summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:20:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:20:06 +0000
commitd92ccc5852f34167429fdadb46294ea5527d8883 (patch)
tree9814bfc193fab03dcb43d6218721ef079ed01901
parentMerging upstream version 1:9.7p1. (diff)
downloadopenssh-d92ccc5852f34167429fdadb46294ea5527d8883.tar.xz
openssh-d92ccc5852f34167429fdadb46294ea5527d8883.zip
Adding debian version 1:9.7p1-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/changelog33
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch2
-rw-r--r--debian/patches/broken-zero-call-used-regs.patch46
-rw-r--r--debian/patches/conch-ssh-rsa.patch6
-rw-r--r--debian/patches/debian-banner.patch24
-rw-r--r--debian/patches/debian-config.patch16
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch117
-rw-r--r--debian/patches/keepalive-extensions.patch18
-rw-r--r--debian/patches/maxhostnamelen.patch2
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch4
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch18
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch10
-rw-r--r--debian/patches/revert-ipqos-defaults.patch16
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch6
-rw-r--r--debian/patches/series2
-rw-r--r--debian/patches/shell-path.patch6
-rw-r--r--debian/patches/skip-utimensat-test-on-zfs.patch55
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch6
-rw-r--r--debian/patches/syslog-level-silent.patch4
-rw-r--r--debian/patches/systemd-readiness.patch10
-rw-r--r--debian/patches/systemd-socket-activation.patch4
-rw-r--r--debian/patches/user-group-modes.patch16
-rw-r--r--debian/tests/control2
-rwxr-xr-xdebian/tests/regress2
34 files changed, 249 insertions, 222 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index f176d51..be248d5 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
# see git-dpm(1) from git-dpm package
-66eb7a60b33a813422df2f9109aa328bd5027018
-66eb7a60b33a813422df2f9109aa328bd5027018
-82d0e0b4bd9f683e3d9f0e394155742fd2550fac
-82d0e0b4bd9f683e3d9f0e394155742fd2550fac
-openssh_9.6p1.orig.tar.gz
-de300d09ec79fdbf37de4e6672cce4161439f2c3
-1857862
+3a5a49f1a4355e7f75ec350cb13f46ea835058da
+3a5a49f1a4355e7f75ec350cb13f46ea835058da
+cf05e8418c088a6e5712344cecaf6ee2d5eb550f
+cf05e8418c088a6e5712344cecaf6ee2d5eb550f
+openssh_9.7p1.orig.tar.gz
+ce8985ea0ea2f16a5917fd982ade0972848373cc
+1848766
debianTag="debian/%e%%%V"
patchedTag="patched/%e%%%V"
upstreamTag="upstream/%U"
-signature:63c241035c665da9284965575cd96e0467bf09c1:833:openssh_9.6p1.orig.tar.gz.asc
+signature:6848845450c5d5776afd10f8217f870d320cc4d5:833:openssh_9.7p1.orig.tar.gz.asc
diff --git a/debian/changelog b/debian/changelog
index 8a838d6..01e430e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
+openssh (1:9.7p1-1) unstable; urgency=medium
+
+ * Add the isolation-container restriction to the "regress" autopkgtest.
+ Our setup code wants to ensure that the haveged service is running, and
+ furthermore at least the agent-subprocess test assumes that there's an
+ init to reap zombie processes and doesn't work in (e.g.)
+ autopkgtest-virt-unshare.
+ * New upstream release (https://www.openssh.com/releasenotes.html#9.7p1):
+ - ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all
+ open channels and will close all open channels if there is no traffic
+ on any of them for the specified interval. This is in addition to the
+ existing per-channel timeouts added recently.
+ This supports situations like having both session and x11 forwarding
+ channels open where one may be idle for an extended period but the
+ other is actively used. The global timeout could close both channels
+ when both have been idle for too long (closes: #165185).
+ - All: make DSA key support compile-time optional, defaulting to on.
+ - sshd(8): don't append an unnecessary space to the end of subsystem
+ arguments (bz3667)
+ - ssh(1): fix the multiplexing "channel proxy" mode, broken when
+ keystroke timing obfuscation was added. (GHPR#463)
+ - ssh(1), sshd(8): fix spurious configuration parsing errors when
+ options that accept array arguments are overridden (bz3657).
+ - ssh-agent(1): fix potential spin in signal handler (bz3670)
+ - Many fixes to manual pages and other documentation.
+ - Greatly improve interop testing against PuTTY.
+ * Skip utimensat test on ZFS, since it seems to leave the atime set to 0.
+ * Allow passing extra options to debian/tests/regress, for debugging.
+ * Fix gssapi-keyex declaration, broken when rebasing onto 8.9p1
+ (LP: #2053146).
