--- a/components/openssh/Makefile Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/Makefile Thu Oct 29 02:40:10 2015 -0700
@@ -23,22 +23,22 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= openssh
-COMPONENT_VERSION= 6.8p1
+COMPONENT_VERSION= 7.1p1
HUMAN_VERSION= $(COMPONENT_VERSION)
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
# Version for IPS. The encoding rules are:
# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION= 6.8.0.1
+IPS_COMPONENT_VERSION= 7.1.0.1
COMPONENT_PROJECT_URL= http://www.openssh.org/
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha256:3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e
+COMPONENT_ARCHIVE_HASH= sha256:fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428
COMPONENT_ARCHIVE_URL= http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB=utility/openssh
-TPNO_OPENSSH= 21980
+TPNO_OPENSSH= 24282
TPNO_GSSKEX= 20377
include $(WS_MAKE_RULES)/prep.mk
--- a/components/openssh/openssh.p5m Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/openssh.p5m Thu Oct 29 02:40:10 2015 -0700
@@ -20,7 +20,7 @@
#
# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
#
-<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
set name=pkg.fmri \
value=pkg:/network/openssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
set name=pkg.summary value=OpenSSH
--- a/components/openssh/patches/003-last_login.patch Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/patches/003-last_login.patch Thu Oct 29 02:40:10 2015 -0700
@@ -12,58 +12,52 @@
# can't be changed so we update sshd's configuration parsing to flag
# this as unsupported and update the man page here.
#
-*** old/servconf.c Wed Sep 17 02:54:26 2014
---- new/servconf.c Wed Sep 17 02:56:55 2014
-***************
-*** 432,438 ****
---- 432,442 ----
- { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
- { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
- { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
-+ #ifdef DISABLE_LASTLOG
-+ { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
-+ #else
- { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
-+ #endif
- { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
- { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
- { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
-*** old/sshd_config.5 Tue Sep 16 06:24:13 2014
---- new/sshd_config.5 Tue Sep 16 06:47:47 2014
-***************
-*** 1008,1015 ****
- .Xr sshd 1M
- should print the date and time of the last user login when a user logs
- in interactively.
-! The default is
-! .Dq yes .
- .It Cm PrintMotd
- Specifies whether
- .Xr sshd 1M
---- 1008,1015 ----
- .Xr sshd 1M
- should print the date and time of the last user login when a user logs
- in interactively.
-! On Solaris this option is always ignored since pam_unix_session(5)
-! reports the last login time.
- .It Cm PrintMotd
- Specifies whether
- .Xr sshd 1M
-***************
-*** 1349,1355 ****
- (though not necessary) that it be world-readable.
- .El
- .Sh SEE ALSO
-! .Xr sshd 8
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
---- 1349,1356 ----
- (though not necessary) that it be world-readable.
- .El
- .Sh SEE ALSO
-! .Xr sshd 8 ,
-! .Xr pam_unix_session 5
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
+@@ -504,7 +504,11 @@ static struct {
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
++#ifdef DISABLE_LASTLOG
++ { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
++#else
+ { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
++#endif
+ { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+ { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+ { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
+@@ -2268,7 +2272,9 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sChallengeResponseAuthentication,
+ o->challenge_response_authentication);
+ dump_cfg_fmtint(sPrintMotd, o->print_motd);
++#ifndef DISABLE_LASTLOG
+ dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
++#endif /* !DISABLE_LASTLOG */
+ dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
+ dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+ dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -1300,8 +1300,8 @@ Specifies whether
+ .Xr sshd 8
+ should print the date and time of the last user login when a user logs
+ in interactively.
+-The default is
+-.Dq yes .
++On Solaris this option is always ignored since pam_unix_session(5)
++reports the last login time.
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 8
+@@ -1721,7 +1721,8 @@ This file should be writable by root onl
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+-.Xr sshd 8
++.Xr sshd 8 ,
++.Xr pam_unix_session 5
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
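Review bot: The new `#endif` that closes the `DISABLE_LASTLOG` block in the keywords table (the line after `{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },`) is bare, while the dump_config hunk a few lines below closes its guard with `#endif /* !DISABLE_LASTLOG */`; in a table that long, `#endif /* DISABLE_LASTLOG */` keeps the two consistent. The dump_config guard is presumably needed because the keyword is mapped to sUnsupported and there is then no name for dump_cfg_fmtint to print, but nothing says so; a one-line comment such as `/* printlastlog is sUnsupported on Solaris, so sshd -T must not list it */` above the `#ifndef` would record the pairing for the next rebase. It is also worth one sentence in the patch's header comment that `sshd -T` on Solaris omits PrintLastLog altogether rather than printing it as `no`, since configuration audits that expect the key will have to account for that. The surrounding keywords[] table and the body of dump_config lie outside the inner hunks shown here.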
--- a/components/openssh/patches/007-manpages.patch Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/patches/007-manpages.patch Thu Oct 29 02:40:10 2015 -0700
@@ -8,8 +8,8 @@
# same as their corresponding ones in SunSSH.
#
diff -pur old/moduli.5 new/moduli.5
---- old/moduli.5 2015-03-17 06:49:20.000000000 +0100
-+++ new/moduli.5 2015-03-28 05:37:09.205577491 +0100
+--- old/moduli.5
++++ new/moduli.5
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
@@ -67,8 +67,8 @@
.Rs
.%A M. Friedl
diff -pur old/sftp-server.8 new/sftp-server.8
---- old/sftp-server.8 2015-03-17 06:49:20.000000000 +0100
-+++ new/sftp-server.8 2015-03-28 05:38:55.972453415 +0100
+--- old/sftp-server.8
++++ new/sftp-server.8
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
@@ -117,8 +117,8 @@
.%A T. Ylonen
.%A S. Lehtinen
diff -pur old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8 2015-03-17 06:49:20.000000000 +0100
-+++ new/ssh-keysign.8 2015-03-28 05:37:09.206625270 +0100
+--- old/ssh-keysign.8
++++ new/ssh-keysign.8
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
@@ -149,8 +149,8 @@
.Nm
first appeared in
diff -pur old/ssh-pkcs11-helper.8 new/ssh-pkcs11-helper.8
---- old/ssh-pkcs11-helper.8 2015-03-17 06:49:20.000000000 +0100
-+++ new/ssh-pkcs11-helper.8 2015-03-28 05:37:09.206699277 +0100
+--- old/ssh-pkcs11-helper.8
++++ new/ssh-pkcs11-helper.8
@@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
@@ -161,18 +161,18 @@
.Sh NAME
.Nm ssh-pkcs11-helper
diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2015-03-17 06:49:20.000000000 +0100
-+++ new/ssh_config.5 2015-03-28 05:39:45.895250783 +0100
+--- old/ssh_config.5
++++ new/ssh_config.5
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: ssh_config.5,v 1.205 2015/02/20 22:17:21 djm Exp $
- .Dd $Mdocdate: February 20 2015 $
+ .\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
+ .Dd $Mdocdate: August 14 2015 $
-.Dt SSH_CONFIG 5
+.Dt SSH_CONFIG 4
.Os
.Sh NAME
.Nm ssh_config
-@@ -562,7 +562,7 @@ then the master connection will remain i
+@@ -568,7 +568,7 @@ then the master connection will remain i
.Dq Fl O No exit
option).
If set to a time in seconds, or a time in any of the formats documented in
@@ -181,7 +181,7 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
-@@ -689,7 +689,7 @@ option is also enabled.
+@@ -695,7 +695,7 @@ option is also enabled.
Specify a timeout for untrusted X11 forwarding
using the format described in the
TIME FORMATS section of
@@ -190,7 +190,7 @@
X11 connections received by
.Xr ssh 1
after this time will be refused.
-@@ -756,7 +756,7 @@ should hash host names and addresses whe
+@@ -762,7 +762,7 @@ should hash host names and addresses whe
These hashed names may be used normally by
.Xr ssh 1
and
@@ -199,7 +199,7 @@
but they do not reveal identifying information should the file's contents
be disclosed.
The default is
-@@ -1233,7 +1233,7 @@ depending on the cipher.
+@@ -1286,7 +1286,7 @@ depending on the cipher.
The optional second value is specified in seconds and may use any of the
units documented in the
TIME FORMATS section of
@@ -208,7 +208,7 @@
The default value for
.Cm RekeyLimit
is
-@@ -1277,7 +1277,7 @@ Specifying a remote
+@@ -1330,7 +1330,7 @@ Specifying a remote
will only succeed if the server's
.Cm GatewayPorts
option is enabled (see
@@ -217,7 +217,7 @@
.It Cm RequestTTY
Specifies whether to request a pseudo-tty for the session.
The argument may be one of:
-@@ -1339,7 +1339,7 @@ accept these environment variables.
+@@ -1396,7 +1396,7 @@ pseudo-terminal is requested as it is re
Refer to
.Cm AcceptEnv
in
@@ -227,12 +227,12 @@
Variables are specified by name, which may contain wildcard characters.
Multiple environment variables may be separated by whitespace or spread
diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8 2015-03-17 06:49:20.000000000 +0100
-+++ new/sshd.8 2015-03-28 05:41:50.762749417 +0100
+--- old/sshd.8
++++ new/sshd.8
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: sshd.8,v 1.278 2014/11/15 14:41:03 bentley Exp $
- .Dd $Mdocdate: November 15 2014 $
+ .\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+ .Dd $Mdocdate: July 3 2015 $
-.Dt SSHD 8
+.Dt SSHD 1M
.Os
@@ -247,7 +247,7 @@
command-line options override values specified in the
configuration file.
.Nm
-@@ -207,7 +207,7 @@ Can be used to give options in the forma
+@@ -204,7 +204,7 @@ Can be used to give options in the forma
This is useful for specifying options for which there is no separate
command-line flag.
For full details of the options, and their values, see
@@ -256,7 +256,7 @@
.It Fl p Ar port
Specifies the port on which the server listens for connections
(default 22).
-@@ -277,7 +277,7 @@ The default is to use protocol 2 only,
+@@ -274,7 +274,7 @@ The default is to use protocol 2 only,
though this can be changed via the
.Cm Protocol
option in
@@ -265,7 +265,7 @@
Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
-@@ -402,7 +402,7 @@ if it exists, and users are allowed to c
+@@ -399,7 +399,7 @@ if it exists, and users are allowed to c
See the
.Cm PermitUserEnvironment
option in
@@ -274,7 +274,7 @@
.It
Changes to user's home directory.
.It
-@@ -550,7 +550,7 @@ The command originally supplied by the c
+@@ -549,7 +549,7 @@ The command originally supplied by the c
environment variable.
Note that this option applies to shell, command or subsystem execution.
Also note that this command may be superseded by either a
@@ -283,7 +283,7 @@
.Cm ForceCommand
directive or a command embedded in a certificate.
.It Cm environment="NAME=value"
-@@ -571,7 +571,7 @@ Specifies that in addition to public key
+@@ -570,7 +570,7 @@ Specifies that in addition to public key
name of the remote host or its IP address must be present in the
comma-separated list of patterns.
See PATTERNS in
@@ -292,7 +292,7 @@
for more information on patterns.
.Pp
In addition to the wildcard matching that may be applied to hostnames or
-@@ -859,7 +859,7 @@ It should only be writable by root.
+@@ -858,7 +858,7 @@ It should only be writable by root.
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
@@ -301,7 +301,7 @@
.Pp
.It Pa /etc/motd
See
-@@ -920,7 +920,7 @@ should be world-readable.
+@@ -919,7 +919,7 @@ should be world-readable.
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
@@ -310,7 +310,7 @@
.Pp
.It Pa /etc/ssh/sshrc
Similar to
-@@ -955,10 +955,10 @@ The content of this file is not sensitiv
+@@ -954,10 +954,10 @@ The content of this file is not sensitiv
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr login.conf 5 ,
@@ -326,12 +326,12 @@
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5 2015-03-28 05:37:09.175994877 +0100
-+++ new/sshd_config.5 2015-03-28 05:42:07.245709990 +0100
+--- old/sshd_config.5
++++ new/sshd_config.5
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: sshd_config.5,v 1.194 2015/02/20 23:46:01 djm Exp $
- .Dd $Mdocdate: February 20 2015 $
+ .\" $OpenBSD: sshd_config.5,v 1.211 2015/08/14 15:32:41 jmc Exp $
+ .Dd $Mdocdate: August 14 2015 $
-.Dt SSHD_CONFIG 5
+.Dt SSHD_CONFIG 4
.Os
@@ -353,9 +353,9 @@
-.Xr ssh_config 5
+.Xr ssh_config 4
for how to configure the client.
- Note that environment passing is only supported for protocol 2.
- Variables are specified by name, which may contain the wildcard characters
-@@ -85,7 +85,7 @@ For this reason, care should be taken in
+ Note that environment passing is only supported for protocol 2, and
+ that the
+@@ -89,7 +89,7 @@ For this reason, care should be taken in
The default is not to accept any environment variables.
.It Cm AddressFamily
Specifies which address family should be used by
@@ -364,7 +364,7 @@
Valid arguments are
.Dq any ,
.Dq inet
-@@ -118,7 +118,7 @@ and finally
+@@ -122,7 +122,7 @@ and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
@@ -373,7 +373,7 @@
for more information on patterns.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
-@@ -178,7 +178,7 @@ and finally
+@@ -182,7 +182,7 @@ and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
@@ -382,16 +382,16 @@
for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
-@@ -234,7 +234,7 @@ The program must be owned by root and no
- It will be invoked with a single argument of the username
- being authenticated, and should produce on standard output zero or
+@@ -250,7 +250,7 @@ will be supplied.
+ .Pp
+ The program should produce on standard output zero or
more lines of authorized_keys output (see AUTHORIZED_KEYS in
-.Xr sshd 8 ) .
+.Xr sshd 1M ) .
If a key supplied by AuthorizedKeysCommand does not successfully authenticate
and authorize the user then public key authentication continues using the usual
.Cm AuthorizedKeysFile
-@@ -257,7 +257,7 @@ for user authentication.
+@@ -273,7 +273,7 @@ for user authentication.
The format is described in the
AUTHORIZED_KEYS FILE FORMAT
section of
@@ -400,7 +400,7 @@
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
setup.
-@@ -280,7 +280,7 @@ this file lists names, one of which must
+@@ -332,7 +332,7 @@ this file lists names, one of which must
to be accepted for authentication.
Names are listed one per line preceded by key options (as described
in AUTHORIZED_KEYS FILE FORMAT in
@@ -409,7 +409,7 @@
Empty lines and comments starting with
.Ql #
are ignored.
-@@ -310,7 +310,7 @@ and is not consulted for certification a
+@@ -362,7 +362,7 @@ and is not consulted for certification a
though the
.Cm principals=
key option offers a similar facility (see
@@ -418,7 +418,7 @@
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
-@@ -335,7 +335,7 @@ At session startup
+@@ -387,7 +387,7 @@ At session startup
checks that all components of the pathname are root-owned directories
which are not writable by any other user or group.
After the chroot,
@@ -427,7 +427,7 @@
changes the working directory to the user's home directory.
.Pp
The pathname may contain the following tokens that are expanded at runtime once
-@@ -433,7 +433,7 @@ with an argument of
+@@ -490,7 +490,7 @@ with an argument of
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
sent without
@@ -436,7 +436,7 @@
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
-@@ -460,7 +460,7 @@ This option applies to protocol version
+@@ -517,7 +517,7 @@ This option applies to protocol version
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
@@ -445,7 +445,7 @@
will send a message through the encrypted
channel to request a response from the client.
The default
-@@ -491,7 +491,7 @@ and finally
+@@ -548,7 +548,7 @@ and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
@@ -454,7 +454,7 @@
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
-@@ -510,7 +510,7 @@ and finally
+@@ -567,7 +567,7 @@ and finally
.Cm AllowGroups .
.Pp
See PATTERNS in
@@ -463,7 +463,7 @@
for more information on patterns.
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
-@@ -543,7 +543,7 @@ files when used with
+@@ -600,7 +600,7 @@ files when used with
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
@@ -472,7 +472,7 @@
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
-@@ -602,7 +602,7 @@ files during
+@@ -686,7 +686,7 @@ files during
A setting of
.Dq yes
means that
@@ -481,7 +481,7 @@
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
-@@ -613,7 +613,7 @@ The certificate's public key must match
+@@ -697,7 +697,7 @@ The certificate's public key must match
by
.Cm HostKey .
The default behaviour of
@@ -490,16 +490,7 @@
is not to load any certificates.
.It Cm HostKey
Specifies a file containing a private host key
-@@ -628,7 +628,7 @@ and
- .Pa /etc/ssh/ssh_host_rsa_key
- for protocol version 2.
- Note that
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to use a file if it is group/world-accessible.
- It is possible to have multiple host key files.
- .Dq rsa1
-@@ -669,7 +669,7 @@ The default is
+@@ -779,7 +779,7 @@ The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
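Review bot: This refresh drops the HostKey hunk (the `.Xr sshd 8` → `.Xr sshd 1M` substitution under `Note that ... will refuse to use a file if it is group/world-accessible.`) instead of re-basing it, and the UseDNS hunk later in this file is dropped the same way. Unless the 7.1p1 sshd_config.5 genuinely no longer carries `.Xr sshd 8` in those two sections, the installed Solaris page will keep sshd(8) cross-references there while every other reference is rewritten to 1M, which reads as a dangling link on a system where the page is installed as sshd(1M). I cannot see the 7.1p1 source from here, so this is an inference from the two deletions; grepping the patched sshd_config.5 for `.Xr sshd 8` after the full patch set is applied, and re-adding the two hunks if any remain, would settle it.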
@@ -508,7 +499,7 @@
should ignore the user's
.Pa ~/.ssh/known_hosts
during
-@@ -800,7 +800,7 @@ If the value is 0, the key is never rege
+@@ -914,7 +914,7 @@ If the value is 0, the key is never rege
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
@@ -517,7 +508,7 @@
should listen on.
The following forms may be used:
.Pp
-@@ -843,7 +843,7 @@ If the value is 0, there is no time limi
+@@ -954,7 +954,7 @@ If the value is 0, there is no time limi
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
@@ -526,7 +517,7 @@
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
-@@ -943,7 +943,7 @@ and
+@@ -1059,7 +1059,7 @@ and
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
PATTERNS section of
@@ -535,7 +526,7 @@
.Pp
The patterns in an
.Cm Address
-@@ -1032,7 +1032,7 @@ Alternatively, random early drop can be
+@@ -1148,7 +1148,7 @@ Alternatively, random early drop can be
the three colon separated values
.Dq start:rate:full
(e.g. "10:30:60").
@@ -544,7 +535,7 @@
will refuse connection attempts with a probability of
.Dq rate/100
(30%)
-@@ -1149,7 +1149,7 @@ and
+@@ -1268,7 +1268,7 @@ and
options in
.Pa ~/.ssh/authorized_keys
are processed by
@@ -553,7 +544,7 @@
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
-@@ -1168,7 +1168,7 @@ The default is
+@@ -1289,7 +1289,7 @@ The default is
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
@@ -562,7 +553,7 @@
listens on.
The default is 22.
Multiple options of this type are permitted.
-@@ -1176,14 +1176,14 @@ See also
+@@ -1297,14 +1297,14 @@ See also
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
@@ -579,7 +570,7 @@
should print
.Pa /etc/motd
when a user logs in interactively.
-@@ -1194,7 +1194,7 @@ The default is
+@@ -1315,7 +1315,7 @@ The default is
.Dq yes .
.It Cm Protocol
Specifies the protocol versions
@@ -588,7 +579,7 @@
supports.
The possible values are
.Sq 1
-@@ -1305,7 +1305,7 @@ The default is
+@@ -1440,7 +1440,7 @@ The default is
.Dq no .
.It Cm StrictModes
Specifies whether
@@ -597,7 +588,7 @@
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
-@@ -1339,7 +1339,7 @@ By default no subsystems are defined.
+@@ -1474,7 +1474,7 @@ By default no subsystems are defined.
Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
@@ -606,16 +597,7 @@
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
-@@ -1380,7 +1380,7 @@ For more details on certificates, see th
- .Xr ssh-keygen 1 .
- .It Cm UseDNS
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should look up the remote host name and check that
- the resolved host name for the remote IP address maps back to the
- very same IP address.
-@@ -1425,13 +1425,13 @@ or
+@@ -1571,13 +1571,13 @@ or
If
.Cm UsePAM
is enabled, you will not be able to run
@@ -631,7 +613,7 @@
separates privileges by creating an unprivileged child process
to deal with incoming network traffic.
After successful authentication, another process will be created that has
-@@ -1453,7 +1453,7 @@ The default is
+@@ -1599,7 +1599,7 @@ The default is
.Dq none .
.It Cm X11DisplayOffset
Specifies the first display number available for
@@ -640,7 +622,7 @@
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
-@@ -1468,7 +1468,7 @@ The default is
+@@ -1614,7 +1614,7 @@ The default is
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
@@ -649,7 +631,7 @@
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), though this is not the default.
-@@ -1479,7 +1479,7 @@ display server may be exposed to attack
+@@ -1625,7 +1625,7 @@ display server may be exposed to attack
forwarding (see the warnings for
.Cm ForwardX11
in
@@ -658,7 +640,7 @@
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
-@@ -1493,7 +1493,7 @@ X11 forwarding is automatically disabled
+@@ -1639,7 +1639,7 @@ X11 forwarding is automatically disabled
is enabled.
.It Cm X11UseLocalhost
Specifies whether
@@ -667,7 +649,7 @@
should bind the X11 forwarding server to the loopback address or to
the wildcard address.
By default,
-@@ -1524,7 +1524,7 @@ The default is
+@@ -1672,7 +1672,7 @@ The default is
.Pa /usr/X11R6/bin/xauth .
.El
.Sh TIME FORMATS
@@ -676,7 +658,7 @@
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
-@@ -1568,12 +1568,12 @@ Time format examples:
+@@ -1716,12 +1716,12 @@ Time format examples:
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
--- a/components/openssh/patches/010-gss_store_cred.patch Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/patches/010-gss_store_cred.patch Thu Oct 29 02:40:10 2015 -0700
@@ -16,9 +16,10 @@
# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
# and GSSAPI_STORECREDS_NEEDS_RUID macros.
#
---- orig/config.h.in Fri Mar 21 11:42:17 2014
-+++ new/config.h.in Fri Mar 21 11:46:26 2014
-@@ -1616,6 +1616,12 @@
+diff -pur old/config.h.in new/config.h.in
+--- old/config.h.in
++++ new/config.h.in
+@@ -1623,6 +1623,12 @@
/* Use btmp to log bad logins */
#undef USE_BTMP
@@ -31,9 +32,10 @@
/* Use libedit for sftp */
#undef USE_LIBEDIT
---- orig/configure Fri Mar 21 11:42:24 2014
-+++ new/configure Fri Mar 21 11:49:51 2014
-@@ -7797,6 +7797,9 @@
+diff -pur old/configure new/configure
+--- old/configure
++++ new/configure
+@@ -10944,6 +10944,9 @@ fi
fi
@@ -43,9 +45,10 @@
TEST_SHELL=$SHELL # let configure find us a capable shell
;;
*-*-sunos4*)
---- orig/configure.ac Fri Mar 21 11:42:28 2014
-+++ new/configure.ac Fri Mar 21 16:32:28 2014
-@@ -866,6 +866,8 @@
+diff -pur old/configure.ac new/configure.ac
+--- old/configure.ac
++++ new/configure.ac
+@@ -910,6 +910,8 @@ mips-sony-bsd|mips-sony-newsos4)
],
)
TEST_SHELL=$SHELL # let configure find us a capable shell
@@ -54,9 +57,10 @@
;;
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
---- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014
-+++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014
-@@ -109,7 +109,7 @@
+diff -pur old/gss-serv-krb5.c new/gss-serv-krb5.c
+--- old/gss-serv-krb5.c
++++ new/gss-serv-krb5.c
+@@ -110,7 +110,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
return retval;
}
@@ -65,7 +69,7 @@
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-@@ -195,6 +195,7 @@
+@@ -196,6 +196,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -73,7 +77,7 @@
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
-@@ -203,7 +204,11 @@
+@@ -204,7 +205,11 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -85,9 +89,10 @@
};
#endif /* KRB5 */
---- orig/gss-serv.c Fri Mar 21 11:42:53 2014
-+++ new/gss-serv.c Fri Mar 21 15:59:43 2014
-@@ -292,6 +292,9 @@
+diff -pur old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c
++++ new/gss-serv.c
+@@ -320,22 +320,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
void
ssh_gssapi_cleanup_creds(void)
{
@@ -97,7 +102,6 @@
if (gssapi_client.store.filename != NULL) {
/* Unlink probably isn't sufficient */
debug("removing gssapi cred file\"%s\"",
-@@ -298,6 +301,7 @@
gssapi_client.store.filename);
unlink(gssapi_client.store.filename);
}
@@ -105,7 +109,6 @@
}
/* As user */
-@@ -304,10 +308,50 @@
void
ssh_gssapi_storecreds(void)
{
@@ -156,23 +159,36 @@
}
/* This allows GSSAPI methods to do things to the childs environment based
---- orig/servconf.c Fri Mar 21 11:43:02 2014
-+++ new/servconf.c Fri Mar 21 16:02:54 2014
-@@ -409,7 +409,11 @@
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
+@@ -489,7 +489,11 @@ static struct {
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+#ifdef USE_GSS_STORE_CRED
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+#else /* USE_GSS_STORE_CRED */
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+#endif /* USE_GSS_STORE_CRED */
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
---- orig/sshd.c Fri Mar 21 11:43:08 2014
-+++ new/sshd.c Mon Mar 24 15:05:30 2014
-@@ -2126,9 +2126,23 @@
+@@ -2264,7 +2268,9 @@ dump_config(ServerOptions *o)
+ #endif
+ #ifdef GSSAPI
+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++#ifndef USE_GSS_STORE_CRED
+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++#endif /* !USE_GSS_STORE_CRED */
+ #endif
+ dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+ dump_cfg_fmtint(sKbdInteractiveAuthentication,
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
+@@ -2228,9 +2228,23 @@ main(int ac, char **av)
#ifdef GSSAPI
if (options.gss_authentication) {
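Review bot: The new `#ifndef USE_GSS_STORE_CRED` around `dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);` in dump_config carries no explanation, and neither does the matching `sUnsupported` mapping of `gssapicleanupcredentials` earlier in the same file; a comment such as `/* cleanup is handled by the gss_store_cred path; the keyword is sUnsupported here, so do not list it in sshd -T */` on the `#ifndef` would make the pairing obvious to whoever rebases this next. One consequence worth a line in the patch header comment: on a Solaris build `sshd -T` omits GSSAPICleanupCredentials entirely rather than printing it as `yes`/`no`, so configuration audits that look for that key will have to special-case it. The inner sshd.c hunk (`main`, `if (options.gss_authentication)`) appears here only as its header and two context lines, so its body is not reviewed in this note.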
--- a/components/openssh/patches/023-gsskex.patch Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/patches/023-gsskex.patch Thu Oct 29 02:40:10 2015 -0700
@@ -9,8 +9,8 @@
# Upstream rejected GSS-API key exchange several times before.
#
diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in 2015-05-21 02:51:54.413234716 -0700
-+++ new/Makefile.in 2015-05-21 02:51:54.513293268 -0700
+--- old/Makefile.in
++++ new/Makefile.in
@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@@ -29,8 +29,8 @@
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
diff -pur old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/auth2-gss.c 2015-05-21 02:51:54.513863282 -0700
+--- old/auth2-gss.c
++++ new/auth2-gss.c
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
@@ -94,8 +94,8 @@
"gssapi-with-mic",
userauth_gssapi,
diff -pur old/auth2.c new/auth2.c
---- old/auth2.c 2015-05-21 02:51:54.362963450 -0700
-+++ new/auth2.c 2015-05-21 02:51:54.514409021 -0700
+--- old/auth2.c
++++ new/auth2.c
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@@ -113,9 +113,9 @@
#endif
&method_passwd,
diff -pur old/configure new/configure
---- old/configure 2015-05-21 02:51:54.418977239 -0700
-+++ new/configure 2015-05-21 04:08:21.689628474 -0700
-@@ -10869,8 +10869,10 @@ fi
+--- old/configure
++++ new/configure
+@@ -10944,8 +10944,10 @@ fi
fi
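Review bot: The refreshed inner hunk header `@@ -10944,8 +10944,10 @@ fi` for configure starts at exactly the same line as the configure hunk in 010-gss_store_cred.patch (`@@ -10944,6 +10944,9 @@ fi`), and both insert into the same `TEST_SHELL=$SHELL` / `;;` region of the solaris case. If the build applies the patches in numeric order, 010 has already added three lines there by the time this patch is applied, so this hunk can only apply with an offset, and the relative order of the two inserts then depends on patch's fuzz handling rather than on the patch text. Regenerating this hunk against a tree with 010 already applied would make the line numbers exact and the ordering explicit; the same check applies to the configure.ac hunks if this patch also touches that file, which is not visible here. The enclosing case body extends beyond the hunk on both sides.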
@@ -129,8 +129,8 @@
TEST_SHELL=$SHELL # let configure find us a capable shell
;;
diff -pur old/gss-genr.c new/gss-genr.c
---- old/gss-genr.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/gss-genr.c 2015-05-21 02:51:54.515221154 -0700
+--- old/gss-genr.c
++++ new/gss-genr.c
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
@@ -140,7 +140,7 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -40,12 +40,167 @@
+@@ -41,12 +41,167 @@
#include "buffer.h"
#include "log.h"
#include "ssh2.h"
@@ -308,7 +308,7 @@
/* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -230,6 +385,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
+@@ -231,6 +386,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
@@ -318,7 +318,7 @@
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
-@@ -237,6 +395,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
+@@ -238,6 +396,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major);
}
@@ -338,7 +338,7 @@
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context)
-@@ -255,6 +426,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -256,6 +427,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
OM_uint32 major, minor;
gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
@@ -349,7 +349,7 @@
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
-@@ -273,7 +448,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -274,7 +449,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER);
}
@@ -359,10 +359,10 @@
return (!GSS_ERROR(major));
diff -pur old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c 2015-05-21 02:51:54.328370202 -0700
-+++ new/gss-serv.c 2015-05-21 02:51:54.515853684 -0700
+--- old/gss-serv.c
++++ new/gss-serv.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -370,15 +370,15 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -46,6 +46,7 @@
- #include "misc.h"
+@@ -47,6 +47,7 @@
+ #include "servconf.h"
#include "ssh-gss.h"
+#include "monitor_wrap.h"
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-@@ -132,6 +133,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
+ extern ServerOptions options;
+
+@@ -142,6 +143,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
}
/* Unprivileged */
@@ -407,7 +407,7 @@
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
-@@ -141,7 +164,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
+@@ -151,7 +174,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
@@ -418,7 +418,7 @@
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -417,14 +442,4 @@ ssh_gssapi_userok(char *user)
+@@ -427,14 +452,4 @@ ssh_gssapi_userok(char *user)
return (0);
}
@@ -434,8 +434,8 @@
-
#endif
diff -pur old/kex.c new/kex.c
---- old/kex.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/kex.c 2015-05-21 02:51:54.516546804 -0700
+--- old/kex.c
++++ new/kex.c
@@ -55,6 +55,10 @@
#include "sshbuf.h"
#include "digest.h"
@@ -469,8 +469,8 @@
}
return NULL;
diff -pur old/kex.h new/kex.h
---- old/kex.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/kex.h 2015-05-21 04:13:55.764501761 -0700
+--- old/kex.h
++++ new/kex.h
@@ -93,6 +93,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
@@ -491,8 +491,8 @@
+#endif
char *client_version_string;
char *server_version_string;
- int (*verify_host_key)(struct sshkey *, struct ssh *);
-@@ -183,6 +190,10 @@ int kexecdh_client(struct ssh *);
+ char *failed_choice;
+@@ -186,6 +193,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@@ -504,8 +504,8 @@
int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -pur old/monitor.c new/monitor.c
---- old/monitor.c 2015-05-21 02:51:54.364298135 -0700
-+++ new/monitor.c 2015-05-21 02:51:54.518833104 -0700
+--- old/monitor.c
++++ new/monitor.c
@@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@@ -554,7 +554,7 @@
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1923,6 +1938,13 @@ monitor_apply_keystate(struct monitor *p
+@@ -1927,6 +1942,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -568,7 +568,7 @@
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
-@@ -2022,6 +2044,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2026,6 +2048,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -578,7 +578,7 @@
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2049,6 +2074,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2053,6 +2078,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -588,7 +588,7 @@
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2066,6 +2094,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2070,6 +2098,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -596,7 +596,7 @@
}
return (0);
}
-@@ -2077,6 +2106,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2081,6 +2110,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -606,7 +606,7 @@
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2103,6 +2135,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2107,6 +2139,9 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -616,7 +616,7 @@
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
buffer_clear(m);
-@@ -2116,5 +2151,47 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2120,5 +2155,47 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -665,8 +665,8 @@
#endif /* GSSAPI */
diff -pur old/monitor.h new/monitor.h
---- old/monitor.h 2015-05-21 02:51:54.364660946 -0700
-+++ new/monitor.h 2015-05-21 02:51:54.519394748 -0700
+--- old/monitor.h
++++ new/monitor.h
@@ -68,6 +68,9 @@ enum monitor_reqtype {
#ifdef PAM_ENHANCEMENT
MONITOR_REQ_AUTHMETHOD = 114,
@@ -678,8 +678,8 @@
struct mm_master;
diff -pur old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c 2015-05-21 02:51:54.365259156 -0700
-+++ new/monitor_wrap.c 2015-05-21 02:51:54.519982413 -0700
+--- old/monitor_wrap.c
++++ new/monitor_wrap.c
@@ -1103,5 +1103,28 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
@@ -710,8 +710,8 @@
#endif /* GSSAPI */
diff -pur old/monitor_wrap.h new/monitor_wrap.h
---- old/monitor_wrap.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/monitor_wrap.h 2015-05-21 02:51:54.520316939 -0700
+--- old/monitor_wrap.h
++++ new/monitor_wrap.h
@@ -60,6 +60,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
int mm_ssh_gssapi_userok(char *user);
@@ -721,8 +721,8 @@
#ifdef USE_PAM
diff -pur old/readconf.c new/readconf.c
---- old/readconf.c 2015-05-21 02:51:54.384748072 -0700
-+++ new/readconf.c 2015-05-21 02:51:54.521602190 -0700
+--- old/readconf.c
++++ new/readconf.c
@@ -147,6 +147,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -731,7 +731,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -195,9 +196,11 @@ static struct {
+@@ -196,9 +197,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -743,7 +743,7 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -927,6 +930,10 @@ parse_time:
+@@ -929,6 +932,10 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -762,7 +762,7 @@
options->gss_deleg_creds = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -1781,6 +1789,12 @@ fill_default_options(Options * options)
+@@ -1782,6 +1790,12 @@ fill_default_options(Options * options)
#else
options->gss_authentication = 0;
#endif
@@ -776,8 +776,8 @@
options->gss_deleg_creds = 0;
if (options->password_authentication == -1)
diff -pur old/readconf.h new/readconf.h
---- old/readconf.h 2015-05-21 02:51:54.348366942 -0700
-+++ new/readconf.h 2015-05-21 02:51:54.521966549 -0700
+--- old/readconf.h
++++ new/readconf.h
@@ -45,6 +45,7 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@@ -787,17 +787,17 @@
int password_authentication; /* Try password
* authentication. */
diff -pur old/servconf.c new/servconf.c
---- old/servconf.c 2015-05-21 02:51:54.410086670 -0700
-+++ new/servconf.c 2015-05-21 02:51:54.523417320 -0700
-@@ -114,6 +114,7 @@ initialize_server_options(ServerOptions
+--- old/servconf.c
++++ new/servconf.c
+@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
+ options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
-@@ -294,6 +295,12 @@ fill_default_server_options(ServerOption
+@@ -300,6 +301,12 @@ fill_default_server_options(ServerOption
#else
options->gss_authentication = 0;
#endif
@@ -809,16 +809,16 @@
+#endif
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
- if (options->password_authentication == -1)
-@@ -422,6 +429,7 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
+ if (options->gss_strict_acceptor == -1)
+@@ -442,6 +449,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+ sGssKeyEx,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -495,6 +503,7 @@ static struct {
+@@ -518,6 +526,7 @@ static struct {
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -826,15 +826,15 @@
#ifdef USE_GSS_STORE_CRED
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#else /* USE_GSS_STORE_CRED */
-@@ -502,6 +511,7 @@ static struct {
- #endif /* USE_GSS_STORE_CRED */
+@@ -526,6 +535,7 @@ static struct {
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
-@@ -1243,6 +1253,10 @@ process_server_config_line(ServerOptions
+@@ -1309,6 +1319,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -845,28 +845,28 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -2233,6 +2247,7 @@ dump_config(ServerOptions *o)
+@@ -2355,6 +2369,7 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ #ifndef USE_GSS_STORE_CRED
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
- #endif
- dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+ #endif /* !USE_GSS_STORE_CRED */
diff -pur old/servconf.h new/servconf.h
---- old/servconf.h 2015-05-21 02:51:54.367009782 -0700
-+++ new/servconf.h 2015-05-21 02:51:54.524007042 -0700
-@@ -119,6 +119,7 @@ typedef struct {
+--- old/servconf.h
++++ new/servconf.h
+@@ -122,6 +122,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
- * authentication. */
diff -pur old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-gss.h 2015-05-21 02:51:54.524497644 -0700
+--- old/ssh-gss.h
++++ new/ssh-gss.h
@@ -61,6 +61,17 @@
#define SSH_GSS_OIDTYPE 0x06
@@ -915,8 +915,8 @@
#endif /* _SSH_GSS_H */
diff -pur old/ssh_config new/ssh_config
---- old/ssh_config 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh_config 2015-05-21 02:51:54.524781493 -0700
+--- old/ssh_config
++++ new/ssh_config
@@ -26,6 +26,7 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -926,9 +926,9 @@
# CheckHostIP yes
# AddressFamily any
diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2015-05-21 02:51:54.385795947 -0700
-+++ new/ssh_config.5 2015-05-21 02:51:54.525539849 -0700
-@@ -751,6 +751,12 @@ Specifies whether user authentication ba
+--- old/ssh_config.5
++++ new/ssh_config.5
+@@ -757,6 +757,12 @@ Specifies whether user authentication ba
The default on Solaris is
.Dq yes .
Note that this option applies to protocol version 2 only.
@@ -942,20 +942,24 @@
Forward (delegate) credentials to the server.
The default is
diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c 2015-05-21 02:51:54.349037357 -0700
-+++ new/sshconnect2.c 2015-05-21 02:51:54.526742914 -0700
-@@ -164,9 +164,31 @@ ssh_kex2(char *host, struct sockaddr *ho
+--- old/sshconnect2.c
++++ new/sshconnect2.c
+@@ -163,12 +163,37 @@ ssh_kex2(char *host, struct sockaddr *ho
+ char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
struct kex *kex;
int r;
-
+#ifdef GSSAPI
+ char *orig = NULL, *gss = NULL;
+ char *gss_host = NULL;
+#endif
+
+
xxx_host = host;
xxx_hostaddr = hostaddr;
++ if (options.kex_algorithms != NULL)
++ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ /* Add the GSSAPI mechanisms currently supported on this
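Review bot: The copy of `options.kex_algorithms` into `myproposal[PROPOSAL_KEX_ALGS]` that the inner patch now adds (`++ if (options.kex_algorithms != NULL)`) is the 6.8 form of this code, reinstated so the GSSAPI block that follows can extend the proposal before `compat_kex_proposal()` is applied to it in the next hunk (`@@ -973,12 +977,15 @@`); nothing in the patch says why, and a one-line comment at that guard, e.g. `/* start from the configured list so the GSSAPI block below can extend it before compat filtering */`, would keep the next rebase from dropping it. Because `myproposal` is initialised from `KEX_CLIENT`, a NULL `kex_algorithms` silently keeps the compiled-in default, which is presumably the intent. The inner patch also adds two consecutive blank lines after the `#endif` of the GSSAPI declarations; one suffices. The GSSAPI block and the enclosing `ssh_kex2()` continue outside the hunk.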
@@ -973,12 +977,15 @@
+ }
+#endif
+
- if (options.ciphers == (char *)-1) {
- logit("No valid ciphers for protocol version 2 given, using defaults.");
- options.ciphers = NULL;
-@@ -204,6 +226,17 @@ ssh_kex2(char *host, struct sockaddr *ho
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
- myproposal[PROPOSAL_KEX_ALGS]);
+- options.kex_algorithms);
++ myproposal[PROPOSAL_KEX_ALGS]);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ compat_cipher_proposal(options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_STOC] =
+@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+ order_hostkeyalgs(host, hostaddr, port));
+ }
+#ifdef GSSAPI
+ /* If we've got GSSAPI algorithms, then we also support the
@@ -994,7 +1001,7 @@
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
-@@ -222,9 +255,22 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -215,9 +251,22 @@ ssh_kex2(char *host, struct sockaddr *ho
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -1017,7 +1024,7 @@
dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
-@@ -317,6 +363,7 @@ int input_gssapi_token(int type, u_int32
+@@ -310,6 +359,7 @@ int input_gssapi_token(int type, u_int32
int input_gssapi_hash(int type, u_int32_t, void *);
int input_gssapi_error(int, u_int32_t, void *);
int input_gssapi_errtok(int, u_int32_t, void *);
@@ -1025,7 +1032,7 @@
#endif
void userauth(Authctxt *, char *);
-@@ -332,6 +379,11 @@ static char *authmethods_get(void);
+@@ -325,6 +375,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -1037,7 +1044,7 @@
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -656,7 +708,10 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -649,7 +704,10 @@ userauth_gssapi(Authctxt *authctxt)
* once. */
if (gss_supported == NULL)
@@ -1049,7 +1056,7 @@
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
-@@ -760,8 +815,8 @@ input_gssapi_response(int type, u_int32_
+@@ -753,8 +811,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -1060,7 +1067,7 @@
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -874,6 +929,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -867,6 +925,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return 0;
}
@@ -1110,9 +1117,9 @@
int
diff -pur old/sshd.c new/sshd.c
---- old/sshd.c 2015-05-21 02:51:54.419878113 -0700
-+++ new/sshd.c 2015-05-21 02:51:54.528004659 -0700
-@@ -1815,10 +1815,13 @@ main(int ac, char **av)
+--- old/sshd.c
++++ new/sshd.c
+@@ -1827,10 +1827,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -1126,7 +1133,7 @@
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -2586,6 +2589,48 @@ do_ssh2_kex(void)
+@@ -2588,6 +2591,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@@ -1175,7 +1182,7 @@
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
-@@ -2600,6 +2645,13 @@ do_ssh2_kex(void)
+@@ -2602,6 +2647,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1190,8 +1197,8 @@
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -pur old/sshd_config new/sshd_config
---- old/sshd_config 2015-03-16 22:49:20.000000000 -0700
-+++ new/sshd_config 2015-05-21 02:51:54.528526236 -0700
+--- old/sshd_config
++++ new/sshd_config
@@ -82,8 +82,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no
@@ -1204,9 +1211,9 @@
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5 2015-05-21 02:51:54.386222371 -0700
-+++ new/sshd_config.5 2015-05-21 02:51:54.529252300 -0700
-@@ -564,6 +564,12 @@ Specifies whether user authentication ba
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -621,6 +621,12 @@ Specifies whether user authentication ba
The default on Solaris is
.Dq yes .
Note that this option applies to protocol version 2 only.
@@ -1220,23 +1227,23 @@
Specifies whether to automatically destroy the user's credentials cache
on logout.
diff -pur old/sshkey.c new/sshkey.c
---- old/sshkey.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/sshkey.c 2015-05-21 02:51:54.530693373 -0700
-@@ -116,6 +116,7 @@ static const struct keytype keytypes[] =
- { "[email protected]", "DSA-CERT-V00",
- KEY_DSA_CERT_V00, 0, 1 },
+--- old/sshkey.c
++++ new/sshkey.c
+@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
+ # endif /* OPENSSL_HAS_NISTP521 */
+ # endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+ { "null", "null", KEY_NULL, 0, 0 },
{ NULL, NULL, -1, -1, 0 }
};
diff -pur old/sshkey.h new/sshkey.h
---- old/sshkey.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/sshkey.h 2015-05-21 02:51:54.531066246 -0700
-@@ -64,6 +64,7 @@ enum sshkey_types {
+--- old/sshkey.h
++++ new/sshkey.h
+@@ -62,6 +62,7 @@ enum sshkey_types {
+ KEY_DSA_CERT,
+ KEY_ECDSA_CERT,
KEY_ED25519_CERT,
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
+ KEY_NULL,
KEY_UNSPEC
};
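Review bot: The `"null"` entry kept in `keytypes[]` (`{ "null", "null", KEY_NULL, 0, 0 }`) together with the `KEY_NULL` enumerator makes a key type carrying no key material resolvable by name through the shared sshkey table, not only inside GSSAPI key exchange. Since this patch is being rebased onto 7.1p1, where the `*_CERT_V00` entries above it were dropped upstream, it is worth re-checking that no 7.1 code path that walks `keytypes[]` or accepts a type name from the peer or from `HostKeyAlgorithms` treats `null` as a usable host key; if, as the name suggests, it only stands in for a host key during GSSAPI key exchange, a comment on the entry, e.g. `/* placeholder type for GSSAPI key exchange only; carries no key material */`, would document that constraint. The remaining fields of the entry are zero, which is consistent with it carrying no key.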
--- a/components/openssh/patches/024-disable_ed25519.patch Wed Oct 28 12:22:49 2015 -0700
+++ b/components/openssh/patches/024-disable_ed25519.patch Thu Oct 29 02:40:10 2015 -0700
@@ -6,8 +6,8 @@
# https://bugzilla.mindrot.org/show_bug.cgi?id=2376
#
diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in 2015-05-12 06:57:55.737824435 -0700
-+++ new/Makefile.in 2015-05-12 06:57:55.859410671 -0700
+--- old/Makefile.in
++++ new/Makefile.in
@@ -155,7 +155,7 @@ $(SSHDOBJS): Makefile.in config.h
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
@@ -18,9 +18,9 @@
always:
diff -pur old/authfd.c new/authfd.c
---- old/authfd.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/authfd.c 2015-05-12 06:57:55.860206664 -0700
-@@ -569,8 +569,10 @@ ssh_add_identity_constrained(int sock, s
+--- old/authfd.c
++++ new/authfd.c
+@@ -565,8 +565,10 @@ ssh_add_identity_constrained(int sock, s
case KEY_ECDSA:
case KEY_ECDSA_CERT:
#endif
@@ -32,23 +32,21 @@
SSH2_AGENTC_ADD_ID_CONSTRAINED :
SSH2_AGENTC_ADD_IDENTITY;
diff -pur old/authfile.c new/authfile.c
---- old/authfile.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/authfile.c 2015-05-12 06:57:55.860669228 -0700
-@@ -446,8 +446,10 @@ sshkey_load_private_cert(int type, const
- case KEY_RSA:
+--- old/authfile.c
++++ new/authfile.c
+@@ -449,7 +449,9 @@ sshkey_load_private_cert(int type, const
case KEY_DSA:
case KEY_ECDSA:
-- case KEY_ED25519:
#endif /* WITH_OPENSSL */
+#ifndef WITHOUT_ED25519
-+ case KEY_ED25519:
+ case KEY_ED25519:
+#endif /* WITHOUT_ED25519 */
case KEY_UNSPEC:
break;
default:
diff -pur old/dns.c new/dns.c
---- old/dns.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/dns.c 2015-05-12 06:57:55.861065113 -0700
+--- old/dns.c
++++ new/dns.c
@@ -100,11 +100,13 @@ dns_read_key(u_int8_t *algorithm, u_int8
if (!*digest_type)
*digest_type = SSHFP_HASH_SHA256;
@@ -64,21 +62,22 @@
*algorithm = SSHFP_KEY_RESERVED; /* 0 */
*digest_type = SSHFP_HASH_RESERVED; /* 0 */
diff -pur old/dns.h new/dns.h
---- old/dns.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/dns.h 2015-05-12 06:57:55.861358245 -0700
+--- old/dns.h
++++ new/dns.h
@@ -33,7 +33,9 @@ enum sshfp_types {
SSHFP_KEY_RSA = 1,
SSHFP_KEY_DSA = 2,
SSHFP_KEY_ECDSA = 3,
+- SSHFP_KEY_ED25519 = 4
+#ifndef WITHOUT_ED25519
- SSHFP_KEY_ED25519 = 4
++ SSHFP_KEY_ED25519 = 4
+#endif /* WITHOUT_ED25519 */
};
enum sshfp_hashes {
diff -pur old/ed25519.c new/ed25519.c
---- old/ed25519.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ed25519.c 2015-05-12 06:57:55.861707517 -0700
+--- old/ed25519.c
++++ new/ed25519.c
@@ -7,6 +7,7 @@
*/
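Review bot: The regenerated dns.h hunk turns the unchanged `SSHFP_KEY_ED25519 = 4` enumerator from a context line into a removed/re-added pair (`+- SSHFP_KEY_ED25519 = 4` … `++ SSHFP_KEY_ED25519 = 4`), so the patch reads as if the line changed when only the surrounding `#ifndef WITHOUT_ED25519` / `#endif` are new; unless the line's whitespace differs in 7.1p1, keeping it as context, as the previous version of the patch did, is clearer and less fragile on the next rebase. The same pattern appears in the ssh-add.c hunk of this file (`@@ -501,21 +497,22 @@`) for `_PATH_SSH_CLIENT_ID_ED25519,`.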
@@ -93,8 +92,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/fe25519.c new/fe25519.c
---- old/fe25519.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/fe25519.c 2015-05-12 06:57:55.862124169 -0700
+--- old/fe25519.c
++++ new/fe25519.c
@@ -8,6 +8,7 @@
#include "includes.h"
@@ -109,8 +108,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/fe25519.h new/fe25519.h
---- old/fe25519.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/fe25519.h 2015-05-12 06:57:55.862460867 -0700
+--- old/fe25519.h
++++ new/fe25519.h
@@ -8,6 +8,7 @@
#ifndef FE25519_H
@@ -126,8 +125,8 @@
+#endif /* WITHOUT_ED25519 */
#endif
diff -pur old/ge25519.c new/ge25519.c
---- old/ge25519.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ge25519.c 2015-05-12 06:57:55.862878000 -0700
+--- old/ge25519.c
++++ new/ge25519.c
@@ -7,6 +7,7 @@
*/
@@ -142,8 +141,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/ge25519.h new/ge25519.h
---- old/ge25519.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/ge25519.h 2015-05-12 06:57:55.863212105 -0700
+--- old/ge25519.h
++++ new/ge25519.h
@@ -8,6 +8,7 @@
#ifndef GE25519_H
@@ -159,8 +158,8 @@
+#endif /* WITHOUT_ED25519 */
#endif
diff -pur old/kex.c new/kex.c
---- old/kex.c 2015-05-12 06:57:55.741193024 -0700
-+++ new/kex.c 2015-05-12 07:00:10.308904895 -0700
+--- old/kex.c
++++ new/kex.c
@@ -96,9 +96,11 @@ static const struct kexalg kexalgs[] = {
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
@@ -174,8 +173,8 @@
{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
diff -pur old/kex.h new/kex.h
---- old/kex.h 2015-05-12 06:57:55.741694192 -0700
-+++ new/kex.h 2015-05-12 07:01:49.320801815 -0700
+--- old/kex.h
++++ new/kex.h
@@ -58,13 +58,17 @@
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
@@ -204,7 +203,7 @@
KEX_GSS_GRP1_SHA1,
KEX_GSS_GRP14_SHA1,
KEX_GSS_GEX_SHA1,
-@@ -160,8 +166,10 @@ struct kex {
+@@ -161,8 +167,10 @@ struct kex {
u_int min, max, nbits; /* GEX */
EC_KEY *ec_client_key; /* ECDH */
const EC_GROUP *ec_group; /* ECDH */
@@ -215,7 +214,7 @@
};
int kex_names_valid(const char *);
-@@ -188,8 +196,10 @@ int kexgex_client(struct ssh *);
+@@ -191,8 +199,10 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);
int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
@@ -224,9 +223,9 @@
int kexc25519_server(struct ssh *);
+#endif /* WITHOUT_ED25519 */
#ifdef GSSAPI
- int kexgss_client(Kex *);
- void kexgss_server(Kex *);
-@@ -210,6 +220,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,
+ int kexgss_client(struct ssh *);
+ int kexgss_server(struct ssh *);
+@@ -213,6 +223,7 @@ int kex_ecdh_hash(int, const EC_GROUP *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
@@ -234,7 +233,7 @@
int kex_c25519_hash(int, const char *, const char *, const char *, size_t,
const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,
const u_char *, size_t, u_char *, size_t *);
-@@ -221,6 +232,7 @@ int kexc25519_shared_key(const u_char ke
+@@ -224,6 +235,7 @@ int kexc25519_shared_key(const u_char ke
const u_char pub[CURVE25519_SIZE], struct sshbuf *out)
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
@@ -243,8 +242,8 @@
int
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
diff -pur old/kexc25519.c new/kexc25519.c
---- old/kexc25519.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/kexc25519.c 2015-05-12 06:57:55.865837542 -0700
+--- old/kexc25519.c
++++ new/kexc25519.c
@@ -27,6 +27,7 @@
#include "includes.h"
@@ -253,14 +252,14 @@
#include <sys/types.h>
#include <signal.h>
-@@ -126,3 +127,4 @@ kex_c25519_hash(
+@@ -131,3 +132,4 @@ kex_c25519_hash(
#endif
return 0;
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/kexc25519c.c new/kexc25519c.c
---- old/kexc25519c.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/kexc25519c.c 2015-05-12 06:57:55.866212606 -0700
+--- old/kexc25519c.c
++++ new/kexc25519c.c
@@ -27,6 +27,7 @@
#include "includes.h"
@@ -275,8 +274,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/kexc25519s.c new/kexc25519s.c
---- old/kexc25519s.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/kexc25519s.c 2015-05-12 06:57:55.866584623 -0700
+--- old/kexc25519s.c
++++ new/kexc25519s.c
@@ -26,6 +26,8 @@
#include "includes.h"
@@ -284,17 +283,17 @@
+#ifndef WITHOUT_ED25519
+
#include <sys/types.h>
+ #include <stdio.h>
#include <string.h>
- #include <signal.h>
-@@ -156,3 +158,4 @@ out:
+@@ -157,3 +159,4 @@ out:
sshbuf_free(shared_secret);
return r;
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/monitor.c new/monitor.c
---- old/monitor.c 2015-05-12 06:57:55.743678816 -0700
-+++ new/monitor.c 2015-05-12 07:02:27.111640142 -0700
-@@ -1937,7 +1937,9 @@ monitor_apply_keystate(struct monitor *p
+--- old/monitor.c
++++ new/monitor.c
+@@ -1941,7 +1941,9 @@ monitor_apply_keystate(struct monitor *p
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
# endif
#endif /* WITH_OPENSSL */
@@ -305,8 +304,8 @@
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/myproposal.h 2015-06-05 02:29:36.569958448 -0700
+--- old/myproposal.h
++++ new/myproposal.h
@@ -59,6 +59,20 @@
# define HOSTKEY_ECDSA_METHODS
#endif
@@ -327,7 +326,7 @@
+
#ifdef OPENSSL_HAVE_EVPGCM
# define AESGCM_CIPHER_MODES \
- "[email protected],[email protected],"
+ ",[email protected],[email protected]"
@@ -78,11 +92,6 @@
#endif
@@ -337,26 +336,23 @@
-# else
-# define KEX_CURVE25519_METHODS ""
-# endif
- #define KEX_SERVER_KEX \
+ #define KEX_COMMON_KEX \
KEX_CURVE25519_METHODS \
KEX_ECDH_METHODS \
-@@ -95,13 +104,13 @@
+@@ -97,10 +106,10 @@
#define KEX_DEFAULT_PK_ALG \
HOSTKEY_ECDSA_CERT_METHODS \
- "[email protected]," \
+ HOSTKEY_CURVE25519_CERT_METHODS \
"[email protected]," \
- "[email protected]," \
- "[email protected]," \
- "[email protected]," \
HOSTKEY_ECDSA_METHODS \
- "ssh-ed25519," \
+ HOSTKEY_CURVE25519_METHODS \
- "ssh-rsa," \
- "ssh-dss"
+ "ssh-rsa" \
-@@ -143,10 +152,10 @@
+ /* the actual algorithms */
+@@ -141,10 +150,10 @@
#else
#define KEX_SERVER_KEX \
@@ -368,11 +364,11 @@
+ HOSTKEY_CURVE25519_CERT_METHODS \
+ HOSTKEY_CURVE25519_METHODS
#define KEX_SERVER_ENCRYPT \
- "aes128-ctr,aes192-ctr,aes256-ctr," \
- "[email protected]"
+ "[email protected]," \
+ "aes128-ctr,aes192-ctr,aes256-ctr"
diff -pur old/openbsd-compat/Makefile.in new/openbsd-compat/Makefile.in
---- old/openbsd-compat/Makefile.in 2015-03-16 22:49:20.000000000 -0700
-+++ new/openbsd-compat/Makefile.in 2015-05-12 06:57:55.869383953 -0700
+--- old/openbsd-compat/Makefile.in
++++ new/openbsd-compat/Makefile.in
@@ -32,7 +32,7 @@ $(OPENBSD): ../config.h
$(PORTS): ../config.h
@@ -383,8 +379,8 @@
clean:
diff -pur old/pathnames.h new/pathnames.h
---- old/pathnames.h 2015-03-16 22:49:20.000000000 -0700
-+++ new/pathnames.h 2015-05-12 06:57:55.869773325 -0700
+--- old/pathnames.h
++++ new/pathnames.h
@@ -39,7 +39,9 @@
#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key"
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
@@ -406,9 +402,9 @@
/*
* Configuration file in user's home directory. This file need not be
diff -pur old/readconf.c new/readconf.c
---- old/readconf.c 2015-05-12 06:57:55.746561528 -0700
-+++ new/readconf.c 2015-05-12 06:57:55.870873194 -0700
-@@ -1848,8 +1848,10 @@ fill_default_options(Options * options)
+--- old/readconf.c
++++ new/readconf.c
+@@ -1846,8 +1846,10 @@ fill_default_options(Options * options)
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ECDSA, 0);
#endif
@@ -420,9 +416,9 @@
}
if (options->escape_char == -1)
diff -pur old/servconf.c new/servconf.c
---- old/servconf.c 2015-05-12 06:57:55.748493685 -0700
-+++ new/servconf.c 2015-05-12 06:57:55.872093181 -0700
-@@ -216,8 +216,10 @@ fill_default_server_options(ServerOption
+--- old/servconf.c
++++ new/servconf.c
+@@ -222,8 +222,10 @@ fill_default_server_options(ServerOption
options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_ECDSA_KEY_FILE;
#endif
@@ -434,8 +430,8 @@
}
/* No certificates by default */
diff -pur old/smult_curve25519_ref.c new/smult_curve25519_ref.c
---- old/smult_curve25519_ref.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/smult_curve25519_ref.c 2015-05-12 06:57:55.872682983 -0700
+--- old/smult_curve25519_ref.c
++++ new/smult_curve25519_ref.c
@@ -6,6 +6,8 @@ Public domain.
Derived from public domain code by D. J. Bernstein.
*/
@@ -451,8 +447,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/ssh-add.0 new/ssh-add.0
---- old/ssh-add.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/ssh-add.0 2015-05-12 07:37:37.356166396 -0700
+--- old/ssh-add.0
++++ new/ssh-add.0
@@ -11,7 +11,7 @@ SYNOPSIS
DESCRIPTION
ssh-add adds private key identities to the authentication agent,
@@ -462,7 +458,7 @@
~/.ssh/identity. After loading a private key, ssh-add will try to load
corresponding certificate information from the filename obtained by
appending -cert.pub to the name of the private key file. Alternative
-@@ -96,14 +96,6 @@ FILES
+@@ -97,14 +97,6 @@ FILES
Contains the protocol version 2 DSA authentication identity of
the user.
@@ -478,8 +474,8 @@
Contains the protocol version 2 RSA authentication identity of
the user.
diff -pur old/ssh-add.1 new/ssh-add.1
---- old/ssh-add.1 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-add.1 2015-05-12 07:47:42.099918141 -0700
+--- old/ssh-add.1
++++ new/ssh-add.1
@@ -58,8 +58,6 @@ adds private key identities to the authe
When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
@@ -489,7 +485,7 @@
and
.Pa ~/.ssh/identity .
After loading a private key,
-@@ -177,10 +175,6 @@ socket used to communicate with the agen
+@@ -178,10 +176,6 @@ socket used to communicate with the agen
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
@@ -501,21 +497,22 @@
Contains the protocol version 2 RSA authentication identity of the user.
.El
diff -pur old/ssh-add.c new/ssh-add.c
---- old/ssh-add.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-add.c 2015-05-12 06:57:55.873128238 -0700
+--- old/ssh-add.c
++++ new/ssh-add.c
@@ -78,7 +78,9 @@ static char *default_files[] = {
_PATH_SSH_CLIENT_ID_ECDSA,
#endif
#endif /* WITH_OPENSSL */
+- _PATH_SSH_CLIENT_ID_ED25519,
+#ifndef WITHOUT_ED25519
- _PATH_SSH_CLIENT_ID_ED25519,
++ _PATH_SSH_CLIENT_ID_ED25519,
+#endif /* WITHOUT_ED25519 */
+ #ifdef WITH_SSH1
_PATH_SSH_CLIENT_IDENTITY,
- NULL
- };
+ #endif
diff -pur old/ssh-agent.0 new/ssh-agent.0
---- old/ssh-agent.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/ssh-agent.0 2015-05-12 07:37:55.617194120 -0700
+--- old/ssh-agent.0
++++ new/ssh-agent.0
@@ -10,7 +10,7 @@ SYNOPSIS
DESCRIPTION
@@ -526,8 +523,8 @@
windows or programs are started as clients to the ssh-agent program.
Through use of environment variables the agent can be located and
diff -pur old/ssh-agent.1 new/ssh-agent.1
---- old/ssh-agent.1 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-agent.1 2015-05-12 07:47:53.707510271 -0700
+--- old/ssh-agent.1
++++ new/ssh-agent.1
@@ -54,7 +54,7 @@
.Sh DESCRIPTION
.Nm
@@ -538,8 +535,8 @@
is usually started in the beginning of an X-session or a login session, and
all other windows or programs are started as clients to the ssh-agent
diff -pur old/ssh-ed25519.c new/ssh-ed25519.c
---- old/ssh-ed25519.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-ed25519.c 2015-05-12 06:57:55.873512963 -0700
+--- old/ssh-ed25519.c
++++ new/ssh-ed25519.c
@@ -17,6 +17,8 @@
#include "includes.h"
@@ -555,8 +552,8 @@
}
+#endif /* WITHOUT_ED25519 */
diff -pur old/ssh-keygen.0 new/ssh-keygen.0
---- old/ssh-keygen.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/ssh-keygen.0 2015-05-12 07:40:51.445122062 -0700
+--- old/ssh-keygen.0
++++ new/ssh-keygen.0
@@ -4,7 +4,7 @@ NAME
ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
@@ -603,7 +600,7 @@
used. Higher numbers result in slower passphrase verification
@@ -103,12 +103,7 @@ DESCRIPTION
Specifies the number of bits in the key to create. For RSA keys,
- the minimum size is 768 bits and the default is 2048 bits.
+ the minimum size is 1024 bits and the default is 2048 bits.
Generally, 2048 bits is considered sufficient. DSA keys must be
- exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys,
- the -b flag determines the key length by selecting from one of
@@ -661,8 +658,8 @@
added to ~/.ssh/authorized_keys on all machines where the user
wishes to log in using public key authentication. There is no
diff -pur old/ssh-keygen.1 new/ssh-keygen.1
---- old/ssh-keygen.1 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-keygen.1 2015-05-12 07:49:52.125219558 -0700
+--- old/ssh-keygen.1
++++ new/ssh-keygen.1
@@ -46,7 +46,7 @@
.Nm ssh-keygen
.Op Fl q
@@ -709,7 +706,7 @@
.Fl o
flag is set), this option specifies the number of KDF (key derivation function)
@@ -247,15 +245,6 @@ Specifies the number of bits in the key
- For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
+ For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
Generally, 2048 bits is considered sufficient.
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
-For ECDSA keys, the
@@ -773,22 +770,22 @@
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
diff -pur old/ssh-keygen.c new/ssh-keygen.c
---- old/ssh-keygen.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-keygen.c 2015-05-12 06:57:55.874834232 -0700
-@@ -214,7 +214,11 @@ type_bits_valid(int type, const char *na
- }
+--- old/ssh-keygen.c
++++ new/ssh-keygen.c
+@@ -217,7 +217,11 @@ type_bits_valid(int type, const char *na
+ fatal("key bits exceeds maximum %d", maxbits);
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
-- else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
+- else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
+ else if (type != KEY_ECDSA &&
+#ifndef WITHOUT_ED25519
+ type != KEY_ED25519 &&
+#endif /* WITHOUT_ED25519 */
-+ *bitsp < 768)
- fatal("Key must at least be 768 bits");
++ *bitsp < 1024)
+ fatal("Key must at least be 1024 bits");
else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
fatal("Invalid ECDSA key length - valid lengths are "
-@@ -251,10 +255,12 @@ ask_filename(struct passwd *pw, const ch
+@@ -252,10 +256,12 @@ ask_filename(struct passwd *pw, const ch
case KEY_RSA:
name = _PATH_SSH_CLIENT_ID_RSA;
break;
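Review bot: The rebased type_bits_valid hunk now puts `#ifndef WITHOUT_ED25519` / `#endif` in the middle of a single `else if` condition (`+	else if (type != KEY_ECDSA &&` through `+	    *bitsp < 1024)`), which splits one boolean expression across preprocessor directives and is easy to mis-edit on the next rebase. If `KEY_ED25519` stays declared in sshkey.h when WITHOUT_ED25519 is set — the guarded `case KEY_ED25519:` labels later in this patch do not settle that either way — the upstream one-line check `else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)` can be left untouched, because comparing against a type that is never produced changes nothing. type_bits_valid starts and ends outside this hunk.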
@@ -799,19 +796,20 @@
break;
+#endif /* WITHOUT_ED25519 */
default:
- fprintf(stderr, "bad key type\n");
- exit(1);
-@@ -954,7 +960,9 @@ do_gen_all_hostkeys(struct passwd *pw)
- #ifdef OPENSSL_HAS_ECC
+ fatal("bad key type");
+ }
+@@ -939,7 +945,9 @@ do_gen_all_hostkeys(struct passwd *pw)
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
- #endif
+ #endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
+- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
+#ifndef WITHOUT_ED25519
- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
++ { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
+#endif /* WITHOUT_ED25519 */
{ NULL, NULL, NULL }
};
-@@ -1643,7 +1651,10 @@ do_ca_sign(struct passwd *pw, int argc,
+@@ -1605,7 +1613,10 @@ do_ca_sign(struct passwd *pw, int argc,
fatal("%s: unable to open \"%s\": %s",
__func__, tmp, ssh_err(r));
if (public->type != KEY_RSA && public->type != KEY_DSA &&
@@ -823,7 +821,7 @@
fatal("%s: key \"%s\" type %s cannot be certified",
__func__, tmp, sshkey_type(public));
-@@ -2558,8 +2569,10 @@ main(int argc, char **argv)
+@@ -2502,8 +2513,10 @@ main(int argc, char **argv)
_PATH_HOST_DSA_KEY_FILE, rr_hostname);
n += do_print_resource_record(pw,
_PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
@@ -835,8 +833,8 @@
fatal("no keys found.");
exit(0);
diff -pur old/ssh-keyscan.0 new/ssh-keyscan.0
---- old/ssh-keyscan.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/ssh-keyscan.0 2015-05-12 07:42:45.592281964 -0700
+--- old/ssh-keyscan.0
++++ new/ssh-keyscan.0
@@ -48,9 +48,9 @@ DESCRIPTION
-t type
Specifies the type of the key to fetch from the scanned hosts.
@@ -874,8 +872,8 @@
SEE ALSO
diff -pur old/ssh-keyscan.1 new/ssh-keyscan.1
---- old/ssh-keyscan.1 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-keyscan.1 2015-05-12 07:50:53.173745820 -0700
+--- old/ssh-keyscan.1
++++ new/ssh-keyscan.1
@@ -90,18 +90,13 @@ Specifies the type of the key to fetch f
The possible values are
.Dq rsa1
@@ -927,8 +925,8 @@
.Ed
.Sh SEE ALSO
diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
---- old/ssh-keyscan.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-keyscan.c 2015-05-12 06:57:55.875467494 -0700
+--- old/ssh-keyscan.c
++++ new/ssh-keyscan.c
@@ -286,7 +286,9 @@ keygrab_ssh2(con *c)
c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif
@@ -939,7 +937,7 @@
ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
/*
* do the key-exchange until an error occurs or until
-@@ -609,10 +611,15 @@ do_host(char *host)
+@@ -612,10 +614,15 @@ do_host(char *host)
{
char *name = strnnsep(&host, " \t\n");
int j;
@@ -956,7 +954,7 @@
if (get_keytypes & j) {
while (ncon >= MAXCON)
conloop();
-@@ -716,9 +723,11 @@ main(int argc, char **argv)
+@@ -719,9 +726,11 @@ main(int argc, char **argv)
case KEY_RSA:
get_keytypes |= KT_RSA;
break;
@@ -969,8 +967,8 @@
fatal("unknown key type %s", tname);
}
diff -pur old/ssh-keysign.0 new/ssh-keysign.0
---- old/ssh-keysign.0 2015-03-17 21:26:36.000000000 -0700
-+++ new/ssh-keysign.0 2015-05-12 07:42:57.261187576 -0700
+--- old/ssh-keysign.0
++++ new/ssh-keysign.0
@@ -24,8 +24,6 @@ FILES
Controls whether ssh-keysign is enabled.
@@ -990,8 +988,8 @@
If these files exist they are assumed to contain public
certificate information corresponding with the private keys
diff -pur old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8 2015-05-12 06:57:55.609219058 -0700
-+++ new/ssh-keysign.8 2015-05-12 07:52:35.880504667 -0700
+--- old/ssh-keysign.8
++++ new/ssh-keysign.8
@@ -62,8 +62,6 @@ Controls whether
is enabled.
.Pp
@@ -1011,8 +1009,8 @@
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
diff -pur old/ssh-keysign.c new/ssh-keysign.c
---- old/ssh-keysign.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh-keysign.c 2015-05-25 04:37:07.788045828 -0700
+--- old/ssh-keysign.c
++++ new/ssh-keysign.c
@@ -168,7 +168,7 @@ main(int argc, char **argv)
{
struct sshbuf *b;
@@ -1022,8 +1020,8 @@
struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
-@@ -189,7 +189,9 @@ main(int argc, char **argv)
- i = 0;
+@@ -190,7 +190,9 @@ main(int argc, char **argv)
+ /* XXX This really needs to read sshd_config for the paths */
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+#ifndef WITHOUT_ED25519
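Review bot: With WITHOUT_ED25519 defined, the guarded open of the ED25519 host key (the `#ifndef` is this hunk's last line; the open and its `#endif` follow outside it) leaves one slot of the `key_fd[NUM_KEYTYPES]` and `keys[NUM_KEYTYPES]` arrays declared at the top of this hunk unassigned, assuming NUM_KEYTYPES is not reduced to match. That is only safe if main() sets every `key_fd[i]` to -1 before this point and the later loops skip -1 entries; that initialization is not in the hunk, so it should be confirmed against the 7.1p1 source rather than assumed. A comment on the `#ifndef`, such as `/* slot stays -1 when ED25519 is disabled; the key_fd[]/keys[] loops must skip it */`, would make the dependency explicit. main() starts and ends outside this hunk.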
@@ -1033,9 +1031,9 @@
original_real_uid = getuid(); /* XXX readconf.c needs this */
diff -pur old/ssh.0 new/ssh.0
---- old/ssh.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/ssh.0 2015-05-12 07:44:32.393217723 -0700
-@@ -141,8 +141,8 @@ DESCRIPTION
+--- old/ssh.0
++++ new/ssh.0
+@@ -140,8 +140,8 @@ DESCRIPTION
-i identity_file
Selects a file from which the identity (private key) for public
key authentication is read. The default is ~/.ssh/identity for
@@ -1046,7 +1044,7 @@
Identity files may also be specified on a per-host basis in the
configuration file. It is possible to have multiple -i options
(and multiple identities specified in configuration files). ssh
-@@ -451,7 +451,7 @@ AUTHENTICATION
+@@ -463,7 +463,7 @@ AUTHENTICATION
creates a public/private key pair for authentication purposes. The
server knows the public key, and only the user knows the private key.
ssh implements public key authentication protocol automatically, using
@@ -1055,7 +1053,7 @@
restricted to using only RSA keys, but protocol 2 may use any. The
HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA
algorithms.
-@@ -464,11 +464,9 @@ AUTHENTICATION
+@@ -476,11 +476,9 @@ AUTHENTICATION
The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
@@ -1070,7 +1068,7 @@
directory. The user should then copy the public key to
~/.ssh/authorized_keys in his/her home directory on the remote machine.
The authorized_keys file corresponds to the conventional ~/.rhosts file,
-@@ -804,7 +802,7 @@ FILES
+@@ -825,7 +823,7 @@ FILES
for the user, and not accessible by others.
~/.ssh/authorized_keys
@@ -1079,7 +1077,7 @@
for logging in as this user. The format of this file is
described in the sshd(8) manual page. This file is not highly
sensitive, but the recommended permissions are read/write for the
-@@ -822,8 +820,6 @@ FILES
+@@ -843,8 +841,6 @@ FILES
~/.ssh/identity
~/.ssh/id_dsa
@@ -1088,7 +1086,7 @@
~/.ssh/id_rsa
Contains the private key for authentication. These files contain
sensitive data and should be readable by the user but not
-@@ -835,8 +831,6 @@ FILES
+@@ -856,8 +852,6 @@ FILES
~/.ssh/identity.pub
~/.ssh/id_dsa.pub
@@ -1097,7 +1095,7 @@
~/.ssh/id_rsa.pub
Contains the public key for authentication. These files are not
sensitive and can (but need not) be readable by anyone.
-@@ -867,8 +861,6 @@ FILES
+@@ -888,8 +882,6 @@ FILES
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
@@ -1107,9 +1105,9 @@
These files contain the private parts of the host keys and are
used for host-based authentication. If protocol version 1 is
diff -pur old/ssh.1 new/ssh.1
---- old/ssh.1 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh.1 2015-05-12 07:51:38.403098490 -0700
-@@ -274,9 +274,7 @@ public key authentication is read.
+--- old/ssh.1
++++ new/ssh.1
+@@ -292,9 +292,7 @@ public key authentication is read.
The default is
.Pa ~/.ssh/identity
for protocol version 1, and
@@ -1120,7 +1118,7 @@
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
-@@ -761,7 +759,7 @@ key pair for authentication purposes.
+@@ -848,7 +846,7 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
@@ -1129,7 +1127,7 @@
Protocol 1 is restricted to using only RSA keys,
but protocol 2 may use any.
The HISTORY section of
-@@ -786,10 +784,6 @@ This stores the private key in
+@@ -873,10 +871,6 @@ This stores the private key in
(protocol 1),
.Pa ~/.ssh/id_dsa
(protocol 2 DSA),
@@ -1140,7 +1138,7 @@
or
.Pa ~/.ssh/id_rsa
(protocol 2 RSA)
-@@ -798,10 +792,6 @@ and stores the public key in
+@@ -885,10 +879,6 @@ and stores the public key in
(protocol 1),
.Pa ~/.ssh/id_dsa.pub
(protocol 2 DSA),
@@ -1151,7 +1149,7 @@
or
.Pa ~/.ssh/id_rsa.pub
(protocol 2 RSA)
-@@ -1341,7 +1331,7 @@ secret, but the recommended permissions
+@@ -1444,7 +1434,7 @@ secret, but the recommended permissions
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
@@ -1160,7 +1158,7 @@
that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
-@@ -1363,8 +1353,6 @@ above.
+@@ -1466,8 +1456,6 @@ above.
.Pp
.It Pa ~/.ssh/identity
.It Pa ~/.ssh/id_dsa
@@ -1169,7 +1167,7 @@
.It Pa ~/.ssh/id_rsa
Contains the private key for authentication.
These files
-@@ -1378,8 +1366,6 @@ sensitive part of this file using 3DES.
+@@ -1481,8 +1469,6 @@ sensitive part of this file using 3DES.
.Pp
.It Pa ~/.ssh/identity.pub
.It Pa ~/.ssh/id_dsa.pub
@@ -1178,7 +1176,7 @@
.It Pa ~/.ssh/id_rsa.pub
Contains the public key for authentication.
These files are not
-@@ -1418,8 +1404,6 @@ The file format and configuration option
+@@ -1521,8 +1507,6 @@ The file format and configuration option
.Pp
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
@@ -1188,9 +1186,9 @@
These files contain the private parts of the host keys
and are used for host-based authentication.
diff -pur old/ssh.c new/ssh.c
---- old/ssh.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh.c 2015-05-12 06:57:55.876878130 -0700
-@@ -1234,8 +1234,10 @@ main(int ac, char **av)
+--- old/ssh.c
++++ new/ssh.c
+@@ -1233,8 +1233,10 @@ main(int ac, char **av)
sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
_PATH_HOST_ECDSA_KEY_FILE, "", NULL);
#endif
@@ -1201,7 +1199,7 @@
sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
sensitive_data.keys[4] = key_load_private_cert(KEY_DSA,
-@@ -1244,8 +1246,10 @@ main(int ac, char **av)
+@@ -1243,8 +1245,10 @@ main(int ac, char **av)
sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
_PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
#endif
@@ -1212,7 +1210,7 @@
sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
sensitive_data.keys[8] = key_load_private_type(KEY_DSA,
-@@ -1262,8 +1266,10 @@ main(int ac, char **av)
+@@ -1261,8 +1265,10 @@ main(int ac, char **av)
sensitive_data.keys[1] = key_load_cert(
_PATH_HOST_ECDSA_KEY_FILE);
#endif
@@ -1223,7 +1221,7 @@
sensitive_data.keys[3] = key_load_cert(
_PATH_HOST_RSA_KEY_FILE);
sensitive_data.keys[4] = key_load_cert(
-@@ -1272,8 +1278,10 @@ main(int ac, char **av)
+@@ -1271,8 +1277,10 @@ main(int ac, char **av)
sensitive_data.keys[5] = key_load_public(
_PATH_HOST_ECDSA_KEY_FILE, NULL);
#endif
@@ -1235,8 +1233,8 @@
_PATH_HOST_RSA_KEY_FILE, NULL);
sensitive_data.keys[8] = key_load_public(
diff -pur old/ssh_api.c new/ssh_api.c
---- old/ssh_api.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/ssh_api.c 2015-05-12 06:57:55.877368137 -0700
+--- old/ssh_api.c
++++ new/ssh_api.c
@@ -109,7 +109,9 @@ ssh_init(struct ssh **sshp, int is_serve
ssh->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
# endif
@@ -1258,24 +1256,39 @@
}
*sshp = ssh;
diff -pur old/ssh_config.0 new/ssh_config.0
---- old/ssh_config.0 2015-03-17 21:26:36.000000000 -0700
-+++ new/ssh_config.0 2015-05-12 07:45:14.754320503 -0700
-@@ -443,14 +443,8 @@ DESCRIPTION
- client wants to use in order of preference. The default for this
- option is:
+--- old/ssh_config.0
++++ new/ssh_config.0
+@@ -444,13 +444,8 @@ DESCRIPTION
+ specified key types will be appended to the default set instead
+ of replacing them. The default for this option is:
- [email protected],
- [email protected],
- [email protected],
- [email protected],
- [email protected],[email protected],
- [email protected],[email protected],
+ [email protected],
- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-- ssh-ed25519,ssh-rsa,ssh-dss
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
+
+ The -Q option of ssh(1) may be used to list supported key types.
+
+@@ -461,13 +456,8 @@ DESCRIPTION
+ key types will be appended to the default set instead of
+ replacing them. The default for this option is:
+
+- [email protected],
+- [email protected],
+- [email protected],
+- [email protected],
+ [email protected],
+- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
If hostkeys are known for the destination host then this default
is modified to prefer their algorithms.
-@@ -486,10 +480,10 @@ DESCRIPTION
+@@ -503,10 +493,10 @@ DESCRIPTION
default is M-bM-^@M-^\noM-bM-^@M-^].
IdentityFile
@@ -1289,33 +1302,63 @@
Additionally, any identities represented by the authentication
agent will be used for authentication unless IdentitiesOnly is
set. ssh(1) will try to load certificate information from the
-@@ -549,7 +543,6 @@ DESCRIPTION
- Specifies the available KEX (Key Exchange) algorithms. Multiple
- algorithms must be comma-separated. The default is:
+@@ -569,7 +559,6 @@ DESCRIPTION
+ will be appended to the default set instead of replacing them.
+ The default is:
- [email protected],
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
- diffie-hellman-group14-sha1,
+ diffie-hellman-group-exchange-sha1,
+@@ -727,13 +716,8 @@ DESCRIPTION
+ types after it will be appended to the default instead of
+ replacing it. The default for this option is:
+
+- [email protected],
+- [email protected],
+- [email protected],
+- [email protected],
+ [email protected],
+- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
+
+ The -Q option of ssh(1) may be used to list supported key types.
+
diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2015-05-12 06:57:55.750682668 -0700
-+++ new/ssh_config.5 2015-05-12 07:52:05.483411337 -0700
-@@ -807,14 +807,8 @@ Specifies the protocol version 2 host ke
- that the client wants to use in order of preference.
+--- old/ssh_config.5
++++ new/ssh_config.5
+@@ -806,13 +806,8 @@ character, then the specified key types
+ instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
- [email protected],[email protected],
- [email protected],[email protected],
+ [email protected],
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
--ssh-ed25519,ssh-rsa,ssh-dss
+-ssh-ed25519,ssh-rsa
++ssh-rsa
+ .Ed
+ .Pp
+ The
+@@ -829,13 +824,8 @@ character, then the specified key types
+ instead of replacing them.
+ The default for this option is:
+ .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
+ [email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
-@@ -869,14 +863,12 @@ offers many different identities.
+@@ -890,14 +880,12 @@ offers many different identities.
The default is
.Dq no .
.It Cm IdentityFile
@@ -1331,18 +1374,33 @@
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
-@@ -989,7 +981,6 @@ Specifies the available KEX (Key Exchang
- Multiple algorithms must be comma-separated.
+@@ -1014,7 +1002,6 @@ character, then the specified methods wi
+ instead of replacing them.
The default is:
.Bd -literal -offset indent
[email protected],
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
- diffie-hellman-group14-sha1,
+ diffie-hellman-group-exchange-sha1,
+@@ -1259,13 +1246,8 @@ character, then the key types after it w
+ instead of replacing it.
+ The default for this option is:
+ .Bd -literal -offset 3n
[email protected],
[email protected],
[email protected],
[email protected],
+ [email protected],
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ssh-rsa
++ssh-rsa
+ .Ed
+ .Pp
+ The
diff -pur old/sshconnect.c new/sshconnect.c
---- old/sshconnect.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/sshconnect.c 2015-05-12 06:57:55.878078115 -0700
-@@ -1391,7 +1391,9 @@ show_other_keys(struct hostkeys *hostkey
+--- old/sshconnect.c
++++ new/sshconnect.c
+@@ -1392,7 +1392,9 @@ show_other_keys(struct hostkeys *hostkey
KEY_RSA,
KEY_DSA,
KEY_ECDSA,
@@ -1353,9 +1411,9 @@
};
int i, ret = 0;
diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c 2015-05-12 06:57:55.751927078 -0700
-+++ new/sshconnect2.c 2015-05-12 07:03:03.597484825 -0700
-@@ -254,7 +254,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+--- old/sshconnect2.c
++++ new/sshconnect2.c
+@@ -247,7 +247,9 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif
#endif
@@ -1366,8 +1424,8 @@
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
diff -pur old/sshd.0 new/sshd.0
---- old/sshd.0 2015-03-17 21:26:35.000000000 -0700
-+++ new/sshd.0 2015-05-12 07:46:43.700877984 -0700
+--- old/sshd.0
++++ new/sshd.0
@@ -81,8 +81,7 @@ DESCRIPTION
be given if sshd is not run as root (as the normal host key files
are normally not readable by anyone but root). The default is
@@ -1378,7 +1436,7 @@
protocol version 2. It is possible to have multiple host key
files for the different protocol versions and host key
algorithms.
-@@ -147,7 +146,7 @@ DESCRIPTION
+@@ -146,7 +145,7 @@ DESCRIPTION
AUTHENTICATION
The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to
use protocol 2 only, though this can be changed via the Protocol option
@@ -1387,7 +1445,7 @@
protocol 1 only supports RSA keys. For both protocols, each host has a
host-specific key, normally 2048 bits, used to identify the host.
-@@ -278,15 +277,13 @@ AUTHORIZED_KEYS FILE FORMAT
+@@ -279,15 +278,13 @@ AUTHORIZED_KEYS FILE FORMAT
starts with a number). The bits, exponent, modulus, and comment fields
give the RSA key for protocol version 1; the comment field is not used
for anything (but may be convenient for the user to identify the key).
@@ -1405,7 +1463,7 @@
file and edit it.
sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
-@@ -513,7 +510,7 @@ FILES
+@@ -514,7 +511,7 @@ FILES
for the user, and not accessible by others.
~/.ssh/authorized_keys
@@ -1414,7 +1472,7 @@
for logging in as this user. The format of this file is
described above. The content of the file is not highly
sensitive, but the recommended permissions are read/write for the
-@@ -569,8 +566,6 @@ FILES
+@@ -570,8 +567,6 @@ FILES
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
@@ -1423,7 +1481,7 @@
/etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys. These
files should only be owned by root, readable only by root, and
-@@ -579,8 +574,6 @@ FILES
+@@ -580,8 +575,6 @@ FILES
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key.pub
@@ -1433,8 +1491,8 @@
These files contain the public parts of the host keys. These
files should be world-readable but writable only by root. Their
diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8 2015-05-12 06:57:55.682941332 -0700
-+++ new/sshd.8 2015-05-12 07:53:14.229250081 -0700
+--- old/sshd.8
++++ new/sshd.8
@@ -172,8 +172,6 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
@@ -1444,7 +1502,7 @@
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
-@@ -278,7 +276,7 @@ though this can be changed via the
+@@ -275,7 +273,7 @@ though this can be changed via the
.Cm Protocol
option in
.Xr sshd_config 4 .
@@ -1453,7 +1511,7 @@
protocol 1 only supports RSA keys.
For both protocols,
each host has a host-specific key,
-@@ -492,10 +490,6 @@ protocol version 1; the
+@@ -491,10 +489,6 @@ protocol version 1; the
comment field is not used for anything (but may be convenient for the
user to identify the key).
For protocol version 2 the keytype is
@@ -1464,7 +1522,7 @@
.Dq ssh-dss
or
.Dq ssh-rsa .
-@@ -507,8 +501,6 @@ keys up to 16 kilobits.
+@@ -506,8 +500,6 @@ keys up to 16 kilobits.
You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub ,
@@ -1473,7 +1531,7 @@
or the
.Pa id_rsa.pub
file and edit it.
-@@ -808,7 +800,7 @@ secret, but the recommended permissions
+@@ -807,7 +799,7 @@ secret, but the recommended permissions
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
@@ -1482,7 +1540,7 @@
that can be used for logging in as this user.
The format of this file is described above.
The content of the file is not highly sensitive, but the recommended
-@@ -882,8 +874,6 @@ rlogin/rsh.
+@@ -881,8 +873,6 @@ rlogin/rsh.
.Pp
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
@@ -1491,7 +1549,7 @@
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
-@@ -894,8 +884,6 @@ does not start if these files are group/
+@@ -893,8 +883,6 @@ does not start if these files are group/
.Pp
.It Pa /etc/ssh/ssh_host_key.pub
.It Pa /etc/ssh/ssh_host_dsa_key.pub
@@ -1501,9 +1559,9 @@
These files contain the public parts of the host keys.
These files should be world-readable but writable only by
diff -pur old/sshd.c new/sshd.c
---- old/sshd.c 2015-05-12 06:57:55.753246429 -0700
-+++ new/sshd.c 2015-05-12 07:03:44.715843663 -0700
-@@ -803,7 +803,9 @@ list_hostkey_types(void)
+--- old/sshd.c
++++ new/sshd.c
+@@ -811,7 +811,9 @@ list_hostkey_types(void)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
@@ -1513,7 +1571,7 @@
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
-@@ -820,7 +822,9 @@ list_hostkey_types(void)
+@@ -826,7 +828,9 @@ list_hostkey_types(void)
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
@@ -1523,7 +1581,7 @@
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
p = key_ssh_name(key);
-@@ -848,7 +852,9 @@ get_hostkey_by_type(int type, int nid, i
+@@ -852,7 +856,9 @@ get_hostkey_by_type(int type, int nid, i
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
@@ -1533,7 +1591,7 @@
key = sensitive_data.host_certificates[i];
break;
default:
-@@ -1798,7 +1804,9 @@ main(int ac, char **av)
+@@ -1810,7 +1816,9 @@ main(int ac, char **av)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
@@ -1543,7 +1601,7 @@
if (have_agent || key != NULL)
sensitive_data.have_ssh2_key = 1;
break;
-@@ -2644,7 +2652,9 @@ do_ssh2_kex(void)
+@@ -2646,7 +2654,9 @@ do_ssh2_kex(void)
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
# endif
#endif
@@ -1554,33 +1612,66 @@
if (options.gss_keyex) {
kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
diff -pur old/sshd_config.0 new/sshd_config.0
---- old/sshd_config.0 2015-03-17 21:26:36.000000000 -0700
-+++ new/sshd_config.0 2015-05-12 07:47:28.488941581 -0700
-@@ -375,12 +375,11 @@ DESCRIPTION
+--- old/sshd_config.0
++++ new/sshd_config.0
+@@ -403,13 +403,8 @@ DESCRIPTION
+ specified key types will be appended to the default set instead
+ of replacing them. The default for this option is:
+
+- [email protected],
+- [email protected],
+- [email protected],
+- [email protected],
+ [email protected],
+- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
+
+ The -Q option of ssh(1) may be used to list supported key types.
+
+@@ -438,8 +433,7 @@ DESCRIPTION
HostKey
Specifies a file containing a private host key used by SSH. The
default is /etc/ssh/ssh_host_key for protocol version 1, and
- /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
- /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
-+ /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key for
- protocol version 2. Note that sshd(8) will refuse to use a file
- if it is group/world-accessible. It is possible to have multiple
-- host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
-- M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH
-+ host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^]
-+ or M-bM-^@M-^\rsaM-bM-^@M-^] are used for version 2 of the SSH
- protocol. It is also possible to specify public host key files
- instead. In this case operations on the private key will be
- delegated to an ssh-agent(1).
-@@ -448,7 +447,6 @@ DESCRIPTION
- algorithms must be comma-separated. The supported algorithms
- are:
++ /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_rsa_key for
+ protocol version 2.
+
+ Note that sshd(8) will refuse to use a file if it is group/world-
+@@ -447,7 +441,7 @@ DESCRIPTION
+ of the keys are actually used by sshd(8).
+
+ It is possible to have multiple host key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are
+- used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] are
++ used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^] are
+ used for version 2 of the SSH protocol. It is also possible to
+ specify public host key files instead. In this case operations
+ on the private key will be delegated to an ssh-agent(1).
+@@ -462,13 +456,8 @@ DESCRIPTION
+ Specifies the protocol version 2 host key algorithms that the
+ server offers. The default for this option is:
+
+- [email protected],
+- [email protected],
+- [email protected],
+- [email protected],
+ [email protected],
+- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
+
+ The list of available key types may also be obtained using the -Q
+ option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^].
+@@ -532,7 +521,6 @@ DESCRIPTION
+ will be appended to the default set instead of replacing them.
+ The supported algorithms are:
- [email protected]
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
-@@ -459,7 +457,6 @@ DESCRIPTION
+@@ -543,7 +531,6 @@ DESCRIPTION
The default is:
@@ -1588,10 +1679,25 @@
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
+@@ -787,13 +774,8 @@ DESCRIPTION
+ specified key types will be appended to the default set instead
+ of replacing them. The default for this option is:
+
+- [email protected],
+- [email protected],
+- [email protected],
+- [email protected],
+ [email protected],
+- ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+- ssh-ed25519,ssh-rsa
++ ssh-rsa
+
+ The -Q option of ssh(1) may be used to list supported key types.
+
diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5 2015-05-12 06:57:55.754541097 -0700
-+++ new/sshd_config.5 2015-05-12 07:52:26.170307089 -0700
-@@ -628,8 +628,6 @@ The default is
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -712,8 +712,6 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
@@ -1600,7 +1706,7 @@
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
-@@ -640,8 +638,6 @@ It is possible to have multiple host key
+@@ -730,8 +728,6 @@ It is possible to have multiple host key
.Dq rsa1
keys are used for version 1 and
.Dq dsa ,
@@ -1609,7 +1715,7 @@
or
.Dq rsa
are used for version 2 of the SSH protocol.
-@@ -764,8 +760,6 @@ The supported algorithms are:
+@@ -878,8 +874,6 @@ The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
.It
@@ -1618,7 +1724,7 @@
diffie-hellman-group1-sha1
.It
diffie-hellman-group14-sha1
-@@ -783,7 +777,6 @@ ecdh-sha2-nistp521
+@@ -897,7 +891,6 @@ ecdh-sha2-nistp521
.Pp
The default is:
.Bd -literal -offset indent
@@ -1627,8 +1733,8 @@
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
diff -pur old/sshkey.c new/sshkey.c
---- old/sshkey.c 2015-05-12 06:57:55.756061267 -0700
-+++ new/sshkey.c 2015-05-27 03:34:57.475875579 -0700
+--- old/sshkey.c
++++ new/sshkey.c
@@ -85,9 +85,11 @@ struct keytype {
int cert;
};
@@ -1641,7 +1747,7 @@
#ifdef WITH_OPENSSL
{ NULL, "RSA1", KEY_RSA1, 0, 0 },
{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
-@@ -284,8 +286,10 @@ sshkey_size(const struct sshkey *k)
+@@ -278,8 +280,10 @@ sshkey_size(const struct sshkey *k)
case KEY_ECDSA_CERT:
return sshkey_curve_nid_to_bits(k->ecdsa_nid);
#endif /* WITH_OPENSSL */
@@ -1652,7 +1758,7 @@
return 256; /* XXX */
}
return 0;
-@@ -310,7 +314,9 @@ sshkey_type_is_valid_ca(int type)
+@@ -292,7 +296,9 @@ sshkey_type_is_valid_ca(int type)
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
@@ -1662,7 +1768,7 @@
return 1;
default:
return 0;
-@@ -338,8 +344,10 @@ sshkey_type_plain(int type)
+@@ -318,8 +324,10 @@ sshkey_type_plain(int type)
return KEY_DSA;
case KEY_ECDSA_CERT:
return KEY_ECDSA;
@@ -1673,7 +1779,7 @@
default:
return type;
}
-@@ -492,8 +500,10 @@ sshkey_new(int type)
+@@ -472,8 +480,10 @@ sshkey_new(int type)
k->dsa = NULL;
k->rsa = NULL;
k->cert = NULL;
@@ -1684,7 +1790,7 @@
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA1:
-@@ -530,10 +540,12 @@ sshkey_new(int type)
+@@ -508,10 +518,12 @@ sshkey_new(int type)
/* Cannot do anything until we know the group */
break;
#endif /* WITH_OPENSSL */
@@ -1697,7 +1803,7 @@
case KEY_UNSPEC:
break;
default:
-@@ -582,10 +594,12 @@ sshkey_add_private(struct sshkey *k)
+@@ -558,10 +570,12 @@ sshkey_add_private(struct sshkey *k)
/* Cannot do anything until we know the group */
break;
#endif /* WITH_OPENSSL */
@@ -1710,7 +1816,7 @@
case KEY_UNSPEC:
break;
default:
-@@ -639,6 +653,7 @@ sshkey_free(struct sshkey *k)
+@@ -613,6 +627,7 @@ sshkey_free(struct sshkey *k)
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1718,7 +1824,7 @@
case KEY_ED25519:
case KEY_ED25519_CERT:
if (k->ed25519_pk) {
-@@ -652,6 +667,7 @@ sshkey_free(struct sshkey *k)
+@@ -626,6 +641,7 @@ sshkey_free(struct sshkey *k)
k->ed25519_sk = NULL;
}
break;
@@ -1726,7 +1832,7 @@
case KEY_UNSPEC:
break;
default:
-@@ -731,10 +747,12 @@ sshkey_equal_public(const struct sshkey
+@@ -703,10 +719,12 @@ sshkey_equal_public(const struct sshkey
return 1;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1739,7 +1845,7 @@
default:
return 0;
}
-@@ -773,7 +791,9 @@ to_blob_buf(const struct sshkey *key, st
+@@ -749,7 +767,9 @@ to_blob_buf(const struct sshkey *key, st
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
#endif /* WITH_OPENSSL */
@@ -1749,7 +1855,7 @@
/* Use the existing blob */
/* XXX modified flag? */
if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
-@@ -810,6 +830,7 @@ to_blob_buf(const struct sshkey *key, st
+@@ -786,6 +806,7 @@ to_blob_buf(const struct sshkey *key, st
return ret;
break;
#endif /* WITH_OPENSSL */
@@ -1757,7 +1863,7 @@
case KEY_ED25519:
if (key->ed25519_pk == NULL)
return SSH_ERR_INVALID_ARGUMENT;
-@@ -818,6 +839,7 @@ to_blob_buf(const struct sshkey *key, st
+@@ -794,6 +815,7 @@ to_blob_buf(const struct sshkey *key, st
key->ed25519_pk, ED25519_PK_SZ)) != 0)
return ret;
break;
@@ -1765,25 +1871,23 @@
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
-@@ -1291,13 +1313,17 @@ sshkey_read(struct sshkey *ret, char **c
+@@ -1267,11 +1289,13 @@ sshkey_read(struct sshkey *ret, char **c
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
+- case KEY_ED25519:
+#ifndef WITHOUT_ED25519
- case KEY_ED25519:
++ case KEY_ED25519:
++ case KEY_ED25519_CERT:
+#endif /* WITHOUT_ED25519 */
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
-+#ifndef WITHOUT_ED25519
- case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
+- case KEY_ED25519_CERT:
space = strchr(cp, ' ');
if (space == NULL)
return SSH_ERR_INVALID_FORMAT;
-@@ -1389,6 +1415,7 @@ sshkey_read(struct sshkey *ret, char **c
+@@ -1363,6 +1387,7 @@ sshkey_read(struct sshkey *ret, char **c
}
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1791,7 +1895,7 @@
if (sshkey_type_plain(ret->type) == KEY_ED25519) {
free(ret->ed25519_pk);
ret->ed25519_pk = k->ed25519_pk;
-@@ -1397,6 +1424,7 @@ sshkey_read(struct sshkey *ret, char **c
+@@ -1371,6 +1396,7 @@ sshkey_read(struct sshkey *ret, char **c
/* XXX */
#endif
}
@@ -1799,18 +1903,7 @@
retval = 0;
/*XXXX*/
sshkey_free(k);
-@@ -1460,8 +1488,10 @@ sshkey_write(const struct sshkey *key, F
- case KEY_RSA_CERT_V00:
- case KEY_RSA_CERT:
- #endif /* WITH_OPENSSL */
-+#ifndef WITHOUT_ED25519
- case KEY_ED25519:
- case KEY_ED25519_CERT:
-+#endif /* WITHOUT_ED25519 */
- if ((bb = sshbuf_new()) == NULL) {
- ret = SSH_ERR_ALLOC_FAIL;
- goto out;
-@@ -1671,7 +1701,8 @@ sshkey_generate(int type, u_int bits, st
+@@ -1662,7 +1688,8 @@ sshkey_generate(int type, u_int bits, st
if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
return SSH_ERR_ALLOC_FAIL;
switch (type) {
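Review bot: The inner hunk that guarded `case KEY_ED25519:` and `case KEY_ED25519_CERT:` in sshkey_write() is deleted here with no 7.1 counterpart, and nothing in the hunk records why. If the 7.1 sshkey_write() no longer switches on the key type the deletion is right, but if those labels merely moved into a helper they still need an `#ifndef WITHOUT_ED25519` guard, otherwise a WITHOUT_ED25519 build fails on undeclared enumerators. A one-line note in the patch header such as `# 7.1p1: sshkey_write() no longer switches on key type, so that hunk was dropped` would spare the next rebase the same investigation, and one build with WITHOUT_ED25519 defined would confirm the remaining guards are complete. The patch header itself is outside this hunk.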
@@ -1820,7 +1913,7 @@
if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
(k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
-@@ -1680,6 +1711,7 @@ sshkey_generate(int type, u_int bits, st
+@@ -1671,6 +1698,7 @@ sshkey_generate(int type, u_int bits, st
crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
ret = 0;
break;
@@ -1828,7 +1921,7 @@
#ifdef WITH_OPENSSL
case KEY_DSA:
ret = dsa_generate_private_key(bits, &k->dsa);
-@@ -1817,6 +1849,7 @@ sshkey_from_private(const struct sshkey
+@@ -1806,6 +1834,7 @@ sshkey_from_private(const struct sshkey
}
break;
#endif /* WITH_OPENSSL */
@@ -1836,7 +1929,7 @@
case KEY_ED25519:
case KEY_ED25519_CERT:
if ((n = sshkey_new(k->type)) == NULL)
-@@ -1829,6 +1862,7 @@ sshkey_from_private(const struct sshkey
+@@ -1818,6 +1847,7 @@ sshkey_from_private(const struct sshkey
memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
break;
@@ -1844,7 +1937,7 @@
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
-@@ -2100,6 +2134,7 @@ sshkey_from_blob_internal(struct sshbuf
+@@ -2084,6 +2114,7 @@ sshkey_from_blob_internal(struct sshbuf
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1852,7 +1945,7 @@
case KEY_ED25519_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
-@@ -2121,6 +2156,7 @@ sshkey_from_blob_internal(struct sshbuf
+@@ -2105,6 +2136,7 @@ sshkey_from_blob_internal(struct sshbuf
key->ed25519_pk = pk;
pk = NULL;
break;
@@ -1860,7 +1953,7 @@
case KEY_UNSPEC:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
-@@ -2215,9 +2251,11 @@ sshkey_sign(const struct sshkey *key,
+@@ -2197,9 +2229,11 @@ sshkey_sign(const struct sshkey *key,
case KEY_RSA:
return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
#endif /* WITH_OPENSSL */
@@ -1872,7 +1965,7 @@
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
-@@ -2249,9 +2287,11 @@ sshkey_verify(const struct sshkey *key,
+@@ -2229,9 +2263,11 @@ sshkey_verify(const struct sshkey *key,
case KEY_RSA:
return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
#endif /* WITH_OPENSSL */
@@ -1884,7 +1977,7 @@
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
-@@ -2275,8 +2315,10 @@ sshkey_demote(const struct sshkey *k, st
+@@ -2255,8 +2291,10 @@ sshkey_demote(const struct sshkey *k, st
pk->dsa = NULL;
pk->ecdsa = NULL;
pk->rsa = NULL;
@@ -1895,7 +1988,7 @@
switch (k->type) {
#ifdef WITH_OPENSSL
-@@ -2328,6 +2370,7 @@ sshkey_demote(const struct sshkey *k, st
+@@ -2306,6 +2344,7 @@ sshkey_demote(const struct sshkey *k, st
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1903,7 +1996,7 @@
case KEY_ED25519_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
-@@ -2341,6 +2384,7 @@ sshkey_demote(const struct sshkey *k, st
+@@ -2319,6 +2358,7 @@ sshkey_demote(const struct sshkey *k, st
memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
break;
@@ -1911,21 +2004,19 @@
default:
ret = SSH_ERR_KEY_TYPE_UNKNOWN;
fail:
-@@ -2371,11 +2415,13 @@ sshkey_to_certified(struct sshkey *k, in
+@@ -2347,9 +2387,11 @@ sshkey_to_certified(struct sshkey *k)
newtype = KEY_ECDSA_CERT;
break;
#endif /* WITH_OPENSSL */
+#ifndef WITHOUT_ED25519
case KEY_ED25519:
- if (legacy)
- return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ED25519_CERT;
break;
+#endif /* WITHOUT_ED25519 */
default:
return SSH_ERR_INVALID_ARGUMENT;
}
-@@ -2458,11 +2504,13 @@ sshkey_certify(struct sshkey *k, struct
+@@ -2428,11 +2470,13 @@ sshkey_certify(struct sshkey *k, struct
goto out;
break;
#endif /* WITH_OPENSSL */
@@ -1939,7 +2030,7 @@
default:
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
-@@ -2657,6 +2705,7 @@ sshkey_private_serialize(const struct ss
+@@ -2607,6 +2651,7 @@ sshkey_private_serialize(const struct ss
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@@ -1947,7 +2038,7 @@
case KEY_ED25519:
if ((r = sshbuf_put_string(b, key->ed25519_pk,
ED25519_PK_SZ)) != 0 ||
-@@ -2676,6 +2725,7 @@ sshkey_private_serialize(const struct ss
+@@ -2626,6 +2671,7 @@ sshkey_private_serialize(const struct ss
ED25519_SK_SZ)) != 0)
goto out;
break;
@@ -1955,7 +2046,7 @@
default:
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
-@@ -2802,6 +2852,7 @@ sshkey_private_deserialize(struct sshbuf
+@@ -2750,6 +2796,7 @@ sshkey_private_deserialize(struct sshbuf
goto out;
break;
#endif /* WITH_OPENSSL */
@@ -1963,7 +2054,7 @@
case KEY_ED25519:
if ((k = sshkey_new_private(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
-@@ -2832,6 +2883,7 @@ sshkey_private_deserialize(struct sshbuf
+@@ -2780,6 +2827,7 @@ sshkey_private_deserialize(struct sshbuf
k->ed25519_sk = ed25519_sk;
ed25519_pk = ed25519_sk = NULL;
break;
@@ -1971,7 +2062,7 @@
default:
r = SSH_ERR_KEY_TYPE_UNKNOWN;
goto out;
-@@ -3591,9 +3643,11 @@ sshkey_private_to_fileblob(struct sshkey
+@@ -3545,9 +3593,11 @@ sshkey_private_to_fileblob(struct sshkey
return sshkey_private_pem_to_blob(key, blob,
passphrase, comment);
#endif /* WITH_OPENSSL */
@@ -1983,7 +2074,7 @@
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
-@@ -3899,9 +3953,11 @@ sshkey_parse_private_fileblob_type(struc
+@@ -3853,9 +3903,11 @@ sshkey_parse_private_fileblob_type(struc
return sshkey_parse_private_pem_fileblob(blob, type,
passphrase, keyp);
#endif /* WITH_OPENSSL */
@@ -1996,14 +2087,15 @@
if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
commentp)) == 0)
diff -pur old/sshkey.h new/sshkey.h
---- old/sshkey.h 2015-05-12 06:57:55.756485788 -0700
-+++ new/sshkey.h 2015-05-12 06:57:55.885805405 -0700
+--- old/sshkey.h
++++ new/sshkey.h
@@ -57,11 +57,15 @@ enum sshkey_types {
KEY_RSA,
KEY_DSA,
KEY_ECDSA,
+- KEY_ED25519,
+#ifndef WITHOUT_ED25519
- KEY_ED25519,
++ KEY_ED25519,
+#endif /* WITHOUT_ED25519 */
KEY_RSA_CERT,
KEY_DSA_CERT,
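Review bot: Guarding `KEY_ED25519` with `#ifndef WITHOUT_ED25519` shifts the integer value of every enumerator after it (`KEY_RSA_CERT`, `KEY_DSA_CERT`, `KEY_ECDSA_CERT`, ...) depending on the build flag, so the two configurations of this binary disagree on the numeric `sshkey_types` values. That is harmless only as long as raw enum values never cross a process or storage boundary; key types appear to travel by name through the `keytypes` table shown earlier in this patch, but that should be confirmed for the privsep monitor and agent messages rather than assumed. A comment on the guard, e.g. `#ifndef WITHOUT_ED25519 /* shifts later enumerator values; never serialize raw sshkey_types */`, would record the constraint, or the enumerators could stay unconditional with only the implementations guarded, which keeps the numbering stable. The remainder of the enum continues in the next hunk.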
@@ -2011,10 +2103,10 @@
+#ifndef WITHOUT_ED25519
KEY_ED25519_CERT,
+#endif /* WITHOUT_ED25519 */
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
KEY_NULL,
-@@ -106,13 +110,17 @@ struct sshkey {
+ KEY_UNSPEC
+ };
+@@ -104,13 +108,17 @@ struct sshkey {
DSA *dsa;
int ecdsa_nid; /* NID of curve */
EC_KEY *ecdsa;
@@ -2032,7 +2124,7 @@
struct sshkey *sshkey_new(int);
int sshkey_add_private(struct sshkey *);
-@@ -210,11 +218,13 @@ int ssh_ecdsa_sign(const struct sshkey *
+@@ -208,11 +216,13 @@ int ssh_ecdsa_sign(const struct sshkey *
int ssh_ecdsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat);
--- a/components/openssh/patches/027-missing_include.patch Wed Oct 28 12:22:49 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,27 +0,0 @@
-#
-# This patch adds a missing include to avoid compilation error.
-#
-# Recently, OpenSSH includes were refactored, so that header files no longer
-# include system header files. System header files are now included in
-# sources only.
-#
-# kex.h references sig_atomic_t, but no longer includes signal.h.
-# Now every file including kex.h must include signal.h. gss-genr.c failed
-# to do so, which resulted in unknown type compilation error.
-#
-# The patch has been accepted by upstream and will be part of 6.9 release.
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2402
-#
-# When upgrading to some release >=6.9, this patch will be dropped.
-#
---- a/gss-genr.c
-+++ a/gss-genr.c
-@@ -34,6 +34,7 @@
- #include <limits.h>
- #include <stdarg.h>
- #include <string.h>
-+#include <signal.h>
- #include <unistd.h>
-
- #include "xmalloc.h"
-
--- a/components/openssh/patches/028-relax_bits_needed_check.patch Wed Oct 28 12:22:49 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-#
-# Relax bits needed check to allow diffie-hellman-group1-sha1 key exchange to
-# complete when chacha20-poly1305 was selected as the cipher.
-#
-# OpenSSH 6.8 regression causing test case failure.
-#
-# Fixed in 6.9:
-# https://github.com/openssh/openssh-portable/commit/b8afbe2c1aaf573565e4da775261dfafc8b1ba9c
-#
-# This patch will be removed when upgrading to 6.9 or higher.
-#
-diff -pur old/dh.c new/dh.c
---- old/dh.c 2015-03-16 22:49:20.000000000 -0700
-+++ new/dh.c 2015-06-01 05:24:39.007860187 -0700
-@@ -261,7 +261,7 @@ dh_gen_key(DH *dh, int need)
-
- if (need < 0 || dh->p == NULL ||
- (pbits = BN_num_bits(dh->p)) <= 0 ||
-- need > INT_MAX / 2 || 2 * need >= pbits)
-+ need > INT_MAX / 2 || 2 * need > pbits)
- return SSH_ERR_INVALID_ARGUMENT;
- dh->length = MIN(need * 2, pbits - 1);
- if (DH_generate_key(dh) == 0 ||
--- a/components/openssh/patches/030-auth_limits_bypass_fix.patch Wed Oct 28 12:22:49 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-#
-# This is to fix a keyboard-interactive authentication brute force
-# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
-# reserved for this problem, but not officially issued yet. This fix came from
-# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
-# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
-#
---- orig/auth2-chall.c Fri Jul 24 17:36:37 2015
-+++ new/auth2-chall.c Fri Jul 24 17:47:21 2015
-@@ -83,6 +83,7 @@
- void *ctxt;
- KbdintDevice *device;
- u_int nreq;
-+ u_int devices_done;
- };
-
- #ifdef USE_PAM
-@@ -169,11 +170,15 @@
- if (len == 0)
- break;
- for (i = 0; devices[i]; i++) {
-- if (!auth2_method_allowed(authctxt,
-+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+ !auth2_method_allowed(authctxt,
- "keyboard-interactive", devices[i]->name))
- continue;
-- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+ if (strncmp(kbdintctxt->devices, devices[i]->name,
-+ len) == 0) {
- kbdintctxt->device = devices[i];
-+ kbdintctxt->devices_done |= 1 << i;
-+ }
- }
- t = kbdintctxt->devices;
- kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
--- a/components/openssh/patches/033-superfluous_error.patch Wed Oct 28 12:22:49 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-Remove error() accidentally inserted for debugging.
-
-OpenSSH 6.8 regression, already fixed in OpenSSH 6.9:
-https://github.com/openssh/openssh-portable/commit/4d24b3b6
-
-Remove this patch when upgrading to OpenSSH 6.9 or higher.
-
-diff -pur old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c
-+++ new/monitor_wrap.c
-@@ -153,10 +153,8 @@ mm_request_receive(int sock, Buffer *m)
- debug3("%s entering", __func__);
-
- if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
-- if (errno == EPIPE) {
-- error("%s: socket closed", __func__);
-+ if (errno == EPIPE)
- cleanup_exit(255);
-- }
- fatal("%s: read: %s", __func__, strerror(errno));
- }
- msg_len = get_u32(buf);