID_set	supported;
++
++	ssh_gssapi_supported_oids(&supported);
++	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
++	    NULL));
++}
++
++/* Unprivileged */
++int
++ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
++	Gssctxt *ctx = NULL;
++	int res;
++ 
++	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
++	ssh_gssapi_delete_ctx(&ctx);
++
++	return (res);
++}
++
++/* Unprivileged */
+ void
+ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+ {
[email protected]@ -151,7 +174,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
+ 	gss_OID_set supported;
+ 
+ 	gss_create_empty_oid_set(&min_status, oidset);
+-	gss_indicate_mechs(&min_status, &supported);
++
++	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
++		return;
+ 
+ 	while (supported_mechs[i]->name != NULL) {
+ 		if (GSS_ERROR(gss_test_oid_set_member(&min_status,
[email protected]@ -427,14 +452,4 @@ ssh_gssapi_userok(char *user)
+ 	return (0);
+ }
+ 
+-/* Privileged */
+-OM_uint32
+-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+-{
+-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-	    gssbuf, gssmic, NULL);
+-
+-	return (ctx->major);
+-}
+-
+ #endif
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
[email protected]@ -55,6 +55,10 @@
+ #include "sshbuf.h"
+ #include "digest.h"
+ 
++#ifdef GSSAPI
++#include "ssh-gss.h"
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ # if defined(HAVE_EVP_SHA256)
+ # define evp_ssh_sha256 EVP_sha256
[email protected]@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = {
+ #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
+ 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
++#ifdef GSSAPI
++	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++#endif
+ 	{ NULL, -1, -1, -1},
+ };
+ 
[email protected]@ -126,7 +135,7 @@ kex_alg_by_name(const char *name)
+ 	const struct kexalg *k;
+ 
+ 	for (k = kexalgs; k->name != NULL; k++) {
+-		if (strcmp(k->name, name) == 0)
++		if (strncmp(k->name, name, strlen(k->name)) == 0)
+ 			return k;
+ 	}
+ 	return NULL;
+diff -pur old/kex.h new/kex.h
+--- old/kex.h
++++ new/kex.h
[email protected]@ -93,6 +93,9 @@ enum kex_exchange {
+ 	KEX_DH_GEX_SHA256,
+ 	KEX_ECDH_SHA2,
+ 	KEX_C25519_SHA256,
++	KEX_GSS_GRP1_SHA1,
++	KEX_GSS_GRP14_SHA1,
++	KEX_GSS_GEX_SHA1,
+ 	KEX_MAX
+ };
+ 
[email protected]@ -139,6 +142,10 @@ struct kex {
+ 	u_int	flags;
+ 	int	hash_alg;
+ 	int	ec_nid;
++#ifdef GSSAPI
++	int	gss_deleg_creds;
++	char    *gss_host;
++#endif
+ 	char	*client_version_string;
+ 	char	*server_version_string;
+ 	char	*failed_choice;
[email protected]@ -186,6 +193,10 @@ int	 kexecdh_client(struct ssh *);
+ int	 kexecdh_server(struct ssh *);
+ int	 kexc25519_client(struct ssh *);
+ int	 kexc25519_server(struct ssh *);
++#ifdef GSSAPI
++int	 kexgss_client(struct ssh *);
++int	 kexgss_server(struct ssh *);
++#endif
+ 
+ int	 kex_dh_hash(const char *, const char *,
+     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c
++++ new/monitor.c
[email protected]@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
+ int mm_answer_gss_accept_ctx(int, Buffer *);
+ int mm_answer_gss_userok(int, Buffer *);
+ int mm_answer_gss_checkmic(int, Buffer *);
++int mm_answer_gss_sign(int, Buffer *);
+ #endif
+ 
+ #ifdef SSH_AUDIT_EVENTS
[email protected]@ -244,11 +245,17 @@ struct mon_table mon_dispatch_proto20[]
+     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
++    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ #endif
+     {0, 0, NULL}
+ };
+ 
+ struct mon_table mon_dispatch_postauth20[] = {
++#ifdef GSSAPI
++    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
++    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
++    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
++#endif
+ #ifdef WITH_OPENSSL
+     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+ #endif
[email protected]@ -363,6 +370,10 @@ monitor_child_preauth(Authctxt *_authctx
+ 		/* Permit requests for moduli and signatures */
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
++#ifdef GSSAPI
++		/* and for the GSSAPI key exchange */
++		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++#endif
+ 	} else {
+ 		mon_dispatch = mon_dispatch_proto15;
+ 
[email protected]@ -502,6 +513,10 @@ monitor_child_postauth(struct monitor *p
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
++#ifdef GSSAPI
++		/* and for the GSSAPI key exchange */
++		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
++#endif		
+ 	} else {
+ 		mon_dispatch = mon_dispatch_postauth15;
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
[email protected]@ -1927,6 +1942,13 @@ monitor_apply_keystate(struct monitor *p
+ # endif
+ #endif /* WITH_OPENSSL */
+ 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#ifdef GSSAPI
++		if (options.gss_keyex) {
++			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
++			kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
++			kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
++		}
++#endif
+ 		kex->load_host_public_key=&get_hostkey_public_by_type;
+ 		kex->load_host_private_key=&get_hostkey_private_by_type;
+ 		kex->host_key_index=&get_hostkey_index;
[email protected]@ -2026,6 +2048,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+ 	OM_uint32 major;
+ 	u_int len;
+ 
++	if (!options.gss_authentication && !options.gss_keyex)
++		fatal("In GSSAPI monitor when GSSAPI is disabled");
++
+ 	goid.elements = buffer_get_string(m, &len);
+ 	goid.length = len;
+ 
[email protected]@ -2053,6 +2078,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+ 	OM_uint32 flags = 0; /* GSI needs this */
+ 	u_int len;
+ 
++	if (!options.gss_authentication && !options.gss_keyex)
++		fatal("In GSSAPI monitor when GSSAPI is disabled");
++
+ 	in.value = buffer_get_string(m, &len);
+ 	in.length = len;
+ 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
[email protected]@ -2070,6 +2098,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
++		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
+ 	}
+ 	return (0);
+ }
[email protected]@ -2081,6 +2110,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+ 	OM_uint32 ret;
+ 	u_int len;
+ 
++	if (!options.gss_authentication && !options.gss_keyex)
++		fatal("In GSSAPI monitor when GSSAPI is disabled");
++
+ 	gssbuf.value = buffer_get_string(m, &len);
+ 	gssbuf.length = len;
+ 	mic.value = buffer_get_string(m, &len);
[email protected]@ -2107,6 +2139,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+ {
+ 	int authenticated;
+ 
++	if (!options.gss_authentication && !options.gss_keyex)
++		fatal("In GSSAPI monitor when GSSAPI is disabled");
++
+ 	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ 
+ 	buffer_clear(m);
[email protected]@ -2120,5 +2155,47 @@ mm_answer_gss_userok(int sock, Buffer *m
+ 	/* Monitor loop will terminate if authenticated */
+ 	return (authenticated);
+ }
++
++int 
++mm_answer_gss_sign(int socket, Buffer *m)
++{
++	gss_buffer_desc data;
++	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
++	OM_uint32 major, minor;
++	u_int len;
++
++	if (!options.gss_authentication && !options.gss_keyex)
++		fatal("In GSSAPI monitor when GSSAPI is disabled");
++
++	data.value = buffer_get_string(m, &len);
++	data.length = len;
++	if (data.length != 20) 
++		fatal("%s: data length incorrect: %d", __func__, 
++		    (int) data.length);
++
++	/* Save the session ID on the first time around */
++	if (session_id2_len == 0) {
++		session_id2_len = data.length;
++		session_id2 = xmalloc(session_id2_len);
++		memcpy(session_id2, data.value, session_id2_len);
++	}
++	major = ssh_gssapi_sign(gsscontext, &data, &hash);
++
++	free(data.value);
++
++	buffer_clear(m);
++	buffer_put_int(m, major);
++	buffer_put_string(m, hash.value, hash.length);
++
++	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
++
++	gss_release_buffer(&minor, &hash);
++
++	/* Turn on getpwnam permissions */
++	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
++
++	return (0);
++}
++
+ #endif /* GSSAPI */
+ 
+diff -pur old/monitor.h new/monitor.h
+--- old/monitor.h
++++ new/monitor.h
[email protected]@ -68,6 +68,9 @@ enum monitor_reqtype {
+ #ifdef PAM_ENHANCEMENT
+         MONITOR_REQ_AUTHMETHOD = 114,
+ #endif        
++#ifdef GSSAPI
++	MONITOR_REQ_GSSSIGN = 130, MONITOR_ANS_GSSSIGN = 131,
++#endif        
+ };
+ 
+ struct mm_master;
+diff -pur old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c
++++ new/monitor_wrap.c
[email protected]@ -1103,5 +1103,28 @@ mm_ssh_gssapi_userok(char *user)
+ 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
+ 	return (authenticated);
+ }
++
++OM_uint32
++mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
++{
++	Buffer m;
++	OM_uint32 major;
++	u_int len;
++
++	buffer_init(&m);
++	buffer_put_string(&m, data->value, data->length);
++
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
++
++	major = buffer_get_int(&m);
++	hash->value = buffer_get_string(&m, &len);
++	hash->length = len;
++
++	buffer_free(&m);
++
++	return(major);
++}
++
+ #endif /* GSSAPI */
+ 
+diff -pur old/monitor_wrap.h new/monitor_wrap.h
+--- old/monitor_wrap.h
++++ new/monitor_wrap.h
[email protected]@ -60,6 +60,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
+    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
+ int mm_ssh_gssapi_userok(char *user);
+ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
++OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ #endif
+ 
+ #ifdef USE_PAM
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c
++++ new/readconf.c
[email protected]@ -147,6 +147,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssKeyEx,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
[email protected]@ -198,11 +199,15 @@ static struct {
+ 	{ "gssauthentication", oGssAuthentication },                /* alias */
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+ 	{ "gssdelegatecreds", oGssDelegateCreds },                  /* alias */
++	{ "gssapikeyexchange", oGssKeyEx },
++	{ "gsskeyex", oGssKeyEx },                                  /* alias */
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
+ 	{ "gssdelegatecreds", oUnsupported },
++	{ "gssapikeyexchange", oUnsupported },
++	{ "gsskeyex", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
[email protected]@ -933,6 +938,10 @@ parse_time:
+ 		intptr = &options->gss_authentication;
+ 		goto parse_flag;
+ 
++	case oGssKeyEx:
++		intptr = &options->gss_keyex;
++		goto parse_flag;
++
+ 	case oGssDelegateCreds:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
[email protected]@ -1647,6 +1656,7 @@ initialize_options(Options * options)
+ 	options->pubkey_authentication = -1;
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
++	options->gss_keyex = -1;
+ 	options->gss_deleg_creds = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
[email protected]@ -1786,6 +1796,12 @@ fill_default_options(Options * options)
+ #else
+ 		options->gss_authentication = 0;
+ #endif
++	if (options->gss_keyex == -1)
++#ifdef OPTION_DEFAULT_VALUE
++		options->gss_keyex = 1;
++#else
++		options->gss_keyex = 0;
++#endif
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
+ 	if (options->password_authentication == -1)
+diff -pur old/readconf.h new/readconf.h
+--- old/readconf.h
++++ new/readconf.h
[email protected]@ -45,6 +45,7 @@ typedef struct {
+ 	int     challenge_response_authentication;
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
++	int     gss_keyex;		/* Try GSS key exchange */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
+ 	options->kerberos_ticket_cleanup = -1;
+ 	options->kerberos_get_afs_token = -1;
+ 	options->gss_authentication=-1;
++	options->gss_keyex = -1;
+ 	options->gss_cleanup_creds = -1;
+ 	options->gss_strict_acceptor = -1;
+ 	options->password_authentication = -1;
[email protected]@ -300,6 +301,12 @@ fill_default_server_options(ServerOption
+ #else
+ 		options->gss_authentication = 0;
+ #endif
++	if (options->gss_keyex == -1)
++#ifdef OPTION_DEFAULT_VALUE
++		options->gss_keyex = 1;
++#else
++		options->gss_keyex = 0;
++#endif
+ 	if (options->gss_cleanup_creds == -1)
+ 		options->gss_cleanup_creds = 1;
+ 	if (options->gss_strict_acceptor == -1)
[email protected]@ -442,6 +449,7 @@ typedef enum {
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostKeyAlgorithms,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
++	sGssKeyEx,
+ 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ 	sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
[email protected]@ -519,6 +527,8 @@ static struct {
+ #ifdef GSSAPI
+ 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ 	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
++	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL },
++	{ "gsskeyex", sGssKeyEx, SSHCFG_ALL },                     /* alias */
+ #ifdef USE_GSS_STORE_CRED
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ #else /* USE_GSS_STORE_CRED */
[email protected]@ -528,6 +538,8 @@ static struct {
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */
++	{ "gssapikeyexchange", sUnsupported,, SSHCFG_ALL },
++	{ "gsskeyex", sUnsupported,, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ #endif
[email protected]@ -1311,6 +1323,10 @@ process_server_config_line(ServerOptions
+ 		intptr = &options->gss_authentication;
+ 		goto parse_flag;
+ 
++	case sGssKeyEx:
++		intptr = &options->gss_keyex;
++		goto parse_flag;
++
+ 	case sGssCleanupCreds:
+ 		intptr = &options->gss_cleanup_creds;
+ 		goto parse_flag;
[email protected]@ -2357,6 +2373,7 @@ dump_config(ServerOptions *o)
+ #endif
+ #ifdef GSSAPI
+ 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ #ifndef USE_GSS_STORE_CRED
+ 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ #endif /* !USE_GSS_STORE_CRED */
+diff -pur old/servconf.h new/servconf.h
+--- old/servconf.h
++++ new/servconf.h
[email protected]@ -122,6 +122,7 @@ typedef struct {
+ 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
+ 						 * authenticated with Kerberos. */
+ 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
++	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
+ 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+ 	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
+ 	int     password_authentication;	/* If true, permit password
+diff -pur old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h
++++ new/ssh-gss.h
[email protected]@ -61,6 +61,17 @@
+ 
+ #define SSH_GSS_OIDTYPE 0x06
+ 
++#define SSH2_MSG_KEXGSS_INIT                            30
++#define SSH2_MSG_KEXGSS_CONTINUE                        31
++#define SSH2_MSG_KEXGSS_COMPLETE                        32
++#define SSH2_MSG_KEXGSS_HOSTKEY                         33
++#define SSH2_MSG_KEXGSS_ERROR                           34
++#define SSH2_MSG_KEXGSS_GROUPREQ			40
++#define SSH2_MSG_KEXGSS_GROUP				41
++#define KEX_GSS_GRP1_SHA1_ID				"gss-group1-sha1-"
++#define KEX_GSS_GRP14_SHA1_ID				"gss-group14-sha1-"
++#define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
++
+ typedef struct {
+ 	char *filename;
+ 	char *envvar;
[email protected]@ -98,6 +109,7 @@ typedef struct {
+ } Gssctxt;
+ 
+ extern ssh_gssapi_mech *supported_mechs[];
++extern Gssctxt *gss_kex_context;
+ 
+ int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
+ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
[email protected]@ -122,6 +134,11 @@ void ssh_gssapi_buildmic(Buffer *, const
+ int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+ 
+ /* In the server */
++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *);
++char *ssh_gssapi_client_mechanisms(const char *host);
++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *);
++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+ int ssh_gssapi_userok(char *name);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
[email protected]@ -129,6 +146,8 @@ void ssh_gssapi_do_child(char ***, u_int
+ void ssh_gssapi_cleanup_creds(void);
+ void ssh_gssapi_storecreds(void);
+ 
++char *ssh_gssapi_server_mechanisms(void);
++int ssh_gssapi_oid_table_ok();
+ #endif /* GSSAPI */
+ 
+ #endif /* _SSH_GSS_H */
+diff -pur old/ssh_config new/ssh_config
+--- old/ssh_config
++++ new/ssh_config
[email protected]@ -26,6 +26,7 @@
+ #   HostbasedAuthentication no
+ #   GSSAPIAuthentication no
+ #   GSSAPIDelegateCredentials no
++#   GSSAPIKeyExchange yes
+ #   BatchMode no
+ #   CheckHostIP yes
+ #   AddressFamily any
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5
++++ new/ssh_config.5
[email protected]@ -757,6 +757,12 @@ Specifies whether user authentication ba
+ The default on Solaris is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIKeyExchange
++Specifies whether key exchange based on GSSAPI may be used. When using
++GSSAPI key exchange the server need not have a host key.
++The default on Solaris is
++.Dq yes .
++Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server.
+ The default is
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c
++++ new/sshconnect2.c
[email protected]@ -163,12 +163,37 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ 	struct kex *kex;
+ 	int r;
++#ifdef GSSAPI
++	char *orig = NULL, *gss = NULL;
++	char *gss_host = NULL;
++#endif
++
+ 
+ 	xxx_host = host;
+ 	xxx_hostaddr = hostaddr;
+ 
++	if (options.kex_algorithms != NULL)
++		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++
++#ifdef GSSAPI
++	if (options.gss_keyex) {
++		/* Add the GSSAPI mechanisms currently supported on this 
++		 * client to the key exchange algorithm proposal */
++		orig = myproposal[PROPOSAL_KEX_ALGS];
++
++		gss_host = (char *)get_canonical_hostname(1);
++
++		gss = ssh_gssapi_client_mechanisms(gss_host);
++		if (gss) {
++			debug("Offering GSSAPI proposal: %s", gss);
++			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
++			    "%s,%s", gss, orig);
++		}
++	}
++#endif
++
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+-	    options.kex_algorithms);
++	    myproposal[PROPOSAL_KEX_ALGS]);
+ 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ 	    compat_cipher_proposal(options.ciphers);
+ 	myproposal[PROPOSAL_ENC_ALGS_STOC] =
[email protected]@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 		    order_hostkeyalgs(host, hostaddr, port));
+ 	}
+ 
++#ifdef GSSAPI
++	/* If we've got GSSAPI algorithms, then we also support the
++	 * 'null' hostkey, as a last resort */
++	if (options.gss_keyex && gss) {
++		orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
++		xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
++		    "%s,null", orig);
++		free(gss);
++	}
++#endif
++
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
[email protected]@ -215,9 +251,22 @@ ssh_kex2(char *host, struct sockaddr *ho
+ # endif
+ #endif
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#ifdef GSSAPI
++	if (options.gss_keyex) {
++		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
++		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
++		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
++	}
++#endif
+ 	kex->client_version_string=client_version_string;
+ 	kex->server_version_string=server_version_string;
+ 	kex->verify_host_key=&verify_host_key_callback;
++#ifdef GSSAPI
++	if (options.gss_keyex) {
++		kex->gss_deleg_creds = options.gss_deleg_creds;
++		kex->gss_host = gss_host;
++	}
++#endif
+ 
+ 	dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
+ 
[email protected]@ -310,6 +359,7 @@ int	input_gssapi_token(int type, u_int32
+ int	input_gssapi_hash(int type, u_int32_t, void *);
+ int	input_gssapi_error(int, u_int32_t, void *);
+ int	input_gssapi_errtok(int, u_int32_t, void *);
++int	userauth_gsskeyex(Authctxt *authctxt);
+ #endif
+ 
+ void	userauth(Authctxt *, char *);
[email protected]@ -325,6 +375,11 @@ static char *authmethods_get(void);
+ 
+ Authmethod authmethods[] = {
+ #ifdef GSSAPI
++	{"gssapi-keyex",
++		userauth_gsskeyex,
++		NULL,
++		&options.gss_authentication,
++		NULL},
+ 	{"gssapi-with-mic",
+ 		userauth_gssapi,
+ 		NULL,
[email protected]@ -649,7 +704,10 @@ userauth_gssapi(Authctxt *authctxt)
+ 	 * once. */
+ 
+ 	if (gss_supported == NULL)
+-		gss_indicate_mechs(&min, &gss_supported);
++		if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
++			gss_supported = NULL;
++			return 0;
++		}
+ 
+ 	/* Check to see if the mechanism is usable before we offer it */
+ 	while (mech < gss_supported->count && !ok) {
[email protected]@ -753,8 +811,8 @@ input_gssapi_response(int type, u_int32_
+ {
+ 	Authctxt *authctxt = ctxt;
+ 	Gssctxt *gssctxt;
+-	int oidlen;
+-	char *oidv;
++	u_int oidlen;
++	u_char *oidv;
+ 
+ 	if (authctxt == NULL)
+ 		fatal("input_gssapi_response: no authentication context");
[email protected]@ -867,6 +925,48 @@ input_gssapi_error(int type, u_int32_t p
+ 	free(lang);
+ 	return 0;
+ }
++
++int
++userauth_gsskeyex(Authctxt *authctxt)
++{
++	Buffer b;
++	gss_buffer_desc gssbuf;
++	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
++	OM_uint32 ms;
++
++	static int attempt = 0;
++	if (attempt++ >= 1)
++		return (0);
++
++	if (gss_kex_context == NULL) {
++		debug("No valid Key exchange context"); 
++		return (0);
++	}
++
++	ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
++	    "gssapi-keyex");
++
++	gssbuf.value = buffer_ptr(&b);
++	gssbuf.length = buffer_len(&b);
++
++	if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
++		buffer_free(&b);
++		return (0);
++	}
++
++	packet_start(SSH2_MSG_USERAUTH_REQUEST);
++	packet_put_cstring(authctxt->server_user);
++	packet_put_cstring(authctxt->service);
++	packet_put_cstring(authctxt->method->name);
++	packet_put_string(mic.value, mic.length);
++	packet_send();
++
++	buffer_free(&b);
++	gss_release_buffer(&ms, &mic);
++
++	return (1);
++}
++
+ #endif /* GSSAPI */
+ 
+ int
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
[email protected]@ -1827,10 +1827,13 @@ main(int ac, char **av)
+ 		logit("Disabling protocol version 1. Could not load host key");
+ 		options.protocol &= ~SSH_PROTO_1;
+ 	}
++#ifndef GSSAPI
++	/* The GSSAPI key exchange can run without a host key */
+ 	if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
+ 		logit("Disabling protocol version 2. Could not load host key");
+ 		options.protocol &= ~SSH_PROTO_2;
+ 	}
++#endif
+ 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
+ 		logit("sshd: no hostkeys available -- exiting.");
+ 		exit(1);
[email protected]@ -2588,6 +2591,48 @@ do_ssh2_kex(void)
+ 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+ 	    list_hostkey_types());
+ 
++#ifdef GSSAPI
++	{
++	char *orig;
++	char *gss = NULL;
++	char *newstr = NULL;
++	orig = myproposal[PROPOSAL_KEX_ALGS];
++
++	/* 
++	 * If we don't have a host key, then there's no point advertising
++	 * the other key exchange algorithms
++	 */
++
++	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
++		orig = NULL;
++
++	if (options.gss_keyex)
++		gss = ssh_gssapi_server_mechanisms();
++	else
++		gss = NULL;
++
++	if (gss && orig)
++		xasprintf(&newstr, "%s,%s", gss, orig);
++	else if (gss)
++		newstr = gss;
++	else if (orig)
++		newstr = orig;
++
++	/* 
++	 * If we've got GSSAPI mechanisms, then we've got the 'null' host
++	 * key alg, but we can't tell people about it unless its the only
++  	 * host key algorithm we support
++	 */
++	if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
++		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
++
++	if (newstr)
++		myproposal[PROPOSAL_KEX_ALGS] = newstr;
++	else
++		fatal("No supported key exchange algorithms");
++	}
++#endif
++
+ 	/* start key exchange */
+ 	if ((r = kex_setup(active_state, myproposal)) != 0)
+ 		fatal("kex_setup: %s", ssh_err(r));
[email protected]@ -2602,6 +2647,13 @@ do_ssh2_kex(void)
+ # endif
+ #endif
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
++#ifdef GSSAPI
++	if (options.gss_keyex) {
++		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
++		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
++		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
++	}
++#endif
+ 	kex->server = 1;
+ 	kex->client_version_string=client_version_string;
+ 	kex->server_version_string=server_version_string;
+diff -pur old/sshd_config new/sshd_config
+--- old/sshd_config
++++ new/sshd_config
[email protected]@ -82,8 +82,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
+ #KerberosGetAFSToken no
+ 
+ # GSSAPI options
+-#GSSAPIAuthentication no
++#GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
++#GSSAPIKeyExchange yes
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
[email protected]@ -621,6 +621,12 @@ Specifies whether user authentication ba
+ The default on Solaris is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIKeyExchange
++Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
++doesn't rely on ssh keys to verify host identity.
++The default on Solaris is
++.Dq yes .
++Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPICleanupCredentials
+ Specifies whether to automatically destroy the user's credentials cache
+ on logout.
+diff -pur old/sshkey.c new/sshkey.c
+--- old/sshkey.c
++++ new/sshkey.c
[email protected]@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
+ #  endif /* OPENSSL_HAS_NISTP521 */
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++	{ "null", "null", KEY_NULL, 0, 0 },
+ 	{ NULL, NULL, -1, -1, 0 }
+ };
+ 
+diff -pur old/sshkey.h new/sshkey.h
+--- old/sshkey.h
++++ new/sshkey.h
[email protected]@ -62,6 +62,7 @@ enum sshkey_types {
+ 	KEY_DSA_CERT,
+ 	KEY_ECDSA_CERT,
+ 	KEY_ED25519_CERT,
++	KEY_NULL,
+ 	KEY_UNSPEC
+ };
+ 
--- a/components/openssh/patches/024-disable_ed25519.patch	Thu Jan 14 09:14:14 2016 +0100
+++ b/components/openssh/patches/024-disable_ed25519.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -1,8 +1,15 @@
+#
+# Per Solaris crypto team recommendation, we need to remove support for
+# Curve25519 from OpenSSH.
+#
+# Patch offered upstream but rejected:
+#     https://bugzilla.mindrot.org/show_bug.cgi?id=2376
+#
 diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in	2015-04-10 02:43:51.101312444 -0700
-+++ new/Makefile.in	2015-04-10 02:43:51.156820521 -0700
[email protected]@ -138,7 +138,7 @@ $(SSHDOBJS): Makefile.in config.h
- 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+--- old/Makefile.in	2015-12-07 15:58:19.591097920 -0800
++++ new/Makefile.in	2015-12-07 16:05:02.810457680 -0800
[email protected]@ -153,7 +153,7 @@ $(SSHDOBJS): Makefile.in config.h
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o [email protected]
  
  LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
 -$(LIBCOMPAT): always
@@ -10,14 +17,13 @@
  	(cd openbsd-compat && $(MAKE))
  always:
  
-Only in new: Makefile.in.orig
 diff -pur old/authfd.c new/authfd.c
---- old/authfd.c	2013-12-28 22:49:56.000000000 -0800
-+++ new/authfd.c	2015-04-10 02:43:51.157515880 -0700
[email protected]@ -508,8 +508,10 @@ ssh_add_identity_constrained(Authenticat
- 	case KEY_DSA_CERT_V00:
+--- old/authfd.c
++++ new/authfd.c
[email protected]@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s
  	case KEY_ECDSA:
  	case KEY_ECDSA_CERT:
+ #endif
 +#ifndef WITHOUT_ED25519
  	case KEY_ED25519:
  	case KEY_ED25519_CERT:
@@ -26,127 +32,117 @@
  		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
  		    SSH2_AGENTC_ADD_IDENTITY;
 diff -pur old/authfile.c new/authfile.c
---- old/authfile.c	2013-12-28 22:50:15.000000000 -0800
-+++ new/authfile.c	2015-04-10 02:43:51.158405633 -0700
[email protected]@ -597,9 +597,11 @@ key_private_to_blob(Key *key, Buffer *bl
- 			    comment, new_format_cipher, new_format_rounds);
- 		}
- 		return key_private_pem_to_blob(key, blob, passphrase, comment);
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		return key_private_to_blob2(key, blob, passphrase,
- 		    comment, new_format_cipher, new_format_rounds);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("%s: cannot save key type %d", __func__, key->type);
- 		return 0;
[email protected]@ -1005,8 +1007,10 @@ key_parse_private_type(Buffer *blob, int
- 	case KEY_ECDSA:
- 	case KEY_RSA:
- 		return key_parse_private_pem(blob, type, passphrase, commentp);
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		return key_parse_private2(blob, type, passphrase, commentp);
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		if ((k = key_parse_private2(blob, type, passphrase, commentp)))
- 			return k;
[email protected]@ -1213,7 +1217,9 @@ key_load_private_cert(int type, const ch
- 	case KEY_RSA:
+--- old/authfile.c
++++ new/authfile.c
[email protected]@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const
  	case KEY_DSA:
  	case KEY_ECDSA:
+ #endif /* WITH_OPENSSL */
 +#ifndef WITHOUT_ED25519
  	case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
  		break;
  	default:
- 		error("%s: unsupported key type", __func__);
-diff -pur old/crypto_api.h new/crypto_api.h
---- old/crypto_api.h	2014-01-16 17:31:34.000000000 -0800
-+++ new/crypto_api.h	2015-04-10 02:43:51.158673341 -0700
[email protected]@ -26,7 +26,7 @@ int	crypto_hashblocks_sha512(unsigned ch
- 
- #define crypto_hash_sha512_BYTES 64U
+diff -pur old/dns.c new/dns.c
+--- old/dns.c
++++ new/dns.c
[email protected]@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8
+ 		if (!*digest_type)
+ 			*digest_type = SSHFP_HASH_SHA256;
+ 		break;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		*algorithm = SSHFP_KEY_ED25519;
+ 		if (!*digest_type)
+ 			*digest_type = SSHFP_HASH_SHA256;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
+ 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
+diff -pur old/dns.h new/dns.h
+--- old/dns.h
++++ new/dns.h
[email protected]@ -33,7 +33,9 @@ enum sshfp_types {
+ 	SSHFP_KEY_RSA = 1,
+ 	SSHFP_KEY_DSA = 2,
+ 	SSHFP_KEY_ECDSA = 3,
+-	SSHFP_KEY_ED25519 = 4
++#ifndef WITHOUT_ED25519
++ 	SSHFP_KEY_ED25519 = 4 
++#endif /* WITHOUT_ED25519 */
+ };
  
--int	crypto_hash_sha512(unsigned char *, const unsigned char *,
-+extern int	crypto_hash_sha512(unsigned char *, const unsigned char *,
-     unsigned long long);
- 
- int	crypto_verify_32(const unsigned char *, const unsigned char *);
+ enum sshfp_hashes {
 diff -pur old/ed25519.c new/ed25519.c
---- old/ed25519.c	2013-12-17 22:48:11.000000000 -0800
-+++ new/ed25519.c	2015-04-10 02:43:51.158974499 -0700
[email protected]@ -6,6 +6,8 @@
-  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
+--- old/ed25519.c
++++ new/ed25519.c
[email protected]@ -7,6 +7,7 @@
   */
  
+ #include "includes.h"
 +#ifndef WITHOUT_ED25519
-+
- #include "includes.h"
  #include "crypto_api.h"
  
[email protected]@ -142,3 +144,4 @@ int crypto_sign_ed25519_open(
+ #include "ge25519.h"
[email protected]@ -142,3 +143,4 @@ int crypto_sign_ed25519_open(
    }
    return ret;
  }
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/fe25519.c new/fe25519.c
---- old/fe25519.c	2014-01-16 17:43:44.000000000 -0800
-+++ new/fe25519.c	2015-04-10 02:43:51.159348136 -0700
[email protected]@ -6,6 +6,8 @@
-  * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
-  */
+--- old/fe25519.c
++++ new/fe25519.c
[email protected]@ -8,6 +8,7 @@
+ 
+ #include "includes.h"
  
 +#ifndef WITHOUT_ED25519
-+
- #include "includes.h"
+ #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
+ #define WINDOWMASK ((1<<WINDOWSIZE)-1)
  
- #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
[email protected]@ -335,3 +337,5 @@ void fe25519_pow2523(fe25519 *r, const f
[email protected]@ -335,3 +336,4 @@ void fe25519_pow2523(fe25519 *r, const f
  	/* 2^252 - 2^2 */ fe25519_square(&t,&t);
  	/* 2^252 - 3 */ fe25519_mul(r,&t,x);
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/fe25519.h new/fe25519.h
---- old/fe25519.h	2013-12-17 22:48:11.000000000 -0800
-+++ new/fe25519.h	2015-04-10 02:43:51.159633614 -0700
[email protected]@ -9,6 +9,8 @@
+--- old/fe25519.h
++++ new/fe25519.h
[email protected]@ -8,6 +8,7 @@
+ 
  #ifndef FE25519_H
  #define FE25519_H
++#ifndef WITHOUT_ED25519
  
-+#ifndef WITHOUT_ED25519
-+
  #include "crypto_api.h"
  
- #define fe25519              crypto_sign_ed25519_ref_fe25519
[email protected]@ -67,4 +69,5 @@ void fe25519_invert(fe25519 *r, const fe
[email protected]@ -67,4 +68,5 @@ void fe25519_invert(fe25519 *r, const fe
  
  void fe25519_pow2523(fe25519 *r, const fe25519 *x);
  
 +#endif /* WITHOUT_ED25519 */
  #endif
 diff -pur old/ge25519.c new/ge25519.c
---- old/ge25519.c	2014-01-16 17:43:44.000000000 -0800
-+++ new/ge25519.c	2015-04-10 02:43:51.160002884 -0700
[email protected]@ -6,6 +6,8 @@
-  * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
+--- old/ge25519.c
++++ new/ge25519.c
[email protected]@ -7,6 +7,7 @@
   */
  
+ #include "includes.h"
 +#ifndef WITHOUT_ED25519
-+
- #include "includes.h"
  
  #include "fe25519.h"
[email protected]@ -319,3 +321,5 @@ void ge25519_scalarmult_base(ge25519_p3 
+ #include "sc25519.h"
[email protected]@ -319,3 +320,4 @@ void ge25519_scalarmult_base(ge25519_p3
      ge25519_mixadd2(r, &t);
    }
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ge25519.h new/ge25519.h
---- old/ge25519.h	2013-12-17 22:48:11.000000000 -0800
-+++ new/ge25519.h	2015-04-10 02:43:51.160283095 -0700
+--- old/ge25519.h
++++ new/ge25519.h
 @@ -8,6 +8,7 @@
  
  #ifndef GE25519_H
@@ -162,22 +158,24 @@
 +#endif /* WITHOUT_ED25519 */
  #endif
 diff -pur old/kex.c new/kex.c
---- old/kex.c	2014-01-25 14:38:04.000000000 -0800
-+++ new/kex.c	2015-04-10 02:43:51.160754653 -0700
[email protected]@ -87,7 +87,7 @@ static const struct kexalg kexalgs[] = {
- # endif
- #endif
- 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
--#ifdef HAVE_EVP_SHA256
-+#if defined(HAVE_EVP_SHA256) && !defined(WITHOUT_ED25519)
+--- old/kex.c
++++ new/kex.c
[email protected]@ -96,9 +96,11 @@ static const struct kexalg kexalgs[] = {
+ # endif /* OPENSSL_HAS_NISTP521 */
+ #endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
  	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
- #endif
- 	{ NULL, -1, -1, -1},
-Only in new: kex.c.orig
+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
++#endif /* WITHOUT_ED25519 */
+ #ifdef GSSAPI
+ 	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ 	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
 diff -pur old/kex.h new/kex.h
---- old/kex.h	2014-01-25 14:37:26.000000000 -0800
-+++ new/kex.h	2015-04-10 02:47:29.726358404 -0700
[email protected]@ -43,7 +43,9 @@
+--- old/kex.h
++++ new/kex.h
[email protected]@ -58,13 +58,17 @@
  #define	KEX_ECDH_SHA2_NISTP256	"ecdh-sha2-nistp256"
  #define	KEX_ECDH_SHA2_NISTP384	"ecdh-sha2-nistp384"
  #define	KEX_ECDH_SHA2_NISTP521	"ecdh-sha2-nistp521"
@@ -187,584 +185,190 @@
  
  #define COMP_NONE	0
  #define COMP_ZLIB	1
[email protected]@ -75,7 +77,9 @@ enum kex_exchange {
+ #define COMP_DELAYED	2
+ 
++#ifndef WITHOUT_ED25519
+ #define CURVE25519_SIZE 32
++#endif /* WITHOUT_ED25519 */
+ 
+ enum kex_init_proposals {
+ 	PROPOSAL_KEX_ALGS,
[email protected]@ -92,7 +96,9 @@ enum kex_exchange {
  	KEX_DH_GEX_SHA1,
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
 +#ifndef WITHOUT_ED25519
  	KEX_C25519_SHA256,
 +#endif /* WITHOUT_ED25519 */
- 	KEX_MAX
+ 	KEX_GSS_GRP1_SHA1,
+ 	KEX_GSS_GRP14_SHA1,
+ 	KEX_GSS_GEX_SHA1,
[email protected]@ -161,8 +167,10 @@ struct kex {
+ 	u_int	min, max, nbits;	/* GEX */
+ 	EC_KEY	*ec_client_key;		/* ECDH */
+ 	const EC_GROUP *ec_group;	/* ECDH */
++#ifndef WITHOUT_ED25519
+ 	u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 */
+ 	u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
++#endif /* WITHOUT_ED25519 */
  };
  
[email protected]@ -165,8 +169,10 @@ void	 kexgex_client(Kex *);
- void	 kexgex_server(Kex *);
- void	 kexecdh_client(Kex *);
- void	 kexecdh_server(Kex *);
+ int	 kex_names_valid(const char *);
[email protected]@ -191,8 +199,10 @@ int	 kexgex_client(struct ssh *);
+ int	 kexgex_server(struct ssh *);
+ int	 kexecdh_client(struct ssh *);
+ int	 kexecdh_server(struct ssh *);
 +#ifndef WITHOUT_ED25519
- void	 kexc25519_client(Kex *);
- void	 kexc25519_server(Kex *);
+ int	 kexc25519_client(struct ssh *);
+ int	 kexc25519_server(struct ssh *);
 +#endif /* WITHOUT_ED25519 */
+ #ifdef GSSAPI
+ int	 kexgss_client(struct ssh *);
+ int	 kexgss_server(struct ssh *);
[email protected]@ -213,6 +223,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,
+     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+     const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
  
- void
- kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
[email protected]@ -181,6 +187,7 @@ kex_ecdh_hash(int, const EC_GROUP *, cha
-     char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
-     const BIGNUM *, u_char **, u_int *);
- #endif
 +#ifndef WITHOUT_ED25519
- void
- kex_c25519_hash(int, char *, char *, char *, int,
-     char *, int, u_char *, int, const u_char *, const u_char *,
[email protected]@ -194,6 +201,7 @@ void kexc25519_shared_key(const u_char k
-     const u_char pub[CURVE25519_SIZE], Buffer *out)
+ int	 kex_c25519_hash(int, const char *, const char *, const char *, size_t,
+     const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,
+     const u_char *, size_t, u_char *, size_t *);
[email protected]@ -224,6 +235,7 @@ int	kexc25519_shared_key(const u_char ke
+     const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
  	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
  	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
 +#endif /* WITHOUT_ED25519 */
  
- void
+ int
  derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
-Only in new: kex.h.orig
-Only in new: kex.h.rej
 diff -pur old/kexc25519.c new/kexc25519.c
---- old/kexc25519.c	2014-01-12 00:21:23.000000000 -0800
-+++ new/kexc25519.c	2015-04-10 02:43:51.161993727 -0700
[email protected]@ -25,6 +25,8 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
+--- old/kexc25519.c
++++ new/kexc25519.c
[email protected]@ -27,6 +27,7 @@
+ 
+ #include "includes.h"
  
 +#ifndef WITHOUT_ED25519
-+
- #include "includes.h"
+ #include <sys/types.h>
  
- #include <sys/types.h>
[email protected]@ -120,3 +122,5 @@ kex_c25519_hash(
- 	*hash = digest;
- 	*hashlen = ssh_digest_bytes(hash_alg);
+ #include <signal.h>
[email protected]@ -131,3 +132,4 @@ kex_c25519_hash(
+ #endif
+ 	return 0;
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/kexc25519c.c new/kexc25519c.c
---- old/kexc25519c.c	2014-01-12 00:21:23.000000000 -0800
-+++ new/kexc25519c.c	2015-04-10 02:43:51.162319004 -0700
[email protected]@ -25,6 +25,8 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
+--- old/kexc25519c.c
++++ new/kexc25519c.c
[email protected]@ -27,6 +27,7 @@
  
-+#ifndef WITHOUT_ED25519
-+
  #include "includes.h"
  
++#ifndef WITHOUT_ED25519
  #include <sys/types.h>
[email protected]@ -127,3 +129,5 @@ kexc25519_client(Kex *kex)
- 	buffer_free(&shared_secret);
- 	kex_finish(kex);
+ 
+ #include <stdio.h>
[email protected]@ -168,3 +169,4 @@ out:
+ 	sshbuf_free(shared_secret);
+ 	return r;
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/kexc25519s.c new/kexc25519s.c
---- old/kexc25519s.c	2014-01-12 00:21:23.000000000 -0800
-+++ new/kexc25519s.c	2015-04-10 02:43:51.162628310 -0700
[email protected]@ -24,6 +24,8 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
+--- old/kexc25519s.c
++++ new/kexc25519s.c
[email protected]@ -26,6 +26,8 @@
+ 
+ #include "includes.h"
  
