24525860 upgrade OpenSSH to 7.3p1 s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Wed, 16 Nov 2016 12:17:49 -0800
branchs11u3-sru
changeset 7320 edeb951aa980
parent 7319 0753ecc76d4d
child 7340 16972dd9074c
24525860 upgrade OpenSSH to 7.3p1 24320031 problem in UTILITY/OPENSSH 24461706 problem in UTILITY/OPENSSH 24752716 Eliminate hard-to-maintain manpages section-number patch in openssh 11.3SRU 15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes 24597931 PAM_BUGFIX by-passes fake password for timing attack avoidance 23223069 problem in UTILITY/OPENSSH 24923674 problem in UTILITY/OPENSSH 23577308 OpenSSH Makefile: -DWITHOUT_ED25519 left behind 23140756 openssh passes bad option to configure (--with-tcp-wrappers) 24301902 Log connections dropped when exceeding MaxStartups
components/openssh/Makefile
components/openssh/files/convert-man
components/openssh/openssh.p5m
components/openssh/patches/003-last_login.patch
components/openssh/patches/007-manpages.patch
components/openssh/patches/014-disable_banner.patch
components/openssh/patches/015-pam_conversation_fix.patch
components/openssh/patches/023-gsskex.patch
components/openssh/patches/033-without_cast128.patch
components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch
components/openssh/patches/035-fips.patch
components/openssh/patches/036-fipsrandom.patch
components/openssh/patches/041-pam_ctx_preserve.patch
components/openssh/patches/046-73_solaris_build_issue.patch
components/openssh/patches/047-login_grace_time_watchdog.patch
components/openssh/patches/048-maxstartups-log_dropped.patch
components/openssh/patches/049-kexinit_mem_exhaust.patch
components/openssh/sources/kexgssc.c
components/openssh/sources/kexgsss.c
components/openssh/sources/sshd-none
--- a/components/openssh/Makefile	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/Makefile	Wed Nov 16 12:17:49 2016 -0800
@@ -26,22 +26,22 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		openssh
-COMPONENT_VERSION=	7.2p2
+COMPONENT_VERSION=      7.3p1
 HUMAN_VERSION=		$(COMPONENT_VERSION)
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 
 # Version for IPS.  The encoding rules are:
 #   OpenSSH <x>.<y>p<n>     => IPS <x>.<y>.0.<n>
 #   OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION=	7.2.0.2
+IPS_COMPONENT_VERSION=	  7.3.0.1
 
 COMPONENT_PROJECT_URL=	http://www.openssh.org/
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH=	sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
+COMPONENT_ARCHIVE_HASH= sha256:3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
 COMPONENT_ARCHIVE_URL=	http://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=utility/openssh
 
-TPNO_OPENSSH=		27414
+TPNO_OPENSSH=           30602
 TPNO_GSSKEX=		20377
 
 include $(WS_MAKE_RULES)/prep.mk
@@ -58,9 +58,8 @@
 CFLAGS += -DPAM_ENHANCEMENT
 CFLAGS += -DPAM_BUGFIX
 CFLAGS += -DOPTION_DEFAULT_VALUE
-CFLAGS += -DWITHOUT_ED25519
 CFLAGS += -DPER_SESSION_XAUTHFILE
-CFLAGS += -DWITHOUT_CAST128
+CFLAGS += -DOPENSSL_NO_CAST
 CFLAGS += -DENABLE_OPENSSL_FIPS
 
 CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)" 
@@ -82,7 +81,6 @@
 CONFIGURE_OPTIONS += --with-pam
 CONFIGURE_OPTIONS += --with-sandbox=no
 CONFIGURE_OPTIONS += --with-solaris-contracts
-CONFIGURE_OPTIONS += --with-tcp-wrappers
 CONFIGURE_OPTIONS += --with-4in6
 CONFIGURE_OPTIONS += --with-xauth=$(USRBINDIR)/xauth
 CONFIGURE_OPTIONS += --disable-strip
@@ -93,12 +91,19 @@
 CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
 CONFIGURE_OPTIONS += --disable-lastlog
 
-# Copy Solaris specific source files and generate configuration script
-COMPONENT_PREP_ACTION += \
-    ( $(CP) sources/*.c $(@D)/; \
-      cd $(@D); autoconf; \
-    )
+MANLIST= moduli.5 scp.1 sftp-server.8 sftp.1 ssh-add.1 ssh-agent.1 \
+	ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8 \
+	ssh.1 ssh_config.5 sshd.8 sshd_config.5
 
+# To avoid complexity with updates, after patching for specific code-related
+# issues, auto-edit the man pages to meet Solaris legacy standards for
+# man page organization.
+# Then copy Solaris specific source files and generate configuration script
+COMPONENT_PREP_ACTION +=  (						\
+		files/convert-man $(SOURCE_DIR) $(MANLIST);		\
+	        $(CP) sources/*.c $(@D)/; 				\
+	        cd $(@D); autoconf; 					\
+	)								
 