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 14 Mar 2024 10:47:58 +0000
+
openssh (1:9.6p1-5) unstable; urgency=medium
* Restore systemd template unit for per-connection sshd instances,
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index beeafd6..70596b9 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 9413092a071a763ffceb02b3df527032cdf74d71 Mon Sep 17 00:00:00 2001
+From 1714f9926d197f8015c17081bc582904b908aceb Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/broken-zero-call-used-regs.patch b/debian/patches/broken-zero-call-used-regs.patch
deleted file mode 100644
index 96449e1..0000000
--- a/debian/patches/broken-zero-call-used-regs.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 66eb7a60b33a813422df2f9109aa328bd5027018 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Thu, 21 Dec 2023 15:18:52 +0000
-Subject: Improve detection of broken -fzero-call-used-regs=used
-
-Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=3776&action=diff
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3645
-Last-Update: 2023-12-21
-
-Patch-Name: broken-zero-call-used-regs.patch
----
- m4/openssh.m4 | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/m4/openssh.m4 b/m4/openssh.m4
-index 5d4c56280..033df501c 100644
---- a/m4/openssh.m4
-+++ b/m4/openssh.m4
-@@ -20,18 +20,24 @@ char *f2(char *s, ...) {
- va_end(args);
- return strdup(ret);
- }
-+const char *f3(int s) {
-+ return s ? "good" : "gooder";
-+}
- int main(int argc, char **argv) {
-- (void)argv;
- char b[256], *cp;
-+ const char *s;
- /* Some math to catch -ftrapv problems in the toolchain */
- int i = 123 * argc, j = 456 + argc, k = 789 - argc;
- float l = i * 2.1;
- double m = l / 0.5;
- long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
-+ (void)argv;
- f(1);
-- snprintf(b, sizeof b, "%d %d %d %f %f %lld %lld\n", i,j,k,l,m,n,o);
-+ s = f3(f(2));
-+ snprintf(b, sizeof b, "%d %d %d %f %f %lld %lld %s\n", i,j,k,l,m,n,o,s);
- if (write(1, b, 0) == -1) exit(0);
-- cp = f2("%d %d %d %f %f %lld %lld\n", i,j,k,l,m,n,o);
-+ cp = f2("%d %d %d %f %f %lld %lld %s\n", i,j,k,l,m,n,o,s);
-+ if (write(1, cp, 0) == -1) exit(0);
- free(cp);
- /*
- * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
diff --git a/debian/patches/conch-ssh-rsa.patch b/debian/patches/conch-ssh-rsa.patch
index 4d913a0..1025adc 100644
--- a/debian/patches/conch-ssh-rsa.patch
+++ b/debian/patches/conch-ssh-rsa.patch
@@ -1,4 +1,4 @@
-From df5489f19fc05621a5902490692de3245528d424 Mon Sep 17 00:00:00 2001
+From 1a567ea25bebb83f7765cf05401e974f855e6938 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 15 Feb 2022 18:25:35 +0000
Subject: Work around RSA SHA-2 signature issues in conch
@@ -19,10 +19,10 @@ Patch-Name: conch-ssh-rsa.patch
1 file changed, 11 insertions(+)
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index 603848683..09d91e3b8 100644
+index 56e98159c..bec44adb5 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
-@@ -749,6 +749,17 @@ REGRESS_INTEROP_CONCH=no
+@@ -752,6 +752,17 @@ REGRESS_INTEROP_CONCH=no
if test -x "$CONCH" ; then
REGRESS_INTEROP_CONCH=yes
fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 94bee33..4873a86 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From a3b95c8a438d7d8eff92c62e2b8ea18af5a56466 Mon Sep 17 00:00:00 2001
+From 1ec718d6b26bebc1c2c8b8774097c2a3d4805542 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
-index a532d8cb0..db6717e9f 100644
+index 4e988e39b..30f2ce2b3 100644
--- a/kex.c
+++ b/kex.c
-@@ -1522,7 +1522,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1545,7 +1545,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index a532d8cb0..db6717e9f 100644
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
-@@ -1540,7 +1540,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1563,7 +1563,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -45,7 +45,7 @@ index a532d8cb0..db6717e9f 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/kex.h b/kex.h
-index faee60f16..4aff3b756 100644
+index 32da837f8..41888c0d8 100644
--- a/kex.h
+++ b/kex.h
@@ -208,7 +208,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
@@ -58,7 +58,7 @@ index faee60f16..4aff3b756 100644
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
-index b61295758..cecbef9a1 100644
+index 193d73cca..12aa1f4ad 100644
--- a/servconf.c
+++ b/servconf.c
@@ -201,6 +201,7 @@ initialize_server_options(ServerOptions *options)
@@ -94,7 +94,7 @@ index b61295758..cecbef9a1 100644
{ NULL, sBadOption, 0 }
};
-@@ -2584,6 +2589,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -2637,6 +2642,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
}
goto parse_time;
@@ -105,7 +105,7 @@ index b61295758..cecbef9a1 100644
case sDeprecated:
case sIgnore:
case sUnsupported:
-@@ -3131,6 +3140,7 @@ dump_config(ServerOptions *o)
+@@ -3185,6 +3194,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
@@ -127,7 +127,7 @@ index 2ce4ae0ad..e0c0af903 100644
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
-index f3096cad9..ccccb4a52 100644
+index 23f79ed2b..da20ecd88 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1581,7 +1581,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
@@ -140,7 +140,7 @@ index f3096cad9..ccccb4a52 100644
/* Put the connection into non-blocking mode. */
diff --git a/sshd.c b/sshd.c
-index 1895a9972..d56ba490b 100644
+index 9c9f38e5b..8fab51ebb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2249,7 +2249,7 @@ main(int ac, char **av)
@@ -153,10 +153,10 @@ index 1895a9972..d56ba490b 100644
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
-index 5de2fd8cf..630c18736 100644
+index e06ef8abd..1a8febfa6 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -621,6 +621,11 @@ or
+@@ -629,6 +629,11 @@ or
.Cm no .
