summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/.git-dpm16
-rw-r--r--debian/NEWS57
-rw-r--r--debian/changelog61
-rw-r--r--debian/control202
-rwxr-xr-xdebian/openssh-server.install1
-rw-r--r--debian/openssh-server.postinst2
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/configure-cache-vars.patch2
-rw-r--r--debian/patches/debian-banner.patch82
-rw-r--r--debian/patches/debian-config.patch35
-rw-r--r--debian/patches/dnssec-sshfp.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch604
-rw-r--r--debian/patches/keepalive-extensions.patch14
-rw-r--r--debian/patches/maxhostnamelen.patch2
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch54
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/pam-avoid-unknown-host.patch4
-rw-r--r--debian/patches/regress-conch-dev-zero.patch2
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch78
-rw-r--r--debian/patches/revert-ipqos-defaults.patch14
-rw-r--r--debian/patches/scp-quoting.patch6
-rw-r--r--debian/patches/selinux-role.patch110
-rw-r--r--debian/patches/series3
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/skip-utimensat-test-on-zfs.patch2
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch8
-rw-r--r--debian/patches/sshsigdie-async-signal-unsafe.patch41
-rw-r--r--debian/patches/syslog-level-silent.patch4
-rw-r--r--debian/patches/systemd-readiness.patch224
-rw-r--r--debian/patches/systemd-socket-activation.patch24
-rw-r--r--debian/patches/user-group-modes.patch34
-rw-r--r--debian/patches/zero-call-used-regs-m68k.patch30
-rwxr-xr-xdebian/run-tests1
-rw-r--r--debian/tests/control42
-rwxr-xr-xdebian/tests/ssh-gssapi2
42 files changed, 732 insertions, 1083 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 881c43e..14852c6 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
# see git-dpm(1) from git-dpm package
-7f4a743171f9e6b283207d448de6562219774fbf
-7f4a743171f9e6b283207d448de6562219774fbf
-cf05e8418c088a6e5712344cecaf6ee2d5eb550f
-cf05e8418c088a6e5712344cecaf6ee2d5eb550f
-openssh_9.7p1.orig.tar.gz
-ce8985ea0ea2f16a5917fd982ade0972848373cc
-1848766
+7406e666efe2d19e93cf6f50735b3a927bc3dfce
+7406e666efe2d19e93cf6f50735b3a927bc3dfce
+725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
+725afb3e99dbbda1d8c34a3dfc031dc9b0bb5dbe
+openssh_9.8p1.orig.tar.gz
+a0bb501b11349f5c5c33a269351be091dc2c2727
+1910393
debianTag="debian/%e%%%V"
patchedTag="patched/%e%%%V"
upstreamTag="upstream/%U"
-signature:6848845450c5d5776afd10f8217f870d320cc4d5:833:openssh_9.7p1.orig.tar.gz.asc
+signature:2c8addecb3c6af8b3eb36742d2f6c66b8281c5c9:833:openssh_9.8p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 79738c6..2898018 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,4 +1,55 @@
-openssh (1:9.7p1-6) UNRELEASED; urgency=medium
+openssh (1:9.8p1-1) unstable; urgency=medium
+
+ OpenSSH 9.8p1 includes a number of changes that may affect existing
+ configurations:
+
+ * DSA keys, as specified in the SSH protocol, are inherently weak: they
+ are limited to 160-bit private keys and the SHA-1 digest. The SSH
+ implementation provided by the openssh-client and openssh-server
+ packages has disabled support for DSA keys by default since OpenSSH
+ 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could
+ still be enabled using the HostKeyAlgorithms and
+ PubkeyAcceptedAlgorithms configuration options for host and user keys
+ respectively.
+
+ The only remaining uses of DSA at this point should be connecting to
+ some very old devices. For all other purposes, the other key types
+ supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
+
+ As of OpenSSH 9.8p1, DSA keys are no longer supported even with the
+ above configuration options. If you have a device that you can only
+ connect to using DSA, then you can use the ssh1 command provided by the
+ openssh-client-ssh1 package to do so.
+
+ In the unlikely event that you are still using DSA keys to connect to a
+ Debian server (if you are unsure, you can check by adding the -v option
+ to the ssh command line you use to connect to that server and looking
+ for the "Server accepts key:" line), then you must generate replacement
+ keys before upgrading.
+
+ * sshd(8): the server will now block client addresses that repeatedly
+ fail authentication, repeatedly connect without ever completing
+ authentication or that crash the server. Operators of servers that
+ accept connections from many users, or servers that accept connections
+ from addresses behind NAT or proxies may need to consider these
+ settings.
+
+ * sshd(8): several log messages have changed. In particular, some log
+ messages will be tagged with as originating from a process named
+ "sshd-session" rather than "sshd".
+
+ * ssh-keyscan(1): this tool previously emitted comment lines containing
+ the hostname and SSH protocol banner to standard error. This release
+ now emits them to standard output, but adds a new "-q" flag to silence
+ them altogether.
+
+ * sshd(8): sshd will no longer use argv[0] as the PAM service name. A
+ new "PAMServiceName" sshd_config(5) directive allows selecting the
+ service name at runtime. This defaults to "sshd".
+
+ -- Colin Watson <cjwatson@debian.org> Wed, 31 Jul 2024 17:16:04 +0100
+
+openssh (1:9.7p1-6) unstable; urgency=medium
Debian's PAM configuration for OpenSSH no longer reads the
~/.pam_environment file. The implementation of this in pam_env has a
@@ -12,7 +63,7 @@ openssh (1:9.7p1-6) UNRELEASED; urgency=medium
handled by the session process; for most users, this will be shell
initialization files such as ~/.bash_profile or ~/.bashrc.
- -- Colin Watson <cjwatson@debian.org> Thu, 23 May 2024 19:17:29 +0100
+ -- Colin Watson <cjwatson@debian.org> Tue, 25 Jun 2024 14:20:44 +0100
openssh (1:9.5p1-1) experimental; urgency=medium
@@ -241,7 +292,7 @@ openssh (1:8.4p1-1) unstable; urgency=medium
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes the
- authenticator data needed to validate attestation signatures.
+ authenticator data needed to validate attestation signatures.
* The API between OpenSSH and the FIDO token middleware has changed and
the SSH_SK_VERSION_MAJOR version has been incremented as a result.
diff --git a/debian/changelog b/debian/changelog
index e455121..36bb642 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,64 @@
+openssh (1:9.8p1-1) unstable; urgency=medium
+
+ * New upstream release (https://www.openssh.com/releasenotes.html#9.8p1):
+ - CVE-2024-39894: Fix Logic error in ssh(1) ObscureKeystrokeTiming that
+ made the feature ineffective.
+ - The DSA signature algorithm is now disabled at compile-time.
+ - sshd(8): the server has been split into a listener binary, sshd(8),
+ and a per-session binary "sshd-session". This allows for a much
+ smaller listener binary, as it no longer needs to support the SSH
+ protocol. As part of this work, support for disabling privilege
+ separation (which previously required code changes to disable) and
+ disabling re-execution of sshd(8) has been removed. Further
+ separation of sshd-session into additional, minimal binaries is
+ planned for the future.
+ - sshd(8): several log messages have changed. In particular, some log
+ messages will be tagged with as originating from a process named
+ "sshd-session" rather than "sshd".
+ - ssh-keyscan(1): this tool previously emitted comment lines containing
+ the hostname and SSH protocol banner to standard error. This release
+ now emits them to standard output, but adds a new "-q" flag to silence
+ them altogether.
+ - sshd(8): sshd will no longer use argv[0] as the PAM service name. A
+ new "PAMServiceName" sshd_config(5) directive allows selecting the
+ service name at runtime. This defaults to "sshd".
+ - sshd(8): penalise client addresses that, for various reasons, do not
+ successfully complete authentication. This feature is controlled by a
+ new sshd_config(5) PerSourcePenalties option and is on by default.
+ - ssh(8): allow the HostkeyAlgorithms directive to disable the implicit
+ fallback from certificate host key to plain host keys.
+ - misc: fix a number of inaccuracies in the PROTOCOL.* documentation
+ files.
+ - all: switch to strtonum(3) for more robust integer parsing in most
+ places.
+ - ssh(1), sshd(8): correctly restore sigprocmask around ppoll().
+ - ssh-keysign(8): stricter validation of messaging socket fd.
+ - sftp(1): flush stdout after writing "sftp>" prompt when not using
+ editline.
+ - sftp-server(8): fix home-directory extension implementation, it
+ previously always returned the current user's home directory contrary
+ to the spec.
+ - ssh-keyscan(1): do not close stdin to prevent error messages when
+ stdin is read multiple times.
+ - regression tests: fix rekey test that was testing the same KEX
+ algorithm repeatedly instead of testing all of them.
+ - ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive
+ documentation, especially around what is supported vs available
+ (closes: #1073065).
+ - sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
+ unconditionally. The previous behaviour was to expose it only when
+ particular authentication methods were in use.
+ - build: fix OpenSSL ED25519 support detection. An incorrect function
+ signature in configure.ac previously prevented enabling the recently
+ added support for ED25519 private keys in PEM PKCS8 format.
+ - ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
+ environment variable to enable SSH_ASKPASS, similarly to the X11
+ DISPLAY environment variable (closes: #1037515, #1068044).
+ * Stop generating DSA host key.
+ * Apply X-Style: black.
+
+ -- Colin Watson <cjwatson@debian.org> Wed, 31 Jul 2024 17:16:04 +0100
+
openssh (1:9.7p1-7) unstable; urgency=critical
[ Salvatore Bonaccorso ]
diff --git a/debian/control b/debian/control
index 4f8e0b9..3a84083 100644
--- a/debian/control
+++ b/debian/control
@@ -2,47 +2,57 @@ Source: openssh
Section: net
Priority: standard
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: debhelper (>= 13.1~),
- debhelper-compat (= 13),
- dh-exec,
- dh-runit (>= 2.8.8),
- dh-sequence-movetousr,
- libaudit-dev [linux-any],
- libedit-dev,
- libfido2-dev (>= 1.5.0) [linux-any],
- libgtk-3-dev <!pkg.openssh.nognome>,
- libkrb5-dev | heimdal-dev,
- libpam0g-dev | libpam-dev,
- libselinux1-dev [linux-any],
- libssl-dev (>= 1.1.1),
- libwrap0-dev | libwrap-dev,
- pkgconf,
- zlib1g-dev,
+Build-Depends:
+ debhelper (>= 13.1~),
+ debhelper-compat (= 13),
+ dh-exec,
+ dh-runit (>= 2.8.8),
+ dh-sequence-movetousr,
+ libaudit-dev [linux-any],
+ libedit-dev,
+ libfido2-dev (>= 1.5.0) [linux-any],
+ libgtk-3-dev <!pkg.openssh.nognome>,
+ libkrb5-dev | heimdal-dev,
+ libpam0g-dev | libpam-dev,
+ libselinux1-dev [linux-any],
+ libssl-dev (>= 1.1.1),
+ libwrap0-dev | libwrap-dev,
+ pkgconf,
+ zlib1g-dev,
Standards-Version: 4.6.2
-Uploaders: Colin Watson <cjwatson@debian.org>,
- Matthew Vernon <matthew@debian.org>,
+Uploaders:
+ Colin Watson <cjwatson@debian.org>,
+ Matthew Vernon <matthew@debian.org>,
Homepage: https://www.openssh.com/
Vcs-Git: https://salsa.debian.org/ssh-team/openssh.git
Vcs-Browser: https://salsa.debian.org/ssh-team/openssh
Rules-Requires-Root: no
+X-Style: black
Package: openssh-client
Architecture: any
-Depends: adduser,
- passwd,
- ${misc:Depends},
- ${shlibs:Depends},
-Recommends: xauth,
-Conflicts: sftp,
-Breaks: openssh-sk-helper
-Replaces: openssh-sk-helper,
- ssh,
- ssh-krb5,
-Suggests: keychain,
- libpam-ssh,
- monkeysphere,
- ssh-askpass,
-Provides: ssh-client,
+Depends:
+ adduser,
+ passwd,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ xauth,
+Conflicts:
+ sftp,
+Breaks:
+ openssh-sk-helper,
+Replaces:
+ openssh-sk-helper,
+ ssh,
+ ssh-krb5,
+Suggests:
+ keychain,
+ libpam-ssh,
+ monkeysphere,
+ ssh-askpass,
+Provides:
+ ssh-client,
Multi-Arch: foreign
Description: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
@@ -70,33 +80,41 @@ Description: secure shell (SSH) client, for secure access to remote machines
Package: openssh-server
Priority: optional
Architecture: any
-Pre-Depends: ${misc:Pre-Depends},
-Depends: adduser,
- libpam-modules,
- libpam-runtime,
- lsb-base,
- openssh-client (= ${binary:Version}),
- openssh-sftp-server,
- procps,
- ucf,
- ${misc:Depends},
- ${shlibs:Depends},
-Recommends: default-logind | logind | libpam-systemd,
- ncurses-term,
- xauth,
- ${openssh-server:Recommends},
-Conflicts: sftp,
- ssh-socks,
- ssh2,
-Replaces: openssh-client (<< 1:7.9p1-8),
- ssh,
- ssh-krb5,
-Breaks: ${runit:Breaks},
-Suggests: molly-guard,
- monkeysphere,
- ssh-askpass,
- ufw,
-Provides: ssh-server,
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ adduser,
+ libpam-modules,
+ libpam-runtime,
+ lsb-base,
+ openssh-client (= ${binary:Version}),
+ openssh-sftp-server,
+ procps,
+ ucf,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ default-logind | logind | libpam-systemd,
+ ncurses-term,
+ xauth,
+ ${openssh-server:Recommends},
+Conflicts:
+ sftp,
+ ssh-socks,
+ ssh2,
+Replaces:
+ openssh-client (<< 1:7.9p1-8),
+ ssh,
+ ssh-krb5,
+Breaks:
+ ${runit:Breaks},
+Suggests:
+ molly-guard,
+ monkeysphere,
+ ssh-askpass,
+ ufw,
+Provides:
+ ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
@@ -122,13 +140,18 @@ Description: secure shell (SSH) server, for secure access from remote machines
Package: openssh-sftp-server
Priority: optional
Architecture: any
-Depends: ${misc:Depends},
- ${shlibs:Depends},
-Recommends: openssh-server | ssh-server,
-Breaks: openssh-server (<< 1:6.5p1-5),
-Replaces: openssh-server (<< 1:6.5p1-5),
-Enhances: openssh-server,
- ssh-server,
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ openssh-server | ssh-server,
+Breaks:
+ openssh-server (<< 1:6.5p1-5),
+Replaces:
+ openssh-server (<< 1:6.5p1-5),
+Enhances:
+ openssh-server,
+ ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
@@ -158,14 +181,15 @@ Description: secure shell (SSH) sftp server module, for SFTP access from remote
Package: openssh-tests
Priority: optional
Architecture: any
-Depends: openssh-client (= ${binary:Version}),
- openssh-server (= ${binary:Version}),
- openssh-sftp-server (= ${binary:Version}),
- openssl,
- putty-tools (>= 0.67-2),
- python3-twisted,
- ${misc:Depends},
- ${shlibs:Depends},
+Depends:
+ openssh-client (= ${binary:Version}),
+ openssh-server (= ${binary:Version}),
+ openssh-sftp-server (= ${binary:Version}),
+ openssl,
+ putty-tools (>= 0.67-2),
+ python3-twisted,
+ ${misc:Depends},
+ ${shlibs:Depends},
Multi-Arch: foreign
Description: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
@@ -175,9 +199,10 @@ Description: OpenSSH regression tests
Package: ssh
Priority: optional
Architecture: all
-Depends: openssh-client (>= ${binary:Version}),
- openssh-server (>= ${binary:Version}),
- ${misc:Depends},
+Depends:
+ openssh-client (>= ${binary:Version}),
+ openssh-server (>= ${binary:Version}),
+ ${misc:Depends},
Multi-Arch: foreign
Description: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
@@ -189,11 +214,14 @@ Build-Profiles: <!pkg.openssh.nognome>
Section: gnome
Priority: optional
Architecture: any
-Depends: openssh-client | ssh (>= 1:1.2pre7-4),
- ${misc:Depends},
- ${shlibs:Depends},
-Replaces: ssh (<< 1:3.5p1-3),
-Provides: ssh-askpass,
+Depends:
+ openssh-client | ssh (>= 1:1.2pre7-4),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Replaces:
+ ssh (<< 1:3.5p1-3),
+Provides:
+ ssh-askpass,
Multi-Arch: foreign
Description: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
@@ -208,7 +236,9 @@ Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends},
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
XB-Installer-Menu-Item: 99999
Description: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
@@ -223,7 +253,9 @@ Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends},
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
Description: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index 5bf99be..7936d27 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -1,6 +1,7 @@
#! /usr/bin/dh-exec
etc/ssh/moduli
+usr/lib/openssh/sshd-session
usr/sbin/sshd
usr/share/man/man5/authorized_keys.5
usr/share/man/man5/moduli.5
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 4114d35..a871eb1 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -44,8 +44,6 @@ create_keys() {
create_key "Creating SSH2 RSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
- create_key "Creating SSH2 DSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
create_key "Creating SSH2 ECDSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 2a183b1..2d8f535 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 8c2f7f932f143c330a74389d094117d7c85f51f9 Mon Sep 17 00:00:00 2001
+From 7f7594950af2dac444ade5023a88acaa157d4824 Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
1 file changed, 1 insertion(+)
diff --git a/Makefile.in b/Makefile.in
-index f9488099a..e0e45c9b9 100644
+index 6635b5518..f08dd03d9 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -415,6 +415,7 @@ install-files:
+@@ -427,6 +427,7 @@ install-files:
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch
index a79f5f1..0ec03e7 100644
--- a/debian/patches/configure-cache-vars.patch
+++ b/debian/patches/configure-cache-vars.patch
@@ -1,4 +1,4 @@
-From 1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea Mon Sep 17 00:00:00 2001