 +#ifndef WITHOUT_ED25519
 +
- #include "includes.h"
- 
  #include <sys/types.h>
[email protected]@ -124,3 +126,5 @@ kexc25519_server(Kex *kex)
- 	buffer_free(&shared_secret);
- 	kex_finish(kex);
+ #include <stdio.h>
+ #include <string.h>
[email protected]@ -157,3 +159,4 @@ out:
+ 	sshbuf_free(shared_secret);
+ 	return r;
  }
-+
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/key.c new/key.c
---- old/key.c	2014-01-09 15:58:53.000000000 -0800
-+++ new/key.c	2015-04-10 02:48:40.602200617 -0700
[email protected]@ -89,8 +89,10 @@ key_new(int type)
- 	k->dsa = NULL;
- 	k->rsa = NULL;
- 	k->cert = NULL;
-+#ifndef WITHOUT_ED25519
- 	k->ed25519_sk = NULL;
- 	k->ed25519_pk = NULL;
-+#endif /* WITHOUT_ED25519 */
- 	switch (k->type) {
- 	case KEY_RSA1:
- 	case KEY_RSA:
[email protected]@ -125,10 +127,12 @@ key_new(int type)
- 		/* Cannot do anything until we know the group */
- 		break;
- #endif
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		/* no need to prealloc */
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -173,10 +177,12 @@ key_add_private(Key *k)
- 	case KEY_ECDSA_CERT:
- 		/* Cannot do anything until we know the group */
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		/* no need to prealloc */
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -239,6 +245,7 @@ key_free(Key *k)
- 		k->ecdsa = NULL;
- 		break;
- #endif
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		if (k->ed25519_pk) {
[email protected]@ -252,6 +259,7 @@ key_free(Key *k)
- 			k->ed25519_sk = NULL;
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		break;
- 	default:
[email protected]@ -333,10 +341,12 @@ key_equal_public(const Key *a, const Key
- 		BN_CTX_free(bnctx);
- 		return 1;
- #endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
- 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		fatal("key_equal: bad key type %d", a->type);
- 	}
[email protected]@ -392,7 +402,9 @@ key_fingerprint_raw(const Key *k, enum f
- 	case KEY_DSA:
- 	case KEY_ECDSA:
- 	case KEY_RSA:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 		key_to_blob(k, &blob, &len);
- 		break;
- 	case KEY_DSA_CERT_V00:
[email protected]@ -400,7 +412,9 @@ key_fingerprint_raw(const Key *k, enum f
- 	case KEY_DSA_CERT:
- 	case KEY_ECDSA_CERT:
- 	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		/* We want a fingerprint of the _key_ not of the cert */
- 		to_blob(k, &blob, &len, 1);
- 		break;
[email protected]@ -728,13 +742,17 @@ key_read(Key *ret, char **cpp)
- 	case KEY_RSA:
- 	case KEY_DSA:
- 	case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_DSA_CERT_V00:
- 	case KEY_RSA_CERT_V00:
- 	case KEY_DSA_CERT:
- 	case KEY_ECDSA_CERT:
- 	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		space = strchr(cp, ' ');
- 		if (space == NULL) {
- 			debug3("key_read: missing whitespace");
[email protected]@ -836,6 +854,7 @@ key_read(Key *ret, char **cpp)
- #endif
- 		}
- #endif
-+#ifndef WITHOUT_ED25519
- 		if (key_type_plain(ret->type) == KEY_ED25519) {
- 			free(ret->ed25519_pk);
- 			ret->ed25519_pk = k->ed25519_pk;
[email protected]@ -844,6 +863,7 @@ key_read(Key *ret, char **cpp)
- 			/* XXX */
- #endif
- 		}
-+#endif /* WITHOUT_ED25519 */
- 		success = 1;
- /*XXXX*/
- 		key_free(k);
[email protected]@ -907,11 +927,13 @@ key_write(const Key *key, FILE *f)
- 			return 0;
- 		break;
- #endif
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		if (key->ed25519_pk == NULL)
- 			return 0;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_RSA:
- 	case KEY_RSA_CERT_V00:
- 	case KEY_RSA_CERT:
[email protected]@ -959,7 +981,9 @@ static const struct keytype keytypes[] =
- 	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
- 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
- 	{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },
-+#ifndef WITHOUT_ED25519
- 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
-+#endif /* WITHOUT_ED25519 */
- #ifdef OPENSSL_HAS_ECC
- 	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
- 	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
[email protected]@ -983,8 +1007,10 @@ static const struct keytype keytypes[] =
- 	    KEY_RSA_CERT_V00, 0, 1 },
- 	{ "[email protected]", "DSA-CERT-V00",
- 	    KEY_DSA_CERT_V00, 0, 1 },
-+#ifndef WITHOUT_ED25519
- 	{ "[email protected]", "ED25519-CERT",
- 	    KEY_ED25519_CERT, 0, 1 },
-+#endif /* WITHOUT_ED25519 */
- 	{ NULL, NULL, -1, -1, 0 }
- };
- 
[email protected]@ -1096,7 +1122,9 @@ key_type_is_valid_ca(int type)
- 	case KEY_RSA:
- 	case KEY_DSA:
- 	case KEY_ECDSA:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
-+#endif /* WITHOUT_ED25519 */
- 		return 1;
- 	default:
- 		return 0;
[email protected]@ -1116,8 +1144,10 @@ key_size(const Key *k)
- 	case KEY_DSA_CERT_V00:
- 	case KEY_DSA_CERT:
- 		return BN_num_bits(k->dsa->p);
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		return 256;	/* XXX */
-+#endif /* WITHOUT_ED25519 */
- #ifdef OPENSSL_HAS_ECC
- 	case KEY_ECDSA:
- 	case KEY_ECDSA_CERT:
[email protected]@ -1261,11 +1291,13 @@ key_generate(int type, u_int bits)
- 	case KEY_RSA1:
- 		k->rsa = rsa_generate_private_key(bits);
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		k->ed25519_pk = xmalloc(ED25519_PK_SZ);
- 		k->ed25519_sk = xmalloc(ED25519_SK_SZ);
- 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
- 		break;
 +#endif /* WITHOUT_ED25519 */
- 	case KEY_RSA_CERT_V00:
- 	case KEY_DSA_CERT_V00:
- 	case KEY_RSA_CERT:
[email protected]@ -1359,6 +1391,7 @@ key_from_private(const Key *k)
- 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
- 			fatal("key_from_private: BN_copy failed");
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		n = key_new(k->type);
[email protected]@ -1367,6 +1400,7 @@ key_from_private(const Key *k)
- 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		fatal("key_from_private: unknown type %d", k->type);
- 		break;
[email protected]@ -1628,6 +1662,7 @@ key_from_blob2(const u_char *blob, u_int
- #endif
- 		break;
- #endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		(void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
- 		/* FALLTHROUGH */
[email protected]@ -1645,6 +1680,7 @@ key_from_blob2(const u_char *blob, u_int
- 		key->ed25519_pk = pk;
- 		pk = NULL;
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	case KEY_UNSPEC:
- 		key = key_new(type);
- 		break;
[email protected]@ -1699,7 +1735,9 @@ to_blob(const Key *key, u_char **blobp, 
- 	case KEY_DSA_CERT:
- 	case KEY_ECDSA_CERT:
- 	case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- 		/* Use the existing blob */
- 		buffer_append(&b, buffer_ptr(&key->cert->certblob),
- 		    buffer_len(&key->cert->certblob));
[email protected]@ -1727,11 +1765,13 @@ to_blob(const Key *key, u_char **blobp, 
- 		buffer_put_bignum2(&b, key->rsa->e);
- 		buffer_put_bignum2(&b, key->rsa->n);
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		buffer_put_cstring(&b,
- 		    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
- 		buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("key_to_blob: unsupported key type %d", key->type);
- 		buffer_free(&b);
[email protected]@ -1775,9 +1815,11 @@ key_sign(
- 	case KEY_RSA_CERT:
- 	case KEY_RSA:
- 		return ssh_rsa_sign(key, sigp, lenp, data, datalen);
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("key_sign: invalid key type %d", key->type);
- 		return -1;
[email protected]@ -1811,9 +1853,11 @@ key_verify(
- 	case KEY_RSA_CERT:
- 	case KEY_RSA:
- 		return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 	case KEY_ED25519_CERT:
- 		return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("key_verify: invalid key type %d", key->type);
- 		return -1;
[email protected]@ -1833,8 +1877,10 @@ key_demote(const Key *k)
- 	pk->dsa = NULL;
- 	pk->ecdsa = NULL;
- 	pk->rsa = NULL;
-+#ifndef WITHOUT_ED25519
- 	pk->ed25519_pk = NULL;
- 	pk->ed25519_sk = NULL;
-+#endif /* WITHOUT_ED25519 */
- 
- 	switch (k->type) {
- 	case KEY_RSA_CERT_V00:
[email protected]@ -1878,6 +1924,7 @@ key_demote(const Key *k)
- 			fatal("key_demote: EC_KEY_set_public_key failed");
- 		break;
- #endif
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c
++++ new/monitor.c
[email protected]@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p
+ 		kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ # endif
+ #endif /* WITH_OPENSSL */
 +#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		key_cert_copy(k, pk);
- 		/* FALLTHROUGH */
[email protected]@ -1887,6 +1934,7 @@ key_demote(const Key *k)
- 			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
- 		}
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		fatal("key_demote: bad key type %d", k->type);
- 		break;
[email protected]@ -1916,8 +1964,10 @@ key_type_plain(int type)
- 		return KEY_DSA;
- 	case KEY_ECDSA_CERT:
- 		return KEY_ECDSA;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		return KEY_ED25519;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		return type;
- 	}
[email protected]@ -1943,6 +1993,7 @@ key_to_certified(Key *k, int legacy)
- 		k->cert = cert_new();
- 		k->type = KEY_ECDSA_CERT;
- 		return 0;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		if (legacy)
- 			fatal("%s: legacy ED25519 certificates are not "
[email protected]@ -1950,6 +2001,7 @@ key_to_certified(Key *k, int legacy)
- 		k->cert = cert_new();
- 		k->type = KEY_ED25519_CERT;
- 		return 0;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("%s: key has incorrect type %s", __func__, key_type(k));
- 		return -1;
[email protected]@ -2028,10 +2080,12 @@ key_certify(Key *k, Key *ca)
- 		buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
- 		buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519_CERT:
- 		buffer_put_string(&k->cert->certblob,
- 		    k->ed25519_pk, ED25519_PK_SZ);
- 		break;
+ 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#endif /* WITHOUT_ED25519 */
- 	default:
- 		error("%s: key has incorrect type %s", __func__, key_type(k));
- 		buffer_clear(&k->cert->certblob);
[email protected]@ -2449,6 +2503,7 @@ key_private_serialize(const Key *key, Bu
- 		buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
- 		break;
- #endif /* OPENSSL_HAS_ECC */
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
- 		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
[email protected]@ -2461,6 +2516,7 @@ key_private_serialize(const Key *key, Bu
- 		buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
- 		buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	}
- }
- 
[email protected]@ -2575,6 +2631,7 @@ key_private_deserialize(Buffer *blob)
- 		buffer_get_bignum2(blob, k->rsa->p);
- 		buffer_get_bignum2(blob, k->rsa->q);
- 		break;
-+#ifndef WITHOUT_ED25519
- 	case KEY_ED25519:
- 		k = key_new_private(type);
- 		k->ed25519_pk = buffer_get_string(blob, &pklen);
[email protected]@ -2601,6 +2658,7 @@ key_private_deserialize(Buffer *blob)
- 			fatal("%s: ed25519 sklen %d != %d",
- 			    __func__, sklen, ED25519_SK_SZ);
- 		break;
-+#endif /* WITHOUT_ED25519 */
- 	default:
- 		free(type_name);
- 		buffer_clear(blob);
-Only in new: key.c.orig
-Only in new: key.c.rej
-diff -pur old/key.h new/key.h
---- old/key.h	2014-01-09 15:58:53.000000000 -0800
-+++ new/key.h	2015-04-10 02:43:51.166553603 -0700
[email protected]@ -39,11 +39,15 @@ enum types {
- 	KEY_RSA,
- 	KEY_DSA,
- 	KEY_ECDSA,
-+#ifndef WITHOUT_ED25519
- 	KEY_ED25519,
-+#endif /* WITHOUT_ED25519 */
- 	KEY_RSA_CERT,
- 	KEY_DSA_CERT,
- 	KEY_ECDSA_CERT,
-+#ifndef WITHOUT_ED25519
- 	KEY_ED25519_CERT,
-+#endif /* WITHOUT_ED25519 */
- 	KEY_RSA_CERT_V00,
- 	KEY_DSA_CERT_V00,
- 	KEY_UNSPEC
[email protected]@ -88,12 +92,16 @@ struct Key {
- 	void	*ecdsa;
+ #ifdef GSSAPI
+ 		if (options.gss_keyex) {
+ 			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+diff -pur old/myproposal.h new/myproposal.h
+--- old/myproposal.h
++++ new/myproposal.h
[email protected]@ -59,6 +59,20 @@
+ # define HOSTKEY_ECDSA_METHODS
  #endif
- 	struct KeyCert *cert;
-+#ifndef WITHOUT_ED25519
- 	u_char	*ed25519_sk;
- 	u_char	*ed25519_pk;
-+#endif /* WITHOUT_ED25519 */
- };
  
 +#ifndef WITHOUT_ED25519
- #define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
- #define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
-+#endif /* WITHOUT_ED25519 */
- 
- Key		*key_new(int);
- void		 key_add_private(Key *);
[email protected]@ -152,8 +160,10 @@ int	 ssh_ecdsa_sign(const Key *, u_char 
- int	 ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
- int	 ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
- int	 ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-+#ifndef WITHOUT_ED25519
- int	 ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
- int	 ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
++# if defined(WITH_OPENSSL) && defined(HAVE_EVP_SHA256)
++#  define KEX_CURVE25519_METHODS "[email protected],"
++# else
++#  define KEX_CURVE25519_METHODS
++# endif
++# define HOSTKEY_CURVE25519_CERT_METHODS "[email protected],"
++# define HOSTKEY_CURVE25519_METHODS "ssh-ed25519,"
++#else
++# define KEX_CURVE25519_METHODS
++# define HOSTKEY_CURVE25519_CERT_METHODS
++# define HOSTKEY_CURVE25519_METHODS
 +#endif /* WITHOUT_ED25519 */
- 
- #if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
- void	key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
-Only in new: key.h.orig
-diff -pur old/monitor.c new/monitor.c
---- old/monitor.c	2015-04-10 02:43:51.067342317 -0700
-+++ new/monitor.c	2015-04-10 02:49:10.399820034 -0700
[email protected]@ -1887,7 +1887,9 @@ mm_get_kex(Buffer *m)
- 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
- 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
- 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
-+#ifndef WITHOUT_ED25519
- 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
-+#endif /* WITHOUT_ED25519 */
- 	kex->server = 1;
- 	kex->hostkey_type = buffer_get_int(m);
- 	kex->kex_type = buffer_get_int(m);
-Only in new: monitor.c.orig
-Only in new: monitor.c.rej
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h	2013-12-06 16:24:02.000000000 -0800
-+++ new/myproposal.h	2015-04-10 02:43:51.168744484 -0700
[email protected]@ -80,6 +80,24 @@
- # define SHA2_HMAC_MODES
++
+ #ifdef OPENSSL_HAVE_EVPGCM
+ # define AESGCM_CIPHER_MODES \
+ 	",[email protected],[email protected]"
[email protected]@ -78,11 +92,6 @@
  #endif
  
-+#ifdef WITHOUT_ED25519
-+# define KEX_DEFAULT_KEX \
-+	KEX_ECDH_METHODS \
-+	KEX_SHA256_METHODS \
-+	"diffie-hellman-group-exchange-sha1," \
-+	"diffie-hellman-group14-sha1," \
-+	"diffie-hellman-group1-sha1"
-+
-+#define	KEX_DEFAULT_PK_ALG	\
-+	HOSTKEY_ECDSA_CERT_METHODS \
-+	"[email protected]," \
-+	"[email protected]," \
-+	"[email protected]," \
-+	"[email protected]," \
-+	HOSTKEY_ECDSA_METHODS \
-+	"ssh-rsa," \
-+	"ssh-dss"
-+#else /* WITHOUT_ED25519 */
- # define KEX_DEFAULT_KEX \
+ #ifdef WITH_OPENSSL
+-# ifdef HAVE_EVP_SHA256
+-#  define KEX_CURVE25519_METHODS "[email protected],"
+-# else
+-#  define KEX_CURVE25519_METHODS ""
+-# endif
+ #define KEX_COMMON_KEX \
  	KEX_CURVE25519_METHODS \
  	KEX_ECDH_METHODS \
[email protected]@ -99,6 +117,7 @@
- 	"ssh-ed25519," \
- 	"ssh-rsa," \
- 	"ssh-dss"
-+#endif /* WITHOUT_ED25519 */
[email protected]@ -97,10 +106,10 @@
+ 
+ #define	KEX_DEFAULT_PK_ALG	\
+ 	HOSTKEY_ECDSA_CERT_METHODS \
+-	"[email protected]," \
++	HOSTKEY_CURVE25519_CERT_METHODS \
+ 	"[email protected]," \
+ 	HOSTKEY_ECDSA_METHODS \
+-	"ssh-ed25519," \
++	HOSTKEY_CURVE25519_METHODS \
+ 	"ssh-rsa" \
  
  /* the actual algorithms */
- 
-diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
---- old/openbsd-compat/Makefile.in	2013-12-06 17:37:54.000000000 -0800
-+++ new/openbsd-compat/Makefile.in	2015-04-10 02:43:51.169041778 -0700
[email protected]@ -18,7 +18,7 @@ LDFLAGS=-L. @[email protected]
[email protected]@ -141,10 +150,10 @@
+ #else
  
- OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
- 
--COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 
- 
- PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
- 
+ #define KEX_SERVER_KEX		\
+-	"[email protected]"
++	KEX_CURVE25519_METHODS
+ #define	KEX_DEFAULT_PK_ALG	\
+-	"[email protected]," \
+-	"ssh-ed25519"
++	HOSTKEY_CURVE25519_CERT_METHODS \
++	HOSTKEY_CURVE25519_METHODS
+ #define	KEX_SERVER_ENCRYPT \
+ 	"[email protected]," \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr"
+diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
+--- old/openbsd-compat/Makefile.in
++++ new/openbsd-compat/Makefile.in
 @@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
  $(PORTS): ../config.h
  
@@ -775,8 +379,8 @@
  
  clean:
 diff -pur old/pathnames.h new/pathnames.h
---- old/pathnames.h	2013-12-06 16:24:02.000000000 -0800
-+++ new/pathnames.h	2015-04-10 02:43:51.169362243 -0700
+--- old/pathnames.h
++++ new/pathnames.h
 @@ -39,7 +39,9 @@
  #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
  #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
@@ -798,9 +402,9 @@
  /*
   * Configuration file in user's home directory.  This file need not be
 diff -pur old/readconf.c new/readconf.c
---- old/readconf.c	2015-04-10 02:43:51.075573457 -0700
-+++ new/readconf.c	2015-04-10 02:43:51.170150446 -0700
[email protected]@ -1702,8 +1702,10 @@ fill_default_options(Options * options)
+--- old/readconf.c
++++ new/readconf.c
[email protected]@ -1846,8 +1846,10 @@ fill_default_options(Options * options)
  			add_identity_file(options, "~/",
  			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
  #endif
@@ -811,46 +415,10 @@
  		}
  	}
  	if (options->escape_char == -1)
-Only in new: readconf.c.orig
-diff -pur old/sc25519.c new/sc25519.c
---- old/sc25519.c	2014-01-16 17:43:44.000000000 -0800
-+++ new/sc25519.c	2015-04-10 02:43:51.170631841 -0700
[email protected]@ -6,6 +6,8 @@
-  * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
-  */
- 
-+#ifndef WITHOUT_ED25519
-+
- #include "includes.h"
- 
- #include "sc25519.h"
[email protected]@ -306,3 +308,5 @@ void sc25519_2interleave2(unsigned char 
-   r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
-   r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
- }
-+
-+#endif /* WITHOUT_ED25519 */
-diff -pur old/sc25519.h new/sc25519.h
---- old/sc25519.h	2013-12-17 22:48:11.000000000 -0800
-+++ new/sc25519.h	2015-04-10 02:43:51.170901036 -0700
[email protected]@ -8,6 +8,7 @@
- 
- #ifndef SC25519_H
- #define SC25519_H
-+#ifndef WITHOUT_ED25519
- 
- #include "crypto_api.h"
- 
[email protected]@ -77,4 +78,5 @@ void sc25519_window5(signed char r[51], 
- 
- void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
- 
-+#endif /* WITHOUT_ED25519 */
- #endif
 diff -pur old/servconf.c new/servconf.c
---- old/servconf.c	2015-04-10 02:43:51.086374994 -0700
-+++ new/servconf.c	2015-04-10 02:43:51.171761969 -0700
[email protected]@ -189,8 +189,10 @@ fill_default_server_options(ServerOption
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -222,8 +222,10 @@ fill_default_server_options(ServerOption
  			options->host_key_files[options->num_host_key_files++] =
  			    _PATH_HOST_ECDSA_KEY_FILE;
  #endif
@@ -861,10 +429,9 @@
  		}
  	}
  	/* No certificates by default */
-Only in new: servconf.c.orig
 diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
---- old/smult_curve25519_ref.c	2013-11-03 13:26:53.000000000 -0800
-+++ new/smult_curve25519_ref.c	2015-04-10 02:43:51.172253244 -0700
+--- old/smult_curve25519_ref.c
++++ new/smult_curve25519_ref.c
 @@ -6,6 +6,8 @@ Public domain.
  Derived from public domain code by D. J. Bernstein.
  */
@@ -874,98 +441,23 @@
  int crypto_scalarmult_curve25519(unsigned char *, const unsigned char *, const unsigned char *);
  
  static void add(unsigned int out[32],const unsigned int a[32],const unsigned int b[32])
[email protected]@ -263,3 +265,5 @@ int crypto_scalarmult_curve25519(unsigne
[email protected]@ -263,3 +265,4 @@ int crypto_scalarmult_curve25519(unsigne
    for (i = 0;i < 32;++i) q[i] = work[64 + i];
    return 0;
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ssh-add.0 new/ssh-add.0
---- old/ssh-add.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/ssh-add.0	2015-04-10 02:43:51.172577448 -0700
+--- old/ssh-add.0
++++ new/ssh-add.0
 @@ -11,7 +11,7 @@ SYNOPSIS
  DESCRIPTION
       ssh-add adds private key identities to the authentication agent,
       ssh-agent(1).  When run without arguments, it adds the files
 -     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
-+     ~/.ssh/id_rsa, ~/.ssh/id_dsa and
++     ~/.ssh/id_rsa, ~/.ssh/id_dsa, and
       ~/.ssh/identity.  After loading a private key, ssh-add will try to load
       corresponding certificate information from the filename obtained by
       appending -cert.pub to the name of the private key file.  Alternative
[email protected]@ -91,14 +91,6 @@ FILES
-              Contains the protocol version 2 DSA authentication identity of
-              the user.
- 
--     ~/.ssh/id_ecdsa
--             Contains the protocol version 2 ECDSA authentication identity of
--             the user.
--
--     ~/.ssh/id_ed25519
--             Contains the protocol version 2 ED25519 authentication identity
--             of the user.
--
-      ~/.ssh/id_rsa
-              Contains the protocol version 2 RSA authentication identity of
-              the user.
-diff -pur old/ssh-add.1 new/ssh-add.1
---- old/ssh-add.1	2013-12-17 22:46:28.000000000 -0800
-+++ new/ssh-add.1	2015-04-10 02:43:51.172897417 -0700
[email protected]@ -57,8 +57,6 @@ adds private key identities to the authe
- When run without arguments, it adds the files
- .Pa ~/.ssh/id_rsa ,
- .Pa ~/.ssh/id_dsa ,
--.Pa ~/.ssh/id_ecdsa ,
--.Pa ~/.ssh/id_ed25519
- and
- .Pa ~/.ssh/identity .
- After loading a private key,
[email protected]@ -168,10 +166,6 @@ socket used to communicate with the agen
- Contains the protocol version 1 RSA authentication identity of the user.
- .It Pa ~/.ssh/id_dsa
- Contains the protocol version 2 DSA authentication identity of the user.
--.It Pa ~/.ssh/id_ecdsa
--Contains the protocol version 2 ECDSA authentication identity of the user.
--.It Pa ~/.ssh/id_ed25519
--Contains the protocol version 2 ED25519 authentication identity of the user.
- .It Pa ~/.ssh/id_rsa
- Contains the protocol version 2 RSA authentication identity of the user.
- .El
-diff -pur old/ssh-add.c new/ssh-add.c
---- old/ssh-add.c	2013-12-28 22:44:07.000000000 -0800
-+++ new/ssh-add.c	2015-04-10 02:43:51.173249822 -0700
[email protected]@ -73,7 +73,9 @@ static char *default_files[] = {
- #ifdef OPENSSL_HAS_ECC
- 	_PATH_SSH_CLIENT_ID_ECDSA,
- #endif
-+#ifndef WITHOUT_ED25519
- 	_PATH_SSH_CLIENT_ID_ED25519,
-+#endif /* WITHOUT_ED25519 */
- 	_PATH_SSH_CLIENT_IDENTITY,
- 	NULL
- };
-diff -pur old/ssh-agent.0 new/ssh-agent.0
---- old/ssh-agent.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/ssh-agent.0	2015-04-10 02:43:51.173618938 -0700
[email protected]@ -9,7 +9,7 @@ SYNOPSIS
- 
- DESCRIPTION
-      ssh-agent is a program to hold private keys used for public key
--     authentication (RSA, DSA, ECDSA, ED25519).  The idea is that ssh-agent is
-+     authentication (RSA, DSA).  The idea is that ssh-agent is
-      started in the beginning of an X-session or a login session, and all
-      other windows or programs are started as clients to the ssh-agent
-      program.  Through use of environment variables the agent can be located
[email protected]@ -46,8 +46,8 @@ DESCRIPTION
- 
-      The agent initially does not have any private keys.  Keys are added using
-      ssh-add(1).  When executed without arguments, ssh-add(1) adds the files
--     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
--     ~/.ssh/identity.  If the identity has a passphrase, ssh-add(1) asks for
-+     ~/.ssh/id_rsa, ~/.ssh/id_dsa ~/.ssh/identity.  
-+     If the identity has a passphrase, ssh-add(1) asks for
-      the passphrase on the terminal if it has one or from a small X11 program
-      if running under X11.  If neither of these is the case then the
-      authentication will fail.  It then sends the identity to the agent.
 @@ -97,14 +97,6 @@ FILES
               Contains the protocol version 2 DSA authentication identity of
               the user.
@@ -975,72 +467,107 @@
 -             the user.
 -
 -     ~/.ssh/id_ed25519
--             Contains the protocol version 2 ED25519 authentication identity
+-             Contains the protocol version 2 Ed25519 authentication identity
 -             of the user.
 -
       ~/.ssh/id_rsa
               Contains the protocol version 2 RSA authentication identity of
               the user.
-diff -pur old/ssh-agent.1 new/ssh-agent.1
---- old/ssh-agent.1	2013-12-17 22:46:28.000000000 -0800
-+++ new/ssh-agent.1	2015-04-10 02:43:51.173976932 -0700
[email protected]@ -53,7 +53,7 @@
- .Sh DESCRIPTION
- .Nm
- is a program to hold private keys used for public key authentication
--(RSA, DSA, ECDSA, ED25519).
-+(RSA, DSA).
- The idea is that
- .Nm
- is started in the beginning of an X-session or a login session, and
[email protected]@ -114,9 +114,7 @@ When executed without arguments,
- .Xr ssh-add 1
- adds the files
+diff -pur old/ssh-add.1 new/ssh-add.1
+--- old/ssh-add.1
++++ new/ssh-add.1
[email protected]@ -58,8 +58,6 @@ adds private key identities to the authe
+ When run without arguments, it adds the files
  .Pa ~/.ssh/id_rsa ,
--.Pa ~/.ssh/id_dsa ,
+ .Pa ~/.ssh/id_dsa ,
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
-+.Pa ~/.ssh/id_dsa 
  and
  .Pa ~/.ssh/identity .
- If the identity has a passphrase,
[email protected]@ -189,10 +187,6 @@ line terminates.
+ After loading a private key,
[email protected]@ -178,10 +176,6 @@ socket used to communicate with the agen
  Contains the protocol version 1 RSA authentication identity of the user.
  .It Pa ~/.ssh/id_dsa
  Contains the protocol version 2 DSA authentication identity of the user.
 -.It Pa ~/.ssh/id_ecdsa
 -Contains the protocol version 2 ECDSA authentication identity of the user.
 -.It Pa ~/.ssh/id_ed25519
--Contains the protocol version 2 ED25519 authentication identity of the user.
+-Contains the protocol version 2 Ed25519 authentication identity of the user.
  .It Pa ~/.ssh/id_rsa
  Contains the protocol version 2 RSA authentication identity of the user.
- .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+ .El
+diff -pur old/ssh-add.c new/ssh-add.c
+--- old/ssh-add.c
++++ new/ssh-add.c
[email protected]@ -78,7 +78,9 @@ static char *default_files[] = {
+ 	_PATH_SSH_CLIENT_ID_ECDSA,
+ #endif
+ #endif /* WITH_OPENSSL */
+-	_PATH_SSH_CLIENT_ID_ED25519,
++#ifndef WITHOUT_ED25519
++ 	_PATH_SSH_CLIENT_ID_ED25519,
++#endif /* WITHOUT_ED25519 */
+ #ifdef WITH_SSH1
+ 	_PATH_SSH_CLIENT_IDENTITY,
+ #endif
+diff -pur old/ssh-agent.0 new/ssh-agent.0
+--- old/ssh-agent.0
++++ new/ssh-agent.0
[email protected]@ -10,7 +10,7 @@ SYNOPSIS
+ 
+ DESCRIPTION
+      ssh-agent is a program to hold private keys used for public key
+-     authentication (RSA, DSA, ECDSA, Ed25519).  ssh-agent is usually started
++     authentication (RSA, DSA).  ssh-agent is usually started
+      in the beginning of an X-session or a login session, and all other
+      windows or programs are started as clients to the ssh-agent program.
+      Through use of environment variables the agent can be located and
+diff -pur old/ssh-agent.1 new/ssh-agent.1
+--- old/ssh-agent.1
++++ new/ssh-agent.1
[email protected]@ -54,7 +54,7 @@
+ .Sh DESCRIPTION
+ .Nm
+ is a program to hold private keys used for public key authentication
+-(RSA, DSA, ECDSA, Ed25519).
++(RSA, DSA).
+ .Nm
+ is usually started in the beginning of an X-session or a login session, and
+ all other windows or programs are started as clients to the ssh-agent
 diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
---- old/ssh-ed25519.c	2013-12-06 17:37:54.000000000 -0800
-+++ new/ssh-ed25519.c	2015-04-10 02:43:51.174245635 -0700
[email protected]@ -15,6 +15,8 @@
-  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-  */
+--- old/ssh-ed25519.c
++++ new/ssh-ed25519.c
[email protected]@ -17,6 +17,8 @@
+ 
+ #include "includes.h"
  