The default is
.Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index eb1f35b..362b630 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From c9eb9a51710efba1a6a6d344557c6a6b9c4e7866 Mon Sep 17 00:00:00 2001
+From 0790e776cbf191c6c621de01259dfe32623fd13e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
@@ -46,10 +46,10 @@ Patch-Name: debian-config.patch
7 files changed, 99 insertions(+), 9 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 6cf3612e7..2e6d3e726 100644
+index d68658185..720062bcc 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2702,7 +2702,7 @@ fill_default_options(Options * options)
+@@ -2739,7 +2739,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
@@ -59,10 +59,10 @@ index 6cf3612e7..2e6d3e726 100644
options->forward_x11_timeout = 1200;
/*
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index 089ef73c4..603848683 100644
+index ad627941f..56e98159c 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
-@@ -606,6 +606,7 @@ cat << EOF > $OBJ/sshd_config
+@@ -609,6 +609,7 @@ cat << EOF > $OBJ/sshd_config
AcceptEnv _XXX_TEST_*
AcceptEnv _XXX_TEST
Subsystem sftp $SFTPSERVER
@@ -138,7 +138,7 @@ index 16197d15d..92d06ef38 100644
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
-index 943260617..4ec34d1a3 100644
+index 41d4d7406..c2789a09d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
@@ -171,7 +171,7 @@ index 943260617..4ec34d1a3 100644
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
-@@ -891,11 +914,12 @@ elapsed.
+@@ -901,11 +924,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
@@ -244,7 +244,7 @@ index ecfe8d026..677f97d5d 100644
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
-index 98bd201b0..d0bf6d641 100644
+index 0e8891c4f..12083e839 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 90bf812..6de17c8 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From bdf9d563e4ecfcf17de88d67df844af469c3d77e Mon Sep 17 00:00:00 2001
+From 95996e9626ca13ca67e75e0158bb50057fadfa3b Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index ba7559f..4e9f5ba 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 395ff5777853680af3372975add24fde69399ba3 Mon Sep 17 00:00:00 2001
+From 9932c1a0e0a092767e8084d24b2efcab590910d1 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
-index bebfe1cee..943260617 100644
+index 4afb8fb7a..41d4d7406 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1010,6 +1010,9 @@ Note that existing names and addresses in known hosts files
+@@ -1020,6 +1020,9 @@ Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 21a5115..da85da8 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 872a2374d3af341b9cf1c76b3d009f715f6220fb Mon Sep 17 00:00:00 2001
+From 88b6d6e61aa61bae505ab5ce332380be4fe1b1b3 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 0590558..b943ba7 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From cabc0eedcbd5c1aa3e09c56968ecdc8b47317c37 Mon Sep 17 00:00:00 2001
+From 156d561811630c66f06068ee7892b3cbf90f0d1a Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,14 +21,14 @@ Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2023-12-18
+Last-Updated: 2024-03-14
Patch-Name: gssapi.patch
---
Makefile.in | 5 +-
README.md | 36 +++
auth.c | 94 +-------
- auth2-gss.c | 56 ++++-
+ auth2-gss.c | 57 ++++-
auth2.c | 2 +
canohost.c | 91 ++++++++
canohost.h | 3 +
@@ -58,13 +58,13 @@ Patch-Name: gssapi.patch
ssh.c | 6 +-
ssh_config | 2 +
ssh_config.5 | 57 +++++
- sshconnect2.c | 156 ++++++++++++-
+ sshconnect2.c | 146 +++++++++++-
sshd.c | 62 ++++-
sshd_config | 2 +
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 39 files changed, 2772 insertions(+), 164 deletions(-)
+ 39 files changed, 2763 insertions(+), 164 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
@@ -256,7 +256,7 @@ index 3b380d9bb..8ccf06370 100644
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
diff --git a/auth2-gss.c b/auth2-gss.c
-index f72a38998..da3bf99c1 100644
+index f72a38998..c3b8e6288 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
@@ -337,12 +337,13 @@ index f72a38998..da3bf99c1 100644
else
logit("GSSAPI MIC check failed");
-@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0;
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
@@ -487,7 +488,7 @@ index 26d62855a..0cadc9f18 100644
int get_peer_port(int);
char *get_local_ipaddr(int);
diff --git a/clientloop.c b/clientloop.c
-index eb4902905..1ffe685a3 100644
+index 8ec36af94..a1f94a85a 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,10 @@
@@ -518,10 +519,10 @@ index eb4902905..1ffe685a3 100644
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
-index 379cd746b..2aeab040c 100644
+index 82e8bb7c1..bb3e644fe 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -766,6 +766,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -553,11 +554,11 @@ index 379cd746b..2aeab040c 100644
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff --git a/gss-genr.c b/gss-genr.c
-index 2cd695e54..9f9745b7f 100644
+index aa34b71c5..3aa14333a 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -849,7 +850,7 @@ index 2cd695e54..9f9745b7f 100644
+ ctx = &intctx;
/* RFC 4462 says we MUST NOT do SPNEGO */
- if (oid->length == spnego_oid.length &&
+ if (oid->length == spnego_oid.length &&
@@ -285,6 +514,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
@@ -859,13 +860,13 @@ index 2cd695e54..9f9745b7f 100644
+ major = ssh_gssapi_client_identity(*ctx, client);
+
if (!GSS_ERROR(major)) {