 # common targets
 configure:	$(CONFIGURE_32)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/files/convert-man	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+# Each time upstream puts in new features, man pages change, and more
+# additional changes of our own go into man page patches.  This causes patch to
+# fail, requiring it to be re-hand-created.   This program will  fix the
+# man page section numbers at gmake prep time, after all other changes
+# and patches are applied.
+
+export SOURCE_DIR
+SOURCE_DIR=$1
+shift
+
+#set -x
+#echo $1
+
+for i in $* ; do
+	echo $SOURCE_DIR/$i
+	cat $SOURCE_DIR/$i | \
+	sed '
+	s/ssh_config 5/ssh_config 4/g
+	s/moduli 5/moduli 4/g
+	s/sshd_config 5/sshd_config 4/g
+	s/ssh-keysign 8/ssh-keysign 1M/g
+	s/sftp-server 8/sftp-server 1M/g
+	s/ssh-pkcs11-helper 8/ssh-pkcs11-helper 1M/g
+	s/sshd 8/sshd 1M/g'   > /tmp/$i.sed
+	cp /tmp/$i.sed $SOURCE_DIR/$i
+	rm /tmp/$i.sed 
+done
+
--- a/components/openssh/openssh.p5m	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/openssh.p5m	Wed Nov 16 12:17:49 2016 -0800
@@ -36,6 +36,8 @@
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
 set name=org.opensolaris.arc-caseid value=PSARC/2012/335
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file sources/sshd-none path=etc/pam.d/sshd-none group=sys mode=0644 \
+    overlay=allow preserve=renamenew
 link path=usr/bin/scp target=../lib/openssh/bin/scp mediator=ssh \
     mediator-implementation=openssh
 link path=usr/bin/sftp target=../lib/openssh/bin/sftp mediator=ssh \
--- a/components/openssh/patches/003-last_login.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/003-last_login.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -18,24 +18,24 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -1308,8 +1308,8 @@ Specifies whether
[email protected]@ -1300,8 +1300,8 @@ Specifies whether
  .Xr sshd 8
  should print the date and time of the last user login when a user logs
  in interactively.
 -The default is
 -.Dq yes .
-+On Solaris this option is always ignored since pam_unix_session(5)
++On Solaris this option is always ignored since pam_unix_session(7)
 +reports the last login time.
  .It Cm PrintMotd
  Specifies whether
  .Xr sshd 8
[email protected]@ -1735,7 +1735,8 @@ This file should be writable by root onl
[email protected]@ -1721,7 +1721,8 @@ This file should be writable by root onl
  (though not necessary) that it be world-readable.
  .El
  .Sh SEE ALSO
 -.Xr sshd 8
 +.Xr sshd 8 ,
-+.Xr pam_unix_session 5
++.Xr pam_unix_session 7
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free
  ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/007-manpages.patch	Wed Nov 16 12:04:24 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,789 +0,0 @@
-# This change is Solaris-specific and thus is not being contributed back
-# to the upstream community.  Details:
-#
-# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV
-# man page scheme used in Solaris.  In order to comply to the Solaris man page
-# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man
-# pages, the section numbers of some OpenSSH man pages are changed to be the
-# same as their corresponding ones in SunSSH.
-#
-
-diff -rupN old/moduli.5 new/moduli.5
---- old/moduli.5	2015-12-08 21:19:59.482474430 -0800
-+++ new/moduli.5	2015-12-08 21:15:53.128029200 -0800
[email protected]@ -14,7 +14,7 @@
- .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .Dd $Mdocdate: September 26 2012 $
--.Dt MODULI 5
-+.Dt MODULI 4
- .Os
- .Sh NAME
- .Nm moduli
[email protected]@ -23,7 +23,7 @@
- The
- .Pa /etc/moduli
- file contains prime numbers and generators for use by
--.Xr sshd 8
-+.Xr sshd 1M
- in the Diffie-Hellman Group Exchange key exchange method.
- .Pp
- New moduli may be generated with
[email protected]@ -40,7 +40,7 @@ pass, using
- .Ic ssh-keygen -T ,
- provides a high degree of assurance that the numbers are prime and are
- safe for use in Diffie-Hellman operations by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- This
- .Nm
- format is used as the output from each pass.
[email protected]@ -70,7 +70,7 @@ are Sophie Germain primes (type 4).
- Further primality testing with
- .Xr ssh-keygen 1
- produces safe prime moduli (type 2) that are ready for use in
--.Xr sshd 8 .
-+.Xr sshd 1M .
- Other types are not used by OpenSSH.
- .It tests
- Decimal number indicating the type of primality tests that the number
[email protected]@ -105,16 +105,16 @@ The modulus itself in hexadecimal.
- .El
- .Pp
- When performing Diffie-Hellman Group Exchange,
--.Xr sshd 8
-+.Xr sshd 1M
- first estimates the size of the modulus required to produce enough
- Diffie-Hellman output to sufficiently key the selected symmetric cipher.
--.Xr sshd 8
-+.Xr sshd 1M
- then randomly selects a modulus from
- .Fa /etc/moduli
- that best meets the size requirement.
- .Sh SEE ALSO
- .Xr ssh-keygen 1 ,
--.Xr sshd 8
-+.Xr sshd 1M
- .Sh STANDARDS
- .Rs
- .%A M. Friedl
-diff -rupN old/sftp-server.8 new/sftp-server.8
---- old/sftp-server.8	2015-12-08 21:04:19.872169630 -0800
-+++ new/sftp-server.8	2015-12-08 21:36:18.267186200 -0800
[email protected]@ -23,7 +23,7 @@
- .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- .\"
- .Dd $Mdocdate: December 11 2014 $
--.Dt SFTP-SERVER 8
-+.Dt SFTP-SERVER 1M 
- .Os
- .Sh NAME
- .Nm sftp-server
[email protected]@ -47,7 +47,7 @@ is a program that speaks the server side
- to stdout and expects client requests from stdin.
- .Nm
- is not intended to be called directly, but from
--.Xr sshd 8
-+.Xr sshd 1M
- using the
- .Cm Subsystem
- option.
[email protected]@ -58,7 +58,7 @@ should be specified in the
- .Cm Subsystem
- declaration.
- See
--.Xr sshd_config 5
-+.Xr sshd_config 4
- for more information.
- .Pp
- Valid options are:
[email protected]@ -71,7 +71,7 @@ The pathname may contain the following t
- and %u is replaced by the username of that user.
- The default is to use the user's home directory.
- This option is useful in conjunction with the
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm ChrootDirectory
- option.
- .It Fl e
[email protected]@ -147,13 +147,13 @@ must be able to access
- for logging to work, and use of
- .Nm
- in a chroot configuration therefore requires that
--.Xr syslogd 8
-+.Xr syslogd 1M
- establish a logging socket inside the chroot directory.
- .Sh SEE ALSO
- .Xr sftp 1 ,
- .Xr ssh 1 ,
--.Xr sshd_config 5 ,
--.Xr sshd 8
-+.Xr sshd_config 4 ,
-+.Xr sshd 1M
- .Rs
- .%A T. Ylonen
- .%A S. Lehtinen
-diff -rupN old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8	2015-12-08 21:20:45.638888550 -0800
-+++ new/ssh-keysign.8	2015-12-08 21:15:29.266139300 -0800
[email protected]@ -23,7 +23,7 @@
- .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- .\"
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSH-KEYSIGN 8
-+.Dt SSH-KEYSIGN 1M
- .Os
- .Sh NAME
- .Nm ssh-keysign
[email protected]@ -52,7 +52,7 @@ is not intended to be invoked by the use
- See
- .Xr ssh 1
- and
--.Xr sshd 8
-+.Xr sshd 1M
- for more information about host-based authentication.
- .Sh FILES
- .Bl -tag -width Ds -compact
[email protected]@ -83,8 +83,8 @@ information corresponding with the priva
- .Sh SEE ALSO
- .Xr ssh 1 ,
- .Xr ssh-keygen 1 ,
--.Xr ssh_config 5 ,
--.Xr sshd 8
-+.Xr ssh_config 4 ,
-+.Xr sshd 1M
- .Sh HISTORY
- .Nm
- first appeared in
-diff -rupN old/ssh-pkcs11-helper.8 new/ssh-pkcs11-helper.8
---- old/ssh-pkcs11-helper.8	2015-12-08 21:18:49.511938140 -0800
-+++ new/ssh-pkcs11-helper.8	2015-12-08 21:16:10.866823750 -0800
[email protected]@ -15,7 +15,7 @@
- .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .\"
- .Dd $Mdocdate: July 16 2013 $
--.Dt SSH-PKCS11-HELPER 8
-+.Dt SSH-PKCS11-HELPER 1M
- .Os
- .Sh NAME
- .Nm ssh-pkcs11-helper
---- old/sshd_config.5	2016-05-11 04:08:25.946753581 -0700
-+++ new/sshd_config.5	2016-05-11 04:20:10.025546205 -0700
[email protected]@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSHD_CONFIG 5
-+.Dt SSHD_CONFIG 4
- .Os
- .Sh NAME
- .Nm sshd_config
[email protected]@ -43,7 +43,7 @@
- .Sh SYNOPSIS
- .Nm /etc/ssh/sshd_config
- .Sh DESCRIPTION
--.Xr sshd 8
-+.Xr sshd 1M
- reads configuration data from
- .Pa /etc/ssh/sshd_config
- (or the file specified with
[email protected]@ -68,7 +68,7 @@
- See
- .Cm SendEnv
- in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for how to configure the client.
- The
- .Ev TERM
[email protected]@ -88,7 +88,7 @@
- The default is not to accept any environment variables.
- .It Cm AddressFamily
- Specifies which address family should be used by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- Valid arguments are
- .Dq any ,
- .Dq inet
[email protected]@ -121,7 +121,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm AllowTcpForwarding
- Specifies whether TCP forwarding is permitted.
[email protected]@ -181,7 +181,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm AuthenticationMethods
- Specifies the authentication methods that must be successfully completed
[email protected]@ -216,7 +216,7 @@
- If the
- .Dq publickey
- method is listed more than once,
--.Xr sshd 8
-+.Xr sshd 1M
- verifies that keys that have been used successfully are not reused for
- subsequent authentications.
- For example, an
[email protected]@ -249,7 +249,7 @@
- .Pp
- The program should produce on standard output zero or
- more lines of authorized_keys output (see AUTHORIZED_KEYS in
--.Xr sshd 8 ) .
-+.Xr sshd 1M ) .
- If a key supplied by AuthorizedKeysCommand does not successfully authenticate
- and authorize the user then public key authentication continues using the usual
- .Cm AuthorizedKeysFile
[email protected]@ -264,7 +264,7 @@
- is specified but
- .Cm AuthorizedKeysCommandUser
- is not, then
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to start.
- .It Cm AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
[email protected]@ -272,7 +272,7 @@
- The format is described in the
- AUTHORIZED_KEYS FILE FORMAT
- section of
--.Xr sshd 8 .
-+.Xr sshd 1M .
- .Cm AuthorizedKeysFile
- may contain tokens of the form %T which are substituted during connection
- setup.
[email protected]@ -323,7 +323,7 @@
- is specified but
- .Cm AuthorizedPrincipalsCommandUser
- is not, then
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to start.
- .It Cm AuthorizedPrincipalsFile
- Specifies a file that lists principal names that are accepted for
[email protected]@ -334,7 +334,7 @@
- to be accepted for authentication.
- Names are listed one per line preceded by key options (as described
- in AUTHORIZED_KEYS FILE FORMAT in
--.Xr sshd 8 ) .
-+.Xr sshd 1M ) .
- Empty lines and comments starting with
- .Ql #
- are ignored.
[email protected]@ -364,7 +364,7 @@
- though the
- .Cm principals=
- key option offers a similar facility (see
--.Xr sshd 8
-+.Xr sshd 1M
- for details).
- .It Cm Banner
- The contents of the specified file are sent to the remote user before
[email protected]@ -384,11 +384,11 @@
- .Xr chroot 2
- to after authentication.
- At session startup
--.Xr sshd 8
-+.Xr sshd 1M
- checks that all components of the pathname are root-owned directories
- which are not writable by any other user or group.
- After the chroot,
--.Xr sshd 8
-+.Xr sshd 1M
- changes the working directory to the user's home directory.
- .Pp
- The pathname may contain the following tokens that are expanded at runtime once
[email protected]@ -420,14 +420,14 @@
- though sessions which use logging may require
- .Pa /dev/log
- inside the chroot directory on some operating systems (see
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- for details).
- .Pp
- For safety, it is very important that the directory hierarchy be
- prevented from modification by other processes on the system (especially
- those outside the jail).
- Misconfiguration can lead to unsafe environments which
--.Xr sshd 8
-+.Xr sshd 1M
- cannot detect.
- .Pp
- The default is
[email protected]@ -493,7 +493,7 @@
- .It Cm ClientAliveCountMax
- Sets the number of client alive messages (see below) which may be
- sent without
--.Xr sshd 8
-+.Xr sshd 1M
- receiving any messages back from the client.
- If this threshold is reached while client alive messages are being sent,
- sshd will disconnect the client, terminating the session.
[email protected]@ -519,7 +519,7 @@
- .It Cm ClientAliveInterval
- Sets a timeout interval in seconds after which if no data has been received
- from the client,
--.Xr sshd 8
-+.Xr sshd 1M
- will send a message through the encrypted
- channel to request a response from the client.
- The default
[email protected]@ -549,7 +549,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm DenyUsers
- This keyword can be followed by a list of user name patterns, separated
[email protected]@ -568,7 +568,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm FingerprintHash
- Specifies the hash algorithm used when logging key fingerprints.
[email protected]@ -603,7 +603,7 @@
- Specifies whether remote hosts are allowed to connect to ports
- forwarded for the client.
- By default,
--.Xr sshd 8
-+.Xr sshd 1M
- binds remote port forwardings to the loopback address.
- This prevents other remote hosts from connecting to forwarded ports.
- .Cm GatewayPorts
[email protected]@ -684,7 +684,7 @@
- A setting of
- .Dq yes
- means that
--.Xr sshd 8
-+.Xr sshd 1M
- uses the name supplied by the client rather than
- attempting to resolve the name from the TCP connection itself.
- The default is
[email protected]@ -695,7 +695,7 @@
- by
- .Cm HostKey .
- The default behaviour of
--.Xr sshd 8
-+.Xr sshd 1M
- is not to load any certificates.
- .It Cm HostKey
- Specifies a file containing a private host key
[email protected]@ -711,12 +711,12 @@
- for protocol version 2.
- .Pp
- Note that
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to use a file if it is group/world-accessible
- and that the
- .Cm HostKeyAlgorithms
- option restricts which of the keys are actually used by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- .Pp
- It is possible to have multiple host key files.
- .Dq rsa1
[email protected]@ -777,7 +777,7 @@
- .Dq yes .
- .It Cm IgnoreUserKnownHosts
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should ignore the user's
- .Pa ~/.ssh/known_hosts
- during
[email protected]@ -912,7 +912,7 @@
- The default is 3600 (seconds).
- .It Cm ListenAddress
- Specifies the local addresses
--.Xr sshd 8
-+.Xr sshd 1M
- should listen on.
- The following forms may be used:
- .Pp
[email protected]@ -952,7 +952,7 @@
- The default is 120 seconds.
- .It Cm LogLevel
- Gives the verbosity level that is used when logging messages from
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The possible values are:
- QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
- The default is INFO.
[email protected]@ -1057,7 +1057,7 @@
- The match patterns may consist of single entries or comma-separated
- lists and may use the wildcard and negation operators described in the
- PATTERNS section of
--.Xr ssh_config 5 .
-+.Xr ssh_config 4 .
- .Pp
- The patterns in an
- .Cm Address
[email protected]@ -1156,7 +1156,7 @@
- the three colon separated values
- .Dq start:rate:full
- (e.g. "10:30:60").
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse connection attempts with a probability of
- .Dq rate/100
- (30%)
[email protected]@ -1276,7 +1276,7 @@
- options in
- .Pa ~/.ssh/authorized_keys
- are processed by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The default is
- .Dq no .
- Enabling environment processing may enable users to bypass access
[email protected]@ -1297,7 +1297,7 @@
- .Pa /var/run/sshd.pid .
- .It Cm Port
- Specifies the port number that
--.Xr sshd 8
-+.Xr sshd 1M
- listens on.
- The default is 22.
- Multiple options of this type are permitted.
[email protected]@ -1305,14 +1305,14 @@
- .Cm ListenAddress .
- .It Cm PrintLastLog
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should print the date and time of the last user login when a user logs
- in interactively.
- On Solaris this option is always ignored since pam_unix_session(5)
- reports the last login time.
- .It Cm PrintMotd
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should print
- .Pa /etc/motd
- when a user logs in interactively.
[email protected]@ -1323,7 +1323,7 @@
- .Dq yes .
- .It Cm Protocol
- Specifies the protocol versions
--.Xr sshd 8
-+.Xr sshd 1M
- supports.
- The possible values are
- .Sq 1
[email protected]@ -1450,7 +1450,7 @@
- .Dq no .
- .It Cm StrictModes
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should check file modes and ownership of the
- user's files and home directory before accepting login.
- This is normally desirable because novices sometimes accidentally leave their
[email protected]@ -1466,7 +1466,7 @@
- to execute upon subsystem request.
- .Pp
- The command
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- implements the
- .Dq sftp
- file transfer subsystem.
[email protected]@ -1483,7 +1483,7 @@
- By default no subsystems are defined.
- .It Cm SyslogFacility
- Gives the facility code that is used when logging messages from
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
[email protected]@ -1526,7 +1526,7 @@
- .Xr ssh-keygen 1 .
- .It Cm UseDNS
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should look up the remote host name, and to check that
- the resolved host name for the remote IP address maps back to the
- very same IP address.
[email protected]@ -1580,13 +1580,13 @@
- If
- .Cm UsePAM
- is enabled, you will not be able to run
--.Xr sshd 8
-+.Xr sshd 1M
- as a non-root user.
- The default is
- .Dq no .
- .It Cm UsePrivilegeSeparation
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- separates privileges by creating an unprivileged child process
- to deal with incoming network traffic.
- After successful authentication, another process will be created that has
[email protected]@ -1613,7 +1613,7 @@
- .Dq none .
- .It Cm X11DisplayOffset
- Specifies the first display number available for
--.Xr sshd 8 Ns 's
-+.Xr sshd 1M Ns 's
- X11 forwarding.
- This prevents sshd from interfering with real X11 servers.
- The default is 10.
[email protected]@ -1628,7 +1628,7 @@
- .Pp
- When X11 forwarding is enabled, there may be additional exposure to
- the server and to client displays if the
--.Xr sshd 8
-+.Xr sshd 1M
- proxy display is configured to listen on the wildcard address (see
- .Cm X11UseLocalhost
- below), though this is not the default.
[email protected]@ -1639,7 +1639,7 @@
- forwarding (see the warnings for
- .Cm ForwardX11
- in
--.Xr ssh_config 5 ) .
-+.Xr ssh_config 4 ) .
- A system administrator may have a stance in which they want to
- protect clients that may expose themselves to attack by unwittingly
- requesting X11 forwarding, which can warrant a
[email protected]@ -1653,7 +1653,7 @@
- is enabled.
- .It Cm X11UseLocalhost
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should bind the X11 forwarding server to the loopback address or to
- the wildcard address.
- By default,
[email protected]@ -1686,7 +1686,7 @@
- .Pa /usr/X11R6/bin/xauth .
- .El
- .Sh TIME FORMATS
--.Xr sshd 8
-+.Xr sshd 1M
- command-line arguments and configuration file options that specify time
- may be expressed using a sequence of the form:
- .Sm off
[email protected]@ -1730,12 +1730,12 @@
- .Bl -tag -width Ds
- .It Pa /etc/ssh/sshd_config
- Contains configuration data for
--.Xr sshd 8 .
-+.Xr sshd 1M .
- This file should be writable by root only, but it is recommended
- (though not necessary) that it be world-readable.
- .El
- .Sh SEE ALSO
--.Xr sshd 8 ,
-+.Xr sshd 1M ,
- .Xr pam_unix_session 5
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
---- old/ssh_config.5	2016-03-09 10:04:48.000000000 -0800
-+++ new/ssh_config.5	2016-05-11 04:27:03.379064284 -0700
[email protected]@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $
- .Dd $Mdocdate: February 20 2016 $
--.Dt SSH_CONFIG 5
-+.Dt SSH_CONFIG 4
- .Os
- .Sh NAME
- .Nm ssh_config
[email protected]@ -639,7 +639,7 @@
- .Dq Fl O No exit
- option).
- If set to a time in seconds, or a time in any of the formats documented in
--.Xr sshd_config 5 ,
-+.Xr sshd_config 4 ,
- then the backgrounded master connection will automatically terminate
- after it has remained idle (with no client connections) for the
- specified time.
[email protected]@ -681,7 +681,7 @@
- in the global client configuration file
- .Pa /etc/ssh/ssh_config
- enables the use of the helper program
--.Xr ssh-keysign 8
-+.Xr ssh-keysign 1M
- during
- .Cm HostbasedAuthentication .
- The argument must be
[email protected]@ -692,7 +692,7 @@
- .Dq no .
- This option should be placed in the non-hostspecific section.
- See
--.Xr ssh-keysign 8
-+.Xr ssh-keysign 1M
- for more information.
- .It Cm EscapeChar
- Sets the escape character (default:
[email protected]@ -773,7 +773,7 @@
- Specify a timeout for untrusted X11 forwarding
- using the format described in the
- TIME FORMATS section of
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- X11 connections received by
- .Xr ssh 1
- after this time will be refused.
[email protected]@ -838,7 +838,7 @@
- These hashed names may be used normally by
- .Xr ssh 1
- and
--.Xr sshd 8 ,
-+.Xr sshd 1M ,
- but they do not reveal identifying information should the file's contents
- be disclosed.
- The default is
[email protected]@ -1287,7 +1287,7 @@
- The command can be basically anything,
- and should read from its standard input and write to its standard output.
- It should eventually connect an
--.Xr sshd 8
-+.Xr sshd 1M
- server running on some machine, or execute
- .Ic sshd -i
- somewhere.
[email protected]@ -1366,7 +1366,7 @@
- The optional second value is specified in seconds and may use any of the
- units documented in the
- TIME FORMATS section of
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- The default value for
- .Cm RekeyLimit
- is
[email protected]@ -1409,7 +1409,7 @@
- will only succeed if the server's
- .Cm GatewayPorts
- option is enabled (see
--.Xr sshd_config 5 ) .
-+.Xr sshd_config 4 ) .
- .It Cm RequestTTY
- Specifies whether to request a pseudo-tty for the session.
- The argument may be one of:
[email protected]@ -1474,7 +1474,7 @@
- Refer to
- .Cm AcceptEnv
- in
--.Xr sshd_config 5
-+.Xr sshd_config 4
- for how to configure the server.
- Variables are specified by name, which may contain wildcard characters.
- Multiple environment variables may be separated by whitespace or spread
[email protected]@ -1662,7 +1662,7 @@
- and will be disabled if it is enabled.
- .Pp
- Presently, only
--.Xr sshd 8
-+.Xr sshd 1M
- from OpenSSH 6.8 and greater support the
- .Dq [email protected]
- protocol extension used to inform the client of all the server's hostkeys.
---- old/sshd.8	2016-03-09 10:04:48.000000000 -0800
-+++ new/sshd.8	2016-05-11 05:04:07.228783462 -0700
[email protected]@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSHD 8
-+.Dt SSHD 1M
- .Os
- .Sh NAME
- .Nm sshd
[email protected]@ -77,7 +77,7 @@
- .Nm
- can be configured using command-line options or a configuration file
- (by default
--.Xr sshd_config 5 ) ;
-+.Xr sshd_config 4 ) ;
- command-line options override values specified in the
- configuration file.
- .Nm
[email protected]@ -204,7 +204,7 @@
- This is useful for specifying options for which there is no separate
- command-line flag.
- For full details of the options, and their values, see
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .It Fl p Ar port
- Specifies the port on which the server listens for connections
- (default 22).
[email protected]@ -274,7 +274,7 @@
- though this can be changed via the
- .Cm Protocol
- option in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- Protocol 1 should not be used
- and is only offered to support legacy devices.
- .Pp
[email protected]@ -397,14 +397,14 @@
- See the
- .Cm PermitUserEnvironment
- option in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .It
- Changes to user's home directory.
- .It
- If
- .Pa ~/.ssh/rc
- exists and the
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm PermitUserRC
- option is set, runs it; else if
- .Pa /etc/ssh/sshrc
[email protected]@ -551,7 +551,7 @@
- environment variable.
- Note that this option applies to shell, command or subsystem execution.
- Also note that this command may be superseded by either a
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm ForceCommand
- directive or a command embedded in a certificate.
- .It Cm environment="NAME=value"
[email protected]@ -952,7 +952,7 @@
- Contains configuration data for
- .Nm sshd .
- The file format and configuration options are described in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .Pp
- .It Pa /etc/ssh/sshrc
- Similar to
[email protected]@ -986,11 +986,12 @@
- .Xr ssh-keygen 1 ,
- .Xr ssh-keyscan 1 ,
- .Xr chroot 2 ,
-+.Xr hosts_access 5 ,
- .Xr login.conf 5 ,
--.Xr moduli 5 ,
--.Xr sshd_config 5 ,
--.Xr inetd 8 ,
--.Xr sftp-server 8
-+.Xr moduli 4 ,
-+.Xr sshd_config 4 ,
-+.Xr inetd 1M ,
-+.Xr sftp-server 1M
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/014-disable_banner.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/014-disable_banner.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -6,54 +6,54 @@
 # In the future, if this feature is accepted by the upsteam in a later release,
 # we will remove this patch when we upgrade to that release.  
 #
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c	2015-03-28 21:57:35.551727235 +0100
-+++ new/readconf.c	2015-03-28 22:06:01.694836272 +0100
[email protected]@ -150,6 +150,9 @@ typedef enum {
+--- orig/readconf.c	Mon Aug 15 15:45:25 2016
++++ new/readconf.c	Mon Aug 15 15:53:23 2016
[email protected]@ -163,6 +163,9 @@
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
 +#ifdef DISABLE_BANNER 
-+	oDisableBanner,
++        oDisableBanner,
 +#endif
  	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- 	oVisualHostKey, oUseRoaming,
+ 	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
[email protected]@ -254,6 +257,9 @@ static struct {
[email protected]@ -271,6 +274,9 @@
  	{ "controlmaster", oControlMaster },
  	{ "controlpersist", oControlPersist },
  	{ "hashknownhosts", oHashKnownHosts },
 +#ifdef DISABLE_BANNER
-+	{ "disablebanner", oDisableBanner },
++        { "disablebanner", oDisableBanner },
 +#endif
+ 	{ "include", oInclude },
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
- 	{ "localcommand", oLocalCommand },
[email protected]@ -754,6 +760,17 @@ static const struct multistate multistat
[email protected]@ -794,6 +800,18 @@
  	{ NULL, -1 }
  };
  
