summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-27 08:42:41 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-27 08:42:41 +0000
commit824f26a90b0875c5697e2adf05360c0193a7c88d (patch)
treecd6784bde264c1c08b1f84557ddeca819ae93a93
parentMerging upstream version 1:9.9p1. (diff)
downloadopenssh-824f26a90b0875c5697e2adf05360c0193a7c88d.tar.xz
openssh-824f26a90b0875c5697e2adf05360c0193a7c88d.zip
Merging debian version 1:9.9p1-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/NEWS35
-rw-r--r--debian/README.Debian1
-rw-r--r--debian/changelog113
-rw-r--r--debian/control55
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/configure-cache-vars.patch2
-rw-r--r--debian/patches/debian-banner.patch62
-rw-r--r--debian/patches/debian-config.patch20
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch161
-rw-r--r--debian/patches/keepalive-extensions.patch42
-rw-r--r--debian/patches/maxhostnamelen.patch4
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch2
-rw-r--r--debian/patches/no-openssl-version-status.patch4
-rw-r--r--debian/patches/openbsd-docs.patch26
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/pam-avoid-unknown-host.patch2
-rw-r--r--debian/patches/regress-conch-dev-zero.patch2
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch18
-rw-r--r--debian/patches/revert-ipqos-defaults.patch16
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch20
-rw-r--r--debian/patches/shell-path.patch2
-rw-r--r--debian/patches/skip-utimensat-test-on-zfs.patch2
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch8
-rw-r--r--debian/patches/syslog-level-silent.patch2
-rw-r--r--debian/patches/systemd-socket-activation.patch16
-rw-r--r--debian/patches/user-group-modes.patch16
-rw-r--r--debian/tests/control13
-rwxr-xr-xdebian/tests/xinetd52
36 files changed, 516 insertions, 234 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 41261a9..10a9095 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
# see git-dpm(1) from git-dpm package
-97c671bccd4f923e2bb814516ad7bf1d9261709c
-97c671bccd4f923e2bb814516ad7bf1d9261709c
-725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
-725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
-openssh_9.8p1.orig.tar.gz
-a0bb501b11349f5c5c33a269351be091dc2c2727
-1910393
+2d1ea9f5f1100fa7c7e648ea976ceda005d5966c
+2d1ea9f5f1100fa7c7e648ea976ceda005d5966c
+7721b4ff7705034e809e2130d1a11be2bf42dbe9
+7721b4ff7705034e809e2130d1a11be2bf42dbe9
+openssh_9.9p1.orig.tar.gz
+5ded7eb0add0b02b5d1a1c4bf5cb2c89d2117b53
+1964864
debianTag="debian/%e%%%V"
patchedTag="patched/%e%%%V"
upstreamTag="upstream/%U"
-signature:2c8addecb3c6af8b3eb36742d2f6c66b8281c5c9:833:openssh_9.8p1.orig.tar.gz.asc
+signature:6f100e4757e1942d7b5e01310fcaf624b71f6740:833:openssh_9.9p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 2898018..2ed0d9c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,38 @@
+openssh (1:9.9p1-1) unstable; urgency=medium
+
+ OpenSSH 9.9p1 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1): remove support for pre-authentication compression. OpenSSH has
+ only supported post-authentication compression in the server for some
+ years. Compression before authentication significantly increases the
+ attack surface of SSH servers and risks creating oracles that reveal
+ information about information sent during authentication.
+
+ * ssh(1), sshd(8): processing of the arguments to the "Match"
+ configuration directive now follows more shell-like rules for quoted
+ strings, including allowing nested quotes and \-escaped characters. If
+ configurations contained workarounds for the previous simplistic quote
+ handling then they may need to be adjusted. If this is the case, it's
+ most likely to be in the arguments to a "Match exec" condition. In this
+ case, moving the command to be evaluated from the Match line to an
+ external shell script is the easiest way to preserve compatibility with
+ both the old and new versions.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700
+
+openssh (1:9.8p1-5) unstable; urgency=medium
+
+ Future Debian releases will remove GSS-API authentication and key exchange
+ support from openssh-client and openssh-server; this adds
+ pre-authentication attack surface and should only be used where
+ specifically needed. Users of GSS-API authentication or key exchange
+ should install the new openssh-client-gssapi or openssh-server-gssapi
+ package now; these currently just depend on openssh-client and
+ openssh-server respectively, but this will change in the future.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:13:32 +0100
+
openssh (1:9.8p1-1) unstable; urgency=medium
OpenSSH 9.8p1 includes a number of changes that may affect existing
diff --git a/debian/README.Debian b/debian/README.Debian
index 6aab9cb..32b535f 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -209,6 +209,7 @@ follows (modifying ListenStream to match your requirements):
mkdir -p /etc/systemd/system/ssh.socket.d
cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
[Socket]
+ ListenStream=
ListenStream=2222
EOF
systemctl daemon-reload
diff --git a/debian/changelog b/debian/changelog
index 9aa27f1..847915c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,116 @@
+openssh (1:9.9p1-1) unstable; urgency=medium
+
+ * Alias the old Debian-specific SetupTimeOut client option to
+ ConnectTimeout rather than to ServerAliveInterval.
+ * New upstream release (https://www.openssh.com/releasenotes.html#9.9p1):
+ - ssh(1): remove support for pre-authentication compression.
+ - ssh(1), sshd(8): processing of the arguments to the "Match"
+ configuration directive now follows more shell-like rules for quoted
+ strings, including allowing nested quotes and \-escaped characters.
+ - ssh(1), sshd(8): add support for a new hybrid post-quantum key
+ exchange based on the FIPS 203 Module-Lattice Key Enapsulation
+ mechanism (ML-KEM) combined with X25519 ECDH as described by
+ https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
+ This algorithm "mlkem768x25519-sha256" is available by default.
+ - ssh(1): the ssh_config "Include" directive can now expand environment
+ as well as the same set of %-tokens "Match Exec" supports.
+ - sshd(8): add a sshd_config "RefuseConnection" option that, if set will
+ terminate the connection at the first authentication request.
+ - sshd(8): add a "refuseconnection" penalty class to sshd_config
+ PerSourcePenalties that is applied when a connection is dropped by the
+ new RefuseConnection keyword.
+ - sshd(8): add a "Match invalid-user" predicate to sshd_config Match
+ options that matches when the target username is not valid on the
+ server.
+ - ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
+ substantially faster implementation.
+ - ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key exchange
+ algorithm now has an IANA-assigned name in addition to the
+ "@openssh.com" vendor extension name. This algorithm is now also
+ available under this name "sntrup761x25519-sha512"
+ - ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
+ included in core dump files for most of their lifespans. This is in
+ addition to pre-existing controls in ssh-agent(1) and sshd(8) that
+ prevented coredumps.
+ - All: convert key handling to use the libcrypto EVP_PKEY API, with the
+ exception of DSA.
+ - sshd(8): add a random amount of jitter (up to 4 seconds) to the grace
+ login time to make its expiry unpredictable.
+ - sshd(8): fix regression introduced in openssh-9.8 that swapped the
+ order of source and destination addresses in some sshd log messages.
+ - sshd(8): do not apply authorized_keys options when signature
+ verification fails. Prevents more restrictive key options being
+ incorrectly applied to subsequent keys in authorized_keys.
+ - ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
+ prompts. Helps the user know what's going on when ssh-keygen is
+ invoked via other tools.
+ - ssh(1), ssh-add(1): make parsing user@host consistently look for the
+ last '@' in the string rather than the first. This makes it possible
+ to more consistently use usernames that contain '@' characters.