- major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
@@ -294,10 +527,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
GSS_C_NO_BUFFER);
}
-- if (GSS_ERROR(major))
+- if (GSS_ERROR(major))
+ if (GSS_ERROR(major) || intctx != NULL)
ssh_gssapi_delete_ctx(ctx);
@@ -1360,7 +1361,7 @@ index 00e3d118b..162fec447 100644
/* Privileged */
diff --git a/kex.c b/kex.c
-index cbb2af596..acab53195 100644
+index 8a0f16513..e4a2362bd 100644
--- a/kex.c
+++ b/kex.c
@@ -58,12 +58,17 @@
@@ -1473,7 +1474,7 @@ index cbb2af596..acab53195 100644
/* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -964,6 +1021,9 @@ kex_free(struct kex *kex)
+@@ -987,6 +1044,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
@@ -1484,7 +1485,7 @@ index cbb2af596..acab53195 100644
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
-index ba3a6a4ea..faee60f16 100644
+index 0caf42b50..32da837f8 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,15 @@ enum kex_exchange {
@@ -3031,7 +3032,7 @@ index 0df49c25b..830fdb308 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index a2282b562..ef67ab20f 100644
+index 3a64a0441..91d3c0aa0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -70,6 +70,7 @@
@@ -3074,7 +3075,7 @@ index a2282b562..ef67ab20f 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1210,10 +1225,46 @@ parse_time:
+@@ -1227,10 +1242,46 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3121,7 +3122,7 @@ index a2282b562..ef67ab20f 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2505,7 +2556,13 @@ initialize_options(Options * options)
+@@ -2542,7 +2593,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1;
options->gss_authentication = -1;
@@ -3135,7 +3136,7 @@ index a2282b562..ef67ab20f 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2668,8 +2725,18 @@ fill_default_options(Options * options)
+@@ -2705,8 +2762,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -3154,7 +3155,7 @@ index a2282b562..ef67ab20f 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -3494,7 +3561,14 @@ dump_client_config(Options *o, const char *host)
+@@ -3533,7 +3600,14 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3170,7 +3171,7 @@ index a2282b562..ef67ab20f 100644
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h
-index ff7180cd0..0d2ad44f9 100644
+index 9447d5d6e..f039c11bd 100644
--- a/readconf.h
+++ b/readconf.h
@@ -40,7 +40,13 @@ typedef struct {
@@ -3188,7 +3189,7 @@ index ff7180cd0..0d2ad44f9 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
-index 86c297936..940e1d50a 100644
+index 4b434909a..961cf9e45 100644
--- a/servconf.c
+++ b/servconf.c
@@ -68,6 +68,7 @@
@@ -3261,7 +3262,7 @@ index 86c297936..940e1d50a 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1616,6 +1639,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1618,6 +1641,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3272,7 +3273,7 @@ index 86c297936..940e1d50a 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -1624,6 +1651,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1626,6 +1653,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -3295,7 +3296,7 @@ index 86c297936..940e1d50a 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -3058,6 +3101,10 @@ dump_config(ServerOptions *o)
+@@ -3112,6 +3155,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3323,7 +3324,7 @@ index ed7b72e8e..2ce4ae0ad 100644
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/session.c b/session.c
-index aa342e84d..f985b8177 100644
+index c821dcd44..cbb4edac5 100644
--- a/session.c
+++ b/session.c
@@ -2687,13 +2687,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3614,7 +3615,7 @@ index 936c995ba..877c3bc64 100644
(key types),
.Ar key-ca-sign
diff --git a/ssh.c b/ssh.c
-index 48d93ddf2..f50cecdbb 100644
+index 0019281f4..484a26528 100644
--- a/ssh.c
+++ b/ssh.c
@@ -827,6 +827,8 @@ main(int ac, char **av)
@@ -3651,10 +3652,10 @@ index cc5663562..16197d15d 100644
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index 4bbdfefd1..7ca72aedf 100644
+index 2931d807e..8e8aeb640 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -928,10 +928,67 @@ The default is
+@@ -938,10 +938,67 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
@@ -3723,7 +3724,7 @@ index 4bbdfefd1..7ca72aedf 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index fab1e36be..cb584ad27 100644
+index 745c2a051..b7c376116 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -80,8 +80,6 @@
@@ -3736,7 +3737,7 @@ index fab1e36be..cb584ad27 100644
/*
@@ -224,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
- char *s, *all_key, *hkalgs = NULL;
+ char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3747,7 +3748,7 @@ index fab1e36be..cb584ad27 100644
xxx_host = host;
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
-@@ -261,6 +264,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -259,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
free(hkalgs);
@@ -3790,7 +3791,7 @@ index fab1e36be..cb584ad27 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -275,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -273,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3821,25 +3822,9 @@ index fab1e36be..cb584ad27 100644
+#endif
+
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
+ kex_proposal_free_entries(myproposal);
- /* remove ext-info from the KEX proposals for rekeying */
- free(myproposal[PROPOSAL_KEX_ALGS]);
- myproposal[PROPOSAL_KEX_ALGS] =