++ 
 +#ifdef DISABLE_BANNER
 +static const struct multistate multistate_disablebanner[] = {
-+	{ "true",			SSH_DISABLEBANNER_YES },
-+	{ "false",			SSH_DISABLEBANNER_NO },
-+	{ "yes",			SSH_DISABLEBANNER_YES },
-+	{ "no",				SSH_DISABLEBANNER_NO },
-+	{ "in-exec-mode",		SSH_DISABLEBANNER_INEXECMODE },
-+	{ NULL, -1 }
++        { "true",                       SSH_DISABLEBANNER_YES },
++        { "false",                      SSH_DISABLEBANNER_NO },
++        { "yes",                        SSH_DISABLEBANNER_YES },
++        { "no",                         SSH_DISABLEBANNER_NO },
++        { "in-exec-mode",               SSH_DISABLEBANNER_INEXECMODE },
++        { NULL, -1 }
 +}; 
 +#endif
 +
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
[email protected]@ -1514,6 +1531,13 @@ parse_int:
- 			*charptr = xstrdup(arg);
- 		break;
[email protected]@ -1657,6 +1675,13 @@
+ 		charptr = &options->identity_agent;
+ 		goto parse_string;
  
 +#ifdef DISABLE_BANNER
-+	case oDisableBanner:
-+	        intptr = &options->disable_banner;
++        case oDisableBanner:
++                intptr = &options->disable_banner;
 +                multistate_ptr = multistate_disablebanner;
 +                goto parse_multistate; 
 +#endif
@@ -61,32 +61,31 @@
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
[email protected]@ -1684,6 +1708,9 @@ initialize_options(Options * options)
[email protected]@ -1847,6 +1872,9 @@
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
  	options->proxy_use_fdpass = -1;
 +#ifdef DISABLE_BANNER
-+	options->disable_banner = -1;
++        options->disable_banner = -1;
 +#endif
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
[email protected]@ -1871,6 +1898,10 @@ fill_default_options(Options * options)
[email protected]@ -2041,6 +2069,10 @@
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
 +#ifdef DISABLE_BANNER
-+	if (options->disable_banner == -1)
-+		options->disable_banner = 0;
++        if (options->disable_banner == -1)
++                options->disable_banner = 0;
 +#endif
  	if (options->fingerprint_hash == -1)
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  	if (options->update_hostkeys == -1)
-diff -pur old/readconf.h new/readconf.h
---- old/readconf.h	2015-03-17 06:49:20.000000000 +0100
-+++ new/readconf.h	2015-03-28 21:57:35.684348892 +0100
[email protected]@ -153,6 +153,9 @@ typedef struct {
- 	char	*hostbased_key_types;
+--- orig/readconf.h	Mon Aug 15 15:45:28 2016
++++ new/readconf.h	Mon Aug 15 15:55:00 2016
[email protected]@ -169,6 +169,9 @@
+ 	char   *jump_extra;
  
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -95,23 +94,22 @@
  }       Options;
  
  #define SSH_CANONICALISE_NO	0
[email protected]@ -178,6 +181,12 @@ typedef struct {
[email protected]@ -195,6 +198,12 @@
  #define SSH_UPDATE_HOSTKEYS_YES	1
  #define SSH_UPDATE_HOSTKEYS_ASK	2
  
 +#ifdef DISABLE_BANNER
-+#define SSH_DISABLEBANNER_NO		0
-+#define SSH_DISABLEBANNER_YES		1
-+#define SSH_DISABLEBANNER_INEXECMODE	2
++#define SSH_DISABLEBANNER_NO            0
++#define SSH_DISABLEBANNER_YES           1
++#define SSH_DISABLEBANNER_INEXECMODE    2
 +#endif
 +
  void     initialize_options(Options *);
  void     fill_default_options(Options *);
  void	 fill_default_options_for_canonicalization(Options *);
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5	2015-03-28 21:57:35.544033907 +0100
-+++ new/ssh_config.5	2015-03-28 21:57:35.684635985 +0100
[email protected]@ -566,6 +566,14 @@ If set to a time in seconds, or a time i
+--- orig/ssh_config.5	Mon Aug 15 15:45:37 2016
++++ new/ssh_config.5	Mon Aug 15 15:57:36 2016
[email protected]@ -643,6 +643,14 @@
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
@@ -122,14 +120,13 @@
 +.Pp
 +The default value is no, which means that the banner is displayed unless the 
 +log level  is  QUIET, FATAL, or ERROR. See also the Banner option in
-+.Xr sshd_config 4 . This option applies to protocol version 2 only.
+++.Xr sshd_config 5 . This option applies to protocol version 2 only.
  .It Cm DynamicForward
  Specifies that a TCP port on the local machine be forwarded
  over the secure channel, and the application
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c	2015-03-17 06:49:20.000000000 +0100
-+++ new/sshconnect2.c	2015-03-28 21:57:35.684940995 +0100
[email protected]@ -81,6 +81,10 @@ extern char *client_version_string;
+--- orig/sshconnect2.c	Mon Aug 15 15:45:44 2016
++++ new/sshconnect2.c	Thu Aug 18 18:28:20 2016
[email protected]@ -82,6 +82,10 @@
  extern char *server_version_string;
  extern Options options;
  
@@ -140,24 +137,24 @@
  /*
   * SSH2 key exchange
   */
[email protected]@ -480,7 +484,20 @@ input_userauth_banner(int type, u_int32_
- 	debug3("input_userauth_banner");
- 	raw = packet_get_string(&len);
[email protected]@ -502,7 +506,20 @@
+ 	debug3("%s", __func__);
+ 	msg = packet_get_string(&len);
  	lang = packet_get_string(NULL);
 +
 +#ifdef DISABLE_BANNER
-+	/*
-+	 * Banner is a warning message according to RFC 4252. So, never print
-+	 * a banner in error log level or lower. If the log level is higher,
-+	 * use DisableBanner option to decide whether to display it or not.
-+	 */
-+	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO && 
++        /*
++         * Banner is a warning message according to RFC 4252. So, never print
++         * a banner in error log level or lower. If the log level is higher,
++         * use DisableBanner option to decide whether to display it or not.
++         */
++        if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO && 
 +            (options.disable_banner == SSH_DISABLEBANNER_NO ||
 +            (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
-+            buffer_len(&command) == 0))) {
++            buffer_len(&command) == 0))) 
 +#else
- 	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ 	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)
 +#endif
- 		if (len > 65536)
- 			len = 65536;
- 		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ 		fmprintf(stderr, "%s", msg);
+ 	free(msg);
+ 	free(lang);
--- a/components/openssh/patches/015-pam_conversation_fix.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/015-pam_conversation_fix.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -4,9 +4,9 @@
 # 2009, but it was not accepted by the upstream.  For more information, see
 # https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
 #
---- orig/auth-pam.c	Mon Oct 27 14:40:01 2014
-+++ new/auth-pam.c	Tue Oct 28 12:40:59 2014
[email protected]@ -1111,11 +1111,13 @@
+--- orig/auth-pam.c	Mon Aug 15 16:16:17 2016
++++ new/auth-pam.c	Mon Aug 15 16:26:40 2016
[email protected]@ -1138,11 +1138,13 @@
  	free(env);
  }
  
@@ -20,25 +20,25 @@
  static int
  sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
      struct pam_response **resp, void *data)
[email protected]@ -1137,6 +1139,17 @@
[email protected]@ -1164,6 +1166,17 @@
  	for (i = 0; i < n; ++i) {
  		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
  		case PAM_PROMPT_ECHO_OFF:
 +#ifdef PAM_BUGFIX
 +                       /*
 +                        * PAM conversation function for the password userauth
-+			* method (non-interactive) really cannot do any 
-+			* prompting.  We set the PAM_AUTHTOK item in 
++                        * method (non-interactive) really cannot do any 
++                        * prompting.  We set the PAM_AUTHTOK item in 
 +                        * sshpam_auth_passwd()to avoid conversation. If some
-+			* modules still try to converse, then the password
-+			* userauth will fail.
-+			*/
-+			goto fail;
++                        * modules still try to converse, then the password
++                        * userauth will fail.
++                        */
++                        goto fail;
 +#else
  			if (sshpam_password == NULL)
  				goto fail;
  			if ((reply[i].resp = strdup(sshpam_password)) == NULL)
[email protected]@ -1143,6 +1156,7 @@
[email protected]@ -1170,6 +1183,7 @@
  				goto fail;
  			reply[i].resp_retcode = PAM_SUCCESS;
  			break;
@@ -46,7 +46,7 @@
  		case PAM_ERROR_MSG:
  		case PAM_TEXT_INFO:
  			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
[email protected]@ -1178,6 +1192,9 @@
[email protected]@ -1205,6 +1219,9 @@
  int
  sshpam_auth_passwd(Authctxt *authctxt, const char *password)
  {
@@ -55,35 +55,35 @@
 +#endif
  	int flags = (options.permit_empty_passwd == 0 ?
  	    PAM_DISALLOW_NULL_AUTHTOK : 0);
- 
[email protected]@ -1197,6 +1214,15 @@
+ 	char *fake = NULL;
[email protected]@ -1225,6 +1242,15 @@
  	    options.permit_root_login != PERMIT_YES))
- 		sshpam_password = badpw;
+ 		sshpam_password = fake = fake_password(password);
  
 +#ifdef PAM_BUGFIX
-+  	sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
-+	if (sshpam_err != PAM_SUCCESS) {
-+		debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+		    pam_strerror(sshpam_handle, sshpam_err));
-+		return 0;
-+	}
++        sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);
++        if (sshpam_err != PAM_SUCCESS) {
++                debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++                    pam_strerror(sshpam_handle, sshpam_err));
++                return 0;
++        }
 +#endif
 +
  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
  	    (const void *)&passwd_conv);
  	if (sshpam_err != PAM_SUCCESS)
[email protected]@ -1205,6 +1231,16 @@
- 
- 	sshpam_err = pam_authenticate(sshpam_handle, flags);
- 	sshpam_password = NULL;
[email protected]@ -1236,6 +1262,16 @@
+ 	free(fake);
+ 	if (sshpam_err == PAM_MAXTRIES)
+ 		sshpam_set_maxtries_reached(1);
 +
 +#ifdef PAM_BUGFIX
 +        set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
-+	if (set_item_rtn != PAM_SUCCESS) {
-+		debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+		    pam_strerror(sshpam_handle, set_item_rtn));
-+		return 0;
-+	}
++        if (set_item_rtn != PAM_SUCCESS) {
++                debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++                    pam_strerror(sshpam_handle, set_item_rtn));
++                return 0;
++        }
 +#endif
 +
  	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
--- a/components/openssh/patches/023-gsskex.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/023-gsskex.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -6,12 +6,24 @@
 # Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.
 # New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.
 #
+# Update Sep 5, 2016:
+# Upstream renamed and moved canohost.c`get_canonical_hostname to sshd-specific
+# auth.c`auth_get_canonical_hostname. In Solaris specific GSS-API key exchange
+# code we need this functionality on the client side too, for canonicalizing
+# server hostbased service principal. We have moved remote_hostname back to
+# canohost.c.
+#
+# TODO:
+# When we upgrade Kerberos in Solaris to future version 1.15, we will use
+# krb5_expand_hostname for hostname canonicalization instead.
+#
 # Upstream rejected GSS-API key exchange several times before.
 #
-diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in
-+++ new/Makefile.in
[email protected]@ -86,5 +86,6 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+diff -rupN old/Makefile.in new/Makefile.in
+--- old/Makefile.in	2016-09-21 19:40:34.495262333 -0700
++++ new/Makefile.in	2016-09-21 20:20:17.560532505 -0700
[email protected]@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 +	kexgssc.o \
@@ -25,11 +37,114 @@
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- 	sftp-server.o sftp-common.o sftp_provider.o \
+ 	sftp-server.o sftp-common.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff -pur old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c
-+++ new/auth2-gss.c
+diff -rupN old/auth.c new/auth.c
+--- old/auth.c	2016-09-21 19:40:20.287164940 -0700
++++ new/auth.c	2016-09-21 19:25:47.928961550 -0700
[email protected]@ -786,99 +786,6 @@ fakepw(void)
+ }
+ 
+ /*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) < 0) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return strdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return strdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return strdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return strdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return strdup(ntop);
+-	}
+-	return strdup(name);
+-}
+-
+-/*
+  * Return the canonical name of the host in the other side of the current
+  * connection.  The host name is cached, so it is efficient to call this
+  * several times.
+diff -rupN old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c	2016-09-21 19:40:20.290128383 -0700
++++ new/auth2-gss.c	2016-09-21 19:25:47.855250807 -0700
 @@ -1,7 +1,7 @@
  /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
  