+From 569bdb6931b8dba91036cf8dce41b56ca343e10f Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 3 Apr 2024 11:52:04 +0100
Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index bfdf8ec..fd69273 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 30df3f03ff91b648414b35bdc697ce9127a9fe90 Mon Sep 17 00:00:00 2001
+From be94b157653742db3310bc565356a8e553bfd741 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
@@ -8,24 +8,24 @@ initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
-Last-Update: 2023-12-18
+Last-Update: 2024-07-03
Patch-Name: debian-banner.patch
---
- kex.c | 5 +++--
- kex.h | 2 +-
- servconf.c | 10 ++++++++++
- servconf.h | 2 ++
- sshconnect.c | 2 +-
- sshd.c | 2 +-
- sshd_config.5 | 5 +++++
+ kex.c | 5 +++--
+ kex.h | 2 +-
+ servconf.c | 10 ++++++++++
+ servconf.h | 2 ++
+ sshconnect.c | 2 +-
+ sshd-session.c | 2 +-
+ sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
-index 4e988e39b..30f2ce2b3 100644
+index 744fb27fb..e872ab02e 100644
--- a/kex.c
+++ b/kex.c
-@@ -1545,7 +1545,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1239,7 +1239,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index 4e988e39b..30f2ce2b3 100644
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
-@@ -1563,7 +1563,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1257,7 +1257,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -45,12 +45,12 @@ index 4e988e39b..30f2ce2b3 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/kex.h b/kex.h
-index 32da837f8..41888c0d8 100644
+index d3c57a329..5ca4f9a5e 100644
--- a/kex.h
+++ b/kex.h
-@@ -208,7 +208,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+@@ -213,7 +213,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+ const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
- int kex_gss_names_valid(const char *);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
@@ -58,45 +58,45 @@ index 32da837f8..41888c0d8 100644
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
-index 193d73cca..12aa1f4ad 100644
+index 169b9ff07..81511bc86 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -201,6 +201,7 @@ initialize_server_options(ServerOptions *options)
- options->channel_timeouts = NULL;
+@@ -217,6 +217,7 @@ initialize_server_options(ServerOptions *options)
options->num_channel_timeouts = 0;
options->unused_connection_timeout = -1;
+ options->sshd_session_path = NULL;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -459,6 +460,8 @@ fill_default_server_options(ServerOptions *options)
- options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
- if (options->unused_connection_timeout == -1)
+@@ -501,6 +502,8 @@ fill_default_server_options(ServerOptions *options)
options->unused_connection_timeout = 0;
+ if (options->sshd_session_path == NULL)
+ options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
-@@ -544,6 +547,7 @@ typedef enum {
- sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+@@ -585,6 +588,7 @@ typedef enum {
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
+ sSshdSessionPath,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
-@@ -717,6 +721,7 @@ static struct {
- { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+@@ -763,6 +767,7 @@ static struct {
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
-@@ -2637,6 +2642,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- }
- goto parse_time;
+@@ -2702,6 +2707,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ charptr = &options->sshd_session_path;
+ goto parse_filename;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
@@ -105,7 +105,7 @@ index 193d73cca..12aa1f4ad 100644
case sDeprecated:
case sIgnore:
case sUnsupported:
-@@ -3185,6 +3194,7 @@ dump_config(ServerOptions *o)
+@@ -3251,6 +3260,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
@@ -114,23 +114,23 @@ index 193d73cca..12aa1f4ad 100644
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
-index 2ce4ae0ad..e0c0af903 100644
+index c1e2751ee..1532e5420 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -236,6 +236,8 @@ typedef struct {
- u_int num_channel_timeouts;
-
+@@ -251,6 +251,8 @@ typedef struct {
int unused_connection_timeout;
+
+ char *sshd_session_path;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
-index 23f79ed2b..da20ecd88 100644
+index cbfc20735..f9d3a1ff2 100644
--- a/sshconnect.c
+++ b/sshconnect.c
-@@ -1581,7 +1581,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+@@ -1611,7 +1611,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
@@ -139,11 +139,11 @@ index 23f79ed2b..da20ecd88 100644
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
-diff --git a/sshd.c b/sshd.c
-index 9c9f38e5b..8fab51ebb 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2249,7 +2249,7 @@ main(int ac, char **av)
+diff --git a/sshd-session.c b/sshd-session.c
+index f0fd85367..1f38a0de9 100644
+--- a/sshd-session.c
++++ b/sshd-session.c
+@@ -1303,7 +1303,7 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time);
@@ -153,7 +153,7 @@ index 9c9f38e5b..8fab51ebb 100644
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
-index e06ef8abd..1a8febfa6 100644
+index 5dd656869..81671fb99 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -629,6 +629,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ce3c1c0..2add806 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 04acdcf452c7a88ac8c37ca6870a571125fbc8da Mon Sep 17 00:00:00 2001
+From 72b01845849043dbf3edde4d0b1a728ff05d8630 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
@@ -26,13 +26,15 @@ sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
+sshd: Document Debian's default for SshdSessionPath.
+
regress: Run tests with 'UsePAM yes', to match sshd_config.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
-Last-Update: 2023-01-03
+Last-Update: 2024-07-03
Patch-Name: debian-config.patch
---
@@ -42,11 +44,11 @@ Patch-Name: debian-config.patch
ssh_config | 8 +++++++-
ssh_config.5 | 26 +++++++++++++++++++++++++-
sshd_config | 18 ++++++++++++------
- sshd_config.5 | 29 +++++++++++++++++++++++++++++
- 7 files changed, 99 insertions(+), 9 deletions(-)
+ sshd_config.5 | 31 ++++++++++++++++++++++++++++++-
+ 7 files changed, 100 insertions(+), 10 deletions(-)
diff --git a/readconf.c b/readconf.c
-index d68658185..720062bcc 100644
+index eaca29ace..1b64b7af5 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2739,7 +2739,7 @@ fill_default_options(Options * options)
@@ -59,19 +61,19 @@ index d68658185..720062bcc 100644
options->forward_x11_timeout = 1200;
/*
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index ad627941f..56e98159c 100644
+index 7afc28072..02b122a85 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
-@@ -609,6 +609,7 @@ cat << EOF > $OBJ/sshd_config
- AcceptEnv _XXX_TEST_*
- AcceptEnv _XXX_TEST
+@@ -622,6 +622,7 @@ cat << EOF > $OBJ/sshd_config
Subsystem sftp $SFTPSERVER
+ SshdSessionPath $SSHD_SESSION
+ PerSourcePenalties no
+ UsePAM yes
EOF
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
diff --git a/ssh.1 b/ssh.1
-index 0d56f3dc1..ddfe75b95 100644
+index c8c5558e5..0697ec77d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -861,6 +861,16 @@ directive in
@@ -138,7 +140,7 @@ index 16197d15d..92d06ef38 100644
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
-index 41d4d7406..c2789a09d 100644
+index cb1bba1a7..091b933b4 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
@@ -244,7 +246,7 @@ index ecfe8d026..677f97d5d 100644
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
-index 0e8891c4f..12083e839 100644
+index 9d33cb472..1f6c42523 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
@@ -283,3 +285,12 @@ index 0e8891c4f..12083e839 100644
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
+@@ -1840,7 +1869,7 @@ Overrides the default path to the
+ .Cm sshd-session
+ binary that is invoked to handle each connection.
+ The default is
+-.Pa /usr/libexec/sshd-session .
++.Pa /usr/lib/openssh/sshd-session .
+ This option is intended for use by tests.