- compat_kex_proposal(ssh, options.kex_algorithms);
-+#if defined(GSSAPI) && defined(WITH_OPENSSL)
-+ /* repair myproposal after it was crumpled by the */
-+ /* ext-info removal above */
-+ if (gss) {
-+ orig = myproposal[PROPOSAL_KEX_ALGS];
-+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
-+ "%s,%s", gss, orig);
-+ free(gss);
-+ }
-+#endif
- if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
- fatal_r(r, "kex_prop2buf");
-
-@@ -379,6 +448,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -370,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3847,7 +3832,7 @@ index fab1e36be..cb584ad27 100644
#endif
void userauth(struct ssh *, char *);
-@@ -395,6 +465,11 @@ static char *authmethods_get(void);
+@@ -386,6 +446,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -3859,7 +3844,7 @@ index fab1e36be..cb584ad27 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
-@@ -766,12 +841,32 @@ userauth_gssapi(struct ssh *ssh)
+@@ -757,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -3893,7 +3878,7 @@ index fab1e36be..cb584ad27 100644
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -780,13 +875,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -771,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3910,7 +3895,7 @@ index fab1e36be..cb584ad27 100644
if (!ok || mech == NULL)
return 0;
-@@ -1020,6 +1117,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1011,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
free(lang);
return r;
}
@@ -3967,7 +3952,7 @@ index fab1e36be..cb584ad27 100644
static int
diff --git a/sshd.c b/sshd.c
-index 9cbe92293..fee5cac64 100644
+index b4f2b9742..d5c3dfe57 100644
--- a/sshd.c
+++ b/sshd.c
@@ -798,8 +798,8 @@ notify_hostkeys(struct ssh *ssh)
@@ -4074,10 +4059,10 @@ index 36894ace5..ecfe8d026 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index 7e1a56cd0..d2f09de9b 100644
+index a0f16874f..c0c1b0d9a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -731,6 +731,11 @@ Specifies whether to automatically destroy the user's credentials cache
+@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Cm yes .
@@ -4089,7 +4074,7 @@ index 7e1a56cd0..d2f09de9b 100644
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
-@@ -745,6 +750,31 @@ machine's default store.
+@@ -753,6 +758,31 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
@@ -4122,10 +4107,10 @@ index 7e1a56cd0..d2f09de9b 100644
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c
-index 06db9b5da..1e7810337 100644
+index d4356e72c..c7abbe298 100644
--- a/sshkey.c
+++ b/sshkey.c
-@@ -128,6 +128,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
+@@ -130,6 +130,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
extern const struct sshkey_impl sshkey_xmss_impl;
extern const struct sshkey_impl sshkey_xmss_cert_impl;
#endif
@@ -4135,7 +4120,7 @@ index 06db9b5da..1e7810337 100644
const struct sshkey_impl * const keyimpls[] = {
&sshkey_ed25519_impl,
-@@ -165,6 +168,9 @@ const struct sshkey_impl * const keyimpls[] = {
+@@ -169,6 +172,9 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_xmss_impl,
&sshkey_xmss_cert_impl,
#endif
@@ -4145,7 +4130,7 @@ index 06db9b5da..1e7810337 100644
NULL
};
-@@ -320,7 +326,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -324,7 +330,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
for (i = 0; keyimpls[i] != NULL; i++) {
impl = keyimpls[i];
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index b271f71..139084a 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 07b232eaa2b9236e66282d4f126f1023d41efc0e Mon Sep 17 00:00:00 2001
+From 2b4e16a9212c0c8924e528e45871c75bfb0662b3 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 93e431d71..bd2e78ab7 100644
+index 0f0fb67a5..c6e609fca 100644
--- a/readconf.c
+++ b/readconf.c
@@ -182,6 +182,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 93e431d71..bd2e78ab7 100644
{ NULL, oBadOption }
};
-@@ -1867,6 +1870,8 @@ parse_pubkey_algos:
+@@ -1886,6 +1889,8 @@ parse_pubkey_algos:
goto parse_flag;
case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 93e431d71..bd2e78ab7 100644
intptr = &options->server_alive_interval;
goto parse_time;
-@@ -2820,8 +2825,13 @@ fill_default_options(Options * options)
+@@ -2859,8 +2864,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 93e431d71..bd2e78ab7 100644
options->server_alive_count_max = 3;
if (options->control_master == -1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 7ca72aedf..25ccbed28 100644
+index 8e8aeb640..6b482ee15 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -297,9 +297,13 @@ If set to
@@ -90,7 +90,7 @@ index 7ca72aedf..25ccbed28 100644
The argument must be
.Cm yes
or
-@@ -1913,7 +1917,14 @@ from the server,
+@@ -1923,7 +1927,14 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
@@ -106,7 +106,7 @@ index 7ca72aedf..25ccbed28 100644
.It Cm SessionType
May be used to either request invocation of a subsystem on the remote system,
or to prevent the execution of a remote command at all.
-@@ -2027,6 +2038,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -2037,6 +2048,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 7ca72aedf..25ccbed28 100644
connections will die if the route is down temporarily, and some people
find it annoying.
diff --git a/sshd_config.5 b/sshd_config.5
-index d2f09de9b..5de2fd8cf 100644
+index c0c1b0d9a..e06ef8abd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -1842,6 +1842,9 @@ This avoids infinitely hanging sessions.