@@ -92,9 +207,9 @@
  Authmethod method_gssapi = {
  	"gssapi-with-mic",
  	userauth_gssapi,
-diff -pur old/auth2.c new/auth2.c
---- old/auth2.c
-+++ new/auth2.c
+diff -rupN old/auth2.c new/auth2.c
+--- old/auth2.c	2016-09-21 19:40:20.293020496 -0700
++++ new/auth2.c	2016-09-21 19:25:47.497355321 -0700
 @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
@@ -111,9 +226,123 @@
  	&method_gssapi,
  #endif
  	&method_passwd,
-diff -pur old/gss-genr.c new/gss-genr.c
---- old/gss-genr.c
-+++ new/gss-genr.c
+diff -rupN old/canohost.c new/canohost.c
+--- old/canohost.c	2016-09-21 19:40:20.295936952 -0700
++++ new/canohost.c	2016-09-21 19:25:47.908930173 -0700
[email protected]@ -202,3 +202,97 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++/* Oracle Solaris - moved out of auth.c for use in GSSKEX in sshconnect2.c */
++char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) < 0) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return strdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return strdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return strdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return strdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return strdup(ntop);
++	}
++	return strdup(name);
++}
+diff -rupN old/canohost.h new/canohost.h
+--- old/canohost.h	2016-09-21 19:40:20.298804941 -0700
++++ new/canohost.h	2016-09-21 19:25:47.335129267 -0700
[email protected]@ -21,6 +21,9 @@ char		*get_local_ipaddr(int);
+ char		*get_local_name(int);
+ int		get_local_port(int);
+ 
++#include "packet.h"
++char		*remote_hostname(struct ssh *);
++
+ #endif /* _CANOHOST_H */
+ 
+ void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
+diff -rupN old/gss-genr.c new/gss-genr.c
+--- old/gss-genr.c	2016-09-21 19:40:20.301650203 -0700
++++ new/gss-genr.c	2016-09-21 19:25:47.301737088 -0700
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
  
@@ -341,9 +570,9 @@
  		ssh_gssapi_delete_ctx(ctx);
  
  	return (!GSS_ERROR(major));
-diff -pur old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c
-+++ new/gss-serv.c
+diff -rupN old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c	2016-09-21 19:40:20.304525100 -0700
++++ new/gss-serv.c	2016-09-21 19:25:47.229908522 -0700
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
  
@@ -416,10 +645,10 @@
 -}
 -
  #endif
-diff -pur old/kex.c new/kex.c
---- old/kex.c
-+++ new/kex.c
[email protected]@ -54,6 +54,10 @@
+diff -rupN old/kex.c new/kex.c
+--- old/kex.c	2016-09-21 19:40:20.307412118 -0700
++++ new/kex.c	2016-09-21 19:25:47.559276736 -0700
[email protected]@ -55,6 +55,10 @@
  #include "sshbuf.h"
  #include "digest.h"
  
@@ -430,7 +659,7 @@
  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
  # if defined(HAVE_EVP_SHA256)
  # define evp_ssh_sha256 EVP_sha256
[email protected]@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
[email protected]@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
  #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
  	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@@ -442,7 +671,7 @@
  	{ NULL, -1, -1, -1},
  };
  
[email protected]@ -138,7 +147,7 @@ kex_alg_by_name(const char *name)
[email protected]@ -142,7 +151,7 @@ kex_alg_by_name(const char *name)
  	const struct kexalg *k;
  
  	for (k = kexalgs; k->name != NULL; k++) {
@@ -451,10 +680,10 @@
  			return k;
  	}
  	return NULL;
-diff -pur old/kex.h new/kex.h
---- old/kex.h
-+++ new/kex.h
[email protected]@ -92,6 +92,9 @@ enum kex_exchange {
+diff -rupN old/kex.h new/kex.h
+--- old/kex.h	2016-09-21 19:40:20.310245128 -0700
++++ new/kex.h	2016-09-21 19:25:47.142516186 -0700
[email protected]@ -98,6 +98,9 @@ enum kex_exchange {
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
  	KEX_C25519_SHA256,
@@ -464,7 +693,7 @@
  	KEX_MAX
  };
  
[email protected]@ -140,6 +143,10 @@ struct kex {
[email protected]@ -146,6 +149,10 @@ struct kex {
  	u_int	flags;
  	int	hash_alg;
  	int	ec_nid;
@@ -475,7 +704,7 @@
  	char	*client_version_string;
  	char	*server_version_string;
  	char	*failed_choice;
[email protected]@ -189,6 +196,10 @@ int	 kexecdh_client(struct ssh *);
[email protected]@ -195,6 +202,10 @@ int	 kexecdh_client(struct ssh *);
  int	 kexecdh_server(struct ssh *);
  int	 kexc25519_client(struct ssh *);
  int	 kexc25519_server(struct ssh *);
@@ -484,12 +713,12 @@
 +int	 kexgss_server(struct ssh *);
 +#endif
  
- int	 kex_dh_hash(const char *, const char *,
+ int	 kex_dh_hash(int, const char *, const char *,
      const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -pur old/monitor.c new/monitor.c
---- old/monitor.c
-+++ new/monitor.c
[email protected]@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
+diff -rupN old/monitor.c new/monitor.c
+--- old/monitor.c	2016-09-21 19:40:20.313190151 -0700
++++ new/monitor.c	2016-09-21 19:25:47.525137447 -0700
[email protected]@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer 
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -497,7 +726,7 @@
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
[email protected]@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[]
[email protected]@ -245,11 +246,17 @@ struct mon_table mon_dispatch_proto20[] 
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -515,7 +744,7 @@
  #ifdef WITH_OPENSSL
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  #endif
[email protected]@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx
[email protected]@ -364,6 +371,10 @@ monitor_child_preauth(Authctxt *_authctx
  		/* Permit requests for moduli and signatures */
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -526,7 +755,7 @@
  	} else {
  		mon_dispatch = mon_dispatch_proto15;
  
[email protected]@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p
[email protected]@ -503,6 +514,10 @@ monitor_child_postauth(struct monitor *p
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -537,7 +766,7 @@
  	} else {
  		mon_dispatch = mon_dispatch_postauth15;
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
[email protected]@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p
[email protected]@ -1939,6 +1954,13 @@ monitor_apply_keystate(struct monitor *p
  # endif
  #endif /* WITH_OPENSSL */
  		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -551,7 +780,7 @@
  		kex->load_host_public_key=&get_hostkey_public_by_type;
  		kex->load_host_private_key=&get_hostkey_private_by_type;
  		kex->host_key_index=&get_hostkey_index;
[email protected]@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
[email protected]@ -2038,6 +2060,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
  	OM_uint32 major;
  	u_int len;
  
@@ -561,7 +790,7 @@
  	goid.elements = buffer_get_string(m, &len);
  	goid.length = len;
  
[email protected]@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
[email protected]@ -2065,6 +2090,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  	OM_uint32 flags = 0; /* GSI needs this */
  	u_int len;
  
@@ -571,7 +800,7 @@
  	in.value = buffer_get_string(m, &len);
  	in.length = len;
  	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
[email protected]@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
[email protected]@ -2082,6 +2110,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -579,7 +808,7 @@
  	}
  	return (0);
  }
[email protected]@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer
[email protected]@ -2093,6 +2122,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
  	OM_uint32 ret;
  	u_int len;
  
@@ -589,7 +818,7 @@
  	gssbuf.value = buffer_get_string(m, &len);
  	gssbuf.length = len;
  	mic.value = buffer_get_string(m, &len);
[email protected]@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m
[email protected]@ -2119,6 +2151,9 @@ mm_answer_gss_userok(int sock, Buffer *m
  {
  	int authenticated;
  
@@ -599,7 +828,7 @@
  	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
  
  	buffer_clear(m);
[email protected]@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m
[email protected]@ -2132,5 +2167,47 @@ mm_answer_gss_userok(int sock, Buffer *m
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
  }
@@ -647,9 +876,9 @@
 +
  #endif /* GSSAPI */
  
-diff -pur old/monitor.h new/monitor.h
---- old/monitor.h
-+++ new/monitor.h
+diff -rupN old/monitor.h new/monitor.h
+--- old/monitor.h	2016-09-21 19:40:20.316049455 -0700
++++ new/monitor.h	2016-09-21 19:25:47.113344203 -0700
 @@ -68,6 +68,9 @@ enum monitor_reqtype {
  #ifdef PAM_ENHANCEMENT
          MONITOR_REQ_AUTHMETHOD = 114,
@@ -660,10 +889,10 @@
  };
  
  struct mm_master;
-diff -pur old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c
-+++ new/monitor_wrap.c
[email protected]@ -1103,5 +1103,28 @@ mm_ssh_gssapi_userok(char *user)
+diff -rupN old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c	2016-09-21 19:40:20.318913737 -0700
++++ new/monitor_wrap.c	2016-09-21 19:25:47.668505812 -0700
[email protected]@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
  	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
  	return (authenticated);
  }
@@ -692,10 +921,10 @@
 +
  #endif /* GSSAPI */
  
-diff -pur old/monitor_wrap.h new/monitor_wrap.h
---- old/monitor_wrap.h
-+++ new/monitor_wrap.h
[email protected]@ -60,6 +60,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
+diff -rupN old/monitor_wrap.h new/monitor_wrap.h
+--- old/monitor_wrap.h	2016-09-21 19:40:20.321783476 -0700
++++ new/monitor_wrap.h	2016-09-21 19:25:47.026452744 -0700
[email protected]@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
  int mm_ssh_gssapi_userok(char *user);
  OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
@@ -703,10 +932,10 @@
  #endif
  
  #ifdef USE_PAM
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c
-+++ new/readconf.c
[email protected]@ -148,6 +148,7 @@ typedef enum {
+diff -rupN old/readconf.c new/readconf.c
+--- old/readconf.c	2016-09-21 19:40:20.324827120 -0700
++++ new/readconf.c	2016-09-21 19:25:47.885753634 -0700
[email protected]@ -160,6 +160,7 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -714,7 +943,7 @@
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
[email protected]@ -199,11 +200,15 @@ static struct {
[email protected]@ -211,11 +212,15 @@ static struct {
  	{ "gssauthentication", oGssAuthentication },                /* alias */
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
  	{ "gssdelegatecreds", oGssDelegateCreds },                  /* alias */
@@ -730,7 +959,7 @@
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
[email protected]@ -965,6 +970,10 @@ parse_time:
[email protected]@ -1002,6 +1007,10 @@ parse_time:
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -741,7 +970,7 @@
  	case oGssDelegateCreds:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
[email protected]@ -1694,6 +1703,7 @@ initialize_options(Options * options)
[email protected]@ -1824,6 +1833,7 @@ initialize_options(Options * options)
  	options->pubkey_authentication = -1;
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
@@ -749,7 +978,7 @@
  	options->gss_deleg_creds = -1;
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
[email protected]@ -1834,6 +1844,12 @@ fill_default_options(Options * options)
[email protected]@ -1979,6 +1989,12 @@ fill_default_options(Options * options)
  #else
  		options->gss_authentication = 0;
  #endif
@@ -762,9 +991,9 @@
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
  	if (options->password_authentication == -1)
-diff -pur old/readconf.h new/readconf.h
---- old/readconf.h
-+++ new/readconf.h
+diff -rupN old/readconf.h new/readconf.h
+--- old/readconf.h	2016-09-21 19:40:20.327689956 -0700
++++ new/readconf.h	2016-09-21 19:25:47.449284716 -0700
 @@ -45,6 +45,7 @@ typedef struct {
  	int     challenge_response_authentication;
  					/* Try S/Key or TIS, authentication. */
@@ -773,10 +1002,10 @@
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
  	int     password_authentication;	/* Try password
  						 * authentication. */
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c
-+++ new/servconf.c
[email protected]@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
+diff -rupN old/servconf.c new/servconf.c
+--- old/servconf.c	2016-09-21 19:40:20.330699306 -0700
++++ new/servconf.c	2016-09-21 19:25:47.054209571 -0700
[email protected]@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
  	options->kerberos_ticket_cleanup = -1;
  	options->kerberos_get_afs_token = -1;
  	options->gss_authentication=-1;
@@ -797,7 +1026,7 @@
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
  	if (options->gss_strict_acceptor == -1)
[email protected]@ -449,6 +456,7 @@ typedef enum {
[email protected]@ -457,6 +464,7 @@ typedef enum {
  	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
  	sHostKeyAlgorithms,
  	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -805,7 +1034,7 @@
  	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
  	sAcceptEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
[email protected]@ -526,6 +534,8 @@ static struct {
[email protected]@ -534,6 +542,8 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
@@ -814,7 +1043,7 @@
  #ifdef USE_GSS_STORE_CRED
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
  #else /* USE_GSS_STORE_CRED */
[email protected]@ -535,6 +545,8 @@ static struct {
[email protected]@ -543,6 +553,8 @@ static struct {
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */
@@ -823,7 +1052,7 @@
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
  #endif
[email protected]@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions
[email protected]@ -1328,6 +1340,10 @@ process_server_config_line(ServerOptions
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -834,7 +1063,7 @@
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
[email protected]@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o)
[email protected]@ -2416,6 +2432,7 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
  	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -842,9 +1071,9 @@
  #ifndef USE_GSS_STORE_CRED
  	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
  #endif /* !USE_GSS_STORE_CRED */
-diff -pur old/servconf.h new/servconf.h
---- old/servconf.h
-+++ new/servconf.h
+diff -rupN old/servconf.h new/servconf.h
+--- old/servconf.h	2016-09-21 19:40:20.333544958 -0700
++++ new/servconf.h	2016-09-21 19:25:47.739063955 -0700
 @@ -122,6 +122,7 @@ typedef struct {
  	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
  						 * authenticated with Kerberos. */
@@ -853,9 +1082,9 @@
  	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
  	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
  	int     password_authentication;	/* If true, permit password
-diff -pur old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h
-+++ new/ssh-gss.h
+diff -rupN old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h	2016-09-21 19:40:20.336386442 -0700
++++ new/ssh-gss.h	2016-09-21 19:25:47.600702960 -0700
 @@ -61,6 +61,17 @@
  