+ .It Cm StreamLocalBindMask
+ Sets the octal file creation mode mask
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 9d4cb3c..a2164e0 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 2d07e4a73975fd8b478680e8a4490fc6c48a6390 Mon Sep 17 00:00:00 2001
+From 022ab25237b3da32705eb88d74f01590ca121625 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -51,7 +51,7 @@ index 939241440..bf47a079f 100644
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
-index 8f5939840..6091a2591 100644
+index ad35148c9..add519441 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -214,8 +214,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 6f648b0..4963bcd 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From a783425eb21dfb3e4432dbbdb7e4e0653a436e7e Mon Sep 17 00:00:00 2001
+From 51e122be591845078beddc2aa6734d83d4fbe7a1 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
-index 4afb8fb7a..41d4d7406 100644
+index d1b1da95a..cb1bba1a7 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1020,6 +1020,9 @@ Note that existing names and addresses in known hosts files
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index e055cab..a32dac4 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 808d4d2c8a93272e5ec08a27024e76efd491ce14 Mon Sep 17 00:00:00 2001
+From 63d6710f076590ec1672e95d19a2fced8bd34189 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 7c3ba4a..5f5f9ce 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 4431708c5c325cdbcf802e5d86ea1f4da78c1b50 Mon Sep 17 00:00:00 2001
+From 19f6afb4e07135a843c2f5caaa663a1d3f3db6f1 Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,23 +21,23 @@ Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2024-03-14
+Last-Updated: 2024-07-31
Patch-Name: gssapi.patch
---
Makefile.in | 5 +-
README.md | 36 +++
- auth.c | 94 +-------
- auth2-gss.c | 57 ++++-
+ auth.c | 3 +-
+ auth2-gss.c | 54 ++++-
+ auth2-methods.c | 6 +
auth2.c | 2 +
- canohost.c | 91 ++++++++
- canohost.h | 3 +
clientloop.c | 13 ++
configure.ac | 24 ++
gss-genr.c | 297 +++++++++++++++++++++++-
gss-serv-krb5.c | 87 ++++++-
- gss-serv.c | 205 +++++++++++++++--
- kex.c | 66 +++++-
+ gss-serv.c | 200 ++++++++++++++--
+ kex-names.c | 62 ++++-
+ kex.c | 4 +
kex.h | 29 +++
kexdh.c | 10 +
kexgen.c | 2 +-
@@ -58,22 +58,23 @@ Patch-Name: gssapi.patch
ssh.c | 6 +-
ssh_config | 2 +
ssh_config.5 | 57 +++++
- sshconnect2.c | 146 +++++++++++-
- sshd.c | 62 ++++-
+ sshconnect2.c | 144 +++++++++++-
+ sshd-session.c | 59 ++++-
+ sshd.c | 3 +-
sshd_config | 2 +
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 39 files changed, 2763 insertions(+), 164 deletions(-)
+ 40 files changed, 2667 insertions(+), 71 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
diff --git a/Makefile.in b/Makefile.in
-index 1efe11f6f..f9488099a 100644
+index e1b77ebc6..6635b5518 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -101,7 +101,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
@@ -82,22 +83,22 @@ index 1efe11f6f..f9488099a 100644
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
-@@ -110,6 +110,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+@@ -112,6 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \
+ kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o
-@@ -126,7 +127,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
+@@ -134,7 +135,7 @@ SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
- srclimit.o sftp-server.o sftp-common.o \
+ sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/README.md b/README.md
index 9431b0ffd..e5051828c 100644
@@ -144,10 +145,10 @@ index 9431b0ffd..e5051828c 100644
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
diff --git a/auth.c b/auth.c
-index 3b380d9bb..8ccf06370 100644
+index 2e4cbef07..407b32e78 100644
--- a/auth.c
+++ b/auth.c
-@@ -357,7 +357,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
+@@ -356,7 +356,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
@@ -157,110 +158,12 @@ index 3b380d9bb..8ccf06370 100644
return 1;
break;
case PERMIT_FORCED_ONLY:
-@@ -637,97 +638,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) == -1) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return xstrdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return xstrdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return xstrdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return xstrdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return xstrdup(ntop);
-- }
-- return xstrdup(name);
--}
--
- /*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
diff --git a/auth2-gss.c b/auth2-gss.c
-index f72a38998..052c7b80f 100644
+index 75eb4e3a3..3e7d18fd2 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.36 2024/05/17 04:42:13 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -268,7 +171,15 @@ index f72a38998..052c7b80f 100644
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
-@@ -57,6 +57,48 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
+@@ -51,6 +51,7 @@
+ #define SSH_GSSAPI_MAX_MECHS 2048
+
+ extern ServerOptions options;
++extern struct authmethod_cfg methodcfg_gsskeyex;
+ extern struct authmethod_cfg methodcfg_gssapi;
+
+ static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
+@@ -58,6 +59,47 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -303,10 +214,9 @@ index f72a38998..052c7b80f 100644
+ gssbuf.length = sshbuf_len(b);
+
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
-+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
-+ &gssbuf, &mic))))
-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-+ authctxt->pw, 1));
++ if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gss_kex_context, &gssbuf, &mic)))
++ authenticated = mm_ssh_gssapi_userok(authctxt->user,
++ authctxt->pw, 1);
+
+ sshbuf_free(b);
+ free(mic.value);
@@ -317,42 +227,63 @@ index f72a38998..052c7b80f 100644
/*
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
-@@ -267,7 +309,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
+@@ -267,7 +309,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet");
-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-+ authctxt->pw, 1));
+- authenticated = mm_ssh_gssapi_userok(authctxt->user);
++ authenticated = mm_ssh_gssapi_userok(authctxt->user, authctxt->pw, 1);
- if ((!use_privsep || mm_is_monitor()) &&
- (displayname = ssh_gssapi_displayname()) != NULL)
-@@ -313,7 +356,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+ authctxt->postponed = 0;
+ ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+@@ -308,7 +350,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
gssbuf.length = sshbuf_len(b);
- if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-+ authctxt->pw, 0));
+ if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))
+- authenticated = mm_ssh_gssapi_userok(authctxt->user);
++ authenticated = mm_ssh_gssapi_userok(authctxt->user,
++ authctxt->pw, 0);
else
logit("GSSAPI MIC check failed");
-@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+@@ -324,6 +367,11 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0;
}
+Authmethod method_gsskeyex = {
-+ "gssapi-keyex",
-+ NULL,
++ &methodcfg_gsskeyex,
+ userauth_gsskeyex,
-+ &options.gss_authentication
+};
+
Authmethod method_gssapi = {
+ &methodcfg_gssapi,
+ userauth_gssapi,
+diff --git a/auth2-methods.c b/auth2-methods.c
+index 99637a89b..a05908cf3 100644
+--- a/auth2-methods.c
++++ b/auth2-methods.c
+@@ -50,6 +50,11 @@ struct authmethod_cfg methodcfg_pubkey = {
+ &options.pubkey_authentication
+ };
+ #ifdef GSSAPI
++struct authmethod_cfg methodcfg_gsskeyex = {
++ "gssapi-keyex",
++ NULL,
++ &options.gss_authentication
++};
+ struct authmethod_cfg methodcfg_gssapi = {
"gssapi-with-mic",
NULL,
+@@ -76,6 +81,7 @@ static struct authmethod_cfg *authmethod_cfgs[] = {
+ &methodcfg_none,
+ &methodcfg_pubkey,
+ #ifdef GSSAPI
++ &methodcfg_gsskeyex,
+ &methodcfg_gssapi,
+ #endif
+ &methodcfg_passwd,
diff --git a/auth2.c b/auth2.c
-index 271789a77..514a697ca 100644
+index 67dec88c3..f75f1d20d 100644
--- a/auth2.c
+++ b/auth2.c
@@ -71,6 +71,7 @@ extern Authmethod method_passwd;
@@ -371,124 +302,8 @@ index 271789a77..514a697ca 100644
&method_gssapi,
#endif
&method_passwd,
-diff --git a/canohost.c b/canohost.c
-index 28f086e5a..33213ab05 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -35,6 +35,97 @@
- #include "canohost.h"
- #include "misc.h"
-
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ */
-+
-+char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) == -1) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return xstrdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return xstrdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return xstrdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return xstrdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return xstrdup(ntop);
-+ }
-+ return xstrdup(name);
-+}
-+
- void
- ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
- {
-diff --git a/canohost.h b/canohost.h
-index 26d62855a..0cadc9f18 100644
---- a/canohost.h
-+++ b/canohost.h
-@@ -15,6 +15,9 @@
- #ifndef _CANOHOST_H
- #define _CANOHOST_H
-
-+struct ssh;
-+
-+char *remote_hostname(struct ssh *);
- char *get_peer_ipaddr(int);
- int get_peer_port(int);
- char *get_local_ipaddr(int);
diff --git a/clientloop.c b/clientloop.c
-index 8ec36af94..a1f94a85a 100644
+index 8ed8b1c34..6d57339a1 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,10 @@
@@ -502,7 +317,7 @@ index 8ec36af94..a1f94a85a 100644
/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
-@@ -1594,6 +1598,15 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1590,6 +1594,15 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
/* Do channel operations. */
channel_after_poll(ssh, pfd, npfd_active);
@@ -519,7 +334,7 @@ index 8ec36af94..a1f94a85a 100644
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
-index 82e8bb7c1..bb3e644fe 100644
+index 5a865f8e1..dc274329f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1061,7 +876,7 @@ index a151bc1e4..ef20401ec 100644
#endif /* KRB5 */
diff --git a/gss-serv.c b/gss-serv.c
-index 00e3d118b..162fec447 100644
+index 00e3d118b..b761d12aa 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
@@ -1117,7 +932,7 @@ index 00e3d118b..162fec447 100644
+ Gssctxt *ctx = NULL;
+ int res;
+
-+ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
++ res = !GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctx, oid));
+ ssh_gssapi_delete_ctx(&ctx);
+
+ return (res);
@@ -1152,15 +967,15 @@ index 00e3d118b..162fec447 100644
+ debug("Rekeyed credentials have different mechanism");
+ return GSS_S_COMPLETE;
+ }
-+
+
+- gss_buffer_desc ename;
+ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
+ ctx->client_creds, ctx->oid, &new_name,
+ NULL, NULL, NULL))) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
-
-- gss_buffer_desc ename;
++
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
+
@@ -1263,7 +1078,7 @@ index 00e3d118b..162fec447 100644
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -382,14 +471,90 @@ ssh_gssapi_userok(char *user)
+@@ -382,14 +471,85 @@ ssh_gssapi_userok(char *user)
return (0);
}
@@ -1306,7 +1121,7 @@ index 00e3d118b..162fec447 100644
+ gssapi_client.store.envvar == NULL)
+ return;
+