 +#ifndef WITHOUT_ED25519
 +
- #include "includes.h"
+ #include <sys/types.h>
+ #include <limits.h>
  
- #include <sys/types.h>
[email protected]@ -141,3 +143,5 @@ ssh_ed25519_verify(const Key *key, const
- 	/* translate return code carefully */
- 	return (ret == 0) ? 1 : -1;
[email protected]@ -164,3 +166,4 @@ ssh_ed25519_verify(const struct sshkey *
+ 	free(ktype);
+ 	return r;
  }
-+
 +#endif /* WITHOUT_ED25519 */
 diff -pur old/ssh-keygen.0 new/ssh-keygen.0
---- old/ssh-keygen.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/ssh-keygen.0	2015-04-10 02:43:51.175019524 -0700
+--- old/ssh-keygen.0
++++ new/ssh-keygen.0
[email protected]@ -4,7 +4,7 @@ NAME
+      ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
+ 
+ SYNOPSIS
+-     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
++     ssh-keygen [-q] [-b bits] [-t dsa | rsa | rsa1]
+                 [-N new_passphrase] [-C comment] [-f output_keyfile]
+      ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
+      ssh-keygen -i [-m key_format] [-f input_keyfile]
 @@ -32,7 +32,7 @@ SYNOPSIS
  DESCRIPTION
       ssh-keygen generates, manages and converts authentication keys for
       ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
--     and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+-     and DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
 +     and DSA or RSA keys for use by SSH protocol version 2.
       The type of key to be generated is specified with the -t option.  If
       invoked without any arguments, ssh-keygen will generate an RSA key for
@@ -1059,7 +586,7 @@
       The options are as follows:
  
 -     -A      For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
-+     -A      For each of the key types (rsa1, rsa, and dsa) for
++     -A      For each of the key types (rsa1, rsa and dsa) for
               which host keys do not exist, generate the host keys with the
               default key file path, an empty passphrase, default bits for the
               key type, and default comment.  This is used by /etc/rc to
@@ -1067,25 +594,25 @@
  
       -a rounds
 -             When saving a new-format private key (i.e. an ed25519 key or any
-+             When saving a new-format private key (i.e. any
++             When saving a new-format private key (i.e. 
               SSH protocol 2 key when the -o flag is set), this option
               specifies the number of KDF (key derivation function) rounds
               used.  Higher numbers result in slower passphrase verification
 @@ -103,12 +103,7 @@ DESCRIPTION
               Specifies the number of bits in the key to create.  For RSA keys,
-              the minimum size is 768 bits and the default is 2048 bits.
+              the minimum size is 1024 bits and the default is 2048 bits.
               Generally, 2048 bits is considered sufficient.  DSA keys must be
 -             exactly 1024 bits as specified by FIPS 186-2.  For ECDSA keys,
 -             the -b flag determines the key length by selecting from one of
 -             three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to
 -             use bit lengths other than these three values for ECDSA keys will
--             fail.  ED25519 keys have a fixed length and the -b flag will be
+-             fail.  Ed25519 keys have a fixed length and the -b flag will be
 -             ignored.
 +             exactly 1024 bits as specified by FIPS 186-2.
  
       -C comment
               Provides a new comment.
[email protected]@ -274,7 +269,7 @@ DESCRIPTION
[email protected]@ -279,7 +274,7 @@ DESCRIPTION
               new OpenSSH format rather than the more compatible PEM format.
               The new format has increased resistance to brute-force password
               cracking but is not supported by versions of OpenSSH prior to
@@ -1094,54 +621,64 @@
  
       -P passphrase
               Provides the (old) passphrase.
[email protected]@ -315,8 +310,8 @@ DESCRIPTION
[email protected]@ -318,9 +313,9 @@ DESCRIPTION
+              Test DH group exchange candidate primes (generated using the -G
+              option) for safety.
  
-      -t type
+-     -t dsa | ecdsa | ed25519 | rsa | rsa1
++     -t dsa |  rsa | rsa1
               Specifies the type of key to create.  The possible values are
--             ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'',
--             ``ed25519'', or ``rsa'' for protocol version 2.
-+             ``rsa1'' for protocol version 1 and ``dsa'' or ``rsa'' for 
-+             protocol version 2.
+-             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or
++             M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or
+              M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.
  
       -u      Update a KRL.  When specified with -k, keys listed via the
-              command line are added to the existing KRL rather than a new KRL
[email protected]@ -521,10 +516,8 @@ FILES
[email protected]@ -525,10 +520,8 @@ FILES
               contents of this file secret.
  
       ~/.ssh/id_dsa
 -     ~/.ssh/id_ecdsa
 -     ~/.ssh/id_ed25519
       ~/.ssh/id_rsa
--             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +             Contains the protocol version 2 DSA or RSA
               authentication identity of the user.  This file should not be
               readable by anyone but the user.  It is possible to specify a
               passphrase when generating the key; that passphrase will be used
[email protected]@ -534,10 +527,8 @@ FILES
[email protected]@ -538,10 +531,8 @@ FILES
               read this file when a login attempt is made.
  
       ~/.ssh/id_dsa.pub
 -     ~/.ssh/id_ecdsa.pub
 -     ~/.ssh/id_ed25519.pub
       ~/.ssh/id_rsa.pub
--             Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public
+-             Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public
 +             Contains the protocol version 2 DSA or RSA public
               key for authentication.  The contents of this file should be
               added to ~/.ssh/authorized_keys on all machines where the user
               wishes to log in using public key authentication.  There is no
 diff -pur old/ssh-keygen.1 new/ssh-keygen.1
---- old/ssh-keygen.1	2013-12-28 22:47:14.000000000 -0800
-+++ new/ssh-keygen.1	2015-04-10 02:43:51.175831546 -0700
[email protected]@ -140,7 +140,7 @@ generates, manages and converts authenti
+--- old/ssh-keygen.1
++++ new/ssh-keygen.1
[email protected]@ -46,7 +46,7 @@
+ .Nm ssh-keygen
+ .Op Fl q
+ .Op Fl b Ar bits
+-.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
++.Op Fl t Cm dsa | rsa | rsa1
+ .Op Fl N Ar new_passphrase
+ .Op Fl C Ar comment
+ .Op Fl f Ar output_keyfile
[email protected]@ -142,7 +142,7 @@ generates, manages and converts authenti
  .Xr ssh 1 .
  .Nm
  can create RSA keys for use by SSH protocol version 1 and
--DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
+-DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
 +DSA or RSA keys for use by SSH protocol version 2.
  The type of key to be generated is specified with the
  .Fl t
  option.
[email protected]@ -168,8 +168,6 @@ with public key authentication runs this
[email protected]@ -170,8 +170,6 @@ with public key authentication runs this
  key in
  .Pa ~/.ssh/identity ,
  .Pa ~/.ssh/id_dsa ,
@@ -1150,27 +687,26 @@
  or
  .Pa ~/.ssh/id_rsa .
  Additionally, the system administrator may use this to generate host keys,
[email protected]@ -217,7 +215,7 @@ should be placed to be activated.
[email protected]@ -219,7 +217,7 @@ should be placed to be activated.
  The options are as follows:
  .Bl -tag -width Ds
  .It Fl A
 -For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
-+For each of the key types (rsa1, rsa, dsa)
++For each of the key types (rsa1, rsa and dsa)
  for which host keys
  do not exist, generate the host keys with the default key file path,
  an empty passphrase, default bits for the key type, and default comment.
[email protected]@ -225,8 +223,7 @@ This is used by
[email protected]@ -227,7 +225,7 @@ This is used by
  .Pa /etc/rc
  to generate new host keys.
  .It Fl a Ar rounds
 -When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
--2 key when the
-+When saving a new-format private key (i.e. any SSH protocol 2 key when the
++When saving a new-format private key (i.e. SSH protocol
+ 2 key when the
  .Fl o
  flag is set), this option specifies the number of KDF (key derivation function)
- rounds used.
[email protected]@ -245,15 +242,6 @@ Specifies the number of bits in the key 
- For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
[email protected]@ -247,15 +245,6 @@ Specifies the number of bits in the key
+ For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
  Generally, 2048 bits is considered sufficient.
  DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 -For ECDSA keys, the
@@ -1179,13 +715,13 @@
 -curve sizes: 256, 384 or 521 bits.
 -Attempting to use bit lengths other than these three values for ECDSA keys
 -will fail.
--ED25519 keys have a fixed length and the
+-Ed25519 keys have a fixed length and the
 -.Fl b
 -flag will be ignored.
  .It Fl C Ar comment
  Provides a new comment.
  .It Fl c
[email protected]@ -468,7 +456,6 @@ to save SSH protocol 2 private keys usin
[email protected]@ -478,7 +467,6 @@ to save SSH protocol 2 private keys usin
  the more compatible PEM format.
  The new format has increased resistance to brute-force password cracking
  but is not supported by versions of OpenSSH prior to 6.5.
@@ -1193,7 +729,14 @@
  .It Fl P Ar passphrase
  Provides the (old) passphrase.
  .It Fl p
[email protected]@ -520,8 +507,6 @@ The possible values are
[email protected]@ -524,14 +512,12 @@ section for details.
+ Test DH group exchange candidate primes (generated using the
+ .Fl G
+ option) for safety.
+-.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
++.It Fl t Cm dsa | rsa | rsa1
+ Specifies the type of key to create.
+ The possible values are
  .Dq rsa1
  for protocol version 1 and
  .Dq dsa ,
@@ -1202,46 +745,47 @@
  or
  .Dq rsa
  for protocol version 2.
[email protected]@ -800,10 +785,8 @@ where the user wishes to log in using RS
[email protected]@ -810,10 +796,8 @@ where the user wishes to log in using RS
  There is no need to keep the contents of this file secret.
  .Pp
  .It Pa ~/.ssh/id_dsa
 -.It Pa ~/.ssh/id_ecdsa
 -.It Pa ~/.ssh/id_ed25519
  .It Pa ~/.ssh/id_rsa
--Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +Contains the protocol version 2 DSA or RSA
  authentication identity of the user.
  This file should not be readable by anyone but the user.
  It is possible to
[email protected]@ -816,10 +799,8 @@ but it is offered as the default file fo
[email protected]@ -826,10 +810,8 @@ but it is offered as the default file fo
  will read this file when a login attempt is made.
  .Pp
  .It Pa ~/.ssh/id_dsa.pub
 -.It Pa ~/.ssh/id_ecdsa.pub
 -.It Pa ~/.ssh/id_ed25519.pub
  .It Pa ~/.ssh/id_rsa.pub
--Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+-Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
 +Contains the protocol version 2 DSA or RSA
  public key for authentication.
  The contents of this file should be added to
  .Pa ~/.ssh/authorized_keys
 diff -pur old/ssh-keygen.c new/ssh-keygen.c
---- old/ssh-keygen.c	2013-12-06 16:24:02.000000000 -0800
-+++ new/ssh-keygen.c	2015-04-10 02:43:51.176894394 -0700
[email protected]@ -197,7 +197,11 @@ type_bits_valid(int type, u_int32_t *bit
- 	}
+--- old/ssh-keygen.c
++++ new/ssh-keygen.c
[email protected]@ -217,7 +217,11 @@ type_bits_valid(int type, const char *na
+ 		fatal("key bits exceeds maximum %d", maxbits);
  	if (type == KEY_DSA && *bitsp != 1024)
  		fatal("DSA keys must be 1024 bits");
-+#ifdef WITHOUT_ED25519
-+	else if (type != KEY_ECDSA && *bitsp < 768)
-+#else /* WITHOUT_ED25519 */
- 	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
+-	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
++	else if (type != KEY_ECDSA &&
++#ifndef WITHOUT_ED25519
++		 type != KEY_ED25519 &&
 +#endif /* WITHOUT_ED25519 */
- 		fatal("Key must at least be 768 bits");
- 	else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
++		 *bitsp < 1024)
+ 		fatal("Key must at least be 1024 bits");
+ 	else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
  		fatal("Invalid ECDSA key length - valid lengths are "
[email protected]@ -233,10 +237,12 @@ ask_filename(struct passwd *pw, const ch
[email protected]@ -252,10 +256,12 @@ ask_filename(struct passwd *pw, const ch
  		case KEY_RSA:
  			name = _PATH_SSH_CLIENT_ID_RSA;
  			break;
@@ -1252,42 +796,54 @@
  			break;
 +#endif /* WITHOUT_ED25519 */
  		default:
- 			fprintf(stderr, "bad key type\n");
- 			exit(1);
[email protected]@ -900,7 +906,9 @@ do_gen_all_hostkeys(struct passwd *pw)
- #ifdef OPENSSL_HAS_ECC
+ 			fatal("bad key type");
+ 		}
[email protected]@ -939,7 +945,9 @@ do_gen_all_hostkeys(struct passwd *pw)
  		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
- #endif
+ #endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
+-		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
 +#ifndef WITHOUT_ED25519
- 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
++ 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
 +#endif /* WITHOUT_ED25519 */
  		{ NULL, NULL, NULL }
  	};
  
[email protected]@ -1616,7 +1624,10 @@ do_ca_sign(struct passwd *pw, int argc, 
- 		if ((public = key_load_public(tmp, &comment)) == NULL)
- 			fatal("%s: unable to open \"%s\"", __func__, tmp);
[email protected]@ -1605,7 +1613,10 @@ do_ca_sign(struct passwd *pw, int argc,
+ 			fatal("%s: unable to open \"%s\": %s",
+ 			    __func__, tmp, ssh_err(r));
  		if (public->type != KEY_RSA && public->type != KEY_DSA &&
 -		    public->type != KEY_ECDSA && public->type != KEY_ED25519)
 +#ifndef WITHOUT_ED25519
-+		    public->type != KEY_ED25519 &&
++		    public->type != KEY_ED25519 && 
 +#endif /* WITHOUT_ED25519 */
 +		    public->type != KEY_ECDSA)
  			fatal("%s: key \"%s\" type %s cannot be certified",
- 			    __func__, tmp, key_type(public));
+ 			    __func__, tmp, sshkey_type(public));
  
[email protected]@ -2502,8 +2513,10 @@ main(int argc, char **argv)
+ 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
+ 			n += do_print_resource_record(pw,
+ 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
++#ifndef WITHOUT_ED25519
+ 			n += do_print_resource_record(pw,
+ 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
++#endif /* WITHOUT_ED25519 */
+ 			if (n == 0)
+ 				fatal("no keys found.");
+ 			exit(0);
 diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
---- old/ssh-keyscan.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/ssh-keyscan.0	2015-04-10 02:43:51.177179968 -0700
+--- old/ssh-keyscan.0
++++ new/ssh-keyscan.0
 @@ -48,9 +48,9 @@ DESCRIPTION
       -t type
               Specifies the type of the key to fetch from the scanned hosts.
-              The possible values are ``rsa1'' for protocol version 1 and
--             ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
-+             ``dsa'' or ``rsa'' for protocol version
-              2.  Multiple values may be specified by separating them with
--             commas.  The default is to fetch ``rsa'' and ``ecdsa'' keys.
-+             commas.  The default is to fetch ``rsa'' keys.
+              The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
+-             M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
++             or M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2.  Multiple
+              values may be specified by separating them with commas.  The
+-             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], and M-bM-^@M-^\ed25519M-bM-^@M-^] keys.
++             default is to fetch M-bM-^@M-^\rsaM-bM-^@M-^] keys.
  
       -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
               about its progress.
@@ -1295,14 +851,14 @@
  
       host-or-namelist bits exponent modulus
  
--     Output format for rsa, dsa and ecdsa keys:
-+     Output format for rsa and dsa keys:
+-     Output format for RSA, DSA, ECDSA, and Ed25519 keys:
++     Output format for RSA, and DSA keys:
  
       host-or-namelist keytype base64-encoded-key
  
--     Where keytype is either ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
--     ``ecdsa-sha2-nistp521'', ``ssh-ed25519'', ``ssh-dss'' or ``ssh-rsa''.
-+     Where keytype is either ``ssh-dss'' or ``ssh-rsa''.
+-     Where keytype is either M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^],
+-     M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
++     Where keytype is either M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
  
       /etc/ssh/ssh_known_hosts
  
@@ -1310,43 +866,47 @@
       Find all hosts from the file ssh_hosts which have new or different keys
       from those in the sorted file ssh_known_hosts:
  
--     $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
+-     $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
 +     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
               sort -u - ssh_known_hosts | diff ssh_known_hosts -
  
  SEE ALSO
 diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
---- old/ssh-keyscan.1	2013-12-17 22:46:28.000000000 -0800
-+++ new/ssh-keyscan.1	2015-04-10 02:43:51.177539875 -0700
[email protected]@ -89,16 +89,12 @@ The possible values are
+--- old/ssh-keyscan.1
++++ new/ssh-keyscan.1
[email protected]@ -90,18 +90,13 @@ Specifies the type of the key to fetch f
+ The possible values are
  .Dq rsa1
  for protocol version 1 and
- .Dq dsa ,
+-.Dq dsa ,
 -.Dq ecdsa ,
 -.Dq ed25519 ,
++.Dq dsa 
  or
  .Dq rsa
  for protocol version 2.
  Multiple values may be specified by separating them with commas.
  The default is to fetch
- .Dq rsa
+-.Dq rsa ,
+-.Dq ecdsa ,
 -and
--.Dq ecdsa
+-.Dq ed25519
++.Dq rsa 
  keys.
  .It Fl v
  Verbose mode.
[email protected]@ -127,7 +123,7 @@ attacks which have begun after the ssh_k
[email protected]@ -130,7 +125,7 @@ Output format for RSA1 keys:
  host-or-namelist bits exponent modulus
  .Ed
  .Pp
--.Pa Output format for rsa, dsa and ecdsa keys:
-+.Pa Output format for rsa and dsa keys:
+-Output format for RSA, DSA, ECDSA, and Ed25519 keys:
++Output format for RSA and DSA keys:
  .Bd -literal
  host-or-namelist keytype base64-encoded-key
  .Ed
[email protected]@ -135,10 +131,6 @@ host-or-namelist keytype base64-encoded-
[email protected]@ -138,10 +133,6 @@ host-or-namelist keytype base64-encoded-
  Where
- .Pa keytype
+ .Ar keytype
  is either
 -.Dq ecdsa-sha2-nistp256 ,
 -.Dq ecdsa-sha2-nistp384 ,
@@ -1355,61 +915,37 @@
  .Dq ssh-dss
  or
  .Dq ssh-rsa .
[email protected]@ -158,7 +150,7 @@ Find all hosts from the file
[email protected]@ -159,7 +150,7 @@ Find all hosts from the file
  which have new or different keys from those in the sorted file
  .Pa ssh_known_hosts :
  .Bd -literal
--$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
+-$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
  	sort -u - ssh_known_hosts | diff ssh_known_hosts -
  .Ed
  .Sh SEE ALSO
 diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
---- old/ssh-keyscan.c	2013-12-06 16:24:02.000000000 -0800
-+++ new/ssh-keyscan.c	2015-04-10 02:43:51.178102053 -0700
[email protected]@ -56,7 +56,9 @@ int ssh_port = SSH_DEFAULT_PORT;
- #define KT_DSA		2
- #define KT_RSA		4
- #define KT_ECDSA	8
-+#ifndef WITHOUT_ED25519
- #define KT_ED25519	16
-+#endif /* WITHOUT_ED25519 */
- 
- int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
- 
[email protected]@ -247,9 +249,11 @@ keygrab_ssh2(con *c)
- 	packet_set_connection(c->c_fd, c->c_fd);
- 	enable_compat20();
- 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
--	    c->c_keytype == KT_DSA ?  "ssh-dss" :
+--- old/ssh-keyscan.c
++++ new/ssh-keyscan.c
[email protected]@ -286,7 +286,9 @@ keygrab_ssh2(con *c)
+ 	c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ # endif
+ #endif
 +#ifndef WITHOUT_ED25519
-+	    c->c_keytype == KT_ED25519 ?  "ssh-ed25519" :
+ 	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#endif /* WITHOUT_ED25519 */
- 	    (c->c_keytype == KT_RSA ? "ssh-rsa" :
--	    (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
-+	    (c->c_keytype == KT_DSA ? "ssh-dss" :
- 	    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
- 	c->c_kex = kex_setup(myproposal);
- 	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
[email protected]@ -257,7 +261,9 @@ keygrab_ssh2(con *c)
- 	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
- 	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
- 	c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
-+#ifndef WITHOUT_ED25519
- 	c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
-+#endif /* WITHOUT_ED25519 */
- 	c->c_kex->verify_host_key = hostjump;
- 
- 	if (!(j = setjmp(kexjmp))) {
[email protected]@ -575,10 +581,15 @@ do_host(char *host)
+ 	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
+ 	/*
+ 	 * do the key-exchange until an error occurs or until
[email protected]@ -612,10 +614,15 @@ do_host(char *host)
  {
  	char *name = strnnsep(&host, " \t\n");
  	int j;
-+#ifdef WITHOUT_ED25519
-+	int max_kt = KT_ECDSA;
++#ifndef WITHOUT_ED25519
++	int max_kt = KT_ED25519;
 +#else
-+	int max_kt = KT_ED25519;
-+#endif
++	int max_kt = KT_ECDSA;
++#endif /* WITHOUT_ED25519 */
  
  	if (name == NULL)
  		return;
@@ -1418,7 +954,7 @@
  		if (get_keytypes & j) {
  			while (ncon >= MAXCON)
  				conloop();
[email protected]@ -685,9 +696,11 @@ main(int argc, char **argv)
[email protected]@ -719,9 +726,11 @@ main(int argc, char **argv)
  				case KEY_RSA:
  					get_keytypes |= KT_RSA;
  					break;
@@ -1431,8 +967,8 @@
  					fatal("unknown key type %s", tname);
  				}
 diff -pur old/ssh-keysign.0 new/ssh-keysign.0
---- old/ssh-keysign.0	2014-01-29 17:52:48.000000000 -0800
-+++ new/ssh-keysign.0	2015-04-10 02:43:51.178360839 -0700
+--- old/ssh-keysign.0
++++ new/ssh-keysign.0
 @@ -24,8 +24,6 @@ FILES
               Controls whether ssh-keysign is enabled.
  