  #define SSH_GSS_OIDTYPE 0x06
@@ -903,9 +1132,9 @@
  #endif /* GSSAPI */
  
  #endif /* _SSH_GSS_H */
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
+diff -rupN old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5	2016-09-21 19:40:20.339307715 -0700
++++ new/ssh_config.5	2016-09-21 19:25:47.188814608 -0700
 @@ -834,6 +834,12 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
@@ -919,10 +1148,10 @@
  .It Cm GSSAPIDelegateCredentials
  Forward (delegate) credentials to the server.
  The default is
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c
-+++ new/sshconnect2.c
[email protected]@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho
+diff -rupN old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c	2016-09-21 19:40:20.342249196 -0700
++++ new/sshconnect2.c	2016-09-21 19:25:47.810679787 -0700
[email protected]@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho
  	char *s;
  	struct kex *kex;
  	int r;
@@ -944,7 +1173,7 @@
 +		 * client to the key exchange algorithm proposal */
 +		orig = myproposal[PROPOSAL_KEX_ALGS];
 +
-+		gss_host = (char *)get_canonical_hostname(1);
++		gss_host = (char *)remote_hostname(active_state);
 +
 +		gss = ssh_gssapi_client_mechanisms(gss_host);
 +		if (gss) {
@@ -959,7 +1188,7 @@
  		fatal("%s: kex_names_cat", __func__);
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
[email protected]@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
[email protected]@ -196,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
  		    order_hostkeyalgs(host, hostaddr, port));
  	}
  
@@ -1020,7 +1249,7 @@
  	{"gssapi-with-mic",
  		userauth_gssapi,
  		NULL,
[email protected]@ -678,7 +732,10 @@ userauth_gssapi(Authctxt *authctxt)
[email protected]@ -672,7 +726,10 @@ userauth_gssapi(Authctxt *authctxt)
  	 * once. */
  
  	if (gss_supported == NULL)
@@ -1032,7 +1261,7 @@
  
  	/* Check to see if the mechanism is usable before we offer it */
  	while (mech < gss_supported->count && !ok) {
[email protected]@ -782,8 +839,8 @@ input_gssapi_response(int type, u_int32_
[email protected]@ -776,8 +833,8 @@ input_gssapi_response(int type, u_int32_
  {
  	Authctxt *authctxt = ctxt;
  	Gssctxt *gssctxt;
@@ -1043,7 +1272,7 @@
  
  	if (authctxt == NULL)
  		fatal("input_gssapi_response: no authentication context");
[email protected]@ -896,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
[email protected]@ -890,6 +947,48 @@ input_gssapi_error(int type, u_int32_t p
  	free(lang);
  	return 0;
  }
@@ -1092,10 +1321,10 @@
  #endif /* GSSAPI */
  
  int
-diff -pur old/sshd.c new/sshd.c
---- old/sshd.c
-+++ new/sshd.c
[email protected]@ -1833,10 +1833,13 @@ main(int ac, char **av)
+diff -rupN old/sshd.c new/sshd.c
+--- old/sshd.c	2016-09-21 19:40:20.345291027 -0700
++++ new/sshd.c	2016-09-21 19:25:47.376369649 -0700
[email protected]@ -1892,10 +1892,13 @@ main(int ac, char **av)
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
  	}
@@ -1109,7 +1338,7 @@
  	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  		logit("sshd: no hostkeys available -- exiting.");
  		exit(1);
[email protected]@ -2596,6 +2599,48 @@ do_ssh2_kex(void)
[email protected]@ -2656,6 +2659,48 @@ do_ssh2_kex(void)
  	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
  	    list_hostkey_types());
  
@@ -1158,7 +1387,7 @@
  	/* start key exchange */
  	if ((r = kex_setup(active_state, myproposal)) != 0)
  		fatal("kex_setup: %s", ssh_err(r));
[email protected]@ -2610,6 +2655,13 @@ do_ssh2_kex(void)
[email protected]@ -2673,6 +2718,13 @@ do_ssh2_kex(void)
  # endif
  #endif
  	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1172,10 +1401,10 @@
  	kex->server = 1;
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
[email protected]@ -623,6 +623,11 @@ The default is
+diff -rupN old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5	2016-09-21 19:40:20.348225013 -0700
++++ new/sshd_config.5	2016-09-21 19:25:47.433470021 -0700
[email protected]@ -632,6 +632,11 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default on Solaris is
  .Dq yes .
@@ -1187,9 +1416,9 @@
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
-diff -pur old/sshkey.c new/sshkey.c
---- old/sshkey.c
-+++ new/sshkey.c
+diff -rupN old/sshkey.c new/sshkey.c
+--- old/sshkey.c	2016-09-21 19:40:20.351243462 -0700
++++ new/sshkey.c	2016-09-21 19:25:47.271519675 -0700
 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
@@ -1198,9 +1427,9 @@
  	{ NULL, NULL, -1, -1, 0, 0 }
  };
  
-diff -pur old/sshkey.h new/sshkey.h
---- old/sshkey.h
-+++ new/sshkey.h
+diff -rupN old/sshkey.h new/sshkey.h
+--- old/sshkey.h	2016-09-21 19:40:20.354147713 -0700
++++ new/sshkey.h	2016-09-21 19:25:47.934179627 -0700
 @@ -62,6 +62,7 @@ enum sshkey_types {
  	KEY_DSA_CERT,
  	KEY_ECDSA_CERT,
--- a/components/openssh/patches/033-without_cast128.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/033-without_cast128.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -12,26 +12,16 @@
 # relevant ssh implementations also provide several more common encryption
 # algorithms (aes256-ctr, aes128-cbc, ...) on top of cast128-cbc.
 #
+# Update Aug 29, 2016:
+# This used to be implemented by Solaris specific macro WITHOUT_CAST,
+# but now upstream OPENSSL_NO_CAST is used instead. This patch now just
+# removes cast references from manpages.
+#
 # This is a Solaris specific patch and it is not likely to be accepted upstream.
 #
-diff -pur old/cipher.c new/cipher.c
---- old/cipher.c
-+++ new/cipher.c
[email protected]@ -88,8 +88,10 @@ static const struct sshcipher ciphers[]
- 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
- 	{ "blowfish-cbc",
- 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-+#ifndef WITHOUT_CAST128
- 	{ "cast128-cbc",
- 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
-+#endif
- 	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
- 	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
- 	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
[email protected]@ -478,8 +478,6 @@ arcfour256
+--- orig/ssh_config.5	Mon Aug 15 17:22:20 2016
++++ new/ssh_config.5	Mon Aug 15 17:25:28 2016
[email protected]@ -478,8 +478,6 @@
  .It
  blowfish-cbc
  .It
@@ -40,10 +30,20 @@
  [email protected]
  .El
  .Pp
-diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8
-+++ new/sshd.8
[email protected]@ -307,7 +307,7 @@ For protocol 2,
+--- orig/sshd_config.5	Mon Aug 15 17:22:29 2016
++++ new/sshd_config.5	Mon Aug 15 17:25:58 2016
[email protected]@ -479,8 +479,6 @@
+ .It
+ blowfish-cbc
+ .It
+-cast128-cbc
+-.It
+ [email protected]
+ .El
+ .Pp
+--- orig/sshd.8	Mon Aug 15 17:22:36 2016
++++ new/sshd.8	Mon Aug 15 17:26:48 2016
[email protected]@ -307,7 +307,7 @@
  forward security is provided through a Diffie-Hellman key agreement.
  This key agreement results in a shared session key.
  The rest of the session is encrypted using a symmetric cipher, currently
@@ -52,15 +52,3 @@
  The client selects the encryption algorithm
  to use from those offered by the server.
  Additionally, session integrity is provided
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
[email protected]@ -472,8 +472,6 @@ arcfour256
- .It
- blowfish-cbc
- .It
--cast128-cbc
--.It
- [email protected]
- .El
- .Pp
--- a/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -8,9 +8,10 @@
 # In the future, if this fix is accepted by the upsteam in a later release, we
 # will remove this patch when we upgrade to that release.
 #
---- a/canohost.c	Sun Oct 25 20:11:35 2015
-+++ b/canohost.c	Sun Oct 25 20:11:57 2015
[email protected]@ -113,6 +113,10 @@
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
[email protected]@ -274,6 +274,10 @@ remote_hostname(struct ssh *ssh)
  	memset(&hints, 0, sizeof(hints));
  	hints.ai_family = from.ss_family;
  	hints.ai_socktype = SOCK_STREAM;
@@ -20,10 +21,11 @@
 +#endif /* AI_ADDRCONFIG */
  	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
  		logit("reverse mapping checking getaddrinfo for %.700s "
- 		    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
---- a/channels.c	Sun Oct 25 19:30:33 2015
-+++ b/channels.c	Sun Oct 25 19:54:36 2015
[email protected]@ -2853,8 +2853,12 @@
+ 		    "[%s] failed.", name, ntop);
+diff -pur old/channels.c new/channels.c
+--- old/channels.c
++++ new/channels.c
[email protected]@ -2856,8 +2856,12 @@ channel_setup_fwd_listener_tcpip(int typ
  	 */
  	memset(&hints, 0, sizeof(hints));
  	hints.ai_family = IPv4or6;
@@ -37,7 +39,7 @@
  	snprintf(strport, sizeof strport, "%d", fwd->listen_port);
  	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
  		if (addr == NULL) {
[email protected]@ -3736,6 +3740,10 @@
[email protected]@ -3740,6 +3744,10 @@ connect_to(const char *name, int port, c
  		memset(&hints, 0, sizeof(hints));
  		hints.ai_family = IPv4or6;
  		hints.ai_socktype = SOCK_STREAM;
@@ -48,7 +50,7 @@
  		snprintf(strport, sizeof strport, "%d", port);
  		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
  			error("connect_to %.100s: unknown host (%s)", name,
[email protected]@ -3908,8 +3916,12 @@
[email protected]@ -3912,8 +3920,12 @@ x11_create_display_inet(int x11_display_
  		port = 6000 + display_number;
  		memset(&hints, 0, sizeof(hints));
  		hints.ai_family = IPv4or6;
@@ -62,7 +64,7 @@
  		snprintf(strport, sizeof strport, "%d", port);
  		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
  			error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
[email protected]@ -4090,6 +4102,10 @@
[email protected]@ -4094,6 +4106,10 @@ x11_connect_display(void)
  	memset(&hints, 0, sizeof(hints));
  	hints.ai_family = IPv4or6;
  	hints.ai_socktype = SOCK_STREAM;
@@ -73,72 +75,10 @@
  	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
  	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
  		error("%.100s: unknown host. (%s)", buf,
---- a/servconf.c	Sun Oct 25 19:39:38 2015
-+++ b/servconf.c	Sun Oct 25 19:45:16 2015
[email protected]@ -722,6 +722,10 @@
- 	hints.ai_family = options->address_family;
- 	hints.ai_socktype = SOCK_STREAM;
- 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-+#ifdef AI_ADDRCONFIG
-+	if (hints.ai_family == AF_UNSPEC)
-+		hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- 	snprintf(strport, sizeof strport, "%d", port);
- 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
- 		fatal("bad addr or host: %s (%s)",
---- a/ssh-keyscan.c	Sun Oct 25 19:46:28 2015
-+++ b/ssh-keyscan.c	Sun Oct 25 19:54:55 2015
[email protected]@ -326,6 +326,10 @@
- 	memset(&hints, 0, sizeof(hints));
- 	hints.ai_family = IPv4or6;
- 	hints.ai_socktype = SOCK_STREAM;
-+#ifdef AI_ADDRCONFIG
-+	if (hints.ai_family == AF_UNSPEC)
-+		hints.ai_flags = AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
- 		error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
- 		return -1;
---- a/ssh.c	Sun Oct 25 19:49:46 2015
-+++ b/ssh.c	Sun Oct 25 19:55:15 2015
[email protected]@ -259,6 +259,10 @@
- 	hints.ai_socktype = SOCK_STREAM;
- 	if (cname != NULL)
- 		hints.ai_flags = AI_CANONNAME;
-+#ifdef AI_ADDRCONFIG
-+	if (hints.ai_family == AF_UNSPEC)
-+		hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- 		if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
- 			loglevel = SYSLOG_LEVEL_ERROR;
[email protected]@ -298,6 +302,10 @@
- 	    AF_UNSPEC : options.address_family;
- 	hints.ai_socktype = SOCK_STREAM;
- 	hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
-+#ifdef AI_ADDRCONFIG
-+	if (hints.ai_family == AF_UNSPEC)
-+		hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- 		debug2("%s: could not resolve name %.100s as address: %s",
- 		    __func__, name, ssh_gai_strerror(gaierr));
---- a/sshconnect.c	Sun Oct 25 19:57:46 2015
-+++ b/sshconnect.c	Sun Oct 25 19:58:19 2015
[email protected]@ -292,6 +292,10 @@
- 		hints.ai_socktype = ai->ai_socktype;
- 		hints.ai_protocol = ai->ai_protocol;
- 		hints.ai_flags = AI_PASSIVE;
-+#ifdef AI_ADDRCONFIG
-+		if (hints.ai_family == AF_UNSPEC)
-+			hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- 		gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
- 		if (gaierr) {
- 			error("getaddrinfo: %s: %s", options.bind_address,
---- a/regress/netcat.c	Sun Oct 25 19:59:44 2015
-+++ b/regress/netcat.c	Sun Oct 25 20:07:05 2015
[email protected]@ -371,6 +371,10 @@
+diff -pur old/regress/netcat.c new/regress/netcat.c
+--- old/regress/netcat.c
++++ new/regress/netcat.c
[email protected]@ -334,6 +334,10 @@ main(int argc, char *argv[])
  		hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
  		if (nflag)
  			hints.ai_flags |= AI_NUMERICHOST;
@@ -149,7 +89,7 @@
  	}
  
  	if (xflag) {
[email protected]@ -399,6 +403,10 @@
[email protected]@ -362,6 +366,10 @@ main(int argc, char *argv[])
  		proxyhints.ai_protocol = IPPROTO_TCP;
  		if (nflag)
  			proxyhints.ai_flags |= AI_NUMERICHOST;
@@ -160,7 +100,7 @@
  	}
  
  	if (lflag) {
[email protected]@ -673,6 +681,10 @@
[email protected]@ -636,6 +644,10 @@ remote_connect(const char *host, const c
  			ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
  			ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
  			ahints.ai_flags = AI_PASSIVE;
@@ -171,7 +111,7 @@
  			if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
  				errx(1, "getaddrinfo: %s", gai_strerror(error));
  