+@@ -1859,6 +1859,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index c45fe52..a09bb86 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 32443f45af302ef1f1b48a06942b64b9a9bcc55a Mon Sep 17 00:00:00 2001
+From 50bdc8330d6fa86723d493e0d6a2a4fd7ebdccd9 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@gmail.com>
Date: Fri, 5 Nov 2021 23:22:53 +0000
Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 0aec751..7a0ab27 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From d0ff89bd8fd3212fbfaaac8e116150c82bd76ca3 Mon Sep 17 00:00:00 2001
+From d063a438467f31908ef2cfa124f7e648237926d2 Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,7 +14,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
-index 69256c354..f3096cad9 100644
+index 1d5bcc782..23f79ed2b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1277,9 +1277,13 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index dacefcc..313e61e 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 2c598ce2acb40df7a9275f245e375071a7fb9d7c Mon Sep 17 00:00:00 2001
+From 4c461060f1d0477b582b7b2ee112c8d8925bf446 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 785d181..a21fcfd 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 92fdda49286532870c424f93f3d157583a921cbe Mon Sep 17 00:00:00 2001
+From 469b4b6649073a7d42ad897db0985c74c776c8ad Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
@@ -134,10 +134,10 @@ index 8efeacdf1..6527e28a3 100644
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
-index 630c18736..98bd201b0 100644
+index 1a8febfa6..0e8891c4f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -993,9 +993,6 @@ for interactive sessions and
+@@ -1001,9 +1001,6 @@ for interactive sessions and
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
@@ -147,7 +147,7 @@ index 630c18736..98bd201b0 100644
The default is
.Cm yes .
The argument to this keyword must be
-@@ -1099,45 +1096,33 @@ The following forms may be used:
+@@ -1107,45 +1104,33 @@ The following forms may be used:
.Sm off
.Ar hostname | address
.Sm on
@@ -194,7 +194,7 @@ index 630c18736..98bd201b0 100644
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
-@@ -1262,14 +1247,8 @@ The available criteria are
+@@ -1271,14 +1256,8 @@ The available criteria are
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
@@ -210,7 +210,7 @@ index 630c18736..98bd201b0 100644
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
-@@ -1341,7 +1320,6 @@ Available keywords are
+@@ -1350,7 +1329,6 @@ Available keywords are
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
@@ -218,7 +218,7 @@ index 630c18736..98bd201b0 100644
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
-@@ -1736,15 +1714,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
+@@ -1745,15 +1723,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
@@ -234,7 +234,7 @@ index 630c18736..98bd201b0 100644
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
-@@ -2063,8 +2032,6 @@ A literal
+@@ -2080,8 +2049,6 @@ A literal
Identifies the connection endpoints, containing
four space-separated values: client address, client port number,
server address, and server port number.
@@ -243,7 +243,7 @@ index 630c18736..98bd201b0 100644
.It %F
The fingerprint of the CA key.
.It %f
-@@ -2103,9 +2070,6 @@ accepts the tokens %%, %h, %U, and %u.
+@@ -2120,9 +2087,6 @@ accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 7f185ed..1507190 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 7cb16dcd8f8ef171515f125b3557d01712f58bbb Mon Sep 17 00:00:00 2001
+From 1a1c5dad468ae8bc92ab599c5fb31e0ecff8b291 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
-index acab53195..a532d8cb0 100644
+index e4a2362bd..4e988e39b 100644
--- a/kex.c
+++ b/kex.c
-@@ -1540,7 +1540,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1563,7 +1563,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -31,11 +31,11 @@ index acab53195..a532d8cb0 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/version.h b/version.h
-index a4b7b594c..9e9ab037f 100644
+index 052a5817b..0124a77d3 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
- #define SSH_VERSION "OpenSSH_9.6"
+ #define SSH_VERSION "OpenSSH_9.7"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 910e606..0593a62 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 0d37b950036d682883ed4b3c2d07946649698123 Mon Sep 17 00:00:00 2001
+From b384c589793e821d84beb06517a7a2a57252fe08 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 0e6df41..08f409f 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From e79b4cebc0d5e1b8fb5083aed781df70c4db021d Mon Sep 17 00:00:00 2001
+From eb0b8c59654fd04802c6a558027bbe3d9c22e3ff Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
-index 2aeab040c..badfacf8f 100644
+index bb3e644fe..2b2c4f086 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1677,6 +1677,62 @@ else
+@@ -1685,6 +1685,62 @@ else
AC_MSG_RESULT([no])
fi
@@ -94,7 +94,7 @@ index 2aeab040c..badfacf8f 100644
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
-@@ -5669,6 +5725,7 @@ echo " PAM support: $PAM_MSG"
+@@ -5707,6 +5763,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index 73d5e9232..8efeacdf1 100644
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
-index fee5cac64..c57ab9628 100644
+index d5c3dfe57..87e25d19b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -128,6 +128,13 @@
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 204f524..c371708 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From fc28a869ee5cedb1122d6171049fd3373e74a169 Mon Sep 17 00:00:00 2001