@@ -1452,8 +988,8 @@
               If these files exist they are assumed to contain public
               certificate information corresponding with the private keys
 diff -pur old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8	2015-04-10 02:43:51.009217654 -0700
-+++ new/ssh-keysign.8	2015-04-10 02:43:51.178615438 -0700
+--- old/ssh-keysign.8
++++ new/ssh-keysign.8
 @@ -62,8 +62,6 @@ Controls whether
  is enabled.
  .Pp
@@ -1473,22 +1009,19 @@
  If these files exist they are assumed to contain public certificate
  information corresponding with the private keys above.
 diff -pur old/ssh-keysign.c new/ssh-keysign.c
---- old/ssh-keysign.c	2013-12-06 16:24:02.000000000 -0800
-+++ new/ssh-keysign.c	2015-04-10 02:43:51.178924008 -0700
[email protected]@ -150,7 +150,11 @@ main(int argc, char **argv)
+--- old/ssh-keysign.c
++++ new/ssh-keysign.c
[email protected]@ -168,7 +168,7 @@ main(int argc, char **argv)
  {
- 	Buffer b;
+ 	struct sshbuf *b;
  	Options options;
-+#ifdef WITHOUT_ED25519
+-#define NUM_KEYTYPES 4
 +#define NUM_KEYTYPES 3
-+#else
- #define NUM_KEYTYPES 4
-+#endif
- 	Key *keys[NUM_KEYTYPES], *key = NULL;
+ 	struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
  	struct passwd *pw;
- 	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
[email protected]@ -169,7 +173,9 @@ main(int argc, char **argv)
- 	i = 0;
+ 	int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
[email protected]@ -190,7 +190,9 @@ main(int argc, char **argv)
+ 	/* XXX This really needs to read sshd_config for the paths */
  	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
  	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
 +#ifndef WITHOUT_ED25519
@@ -1498,53 +1031,53 @@
  
  	original_real_uid = getuid();	/* XXX readconf.c needs this */
 diff -pur old/ssh.0 new/ssh.0
---- old/ssh.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/ssh.0	2015-04-10 02:43:51.179753862 -0700
[email protected]@ -142,8 +142,8 @@ DESCRIPTION
+--- old/ssh.0
++++ new/ssh.0
[email protected]@ -140,8 +140,8 @@ DESCRIPTION
       -i identity_file
               Selects a file from which the identity (private key) for public
               key authentication is read.  The default is ~/.ssh/identity for
 -             protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
 -             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             protocol version 1, and ~/.ssh/id_dsa, and ~/.ssh/id_rsa for
-+             protocol version 2.
++             protocol version 1, and ~/.ssh/id_dsa
++             and ~/.ssh/id_rsa for protocol version 2.
               Identity files may also be specified on a per-host basis in the
               configuration file.  It is possible to have multiple -i options
               (and multiple identities specified in configuration files).  ssh
[email protected]@ -446,7 +446,7 @@ AUTHENTICATION
[email protected]@ -463,7 +463,7 @@ AUTHENTICATION
       creates a public/private key pair for authentication purposes.  The
       server knows the public key, and only the user knows the private key.
       ssh implements public key authentication protocol automatically, using
--     one of the DSA, ECDSA, ED25519 or RSA algorithms.  Protocol 1 is
+-     one of the DSA, ECDSA, Ed25519 or RSA algorithms.  Protocol 1 is
 +     one of the DSA or RSA algorithms.  Protocol 1 is
       restricted to using only RSA keys, but protocol 2 may use any.  The
       HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
       algorithms.
[email protected]@ -459,11 +459,9 @@ AUTHENTICATION
[email protected]@ -476,11 +476,9 @@ AUTHENTICATION
  
       The user creates his/her key pair by running ssh-keygen(1).  This stores
       the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
 -     2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), ~/.ssh/id_ed25519 (protocol 2
--     ED25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
+-     Ed25519), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
 -     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA),
 -     ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), ~/.ssh/id_ed25519.pub (protocol 2
--     ED25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
+-     Ed25519), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
 +     2 DSA) or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
 +     ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA)
 +     or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home
       directory.  The user should then copy the public key to
       ~/.ssh/authorized_keys in his/her home directory on the remote machine.
       The authorized_keys file corresponds to the conventional ~/.rhosts file,
[email protected]@ -799,7 +797,7 @@ FILES
[email protected]@ -825,7 +823,7 @@ FILES
               for the user, and not accessible by others.
  
       ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+-             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
 +             Lists the public keys (DSA, RSA) that can be used
               for logging in as this user.  The format of this file is
               described in the sshd(8) manual page.  This file is not highly
               sensitive, but the recommended permissions are read/write for the
[email protected]@ -817,8 +815,6 @@ FILES
[email protected]@ -843,8 +841,6 @@ FILES
  
       ~/.ssh/identity
       ~/.ssh/id_dsa
@@ -1553,7 +1086,7 @@
       ~/.ssh/id_rsa
               Contains the private key for authentication.  These files contain
               sensitive data and should be readable by the user but not
[email protected]@ -830,8 +826,6 @@ FILES
[email protected]@ -856,8 +852,6 @@ FILES
  
       ~/.ssh/identity.pub
       ~/.ssh/id_dsa.pub
@@ -1562,7 +1095,7 @@
       ~/.ssh/id_rsa.pub
               Contains the public key for authentication.  These files are not
               sensitive and can (but need not) be readable by anyone.
[email protected]@ -862,8 +856,6 @@ FILES
[email protected]@ -888,8 +882,6 @@ FILES
  
       /etc/ssh/ssh_host_key
       /etc/ssh/ssh_host_dsa_key
@@ -1572,58 +1105,60 @@
               These files contain the private parts of the host keys and are
               used for host-based authentication.  If protocol version 1 is
 diff -pur old/ssh.1 new/ssh.1
---- old/ssh.1	2013-12-17 22:46:28.000000000 -0800
-+++ new/ssh.1	2015-04-10 02:43:51.180632097 -0700
[email protected]@ -279,8 +279,6 @@ The default is
+--- old/ssh.1
++++ new/ssh.1
[email protected]@ -292,9 +292,7 @@ public key authentication is read.
+ The default is
  .Pa ~/.ssh/identity
  for protocol version 1, and
- .Pa ~/.ssh/id_dsa ,
+-.Pa ~/.ssh/id_dsa ,
 -.Pa ~/.ssh/id_ecdsa ,
 -.Pa ~/.ssh/id_ed25519
++.Pa ~/.ssh/id_dsa
  and
  .Pa ~/.ssh/id_rsa
  for protocol version 2.
[email protected]@ -758,7 +756,7 @@ key pair for authentication purposes.
[email protected]@ -848,7 +846,7 @@ key pair for authentication purposes.
  The server knows the public key, and only the user knows the private key.
  .Nm
  implements public key authentication protocol automatically,
--using one of the DSA, ECDSA, ED25519 or RSA algorithms.
+-using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
 +using one of the DSA or RSA algorithms.
  Protocol 1 is restricted to using only RSA keys,
  but protocol 2 may use any.
  The HISTORY section of
[email protected]@ -783,10 +781,6 @@ This stores the private key in
[email protected]@ -873,10 +871,6 @@ This stores the private key in
  (protocol 1),
  .Pa ~/.ssh/id_dsa
  (protocol 2 DSA),
 -.Pa ~/.ssh/id_ecdsa
 -(protocol 2 ECDSA),
 -.Pa ~/.ssh/id_ed25519
--(protocol 2 ED25519),
+-(protocol 2 Ed25519),
  or
  .Pa ~/.ssh/id_rsa
  (protocol 2 RSA)
[email protected]@ -795,10 +789,6 @@ and stores the public key in
[email protected]@ -885,10 +879,6 @@ and stores the public key in
  (protocol 1),
  .Pa ~/.ssh/id_dsa.pub
  (protocol 2 DSA),
 -.Pa ~/.ssh/id_ecdsa.pub
 -(protocol 2 ECDSA),
 -.Pa ~/.ssh/id_ed25519.pub
--(protocol 2 ED25519),
+-(protocol 2 Ed25519),
  or
  .Pa ~/.ssh/id_rsa.pub
  (protocol 2 RSA)
[email protected]@ -1338,7 +1328,7 @@ secret, but the recommended permissions 
[email protected]@ -1444,7 +1434,7 @@ secret, but the recommended permissions
  and not accessible by others.
  .Pp
  .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, ED25519, RSA)
+-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
 +Lists the public keys (DSA, RSA)
  that can be used for logging in as this user.
  The format of this file is described in the
  .Xr sshd 8
[email protected]@ -1360,8 +1350,6 @@ above.
[email protected]@ -1466,8 +1456,6 @@ above.
  .Pp
  .It Pa ~/.ssh/identity
  .It Pa ~/.ssh/id_dsa
@@ -1632,7 +1167,7 @@
  .It Pa ~/.ssh/id_rsa
  Contains the private key for authentication.
  These files
[email protected]@ -1375,8 +1363,6 @@ sensitive part of this file using 3DES.
[email protected]@ -1481,8 +1469,6 @@ sensitive part of this file using 3DES.
  .Pp
  .It Pa ~/.ssh/identity.pub
  .It Pa ~/.ssh/id_dsa.pub
@@ -1641,7 +1176,7 @@
  .It Pa ~/.ssh/id_rsa.pub
  Contains the public key for authentication.
  These files are not
[email protected]@ -1415,8 +1401,6 @@ The file format and configuration option
[email protected]@ -1521,8 +1507,6 @@ The file format and configuration option
  .Pp
  .It Pa /etc/ssh/ssh_host_key
  .It Pa /etc/ssh/ssh_host_dsa_key
@@ -1651,118 +1186,183 @@
  These files contain the private parts of the host keys
  and are used for host-based authentication.
 diff -pur old/ssh.c new/ssh.c
---- old/ssh.c	2013-12-28 22:53:40.000000000 -0800
-+++ new/ssh.c	2015-04-10 02:43:51.181446718 -0700
[email protected]@ -1010,8 +1010,10 @@ main(int ac, char **av)
+--- old/ssh.c
++++ new/ssh.c
[email protected]@ -1233,8 +1233,10 @@ main(int ac, char **av)
+ 		sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
+ 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
  #endif
- 		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
- 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
 +#ifndef WITHOUT_ED25519
- 		sensitive_data.keys[4] = key_load_private_cert(KEY_ED25519,
+ 		sensitive_data.keys[2] = key_load_private_cert(KEY_ED25519,
  		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
 +#endif /* WITHOUT_ED25519 */
- 		sensitive_data.keys[5] = key_load_private_type(KEY_DSA,
- 		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
- #ifdef OPENSSL_HAS_ECC
[email protected]@ -1020,8 +1022,10 @@ main(int ac, char **av)
+ 		sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
+ 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
+ 		sensitive_data.keys[4] = key_load_private_cert(KEY_DSA,
[email protected]@ -1243,8 +1245,10 @@ main(int ac, char **av)
+ 		sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
+ 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
  #endif
- 		sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
- 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
 +#ifndef WITHOUT_ED25519
- 		sensitive_data.keys[8] = key_load_private_type(KEY_ED25519,
+ 		sensitive_data.keys[6] = key_load_private_type(KEY_ED25519,
  		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
 +#endif /* WITHOUT_ED25519 */
- 		PRIV_END;
- 
- 		if (options.hostbased_authentication == 1 &&
[email protected]@ -1038,8 +1042,10 @@ main(int ac, char **av)
+ 		sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
+ 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
+ 		sensitive_data.keys[8] = key_load_private_type(KEY_DSA,
[email protected]@ -1261,8 +1265,10 @@ main(int ac, char **av)
+ 			sensitive_data.keys[1] = key_load_cert(
+ 			    _PATH_HOST_ECDSA_KEY_FILE);
  #endif
- 			sensitive_data.keys[3] = key_load_cert(
- 			    _PATH_HOST_RSA_KEY_FILE);
 +#ifndef WITHOUT_ED25519
- 			sensitive_data.keys[4] = key_load_cert(
+ 			sensitive_data.keys[2] = key_load_cert(
  			    _PATH_HOST_ED25519_KEY_FILE);
 +#endif /* WITHOUT_ED25519 */
+ 			sensitive_data.keys[3] = key_load_cert(
+ 			    _PATH_HOST_RSA_KEY_FILE);
+ 			sensitive_data.keys[4] = key_load_cert(
[email protected]@ -1271,8 +1277,10 @@ main(int ac, char **av)
  			sensitive_data.keys[5] = key_load_public(
- 			    _PATH_HOST_DSA_KEY_FILE, NULL);
- #ifdef OPENSSL_HAS_ECC
[email protected]@ -1048,8 +1054,10 @@ main(int ac, char **av)
+ 			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
  #endif
++#ifndef WITHOUT_ED25519
+ 			sensitive_data.keys[6] = key_load_public(
+ 			    _PATH_HOST_ED25519_KEY_FILE, NULL);
++#endif /* WITHOUT_ED25519 */
  			sensitive_data.keys[7] = key_load_public(
  			    _PATH_HOST_RSA_KEY_FILE, NULL);
+ 			sensitive_data.keys[8] = key_load_public(
+diff -pur old/ssh_api.c new/ssh_api.c
+--- old/ssh_api.c
++++ new/ssh_api.c
[email protected]@ -109,7 +109,9 @@ ssh_init(struct ssh **sshp, int is_serve
+ 		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ # endif
+ #endif /* WITH_OPENSSL */
 +#ifndef WITHOUT_ED25519
- 			sensitive_data.keys[8] = key_load_public(
- 			    _PATH_HOST_ED25519_KEY_FILE, NULL);
+ 		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#endif /* WITHOUT_ED25519 */
- 			sensitive_data.external_keysign = 1;
- 		}
+ 		ssh->kex->load_host_public_key=&_ssh_host_public_key;
+ 		ssh->kex->load_host_private_key=&_ssh_host_private_key;
+ 		ssh->kex->sign=&_ssh_host_key_sign;
[email protected]@ -123,7 +125,9 @@ ssh_init(struct ssh **sshp, int is_serve
+ 		ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ # endif
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 		ssh->kex->kex[KEX_C25519_SHA256] = kexc25519_client;
++#endif /* WITHOUT_ED25519 */
+ 		ssh->kex->verify_host_key =&_ssh_verify_host_key;
  	}
+ 	*sshp = ssh;
 diff -pur old/ssh_config.0 new/ssh_config.0
---- old/ssh_config.0	2014-01-29 17:52:48.000000000 -0800
-+++ new/ssh_config.0	2015-04-10 02:43:51.182117645 -0700
[email protected]@ -409,14 +409,9 @@ DESCRIPTION
-              client wants to use in order of preference.  The default for this
-              option is:
+--- old/ssh_config.0
++++ new/ssh_config.0
[email protected]@ -444,13 +444,8 @@ DESCRIPTION
+              specified key types will be appended to the default set instead
+              of replacing them.  The default for this option is:
  
 -                [email protected],
 -                [email protected],
 -                [email protected],
 -                [email protected],
-                 [email protected],[email protected],
-                 [email protected],[email protected],
+                 [email protected],
 -                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--                ssh-ed25519,ssh-rsa,ssh-dss
-+                ssh-rsa,ssh-dss
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+ 
+              The -Q option of ssh(1) may be used to list supported key types.
+ 
[email protected]@ -461,13 +456,8 @@ DESCRIPTION
+              key types will be appended to the default set instead of
+              replacing them.  The default for this option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
  
               If hostkeys are known for the destination host then this default
               is modified to prefer their algorithms.
[email protected]@ -446,10 +441,10 @@ DESCRIPTION
-              default is ``no''.
[email protected]@ -503,10 +493,10 @@ DESCRIPTION
+              default is M-bM-^@M-^\noM-bM-^@M-^].
  
       IdentityFile
--             Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA
+-             Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
 +             Specifies a file from which the user's DSA or RSA
               authentication identity is read.  The default is ~/.ssh/identity
 -             for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
 -             ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
-+             for protocol version 1, and ~/.ssh/id_dsa and ~/.ssh/id_rsa for
-+             protocol version 2.
++             for protocol version 1, and ~/.ssh/id_dsa
++             and ~/.ssh/id_rsa for protocol version 2.
               Additionally, any identities represented by the authentication
               agent will be used for authentication unless IdentitiesOnly is
               set.  ssh(1) will try to load certificate information from the
[email protected]@ -509,8 +504,6 @@ DESCRIPTION
-              Specifies the available KEX (Key Exchange) algorithms.  Multiple
-              algorithms must be comma-separated.  The default is:
[email protected]@ -569,7 +559,6 @@ DESCRIPTION
+              will be appended to the default set instead of replacing them.
+              The default is:
  
 -                   [email protected],
--                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                     diffie-hellman-group-exchange-sha256,
                     diffie-hellman-group-exchange-sha1,
-                    diffie-hellman-group14-sha1,
[email protected]@ -727,13 +716,8 @@ DESCRIPTION
+              types after it will be appended to the default instead of
+              replacing it.  The default for this option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+ 
+              The -Q option of ssh(1) may be used to list supported key types.
+ 
 diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5	2015-04-10 02:43:51.077725535 -0700
-+++ new/ssh_config.5	2015-04-10 02:43:51.182862658 -0700
[email protected]@ -723,14 +723,9 @@ Specifies the protocol version 2 host ke
- that the client wants to use in order of preference.
+--- old/ssh_config.5
++++ new/ssh_config.5
[email protected]@ -806,13 +806,8 @@ character, then the specified key types
+ instead of replacing them.
  The default for this option is:
  .Bd -literal -offset 3n
 [email protected],
 [email protected],
 [email protected],
 [email protected],
- [email protected],[email protected],
- [email protected],[email protected],
+ [email protected],
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa,ssh-dss
-+ssh-rsa,ssh-dss
+-ssh-ed25519,ssh-rsa
++ssh-rsa
+ .Ed
+ .Pp
+ The
[email protected]@ -829,13 +824,8 @@ character, then the specified key types
+ instead of replacing them.
+ The default for this option is:
+ .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
+ [email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
  .Ed
  .Pp
  If hostkeys are known for the destination host then this default is modified
[email protected]@ -772,14 +767,12 @@ offers many different identities.
[email protected]@ -890,14 +880,12 @@ offers many different identities.
  The default is
  .Dq no .
  .It Cm IdentityFile
--Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
+-Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
 +Specifies a file from which the user's DSA or RSA authentication
  identity is read.
  The default is
@@ -1774,20 +1374,33 @@
  and
  .Pa ~/.ssh/id_rsa
  for protocol version 2.
[email protected]@ -892,8 +885,6 @@ Specifies the available KEX (Key Exchang
- Multiple algorithms must be comma-separated.
[email protected]@ -1014,7 +1002,6 @@ character, then the specified methods wi
+ instead of replacing them.
  The default is:
  .Bd -literal -offset indent
 [email protected],
--ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
  diffie-hellman-group-exchange-sha256,
  diffie-hellman-group-exchange-sha1,
- diffie-hellman-group14-sha1,
-Only in new: ssh_config.5.orig
[email protected]@ -1259,13 +1246,8 @@ character, then the key types after it w
+ instead of replacing it.
+ The default for this option is:
+ .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
+ [email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
+ .Ed
+ .Pp
+ The
 diff -pur old/sshconnect.c new/sshconnect.c
---- old/sshconnect.c	2015-04-10 02:43:51.092987117 -0700
-+++ new/sshconnect.c	2015-04-10 02:43:51.183586425 -0700
[email protected]@ -1325,7 +1325,9 @@ show_other_keys(struct hostkeys *hostkey
+--- old/sshconnect.c
++++ new/sshconnect.c
[email protected]@ -1392,7 +1392,9 @@ show_other_keys(struct hostkeys *hostkey
  		KEY_RSA,
  		KEY_DSA,
  		KEY_ECDSA,
@@ -1797,26 +1410,23 @@
  		-1
  	};
  	int i, ret = 0;
-Only in new: sshconnect.c.orig
 diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c	2015-04-10 02:43:51.055621784 -0700
-+++ new/sshconnect2.c	2015-04-10 02:49:31.451117756 -0700
[email protected]@ -213,7 +213,9 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
- 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+--- old/sshconnect2.c
++++ new/sshconnect2.c
[email protected]@ -247,7 +247,9 @@ ssh_kex2(char *host, struct sockaddr *ho
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ # endif
+ #endif
 +#ifndef WITHOUT_ED25519
  	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#endif /* WITHOUT_ED25519 */
- 	kex->client_version_string=client_version_string;
- 	kex->server_version_string=server_version_string;
- 	kex->verify_host_key=&verify_host_key_callback;
-Only in new: sshconnect2.c.orig
-Only in new: sshconnect2.c.rej
+ #ifdef GSSAPI
+ 	if (options.gss_keyex) {
+ 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
 diff -pur old/sshd.0 new/sshd.0
---- old/sshd.0	2014-01-29 17:52:47.000000000 -0800
-+++ new/sshd.0	2015-04-10 02:43:51.185708016 -0700
[email protected]@ -82,8 +82,7 @@ DESCRIPTION
+--- old/sshd.0
++++ new/sshd.0
[email protected]@ -81,8 +81,7 @@ DESCRIPTION
               be given if sshd is not run as root (as the normal host key files
               are normally not readable by anyone but root).  The default is
               /etc/ssh/ssh_host_key for protocol version 1, and
@@ -1826,23 +1436,23 @@
               protocol version 2.  It is possible to have multiple host key
               files for the different protocol versions and host key
               algorithms.
[email protected]@ -148,7 +147,7 @@ DESCRIPTION
[email protected]@ -146,7 +145,7 @@ DESCRIPTION
  AUTHENTICATION
       The OpenSSH SSH daemon supports SSH protocols 1 and 2.  The default is to
       use protocol 2 only, though this can be changed via the Protocol option
--     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+-     in sshd_config(5).  Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
 +     in sshd_config(5).  Protocol 2 supports DSA and RSA keys;
       protocol 1 only supports RSA keys.  For both protocols, each host has a
       host-specific key, normally 2048 bits, used to identify the host.
  
[email protected]@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT
[email protected]@ -279,15 +278,13 @@ AUTHORIZED_KEYS FILE FORMAT
       starts with a number).  The bits, exponent, modulus, and comment fields
       give the RSA key for protocol version 1; the comment field is not used
       for anything (but may be convenient for the user to identify the key).
--     For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'',
--     ``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'',
--     ``ssh-dss'' or ``ssh-rsa''.
-+     For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''.
+-     For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
+-     M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
+-     M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
++     For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or M-bM-^@M-^\ssh-rsaM-bM-^@M-^].
  