+ - ssh(1), sshd(8): be more strict in parsing key type names. Only allow
+ short names (e.g "rsa") in user-interface code and require full SSH
+ protocol names (e.g. "ssh-rsa") everywhere else.
+ - regress: many performance and correctness improvements to the
+ re-keying regression test.
+ - ssh-keygen(1): clarify that ed25519 is the default key type generated
+ and clarify that rsa-sha2-512 is the default signature scheme when RSA
+ is in use.
+ - sshd(8): fix minor memory leak in Subsystem option parsing.
+ - All: additional hardening and consistency checks for the sshbuf code.
+ - sshd(8): reduce default logingrace penalty to ensure that a single
+ forgotten login that times out will be below the penalty threshold.
+ - ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
+ ControlPersist then later has a forwarding added using mux proxy
+ connection and the forwarding was used, then when the mux proxy
+ session terminated, the mux master process would issue a bad message
+ that terminated the connection.
+ - Sync contrib/ssh-copy-id to the latest upstream version.
+ - sshd(8): restore audit call before exit that regressed in openssh-9.8.
+ Fixes an issue where the SSH_CONNECTION_ABANDON event was not
+ recorded.
+ - Fix detection of setres*id on GNU/Hurd.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700
+
+openssh (1:9.8p1-8) unstable; urgency=medium
+
+ * Source-only reupload.
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 30 Aug 2024 00:38:26 +0100
+
+openssh (1:9.8p1-7) unstable; urgency=medium
+
+ * Adjust description line-wrapping so that lintian recognizes that
+ openssh-client-gssapi is an intentionally empty package.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 14:17:13 +0100
+
+openssh (1:9.8p1-6) unstable; urgency=medium
+
+ * Upload with binaries to satisfy Debian archive NEW checks.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 13:46:57 +0100
+
+openssh (1:9.8p1-5) unstable; urgency=medium
+
+ * Add openssh-client-gssapi and openssh-server-gssapi packages; these
+ currently just depend on their non-gssapi counterparts, but will become
+ different in future. See
+ https://lists.debian.org/debian-devel/2024/04/msg00044.html.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:53:42 +0100
+
+openssh (1:9.8p1-4) unstable; urgency=medium
+
+ [ Grzegorz Szymaszek ]
+ * Disable listening on 22 in the port change example in README.Debian.
+
+ [ Colin Watson ]
+ * sshd: Allow exec without absolute path in inetd mode (closes: #1078429).
+ * Add an autopkgtest for running sshd from xinetd.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 26 Aug 2024 15:02:45 +0100
+
openssh (1:9.8p1-3~progress7.99u1) graograman-backports; urgency=medium
* Uploading to graograman-backports, remaining changes:
diff --git a/debian/control b/debian/control
index a5eb670..b1e752c 100644
--- a/debian/control
+++ b/debian/control
@@ -82,6 +82,33 @@ Description: secure shell (SSH) client, for secure access to remote machines
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
+Package: openssh-client-gssapi
+Priority: optional
+Architecture: all
+Depends:
+ openssh-client (>= ${binary:Version}),
+ ${misc:Depends},
+Multi-Arch: foreign
+Description: secure shell (SSH) client, with GSS-API support
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It can be used to provide applications with a secure communication
+ channel.
+ .
+ This package provides versions of the ssh client and related programs
+ built with support for GSS-API authentication and key exchange, which
+ can be used with systems such as Kerberos.
+ It is currently an empty package depending on openssh-client, but
+ future releases will remove GSS-API support from openssh-client, so
+ users who need it should install this package.
+
Package: openssh-server
Priority: optional
Architecture: any
@@ -142,6 +169,34 @@ Description: secure shell (SSH) server, for secure access from remote machines
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
+Package: openssh-server-gssapi
+Priority: optional
+Architecture: all
+Depends:
+ openssh-client-gssapi (>= ${binary:Version}),
+ openssh-server (>= ${binary:Version}),
+ ${misc:Depends},
+Multi-Arch: foreign
+Description: secure shell (SSH) server, with GSS-API key exchange
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It can be used to provide applications with a secure communication
+ channel.
+ .
+ This package provides a version of the sshd server built with support
+ for GSS-API authentication and key exchange, which can be used with
+ systems such as Kerberos.
+ It is currently an empty package depending on openssh-server, but
+ future releases will remove GSS-API support from openssh-server, so
+ users who need it should install this package.
+
Package: openssh-sftp-server
Priority: optional
Architecture: any
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index e014ae5..15229e0 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From fa2050cccface30a90effecf902ac69779e684a5 Mon Sep 17 00:00:00 2001
+From ec27bea14d45b10b31cc0cc8b8808977678890ad Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
1 file changed, 1 insertion(+)
diff --git a/Makefile.in b/Makefile.in
-index 6635b5518..f08dd03d9 100644
+index e92bf3e31..eeea95410 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -427,6 +427,7 @@ install-files:
+@@ -426,6 +426,7 @@ install-files:
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch
index 86481d7..cf7c732 100644
--- a/debian/patches/configure-cache-vars.patch
+++ b/debian/patches/configure-cache-vars.patch
@@ -1,4 +1,4 @@
-From 322f3ff14422182dff32e0dc51c1d0b23b8cba0e Mon Sep 17 00:00:00 2001
+From 36643abfa8abe5cb3f8c52cecadb1e6675d1fe23 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 3 Apr 2024 11:52:04 +0100
Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index fd0443b..9bbcf9d 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 6bed4d1be79474891ebaa62259919f14acf28273 Mon Sep 17 00:00:00 2001
+From b054afdc85f743749259187c2cd8e396d76f442b Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
-Last-Update: 2024-07-03
+Last-Update: 2024-09-22
Patch-Name: debian-banner.patch
---
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
-index 744fb27fb..e872ab02e 100644
+index 19b1fcaa8..ca6d5b53d 100644
--- a/kex.c
+++ b/kex.c
-@@ -1239,7 +1239,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1237,7 +1237,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index 744fb27fb..e872ab02e 100644
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
-@@ -1257,7 +1257,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1255,7 +1255,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -45,10 +45,10 @@ index 744fb27fb..e872ab02e 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/kex.h b/kex.h
-index d3c57a329..5ca4f9a5e 100644
+index cd6a40333..6a08023d0 100644
--- a/kex.h
+++ b/kex.h
-@@ -213,7 +213,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+@@ -215,7 +215,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
@@ -58,45 +58,45 @@ index d3c57a329..5ca4f9a5e 100644
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
-index 169b9ff07..81511bc86 100644
+index 1d5c143ba..49a066df8 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -217,6 +217,7 @@ initialize_server_options(ServerOptions *options)
- options->num_channel_timeouts = 0;
+@@ -219,6 +219,7 @@ initialize_server_options(ServerOptions *options)
options->unused_connection_timeout = -1;
options->sshd_session_path = NULL;
+ options->refuse_connection = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -501,6 +502,8 @@ fill_default_server_options(ServerOptions *options)
- options->unused_connection_timeout = 0;
- if (options->sshd_session_path == NULL)
+@@ -507,6 +508,8 @@ fill_default_server_options(ServerOptions *options)
options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+ if (options->refuse_connection == -1)
+ options->refuse_connection = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
-@@ -585,6 +588,7 @@ typedef enum {
+@@ -591,6 +594,7 @@ typedef enum {
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
- sSshdSessionPath,
+ sSshdSessionPath, sRefuseConnection,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
-@@ -763,6 +767,7 @@ static struct {
- { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
+@@ -770,6 +774,7 @@ static struct {
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
-@@ -2702,6 +2707,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- charptr = &options->sshd_session_path;
- goto parse_filename;
+@@ -2725,6 +2730,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
@@ -105,22 +105,22 @@ index 169b9ff07..81511bc86 100644
case sDeprecated:
case sIgnore:
case sUnsupported:
-@@ -3251,6 +3260,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
+@@ -3278,6 +3287,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
+ dump_cfg_fmtint(sDebianBanner, o->debian_banner);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
-index c1e2751ee..1532e5420 100644
+index 26819aa92..00c834403 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -251,6 +251,8 @@ typedef struct {
- int unused_connection_timeout;
-
+@@ -254,6 +254,8 @@ typedef struct {
char *sshd_session_path;
+
+ int refuse_connection;
+
+ int debian_banner;
} ServerOptions;
@@ -140,12 +140,12 @@ index cbfc20735..f9d3a1ff2 100644
/* Put the connection into non-blocking mode. */
diff --git a/sshd-session.c b/sshd-session.c
-index b6e544108..2a512dd74 100644
+index 1d7cdd00a..a9e1cf4f6 100644
--- a/sshd-session.c
+++ b/sshd-session.c
-@@ -1303,7 +1303,7 @@ main(int ac, char **av)
- if (!debug_flag)
- alarm(options.login_grace_time);
+@@ -1314,7 +1314,7 @@ main(int ac, char **av)
+ fatal("login grace time setitimer failed");
+ }
- if ((r = kex_exchange_identification(ssh, -1,
+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
@@ -153,7 +153,7 @@ index b6e544108..2a512dd74 100644
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
-index 5dd656869..81671fb99 100644
+index 11a8e922f..ed2f74060 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -629,6 +629,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ee3b297..f3840d9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 8b067a754bdeac8fcdab1fbb2010651cf07b1b61 Mon Sep 17 00:00:00 2001
+From f0e3f2f89d93cc90cd2e03acb5294fba07058b27 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
@@ -48,10 +48,10 @@ Patch-Name: debian-config.patch
7 files changed, 100 insertions(+), 10 deletions(-)
diff --git a/readconf.c b/readconf.c
-index eaca29ace..1b64b7af5 100644
+index d3c3056ef..90bf74f32 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2739,7 +2739,7 @@ fill_default_options(Options * options)
+@@ -2773,7 +2773,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
@@ -73,10 +73,10 @@ index 7afc28072..02b122a85 100644
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
diff --git a/ssh.1 b/ssh.1
-index c8c5558e5..0697ec77d 100644
+index 3ad246c27..9ca6e18e2 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -861,6 +861,16 @@ directive in
+@@ -863,6 +863,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
@@ -93,7 +93,7 @@ index c8c5558e5..0697ec77d 100644
.It Fl x
Disables X11 forwarding.
.Pp
-@@ -869,6 +879,20 @@ Enables trusted X11 forwarding.
+@@ -871,6 +881,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
@@ -140,7 +140,7 @@ index 16197d15d..92d06ef38 100644
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
-index cb1bba1a7..091b933b4 100644
+index 86258eb4f..9adc0fdb7 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
@@ -173,7 +173,7 @@ index cb1bba1a7..091b933b4 100644
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
-@@ -901,11 +924,12 @@ elapsed.
+@@ -903,11 +926,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
@@ -246,7 +246,7 @@ index ecfe8d026..677f97d5d 100644
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
-index 9d33cb472..1f6c42523 100644
+index e177e4af8..2887ed531 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
@@ -285,7 +285,7 @@ index 9d33cb472..1f6c42523 100644
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
-@@ -1840,7 +1869,7 @@ Overrides the default path to the
+@@ -1865,7 +1894,7 @@ Overrides the default path to the
.Cm sshd-session
binary that is invoked to handle each connection.
The default is
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 6e78215..fd60549 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 0d8aedb659c1c3892a9ba071ea003530ea8ca1b3 Mon Sep 17 00:00:00 2001
+From 2b058d79e79790dd2991ccd74463e7f28703dd05 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 3c2b05b..c4d24be 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From cceb89a954534c1bed67d20613fe8aa82bec37e4 Mon Sep 17 00:00:00 2001
+From ae3314e7c7ba0ad3dfcb49e2dc2913b442a5f33c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
-index d1b1da95a..cb1bba1a7 100644
+index 073ef69e2..86258eb4f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1020,6 +1020,9 @@ Note that existing names and addresses in known hosts files
+@@ -1022,6 +1022,9 @@ Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index b10014b..cfbb175 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From fac5d188210df34ace8c8f1f6f47c2a72e01c535 Mon Sep 17 00:00:00 2001
+From 9f8d5d786d80ef632c1531eb11ff83cc97b1d19c Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 5f5f9ce..4950a16 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 19f6afb4e07135a843c2f5caaa663a1d3f3db6f1 Mon Sep 17 00:00:00 2001
+From 25a0d098399b79a2ee544f17947829c01f13932c Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,11 +21,11 @@ Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2024-07-31
+Last-Updated: 2024-09-22
Patch-Name: gssapi.patch
---
- Makefile.in | 5 +-
+ Makefile.in | 6 +-
README.md | 36 +++
auth.c | 3 +-
auth2-gss.c | 54 ++++-
@@ -65,16 +65,16 @@ Patch-Name: gssapi.patch
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 40 files changed, 2667 insertions(+), 71 deletions(-)
+ 40 files changed, 2667 insertions(+), 72 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
diff --git a/Makefile.in b/Makefile.in
-index e1b77ebc6..6635b5518 100644
+index 4243006b0..e92bf3e31 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -103,14 +103,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
@@ -83,15 +83,15 @@ index e1b77ebc6..6635b5518 100644
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
-@@ -112,6 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ ssh-ed25519.o digest-openssl.o digest-libc.o \
+ hmac.o ed25519.o hash.o \
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
- kexgexc.o kexgexs.o \
- kexsntrup761x25519.o sntrup761.o kexgen.o \
-+ kexgssc.o \
+- kexgexc.o kexgexs.o \
++ kexgexc.o kexgexs.o kexgssc.o \
+ kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o
-
-@@ -134,7 +135,7 @@ SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
+@@ -134,7 +134,7 @@ SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \
@@ -145,7 +145,7 @@ index 9431b0ffd..e5051828c 100644
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
diff --git a/auth.c b/auth.c
-index 2e4cbef07..407b32e78 100644
+index 9a6e5a319..e4578169b 100644
--- a/auth.c
+++ b/auth.c
@@ -356,7 +356,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -334,7 +334,7 @@ index 8ed8b1c34..6d57339a1 100644
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
-index 5a865f8e1..dc274329f 100644
+index 591d5a388..6a0140a9d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1171,7 +1171,7 @@ index 00e3d118b..b761d12aa 100644
/* Privileged */
diff --git a/kex-names.c b/kex-names.c
-index 339eb1c23..f077520bb 100644
+index ec840c1f9..081f78c94 100644
--- a/kex-names.c
+++ b/kex-names.c
@@ -45,6 +45,10 @@
@@ -1185,7 +1185,7 @@ index 339eb1c23..f077520bb 100644
struct kexalg {
char *name;
u_int type;
-@@ -83,15 +87,28 @@ static const struct kexalg kexalgs[] = {
+@@ -89,15 +93,28 @@ static const struct kexalg kexalgs[] = {
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
@@ -1217,7 +1217,7 @@ index 339eb1c23..f077520bb 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
-@@ -106,6 +123,18 @@ kex_alg_list(char sep)
+@@ -112,6 +129,18 @@ kex_alg_list(char sep)
return ret;
}
@@ -1236,7 +1236,7 @@ index 339eb1c23..f077520bb 100644
static const struct kexalg *
kex_alg_by_name(const char *name)
{
-@@ -115,6 +144,10 @@ kex_alg_by_name(const char *name)
+@@ -121,6 +150,10 @@ kex_alg_by_name(const char *name)
if (strcmp(k->name, name) == 0)
return k;
}
@@ -1247,7 +1247,7 @@ index 339eb1c23..f077520bb 100644
return NULL;
}