-+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
++ ok = mm_ssh_gssapi_update_creds(&gssapi_client.store);
+
+ if (!ok)
+ return;
@@ -1318,11 +1133,6 @@ index 00e3d118b..162fec447 100644
+ * for rekeying. So, use our own :)
+ */
+#ifdef USE_PAM
-+ if (!use_privsep) {
-+ debug("Not even going to try and do PAM with privsep disabled");
-+ return;
-+ }
-+
+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
+ &pamconv, &pamh);
+ if (ret)
@@ -1360,29 +1170,22 @@ index 00e3d118b..162fec447 100644
}
/* Privileged */
-diff --git a/kex.c b/kex.c
-index 8a0f16513..e4a2362bd 100644
---- a/kex.c
-+++ b/kex.c
-@@ -58,12 +58,17 @@
- #include "dispatch.h"
- #include "monitor.h"
- #include "myproposal.h"
-+#include "xmalloc.h"
-
+diff --git a/kex-names.c b/kex-names.c
+index 339eb1c23..f077520bb 100644
+--- a/kex-names.c
++++ b/kex-names.c
+@@ -45,6 +45,10 @@
#include "ssherr.h"
- #include "sshbuf.h"
- #include "digest.h"
#include "xmalloc.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
- /* prototype */
- static int kex_choose_conf(struct ssh *, uint32_t seq);
- static int kex_input_newkeys(int, u_int32_t, struct ssh *);
-@@ -119,15 +124,28 @@ static const struct kexalg kexalgs[] = {
+ struct kexalg {
+ char *name;
+ u_int type;
+@@ -83,15 +87,28 @@ static const struct kexalg kexalgs[] = {
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
@@ -1414,7 +1217,7 @@ index 8a0f16513..e4a2362bd 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
-@@ -142,6 +160,18 @@ kex_alg_list(char sep)
+@@ -106,6 +123,18 @@ kex_alg_list(char sep)
return ret;
}
@@ -1433,7 +1236,7 @@ index 8a0f16513..e4a2362bd 100644
static const struct kexalg *
kex_alg_by_name(const char *name)
{
-@@ -151,6 +181,10 @@ kex_alg_by_name(const char *name)
+@@ -115,6 +144,10 @@ kex_alg_by_name(const char *name)
if (strcmp(k->name, name) == 0)
return k;
}
@@ -1444,8 +1247,8 @@ index 8a0f16513..e4a2362bd 100644
return NULL;
}
-@@ -393,6 +427,29 @@ kex_proposal_free_entries(char *prop[PROPOSAL_MAX])
- free(prop[i]);
+@@ -177,6 +210,29 @@ kex_names_valid(const char *names)
+ return 1;
}
+/* Validate GSS KEX method name list */
@@ -1471,10 +1274,22 @@ index 8a0f16513..e4a2362bd 100644
+ return 1;
+}
+
- /* put algorithm proposal into buffer */
+ /* returns non-zero if proposal contains any algorithm from algs */
int
- kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -987,6 +1044,9 @@ kex_free(struct kex *kex)
+ kex_has_any_alg(const char *proposal, const char *algs)
+diff --git a/kex.c b/kex.c
+index 63aae5d71..fd018021e 100644
+--- a/kex.c
++++ b/kex.c
+@@ -58,6 +58,7 @@
+ #include "dispatch.h"
+ #include "monitor.h"
+ #include "myproposal.h"
++#include "xmalloc.h"
+
+ #include "ssherr.h"
+ #include "sshbuf.h"
+@@ -739,6 +740,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
@@ -1485,7 +1300,7 @@ index 8a0f16513..e4a2362bd 100644
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
-index 0caf42b50..32da837f8 100644
+index 34665eb20..d3c57a329 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,15 @@ enum kex_exchange {
@@ -1517,21 +1332,17 @@ index 0caf42b50..32da837f8 100644
char *failed_choice;
int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
-@@ -185,11 +200,13 @@ struct kex {
-
+@@ -188,7 +203,9 @@ u_int kex_type_from_name(const char *);
+ int kex_hash_from_name(const char *);
+ int kex_nid_from_name(const char *);
int kex_names_valid(const char *);
++int kex_gss_names_valid(const char *);
char *kex_alg_list(char);
+char *kex_gss_alg_list(char);
char *kex_names_cat(const char *, const char *);
+ int kex_has_any_alg(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
- void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
- const char *, const char *, const char *, const char *, const char *);
- void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
-+int kex_gss_names_valid(const char *);
-
- int kex_exchange_identification(struct ssh *, int, const char *);
-
-@@ -219,6 +236,12 @@ int kexgex_client(struct ssh *);
+@@ -224,6 +241,12 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *);
int kex_gen_server(struct ssh *);
@@ -1544,7 +1355,7 @@ index 0caf42b50..32da837f8 100644
int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
-@@ -251,6 +274,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
+@@ -256,6 +279,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
const BIGNUM *, const u_char *, size_t,
u_char *, size_t *);
@@ -2208,7 +2019,7 @@ index 000000000..2da431428
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/kexgsss.c b/kexgsss.c
new file mode 100644
-index 000000000..40d184170
+index 000000000..1fd1d1e48
--- /dev/null
+++ b/kexgsss.c
@@ -0,0 +1,478 @@
@@ -2310,7 +2121,7 @@ index 000000000..40d184170
+
+ debug2_f("Acquiring credentials");
+
-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
++ if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, oid)))
+ fatal("Unable to acquire credentials for the server");
+
+ do {
@@ -2362,8 +2173,8 @@ index 000000000..40d184170
+ type);
+ }
+
-+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
-+ &send_tok, &ret_flags));
++ maj_status = mm_ssh_gssapi_accept_ctx(ctxt, &recv_tok,
++ &send_tok, &ret_flags);
+
+ gss_release_buffer(&min_status, &recv_tok);
+
@@ -2416,7 +2227,7 @@ index 000000000..40d184170
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
++ if (GSS_ERROR(mm_ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))
+ fatal("Couldn't get MIC");
+
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
@@ -2506,7 +2317,7 @@ index 000000000..40d184170
+
+ debug2_f("Acquiring credentials");
+
-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
++ if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, oid)))
+ fatal("Unable to acquire credentials for the server");
+
+ /* 5. S generates an ephemeral key pair (do the allocations early) */
@@ -2532,7 +2343,7 @@ index 000000000..40d184170
+ if (max < min || nbits < min || max < nbits)
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
+ min, nbits, max);
-+ kex->dh = PRIVSEP(choose_dh(min, nbits, max));
++ kex->dh = mm_choose_dh(min, nbits, max);
+ if (kex->dh == NULL) {
+ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
+ fatal("Protocol error: no matching group found");
@@ -2579,8 +2390,8 @@ index 000000000..40d184170
+ type);
+ }
+
-+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
-+ &send_tok, &ret_flags));
++ maj_status = mm_ssh_gssapi_accept_ctx(ctxt, &recv_tok,
++ &send_tok, &ret_flags);
+
+ gss_release_buffer(&min_status, &recv_tok);
+
@@ -2645,7 +2456,7 @@ index 000000000..40d184170
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
++ if (GSS_ERROR(mm_ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))
+ fatal("Couldn't get MIC");
+
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
@@ -2691,10 +2502,10 @@ index 000000000..40d184170
+}
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/monitor.c b/monitor.c
-index b3ed515ed..2bc152468 100644
+index 9e0e03ea2..92e2ca107 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -142,6 +142,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
+@@ -140,6 +140,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
@@ -2703,7 +2514,7 @@ index b3ed515ed..2bc152468 100644
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -214,11 +216,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2722,7 +2533,7 @@ index b3ed515ed..2bc152468 100644
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
-@@ -287,6 +296,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
+@@ -286,6 +295,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2733,7 +2544,7 @@ index b3ed515ed..2bc152468 100644
/* The first few requests do not require asynchronous access */
while (!authenticated) {
-@@ -403,6 +416,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
+@@ -407,6 +420,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2744,7 +2555,7 @@ index b3ed515ed..2bc152468 100644
if (auth_opts->permit_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1745,6 +1762,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
+@@ -1760,6 +1777,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif
@@ -2762,7 +2573,7 @@ index b3ed515ed..2bc152468 100644
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
-@@ -1837,8 +1865,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1852,8 +1880,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
u_char *p;
int r;
@@ -2773,7 +2584,7 @@ index b3ed515ed..2bc152468 100644
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
fatal_fr(r, "parse");
-@@ -1870,8 +1898,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1885,8 +1913,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 flags = 0; /* GSI needs this */
int r;
@@ -2784,7 +2595,7 @@ index b3ed515ed..2bc152468 100644
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
-@@ -1891,6 +1919,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1906,6 +1934,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2792,7 +2603,7 @@ index b3ed515ed..2bc152468 100644
}
return (0);
}
-@@ -1902,8 +1931,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1917,8 +1946,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 ret;
int r;
@@ -2803,7 +2614,7 @@ index b3ed515ed..2bc152468 100644
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
-@@ -1929,13 +1958,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1944,13 +1973,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
int
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -2825,7 +2636,7 @@ index b3ed515ed..2bc152468 100644
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
-@@ -1944,7 +1977,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1959,7 +1992,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
debug3_f("sending result %d", authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
@@ -2838,7 +2649,7 @@ index b3ed515ed..2bc152468 100644
if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
-@@ -1952,5 +1989,83 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1967,5 +2004,83 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -2924,7 +2735,7 @@ index b3ed515ed..2bc152468 100644
+
+#endif /* GSSAPI */
diff --git a/monitor.h b/monitor.h
-index 683e5e071..2b1a2d590 100644
+index fa48fc69b..7d8f3c6fa 100644
--- a/monitor.h
+++ b/monitor.h
@@ -63,6 +63,8 @@ enum monitor_reqtype {
@@ -2937,10 +2748,10 @@ index 683e5e071..2b1a2d590 100644
struct ssh;
diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 6270d1398..189467037 100644
+index 5358c77a1..cb3261b4d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
-@@ -998,13 +998,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -1054,13 +1054,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
}
int
@@ -2957,7 +2768,7 @@ index 6270d1398..189467037 100644
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd,
-@@ -1017,4 +1019,57 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1073,6 +1075,59 @@ mm_ssh_gssapi_userok(char *user)
debug3_f("user %sauthenticated", authenticated ? "" : "not ");
return (authenticated);
}
@@ -3015,11 +2826,13 @@ index 6270d1398..189467037 100644
+}
+
#endif /* GSSAPI */
+
+ /*
diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 0df49c25b..830fdb308 100644