       Note that lines in this file are usually several hundred bytes long
       (because of the size of the public key encoding) up to a limit of 8
@@ -1853,16 +1463,16 @@
       file and edit it.
  
       sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
[email protected]@ -513,7 +510,7 @@ FILES
[email protected]@ -514,7 +511,7 @@ FILES
               for the user, and not accessible by others.
  
       ~/.ssh/authorized_keys
--             Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used
+-             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
 +             Lists the public keys (DSA, RSA) that can be used
               for logging in as this user.  The format of this file is
               described above.  The content of the file is not highly
               sensitive, but the recommended permissions are read/write for the
[email protected]@ -574,8 +571,6 @@ FILES
[email protected]@ -570,8 +567,6 @@ FILES
  
       /etc/ssh/ssh_host_key
       /etc/ssh/ssh_host_dsa_key
@@ -1871,7 +1481,7 @@
       /etc/ssh/ssh_host_rsa_key
               These files contain the private parts of the host keys.  These
               files should only be owned by root, readable only by root, and
[email protected]@ -584,8 +579,6 @@ FILES
[email protected]@ -580,8 +575,6 @@ FILES
  
       /etc/ssh/ssh_host_key.pub
       /etc/ssh/ssh_host_dsa_key.pub
@@ -1881,9 +1491,9 @@
               These files contain the public parts of the host keys.  These
               files should be world-readable but writable only by root.  Their
 diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8	2015-04-10 02:43:51.068793178 -0700
-+++ new/sshd.8	2015-04-10 02:43:51.186397825 -0700
[email protected]@ -175,8 +175,6 @@ The default is
+--- old/sshd.8	2015-12-10 12:36:52.040393250 -0800
++++ new/sshd.8	2015-12-10 12:40:30.706984900 -0800
[email protected]@ -172,8 +172,6 @@ The default is
  .Pa /etc/ssh/ssh_host_key
  for protocol version 1, and
  .Pa /etc/ssh/ssh_host_dsa_key ,
@@ -1892,16 +1502,16 @@
  and
  .Pa /etc/ssh/ssh_host_rsa_key
  for protocol version 2.
[email protected]@ -281,7 +279,7 @@ though this can be changed via the
[email protected]@ -275,7 +273,7 @@ though this can be changed via the
  .Cm Protocol
  option in
  .Xr sshd_config 4 .
--Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+-Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
 +Protocol 2 supports DSA and RSA keys;
  protocol 1 only supports RSA keys.
  For both protocols,
  each host has a host-specific key,
[email protected]@ -492,10 +490,6 @@ protocol version 1; the
[email protected]@ -491,10 +489,6 @@ protocol version 1; the
  comment field is not used for anything (but may be convenient for the
  user to identify the key).
  For protocol version 2 the keytype is
@@ -1912,7 +1522,7 @@
  .Dq ssh-dss
  or
  .Dq ssh-rsa .
[email protected]@ -507,8 +501,6 @@ keys up to 16 kilobits.
[email protected]@ -506,8 +500,6 @@ keys up to 16 kilobits.
  You don't want to type them in; instead, copy the
  .Pa identity.pub ,
  .Pa id_dsa.pub ,
@@ -1921,16 +1531,16 @@
  or the
  .Pa id_rsa.pub
  file and edit it.
[email protected]@ -808,7 +800,7 @@ secret, but the recommended permissions 
[email protected]@ -807,7 +799,7 @@ secret, but the recommended permissions 
  and not accessible by others.
  .Pp
  .It Pa ~/.ssh/authorized_keys
--Lists the public keys (DSA, ECDSA, ED25519, RSA)
+-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
 +Lists the public keys (DSA, RSA)
  that can be used for logging in as this user.
  The format of this file is described above.
  The content of the file is not highly sensitive, but the recommended
[email protected]@ -888,8 +880,6 @@ rlogin/rsh.
[email protected]@ -881,8 +873,6 @@ rlogin/rsh.
  .Pp
  .It Pa /etc/ssh/ssh_host_key
  .It Pa /etc/ssh/ssh_host_dsa_key
@@ -1939,7 +1549,7 @@
  .It Pa /etc/ssh/ssh_host_rsa_key
  These files contain the private parts of the host keys.
  These files should only be owned by root, readable only by root, and not
[email protected]@ -900,8 +890,6 @@ does not start if these files are group/
[email protected]@ -893,8 +883,6 @@ does not start if these files are group/
  .Pp
  .It Pa /etc/ssh/ssh_host_key.pub
  .It Pa /etc/ssh/ssh_host_dsa_key.pub
@@ -1949,9 +1559,9 @@
  These files contain the public parts of the host keys.
  These files should be world-readable but writable only by
 diff -pur old/sshd.c new/sshd.c
---- old/sshd.c	2015-04-10 02:43:51.101980137 -0700
-+++ new/sshd.c	2015-04-10 02:49:46.274593753 -0700
[email protected]@ -797,7 +797,9 @@ list_hostkey_types(void)
+--- old/sshd.c
++++ new/sshd.c
[email protected]@ -811,7 +811,9 @@ list_hostkey_types(void)
  		case KEY_RSA:
  		case KEY_DSA:
  		case KEY_ECDSA:
@@ -1961,7 +1571,7 @@
  			if (buffer_len(&b) > 0)
  				buffer_append(&b, ",", 1);
  			p = key_ssh_name(key);
[email protected]@ -814,7 +816,9 @@ list_hostkey_types(void)
[email protected]@ -826,7 +828,9 @@ list_hostkey_types(void)
  		case KEY_RSA_CERT:
  		case KEY_DSA_CERT:
  		case KEY_ECDSA_CERT:
@@ -1971,7 +1581,7 @@
  			if (buffer_len(&b) > 0)
  				buffer_append(&b, ",", 1);
  			p = key_ssh_name(key);
[email protected]@ -842,7 +846,9 @@ get_hostkey_by_type(int type, int need_p
[email protected]@ -852,7 +856,9 @@ get_hostkey_by_type(int type, int nid, i
  		case KEY_RSA_CERT:
  		case KEY_DSA_CERT:
  		case KEY_ECDSA_CERT:
@@ -1981,59 +1591,113 @@
  			key = sensitive_data.host_certificates[i];
  			break;
  		default:
[email protected]@ -1719,7 +1725,9 @@ main(int ac, char **av)
[email protected]@ -1810,7 +1816,9 @@ main(int ac, char **av)
  		case KEY_RSA:
  		case KEY_DSA:
  		case KEY_ECDSA:
 +#ifndef WITHOUT_ED25519
  		case KEY_ED25519:
 +#endif /* WITHOUT_ED25519 */
- 			sensitive_data.have_ssh2_key = 1;
+ 			if (have_agent || key != NULL)
+ 				sensitive_data.have_ssh2_key = 1;
  			break;
- 		}
[email protected]@ -2501,7 +2509,9 @@ do_ssh2_kex(void)
- 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
- 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
[email protected]@ -2646,7 +2654,9 @@ do_ssh2_kex(void)
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ # endif
+ #endif
 +#ifndef WITHOUT_ED25519
  	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#endif /* WITHOUT_ED25519 */
- 	kex->server = 1;
- 	kex->client_version_string=client_version_string;
- 	kex->server_version_string=server_version_string;
-Only in new: sshd.c.orig
-Only in new: sshd.c.rej
+ #ifdef GSSAPI
+ 	if (options.gss_keyex) {
+ 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
 diff -pur old/sshd_config.0 new/sshd_config.0
---- old/sshd_config.0	2014-01-29 17:52:48.000000000 -0800
-+++ new/sshd_config.0	2015-04-10 02:43:51.188313577 -0700
[email protected]@ -332,12 +332,11 @@ DESCRIPTION
+--- old/sshd_config.0
++++ new/sshd_config.0
[email protected]@ -403,13 +403,8 @@ DESCRIPTION
+              specified key types will be appended to the default set instead
+              of replacing them.  The default for this option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+ 
+              The -Q option of ssh(1) may be used to list supported key types.
+ 
[email protected]@ -438,8 +433,7 @@ DESCRIPTION
       HostKey
               Specifies a file containing a private host key used by SSH.  The
               default is /etc/ssh/ssh_host_key for protocol version 1, and
 -             /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
 -             /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-+             /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
-              protocol version 2.  Note that sshd(8) will refuse to use a file
-              if it is group/world-accessible.  It is possible to have multiple
-              host key files.  ``rsa1'' keys are used for version 1 and
--             ``dsa'', ``ecdsa'', ``ed25519'' or ``rsa'' are used for version 2
-+             ``dsa'' or ``rsa'' are used for version 2
-              of the SSH protocol.  It is also possible to specify public host
-              key files instead.  In this case operations on the private key
-              will be delegated to an ssh-agent(1).
[email protected]@ -399,8 +398,6 @@ DESCRIPTION
-              Specifies the available KEX (Key Exchange) algorithms.  Multiple
-              algorithms must be comma-separated.  The default is
++             /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_rsa_key for
+              protocol version 2.
+ 
+              Note that sshd(8) will refuse to use a file if it is group/world-
[email protected]@ -447,7 +441,7 @@ DESCRIPTION
+              of the keys are actually used by sshd(8).
+ 
+              It is possible to have multiple host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
+-             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
++             used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] are
+              used for version 2 of the SSH protocol.  It is also possible to
+              specify public host key files instead.  In this case operations
+              on the private key will be delegated to an ssh-agent(1).
[email protected]@ -462,13 +456,8 @@ DESCRIPTION
+              Specifies the protocol version 2 host key algorithms that the
+              server offers.  The default for this option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+ 
+              The list of available key types may also be obtained using the -Q
+              option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
[email protected]@ -532,7 +521,6 @@ DESCRIPTION
+              will be appended to the default set instead of replacing them.
+              The supported algorithms are:
+ 
+-                   [email protected]
+                    diffie-hellman-group1-sha1
+                    diffie-hellman-group14-sha1
+                    diffie-hellman-group-exchange-sha1
[email protected]@ -543,7 +531,6 @@ DESCRIPTION
+ 
+              The default is:
  
 -                   [email protected],
--                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                     diffie-hellman-group-exchange-sha256,
-                    diffie-hellman-group-exchange-sha1,
-                    diffie-hellman-group14-sha1,
+                    diffie-hellman-group14-sha1
[email protected]@ -787,13 +774,8 @@ DESCRIPTION
+              specified key types will be appended to the default set instead
+              of replacing them.  The default for this option is:
+ 
+-                [email protected],
+-                [email protected],
+-                [email protected],
+-                [email protected],
+                 [email protected],
+-                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-                ssh-ed25519,ssh-rsa
++                ssh-rsa
+ 
+              The -Q option of ssh(1) may be used to list supported key types.
+ 
 diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5	2015-04-10 02:43:51.078482159 -0700
-+++ new/sshd_config.5	2015-04-10 02:43:51.189013912 -0700
[email protected]@ -540,8 +540,6 @@ The default is
+--- old/sshd_config.5
++++ new/sshd_config.5
[email protected]@ -712,8 +712,6 @@ The default is
  .Pa /etc/ssh/ssh_host_key
  for protocol version 1, and
  .Pa /etc/ssh/ssh_host_dsa_key ,
@@ -2042,7 +1706,7 @@
  and
  .Pa /etc/ssh/ssh_host_rsa_key
  for protocol version 2.
[email protected]@ -552,8 +550,6 @@ It is possible to have multiple host key
[email protected]@ -730,8 +728,6 @@ It is possible to have multiple host key
  .Dq rsa1
  keys are used for version 1 and
  .Dq dsa ,
@@ -2051,30 +1715,426 @@
  or
  .Dq rsa
  are used for version 2 of the SSH protocol.
[email protected]@ -663,8 +659,6 @@ Specifies the available KEX (Key Exchang
- Multiple algorithms must be comma-separated.
- The default is
[email protected]@ -878,8 +874,6 @@ The supported algorithms are:
+ .Pp
+ .Bl -item -compact -offset indent
+ .It
[email protected]
+-.It
+ diffie-hellman-group1-sha1
+ .It
+ diffie-hellman-group14-sha1
[email protected]@ -897,7 +891,6 @@ ecdh-sha2-nistp521
+ .Pp
+ The default is:
  .Bd -literal -offset indent
 [email protected],
--ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
  diffie-hellman-group-exchange-sha256,
- diffie-hellman-group-exchange-sha1,
- diffie-hellman-group14-sha1,
-Only in new: sshd_config.5.orig
-diff -pur old/verify.c new/verify.c
---- old/verify.c	2014-01-16 17:43:44.000000000 -0800
-+++ new/verify.c	2015-04-10 02:43:51.189372783 -0700
[email protected]@ -9,6 +9,8 @@
+ diffie-hellman-group14-sha1
+diff -pur old/sshkey.c new/sshkey.c
+--- old/sshkey.c
++++ new/sshkey.c
[email protected]@ -85,9 +85,11 @@ struct keytype {
+ 	int cert;
+ };
+ static const struct keytype keytypes[] = {
++#ifndef WITHOUT_ED25519
+ 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
+ 	{ "[email protected]", "ED25519-CERT",
+ 	    KEY_ED25519_CERT, 0, 1 },
++#endif /* WITHOUT_ED25519 */
+ #ifdef WITH_OPENSSL
+ 	{ NULL, "RSA1", KEY_RSA1, 0, 0 },
+ 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
[email protected]@ -278,8 +280,10 @@ sshkey_size(const struct sshkey *k)
+ 	case KEY_ECDSA_CERT:
+ 		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		return 256;	/* XXX */
+ 	}
+ 	return 0;
[email protected]@ -292,7 +296,9 @@ sshkey_type_is_valid_ca(int type)
+ 	case KEY_RSA:
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
++#endif /* WITHOUT_ED25519 */
+ 		return 1;
+ 	default:
+ 		return 0;
[email protected]@ -318,8 +324,10 @@ sshkey_type_plain(int type)
+ 		return KEY_DSA;
+ 	case KEY_ECDSA_CERT:
+ 		return KEY_ECDSA;
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		return KEY_ED25519;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return type;
+ 	}
[email protected]@ -472,8 +480,10 @@ sshkey_new(int type)
+ 	k->dsa = NULL;
+ 	k->rsa = NULL;
+ 	k->cert = NULL;
++#ifndef WITHOUT_ED25519
+ 	k->ed25519_sk = NULL;
+ 	k->ed25519_pk = NULL;
++#endif /* WITHOUT_ED25519 */
+ 	switch (k->type) {
+ #ifdef WITH_OPENSSL
+ 	case KEY_RSA1:
[email protected]@ -508,10 +518,12 @@ sshkey_new(int type)
+ 		/* Cannot do anything until we know the group */
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		/* no need to prealloc */
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -558,10 +570,12 @@ sshkey_add_private(struct sshkey *k)
+ 		/* Cannot do anything until we know the group */
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		/* no need to prealloc */
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -613,6 +627,7 @@ sshkey_free(struct sshkey *k)
+ 		break;
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		if (k->ed25519_pk) {
[email protected]@ -626,6 +641,7 @@ sshkey_free(struct sshkey *k)
+ 			k->ed25519_sk = NULL;
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		break;
+ 	default:
[email protected]@ -703,10 +719,12 @@ sshkey_equal_public(const struct sshkey
+ 		return 1;
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
+ 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return 0;
+ 	}
[email protected]@ -749,7 +767,9 @@ to_blob_buf(const struct sshkey *key, st
+ 	case KEY_ECDSA_CERT:
+ 	case KEY_RSA_CERT:
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 		/* Use the existing blob */
+ 		/* XXX modified flag? */
+ 		if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
[email protected]@ -786,6 +806,7 @@ to_blob_buf(const struct sshkey *key, st
+ 			return ret;
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		if (key->ed25519_pk == NULL)
+ 			return SSH_ERR_INVALID_ARGUMENT;
[email protected]@ -794,6 +815,7 @@ to_blob_buf(const struct sshkey *key, st
+ 		    key->ed25519_pk, ED25519_PK_SZ)) != 0)
+ 			return ret;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_KEY_TYPE_UNKNOWN;
+ 	}
[email protected]@ -1267,11 +1289,13 @@ sshkey_read(struct sshkey *ret, char **c
+ 	case KEY_RSA:
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
+-	case KEY_ED25519:
++#ifndef WITHOUT_ED25519
++ 	case KEY_ED25519:
++	case KEY_ED25519_CERT:
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_DSA_CERT:
+ 	case KEY_ECDSA_CERT:
+ 	case KEY_RSA_CERT:
+-	case KEY_ED25519_CERT:
+ 		space = strchr(cp, ' ');
+ 		if (space == NULL)
+ 			return SSH_ERR_INVALID_FORMAT;
[email protected]@ -1363,6 +1387,7 @@ sshkey_read(struct sshkey *ret, char **c
+ 		}
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 		if (sshkey_type_plain(ret->type) == KEY_ED25519) {
+ 			free(ret->ed25519_pk);
+ 			ret->ed25519_pk = k->ed25519_pk;
[email protected]@ -1371,6 +1396,7 @@ sshkey_read(struct sshkey *ret, char **c
+ 			/* XXX */
+ #endif
+ 		}
++#endif /* WITHOUT_ED25519 */
+ 		retval = 0;
+ /*XXXX*/
+ 		sshkey_free(k);
[email protected]@ -1662,7 +1688,8 @@ sshkey_generate(int type, u_int bits, st
+ 	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
+ 		return SSH_ERR_ALLOC_FAIL;
+ 	switch (type) {
+-	case KEY_ED25519:
++#ifndef WITHOUT_ED25519
++		case KEY_ED25519:
+ 		if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
+ 		    (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
+ 			ret = SSH_ERR_ALLOC_FAIL;
[email protected]@ -1671,6 +1698,7 @@ sshkey_generate(int type, u_int bits, st
+ 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
+ 		ret = 0;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ #ifdef WITH_OPENSSL
+ 	case KEY_DSA:
+ 		ret = dsa_generate_private_key(bits, &k->dsa);
[email protected]@ -1806,6 +1834,7 @@ sshkey_from_private(const struct sshkey
+ 		}
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		if ((n = sshkey_new(k->type)) == NULL)
[email protected]@ -1818,6 +1847,7 @@ sshkey_from_private(const struct sshkey
+ 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_KEY_TYPE_UNKNOWN;
+ 	}
[email protected]@ -2084,6 +2114,7 @@ sshkey_from_blob_internal(struct sshbuf
+ 		break;
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		/* Skip nonce */
+ 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
[email protected]@ -2105,6 +2136,7 @@ sshkey_from_blob_internal(struct sshbuf
+ 		key->ed25519_pk = pk;
+ 		pk = NULL;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		if ((key = sshkey_new(type)) == NULL) {
+ 			ret = SSH_ERR_ALLOC_FAIL;
[email protected]@ -2197,9 +2229,11 @@ sshkey_sign(const struct sshkey *key,
+ 	case KEY_RSA:
+ 		return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_KEY_TYPE_UNKNOWN;
+ 	}
[email protected]@ -2229,9 +2263,11 @@ sshkey_verify(const struct sshkey *key,
+ 	case KEY_RSA:
+ 		return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 	case KEY_ED25519_CERT:
+ 		return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_KEY_TYPE_UNKNOWN;
+ 	}
[email protected]@ -2255,8 +2291,10 @@ sshkey_demote(const struct sshkey *k, st
+ 	pk->dsa = NULL;
+ 	pk->ecdsa = NULL;
+ 	pk->rsa = NULL;
++#ifndef WITHOUT_ED25519
+ 	pk->ed25519_pk = NULL;
+ 	pk->ed25519_sk = NULL;
++#endif /* WITHOUT_ED25519 */
  
- #include "crypto_api.h"
+ 	switch (k->type) {
+ #ifdef WITH_OPENSSL
[email protected]@ -2306,6 +2344,7 @@ sshkey_demote(const struct sshkey *k, st
+ 		break;
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
+ 			goto fail;
[email protected]@ -2319,6 +2358,7 @@ sshkey_demote(const struct sshkey *k, st
+ 			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+ 		}
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		ret = SSH_ERR_KEY_TYPE_UNKNOWN;
+  fail:
[email protected]@ -2347,9 +2387,11 @@ sshkey_to_certified(struct sshkey *k)
+ 		newtype = KEY_ECDSA_CERT;
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		newtype = KEY_ED25519_CERT;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 	}
[email protected]@ -2428,11 +2470,13 @@ sshkey_certify(struct sshkey *k, struct
+ 			goto out;
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519_CERT:
+ 		if ((ret = sshbuf_put_string(cert,
+ 		    k->ed25519_pk, ED25519_PK_SZ)) != 0)
+ 			goto out;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		ret = SSH_ERR_INVALID_ARGUMENT;
+ 		goto out;
[email protected]@ -2607,6 +2651,7 @@ sshkey_private_serialize(const struct ss
+ 		break;
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		if ((r = sshbuf_put_string(b, key->ed25519_pk,
+ 		    ED25519_PK_SZ)) != 0 ||
[email protected]@ -2626,6 +2671,7 @@ sshkey_private_serialize(const struct ss
+ 		    ED25519_SK_SZ)) != 0)
+ 			goto out;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		r = SSH_ERR_INVALID_ARGUMENT;
+ 		goto out;
[email protected]@ -2750,6 +2796,7 @@ sshkey_private_deserialize(struct sshbuf
+ 			goto out;
+ 		break;
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		if ((k = sshkey_new_private(type)) == NULL) {
+ 			r = SSH_ERR_ALLOC_FAIL;
[email protected]@ -2780,6 +2827,7 @@ sshkey_private_deserialize(struct sshbuf
+ 		k->ed25519_sk = ed25519_sk;
+ 		ed25519_pk = ed25519_sk = NULL;
+ 		break;
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		r = SSH_ERR_KEY_TYPE_UNKNOWN;
+ 		goto out;
[email protected]@ -3545,9 +3593,11 @@ sshkey_private_to_fileblob(struct sshkey
+ 		return sshkey_private_pem_to_blob(key, blob,
+ 		    passphrase, comment);
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		return sshkey_private_to_blob2(key, blob, passphrase,
+ 		    comment, new_format_cipher, new_format_rounds);
++#endif /* WITHOUT_ED25519 */
+ 	default:
+ 		return SSH_ERR_KEY_TYPE_UNKNOWN;
+ 	}
[email protected]@ -3853,9 +3903,11 @@ sshkey_parse_private_fileblob_type(struc
+ 		return sshkey_parse_private_pem_fileblob(blob, type,
+ 		    passphrase, keyp);
+ #endif /* WITH_OPENSSL */
++#ifndef WITHOUT_ED25519
+ 	case KEY_ED25519:
+ 		return sshkey_parse_private2(blob, type, passphrase,
+ 		    keyp, commentp);
++#endif /* WITHOUT_ED25519 */
+ 	case KEY_UNSPEC:
+ 		if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
+ 		    commentp)) == 0)
+diff -pur old/sshkey.h new/sshkey.h
+--- old/sshkey.h
++++ new/sshkey.h
[email protected]@ -57,11 +57,15 @@ enum sshkey_types {
+ 	KEY_RSA,
+ 	KEY_DSA,
+ 	KEY_ECDSA,
+-	KEY_ED25519,
++#ifndef WITHOUT_ED25519
++ 	KEY_ED25519,
++#endif /* WITHOUT_ED25519 */
+ 	KEY_RSA_CERT,
+ 	KEY_DSA_CERT,
+ 	KEY_ECDSA_CERT,
++#ifndef WITHOUT_ED25519
+ 	KEY_ED25519_CERT,
++#endif /* WITHOUT_ED25519 */
+ 	KEY_NULL,
+ 	KEY_UNSPEC
+ };
[email protected]@ -104,13 +108,17 @@ struct sshkey {
+ 	DSA	*dsa;
+ 	int	 ecdsa_nid;	/* NID of curve */
+ 	EC_KEY	*ecdsa;
++#ifndef WITHOUT_ED25519
+ 	u_char	*ed25519_sk;
+ 	u_char	*ed25519_pk;
++#endif /* WITHOUT_ED25519 */
+ 	struct sshkey_cert *cert;
+ };
  