[email protected]@ -1422,8 +1434,12 @@
[email protected]@ -1385,8 +1397,12 @@ decode_addrport(const char *h, const cha
  
  	bzero(&hints, sizeof(hints));
  	hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
@@ -185,3 +125,70 @@
  	r = getaddrinfo(h, p, &hints, &res);
  	/* Don't fatal when attempting to convert a numeric address */
  	if (r != 0) {
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
[email protected]@ -735,6 +735,10 @@ add_one_listen_addr(ServerOptions *optio
+ 	hints.ai_family = options->address_family;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++#ifdef AI_ADDRCONFIG
++        if (hints.ai_family == AF_UNSPEC)
++                hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	snprintf(strport, sizeof strport, "%d", port);
+ 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+ 		fatal("bad addr or host: %s (%s)",
+diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
+--- old/ssh-keyscan.c
++++ new/ssh-keyscan.c
[email protected]@ -365,6 +365,10 @@ tcpconnect(char *host)
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_family = IPv4or6;
+ 	hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+ 		error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
+ 		return -1;
+diff -pur old/ssh.c new/ssh.c
+--- old/ssh.c
++++ new/ssh.c
[email protected]@ -254,6 +254,10 @@ resolve_host(const char *name, int port,
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	if (cname != NULL)
+ 		hints.ai_flags = AI_CANONNAME;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ 		if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
+ 			loglevel = SYSLOG_LEVEL_ERROR;
[email protected]@ -293,6 +297,10 @@ resolve_addr(const char *name, int port,
+ 	    AF_UNSPEC : options.address_family;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
++#ifdef AI_ADDRCONFIG
++	if (hints.ai_family == AF_UNSPEC)
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ 		debug2("%s: could not resolve name %.100s as address: %s",
+ 		    __func__, name, ssh_gai_strerror(gaierr));
+diff -pur old/sshconnect.c new/sshconnect.c
+--- old/sshconnect.c
++++ new/sshconnect.c
[email protected]@ -293,6 +293,10 @@ ssh_create_socket(int privileged, struct
+ 		hints.ai_socktype = ai->ai_socktype;
+ 		hints.ai_protocol = ai->ai_protocol;
+ 		hints.ai_flags = AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		if (hints.ai_family == AF_UNSPEC)
++			hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ 		gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ 		if (gaierr) {
+ 			error("getaddrinfo: %s: %s", options.bind_address,
--- a/components/openssh/patches/035-fips.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/035-fips.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -45,7 +45,15 @@
 diff -pur old/digest-openssl.c new/digest-openssl.c
 --- old/digest-openssl.c
 +++ new/digest-openssl.c
[email protected]@ -53,8 +53,22 @@ struct ssh_digest {
[email protected]@ -31,6 +31,7 @@
+ #include "sshbuf.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "misc.h"
+ 
+ #ifndef HAVE_EVP_RIPEMD160
+ # define EVP_ripemd160 NULL
[email protected]@ -53,8 +54,22 @@ struct ssh_digest {
  	const EVP_MD *(*mdfunc)(void);
  };
  
@@ -68,7 +76,7 @@
  	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
  	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
  	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
[email protected]@ -67,6 +81,9 @@ const struct ssh_digest digests[] = {
[email protected]@ -67,6 +82,9 @@ const struct ssh_digest digests[] = {
  static const struct ssh_digest *
  ssh_digest_by_alg(int alg)
  {
@@ -78,7 +86,7 @@
  	if (alg < 0 || alg >= SSH_DIGEST_MAX)
  		return NULL;
  	if (digests[alg].id != alg) /* sanity */
[email protected]@ -79,6 +96,9 @@ ssh_digest_by_alg(int alg)
[email protected]@ -79,6 +97,9 @@ ssh_digest_by_alg(int alg)
  int
  ssh_digest_alg_by_name(const char *name)
  {
@@ -91,7 +99,15 @@
 diff -pur old/gss-genr.c new/gss-genr.c
 --- old/gss-genr.c
 +++ new/gss-genr.c
[email protected]@ -100,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
[email protected]@ -44,6 +44,7 @@
+ #include "cipher.h"
+ #include "key.h"
+ #include "kex.h"
++#include "misc.h"
+ #include <openssl/evp.h>
+ 
+ #include "ssh-gss.h"
[email protected]@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
  	char deroid[2];
  	const EVP_MD *evp_md = EVP_md5();
  	EVP_MD_CTX md;
@@ -99,7 +115,7 @@
  
  	if (gss_enc2oid != NULL) {
  		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
[email protected]@ -112,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
[email protected]@ -112,6 +114,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
  
  	buffer_init(&buf);
  
@@ -114,7 +130,7 @@
  	oidpos = 0;
  	for (i = 0; i < gss_supported->count; i++) {
  		if (gss_supported->elements[i].length < 128 &&
[email protected]@ -119,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
[email protected]@ -119,7 +129,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
  
  			deroid[0] = SSH_GSS_OIDTYPE;
  			deroid[1] = gss_supported->elements[i].length;
@@ -122,7 +138,7 @@
  			EVP_DigestInit(&md, evp_md);
  			EVP_DigestUpdate(&md, deroid, 2);
  			EVP_DigestUpdate(&md,
[email protected]@ -151,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
[email protected]@ -151,6 +160,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
  			oidpos++;
  		}
  	}
@@ -138,7 +154,7 @@
 diff -pur old/kex.c new/kex.c
 --- old/kex.c
 +++ new/kex.c
[email protected]@ -89,7 +89,40 @@ struct kexalg {
[email protected]@ -90,7 +90,43 @@ struct kexalg {
  	int ec_nid;
  	int hash_alg;
  };
@@ -149,7 +165,10 @@
 +static const struct kexalg kexalgs_fips[] = {
 +#ifdef WITH_OPENSSL
 +	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
++	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
++	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
 +	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 +#ifdef HAVE_EVP_SHA256
 +	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
@@ -178,7 +197,7 @@
 +#endif 
  #ifdef WITH_OPENSSL
  	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
- 	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 diff -pur old/mac.c new/mac.c
 --- old/mac.c
 +++ new/mac.c
@@ -219,7 +238,7 @@
 diff -pur old/misc.c new/misc.c
 --- old/misc.c
 +++ new/misc.c
[email protected]@ -39,12 +39,15 @@
[email protected]@ -39,12 +39,16 @@
  #include <string.h>
  #include <time.h>
  #include <unistd.h>
@@ -231,11 +250,12 @@
  #include <netinet/tcp.h>
  
 +#include <openssl/crypto.h>
++#include <openssl/err.h>
 +
  #include <ctype.h>
  #include <errno.h>
  #include <fcntl.h>
[email protected]@ -78,6 +81,60 @@ chop(char *s)
[email protected]@ -78,6 +82,60 @@ chop(char *s)
  
  }
  
@@ -299,7 +319,7 @@
 diff -pur old/misc.h new/misc.h
 --- old/misc.h
 +++ new/misc.h
[email protected]@ -38,6 +38,11 @@ struct ForwardOptions {
[email protected]@ -40,6 +40,11 @@ struct ForwardOptions {
  
  char	*chop(char *);
  char	*strdelim(char **);
@@ -314,7 +334,7 @@
 diff -pur old/myproposal.h new/myproposal.h
 --- old/myproposal.h
 +++ new/myproposal.h
[email protected]@ -83,19 +83,31 @@
[email protected]@ -88,21 +88,33 @@
  # else
  #  define KEX_CURVE25519_METHODS ""
  # endif
@@ -323,21 +343,23 @@
 +#define KEX_COMMON_KEX_DFLT \
  	KEX_CURVE25519_METHODS \
  	KEX_ECDH_METHODS \
- 	KEX_SHA256_METHODS
+ 	KEX_SHA2_METHODS
  
 -#define KEX_SERVER_KEX KEX_COMMON_KEX \
 +#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
+ 	KEX_SHA2_GROUP14 \
  	"diffie-hellman-group14-sha1" \
  
 -#define KEX_CLIENT_KEX KEX_COMMON_KEX \
 +#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
  	"diffie-hellman-group-exchange-sha1," \
+ 	KEX_SHA2_GROUP14 \
  	"diffie-hellman-group14-sha1"
  
 -#define	KEX_DEFAULT_PK_ALG	\
 +#define KEX_COMMON_KEX_FIPS \
 +	KEX_ECDH_METHODS \
-+	KEX_SHA256_METHODS
++	KEX_SHA2_METHODS
 +
 +#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
 +	"diffie-hellman-group14-sha1" \
@@ -350,7 +372,7 @@
  	HOSTKEY_ECDSA_CERT_METHODS \
  	"[email protected]," \
  	"[email protected]," \
[email protected]@ -105,17 +117,32 @@
[email protected]@ -112,17 +124,32 @@
  	"rsa-sha2-256," \
  	"ssh-rsa"
  
@@ -386,7 +408,7 @@
  	"[email protected]," \
  	"[email protected]," \
  	"[email protected]," \
[email protected]@ -127,7 +154,42 @@
[email protected]@ -134,7 +161,42 @@
  	"hmac-sha2-512," \
  	"hmac-sha1"
  
@@ -473,7 +495,7 @@
 diff -pur old/ssh-agent.c new/ssh-agent.c
 --- old/ssh-agent.c
 +++ new/ssh-agent.c
[email protected]@ -1199,6 +1199,7 @@ main(int ac, char **av)
[email protected]@ -1196,6 +1196,7 @@ main(int ac, char **av)
  	struct timeval *tvp = NULL;
  	size_t len;
  	mode_t prev_mask;
@@ -481,9 +503,9 @@
  
  	ssh_malloc_init();	/* must be called before any mallocs */
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
[email protected]@ -1213,6 +1214,9 @@ main(int ac, char **av)
- 	prctl(PR_SET_DUMPABLE, 0);
- #endif
[email protected]@ -1207,6 +1208,9 @@ main(int ac, char **av)
+ 
+ 	platform_disable_tracing(0);	/* strict=no */
  
 +#ifdef ENABLE_OPENSSL_FIPS
 +	fips_err = ssh_FIPS_mode_set_if_capable();
@@ -491,7 +513,7 @@
  #ifdef WITH_OPENSSL
  	OpenSSL_add_all_algorithms();
  #endif
[email protected]@ -1343,8 +1347,19 @@ main(int ac, char **av)
[email protected]@ -1337,8 +1341,19 @@ main(int ac, char **av)
  		printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
  		    SSH_AUTHSOCKET_ENV_NAME);
  		printf("echo Agent pid %ld;\n", (long)parent_pid);
@@ -514,7 +536,7 @@
 diff -pur old/ssh-keygen.1 new/ssh-keygen.1
 --- old/ssh-keygen.1
 +++ new/ssh-keygen.1
[email protected]@ -283,6 +283,8 @@ and
[email protected]@ -284,6 +284,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -526,7 +548,7 @@
 diff -pur old/ssh-keygen.c new/ssh-keygen.c
 --- old/ssh-keygen.c
 +++ new/ssh-keygen.c
[email protected]@ -2267,11 +2267,18 @@ main(int argc, char **argv)
[email protected]@ -2273,11 +2273,18 @@ main(int argc, char **argv)
  
  	__progname = ssh_get_progname(argv[0]);
  
@@ -576,7 +598,7 @@
 diff -pur old/ssh.1 new/ssh.1
 --- old/ssh.1
 +++ new/ssh.1
[email protected]@ -91,6 +91,9 @@ If
[email protected]@ -92,6 +92,9 @@ If
  is specified,
  it is executed on the remote host instead of a login shell.
  .Pp
@@ -589,7 +611,7 @@
 diff -pur old/ssh.c new/ssh.c
 --- old/ssh.c
 +++ new/ssh.c
[email protected]@ -606,6 +606,11 @@ main(int ac, char **av)
[email protected]@ -609,6 +609,11 @@ main(int ac, char **av)
  	 */
  	initialize_options(&options);
  
@@ -601,7 +623,7 @@
  	/* Parse command-line arguments. */
  	host = NULL;
  	use_syslog = 0;
[email protected]@ -1016,6 +1021,10 @@ main(int ac, char **av)
[email protected]@ -1028,6 +1033,10 @@ main(int ac, char **av)
  #endif
  		);
  
@@ -615,7 +637,7 @@
 diff -pur old/ssh_api.c new/ssh_api.c
 --- old/ssh_api.c
 +++ new/ssh_api.c
[email protected]@ -81,6 +81,10 @@ ssh_init(struct ssh **sshp, int is_serve
[email protected]@ -79,6 +79,10 @@ ssh_init(struct ssh **sshp, int is_serve
  	int r;
  
  	if (!called) {
@@ -652,7 +674,7 @@
  .It Cm ForwardAgent
  Specifies whether the connection to the authentication agent (if any)
  will be forwarded to the remote machine.
[email protected]@ -1200,6 +1209,16 @@ [email protected],[email protected]
[email protected]@ -1249,6 +1258,16 @@ [email protected],[email protected]
  hmac-sha2-256,hmac-sha2-512,hmac-sha1
  .Ed
  .Pp
@@ -703,7 +725,7 @@
 diff -pur old/sshd.c new/sshd.c
 --- old/sshd.c
 +++ new/sshd.c
[email protected]@ -430,10 +430,18 @@ sshd_exchange_identification(int sock_in
[email protected]@ -431,10 +431,18 @@ sshd_exchange_identification(struct ssh
  		minor = PROTOCOL_MINOR_1;
  	}
  
@@ -722,7 +744,7 @@
  
  	/* Send our protocol version identification. */
  	if (atomicio(vwrite, sock_out, server_version_string,
[email protected]@ -1503,6 +1511,10 @@ main(int ac, char **av)
[email protected]@ -1562,6 +1570,10 @@ main(int ac, char **av)
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
@@ -733,7 +755,7 @@
  	/* Initialize configuration options to their default values. */
  	initialize_server_options(&options);
  
[email protected]@ -1653,6 +1665,10 @@ main(int ac, char **av)
[email protected]@ -1712,6 +1724,10 @@ main(int ac, char **av)
  	    SYSLOG_FACILITY_AUTH : options.log_facility,
  	    log_stderr || !inetd_flag);
  