+index e768036ed..09b0ccaaa 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
-@@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+@@ -64,8 +64,10 @@ void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -3032,7 +2845,7 @@ index 0df49c25b..830fdb308 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index 3a64a0441..91d3c0aa0 100644
+index 4e3791cb7..8bdeb9d08 100644
--- a/readconf.c
+++ b/readconf.c
@@ -70,6 +70,7 @@
@@ -3189,7 +3002,7 @@ index 9447d5d6e..f039c11bd 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
-index 4b434909a..961cf9e45 100644
+index 5b32f0bfc..c1bfca258 100644
--- a/servconf.c
+++ b/servconf.c
@@ -68,6 +68,7 @@
@@ -3198,9 +3011,9 @@ index 4b434909a..961cf9e45 100644
#include "digest.h"
+#include "ssh-gss.h"
- static void add_listen_addr(ServerOptions *, const char *,
- const char *, int);
-@@ -134,8 +135,11 @@ initialize_server_options(ServerOptions *options)
+ #if !defined(SSHD_PAM_SERVICE)
+ # define SSHD_PAM_SERVICE "sshd"
+@@ -137,8 +138,11 @@ initialize_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -3212,7 +3025,7 @@ index 4b434909a..961cf9e45 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->permit_empty_passwd = -1;
-@@ -358,10 +362,18 @@ fill_default_server_options(ServerOptions *options)
+@@ -376,10 +380,18 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -3231,15 +3044,15 @@ index 4b434909a..961cf9e45 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -518,6 +530,7 @@ typedef enum {
- sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
+@@ -558,6 +570,7 @@ typedef enum {
+ sPerSourcePenalties, sPerSourcePenaltyExemptList,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -600,12 +613,22 @@ static struct {
+@@ -643,12 +656,22 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -3262,7 +3075,7 @@ index 4b434909a..961cf9e45 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1618,6 +1641,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1585,6 +1608,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3273,7 +3086,7 @@ index 4b434909a..961cf9e45 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -1626,6 +1653,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1593,6 +1620,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -3296,7 +3109,7 @@ index 4b434909a..961cf9e45 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -3112,6 +3155,10 @@ dump_config(ServerOptions *o)
+@@ -3178,6 +3221,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3308,10 +3121,10 @@ index 4b434909a..961cf9e45 100644
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff --git a/servconf.h b/servconf.h
-index ed7b72e8e..2ce4ae0ad 100644
+index 22b158d10..c1e2751ee 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -139,8 +139,11 @@ typedef struct {
+@@ -149,8 +149,11 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -3324,10 +3137,10 @@ index ed7b72e8e..2ce4ae0ad 100644
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/session.c b/session.c
-index c821dcd44..cbb4edac5 100644
+index c9415114d..3d9a16b1e 100644
--- a/session.c
+++ b/session.c
-@@ -2687,13 +2687,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
+@@ -2672,13 +2672,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
#ifdef KRB5
if (options.kerberos_ticket_cleanup &&
@@ -3350,11 +3163,11 @@ index c821dcd44..cbb4edac5 100644
/* remove agent socket */
diff --git a/ssh-gss.h b/ssh-gss.h
-index a8af117d2..6303ce185 100644
+index 7b14e74a8..0fd77cd45 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,6 +1,6 @@
- /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
+ /* $OpenBSD: ssh-gss.h,v 1.16 2024/05/17 06:42:04 jsg Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -3429,7 +3242,7 @@ index a8af117d2..6303ce185 100644
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
+@@ -108,6 +137,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
struct sshbuf;
int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
@@ -3437,7 +3250,7 @@ index a8af117d2..6303ce185 100644
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
-@@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
+@@ -122,17 +152,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
const char *, const char *, const struct sshbuf *);
@@ -3588,7 +3401,7 @@ index 000000000..a934bda77
+
+#endif /* GSSAPI */
diff --git a/ssh.1 b/ssh.1
-index 936c995ba..877c3bc64 100644
+index f871ff4e4..dc382cd49 100644
--- a/ssh.1
+++ b/ssh.1
@@ -536,7 +536,13 @@ For full details of the options listed below, and their possible values, see
@@ -3652,7 +3465,7 @@ index cc5663562..16197d15d 100644
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index 2931d807e..8e8aeb640 100644
+index 2e1902283..255577462 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -938,10 +938,67 @@ The default is
@@ -3724,19 +3537,10 @@ index 2931d807e..8e8aeb640 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index 745c2a051..b7c376116 100644
+index e63bb5ec6..e27139adf 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -80,8 +80,6 @@
- #endif
-
- /* import */
--extern char *client_version_string;
--extern char *server_version_string;
- extern Options options;
-
- /*
-@@ -224,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -222,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
@@ -3748,7 +3552,7 @@ index 745c2a051..b7c376116 100644
xxx_host = host;
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
-@@ -259,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -257,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
free(hkalgs);
@@ -3761,7 +3565,7 @@ index 745c2a051..b7c376116 100644
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ } else if (options.gss_trust_dns) {
-+ gss_host = remote_hostname(ssh);
++ gss_host = ssh_remote_hostname(ssh);
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
@@ -3791,7 +3595,7 @@ index 745c2a051..b7c376116 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -273,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -271,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3824,7 +3628,7 @@ index 745c2a051..b7c376116 100644
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
kex_proposal_free_entries(myproposal);
-@@ -370,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -368,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3832,7 +3636,7 @@ index 745c2a051..b7c376116 100644
#endif
void userauth(struct ssh *, char *);
-@@ -386,6 +446,11 @@ static char *authmethods_get(void);
+@@ -384,6 +446,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -3844,7 +3648,7 @@ index 745c2a051..b7c376116 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
-@@ -757,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
+@@ -755,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -3853,7 +3657,7 @@ index 745c2a051..b7c376116 100644
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ } else if (options.gss_trust_dns) {
-+ gss_host = remote_hostname(ssh);
++ gss_host = ssh_remote_hostname(ssh);
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
@@ -3878,7 +3682,7 @@ index 745c2a051..b7c376116 100644
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -771,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -769,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3895,7 +3699,7 @@ index 745c2a051..b7c376116 100644
if (!ok || mech == NULL)
return 0;
-@@ -1011,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1009,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
free(lang);
return r;
}
@@ -3951,11 +3755,11 @@ index 745c2a051..b7c376116 100644
#endif /* GSSAPI */
static int
-diff --git a/sshd.c b/sshd.c
-index b4f2b9742..d5c3dfe57 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -798,8 +798,8 @@ notify_hostkeys(struct ssh *ssh)
+diff --git a/sshd-session.c b/sshd-session.c
+index fe6ae7f32..ab88db7c5 100644
+--- a/sshd-session.c
++++ b/sshd-session.c
+@@ -656,8 +656,8 @@ notify_hostkeys(struct ssh *ssh)
}
debug3_f("sent %u hostkeys", nkeys);
if (nkeys == 0)
@@ -3966,17 +3770,7 @@ index b4f2b9742..d5c3dfe57 100644
sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
-@@ -1930,7 +1930,8 @@ main(int ac, char **av)
- free(fp);
- }
- accumulate_host_timing_secret(cfg, NULL);
-- if (!sensitive_data.have_ssh2_key) {
-+ /* The GSSAPI key exchange can run without a host key */
-+ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
- logit("sshd: no hostkeys available -- exiting.");
- exit(1);
- }
-@@ -2402,6 +2403,48 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -1431,6 +1431,48 @@ do_ssh2_kex(struct ssh *ssh)
free(hkalgs);
@@ -4025,10 +3819,10 @@ index b4f2b9742..d5c3dfe57 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -2419,7 +2462,18 @@ do_ssh2_kex(struct ssh *ssh)
- # ifdef OPENSSL_HAS_ECC
+@@ -1448,7 +1490,18 @@ do_ssh2_kex(struct ssh *ssh)
+ #ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
- # endif
+ #endif
-#endif
+# ifdef GSSAPI
+ if (options.gss_keyex) {
@@ -4045,6 +3839,20 @@ index b4f2b9742..d5c3dfe57 100644
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
kex->load_host_public_key=&get_hostkey_public_by_type;
+diff --git a/sshd.c b/sshd.c
+index ed54fc6d6..54c65dfe6 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1551,7 +1551,8 @@ main(int ac, char **av)
+ free(fp);
+ }
+ accumulate_host_timing_secret(cfg, NULL);
+- if (!sensitive_data.have_ssh2_key) {
++ /* The GSSAPI key exchange can run without a host key */
++ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
+ logit("sshd: no hostkeys available -- exiting.");
+ exit(1);
+ }
diff --git a/sshd_config b/sshd_config
index 36894ace5..ecfe8d026 100644
--- a/sshd_config
@@ -4059,7 +3867,7 @@ index 36894ace5..ecfe8d026 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index a0f16874f..c0c1b0d9a 100644
+index 1ab0f41d9..5e41f0478 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache
@@ -4140,7 +3948,7 @@ index d4356e72c..c7abbe298 100644
if (!include_sigonly && impl->sigonly)
continue;
diff --git a/sshkey.h b/sshkey.h
-index 708f2da86..dddb40fe2 100644
+index 32933bbbd..dc5d3051b 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -71,6 +71,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 3b207db..a828ce2 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 50a68a21649c42d5587e78cab2c63ee3add81dd4 Mon Sep 17 00:00:00 2001
+From fb7c10aae7ed2d9216b16ae5e172f45a2bdcd336 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 0f0fb67a5..c6e609fca 100644
+index cd1ebc85d..7d7296960 100644
--- a/readconf.c
+++ b/readconf.c
@@ -182,6 +182,7 @@ typedef enum {
@@ -72,7 +72,7 @@ index 0f0fb67a5..c6e609fca 100644
options->server_alive_count_max = 3;
if (options->control_master == -1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 8e8aeb640..6b482ee15 100644
+index 255577462..c6041339b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -297,9 +297,13 @@ If set to
@@ -90,7 +90,7 @@ index 8e8aeb640..6b482ee15 100644
The argument must be
.Cm yes
or
-@@ -1923,7 +1927,14 @@ from the server,
+@@ -1927,7 +1931,14 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
@@ -106,7 +106,7 @@ index 8e8aeb640..6b482ee15 100644
.It Cm SessionType
May be used to either request invocation of a subsystem on the remote system,
or to prevent the execution of a remote command at all.