-@@ -177,6 +210,29 @@ kex_names_valid(const char *names)
+@@ -183,6 +216,29 @@ kex_names_valid(const char *names)
return 1;
}
@@ -1278,7 +1278,7 @@ index 339eb1c23..f077520bb 100644
int
kex_has_any_alg(const char *proposal, const char *algs)
diff --git a/kex.c b/kex.c
-index 63aae5d71..fd018021e 100644
+index 6b957e5e1..f09e79e6b 100644
--- a/kex.c
+++ b/kex.c
@@ -58,6 +58,7 @@
@@ -1300,13 +1300,13 @@ index 63aae5d71..fd018021e 100644
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
-index 34665eb20..d3c57a329 100644
+index d08988b3e..cd6a40333 100644
--- a/kex.h
+++ b/kex.h
-@@ -102,6 +102,15 @@ enum kex_exchange {
- KEX_ECDH_SHA2,
+@@ -103,6 +103,15 @@ enum kex_exchange {
KEX_C25519_SHA256,
KEX_KEM_SNTRUP761X25519_SHA512,
+ KEX_KEM_MLKEM768X25519_SHA256,
+#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
@@ -1319,7 +1319,7 @@ index 34665eb20..d3c57a329 100644
KEX_MAX
};
-@@ -164,6 +173,12 @@ struct kex {
+@@ -165,6 +174,12 @@ struct kex {
u_int flags;
int hash_alg;
int ec_nid;
@@ -1332,7 +1332,7 @@ index 34665eb20..d3c57a329 100644
char *failed_choice;
int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
-@@ -188,7 +203,9 @@ u_int kex_type_from_name(const char *);
+@@ -190,7 +205,9 @@ u_int kex_type_from_name(const char *);
int kex_hash_from_name(const char *);
int kex_nid_from_name(const char *);
int kex_names_valid(const char *);
@@ -1342,7 +1342,7 @@ index 34665eb20..d3c57a329 100644
char *kex_names_cat(const char *, const char *);
int kex_has_any_alg(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
-@@ -224,6 +241,12 @@ int kexgex_client(struct ssh *);
+@@ -226,6 +243,12 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *);
int kex_gen_server(struct ssh *);
@@ -1355,7 +1355,7 @@ index 34665eb20..d3c57a329 100644
int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
-@@ -256,6 +279,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
+@@ -264,6 +287,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
const BIGNUM *, const u_char *, size_t,
u_char *, size_t *);
@@ -1397,7 +1397,7 @@ index c1084f214..0faab21b0 100644
break;
case KEX_DH_GRP18_SHA512:
diff --git a/kexgen.c b/kexgen.c
-index 20f3c5711..ca704844e 100644
+index 40d688d62..15df591ca 100644
--- a/kexgen.c
+++ b/kexgen.c
@@ -44,7 +44,7 @@
@@ -2502,10 +2502,10 @@ index 000000000..1fd1d1e48
+}
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/monitor.c b/monitor.c
-index 9e0e03ea2..92e2ca107 100644
+index 5966b4f96..ad7fef5a9 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -140,6 +140,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
+@@ -141,6 +141,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
@@ -2514,7 +2514,7 @@ index 9e0e03ea2..92e2ca107 100644
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -214,11 +216,18 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2533,7 +2533,7 @@ index 9e0e03ea2..92e2ca107 100644
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
-@@ -286,6 +295,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
+@@ -287,6 +296,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2544,7 +2544,7 @@ index 9e0e03ea2..92e2ca107 100644
/* The first few requests do not require asynchronous access */
while (!authenticated) {
-@@ -407,6 +420,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
+@@ -408,6 +421,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2555,7 +2555,7 @@ index 9e0e03ea2..92e2ca107 100644
if (auth_opts->permit_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1760,6 +1777,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
+@@ -1770,6 +1787,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif
@@ -2573,7 +2573,7 @@ index 9e0e03ea2..92e2ca107 100644
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
-@@ -1852,8 +1880,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1863,8 +1891,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
u_char *p;
int r;
@@ -2584,7 +2584,7 @@ index 9e0e03ea2..92e2ca107 100644
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
fatal_fr(r, "parse");
-@@ -1885,8 +1913,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1896,8 +1924,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 flags = 0; /* GSI needs this */
int r;
@@ -2595,7 +2595,7 @@ index 9e0e03ea2..92e2ca107 100644
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
-@@ -1906,6 +1934,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1917,6 +1945,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2603,7 +2603,7 @@ index 9e0e03ea2..92e2ca107 100644
}
return (0);
}
-@@ -1917,8 +1946,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1928,8 +1957,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 ret;
int r;
@@ -2614,7 +2614,7 @@ index 9e0e03ea2..92e2ca107 100644
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
-@@ -1944,13 +1973,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1955,13 +1984,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
int
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -2636,7 +2636,7 @@ index 9e0e03ea2..92e2ca107 100644
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
-@@ -1959,7 +1992,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1970,7 +2003,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
debug3_f("sending result %d", authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
@@ -2649,7 +2649,7 @@ index 9e0e03ea2..92e2ca107 100644
if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
-@@ -1967,5 +2004,83 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1978,5 +2015,83 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -2845,7 +2845,7 @@ index e768036ed..09b0ccaaa 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index 4e3791cb7..8bdeb9d08 100644
+index 3d9cc6dbb..0ce392538 100644
--- a/readconf.c
+++ b/readconf.c
@@ -70,6 +70,7 @@
@@ -2888,7 +2888,7 @@ index 4e3791cb7..8bdeb9d08 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1227,10 +1242,46 @@ parse_time:
+@@ -1256,10 +1271,46 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2935,7 +2935,7 @@ index 4e3791cb7..8bdeb9d08 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2542,7 +2593,13 @@ initialize_options(Options * options)
+@@ -2576,7 +2627,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1;
options->gss_authentication = -1;
@@ -2949,7 +2949,7 @@ index 4e3791cb7..8bdeb9d08 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2705,8 +2762,18 @@ fill_default_options(Options * options)
+@@ -2739,8 +2796,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2968,7 +2968,7 @@ index 4e3791cb7..8bdeb9d08 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -3533,7 +3600,14 @@ dump_client_config(Options *o, const char *host)
+@@ -3567,7 +3634,14 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3002,7 +3002,7 @@ index 9447d5d6e..f039c11bd 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
-index 5b32f0bfc..c1bfca258 100644
+index 89b8413e8..731f208be 100644
--- a/servconf.c
+++ b/servconf.c
@@ -68,6 +68,7 @@
@@ -3025,7 +3025,7 @@ index 5b32f0bfc..c1bfca258 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->permit_empty_passwd = -1;
-@@ -376,10 +380,18 @@ fill_default_server_options(ServerOptions *options)
+@@ -378,10 +382,18 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -3044,7 +3044,7 @@ index 5b32f0bfc..c1bfca258 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -558,6 +570,7 @@ typedef enum {
+@@ -564,6 +576,7 @@ typedef enum {
sPerSourcePenalties, sPerSourcePenaltyExemptList,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -3052,7 +3052,7 @@ index 5b32f0bfc..c1bfca258 100644
sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -643,12 +656,22 @@ static struct {
+@@ -649,12 +662,22 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -3075,7 +3075,7 @@ index 5b32f0bfc..c1bfca258 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1585,6 +1608,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1605,6 +1628,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3086,7 +3086,7 @@ index 5b32f0bfc..c1bfca258 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -1593,6 +1620,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1613,6 +1640,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -3109,7 +3109,7 @@ index 5b32f0bfc..c1bfca258 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -3178,6 +3221,10 @@ dump_config(ServerOptions *o)