+From 24c6df47a8a17754e4d23fd4331c3fb35290a09d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 2e6d3e726..95517f15f 100644
+index 720062bcc..f1d4566e2 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2852,9 +2852,9 @@ fill_default_options(Options * options)
+@@ -2891,9 +2891,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
@@ -40,7 +40,7 @@ index 2e6d3e726..95517f15f 100644
options->request_tty = REQUEST_TTY_AUTO;
if (options->session_type == -1)
diff --git a/servconf.c b/servconf.c
-index cecbef9a1..ab6198e6e 100644
+index 12aa1f4ad..23828a62d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -439,9 +439,9 @@ fill_default_server_options(ServerOptions *options)
@@ -56,10 +56,10 @@ index cecbef9a1..ab6198e6e 100644
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 4ec34d1a3..fe144ce29 100644
+index c2789a09d..a793b1ddb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1313,11 +1313,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1323,11 +1323,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
@@ -74,10 +74,10 @@ index 4ec34d1a3..fe144ce29 100644
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
-index d0bf6d641..7cc68f4d4 100644
+index 12083e839..beb12acef 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -1014,11 +1014,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1022,11 +1022,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index d6d0b5d..4885406 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 50542fa19bcac94a20d86470324a878c19e4e726 Mon Sep 17 00:00:00 2001
+From c598a3560a7962dfe0d121e34d18e5e099d6199f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 063ed7d..ab745cc 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 42e6d9d59082e75efe0ce7fca91c4297137cfb93 Mon Sep 17 00:00:00 2001
+From 600da3fe528ebd7d07e40c064af332f447ece282 Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
@@ -362,7 +362,7 @@ index 7fef8c983..027fdfb51 100644
char *platform_krb5_get_principal_name(const char *);
int platform_locked_account(struct passwd *);
diff --git a/session.c b/session.c
-index f985b8177..cc6b6714d 100644
+index cbb4edac5..2cb7d0c71 100644
--- a/session.c
+++ b/session.c
@@ -1355,7 +1355,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -424,7 +424,7 @@ index 344a1ddf9..20ea822a7 100644
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
diff --git a/sshd.c b/sshd.c
-index c57ab9628..1895a9972 100644
+index 87e25d19b..9c9f38e5b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -579,7 +579,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
diff --git a/debian/patches/series b/debian/patches/series
index 2170a6a..def4639 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,4 +25,4 @@ revert-ipqos-defaults.patch
maxhostnamelen.patch
conch-ssh-rsa.patch
systemd-socket-activation.patch
-broken-zero-call-used-regs.patch
+skip-utimensat-test-on-zfs.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 381122e..ce44ea4 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From b2e4df6aa3245d06c318d8977612d863ee427289 Mon Sep 17 00:00:00 2001
+From 3f074c0c57936f7a8f30a3b29231b52e640156b7 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
-index bd077c75c..69256c354 100644
+index d8efc50ce..1d5bcc782 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -247,7 +247,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
@@ -28,7 +28,7 @@ index bd077c75c..69256c354 100644
perror(argv[0]);
exit(1);
}
-@@ -1678,7 +1678,7 @@ ssh_local_cmd(const char *args)
+@@ -1680,7 +1680,7 @@ ssh_local_cmd(const char *args)
if (pid == 0) {
ssh_signal(SIGPIPE, SIG_DFL);
debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
new file mode 100644
index 0000000..9a4440f
--- /dev/null
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -0,0 +1,55 @@
+From 3a5a49f1a4355e7f75ec350cb13f46ea835058da Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 11 Mar 2024 16:24:49 +0000
+Subject: Skip utimensat test on ZFS
+
+On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat`
+seems to leave the access time set to 0. It's not clear why.
+
+Forwarded: no
+Last-Update: 2024-03-11
+
+Patch-Name: skip-utimensat-test-on-zfs.patch
+---
+ openbsd-compat/regress/utimensattest.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
+index bbc66c485..662d58146 100644
+--- a/openbsd-compat/regress/utimensattest.c
++++ b/openbsd-compat/regress/utimensattest.c
+@@ -33,6 +33,12 @@
+ # define AT_SYMLINK_NOFOLLOW 0x80000000
+ #endif
+
++#if defined(HAVE_SYS_VFS_H) && defined(HAVE_STATFS) && defined(HAVE_STRUCT_STATFS_F_FILES)
++# include <sys/vfs.h>
++# define ZFS_SUPER_MAGIC 0x2fc12fc1
++# define HAVE_ZFS_CHECK
++#endif
++
+ int utimensat(int, const char *, const struct timespec[2], int);
+
+ static void
+@@ -60,10 +66,21 @@ fail(char *msg, long expect, long got)
+ int
+ main(void)
+ {
++#ifdef HAVE_ZFS_CHECK
++ struct statfs sfsb;
++#endif
+ int fd;
+ struct stat sb;
+ struct timespec ts[2];
+
++#ifdef HAVE_ZFS_CHECK
++ /* On ZFS, utimensat seems to leave the atime set to 0. */
++ if (statfs(".", &sfsb) == 0 && sfsb.f_type == ZFS_SUPER_MAGIC) {
++ fprintf(stderr, "utimensat: skipping test on ZFS\n");
++ exit(0);
++ }
++#endif
++
+ cleanup();
+ if ((fd = open(TMPFILE, O_CREAT, 0600)) == -1)
+ fail("open", 0, 0);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index b126b41..44faed9 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 3ca56081fc6ec90eea7f20e36b281a8fd0cf43f2 Mon Sep 17 00:00:00 2001
+From c6bcbc31b9d32bf7245b986ca2faee3ef232a63d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 78946ad..e1b1a42 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From ba303e6c64ee2abd705de92b5155d4fc8ba4d4d3 Mon Sep 17 00:00:00 2001