-@@ -2037,6 +2048,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -2041,6 +2052,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 8e8aeb640..6b482ee15 100644
connections will die if the route is down temporarily, and some people
find it annoying.
diff --git a/sshd_config.5 b/sshd_config.5
-index c0c1b0d9a..e06ef8abd 100644
+index 5e41f0478..5dd656869 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -1859,6 +1859,9 @@ This avoids infinitely hanging sessions.
+@@ -1959,6 +1959,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index bd5733b..d7f37fc 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 8bc03da34ff88845e6b10631719f872e81eaea74 Mon Sep 17 00:00:00 2001
+From 95b7dc366c3f27e7bd524a64bae2754eef9935d5 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@gmail.com>
Date: Fri, 5 Nov 2021 23:22:53 +0000
Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index a26d2b1..4c2aab3 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 60c7e9102d69c1b2a50fd58c9a322d8e6d1d2117 Mon Sep 17 00:00:00 2001
+From 63207b21b9f33cf60e79a9c0484e609c5bf4c08b Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
-index 1d5bcc782..23f79ed2b 100644
+index 1b7e804fb..cbfc20735 100644
--- a/sshconnect.c
+++ b/sshconnect.c
-@@ -1277,9 +1277,13 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
+@@ -1307,9 +1307,13 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 1d5bcc782..23f79ed2b 100644
}
/* The host key has changed. */
warn_changed_key(host_key);
-@@ -1291,6 +1295,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
+@@ -1321,6 +1325,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 1fc4765..4f937be 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 03ba0382a8ac499aba50aa0203d89586fa785628 Mon Sep 17 00:00:00 2001
+From 302f656d6976c077f55f75a339f63b0c30a6c447 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index b8eb435..dfbbade 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 5ec3ad9b1f13f624244f7dea20d43e8972ce9e97 Mon Sep 17 00:00:00 2001
+From 8fb4b76677be4fdb1ce0e45148b4c2d40f177964 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
@@ -6,21 +6,18 @@ Subject: Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
https://bugs.debian.org/154434 (login.conf(5))
https://bugs.debian.org/513417 (/etc/rc)
- https://bugs.debian.org/530692 (ssl(8))
- https://bugs.launchpad.net/bugs/456660 (ssl(8))
https://bugs.debian.org/998069 (rdomain(4))
Forwarded: not-needed
-Last-Update: 2023-09-02
+Last-Update: 2024-07-03
Patch-Name: openbsd-docs.patch
---
moduli.5 | 4 ++--
ssh-keygen.1 | 12 ++++--------
- ssh.1 | 4 ++++
sshd.8 | 5 ++---
sshd_config.5 | 40 ++--------------------------------------
- 5 files changed, 14 insertions(+), 51 deletions(-)
+ 4 files changed, 10 insertions(+), 51 deletions(-)
diff --git a/moduli.5 b/moduli.5
index 5086a6d42..6dffdc7e6 100644
@@ -45,10 +42,10 @@ index 5086a6d42..6dffdc7e6 100644
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index c392141ea..1155cf555 100644
+index df6803fd9..0617d0dc2 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
-@@ -212,9 +212,7 @@ key in
+@@ -211,9 +211,7 @@ key in
.Pa ~/.ssh/id_ed25519_sk
or
.Pa ~/.ssh/id_rsa .
@@ -59,7 +56,7 @@ index c392141ea..1155cf555 100644
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
-@@ -279,9 +277,7 @@ If
+@@ -278,9 +276,7 @@ If
.Fl f
has also been specified, its argument is used as a prefix to the
default path for the resulting host key files.
@@ -70,7 +67,7 @@ index c392141ea..1155cf555 100644
.It Fl a Ar rounds
When saving a private key, this option specifies the number of KDF
(key derivation function, currently
-@@ -864,7 +860,7 @@ option.
+@@ -860,7 +856,7 @@ option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
@@ -79,7 +76,7 @@ index c392141ea..1155cf555 100644
It is important that this file contains moduli of a range of bit lengths.
.Pp
A number of options are available for moduli generation and screening via the
-@@ -1322,7 +1318,7 @@ on all machines
+@@ -1316,7 +1312,7 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
@@ -88,23 +85,8 @@ index c392141ea..1155cf555 100644
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
-diff --git a/ssh.1 b/ssh.1
-index 2d07c919e..60e97dc62 100644
---- a/ssh.1
-+++ b/ssh.1
-@@ -939,6 +939,10 @@ implements public key authentication protocol automatically,
- using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
- The HISTORY section of
- .Xr ssl 8
-+(on non-OpenBSD systems, see
-+.nh
-+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
-+.hy
- contains a brief discussion of the DSA and RSA algorithms.
- .Pp
- The file
diff --git a/sshd.8 b/sshd.8
-index 8efeacdf1..6527e28a3 100644
+index e2a621950..2469bfff8 100644
--- a/sshd.8
+++ b/sshd.8
@@ -64,7 +64,7 @@ over an insecure network.
@@ -116,7 +98,7 @@ index 8efeacdf1..6527e28a3 100644
It forks a new
daemon for each incoming connection.
The forked daemons handle
-@@ -935,7 +935,7 @@ This file is for host-based authentication (see
+@@ -932,7 +932,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
@@ -125,7 +107,7 @@ index 8efeacdf1..6527e28a3 100644
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
-@@ -1033,7 +1033,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -1030,7 +1030,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
@@ -134,7 +116,7 @@ index 8efeacdf1..6527e28a3 100644
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
-index 1a8febfa6..0e8891c4f 100644
+index 81671fb99..9d33cb472 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1001,9 +1001,6 @@ for interactive sessions and
@@ -147,7 +129,7 @@ index 1a8febfa6..0e8891c4f 100644
The default is
.Cm yes .
The argument to this keyword must be
-@@ -1107,45 +1104,33 @@ The following forms may be used:
+@@ -1112,45 +1109,33 @@ The following forms may be used:
.Sm off
.Ar hostname | address
.Sm on
@@ -194,7 +176,7 @@ index 1a8febfa6..0e8891c4f 100644
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
-@@ -1271,14 +1256,8 @@ The available criteria are
+@@ -1276,14 +1261,8 @@ The available criteria are
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
@@ -210,7 +192,7 @@ index 1a8febfa6..0e8891c4f 100644
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
-@@ -1350,7 +1329,6 @@ Available keywords are
+@@ -1356,7 +1335,6 @@ Available keywords are
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
@@ -218,7 +200,7 @@ index 1a8febfa6..0e8891c4f 100644
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
-@@ -1745,15 +1723,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
+@@ -1838,15 +1816,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
@@ -234,7 +216,7 @@ index 1a8febfa6..0e8891c4f 100644
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
-@@ -2080,8 +2049,6 @@ A literal
+@@ -2180,8 +2149,6 @@ A literal
Identifies the connection endpoints, containing
four space-separated values: client address, client port number,
server address, and server port number.