+@@ -3204,6 +3247,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3121,10 +3121,10 @@ index 5b32f0bfc..c1bfca258 100644
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff --git a/servconf.h b/servconf.h
-index 22b158d10..c1e2751ee 100644
+index 5089bc9ea..26819aa92 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -149,8 +149,11 @@ typedef struct {
+@@ -150,8 +150,11 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -3401,10 +3401,10 @@ index 000000000..a934bda77
+
+#endif /* GSSAPI */
diff --git a/ssh.1 b/ssh.1
-index f871ff4e4..dc382cd49 100644
+index 710d3d4e6..8f78b3a1e 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -536,7 +536,13 @@ For full details of the options listed below, and their possible values, see
+@@ -538,7 +538,13 @@ For full details of the options listed below, and their possible values, see
.It GatewayPorts
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
@@ -3418,7 +3418,7 @@ index f871ff4e4..dc382cd49 100644
.It HashKnownHosts
.It Host
.It HostbasedAcceptedAlgorithms
-@@ -624,6 +630,8 @@ flag),
+@@ -626,6 +632,8 @@ flag),
(supported message integrity codes),
.Ar kex
(key exchange algorithms),
@@ -3465,7 +3465,7 @@ index cc5663562..16197d15d 100644
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index 2e1902283..255577462 100644
+index 7c7c5c50d..4a48c5775 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -938,10 +938,67 @@ The default is
@@ -3537,7 +3537,7 @@ index 2e1902283..255577462 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index e63bb5ec6..e27139adf 100644
+index 11fcdea8a..d809a6507 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -222,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
@@ -3595,7 +3595,7 @@ index e63bb5ec6..e27139adf 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -271,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -271,12 +312,32 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3614,6 +3614,7 @@ index e63bb5ec6..e27139adf 100644
+#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
+ ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3628,7 +3629,7 @@ index e63bb5ec6..e27139adf 100644
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
kex_proposal_free_entries(myproposal);
-@@ -368,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -369,6 +430,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3636,7 +3637,7 @@ index e63bb5ec6..e27139adf 100644
#endif
void userauth(struct ssh *, char *);
-@@ -384,6 +446,11 @@ static char *authmethods_get(void);
+@@ -385,6 +447,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -3648,7 +3649,7 @@ index e63bb5ec6..e27139adf 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
-@@ -755,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
+@@ -756,12 +823,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -3682,7 +3683,7 @@ index e63bb5ec6..e27139adf 100644
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -769,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -770,13 +857,15 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3699,7 +3700,7 @@ index e63bb5ec6..e27139adf 100644
if (!ok || mech == NULL)
return 0;
-@@ -1009,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1010,6 +1099,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
free(lang);
return r;
}
@@ -3756,10 +3757,10 @@ index e63bb5ec6..e27139adf 100644
static int
diff --git a/sshd-session.c b/sshd-session.c
-index fe6ae7f32..ab88db7c5 100644
+index 4b79b9ba6..03a028c82 100644
--- a/sshd-session.c
+++ b/sshd-session.c
-@@ -656,8 +656,8 @@ notify_hostkeys(struct ssh *ssh)
+@@ -658,8 +658,8 @@ notify_hostkeys(struct ssh *ssh)
}
debug3_f("sent %u hostkeys", nkeys);
if (nkeys == 0)
@@ -3770,7 +3771,7 @@ index fe6ae7f32..ab88db7c5 100644
sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
-@@ -1431,6 +1431,48 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -1445,6 +1445,48 @@ do_ssh2_kex(struct ssh *ssh)
free(hkalgs);
@@ -3819,7 +3820,7 @@ index fe6ae7f32..ab88db7c5 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -1448,7 +1490,18 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -1462,7 +1504,18 @@ do_ssh2_kex(struct ssh *ssh)
#ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
#endif
@@ -3838,12 +3839,12 @@ index fe6ae7f32..ab88db7c5 100644
+#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
- kex->load_host_public_key=&get_hostkey_public_by_type;
+ kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
diff --git a/sshd.c b/sshd.c
-index ed54fc6d6..54c65dfe6 100644
+index df76dc78c..48b334c68 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -1551,7 +1551,8 @@ main(int ac, char **av)
+@@ -1558,7 +1558,8 @@ main(int ac, char **av)
free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
@@ -3867,7 +3868,7 @@ index 36894ace5..ecfe8d026 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index 1ab0f41d9..5e41f0478 100644
+index dbed44f2a..6959d5f6c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache
@@ -3915,10 +3916,10 @@ index 1ab0f41d9..5e41f0478 100644
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c
-index d4356e72c..c7abbe298 100644
+index 1db83788d..c3acd4e09 100644
--- a/sshkey.c
+++ b/sshkey.c
-@@ -130,6 +130,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
+@@ -131,6 +131,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
extern const struct sshkey_impl sshkey_xmss_impl;
extern const struct sshkey_impl sshkey_xmss_cert_impl;
#endif
@@ -3928,7 +3929,7 @@ index d4356e72c..c7abbe298 100644
const struct sshkey_impl * const keyimpls[] = {
&sshkey_ed25519_impl,
-@@ -169,6 +172,9 @@ const struct sshkey_impl * const keyimpls[] = {
+@@ -170,6 +173,9 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_xmss_impl,
&sshkey_xmss_cert_impl,
#endif
@@ -3938,7 +3939,7 @@ index d4356e72c..c7abbe298 100644
NULL
};
-@@ -324,7 +330,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -339,7 +345,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
for (i = 0; keyimpls[i] != NULL; i++) {
impl = keyimpls[i];
@@ -3948,10 +3949,10 @@ index d4356e72c..c7abbe298 100644
if (!include_sigonly && impl->sigonly)
continue;
diff --git a/sshkey.h b/sshkey.h
-index 32933bbbd..dc5d3051b 100644
+index d0cdea0ce..cce4b93c0 100644
--- a/sshkey.h
+++ b/sshkey.h
-@@ -71,6 +71,7 @@ enum sshkey_types {
+@@ -73,6 +73,7 @@ enum sshkey_types {
KEY_ECDSA_SK_CERT,
KEY_ED25519_SK,
KEY_ED25519_SK_CERT,
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index a5f8c57..c38b7d7 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 92c7e83658c40484aa7a0fa977a45de38461beef Mon Sep 17 00:00:00 2001
+From 1f9b181b1f2af9c29468f7a3ab2f51fb354e51ec Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2023-12-18
+Last-Update: 2024-09-13
Patch-Name: keepalive-extensions.patch
---
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
-index cd1ebc85d..7d7296960 100644
+index 08342f2a2..f78786964 100644
--- a/readconf.c
+++ b/readconf.c
@@ -182,6 +182,7 @@ typedef enum {
@@ -46,16 +46,23 @@ index cd1ebc85d..7d7296960 100644
{ NULL, oBadOption }
};
-@@ -1886,6 +1889,8 @@ parse_pubkey_algos:
+@@ -1166,6 +1169,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
+ argv_consume(&ac);
+ break;
+ case oConnectTimeout:
++ case oSetupTimeOut: /* Debian-specific compatibility alias */
+ intptr = &options->connection_timeout;
+ parse_time:
+ arg = argv_next(&ac, &av);
+@@ -1908,6 +1912,7 @@ parse_pubkey_algos:
goto parse_flag;
case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
-+ case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
-@@ -2859,8 +2864,13 @@ fill_default_options(Options * options)
+@@ -2893,8 +2898,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
@@ -72,7 +79,7 @@ index cd1ebc85d..7d7296960 100644
options->server_alive_count_max = 3;
if (options->control_master == -1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 255577462..c6041339b 100644
+index 4a48c5775..31142f8c5 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -297,9 +297,13 @@ If set to
@@ -90,7 +97,16 @@ index 255577462..c6041339b 100644
The argument must be
.Cm yes
or
-@@ -1927,7 +1931,14 @@ from the server,
+@@ -620,6 +624,8 @@ Specifies the timeout (in seconds) used when connecting to the
+ SSH server, instead of using the default system TCP timeout.