+From be35ece5eed3d3848aee30edae9cd7b05fa8f351 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 7ec9870..a5196da 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 9c36b0b02fe0e6af1553e93bdc7c2e6e97e6514c Mon Sep 17 00:00:00 2001
+From 3058f5b885688bb8f660b97506080e67856f8422 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
-index ef67ab20f..93e431d71 100644
+index 91d3c0aa0..0f0fb67a5 100644
--- a/readconf.c
+++ b/readconf.c
@@ -197,6 +197,7 @@ static struct {
@@ -29,7 +29,7 @@ index ef67ab20f..93e431d71 100644
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
-index 940e1d50a..b61295758 100644
+index 961cf9e45..193d73cca 100644
--- a/servconf.c
+++ b/servconf.c
@@ -649,6 +649,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index db8b789..3281b3a 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 4e61619999ed5b3822b81773693d5b773858b927 Mon Sep 17 00:00:00 2001
+From 289063d080305b43743ba16c0fef2c0d96068993 Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
@@ -33,7 +33,7 @@ index 9fc1a2e2e..6a8b1fc4a 100644
{ "FATAL", SYSLOG_LEVEL_FATAL },
{ "ERROR", SYSLOG_LEVEL_ERROR },
diff --git a/ssh.c b/ssh.c
-index f50cecdbb..160c403c8 100644
+index 484a26528..925d5c0f6 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1412,7 +1412,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 59f63ab..c2120d0 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 997c7d972b8ad436dff3b9a482f7ce988b50114c Mon Sep 17 00:00:00 2001
+From e53b37df6356d224810f083e79ff662206243889 Mon Sep 17 00:00:00 2001
From: Michael Biebl <biebl@debian.org>
Date: Mon, 21 Dec 2015 16:08:47 +0000
Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
2 files changed, 33 insertions(+)
diff --git a/configure.ac b/configure.ac
-index badfacf8f..5662c9e3a 100644
+index 2b2c4f086..81f75eb85 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -4922,6 +4922,29 @@ AC_SUBST([GSSLIBS])
+@@ -4950,6 +4950,29 @@ AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
@@ -47,7 +47,7 @@ index badfacf8f..5662c9e3a 100644
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
-@@ -5731,6 +5754,7 @@ echo " libldns support: $LDNS_MSG"
+@@ -5769,6 +5792,7 @@ echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index badfacf8f..5662c9e3a 100644
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/sshd.c b/sshd.c
-index d56ba490b..356bd6c02 100644
+index 8fab51ebb..b981e7758 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,10 @@
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index 73afb88..80b3860 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From 7fa10262be3c7d9fd2fca9c9710ac4ef3f788b08 Mon Sep 17 00:00:00 2001
+From 3b17dcc797febf6d8ebf0474a4fa835b14a6ec11 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
@@ -17,7 +17,7 @@ Patch-Name: systemd-socket-activation.patch
1 file changed, 75 insertions(+), 14 deletions(-)
diff --git a/sshd.c b/sshd.c
-index 356bd6c02..6dfa5fffe 100644
+index b981e7758..565e17b16 100644
--- a/sshd.c
+++ b/sshd.c
@@ -140,10 +140,16 @@ int deny_severity;
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 42d5b18..dc443de 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 44f9b28b1c8adaf00af6e011928141cfbd729b9a Mon Sep 17 00:00:00 2001
+From 191cadd9a252e1b53aea3e65ae5d348b73e96b8a Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
@@ -65,7 +65,7 @@ index 8ccf06370..08a75fc4e 100644
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
diff --git a/misc.c b/misc.c
-index 3db2e4d0b..f667a99f8 100644
+index 5dc9d54a2..d0d9301d7 100644
--- a/misc.c
+++ b/misc.c
@@ -62,9 +62,9 @@
@@ -156,10 +156,10 @@ index 3db2e4d0b..f667a99f8 100644
"bad ownership or modes for directory %s", buf);
return -1;
diff --git a/misc.h b/misc.h
-index 74c6f832c..0aabe84ad 100644
+index 9bacce520..a1fb74579 100644
--- a/misc.h
+++ b/misc.h
-@@ -237,6 +237,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
+@@ -238,6 +238,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
void notify_complete(struct notifier_ctx *, const char *, ...)
__attribute__((format(printf, 2, 3)));
@@ -169,10 +169,10 @@ index 74c6f832c..0aabe84ad 100644
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
-index bd2e78ab7..6cf3612e7 100644
+index c6e609fca..d68658185 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2481,8 +2481,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -2518,8 +2518,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (fstat(fileno(f), &sb) == -1)
fatal("fstat %s: %s", filename, strerror(errno));
@@ -196,10 +196,10 @@ index 877c3bc64..2d07c919e 100644
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
-index 25ccbed28..bebfe1cee 100644
+index 6b482ee15..4afb8fb7a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -2395,6 +2395,8 @@ The format of this file is described above.
+@@ -2405,6 +2405,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
diff --git a/debian/tests/control b/debian/tests/control
index 22d443d..3c7b14d 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,5 +1,5 @@
Tests: regress
-Restrictions: needs-root allow-stderr
+Restrictions: needs-root allow-stderr isolation-container
Depends: devscripts,
dropbear,
haveged,
diff --git a/debian/tests/regress b/debian/tests/regress
index 40a73b2..41108ce 100755
--- a/debian/tests/regress
+++ b/debian/tests/regress
@@ -81,4 +81,4 @@ EOF
exit "$?"
fi
-annotate-output +%H:%M:%S.%N /usr/lib/openssh/regress/run-tests "$TMP"
+annotate-output +%H:%M:%S.%N /usr/lib/openssh/regress/run-tests "$TMP" "$@"