 +#ifndef WITHOUT_ED25519
-+
- int crypto_verify_32(const unsigned char *x,const unsigned char *y)
- {
-   unsigned int differentbits = 0;
[email protected]@ -47,3 +49,4 @@ int crypto_verify_32(const unsigned char
-   F(31)
-   return (1 & ((differentbits - 1) >> 8)) - 1;
- }
+ #define	ED25519_SK_SZ	crypto_sign_ed25519_SECRETKEYBYTES
+ #define	ED25519_PK_SZ	crypto_sign_ed25519_PUBLICKEYBYTES
 +#endif /* WITHOUT_ED25519 */
+ 
+ struct sshkey	*sshkey_new(int);
+ int		 sshkey_add_private(struct sshkey *);
[email protected]@ -208,11 +216,13 @@ int ssh_ecdsa_sign(const struct sshkey *
+ int ssh_ecdsa_verify(const struct sshkey *key,
+     const u_char *signature, size_t signaturelen,
+     const u_char *data, size_t datalen, u_int compat);
++#ifndef WITHOUT_ED25519
+ int ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+     const u_char *data, size_t datalen, u_int compat);
+ int ssh_ed25519_verify(const struct sshkey *key,
+     const u_char *signature, size_t signaturelen,
+     const u_char *data, size_t datalen, u_int compat);
++#endif /* WITHOUT_ED25519 */
+ #endif
+ 
+ #if !defined(WITH_OPENSSL)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/025-login_to_a_role.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,185 @@
+#
+# Enable login to a role for hostbased authentication if allowed by PAM.
+#
+# Sets PAM_AUSER item to user who is asserting a new identity before
+# calling do_pam_account(). Implemented using existing static variable
+# hostbased_cuser. The change is protected by new HAVE_PAM_AUSER ifdef-guard,
+# which is set to defined on Solaris.
+#
+# Patch offered upstream:
+#     https://bugzilla.mindrot.org/show_bug.cgi?id=2378
+#
+diff -pur old/auth-pam.c new/auth-pam.c
+--- old/auth-pam.c	2015-05-21 04:08:41.910932322 -0700
++++ new/auth-pam.c	2015-05-21 04:08:42.024831668 -0700
[email protected]@ -1038,6 +1038,20 @@ do_pam_account(void)
+ 	return (sshpam_account_status);
+ }
+ 
++#ifdef HAVE_PAM_AUSER
++void
++do_pam_set_auser(const char* auser)
++{
++	if (auser != NULL) {
++		debug("PAM: setting PAM_AUSER to \"%s\"", auser);
++		sshpam_err = pam_set_item(sshpam_handle, PAM_AUSER, auser);
++		if (sshpam_err != PAM_SUCCESS)
++			error("PAM: failed to set PAM_AUSER: %s",
++			    pam_strerror(sshpam_handle, sshpam_err));
++	}
++}
++#endif
++
+ void
+ do_pam_set_tty(const char *tty)
+ {
+diff -pur old/auth-pam.h new/auth-pam.h
+--- old/auth-pam.h	2015-03-16 22:49:20.000000000 -0700
++++ new/auth-pam.h	2015-05-21 04:08:42.025160216 -0700
[email protected]@ -35,6 +35,9 @@ void start_pam(Authctxt *);
+ void finish_pam(void);
+ u_int do_pam_account(void);
+ void do_pam_session(void);
++#ifdef HAVE_PAM_AUSER
++void do_pam_set_auser(const char *);
++#endif
+ void do_pam_set_tty(const char *);
+ void do_pam_setcred(int );
+ void do_pam_chauthtok(void);
+diff -pur old/auth.h new/auth.h
+--- old/auth.h	2015-05-21 04:08:41.911346027 -0700
++++ new/auth.h	2015-05-21 04:08:42.025504068 -0700
[email protected]@ -84,6 +84,9 @@ struct Authctxt {
+ #ifdef PAM_ENHANCEMENT
+         char            *authmethod_name;
+ #endif 
++#ifdef HAVE_PAM_AUSER
++	char		*auser;
++#endif 
+ };
+ /*
+  * Every authentication method has to handle authentication requests for
+diff -pur old/auth2-hostbased.c new/auth2-hostbased.c
+--- old/auth2-hostbased.c	2015-03-16 22:49:20.000000000 -0700
++++ new/auth2-hostbased.c	2015-05-21 04:08:42.026208843 -0700
[email protected]@ -85,6 +85,9 @@ userauth_hostbased(Authctxt *authctxt)
+ 	buffer_dump(&b);
+ 	buffer_free(&b);
+ #endif
++#ifdef HAVE_PAM_AUSER
++	authctxt->auser = NULL;
++#endif
+ 	pktype = key_type_from_name(pkalg);
+ 	if (pktype == KEY_UNSPEC) {
+ 		/* this is perfectly legal */
[email protected]@ -143,6 +146,13 @@ userauth_hostbased(Authctxt *authctxt)
+ 			buffer_len(&b))) == 1)
+ 		authenticated = 1;
+ 
++#ifdef HAVE_PAM_AUSER
++	if (authenticated) {
++		authctxt->auser = cuser;
++		cuser = NULL;
++	}
++#endif
++
+ 	buffer_free(&b);
+ done:
+ 	debug2("userauth_hostbased: authenticated %d", authenticated);
+diff -pur old/auth2.c new/auth2.c
+--- old/auth2.c	2015-05-21 04:08:41.947286493 -0700
++++ new/auth2.c	2015-05-21 04:08:42.026846014 -0700
[email protected]@ -339,6 +339,14 @@ userauth_finish(Authctxt *authctxt, int
+ #endif
+ 	}
+ 
++#ifdef HAVE_PAM_AUSER
++	if (!use_privsep) {
++		do_pam_set_auser(authctxt->auser);
++		free(authctxt->auser);
++		authctxt->auser = NULL;	
++	}
++#endif
++
+ 	if (authenticated && options.num_auth_methods != 0) {
+ 
+ #if defined(USE_PAM) && defined(PAM_ENHANCEMENT)
+diff -pur old/config.h.in new/config.h.in
+--- old/config.h.in	2015-05-21 04:08:41.938119429 -0700
++++ new/config.h.in	2015-05-21 04:08:42.027796887 -0700
[email protected]@ -827,6 +827,9 @@
+ /* Define if you have Digital Unix Security Integration Architecture */
+ #undef HAVE_OSF_SIA
+ 
++/* Define if you have PAM_AUSER PAM item */
++#undef HAVE_PAM_AUSER
++
+ /* Define to 1 if you have the `pam_getenvlist' function. */
+ #undef HAVE_PAM_GETENVLIST
+ 
+diff -pur old/configure new/configure
+--- old/configure	2015-05-21 04:08:41.952127851 -0700
++++ new/configure	2015-05-21 04:09:34.214165539 -0700
[email protected]@ -10872,6 +10872,7 @@ fi
+ cat >>confdefs.h <<\_ACEOF
+ #define	USE_GSS_STORE_CRED 1
+ #define	GSSAPI_STORECREDS_NEEDS_RUID 1
++#define HAVE_PAM_AUSER 1
+ _ACEOF
+ 
+ 	TEST_SHELL=$SHELL	# let configure find us a capable shell
+diff -pur old/configure.ac new/configure.ac
+--- old/configure.ac	2015-05-21 04:08:41.886514252 -0700
++++ new/configure.ac	2015-05-21 04:08:42.052981088 -0700
[email protected]@ -904,6 +904,7 @@ mips-sony-bsd|mips-sony-newsos4)
+ 	TEST_SHELL=$SHELL	# let configure find us a capable shell
+         AC_DEFINE([USE_GSS_STORE_CRED])
+         AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
++        AC_DEFINE([HAVE_PAM_AUSER])
+ 	;;
+ *-*-sunos4*)
+ 	CPPFLAGS="$CPPFLAGS -DSUNOS4"
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c	2015-05-21 04:08:41.964048305 -0700
++++ new/monitor.c	2015-05-21 04:08:42.054374639 -0700
[email protected]@ -461,6 +461,12 @@ monitor_child_preauth(Authctxt *_authctx
+ 		}
+ 	}
+ 
++#if defined(HAVE_PAM_AUSER) && defined(USE_PAM)
++	if (hostbased_cuser != NULL) {
++		free(hostbased_cuser);
++		hostbased_cuser = NULL;
++	}
++#endif
+ 	if (!authctxt->valid)
+ 		fatal("%s: authenticated invalid user", __func__);
+ 	if (strcmp(auth_method, "unknown") == 0)
[email protected]@ -694,12 +700,14 @@ monitor_reset_key_state(void)
+ {
+ 	/* reset state */
+ 	free(key_blob);
++#if !defined(HAVE_PAM_AUSER) || !defined(USE_PAM)
+ 	free(hostbased_cuser);
++	hostbased_cuser = NULL;
++#endif
+ 	free(hostbased_chost);
+ 	key_blob = NULL;
+ 	key_bloblen = 0;
+ 	key_blobtype = MM_NOKEY;
+-	hostbased_cuser = NULL;
+ 	hostbased_chost = NULL;
+ }
+ 
[email protected]@ -1146,6 +1154,11 @@ mm_answer_pam_account(int sock, Buffer *
+ 	if (!options.use_pam)
+ 		fatal("UsePAM not set, but ended up in %s anyway", __func__);
+ 
++#ifdef HAVE_PAM_AUSER
++	if (hostbased_cuser != NULL)
++		do_pam_set_auser(hostbased_cuser);
++#endif
++
+ 	ret = do_pam_account();
+ 
+ 	buffer_put_int(m, ret);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/029-disable-redundant-pam_setcred.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,34 @@
+# This issue has been raised with the upstream OpenSSH community:
+#
+# 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
+#      platforms
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2426
+#
+# The OpenSSH maintainers added a call to do_pam_setcred() in
+# platform_setusercontext_post_groups() with no corresponding bugID along with
+# a befuddling comment that initgroups(3C) wipes out supplementary groups:
+#
+#https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
+#
+# This only applies in the Linux world if the LinuxPAM pam_group(8) module
+# has been installed and configured which allows one to assign additional
+# secondary groups to a user using /etc/security/group.conf in addition to
+# /etc/group.  To confuse things a bit more, there is an OpenPAM PAM module
+# of the same name, pam_group(8), which has different functionality, it
+# performs access control based on group membership.
+#
+# In short, this additional call to do_pam_setcred() is Linux-specific and
+# shouldn't be called on Solaris.
+#
+diff -pur old/platform.c new/platform.c
+--- old/platform.c	2015-07-02 04:21:38.155790601 -0700
++++ new/platform.c	2015-07-02 05:11:06.302125686 -0700
[email protected]@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p
+ void
+ platform_setusercontext_post_groups(struct passwd *pw)
+ {
+-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
++#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
+ 	/*
+ 	 * PAM credentials may take the form of supplementary groups.
+ 	 * These will have been wiped by the above initgroups() call.
--- a/components/openssh/patches/030-auth_limits_bypass_fix.patch	Thu Jan 14 09:14:14 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-#
-# This is to fix a keyboard-interactive authentication brute force
-# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
-# reserved for this problem, but not officially issued yet. This fix came from
-# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
-# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
-#
---- a/auth2-chall.c	Mon Aug  3 15:25:43 2015
-+++ b/auth2-chall.c	Mon Aug  3 15:28:17 2015
[email protected]@ -82,6 +82,7 @@
- 	void *ctxt;
- 	KbdintDevice *device;
- 	u_int nreq;
-+	u_int devices_done;
- };
- 
- #ifdef USE_PAM
[email protected]@ -168,11 +169,15 @@
- 		if (len == 0)
- 			break;
- 		for (i = 0; devices[i]; i++) {
--			if (!auth2_method_allowed(authctxt,
-+			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+			    !auth2_method_allowed(authctxt,
- 			    "keyboard-interactive", devices[i]->name))
- 				continue;
--			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+			if (strncmp(kbdintctxt->devices, devices[i]->name,
-+			    len) == 0) {
- 				kbdintctxt->device = devices[i];
-+				kbdintctxt->devices_done |= 1 << i;
-+			}
- 		}
- 		t = kbdintctxt->devices;
- 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/031-per_session_xauthfile.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,191 @@
+#
+# This patch is to fix a X11 connection failure when a user's home directory
+# is read-only. 
+#
+# We have contributed back this fix to the OpenSSH upstream community. For
+# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2440
+# In the future, if this fix is accepted by the upsteam in a later release, we
+# will remove this patch when we upgrade to that release.
+#
+--- orig/session.c	Thu Jul 30 10:35:15 2015
++++ new/session.c	Tue Aug  4 11:29:22 2015
[email protected]@ -62,6 +62,10 @@
+ #include <unistd.h>
+ #include <limits.h>
+ 
++#ifdef PER_SESSION_XAUTHFILE
++#include <libgen.h>
++#endif
++
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "ssh.h"
[email protected]@ -132,6 +136,11 @@
+ 
+ static int session_pty_req(Session *);
+ 
++#ifdef PER_SESSION_XAUTHFILE
++void   session_xauthfile_cleanup(Session *);
++void   cleanup_all_session_xauthfile();
++#endif
++
+ /* import */
+ extern ServerOptions options;
+ extern char *__progname;
[email protected]@ -1218,6 +1227,11 @@
+ 	if (getenv("TZ"))
+ 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ 
++#ifdef PER_SESSION_XAUTHFILE
++        if (s->auth_file != NULL)
++                child_set_env(&env, &envsize, "XAUTHORITY", s->auth_file);
++#endif
++
+ 	/* Set custom environment options from RSA authentication. */
+ 	if (!options.use_login) {
+ 		while (custom_environment) {
[email protected]@ -2170,6 +2184,11 @@
+ {
+ 	int success;
+ 
++#ifdef PER_SESSION_XAUTHFILE
++	int fd;
++        char xauthdir[] = "/tmp/ssh-xauth-XXXXXX";
++#endif
++
+ 	if (s->auth_proto != NULL || s->auth_data != NULL) {
+ 		error("session_x11_req: session %d: "
+ 		    "x11 forwarding already active", s->self);
[email protected]@ -2188,6 +2207,48 @@
+ 		s->auth_proto = NULL;
+ 		s->auth_data = NULL;
+ 	}
++
++#ifdef PER_SESSION_XAUTHFILE
++	/*
++	 * Create per session X authority file in the /tmp directory.
++	 *
++	 * If mkdtemp() or open() fails then s->auth_file remains NULL which
++	 * means that we won't set XAUTHORITY variable in child's environment
++	 * and xauth(1) will use the default location for the authority file.
++	 */
++	if (mkdtemp(xauthdir) != NULL) {
++		s->auth_file = xmalloc(MAXPATHLEN);
++		snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile",
++		    xauthdir);
++		/*
++		 * we don't want that "creating new authority file" message to
++                 * be printed by xauth(1) so we must create that file
++		 * beforehand.
++		 */
++		if ((fd = open(s->auth_file, O_CREAT | O_EXCL | O_RDONLY,
++		    S_IRUSR | S_IWUSR)) == -1) {
++			error("failed to create the temporary X authority "
++			    "file %s: %.100s; will use the default one",
++			    s->auth_file, strerror(errno));
++			free(s->auth_file);
++			s->auth_file = NULL;
++			if (rmdir(xauthdir) == -1) {
++				error("cannot remove xauth directory "
++				    "%s: %.100s", xauthdir, strerror(errno));
++			}
++		} else {
++			close(fd);
++			debug("temporary X authority file %s created",
++			    s->auth_file);
++                        debug("session number = %d", s->self);
++		}
++	}
++	else {
++		error("failed to create a directory for the temporary X "
++		    "authority file: %.100s; will use the default xauth file",
++		    strerror(errno));
++	}
++#endif
+ 	return success;
+ }
+ 
[email protected]@ -2378,6 +2439,50 @@
+ 	PRIVSEP(session_pty_cleanup2(s));
+ }
+ 
++#ifdef PER_SESSION_XAUTHFILE
++/*
++ * We use a different temporary X authority file per session so we should
++ * remove those files when cleanup_exit() is called.
++ */
++void
++session_xauthfile_cleanup(Session *s)
++{
++	if (s == NULL || s->auth_file == NULL) {
++		return;
++	}
++
++	debug("session_xauthfile_cleanup: session %d removing %s", s->self,
++	    s->auth_file);
++
++	if (unlink(s->auth_file) == -1) {
++		error("session_xauthfile_cleanup: cannot remove xauth file: "
++		    "%.100s", strerror(errno));
++		return;
++	}
++
++	/* dirname() will modify s->auth_file but that's ok */
++	if (rmdir(dirname(s->auth_file)) == -1) {
++		error("session_xauthfile_cleanup: "
++		    "cannot remove xauth directory: %.100s", strerror(errno));
++		return;
++	}
++	free(s->auth_file);
++	s->auth_file = NULL;
++}
++
++/*
++ * This is called by do_cleanup() when cleanup_exit() is called. 
++ */
++void
++cleanup_all_session_xauthfile()
++{
++	int i;
++	for (i = 0; i < sessions_nalloc; i++) {
++                session_xauthfile_cleanup(&sessions[i]);
++	}
++}
++#endif
++
+ static char *
+ sig2name(int sig)
+ {
[email protected]@ -2512,6 +2617,9 @@
+ 	free(s->auth_display);
+ 	free(s->auth_data);
+ 	free(s->auth_proto);
++#ifdef PER_SESSION_XAUTHFILE
++	session_xauthfile_cleanup(s);
++#endif
+ 	free(s->subsys);
+ 	if (s->env != NULL) {
+ 		for (i = 0; i < s->num_env; i++) {
[email protected]@ -2763,6 +2871,10 @@
+ 	/* remove agent socket */
+ 	auth_sock_cleanup_proc(authctxt->pw);
+ 
++#ifdef PER_SESSION_XAUTHFILE
++	cleanup_all_session_xauthfile();
++#endif
++
+ 	/*
+ 	 * Cleanup ptys/utmp only if privsep is disabled,
+ 	 * or if running in monitor.
+--- orig/session.h	Thu Jul 30 10:35:12 2015
++++ new/session.h	Tue Aug  4 11:30:04 2015
[email protected]@ -49,6 +49,9 @@
+ 	char	*auth_display;
+ 	char	*auth_proto;
+ 	char	*auth_data;
++#ifdef PER_SESSION_XAUTHFILE
++	char    *auth_file;	/* xauth(1) authority file */
++#endif
+ 	int	single_connection;
+ 
+ 	/* proto 2 */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/032-hang_on_closed_output.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,25 @@
+#
+# Fix possible hang on closed output.
+#
+# When there is a connectivity problem between the server and the client
+# (network outage, server crash or reboot), the client indefinitely hangs.
+#
+# This patch fixes the issue by checking ssh_packet_write_poll return value
+# in ssh_packet_write_wait and passing it through.
+#
+# The (updated) patch has been accepted upstream and will be part of 7.2
+# https://github.com/openssh/openssh-portable/commit/8408218
+#
+diff -pur old/packet.c new/packet.c
+--- old/packet.c
++++ new/packet.c
[email protected]@ -2040,7 +2040,8 @@ ssh_packet_write_wait(struct ssh *ssh)
+ 	    NFDBITS), sizeof(fd_mask));
+ 	if (setp == NULL)
+ 		return SSH_ERR_ALLOC_FAIL;
+-	ssh_packet_write_poll(ssh);
++	if ((r = ssh_packet_write_poll(ssh)) != 0)
++		return r;
+ 	while (ssh_packet_have_data_to_write(ssh)) {
+ 		memset(setp, 0, howmany(state->connection_out + 1,
+ 		    NFDBITS) * sizeof(fd_mask));
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/033-without_cast128.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,108 @@
+#
+# Removes cast128-cbc support.
+#
+# At this moment this algorithm is not listed in Approved Security
+# Technologies: Standards Details at all. Eventually it will be added as
+# deprecated.
+#
+# SunSSH did not support cast128-cbc. In this respect removing cast128-cbc from
+# OpenSSH doesn't constitute a regression in functionality from SunSSH.
+#
+# Interoperability gain provided by cast128-cbc is negligible, because all
+# relevant ssh implementations also provide several more common encryption
+# algorithms (aes256-ctr, aes128-cbc, ...) on top of cast128-cbc.
+#
+# This is a Solaris specific patch and it is not likely to be accepted upstream.
+#
+diff -pur old/cipher.c new/cipher.c
+--- old/cipher.c
++++ new/cipher.c
[email protected]@ -88,8 +88,10 @@ static const struct sshcipher ciphers[]
+ 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ 	{ "blowfish-cbc",
+ 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
++#ifndef WITHOUT_CAST128
+ 	{ "cast128-cbc",
+ 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
++#endif
+ 	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+ 	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+ 	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
+diff -pur old/myproposal.h new/myproposal.h
+--- old/myproposal.h
++++ new/myproposal.h
[email protected]@ -119,9 +119,16 @@
+ 	"aes128-ctr,aes192-ctr,aes256-ctr" \
+ 	AESGCM_CIPHER_MODES
+ 
++#ifdef WITHOUT_CAST128
++# define CAST128
++#else
++# define CAST128 "cast128-cbc"
++#endif
++
+ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
+ 	"arcfour256,arcfour128," \
+-	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
++	"aes128-cbc,3des-cbc,blowfish-cbc," \
++	CAST128 \
+ 	"aes192-cbc,aes256-cbc,arcfour,[email protected]"
+ 
+ #define KEX_SERVER_MAC \
+diff -pur old/ssh.1 new/ssh.1
+--- old/ssh.1	2016-01-20 13:49:25.822403799 -0800
++++ new/ssh.1	2016-01-20 13:52:04.664954014 -0800
[email protected]@ -788,7 +788,7 @@ options (see above).
+ Both protocols support similar authentication methods,
+ but protocol 2 is the default since
+ it provides additional mechanisms for confidentiality
+-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
++(the traffic is encrypted using AES, 3DES, Blowfish, or Arcfour)
+ and integrity (hmac-md5, hmac-sha1,
+ hmac-sha2-256, hmac-sha2-512,
+ umac-64, umac-128, hmac-ripemd160).
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5	2016-01-20 13:49:33.670445077 -0800
++++ new/ssh_config.5	2016-01-20 13:53:00.137039489 -0800
[email protected]@ -408,8 +408,6 @@ arcfour256
+ .It
+ blowfish-cbc
+ .It
+-cast128-cbc
+-.It
+ [email protected]
+ .El
+ .Pp
[email protected]@ -419,7 +417,7 @@ [email protected],
+ aes128-ctr,aes192-ctr,aes256-ctr,
+ [email protected],[email protected],
+ arcfour256,arcfour128,
+-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
++aes128-cbc,3des-cbc,blowfish-cbc,
+ aes192-cbc,aes256-cbc,arcfour
+ .Ed
+ .Pp
+diff -pur old/sshd.8 new/sshd.8
+--- old/sshd.8	2016-01-20 13:49:48.116460059 -0800
++++ new/sshd.8	2016-01-20 13:54:11.984168556 -0800
[email protected]@ -307,7 +307,7 @@ For protocol 2,
+ forward security is provided through a Diffie-Hellman key agreement.
+ This key agreement results in a shared session key.
+ The rest of the session is encrypted using a symmetric cipher, currently
+-128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
++128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
+ The client selects the encryption algorithm
+ to use from those offered by the server.
+ Additionally, session integrity is provided
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5	2016-01-20 13:49:40.842997029 -0800
++++ new/sshd_config.5	2016-01-20 13:53:50.533090678 -0800
[email protected]@ -469,8 +469,6 @@ arcfour256
+ .It
+ blowfish-cbc
+ .It
+-cast128-cbc
+-.It
+ [email protected]
+ .El
+ .Pp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,187 @@
+#
+# Use AI_ADDRCONFIG flag for getaddrinfo() hints where
+# the address family is AF_UNSPEC. See description of AI_ADDRCONFIG
+# in getaddrinfo(3C).
+# 
+# We have contributed back this fix to the OpenSSH upstream community. For
+# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2483
+# In the future, if this fix is accepted by the upsteam in a later release, we
+# will remove this patch when we upgrade to that release.
+#
+--- a/canohost.c	Sun Oct 25 20:11:35 2015
++++ b/canohost.c	Sun Oct 25 20:11:57 2015
[email protected]@ -113,6 +113,10 @@