+ This timeout is applied both to establishing the connection and to performing
+ the initial SSH protocol handshake and key exchange.
++.Cm SetupTimeOut
++is a Debian-specific compatibility alias for this option.
+ .It Cm ControlMaster
+ Enables the sharing of multiple sessions over a single network connection.
+ When set to
+@@ -1933,7 +1939,12 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
@@ -100,13 +116,11 @@ index 255577462..c6041339b 100644
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
-+and
-+.Cm SetupTimeOut
-+are Debian-specific compatibility aliases for this option.
++is a Debian-specific compatibility alias for this option.
.It Cm SessionType
May be used to either request invocation of a subsystem on the remote system,
or to prevent the execution of a remote command at all.
-@@ -2041,6 +2052,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -2047,6 +2058,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
@@ -120,10 +134,10 @@ index 255577462..c6041339b 100644
connections will die if the route is down temporarily, and some people
find it annoying.
diff --git a/sshd_config.5 b/sshd_config.5
-index 5e41f0478..5dd656869 100644
+index 6959d5f6c..11a8e922f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -1959,6 +1959,9 @@ This avoids infinitely hanging sessions.
+@@ -1984,6 +1984,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index af2bf16..b34d772 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 5ffb02dd0478b1ceb24dd356d0ccad7cb7ec728b Mon Sep 17 00:00:00 2001
+From d4e17cdc03d060ca67e4f6628c90cc40c2eaa022 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@gmail.com>
Date: Fri, 5 Nov 2021 23:22:53 +0000
Subject: Define MAXHOSTNAMELEN on GNU/Hurd
@@ -12,7 +12,7 @@ Patch-Name: maxhostnamelen.patch
1 file changed, 6 insertions(+)
diff --git a/defines.h b/defines.h
-index 279e509aa..7225cbfab 100644
+index ed860e78b..aa3518732 100644
--- a/defines.h
+++ b/defines.h
@@ -136,6 +136,12 @@ enum
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 393de6f..6df2e8f 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 1c3c2c02b1d68675b121d87d1ffee84113659c93 Mon Sep 17 00:00:00 2001
+From 7001f10dfce73dfee2a9d56c63eca74bebdbebb1 Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 3f2ca27..86550be 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From d03bde90030a339d7e4e39273cb3eadadfb99320 Mon Sep 17 00:00:00 2001
+From f1374ee189355c4ff510c5b817ecccb5306a1410 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
@@ -23,7 +23,7 @@ Patch-Name: no-openssl-version-status.patch
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 6c65003f2..30e97c464 100644
+index 14865077e..0cea08c03 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -49,18 +49,18 @@ ssh_compatible_openssl(long headerver, long libver)
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 8774599..f1fa958 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 169d164b95c9f068cbf5fc9860029690f9bf19d3 Mon Sep 17 00:00:00 2001
+From 672018a74977e165fc82c47d64b8cbd420b95fb8 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
@@ -42,7 +42,7 @@ index 5086a6d42..6dffdc7e6 100644
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index df6803fd9..0617d0dc2 100644
+index 06f0555a4..76239bcdf 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -211,9 +211,7 @@ key in
@@ -86,7 +86,7 @@ index df6803fd9..0617d0dc2 100644
The file format is described in
.Xr moduli 5 .
diff --git a/sshd.8 b/sshd.8
-index e2a621950..2469bfff8 100644
+index 464d402f6..bd1117bfe 100644
--- a/sshd.8
+++ b/sshd.8
@@ -64,7 +64,7 @@ over an insecure network.
@@ -98,7 +98,7 @@ index e2a621950..2469bfff8 100644
It forks a new
daemon for each incoming connection.
The forked daemons handle
-@@ -932,7 +932,7 @@ This file is for host-based authentication (see
+@@ -936,7 +936,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
@@ -107,7 +107,7 @@ index e2a621950..2469bfff8 100644
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
-@@ -1030,7 +1030,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -1034,7 +1034,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
@@ -116,7 +116,7 @@ index e2a621950..2469bfff8 100644
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
-index 81671fb99..9d33cb472 100644
+index ed2f74060..e177e4af8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1001,9 +1001,6 @@ for interactive sessions and
@@ -129,7 +129,7 @@ index 81671fb99..9d33cb472 100644
The default is
.Cm yes .
The argument to this keyword must be
-@@ -1112,45 +1109,33 @@ The following forms may be used:
+@@ -1117,45 +1114,33 @@ The following forms may be used:
.Sm off
.Ar hostname | address
.Sm on
@@ -176,7 +176,7 @@ index 81671fb99..9d33cb472 100644
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
-@@ -1276,14 +1261,8 @@ The available criteria are
+@@ -1283,14 +1268,8 @@ The available criteria are
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
@@ -192,15 +192,15 @@ index 81671fb99..9d33cb472 100644
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
-@@ -1356,7 +1335,6 @@ Available keywords are
- .Cm PubkeyAuthOptions ,
+@@ -1364,7 +1343,6 @@ Available keywords are
+ .Cm RefuseConnection ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
-.Cm RDomain ,
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
-@@ -1838,15 +1816,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
+@@ -1863,15 +1841,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
@@ -216,7 +216,7 @@ index 81671fb99..9d33cb472 100644
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
-@@ -2180,8 +2149,6 @@ A literal
+@@ -2205,8 +2174,6 @@ A literal
Identifies the connection endpoints, containing
four space-separated values: client address, client port number,
server address, and server port number.
@@ -225,7 +225,7 @@ index 81671fb99..9d33cb472 100644
.It %F
The fingerprint of the CA key.
.It %f
-@@ -2220,9 +2187,6 @@ accepts the tokens %%, %h, %U, and %u.