@@ -747,7 +769,7 @@
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
[email protected]@ -482,6 +482,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
[email protected]@ -489,6 +489,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
  [email protected],[email protected]
  .Ed
  .Pp
@@ -761,7 +783,7 @@
  The list of available ciphers may also be obtained using the
  .Fl Q
  option of
[email protected]@ -576,6 +583,8 @@ and
[email protected]@ -585,6 +592,8 @@ and
  .Dq sha256 .
  The default is
  .Dq sha256 .
@@ -770,7 +792,7 @@
  .It Cm ForceCommand
  Forces the execution of the command specified by
  .Cm ForceCommand ,
[email protected]@ -1025,6 +1034,16 @@ [email protected],[email protected]
[email protected]@ -1034,6 +1043,16 @@ [email protected],[email protected]
  hmac-sha2-256,hmac-sha2-512,hmac-sha1
  .Ed
  .Pp
--- a/components/openssh/patches/036-fipsrandom.patch	Wed Nov 16 12:04:24 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,119 +0,0 @@
-#
-# Replace arc4random* calls with FIPS compliant implementation in FIPS mode.
-#
-# Once libc:arc4random* are FIPS compliant (20816957), this patch will be
-# dropped.
-#
-# This is a temporary patch and is not intented for upstream contribution.
-#
-diff -pur old/misc.c new/misc.c
---- old/misc.c
-+++ new/misc.c
[email protected]@ -1164,3 +1164,87 @@ sock_set_v6only(int s)
- 		error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
- #endif
- }
-+
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* cancel arc4random* -> fips_arc4random* defines from misc.h */
-+#undef	arc4random
-+#undef	arc4random_buf
-+#undef	arc4random_stir
-+#undef	arc4random_uniform
-+
-+/* FIPS compliant alternative for arc4random */
-+static uint32_t
-+fips_arc4random_impl()
-+{
-+	unsigned int r = 0;
-+
-+	if (RAND_bytes((unsigned char *)&r, sizeof (r)) <= 0) {
-+		fatal("RAND_bytes() failed. Aborting the process");
-+	}
-+
-+	return (r);
-+}
-+
-+uint32_t
-+fips_arc4random()
-+{
-+	if (!ssh_FIPS_mode())
-+		return arc4random();
-+	else
-+		return fips_arc4random_impl();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+void
-+fips_arc4random_buf(void *_buf, size_t n)
-+{
-+	size_t i;
-+	uint32_t r = 0;
-+	char *buf = (char *)_buf;
-+
-+	if (!ssh_FIPS_mode())
-+		return arc4random_buf(_buf, n);
-+
-+	for (i = 0; i < n; i++) {
-+		if (i % 4 == 0)
-+			r = fips_arc4random_impl();
-+		buf[i] = r & 0xff;
-+		r >>= 8;
-+	}
-+	explicit_bzero(&r, sizeof(r));
-+}
-+
-+void
-+fips_arc4random_stir(void)
-+{
-+	if (!ssh_FIPS_mode())
-+		return arc4random_stir();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+uint32_t
-+fips_arc4random_uniform(uint32_t upper_bound)
-+{
-+	uint32_t r, min;
-+
-+	if (upper_bound < 2)
-+		return 0;
-+
-+	/* 2**32 % x == (2**32 - x) % x */
-+	min = -upper_bound % upper_bound;
-+
-+	/*
-+	 * This could theoretically loop forever but each retry has
-+	 * p > 0.5 (worst case, usually far better) of selecting a
-+	 * number inside the range we need, so it should rarely need
-+	 * to re-roll.
-+	 */
-+	for (;;) {
-+		r = fips_arc4random_impl();
-+		if (r >= min)
-+			break;
-+	}
-+
-+	return r % upper_bound;
-+}
-+#endif /* ENABLE_OPENSSL_FIPS */
-diff -pur old/misc.h new/misc.h
---- old/misc.h
-+++ new/misc.h
[email protected]@ -140,4 +140,16 @@ char	*read_passphrase(const char *, int)
- int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
- int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
- 
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* arc4random* FIPS alternatives */
-+uint32_t fips_arc4random(void);
-+void	 fips_arc4random_buf(void *, size_t);
-+void	 fips_arc4random_stir(void);
-+uint32_t fips_arc4random_uniform(uint32_t upper_bound);
-+#define	arc4random fips_arc4random
-+#define	arc4random_buf fips_arc4random_buf
-+#define	arc4random_stir fips_arc4random_stir
-+#define	arc4random_uniform fips_arc4random_uniform
-+#endif /* ENABLE_OPENSSL_FIPS */
-+
- #endif /* _MISC_H */
--- a/components/openssh/patches/041-pam_ctx_preserve.patch	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/041-pam_ctx_preserve.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -22,11 +22,10 @@
 # Reported upstream:
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2548
 #
-
 diff -pur old/auth-pam.c new/auth-pam.c
 --- old/auth-pam.c
 +++ new/auth-pam.c
[email protected]@ -97,6 +97,7 @@
[email protected]@ -98,6 +98,7 @@
  #include "ssh-gss.h"
  #endif
  #include "monitor_wrap.h"
@@ -34,7 +33,7 @@
  
  extern ServerOptions options;
  extern Buffer loginmsg;
[email protected]@ -109,38 +110,26 @@ extern u_int utmp_len;
[email protected]@ -110,38 +111,26 @@ extern u_int utmp_len;
  #endif
  
  /*
@@ -83,7 +82,7 @@
  static mysig_t sshpam_oldsig;
  
  static void
[email protected]@ -149,78 +138,22 @@ sshpam_sigchld_handler(int sig)
[email protected]@ -150,85 +139,25 @@ sshpam_sigchld_handler(int sig)
  	signal(SIGCHLD, SIG_DFL);
  	if (cleanup_ctxt == NULL)
  		return;	/* handler called after PAM cleanup, shouldn't happen */
@@ -92,12 +91,16 @@
  	    <= 0) {
 -		/* PAM thread has not exitted, privsep slave must have */
 -		kill(cleanup_ctxt->pam_thread, SIGTERM);
--		if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
+-		while (waitpid(cleanup_ctxt->pam_thread,
+-		    &sshpam_thread_status, 0) == -1) {
 +		/* callback child has not exited, privsep slave must have */
 +		kill(cleanup_ctxt->pam_child, SIGTERM);
-+		if (waitpid(cleanup_ctxt->pam_child, &sshpam_child_status, 0)
- 		    <= 0)
- 			return; /* could not wait */
++		while (waitpid(cleanup_ctxt->pam_child,
++		    &sshpam_child_status, 0) == -1) {
+ 			if (errno == EINTR)
+ 				continue;
+ 			return;
+ 		}
  	}
 -	if (WIFSIGNALED(sshpam_thread_status) &&
 -	    WTERMSIG(sshpam_thread_status) == SIGTERM)
@@ -158,7 +161,11 @@
 -	if (sshpam_thread_status != -1)
 -		return (sshpam_thread_status);
 -	signal(SIGCHLD, sshpam_oldsig);
--	waitpid(thread, &status, 0);
+-	while (waitpid(thread, &status, 0) == -1) {
+-		if (errno == EINTR)
+-			continue;
+-		fatal("%s: waitpid: %s", __func__, strerror(errno));
+-	}
 -	return (status);
 +	if (WIFSIGNALED(sshpam_child_status) &&
 +	    WTERMSIG(sshpam_child_status) == SIGTERM)
@@ -173,7 +180,7 @@
  
  static pam_handle_t *sshpam_handle = NULL;
  static int sshpam_err = 0;
[email protected]@ -290,55 +223,11 @@ sshpam_password_change_required(int reqd
[email protected]@ -298,55 +227,11 @@ sshpam_password_change_required(int reqd
  	}
  }
  
@@ -231,7 +238,7 @@
      struct pam_response **resp, void *data)
  {
  	Buffer buffer;
[email protected]@ -420,48 +309,84 @@ sshpam_thread_conv(int n, sshpam_const s
[email protected]@ -411,48 +296,85 @@ sshpam_thread_conv(int n, sshpam_const s
  }
  
  /*
@@ -310,15 +317,15 @@
 +	close(ctxt->pam_csock);
 +	ctxt->pam_csock = -1;
 +}
-+
+ 
+-	sshpam_conv.conv = sshpam_thread_conv;
 +int
 +get_pam_done(void *ctxt)
 +{
 +	struct pam_ctxt *pctxt = (struct pam_ctxt *)ctxt;
 +	return (pctxt->pam_done);
 +}
- 
--	sshpam_conv.conv = sshpam_thread_conv;
++
 +/*
 + * Perform PAM authentication.
 + *
@@ -333,6 +340,7 @@
 +	struct pam_conv sshpam_conv;
 +	int flags = (options.permit_empty_passwd == 0 ?
 +	    PAM_DISALLOW_NULL_AUTHTOK : 0);
++	struct ssh *ssh = active_state; /* XXX */
 +
 +	sshpam_conv.conv = sshpam_child_conv;
  	sshpam_conv.appdata_ptr = ctxt;
@@ -346,7 +354,7 @@
  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
  	    (const void *)&sshpam_conv);
  	if (sshpam_err != PAM_SUCCESS)
[email protected]@ -484,60 +409,34 @@ sshpam_thread(void *ctxtp)
[email protected]@ -477,63 +399,35 @@ sshpam_thread(void *ctxtp)
  		}
  	}
  
@@ -385,6 +393,8 @@
 -	/* XXX - can't do much about an error here */
 -	if (sshpam_err == PAM_ACCT_EXPIRED)
 -		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+-	else if (sshpam_maxtries_reached)
+-		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
 -	else
 -		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
 -	buffer_free(&buffer);
@@ -396,7 +406,7 @@
 +		    pam_strerror(sshpam_handle, sshpam_err),
 +		    sshpam_authctxt->valid ? "" : "illegal user ",
 +		    sshpam_authctxt->user,
-+		    get_remote_name_or_ip(utmp_len, options.use_dns));
++		    auth_get_canonical_hostname(ssh, options.use_dns));
 +	relieve_from_duty(ctxt);
  }
  
@@ -413,6 +423,7 @@
 -		close(ctxt->pam_psock);
 -		close(ctxt->pam_csock);
 -		memset(ctxt, 0, sizeof(*ctxt));
+-		cleanup_ctxt = NULL;
 +	if (ctxt != NULL && ctxt->pam_child != 0) {
 +		signal(SIGCHLD, sshpam_oldsig);
 +		/* callback child should have had exited by now */
@@ -423,18 +434,19 @@
 +			close(ctxt->pam_csock);
 +		if (sshpam_child_status == -1)
 +			waitpid(ctxt->pam_child, &sshpam_child_status, 0);
- 		cleanup_ctxt = NULL;
++ 		cleanup_ctxt = NULL;
  	}
  }
[email protected]@ -686,7 +585,6 @@ derive_pam_service_name(Authctxt *authct
+ 
[email protected]@ -681,7 +575,6 @@ derive_pam_service_name(Authctxt *authct
  static int
  sshpam_init(Authctxt *authctxt)
  {
 -	extern char *__progname;
  	const char *pam_rhost, *pam_user, *user = authctxt->user;
  	const char **ptr_pam_user = &pam_user;
- 
[email protected]@ -792,6 +690,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ 	struct ssh *ssh = active_state; /* XXX */
[email protected]@ -788,6 +681,7 @@ sshpam_init_ctx(Authctxt *authctxt)
  {
  	struct pam_ctxt *ctxt;
  	int socks[2];
@@ -442,7 +454,7 @@
  
  	debug3("PAM: %s entering", __func__);
  	/*
[email protected]@ -809,7 +708,7 @@ sshpam_init_ctx(Authctxt *authctxt)
[email protected]@ -805,7 +699,7 @@ sshpam_init_ctx(Authctxt *authctxt)
  
  	ctxt = xcalloc(1, sizeof *ctxt);
  
@@ -451,7 +463,7 @@
  	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
  		error("PAM: failed create sockets: %s", strerror(errno));
  		free(ctxt);
[email protected]@ -817,15 +716,29 @@ sshpam_init_ctx(Authctxt *authctxt)
[email protected]@ -813,15 +707,29 @@ sshpam_init_ctx(Authctxt *authctxt)
  	}
  	ctxt->pam_psock = socks[0];
  	ctxt->pam_csock = socks[1];
@@ -485,11 +497,10 @@
  	return (ctxt);
  }
  
[email protected]@ -839,8 +752,11 @@ sshpam_query(void *ctx, char **name, cha
[email protected]@ -836,8 +744,10 @@ sshpam_query(void *ctx, char **name, cha
  	u_char type;
  	char *msg;
  	size_t len, mlen;
-+	struct ssh *ssh;
 +	int r;
  
  	debug3("PAM: %s entering", __func__);
@@ -497,7 +508,7 @@
  	buffer_init(&buffer);
  	*name = xstrdup("");
  	*info = xstrdup("");
[email protected]@ -848,6 +764,17 @@ sshpam_query(void *ctx, char **name, cha
[email protected]@ -845,6 +755,17 @@ sshpam_query(void *ctx, char **name, cha
  	**prompts = NULL;
  	plen = 0;
  	*echo_on = xmalloc(sizeof(u_int));
@@ -515,7 +526,7 @@
  	while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
  		type = buffer_get_char(&buffer);
  		msg = buffer_get_string(&buffer, NULL);
[email protected]@ -879,15 +806,6 @@ sshpam_query(void *ctx, char **name, cha
[email protected]@ -880,15 +801,6 @@ sshpam_query(void *ctx, char **name, cha
  			/* FALLTHROUGH */
  		case PAM_AUTH_ERR:
  			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -531,7 +542,7 @@
  			/* FALLTHROUGH */
  		case PAM_SUCCESS:
  			if (**prompts != NULL) {
[email protected]@ -898,25 +816,21 @@ sshpam_query(void *ctx, char **name, cha
[email protected]@ -899,25 +811,20 @@ sshpam_query(void *ctx, char **name, cha
  				free(**prompts);
  				**prompts = NULL;
  			}
@@ -553,16 +564,15 @@
 +			buffer_put_cstring(&buffer, buffer_ptr(&loginmsg));
 +			if (!use_privsep) {
 +				/* sync packet state with parrent */
-+				ssh = active_state;
 +				r = ssh_packet_get_state(ssh, &buffer);
 +				if (r != 0)
 +					fatal("%s: get_state failed: %s",
-+					   __func__, ssh_err(r));
++					    __func__, ssh_err(r));
  			}
 -			error("PAM: %s for %s%.100s from %.100s", msg,
 -			    sshpam_authctxt->valid ? "" : "illegal user ",
 -			    sshpam_authctxt->user,
--			    get_remote_name_or_ip(utmp_len, options.use_dns));
+-			    auth_get_canonical_hostname(ssh, options.use_dns));
 -			/* FALLTHROUGH */
 +			ssh_msg_send(ctxt->pam_psock, type, &buffer);
 +			/* callback child ends here */
@@ -571,7 +581,7 @@
  		default:
  			*num = 0;
  			**echo_on = 0;
[email protected]@ -970,7 +884,7 @@ sshpam_free_ctx(void *ctxtp)
[email protected]@ -997,7 +904,7 @@ sshpam_free_ctx(void *ctxtp)
  	struct pam_ctxt *ctxt = ctxtp;
  
  	debug3("PAM: %s entering", __func__);
@@ -583,22 +593,20 @@
 diff -pur old/auth-pam.h new/auth-pam.h
 --- old/auth-pam.h
 +++ new/auth-pam.h
[email protected]@ -45,9 +45,10 @@ int do_pam_putenv(char *, char *);
[email protected]@ -45,7 +45,8 @@ int do_pam_putenv(char *, char *);
  char ** fetch_pam_environment(void);
  char ** fetch_pam_child_environment(void);
  void free_pam_environment(char **);
 -void sshpam_thread_cleanup(void);
 +void sshpam_child_cleanup(void);
++int get_pam_done(void *);
  void sshpam_cleanup(void);
  int sshpam_auth_passwd(Authctxt *, const char *);
- int is_pam_session_open(void);
-+int get_pam_done(void *);
- 
- #endif /* USE_PAM */
+ int sshpam_get_maxtries_reached(void);
 diff -pur old/monitor.c new/monitor.c
 --- old/monitor.c
 +++ new/monitor.c
[email protected]@ -1179,12 +1179,38 @@ mm_answer_pam_init_ctx(int sock, Buffer
[email protected]@ -1184,12 +1184,39 @@ mm_answer_pam_init_ctx(int sock, Buffer
  	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
  	sshpam_authok = NULL;
  	buffer_clear(m);
@@ -629,6 +637,7 @@
 +			    buffer_len(&loginmsg));
 +			buffer_clear(&loginmsg);
 +		}
++		buffer_put_int(m, sshpam_get_maxtries_reached());
 +		buffer_put_int(m, 0);		/* num */
 +		mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 +		return (0);
@@ -637,7 +646,7 @@
  	mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
  	return (0);
  }
[email protected]@ -1938,7 +1964,8 @@ monitor_apply_keystate(struct monitor *p
[email protected]@ -1947,7 +1974,8 @@ monitor_apply_keystate(struct monitor *p
  	int r;
  
  	debug3("%s: packet_set_state", __func__);
@@ -650,7 +659,7 @@
 diff -pur old/packet.c new/packet.c
 --- old/packet.c
 +++ new/packet.c
[email protected]@ -2345,7 +2345,7 @@ ssh_packet_restore_state(struct ssh *ssh
[email protected]@ -2449,7 +2449,7 @@ ssh_packet_get_output(struct ssh *ssh)
  }
  
