18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH s11u3-sru 0.175.3.17.0.3.0 S11.3SRU17.3
authorTomas Kuthan <tomas.kuthan@oracle.com>
Fri, 27 Jan 2017 14:23:05 -0800
branchs11u3-sru
changeset 7621 c11a68c3a63d
parent 7620 c60efbddf9c8
child 7623 d89b1c5817f5
18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
components/openssh/Makefile
components/openssh/dtrace_sftp/sftp_provider.d
components/openssh/dtrace_sftp/sftp_provider_impl.h
components/openssh/patches/013-dtrace_sftp.patch
components/openssh/patches/023-gsskex.patch
--- a/components/openssh/Makefile	Fri Jan 27 13:46:43 2017 -0800
+++ b/components/openssh/Makefile	Fri Jan 27 14:23:05 2017 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 COMPILER= gcc
 include ../../make-rules/shared-macros.mk
@@ -54,6 +54,7 @@
 CFLAGS += -DSET_USE_PAM
 CFLAGS += -DDEPRECATE_SUNSSH_OPT
 CFLAGS += -DKRB5_BUILD_FIX
+CFLAGS += -DDTRACE_SFTP
 CFLAGS += -DDISABLE_BANNER
 CFLAGS += -DPAM_ENHANCEMENT
 CFLAGS += -DPAM_BUGFIX
@@ -91,6 +92,12 @@
 CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
 CONFIGURE_OPTIONS += --disable-lastlog
 
+# Copy the sftp dtrace provider file and the header file to source directory
+COMPONENT_PRE_BUILD_ACTION = \
+    ( echo "Copying dtrace sftp files..."; \
+      $(LN) -fs $(COMPONENT_DIR)/dtrace_sftp/*.[dh] $(SOURCE_DIR); \
+    )
+
 MANLIST= moduli.5 scp.1 sftp-server.8 sftp.1 ssh-add.1 ssh-agent.1 \
 	ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8 \
 	ssh.1 ssh_config.5 sshd.8 sshd_config.5
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/dtrace_sftp/sftp_provider.d	Fri Jan 27 14:23:05 2017 -0800
@@ -0,0 +1,61 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ */
+
+/*
+ * We seem currently unable to depend properly on existing D libraries (like
+ * sftp.d). But the definitions for conninfo_t and sftpinfo_t are stored there
+ * (and have to be, since that's where the real translators live). So we're
+ * forced to define something here to satisfy dtrace(1M), but none of the
+ * definitions or translators here are actually used.
+ */
+typedef struct sftpinfo {
+	int dummy;
+} sftpinfo_t;
+
+typedef struct sftpproto {
+	int dummy;
+} sftpproto_t;
+
+typedef struct conninfo {
+	int dummy;
+} conninfo_t;
+
+translator conninfo_t <sftpproto_t *dp> {
+};
+
+translator sftpinfo_t <sftpproto_t *dp> {
+};
+
+provider sftp {
+	probe transfer__start(sftpproto_t *p) :
+	    (conninfo_t *p, sftpinfo_t *p);
+	probe transfer__done(sftpproto_t *p) :
+	    (conninfo_t *p, sftpinfo_t *p);
+};
+
+#pragma D attributes Evolving/Evolving/ISA provider sftp provider
+#pragma D attributes Private/Private/Unknown provider sftp module
+#pragma D attributes Private/Private/Unknown provider sftp function
+#pragma D attributes Private/Private/ISA provider sftp name
+#pragma D attributes Evolving/Evolving/ISA provider sftp args
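Review bot: The `provider sftp` block declares `transfer-start` and `transfer-done` without saying when they fire or what their arguments carry, so a reader has to open sftp_provider_impl.h and the sftp-server.c patch to find out. A comment above the provider would cover it, for example `/* transfer-start fires just before read(2)/write(2) in sftp-server, transfer-done just after; sftp_nbytes is the requested length at start and the syscall return value (possibly -1) at done. */`. Per sftp_provider_impl.h the payload also carries the user name, remote address and path name of every transfer. Stating that here tells administrators what anyone permitted to enable these probes can observe.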
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/dtrace_sftp/sftp_provider_impl.h	Fri Jan 27 14:23:05 2017 -0800
@@ -0,0 +1,73 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#ifndef	_SFTP_PROVIDER_IMPL_H
+#define	_SFTP_PROVIDER_IMPL_H
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+/*
+ * This structure must match the definition of same in sftp.d.
+ */
+typedef struct sftpproto {
+	int64_t sftp_nbytes;		/* bytes writtten or read */
+	const char *sftp_user;		/* user name */
+	const char *sftp_operation;	/* SFTP Operation */
+	const char *sftp_raddr;		/* remote address */
+	const char *sftp_pathname;	/* path with file name */
+	int32_t sftp_fd;		/* fd for transfer, if any */
+} sftpproto_t;
+
+#define	SFTP_TRANSFER_PROTO(proto, op, fd, path, len) \
+	bzero((proto), sizeof (struct sftpproto)); \
+	(proto)->sftp_user = (pw->pw_name ? pw->pw_name : "UNKNOWN"); \
+	(proto)->sftp_operation = (op ? op : "UNKNOWN"); \
+	(proto)->sftp_raddr = (client_addr); \
+	(proto)->sftp_fd = (fd); \
+	(proto)->sftp_pathname = (path ? path : "UNKNOWN"); \
+	(proto)->sftp_nbytes = (len); \
+
+#define	SFTP_TRANSFER_START_OP(op, fd, path, len) \
+	if (SFTP_TRANSFER_START_ENABLED()) { \
+		sftpproto_t proto; \
+		SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
+		SFTP_TRANSFER_START(&proto); \
+	} \
+
+#define	SFTP_TRANSFER_DONE_OP(op, fd, path, len) \
+	if (SFTP_TRANSFER_DONE_ENABLED()) { \
+		sftpproto_t proto; \
+		SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
+		SFTP_TRANSFER_DONE(&proto); \
+	} \
+
+#include <sftp_provider.h>
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif /* _SFTP_PROVIDER_IMPL_H */
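Review bot: `SFTP_TRANSFER_START_OP` and `SFTP_TRANSFER_DONE_OP` expand to a bare `if` block, and `SFTP_TRANSFER_PROTO` to a run of statements ending in a stray line continuation, so using any of them as the unbraced body of an `if`/`else` would change which statements are conditional. Wrapping each in `do { ... } while (0)` and parenthesizing `op` and `path` removes the hazard; the call sites in the sftp-server.c patch already end with a semicolon and need no change. `SFTP_TRANSFER_PROTO` also reads `pw` and `client_addr` from the caller's scope rather than taking them as parameters (presumably file-scope variables in sftp-server.c, not shown here), which deserves a comment on the macro. The header uses `int64_t`, `int32_t` and `bzero` without including anything that declares them, so it relies on the including file's headers. The `sftp_nbytes` field comment has a typo (`writtten`).

```c
/* Expects `pw` and `client_addr` to be in scope at the call site. */
#define	SFTP_TRANSFER_PROTO(proto, op, fd, path, len) \
	do { \
		bzero((proto), sizeof (struct sftpproto)); \
		(proto)->sftp_user = (pw->pw_name ? pw->pw_name : "UNKNOWN"); \
		(proto)->sftp_operation = ((op) ? (op) : "UNKNOWN"); \
		(proto)->sftp_raddr = (client_addr); \
		(proto)->sftp_fd = (fd); \
		(proto)->sftp_pathname = ((path) ? (path) : "UNKNOWN"); \
		(proto)->sftp_nbytes = (len); \
	} while (0)

#define	SFTP_TRANSFER_START_OP(op, fd, path, len) \
	do { \
		if (SFTP_TRANSFER_START_ENABLED()) { \
			sftpproto_t proto; \
			SFTP_TRANSFER_PROTO(&proto, op, fd, path, len); \
			SFTP_TRANSFER_START(&proto); \
		} \
	} while (0)

/* … SFTP_TRANSFER_DONE_OP: same do/while wrapping around its if block … */
```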
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/013-dtrace_sftp.patch	Fri Jan 27 14:23:05 2017 -0800
@@ -0,0 +1,137 @@
+#
+# This patch is to provide a SFTP DTrace provider which offers an administrator
+# some observability of SFTP data transfer. This was developed in-house. 
+# Because this is Solaris-specific and not suitable for upstream, we will not
+# contribute the changes to the upstream community.
+#
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in
++++ new/Makefile.in
[email protected]@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
+ 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
++	sftp_provider.o \
+ 	ssh-pkcs11.o smult_curve25519_ref.o \
+ 	poly1305.o chacha.o cipher-chachapoly.o \
+ 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
[email protected]@ -107,7 +108,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+ 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+-	sftp-server.o sftp-common.o \
++	sftp-server.o sftp-common.o sftp_provider.o \
+ 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+ 	sandbox-solaris.o
[email protected]@ -187,8 +188,8 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ 	$(LD) -o [email protected] ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 
+-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+-	$(LD) -o [email protected] sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp_provider.o
++	$(LD) -o [email protected] sftp-server.o sftp-common.o sftp-server-main.o sftp_provider.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
+ 	$(LD) -o [email protected] progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
[email protected]@ -225,9 +226,18 @@ umac128.o:	umac.c
+ 	    -Dumac_update=umac128_update -Dumac_final=umac128_final \
+ 	    -Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
+ 
++# dtrace sftp
++sftp_provider.h: $(srcdir)/sftp_provider.d
++	/usr/sbin/dtrace -xnolibs -h -s $(srcdir)/sftp_provider.d \
++	    -o $(srcdir)/sftp_provider.h
++
++sftp_provider.o: sftp_provider.d sftp_provider.h sftp-server.o
++	/usr/sbin/dtrace -G -32 -xnolibs -s $(srcdir)/sftp_provider.d \
++	    sftp-server.o -o sftp_provider.o
++
+ clean:	regressclean
+ 	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
+-	rm -f *.out core survey
++	rm -f *.out core survey sftp_provider.h
+ 	rm -f regress/unittests/test_helper/*.a
+ 	rm -f regress/unittests/test_helper/*.o
+ 	rm -f regress/unittests/sshbuf/*.o
+diff -pur old/sftp-server.c new/sftp-server.c
+--- old/sftp-server.c
++++ new/sftp-server.c
[email protected]@ -51,6 +51,9 @@
+ 
+ #include "sftp.h"
+ #include "sftp-common.h"
++#ifdef DTRACE_SFTP
++#include "sftp_provider_impl.h"
++#endif
+ 
+ /* Our verbosity */
+ static LogLevel log_level = SYSLOG_LEVEL_ERROR;
[email protected]@ -737,14 +740,17 @@ process_read(u_int32_t id)
+ 	u_int32_t len;
+ 	int r, handle, fd, ret, status = SSH2_FX_FAILURE;
+ 	u_int64_t off;
++	char *fpath;
+ 
+ 	if ((r = get_handle(iqueue, &handle)) != 0 ||
+ 	    (r = sshbuf_get_u64(iqueue, &off)) != 0 ||
+ 	    (r = sshbuf_get_u32(iqueue, &len)) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+-	debug("request %u: read \"%s\" (handle %d) off %llu len %d",
+-	    id, handle_to_name(handle), handle, (unsigned long long)off, len);
++	fpath = handle_to_name(handle);
++ 
++ 	debug("request %u: read \"%s\" (handle %d) off %llu len %d",
++	    id, fpath, handle, (unsigned long long)off, len);
+ 	if (len > sizeof buf) {
+ 		len = sizeof buf;
+ 		debug2("read change len %d", len);
[email protected]@ -755,7 +761,13 @@ process_read(u_int32_t id)
+ 			error("process_read: seek failed");
+ 			status = errno_to_portable(errno);
+ 		} else {
++#ifdef DTRACE_SFTP
++		        SFTP_TRANSFER_START_OP("read", fd, fpath, len);
++#endif
+ 			ret = read(fd, buf, len);
++#ifdef DTRACE_SFTP
++                        SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret);
++#endif
+ 			if (ret < 0) {
+ 				status = errno_to_portable(errno);
+ 			} else if (ret == 0) {
[email protected]@ -778,14 +790,16 @@ process_write(u_int32_t id)
+ 	size_t len;
+ 	int r, handle, fd, ret, status;
+ 	u_char *data;
++	char *fpath;
+ 
+ 	if ((r = get_handle(iqueue, &handle)) != 0 ||
+ 	    (r = sshbuf_get_u64(iqueue, &off)) != 0 ||
+ 	    (r = sshbuf_get_string(iqueue, &data, &len)) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
++	fpath = handle_to_name(handle);
+ 	debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
+-	    id, handle_to_name(handle), handle, (unsigned long long)off, len);
++	    id, fpath, handle, (unsigned long long)off, len);
+ 	fd = handle_to_fd(handle);
+ 
+ 	if (fd < 0)
[email protected]@ -797,7 +811,14 @@ process_write(u_int32_t id)
+ 			error("process_write: seek failed");
+ 		} else {
+ /* XXX ATOMICIO ? */
++#ifdef DTRACE_SFTP
++		        SFTP_TRANSFER_START_OP("write", fd, fpath, len);
++#endif
+ 			ret = write(fd, data, len);
++#ifdef DTRACE_SFTP
++			SFTP_TRANSFER_DONE_OP("write", fd, fpath, ret);
++#endif
++
+ 			if (ret < 0) {
+ 				error("process_write: write failed");
+ 				status = errno_to_portable(errno);
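Review bot: In the Makefile.in part of this patch nothing makes `sftp-server.o` depend on the generated `sftp_provider.h`, although sftp-server.c now includes it through sftp_provider_impl.h when DTRACE_SFTP is defined. The header is only a prerequisite of `sftp_provider.o`, so a parallel build may compile sftp-server.c before the header exists. Adding `sftp-server.o: sftp_provider.h` next to the two dtrace rules would state the dependency. The header rule also writes `$(srcdir)/sftp_provider.h` while its target is `sftp_provider.h`, so it would presumably rerun on every build whenever the build directory differs from srcdir. In process_read and process_write, whose bodies continue outside the inner hunks, the done probe runs between the syscall and `errno_to_portable(errno)` and reports `ret`, which is -1 on failure, so the probe path must stay free of errno-setting calls and consumers should treat a negative `sftp_nbytes` as a failed transfer.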
--- a/components/openssh/patches/023-gsskex.patch	Fri Jan 27 13:46:43 2017 -0800
+++ b/components/openssh/patches/023-gsskex.patch	Fri Jan 27 14:23:05 2017 -0800
@@ -19,29 +19,29 @@
 #
 # Upstream rejected GSS-API key exchange several times before.
 #
-diff -rupN old/Makefile.in new/Makefile.in
---- old/Makefile.in	2016-09-21 19:40:34.495262333 -0700
-+++ new/Makefile.in	2016-09-21 20:20:17.560532505 -0700
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in
++++ new/Makefile.in
 @@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 +	kexgssc.o \
+ 	sftp_provider.o \
  	ssh-pkcs11.o smult_curve25519_ref.o \
  	poly1305.o chacha.o cipher-chachapoly.o \
- 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
[email protected]@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
[email protected]@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
  	auth2-none.o auth2-passwd.o auth2-pubkey.o \
  	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- 	sftp-server.o sftp-common.o \
+ 	sftp-server.o sftp-common.o sftp_provider.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff -rupN old/auth.c new/auth.c
---- old/auth.c	2017-01-11 18:18:17.172126803 -0800
-+++ new/auth.c	2017-01-11 18:21:06.506811958 -0800
+diff -pur old/auth.c new/auth.c
+--- old/auth.c
++++ new/auth.c
 @@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
  	case PERMIT_NO_PASSWD:
  		if (strcmp(method, "publickey") == 0 ||
@@ -150,9 +150,9 @@
   * Return the canonical name of the host in the other side of the current
   * connection.  The host name is cached, so it is efficient to call this
   * several times.
-diff -rupN old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c	2016-09-21 19:40:20.290128383 -0700
-+++ new/auth2-gss.c	2016-09-21 19:25:47.855250807 -0700
+diff -pur old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c
++++ new/auth2-gss.c
 @@ -1,7 +1,7 @@
  /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
  
@@ -215,9 +215,9 @@
  Authmethod method_gssapi = {
  	"gssapi-with-mic",
  	userauth_gssapi,
-diff -rupN old/auth2.c new/auth2.c
---- old/auth2.c	2016-09-21 19:40:20.293020496 -0700
-+++ new/auth2.c	2016-09-21 19:25:47.497355321 -0700
+diff -pur old/auth2.c new/auth2.c
+--- old/auth2.c
++++ new/auth2.c
 @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
@@ -234,9 +234,9 @@
  	&method_gssapi,
  #endif
  	&method_passwd,
-diff -rupN old/canohost.c new/canohost.c
---- old/canohost.c	2016-09-21 19:40:20.295936952 -0700
-+++ new/canohost.c	2016-09-21 19:25:47.908930173 -0700
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
 @@ -202,3 +202,97 @@ get_local_port(int sock)
  {
  	return get_sock_port(sock, 1);
@@ -335,9 +335,9 @@
 +	}
 +	return strdup(name);
 +}
-diff -rupN old/canohost.h new/canohost.h
---- old/canohost.h	2016-09-21 19:40:20.298804941 -0700
-+++ new/canohost.h	2016-09-21 19:25:47.335129267 -0700
+diff -pur old/canohost.h new/canohost.h
+--- old/canohost.h
++++ new/canohost.h
 @@ -21,6 +21,9 @@ char		*get_local_ipaddr(int);
  char		*get_local_name(int);
  int		get_local_port(int);
@@ -348,9 +348,9 @@
  #endif /* _CANOHOST_H */
  
  void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
-diff -rupN old/gss-genr.c new/gss-genr.c
---- old/gss-genr.c	2016-09-21 19:40:20.301650203 -0700
-+++ new/gss-genr.c	2016-09-21 19:25:47.301737088 -0700
+diff -pur old/gss-genr.c new/gss-genr.c
+--- old/gss-genr.c
++++ new/gss-genr.c
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
  
@@ -578,9 +578,9 @@
  		ssh_gssapi_delete_ctx(ctx);
  
  	return (!GSS_ERROR(major));
-diff -rupN old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c	2016-09-21 19:40:20.304525100 -0700
-+++ new/gss-serv.c	2016-09-21 19:25:47.229908522 -0700
+diff -pur old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c
++++ new/gss-serv.c
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
  
@@ -653,9 +653,9 @@
 -}
 -
  #endif
-diff -rupN old/kex.c new/kex.c
---- old/kex.c	2016-09-21 19:40:20.307412118 -0700
-+++ new/kex.c	2016-09-21 19:25:47.559276736 -0700
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
 @@ -55,6 +55,10 @@
  #include "sshbuf.h"
  #include "digest.h"
@@ -688,9 +688,9 @@
  			return k;
  	}
  	return NULL;
-diff -rupN old/kex.h new/kex.h
---- old/kex.h	2016-09-21 19:40:20.310245128 -0700
-+++ new/kex.h	2016-09-21 19:25:47.142516186 -0700
+diff -pur old/kex.h new/kex.h
+--- old/kex.h
++++ new/kex.h
 @@ -98,6 +98,9 @@ enum kex_exchange {
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
@@ -723,9 +723,9 @@
  
  int	 kex_dh_hash(int, const char *, const char *,
      const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -rupN old/monitor.c new/monitor.c
---- old/monitor.c	2016-09-21 19:40:20.313190151 -0700
-+++ new/monitor.c	2016-09-21 19:25:47.525137447 -0700
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c
++++ new/monitor.c
 @@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer 
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
@@ -884,9 +884,9 @@
 +
  #endif /* GSSAPI */
  
-diff -rupN old/monitor.h new/monitor.h
---- old/monitor.h	2016-09-21 19:40:20.316049455 -0700
-+++ new/monitor.h	2016-09-21 19:25:47.113344203 -0700
+diff -pur old/monitor.h new/monitor.h
+--- old/monitor.h
++++ new/monitor.h
 @@ -68,6 +68,9 @@ enum monitor_reqtype {
  #ifdef PAM_ENHANCEMENT
          MONITOR_REQ_AUTHMETHOD = 114,
@@ -897,9 +897,9 @@
  };
  
  struct mm_master;
-diff -rupN old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c	2016-09-21 19:40:20.318913737 -0700
-+++ new/monitor_wrap.c	2016-09-21 19:25:47.668505812 -0700
+diff -pur old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c
++++ new/monitor_wrap.c
 @@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
  	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
  	return (authenticated);
@@ -929,9 +929,9 @@
 +
  #endif /* GSSAPI */
  
-diff -rupN old/monitor_wrap.h new/monitor_wrap.h
---- old/monitor_wrap.h	2016-09-21 19:40:20.321783476 -0700
-+++ new/monitor_wrap.h	2016-09-21 19:25:47.026452744 -0700
+diff -pur old/monitor_wrap.h new/monitor_wrap.h
+--- old/monitor_wrap.h
++++ new/monitor_wrap.h
 @@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
  int mm_ssh_gssapi_userok(char *user);
@@ -940,9 +940,9 @@
  #endif
  
  #ifdef USE_PAM
-diff -rupN old/readconf.c new/readconf.c
---- old/readconf.c	2016-09-21 19:40:20.324827120 -0700
-+++ new/readconf.c	2016-09-21 19:25:47.885753634 -0700
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c
++++ new/readconf.c
 @@ -160,6 +160,7 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -999,9 +999,9 @@
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
  	if (options->password_authentication == -1)
-diff -rupN old/readconf.h new/readconf.h
---- old/readconf.h	2016-09-21 19:40:20.327689956 -0700
-+++ new/readconf.h	2016-09-21 19:25:47.449284716 -0700
+diff -pur old/readconf.h new/readconf.h
+--- old/readconf.h
++++ new/readconf.h
 @@ -45,6 +45,7 @@ typedef struct {
  	int     challenge_response_authentication;
  					/* Try S/Key or TIS, authentication. */
@@ -1010,9 +1010,9 @@
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
  	int     password_authentication;	/* Try password
  						 * authentication. */
-diff -rupN old/servconf.c new/servconf.c
---- old/servconf.c	2016-09-21 19:40:20.330699306 -0700
-+++ new/servconf.c	2016-09-21 19:25:47.054209571 -0700
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
 @@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
  	options->kerberos_ticket_cleanup = -1;
  	options->kerberos_get_afs_token = -1;
@@ -1079,9 +1079,9 @@
  #ifndef USE_GSS_STORE_CRED
  	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
  #endif /* !USE_GSS_STORE_CRED */
-diff -rupN old/servconf.h new/servconf.h
---- old/servconf.h	2016-09-21 19:40:20.333544958 -0700
-+++ new/servconf.h	2016-09-21 19:25:47.739063955 -0700
+diff -pur old/servconf.h new/servconf.h
+--- old/servconf.h
++++ new/servconf.h
 @@ -122,6 +122,7 @@ typedef struct {
  	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
  						 * authenticated with Kerberos. */
@@ -1090,9 +1090,9 @@
  	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
  	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
  	int     password_authentication;	/* If true, permit password
-diff -rupN old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h	2016-09-21 19:40:20.336386442 -0700
-+++ new/ssh-gss.h	2016-09-21 19:25:47.600702960 -0700
+diff -pur old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h
++++ new/ssh-gss.h
 @@ -61,6 +61,17 @@
  
  #define SSH_GSS_OIDTYPE 0x06
@@ -1140,9 +1140,9 @@
  #endif /* GSSAPI */
  
  #endif /* _SSH_GSS_H */
-diff -rupN old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5	2016-09-21 19:40:20.339307715 -0700
-+++ new/ssh_config.5	2016-09-21 19:25:47.188814608 -0700
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5
++++ new/ssh_config.5
 @@ -834,6 +834,12 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
@@ -1156,9 +1156,9 @@
  .It Cm GSSAPIDelegateCredentials
  Forward (delegate) credentials to the server.
  The default is
-diff -rupN old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c	2016-09-21 19:40:20.342249196 -0700
-+++ new/sshconnect2.c	2016-09-21 19:25:47.810679787 -0700
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c
++++ new/sshconnect2.c
 @@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho
  	char *s;
  	struct kex *kex;
@@ -1329,9 +1329,9 @@
  #endif /* GSSAPI */
  
  int
-diff -rupN old/sshd.c new/sshd.c
---- old/sshd.c	2016-09-21 19:40:20.345291027 -0700
-+++ new/sshd.c	2016-09-21 19:25:47.376369649 -0700
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
 @@ -1892,10 +1892,13 @@ main(int ac, char **av)
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
@@ -1409,9 +1409,9 @@
  	kex->server = 1;
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
-diff -rupN old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5	2016-09-21 19:40:20.348225013 -0700
-+++ new/sshd_config.5	2016-09-21 19:25:47.433470021 -0700
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
 @@ -632,6 +632,11 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
@@ -1424,9 +1424,9 @@
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
-diff -rupN old/sshkey.c new/sshkey.c
---- old/sshkey.c	2016-09-21 19:40:20.351243462 -0700
-+++ new/sshkey.c	2016-09-21 19:25:47.271519675 -0700
+diff -pur old/sshkey.c new/sshkey.c
+--- old/sshkey.c
++++ new/sshkey.c
 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
@@ -1435,9 +1435,9 @@
  	{ NULL, NULL, -1, -1, 0, 0 }
  };
  
-diff -rupN old/sshkey.h new/sshkey.h
---- old/sshkey.h	2016-09-21 19:40:20.354147713 -0700
-+++ new/sshkey.h	2016-09-21 19:25:47.934179627 -0700
+diff -pur old/sshkey.h new/sshkey.h
+--- old/sshkey.h
++++ new/sshkey.h
 @@ -62,6 +62,7 @@ enum sshkey_types {
  	KEY_DSA_CERT,
  	KEY_ECDSA_CERT,