+@@ -2245,9 +2212,6 @@ accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 0caca0d..d3d4810 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 184037a22103428f83d1e8d14c09631aef14dc2f Mon Sep 17 00:00:00 2001
+From 756ba4bb63a1d4a7547ae0a2ba1fdc135b8c829f Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
-index fd018021e..744fb27fb 100644
+index f09e79e6b..19b1fcaa8 100644
--- a/kex.c
+++ b/kex.c
-@@ -1257,7 +1257,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1255,7 +1255,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -31,11 +31,11 @@ index fd018021e..744fb27fb 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/version.h b/version.h
-index 81b7645a7..3b43b47e5 100644
+index 8c7e37e7d..7e0cac99f 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
- #define SSH_VERSION "OpenSSH_9.8"
+ #define SSH_VERSION "OpenSSH_9.9"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
index 8c8d78a..234cb1d 100644
--- a/debian/patches/pam-avoid-unknown-host.patch
+++ b/debian/patches/pam-avoid-unknown-host.patch
@@ -1,4 +1,4 @@
-From 97c671bccd4f923e2bb814516ad7bf1d9261709c Mon Sep 17 00:00:00 2001
+From 2d1ea9f5f1100fa7c7e648ea976ceda005d5966c Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch
index 95f7aab..51f4557 100644
--- a/debian/patches/regress-conch-dev-zero.patch
+++ b/debian/patches/regress-conch-dev-zero.patch
@@ -1,4 +1,4 @@
-From e3d47eadb58dda63a125eecaa722ce7891c75356 Mon Sep 17 00:00:00 2001
+From e307b199fed9b07cfaf92ab3d653fab49108c0e0 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 31 Mar 2024 00:24:11 +0000
Subject: regress: Redirect conch stdin from /dev/zero
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index b061307..b68b44b 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 69f63b1e4919e4a51cb199fa81fa318bc517bbd2 Mon Sep 17 00:00:00 2001
+From 5bba205e4762e28f6b127f64fd30870aedae3fd1 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index fdd3c61..b4a8543 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 0ff8d4f5356adbdebdbdbf951713d22b1e8e264e Mon Sep 17 00:00:00 2001
+From 20df52e18eb28e8e50e475d85bb652e8fdc5f588 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
-index dc274329f..f6bca2631 100644
+index 6a0140a9d..90548dcfc 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1686,6 +1686,62 @@ else
+@@ -1693,6 +1693,62 @@ else
AC_MSG_RESULT([no])
fi
@@ -94,7 +94,7 @@ index dc274329f..f6bca2631 100644
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
-@@ -5723,6 +5779,7 @@ echo " PAM support: $PAM_MSG"
+@@ -5734,6 +5790,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@@ -103,7 +103,7 @@ index dc274329f..f6bca2631 100644
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd-session.c b/sshd-session.c
-index ab88db7c5..dff1fefbe 100644
+index 03a028c82..f36d58b1b 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -110,6 +110,13 @@
@@ -120,7 +120,7 @@ index ab88db7c5..dff1fefbe 100644
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -1254,6 +1261,24 @@ main(int ac, char **av)
+@@ -1256,6 +1263,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
@@ -146,10 +146,10 @@ index ab88db7c5..dff1fefbe 100644
rdomain = ssh_packet_rdomain_in(ssh);
diff --git a/sshd.8 b/sshd.8
-index c0f095ca4..e2a621950 100644
+index 08ebf53a1..464d402f6 100644
--- a/sshd.8
+++ b/sshd.8
-@@ -921,6 +921,12 @@ the user's home directory becomes accessible.
+@@ -925,6 +925,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
@@ -162,7 +162,7 @@ index c0f095ca4..e2a621950 100644
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
-@@ -1023,6 +1029,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -1027,6 +1033,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 2758571..0ad35c6 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From 91663a43be78a3b33c0cc055033d648269a4f98c Mon Sep 17 00:00:00 2001
+From 5fefa8a7853e96cb7a143432690212f4d1fbfc1a Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 1b64b7af5..a60aed047 100644
+index 90bf74f32..a321e6d8f 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2891,9 +2891,9 @@ fill_default_options(Options * options)
+@@ -2925,9 +2925,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
@@ -40,10 +40,10 @@ index 1b64b7af5..a60aed047 100644
options->request_tty = REQUEST_TTY_AUTO;
if (options->session_type == -1)
diff --git a/servconf.c b/servconf.c
-index 81511bc86..86c798b34 100644
+index 49a066df8..3c7ca3287 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -479,9 +479,9 @@ fill_default_server_options(ServerOptions *options)
+@@ -483,9 +483,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
@@ -56,10 +56,10 @@ index 81511bc86..86c798b34 100644
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 091b933b4..98a2ef60b 100644
+index 9adc0fdb7..14042dce5 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1322,11 +1322,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1329,11 +1329,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
@@ -74,7 +74,7 @@ index 091b933b4..98a2ef60b 100644
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
-index 1f6c42523..1edd6c812 100644
+index 2887ed531..70d57bfdb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1022,11 +1022,9 @@ If one argument is specified, it is used as the packet class unconditionally.
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 2c64f53..ce8ce8d 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 75bbbbd155147a06ebf5bcc1b2ae9bf08c127cf0 Mon Sep 17 00:00:00 2001
+From 9435f6fe82fc57fac0e6efb9c76923eeee80fe22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index c481c3b..c28562a 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 1003c8e9926862f7f01fad4a9004766aa47948d1 Mon Sep 17 00:00:00 2001
+From 7b503b507e60ba714732f10ea46a00fd0896baa9 Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
@@ -80,10 +80,10 @@ index f75f1d20d..44558851e 100644
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
diff --git a/monitor.c b/monitor.c
-index 92e2ca107..62cc2da6b 100644
+index ad7fef5a9..05d63a8ee 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
+@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -91,7 +91,7 @@ index 92e2ca107..62cc2da6b 100644
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -192,6 +193,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -99,7 +99,7 @@ index 92e2ca107..62cc2da6b 100644
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -832,6 +834,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -842,6 +844,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -107,7 +107,7 @@ index 92e2ca107..62cc2da6b 100644
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
-@@ -865,15 +868,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -875,15 +878,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit_authentications(1);
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -152,7 +152,7 @@ index 92e2ca107..62cc2da6b 100644
return (0);
}
-@@ -1594,7 +1624,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1604,7 +1634,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
@@ -243,7 +243,7 @@ index 09b0ccaaa..2493da591 100644
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 4c024c6d2..4fe61f020 100644
+index 8adfec5a7..61e239561 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -65,7 +65,7 @@ ssh_selinux_enabled(void)
@@ -414,10 +414,10 @@ index 344a1ddf9..20ea822a7 100644
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
diff --git a/sshd-session.c b/sshd-session.c
-index dff1fefbe..b6e544108 100644
+index f36d58b1b..1d7cdd00a 100644
--- a/sshd-session.c
+++ b/sshd-session.c
-@@ -438,7 +438,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+@@ -440,7 +440,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
/* Drop privileges */
if (!skip_privdrop)
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 0fb8602..9819925 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 693e1ad72a8bc084f804451beaad6f941921b435 Mon Sep 17 00:00:00 2001
+From 4d7555c76af470ce9c85600497629e3ffe8c6448 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
index 5a9a489..055b12b 100644
--- a/debian/patches/skip-utimensat-test-on-zfs.patch
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -1,4 +1,4 @@
-From 1cf8791cab882050d43f539da1464eb308eca92e Mon Sep 17 00:00:00 2001
+From dadf16cb45c44f62f1c6c66bc537f6bda066292c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 11 Mar 2024 16:24:49 +0000
Subject: Skip utimensat test on ZFS
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 4c5641e..da82776 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 2e73396b1e30fed205ad9daf4575f26e24b6cf63 Mon Sep 17 00:00:00 2001
+From 0c398b704de5f588e6c41cf21d2d1f2cbfda5f11 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 7b45493..a108a70 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From b53a7a6dc0eb0375ef367780fd66c86e182bc67c Mon Sep 17 00:00:00 2001
+From aba90adf0199191cca06cea519233ef9cf67df75 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
1 file changed, 1 insertion(+)
diff --git a/ssh.1 b/ssh.1
-index 55bc1faef..c8c5558e5 100644
+index d80ce6bfc..3ad246c27 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -1666,6 +1666,7 @@ if an error occurred.