  /* Reset after_authentication and reset compression in post-auth privsep */
@@ -659,7 +668,7 @@
  ssh_packet_set_postauth(struct ssh *ssh)
  {
  	struct sshcomp *comp;
[email protected]@ -2682,8 +2682,7 @@ ssh_packet_set_state(struct ssh *ssh, st
[email protected]@ -2775,8 +2775,7 @@ ssh_packet_set_state(struct ssh *ssh, st
  	cipher_set_keycontext(&state->send_context, keyout);
  	cipher_set_keycontext(&state->receive_context, keyin);
  
@@ -672,18 +681,18 @@
 diff -pur old/packet.h new/packet.h
 --- old/packet.h
 +++ new/packet.h
[email protected]@ -141,6 +141,7 @@ u_int	 ssh_packet_get_maxsize(struct ssh
[email protected]@ -144,6 +144,7 @@ u_int	 ssh_packet_get_maxsize(struct ssh
  
  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
  int	 ssh_packet_set_state(struct ssh *, struct sshbuf *);
 +int	 ssh_packet_set_postauth(struct ssh *ssh);
  
  const char *ssh_remote_ipaddr(struct ssh *);
- 
+ int	 ssh_remote_port(struct ssh *);
 diff -pur old/servconf.c new/servconf.c
 --- old/servconf.c
 +++ new/servconf.c
[email protected]@ -433,6 +433,18 @@ fill_default_server_options(ServerOption
[email protected]@ -435,6 +435,18 @@ fill_default_server_options(ServerOption
  		options->compression = 0;
  	}
  #endif
@@ -705,7 +714,7 @@
 diff -pur old/session.c new/session.c
 --- old/session.c
 +++ new/session.c
[email protected]@ -2850,7 +2850,7 @@ do_cleanup(Authctxt *authctxt)
[email protected]@ -2890,7 +2890,7 @@ do_cleanup(Authctxt *authctxt)
  #ifdef USE_PAM
  	if (options.use_pam) {
  		sshpam_cleanup();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/046-73_solaris_build_issue.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,31 @@
+#
+# Unbreak ./configure on Solaris.
+#
+# Patch source: upstream
+# https://marc.info/?l=openssh-unix-dev&m=147011381114561&w=2
+#
+--- orig/configure.ac	Thu Aug 18 14:41:57 2016
++++ new/configure.ac	Thu Aug 18 14:44:59 2016
[email protected]@ -751,6 +751,9 @@
+ 	use_pie=auto
+ 	check_for_libcrypt_later=1
+ 	check_for_openpty_ctty_bug=1
++        dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
++        dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
++        CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
+ 	AC_DEFINE([PAM_TTY_KLUDGE], [1],
+ 		[Work around problematic Linux PAM modules handling of PAM_TTY])
+ 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
[email protected]@ -1790,11 +1793,8 @@
+ 	warn \
+ ])
+ 
+-dnl Wide character support.  Linux man page says it needs _XOPEN_SOURCE.
+-saved_CFLAGS="$CFLAGS"
+-CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
++dnl Wide character support.
+ AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
+-CFLAGS="$saved_CFLAGS"
+ 
+ AC_LINK_IFELSE(
+         [AC_LANG_PROGRAM(
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/047-login_grace_time_watchdog.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,165 @@
+#
+# Implements watchdog process, which backs up login_grace_time alarm.
+#
+# If the main process is hung in a syscall, SIGALRM is queued but not
+# delivered and the connection stays unauthenticated for too long.
+#
+# Function start_grace_watchdog forks of a watchdog process, that sends the
+# main process a SIGTERM, if it does neither authenticate nor exit before
+# (login_grace_time + GRACE_WATCHDOG_THRESHOLD).
+# If the main process does not react to SIGTERM, SIGKILL is sent after
+# additional GRACE_WATCHDOG_THRESHOLD seconds.
+#
+# Patch source: in-house
+# Reported to [email protected] as security issue.
+#
+# Per agreement with upstream developers, filed:
+#    https://bugzilla.mindrot.org/show_bug.cgi?id=2615
+#
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
[email protected]@ -252,9 +252,16 @@ Buffer loginmsg;
+ /* Unprivileged user */
+ struct passwd *privsep_pw = NULL;
+ 
++/* Pid of process backing up login_grace_time alarm. */
++pid_t grace_watchdog_pid = -1;
++
++/* Time in seconds */
++#define	GRACE_WATCHDOG_THRESHOLD 10
++
+ /* Prototypes for various functions defined later in this file. */
+ void destroy_sensitive_data(void);
+ void demote_sensitive_data(void);
++static void stop_grace_watchdog(void);
+ 
+ #ifdef WITH_SSH1
+ static void do_ssh1_kex(void);
[email protected]@ -369,12 +376,98 @@ grace_alarm_handler(int sig)
+ 		signal(SIGTERM, SIG_IGN);
+ 		kill(0, SIGTERM);
+ 	}
++	stop_grace_watchdog();
+ 
+ 	/* Log error and exit. */
+ 	sigdie("Timeout before authentication for %s port %d",
+ 	    ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
+ }
+ 
++static inline void
++sleep_reliably(unsigned int seconds)
++{
++	while (seconds > 0)
++		seconds = sleep(seconds);
++}
++
++/*
++ * Implements watchdog process, which backs up login_grace_time alarm.
++ *
++ * If the main process is hung in a syscall, SIGALRM is queued but not
++ * delivered and the connection stays unauthenticated for too long.
++ *
++ * This function forks off a watchdog process, which sends the main process
++ * a SIGTERM, if it does neither authenticate nor exit before
++ * (login_grace_time + GRACE_WATCHDOG_THRESHOLD).
++ * If the main process does not react to SIGTERM, SIGKILL is sent after
++ * additional GRACE_WATCHDOG_THRESHOLD seconds.
++ */
++static void
++start_grace_watchdog(int login_grace_time)
++{
++	pid_t ppid = getpid();
++
++	if (login_grace_time == 0)
++		return;
++
++	if (grace_watchdog_pid != -1) {
++		error("login_grace_time watchdog process already running");
++		return;
++	}
++
++	grace_watchdog_pid = fork();
++	if (grace_watchdog_pid == -1)
++		fatal("fork of login_grace_time watchdog process failed");
++	else if (grace_watchdog_pid > 0)
++		return;
++
++	/* child */
++
++	/* close open fds, including client socket and startup_pipe */
++	closefrom(3);
++
++	/* kill the monitor with SIGTERM after timeout + threshold */
++	sleep_reliably(login_grace_time + GRACE_WATCHDOG_THRESHOLD);
++	if (getppid() != ppid) {
++		debug("login_grace_time watchdog still active, "
++		    "but watched process %d already exited.", (int)ppid);
++		exit(0);
++	}
++	error("Timeout before authentication for %s. Killing process %d "
++	    "with SIGTERM.", ssh_remote_ipaddr(active_state), (int)ppid);
++	kill(ppid, SIGTERM);
++
++	/* if neccessary, kill it with SIGKILL */
++	sleep_reliably(GRACE_WATCHDOG_THRESHOLD);
++	if (getppid() != ppid)
++		exit(0);
++	error("Watched process %d did not respond to SIGTERM. "
++	    "Killing it with SIGKILL.", (int)ppid);
++	kill(ppid, SIGKILL);
++
++	/* give up */
++	sleep_reliably(GRACE_WATCHDOG_THRESHOLD);
++	if (getppid() == ppid) {
++		error("login_grace_time watchdog failed to kill %d", (int)ppid);
++		exit(255);
++	}
++	exit(0);
++}
++
++/* kill grace watchdog process */
++static void
++stop_grace_watchdog()
++{
++	if (grace_watchdog_pid == -1) {
++		debug3("login_grace_time watchdog process not running");
++		return;
++	}
++
++	kill(grace_watchdog_pid, SIGTERM);
++	grace_watchdog_pid = -1;
++}
++
++
+ /*
+  * Signal handler for the key regeneration alarm.  Note that this
+  * alarm only occurs in the daemon waiting for connections, and it does not
[email protected]@ -723,6 +816,7 @@ privsep_preauth(Authctxt *authctxt)
+ 		/* child */
+ 		close(pmonitor->m_sendfd);
+ 		close(pmonitor->m_log_recvfd);
++		grace_watchdog_pid = -1;
+ 
+ 		/* Arrange for logging to be sent to the monitor */
+ 		set_log_handler(mm_log_handler, pmonitor);
[email protected]@ -2235,8 +2329,10 @@ main(int ac, char **av)
+ 	 * are about to discover the bug.
+ 	 */
+ 	signal(SIGALRM, grace_alarm_handler);
+-	if (!debug_flag)
++	if (!debug_flag) {
+ 		alarm(options.login_grace_time);
++		start_grace_watchdog(options.login_grace_time);
++	}
+ 
+ 	sshd_exchange_identification(ssh, sock_in, sock_out);
+ 
[email protected]@ -2302,6 +2398,7 @@ main(int ac, char **av)
+ 	 */
+ 	alarm(0);
+ 	signal(SIGALRM, SIG_DFL);
++	stop_grace_watchdog();
+ 	authctxt->authenticated = 1;
+ 	if (startup_pipe != -1) {
+ 		close(startup_pipe);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/048-maxstartups-log_dropped.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,24 @@
+#
+# When MaxStartups of unauthenticated concurrent connections is hit,
+# additional connections are dropped.
+#
+# Dropped connections should be logged. Server administrator should be able to
+# find this information and might be interested in details. 
+#
+# Patch source: in-house
+# Offered upstream:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2613
+#
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
[email protected]@ -1419,7 +1419,8 @@ server_accept_loop(int *sock_in, int *so
+ 				continue;
+ 			}
+ 			if (drop_connection(startups) == 1) {
+-				debug("drop connection #%d", startups);
++				logit("MaxStartups: dropping connection #%d",
++				    startups);
+ 				close(*newsock);
+ 				continue;
+ 			}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/049-kexinit_mem_exhaust.patch	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,21 @@
+#
+# Unregister the KEXINIT handler after message has been received.
+#
+# CVE-2016-8858
+#
+# Patch source: upstream
+# https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe
+#
+# We will drop this patch when upgrading to OpenSSH 7.4 or later.
+#
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
[email protected]@ -517,6 +517,7 @@ kex_input_kexinit(int type, u_int32_t se
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;
--- a/components/openssh/sources/kexgssc.c	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/sources/kexgssc.c	Wed Nov 16 12:17:49 2016 -0800
@@ -63,7 +63,6 @@
 	Gssctxt *ctxt;
 	OM_uint32 maj_status, min_status, ret_flags;
 	uint_t klen, kout, slen = 0, strlen;
-	DH *dh;
 	BIGNUM *dh_server_pub = NULL;
 	BIGNUM *shared_secret = NULL;
 	BIGNUM *p = NULL;
@@ -284,7 +283,9 @@
 	switch (kex->kex_type) {
 	case KEX_GSS_GRP1_SHA1:
 	case KEX_GSS_GRP14_SHA1:
-		kex_dh_hash(kex->client_version_string,
+		kex_dh_hash(
+		    kex->hash_alg,
+		    kex->client_version_string,
 		    kex->server_version_string,
 		    buffer_ptr(kex->my), buffer_len(kex->my),
 		    buffer_ptr(kex->peer), buffer_len(kex->peer),
--- a/components/openssh/sources/kexgsss.c	Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/sources/kexgsss.c	Wed Nov 16 12:17:49 2016 -0800
@@ -76,7 +76,6 @@
 	Gssctxt *ctxt = NULL;
 	uint_t slen, klen, kout;
 	uchar_t *kbuf;
-	DH *dh;
 	int min = -1, max = -1, nbits = -1;
 	BIGNUM *shared_secret = NULL;
 	BIGNUM *dh_client_pub = NULL;
@@ -236,6 +235,7 @@
 	case KEX_GSS_GRP1_SHA1:
 	case KEX_GSS_GRP14_SHA1:
 		kex_dh_hash(
+		    kex->hash_alg,
 		    kex->client_version_string, kex->server_version_string,
 		    buffer_ptr(kex->peer), buffer_len(kex->peer),
 		    buffer_ptr(kex->my), buffer_len(kex->my),
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-none	Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for the SSH user authentication type of 'none' which is
+# used when no authentication is required at all.  This PAM fragment prevents 
+# authentication using sshd-none to avoid unnecessary interaction with
+# failed logins tracking in certain SSH and PAM configurations.  If SSH
+# logins are desired without any authentication then this is possible by
+# configuring both the sshd_config(5) options 'PasswordAuthentication' and
+# 'PermitEmptyPasswords' to be 'yes' and using either the 'password' or
+# 'keyboard-interactive' user authentication methods.
+#
+auth		definitive	pam_deny.so.1
+account		definitive	pam_deny.so.1
+session		definitive	pam_deny.so.1
+password	definitive	pam_deny.so.1