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = from.ss_family;
+ 	hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ 		logit("reverse mapping checking getaddrinfo for %.700s "
+ 		    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
+--- a/channels.c	Sun Oct 25 19:30:33 2015
++++ b/channels.c	Sun Oct 25 19:54:36 2015
[email protected]@ -2853,8 +2853,12 @@
+ 	 */
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = IPv4or6;
+-	hints.ai_flags = wildcard ? AI_PASSIVE : 0;
+ 	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_flags = wildcard ? AI_PASSIVE : 0;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	snprintf(strport, sizeof strport, "%d", fwd->listen_port);
+ 	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
+ 		if (addr == NULL) {
[email protected]@ -3736,6 +3740,10 @@
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = IPv4or6;
+ 		hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++		if (hints.ai_family == AF_UNSPEC)
++			hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 		snprintf(strport, sizeof strport, "%d", port);
+ 		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
+ 			error("connect_to %.100s: unknown host (%s)", name,
[email protected]@ -3908,8 +3916,12 @@
+ 		port = 6000 + display_number;
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = IPv4or6;
+-		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
+ 		hints.ai_socktype = SOCK_STREAM;
++		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		if (hints.ai_family == AF_UNSPEC)
++			hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 		snprintf(strport, sizeof strport, "%d", port);
+ 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+ 			error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
[email protected]@ -4090,6 +4102,10 @@
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = IPv4or6;
+ 	hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+ 	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
+ 		error("%.100s: unknown host. (%s)", buf,
+--- a/servconf.c	Sun Oct 25 19:39:38 2015
++++ b/servconf.c	Sun Oct 25 19:45:16 2015
[email protected]@ -722,6 +722,10 @@
+ 	hints.ai_family = options->address_family;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	snprintf(strport, sizeof strport, "%d", port);
+ 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+ 		fatal("bad addr or host: %s (%s)",
+--- a/ssh-keyscan.c	Sun Oct 25 19:46:28 2015
++++ b/ssh-keyscan.c	Sun Oct 25 19:54:55 2015
[email protected]@ -326,6 +326,10 @@
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = IPv4or6;
+ 	hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+ 		error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
+ 		return -1;
+--- a/ssh.c	Sun Oct 25 19:49:46 2015
++++ b/ssh.c	Sun Oct 25 19:55:15 2015
[email protected]@ -259,6 +259,10 @@
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	if (cname != NULL)
+ 		hints.ai_flags = AI_CANONNAME;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ 		if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
+ 			loglevel = SYSLOG_LEVEL_ERROR;
[email protected]@ -298,6 +302,10 @@
+ 	    AF_UNSPEC : options.address_family;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ 		debug2("%s: could not resolve name %.100s as address: %s",
+ 		    __func__, name, ssh_gai_strerror(gaierr));
+--- a/sshconnect.c	Sun Oct 25 19:57:46 2015
++++ b/sshconnect.c	Sun Oct 25 19:58:19 2015
[email protected]@ -292,6 +292,10 @@
+ 		hints.ai_socktype = ai->ai_socktype;
+ 		hints.ai_protocol = ai->ai_protocol;
+ 		hints.ai_flags = AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		if (hints.ai_family == AF_UNSPEC)
++			hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 		gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ 		if (gaierr) {
+ 			error("getaddrinfo: %s: %s", options.bind_address,
+--- a/regress/netcat.c	Sun Oct 25 19:59:44 2015
++++ b/regress/netcat.c	Sun Oct 25 20:07:05 2015
[email protected]@ -371,6 +371,10 @@
+ 		hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
+ 		if (nflag)
+ 			hints.ai_flags |= AI_NUMERICHOST;
++#ifdef AI_ADDRCONFIG
++		if (hints.ai_family == AF_UNSPEC)
++			hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	}
+ 
+ 	if (xflag) {
[email protected]@ -399,6 +403,10 @@
+ 		proxyhints.ai_protocol = IPPROTO_TCP;
+ 		if (nflag)
+ 			proxyhints.ai_flags |= AI_NUMERICHOST;
++#ifdef AI_ADDRCONFIG
++		if (proxyhints.ai_family == AF_UNSPEC)
++			proxyhints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	}
+ 
+ 	if (lflag) {
[email protected]@ -673,6 +681,10 @@
+ 			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
+ 			ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
+ 			ahints.ai_flags = AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++			if (ahints.ai_family == AF_UNSPEC)
++				ahints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 			if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
+ 				errx(1, "getaddrinfo: %s", gai_strerror(error));
+ 
[email protected]@ -1422,8 +1434,12 @@
+ 
+ 	bzero(&hints, sizeof(hints));
+ 	hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
+-	hints.ai_flags = numeric ? AI_NUMERICHOST : 0;
+ 	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_flags = numeric ? AI_NUMERICHOST : 0;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	r = getaddrinfo(h, p, &hints, &res);
+ 	/* Don't fatal when attempting to convert a numeric address */
+ 	if (r != 0) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/kexgssc.c	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,347 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * May 22, 2015
+ * In version 6.8 a new packet interface has been introduced to OpenSSH,
+ * while the old packet API has been provided in opacket.c.
+ * At this moment we are not rewritting GSS-API key exchange code to the new
+ * API, just adjusting it to still work with new struct ssh.
+ * Rewritting to the new API can be considered in the future.
+ */
+
+#include "includes.h"
+
+#ifdef GSSAPI
+
+#include "includes.h"
+
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
+#include <signal.h>	/* for sig_atomic_t in kex.h */
+#include <string.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "digest.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+
+#include "ssh-gss.h"
+
+int
+kexgss_client(struct ssh *ssh) {
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
+	Gssctxt *ctxt;
+	OM_uint32 maj_status, min_status, ret_flags;
+	uint_t klen, kout, slen = 0, strlen;
+	DH *dh;
+	BIGNUM *dh_server_pub = NULL;
+	BIGNUM *shared_secret = NULL;
+	BIGNUM *p = NULL;
+	BIGNUM *g = NULL;
+	uchar_t *kbuf;
+	uchar_t *serverhostkey = NULL;
+	uchar_t *empty = "";
+	char *msg;
+	char *lang;
+	int type = 0;
+	int first = 1;
+	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
+	struct kex *kex = ssh->kex;
+	int r;
+	uchar_t hash[SSH_DIGEST_MAX_LENGTH];
+	size_t hashlen;
+
+	/* Initialise our GSSAPI world */
+	ssh_gssapi_build_ctx(&ctxt);
+	if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
+	    == GSS_C_NO_OID)
+		fatal("Couldn't identify host exchange");
+
+	if (ssh_gssapi_import_name(ctxt, kex->gss_host))
+		fatal("Couldn't import hostname");
+
+	switch (kex->kex_type) {
+	case KEX_GSS_GRP1_SHA1:
+		kex->dh = dh_new_group1();
+		break;
+	case KEX_GSS_GRP14_SHA1:
+		kex->dh = dh_new_group14();
+		break;
+	case KEX_GSS_GEX_SHA1:
+		debug("Doing group exchange\n");
+		nbits = dh_estimate(kex->we_need * 8);
+		packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
+		packet_put_int(min);
+		packet_put_int(nbits);
+		packet_put_int(max);
+
+		packet_send();
+
+		packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
+
+		if ((p = BN_new()) == NULL)
+			fatal("BN_new() failed");
+		packet_get_bignum2(p);
+		if ((g = BN_new()) == NULL)
+			fatal("BN_new() failed");
+		packet_get_bignum2(g);
+		packet_check_eom();
+
+		if (BN_num_bits(p) < min || BN_num_bits(p) > max)
+			fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
+			    min, BN_num_bits(p), max);
+
+		kex->dh = dh_new_group(g, p);
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	/* Step 1 - e is dh->pub_key */
+	dh_gen_key(kex->dh, kex->we_need * 8);
+
+	/* This is f, we initialise it now to make life easier */
+	dh_server_pub = BN_new();
+	if (dh_server_pub == NULL)
+		fatal("dh_server_pub == NULL");
+
+	token_ptr = GSS_C_NO_BUFFER;
+
+	do {
+		debug("Calling gss_init_sec_context");
+
+		maj_status = ssh_gssapi_init_ctx(ctxt,
+		    kex->gss_deleg_creds, token_ptr, &send_tok,
+		    &ret_flags);
+
+		if (GSS_ERROR(maj_status)) {
+			if (send_tok.length != 0) {
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+			}
+			fatal("gss_init_context failed");
+		}
+
+		/* If we've got an old receive buffer get rid of it */
+		if (token_ptr != GSS_C_NO_BUFFER)
+			free(recv_tok.value);
+
+		if (maj_status == GSS_S_COMPLETE) {
+			/* If mutual state flag is not true, kex fails */
+			if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+				fatal("Mutual authentication failed");
+
+			/* If integ avail flag is not true kex fails */
+			if (!(ret_flags & GSS_C_INTEG_FLAG))
+				fatal("Integrity check failed");
+		}
+
+		/*
+		 * If we have data to send, then the last message that we
+		 * received cannot have been a 'complete'.
+		 */
+		if (send_tok.length != 0) {
+			if (first) {
+				packet_start(SSH2_MSG_KEXGSS_INIT);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+				packet_put_bignum2(kex->dh->pub_key);
+				first = 0;
+			} else {
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+			}
+			packet_send();
+			gss_release_buffer(&min_status, &send_tok);
+
+			/* If we've sent them data, they should reply */
+			do {
+				type = packet_read();
+				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+					debug("Received KEXGSS_HOSTKEY");
+					if (serverhostkey)
+						fatal("Server host key received"
+						    "more than once");
+					serverhostkey =
+					    packet_get_string(&slen);
+				}
+			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+
+			switch (type) {
+			case SSH2_MSG_KEXGSS_CONTINUE:
+				debug("Received GSSAPI_CONTINUE");
+				if (maj_status == GSS_S_COMPLETE)
+					fatal("GSSAPI Continue received from"
+					    "server when complete");
+				recv_tok.value = packet_get_string(&strlen);
+				recv_tok.length = strlen;
+				break;
+			case SSH2_MSG_KEXGSS_COMPLETE:
+				debug("Received GSSAPI_COMPLETE");
+				packet_get_bignum2(dh_server_pub);
+				msg_tok.value =  packet_get_string(&strlen);
+				msg_tok.length = strlen;
+
+				/* Is there a token included? */
+				if (packet_get_char()) {
+					recv_tok.value=
+					    packet_get_string(&strlen);
+					recv_tok.length = strlen;
+					/* If complete - protocol error */
+					if (maj_status == GSS_S_COMPLETE)
+						packet_disconnect("Protocol"
+						    " error: received token"
+						    " when complete");
+				} else {
+					/* No token included */
+					if (maj_status != GSS_S_COMPLETE)
+						packet_disconnect("Protocol"
+						    " error: did not receive"
+						    " final token");
+				}
+				break;
+			case SSH2_MSG_KEXGSS_ERROR:
+				debug("Received Error");
+				maj_status = packet_get_int();
+				min_status = packet_get_int();
+				msg = packet_get_string(NULL);
+				lang = packet_get_string(NULL);
+				fatal("GSSAPI Error: \n%.400s", msg);
+			default:
+				packet_disconnect("Protocol error: didn't"
+				    " expect packet type %d", type);
+			}
+			token_ptr = &recv_tok;
+		} else {
+			/* No data, and not complete */
+			if (maj_status != GSS_S_COMPLETE)
+				fatal("Not complete, and no token output");
+		}
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
+
+	/*
+	 * We _must_ have received a COMPLETE message in reply from the
+	 * server, which will have set dh_server_pub and msg_tok
+	 */
+
+	if (type != SSH2_MSG_KEXGSS_COMPLETE)
+		fatal("Didn't receive SSH2_MSG_KEXGSS_COMPLETE when expected");
+
+	/* Check f in range [1, p-1] */
+	if (!dh_pub_is_valid(kex->dh, dh_server_pub))
+		packet_disconnect("bad server public DH value");
+
+	/* compute K=f^x mod p */
+	klen = DH_size(kex->dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_server_pub, kex->dh);
+	if (kout < 0)
+		fatal("DH_compute_key: failed");
+
+	shared_secret = BN_new();
+	if (shared_secret == NULL)
+		fatal("kexgss_client: BN_new failed");
+
+	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+		fatal("kexdh_client: BN_bin2bn failed");
+
+	memset(kbuf, 0, klen);
+	free(kbuf);
+
+	hashlen = sizeof (hash);
+	switch (kex->kex_type) {
+	case KEX_GSS_GRP1_SHA1:
+	case KEX_GSS_GRP14_SHA1:
+		kex_dh_hash(kex->client_version_string,
+		    kex->server_version_string,
+		    buffer_ptr(kex->my), buffer_len(kex->my),
+		    buffer_ptr(kex->peer), buffer_len(kex->peer),
+		    (serverhostkey ? serverhostkey : empty), slen,
+		    kex->dh->pub_key,	/* e */
+		    dh_server_pub,	/* f */
+		    shared_secret,	/* K */
+		    hash, &hashlen);
+		break;
+	case KEX_GSS_GEX_SHA1:
+		kexgex_hash(
+		    kex->hash_alg,
+		    kex->client_version_string,
+		    kex->server_version_string,
+		    buffer_ptr(kex->my), buffer_len(kex->my),
+		    buffer_ptr(kex->peer), buffer_len(kex->peer),
+		    (serverhostkey ? serverhostkey : empty), slen,
+		    min, nbits, max,
+		    kex->dh->p, kex->dh->g,
+		    kex->dh->pub_key,
+		    dh_server_pub,
+		    shared_secret,
+		    hash, &hashlen);
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	gssbuf.value = hash;
+	gssbuf.length = hashlen;
+
+	/* Verify that the hash matches the MIC we just got. */
+	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+		packet_disconnect("Hash's MIC didn't verify");
+
+	free(msg_tok.value);
+
+	DH_free(kex->dh);
+	if (serverhostkey)
+		free(serverhostkey);
+	BN_clear_free(dh_server_pub);
+
+	/* save session id */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = hashlen;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	if (gss_kex_context == NULL)
+		gss_kex_context = ctxt;
+	else
+		ssh_gssapi_delete_ctx(&ctxt);
+
+	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
+		r = kex_send_newkeys(ssh);
+	return (r);
+}
+
+#endif /* GSSAPI */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/kexgsss.c	Mon Jan 25 10:57:40 2016 -0800
@@ -0,0 +1,297 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * May 22, 2015
+ * In version 6.8 a new packet interface has been introduced to OpenSSH,
+ * while the old packet API has been provided in opacket.c.
+ * At this moment we are not rewritting GSS-API key exchange code to the new
+ * API, just adjusting it to still work with new struct ssh.
+ * Rewritting to the new API can be considered in the future.
+ */
+
+#include "includes.h"
+
+#ifdef GSSAPI
+
+#include <signal.h>	/* for sig_atomic_t in kex.h */
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "digest.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
+
+int
+kexgss_server(struct ssh *ssh)
+{
+	OM_uint32 maj_status, min_status;
+
+	/*
+	 * Some GSSAPI implementations use the input value of ret_flags (an
+	 * output variable) as a means of triggering mechanism specific
+	 * features. Initializing it to zero avoids inadvertently
+	 * activating this non-standard behaviour.
+	 */
+
+	OM_uint32 ret_flags = 0;
+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	Gssctxt *ctxt = NULL;
+	uint_t slen, klen, kout;
+	uchar_t *kbuf;
+	DH *dh;
+	int min = -1, max = -1, nbits = -1;
+	BIGNUM *shared_secret = NULL;
+	BIGNUM *dh_client_pub = NULL;
+	int type = 0;
+	gss_OID oid;
+	char *mechs;
+	struct kex *kex = ssh->kex;
+	int r;
+	uchar_t hash[SSH_DIGEST_MAX_LENGTH];
+	size_t hashlen;
+
+	/* Initialise GSSAPI */
+
+	/*
+	 * If we're rekeying, privsep means that some of the private structures
+	 * in the GSSAPI code are no longer available. This kludges them back
+	 * into life
+	 */
+	if (!ssh_gssapi_oid_table_ok())
+		if ((mechs = ssh_gssapi_server_mechanisms()))
+			free(mechs);
+
+	debug2("%s: Identifying %s", __func__, kex->name);
+	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+	if (oid == GSS_C_NO_OID)
+		fatal("Unknown gssapi mechanism");
+
+	debug2("%s: Acquiring credentials", __func__);
+
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+		fatal("Unable to acquire credentials for the server");
+
+	switch (kex->kex_type) {
+	case KEX_GSS_GRP1_SHA1:
+		kex->dh = dh_new_group1();
+		break;
+	case KEX_GSS_GRP14_SHA1:
+		kex->dh = dh_new_group14();
+		break;
+	case KEX_GSS_GEX_SHA1:
+		debug("Doing group exchange");
+		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
+		min = packet_get_int();
+		nbits = packet_get_int();
+		max = packet_get_int();
+		min = MAX(DH_GRP_MIN, min);
+		max = MIN(DH_GRP_MAX, max);
+		packet_check_eom();
+		if (max < min || nbits < min || max < nbits)
+			fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
+			    min, nbits, max);
+		kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+		if (kex->dh == NULL)
+			packet_disconnect("Protocol error:"
+			    " no matching group found");
+
+		packet_start(SSH2_MSG_KEXGSS_GROUP);
+		packet_put_bignum2(kex->dh->p);
+		packet_put_bignum2(kex->dh->g);
+		packet_send();
+
+		packet_write_wait();
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	dh_gen_key(kex->dh, kex->we_need * 8);
+
+	do {
+		debug("Wait SSH2_MSG_GSSAPI_INIT");
+		type = packet_read();
+		switch (type) {
+		case SSH2_MSG_KEXGSS_INIT:
+			if (dh_client_pub != NULL)
+				fatal("Received KEXGSS_INIT after"
+				    " initialising");
+			recv_tok.value = packet_get_string(&slen);
+			recv_tok.length = slen;
+
+			if ((dh_client_pub = BN_new()) == NULL)
+				fatal("dh_client_pub == NULL");
+
+			packet_get_bignum2(dh_client_pub);
+
+			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+			break;
+		case SSH2_MSG_KEXGSS_CONTINUE:
+			recv_tok.value = packet_get_string(&slen);
+			recv_tok.length = slen;
+			break;
+		default:
+			packet_disconnect(
+			    "Protocol error: didn't expect packet type %d",
+			    type);
+		}
+
+		maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+		    &send_tok, &ret_flags));
+
+		free(recv_tok.value);
+
+		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+			fatal("Zero length token output when incomplete");
+
+		if (dh_client_pub == NULL)
+			fatal("No client public key");
+
+		if (maj_status & GSS_S_CONTINUE_NEEDED) {
+			debug("Sending GSSAPI_CONTINUE");
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+			packet_put_string(send_tok.value, send_tok.length);
+			packet_send();
+			gss_release_buffer(&min_status, &send_tok);
+		}
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
+
+	if (GSS_ERROR(maj_status)) {
+		if (send_tok.length > 0) {
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+			packet_put_string(send_tok.value, send_tok.length);
+			packet_send();
+		}
+		fatal("accept_ctx died");
+	}
+
+	if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+		fatal("Mutual Authentication flag wasn't set");
+
+	if (!(ret_flags & GSS_C_INTEG_FLAG))
+		fatal("Integrity flag wasn't set");
+
+	if (!dh_pub_is_valid(kex->dh, dh_client_pub))
+		packet_disconnect("bad client public DH value");
+
+	klen = DH_size(kex->dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_client_pub, kex->dh);
+	if (kout < 0)
+		fatal("DH_compute_key: failed");
+
+	shared_secret = BN_new();
+	if (shared_secret == NULL)
+		fatal("kexgss_server: BN_new failed");
+
+	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+		fatal("kexgss_server: BN_bin2bn failed");
+
+	memset(kbuf, 0, klen);
+	free(kbuf);
+
+	hashlen = sizeof (hash);
+	switch (kex->kex_type) {
+	case KEX_GSS_GRP1_SHA1:
+	case KEX_GSS_GRP14_SHA1:
+		kex_dh_hash(
+		    kex->client_version_string, kex->server_version_string,
+		    buffer_ptr(kex->peer), buffer_len(kex->peer),
+		    buffer_ptr(kex->my), buffer_len(kex->my),
+		    NULL, 0, /* Change this if we start sending host keys */
+		    dh_client_pub, kex->dh->pub_key, shared_secret,
+		    hash, &hashlen);
+		break;
+	case KEX_GSS_GEX_SHA1:
+		kexgex_hash(
+		    kex->hash_alg,
+		    kex->client_version_string, kex->server_version_string,
+		    buffer_ptr(kex->peer), buffer_len(kex->peer),
+		    buffer_ptr(kex->my), buffer_len(kex->my),
+		    NULL, 0,
+		    min, nbits, max,
+		    kex->dh->p, kex->dh->g,
+		    dh_client_pub,
+		    kex->dh->pub_key,
+		    shared_secret,
+		    hash, &hashlen);
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	BN_clear_free(dh_client_pub);
+
+	if (kex->session_id == NULL) {
+		kex->session_id_len = hashlen;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	gssbuf.value = hash;
+	gssbuf.length = hashlen;
+
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
+		fatal("Couldn't get MIC");
+
+	packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+	packet_put_bignum2(kex->dh->pub_key);
+	packet_put_string(msg_tok.value, msg_tok.length);
+
+	if (send_tok.length != 0) {
+		packet_put_char(1); /* true */
+		packet_put_string(send_tok.value, send_tok.length);
+	} else {
+		packet_put_char(0); /* false */
+	}
+	packet_send();
+
+	gss_release_buffer(&min_status, &send_tok);
+	gss_release_buffer(&min_status, &msg_tok);
+
+	if (gss_kex_context == NULL)
+		gss_kex_context = ctxt;
+	else
+		ssh_gssapi_delete_ctx(&ctxt);
+
+	DH_free(kex->dh);
+
+	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
+		r = kex_send_newkeys(ssh);
+	return (r);
+}
+#endif /* GSSAPI */