+@@ -1668,6 +1668,7 @@ if an error occurred.
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index b63fe3c..329841e 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 127ffecd39fa5f1b61506e6060c4a4cdec64f019 Mon Sep 17 00:00:00 2001
+From 439f5f7701cfc92af75c471df81e269dce8ab321 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
-index 8bdeb9d08..cd1ebc85d 100644
+index 0ce392538..08342f2a2 100644
--- a/readconf.c
+++ b/readconf.c
@@ -197,6 +197,7 @@ static struct {
@@ -29,10 +29,10 @@ index 8bdeb9d08..cd1ebc85d 100644
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
-index c1bfca258..169b9ff07 100644
+index 731f208be..1d5c143ba 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -692,6 +692,7 @@ static struct {
+@@ -698,6 +698,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index e32e7fd..bd386c5 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 297eb3e9ae97bdd2e944efd9fdbdcf7f78514b79 Mon Sep 17 00:00:00 2001
+From 55ee34a4dce90532d19dddc56cb77d11703f0288 Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index 7a9c0ca..9a8fd42 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From 05c8e02a8f6df17722a95fc11cf315865f90e024 Mon Sep 17 00:00:00 2001
+From 8616cd415d778b058f6c27064e52364e90fc6418 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
@@ -19,7 +19,7 @@ Patch-Name: systemd-socket-activation.patch
2 files changed, 119 insertions(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
-index f6bca2631..ee6aca972 100644
+index 90548dcfc..8b3a9776b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -31,7 +31,7 @@ index f6bca2631..ee6aca972 100644
case `uname -r` in
1.*|2.0.*)
diff --git a/sshd.c b/sshd.c
-index 54c65dfe6..51d5357b9 100644
+index 48b334c68..142310c07 100644
--- a/sshd.c
+++ b/sshd.c
@@ -93,10 +93,18 @@
@@ -57,7 +57,7 @@ index 54c65dfe6..51d5357b9 100644
extern char *__progname;
-@@ -733,6 +741,88 @@ send_rexec_state(int fd, struct sshbuf *conf)
+@@ -740,6 +748,88 @@ send_rexec_state(int fd, struct sshbuf *conf)
debug3_f("done");
}
@@ -146,7 +146,7 @@ index 54c65dfe6..51d5357b9 100644
/*
* Listen for TCP connections
*/
-@@ -812,6 +902,9 @@ static void
+@@ -819,6 +909,9 @@ static void
server_listen(void)
{
u_int i;
@@ -156,7 +156,7 @@ index 54c65dfe6..51d5357b9 100644
/* Initialise per-source limit tracking. */
srclimit_init(options.max_startups,
-@@ -821,17 +914,27 @@ server_listen(void)
+@@ -828,17 +921,27 @@ server_listen(void)
&options.per_source_penalty,
options.per_source_penalty_exempt);
@@ -194,8 +194,8 @@ index 54c65dfe6..51d5357b9 100644
if (!num_listen_socks)
fatal("Cannot bind any address.");
}
-@@ -1344,7 +1447,7 @@ main(int ac, char **av)
- if (!test_flag && !do_dump_cfg && !path_absolute(av[0]))
+@@ -1351,7 +1454,7 @@ main(int ac, char **av)
+ if (!test_flag && !inetd_flag && !do_dump_cfg && !path_absolute(av[0]))
fatal("sshd requires execution with an absolute path");
- closefrom(STDERR_FILENO + 1);
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index b649927..8b53864 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From c02212390140a127d47873d8d27081466bd5daeb Mon Sep 17 00:00:00 2001
+From 2bf33ed3e0d641de721a055f7ea6af01be212cff Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
@@ -51,7 +51,7 @@ index d5d2c7a12..13c3c201b 100644
"bad modes for %.200s", pw->pw_name, path);
auth_debug_add("Bad file modes for %.200s", path);
diff --git a/auth.c b/auth.c
-index 407b32e78..ec692715e 100644
+index e4578169b..4b878865f 100644
--- a/auth.c
+++ b/auth.c
@@ -430,8 +430,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
@@ -169,10 +169,10 @@ index 113403896..4681f79f7 100644
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
-index 7d7296960..eaca29ace 100644
+index f78786964..d3c3056ef 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2518,8 +2518,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -2552,8 +2552,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (fstat(fileno(f), &sb) == -1)
fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 7d7296960..eaca29ace 100644
}
diff --git a/ssh.1 b/ssh.1
-index dc382cd49..55bc1faef 100644
+index 8f78b3a1e..d80ce6bfc 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -1570,6 +1570,8 @@ The file format and configuration options are described in
+@@ -1572,6 +1572,8 @@ The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index dc382cd49..55bc1faef 100644
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
-index c6041339b..d1b1da95a 100644
+index 31142f8c5..073ef69e2 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -2409,6 +2409,8 @@ The format of this file is described above.
+@@ -2417,6 +2417,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
diff --git a/debian/tests/control b/debian/tests/control
index 0f5a493..a09633a 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -24,7 +24,7 @@ Restrictions:
Depends:
krb5-admin-server,
krb5-kdc,
- openssh-server,
+ openssh-server-gssapi,
Tests:
socket-activation,
@@ -35,3 +35,14 @@ Restrictions:
Depends:
openssh-server,
sudo,
+
+Tests:
+ xinetd,
+Restrictions:
+ allow-stderr,
+ isolation-container,
+ needs-root,
+Depends:
+ openssh-server,
+ sudo,
+ xinetd,
diff --git a/debian/tests/xinetd b/debian/tests/xinetd
new file mode 100755
index 0000000..b63fbd7
--- /dev/null
+++ b/debian/tests/xinetd
@@ -0,0 +1,52 @@
+#! /bin/sh
+set -e
+
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "$testuser"
+sudo -u "$testuser" mkdir -m700 "/home/$testuser/.ssh"
+sudo -u "$testuser" \
+ ssh-keygen -t ed25519 -N '' -f "/home/$testuser/.ssh/id_ed25519"
+sudo -u "$testuser" \
+ cp "/home/$testuser/.ssh/id_ed25519.pub" \
+ "/home/$testuser/.ssh/authorized_keys"
+
+cleanup () {
+ if [ $? -ne 0 ]; then
+ echo "## Something failed"
+ echo
+ echo "## ssh server log"
+ journalctl -b -u ssh.service --lines 100
+ fi
+}
+
+trap cleanup EXIT
+
+cat >/etc/xinetd.d/sshd <<EOF
+service ssh
+{
+ id = sshd
+ disable = no
+ type = UNLISTED
+ port = 22
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/sshd
+ server_args = -i -4
+ log_on_success += DURATION USERID
+ log_on_failure += USERID
+ nice = 10
+}
+EOF
+
+mkdir -p /etc/systemd/system/xinetd.service.d
+cat >/etc/systemd/system/xinetd.service.d/sshd.conf <<EOF
+[Service]
+RuntimeDirectory=sshd
+EOF
+
+systemctl daemon-reload
+systemctl disable --now ssh.service
+systemctl reload xinetd.service
+sudo -u "$testuser" \
+ ssh -oStrictHostKeyChecking=accept-new "$testuser@localhost" date