@@ -243,7 +225,7 @@ index 1a8febfa6..0e8891c4f 100644
.It %F
The fingerprint of the CA key.
.It %f
-@@ -2120,9 +2087,6 @@ accepts the tokens %%, %h, %U, and %u.
+@@ -2220,9 +2187,6 @@ accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 1a81e91..dd905fc 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From eb68bf3cb81031d4a765b9c7745842bb49b7b3bb Mon Sep 17 00:00:00 2001
+From 4d194d912805d3314bd610cca3eca2e6a927ab7f Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
-index e4a2362bd..4e988e39b 100644
+index fd018021e..744fb27fb 100644
--- a/kex.c
+++ b/kex.c
-@@ -1563,7 +1563,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1257,7 +1257,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
@@ -31,11 +31,11 @@ index e4a2362bd..4e988e39b 100644
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/version.h b/version.h
-index 052a5817b..0124a77d3 100644
+index 81b7645a7..3b43b47e5 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
- #define SSH_VERSION "OpenSSH_9.7"
+ #define SSH_VERSION "OpenSSH_9.8"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
index 2887ee4..f034a8d 100644
--- a/debian/patches/pam-avoid-unknown-host.patch
+++ b/debian/patches/pam-avoid-unknown-host.patch
@@ -1,4 +1,4 @@
-From d4ae5b68870bf65747084f4ed3060bb13c586c9e Mon Sep 17 00:00:00 2001
+From 7406e666efe2d19e93cf6f50735b3a927bc3dfce Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
@@ -20,7 +20,7 @@ Patch-Name: pam-avoid-unknown-host.patch
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth-pam.c b/auth-pam.c
-index b49d415e7..81de88bba 100644
+index 13c0a792e..b22883b95 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch
index bdf1449..a1f8670 100644
--- a/debian/patches/regress-conch-dev-zero.patch
+++ b/debian/patches/regress-conch-dev-zero.patch
@@ -1,4 +1,4 @@
-From 6bd1413e583b16d600b39b15203b5b78a4e77f0a Mon Sep 17 00:00:00 2001
+From 5f5e44903a2dbd0381d4395e53444d17b2d1b494 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 31 Mar 2024 00:24:11 +0000
Subject: regress: Redirect conch stdin from /dev/zero
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 9e540cf..015efa8 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 06af6b2c9be423445bab0c964f4e85f439a91278 Mon Sep 17 00:00:00 2001
+From 48001bae6c31c7d0e1c73a134456ccd109041892 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index ee53872..7ea30ff 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From f6856e554804e6bd6c93fb48bea73a26f912ad7f Mon Sep 17 00:00:00 2001
+From 33df9974b50dda9718f7e31ca8568432edd97168 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
@@ -18,20 +18,20 @@ but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
-Last-Update: 2022-02-23
+Last-Update: 2024-07-03
Patch-Name: restore-tcp-wrappers.patch
---
- configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- sshd.8 | 7 +++++++
- sshd.c | 25 +++++++++++++++++++++++
+ configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ sshd-session.c | 25 ++++++++++++++++++++++
+ sshd.8 | 7 +++++++
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
-index bb3e644fe..2b2c4f086 100644
+index dc274329f..f6bca2631 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1685,6 +1685,62 @@ else
+@@ -1686,6 +1686,62 @@ else
AC_MSG_RESULT([no])
fi
@@ -94,7 +94,7 @@ index bb3e644fe..2b2c4f086 100644
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
-@@ -5707,6 +5763,7 @@ echo " PAM support: $PAM_MSG"
+@@ -5723,6 +5779,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
@@ -102,36 +102,11 @@ index bb3e644fe..2b2c4f086 100644
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
-diff --git a/sshd.8 b/sshd.8
-index 73d5e9232..8efeacdf1 100644
---- a/sshd.8
-+++ b/sshd.8
-@@ -924,6 +924,12 @@ the user's home directory becomes accessible.
- This file should be writable only by the user, and need not be
- readable by anyone else.
- .Pp
-+.It Pa /etc/hosts.allow
-+.It Pa /etc/hosts.deny
-+Access controls that should be enforced by tcp-wrappers are defined here.
-+Further details are described in
-+.Xr hosts_access 5 .
-+.Pp
- .It Pa /etc/hosts.equiv
- This file is for host-based authentication (see
- .Xr ssh 1 ) .
-@@ -1026,6 +1032,7 @@ The content of this file is not sensitive; it can be world-readable.
- .Xr ssh-keygen 1 ,
- .Xr ssh-keyscan 1 ,
- .Xr chroot 2 ,
-+.Xr hosts_access 5 ,
- .Xr login.conf 5 ,
- .Xr moduli 5 ,
- .Xr sshd_config 5 ,
-diff --git a/sshd.c b/sshd.c
-index d5c3dfe57..87e25d19b 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -128,6 +128,13 @@
+diff --git a/sshd-session.c b/sshd-session.c
+index ab88db7c5..a9fa63224 100644
+--- a/sshd-session.c
++++ b/sshd-session.c
+@@ -110,6 +110,13 @@
#include "srclimit.h"
#include "dh.h"
@@ -145,7 +120,7 @@ index d5c3dfe57..87e25d19b 100644
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -2200,6 +2207,24 @@ main(int ac, char **av)
+@@ -1254,6 +1261,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
@@ -170,3 +145,28 @@ index d5c3dfe57..87e25d19b 100644
rdomain = ssh_packet_rdomain_in(ssh);
+diff --git a/sshd.8 b/sshd.8
+index c0f095ca4..e2a621950 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -921,6 +921,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -1023,6 +1029,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 0b33aee..6a19674 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From d9fbfaf30a64cff9b4fdad1ff0974e239f29f7db Mon Sep 17 00:00:00 2001
+From 32d1b39b53a11db1efbb6ac84ea589bc7b699e35 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,7 +24,7 @@ Patch-Name: revert-ipqos-defaults.patch
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
-index 720062bcc..f1d4566e2 100644
+index 1b64b7af5..a60aed047 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2891,9 +2891,9 @@ fill_default_options(Options * options)
@@ -40,10 +40,10 @@ index 720062bcc..f1d4566e2 100644
options->request_tty = REQUEST_TTY_AUTO;
if (options->session_type == -1)
diff --git a/servconf.c b/servconf.c
-index 12aa1f4ad..23828a62d 100644
+index 81511bc86..86c798b34 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -439,9 +439,9 @@ fill_default_server_options(ServerOptions *options)
+@@ -479,9 +479,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
@@ -56,10 +56,10 @@ index 12aa1f4ad..23828a62d 100644
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
-index c2789a09d..a793b1ddb 100644
+index 091b933b4..98a2ef60b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1323,11 +1323,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1322,11 +1322,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
@@ -74,7 +74,7 @@ index c2789a09d..a793b1ddb 100644
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
-index 12083e839..beb12acef 100644
+index 1f6c42523..1edd6c812 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1022,11 +1022,9 @@ If one argument is specified, it is used as the packet class unconditionally.
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index f450ef7..2a6fb1f 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 5c274c836094e9091ebad95435d79780a4316020 Mon Sep 17 00:00:00 2001
+From 2dd3363f6032ac203829e941bdac111e1dcf7012 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
-index 492dace12..49c86b66c 100644
+index 0779c3c2b..4f8c691b3 100644
--- a/scp.c
+++ b/scp.c
-@@ -239,8 +239,16 @@ do_local_cmd(arglist *a)
+@@ -241,8 +241,16 @@ do_local_cmd(arglist *a)
if (verbose_mode) {
fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 4287d28..c160e00 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 13a9ed0149b0861aac9c6c6f078ff42a5d8839f0 Mon Sep 17 00:00:00 2001
+From 1b327bbfa9728e3e2f9ec02371b94069c9664f2f Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2021-11-05
+Last-Update: 2024-07-03
Patch-Name: selinux-role.patch
---
@@ -23,15 +23,15 @@ Patch-Name: selinux-role.patch
openbsd-compat/port-linux.h | 4 ++--
platform.c | 4 ++--
platform.h | 2 +-
- session.c | 10 +++++-----
+ session.c | 8 ++++----
session.h | 2 +-
- sshd.c | 2 +-
+ sshd-session.c | 2 +-
sshpty.c | 4 ++--
sshpty.h | 2 +-
- 15 files changed, 99 insertions(+), 31 deletions(-)
+ 15 files changed, 98 insertions(+), 30 deletions(-)
diff --git a/auth.h b/auth.h
-index 6d2d39762..d16dc66b8 100644
+index 98bb23d4c..59799a812 100644
--- a/auth.h
+++ b/auth.h
@@ -65,6 +65,7 @@ struct Authctxt {
@@ -43,7 +43,7 @@ index 6d2d39762..d16dc66b8 100644
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff --git a/auth2.c b/auth2.c
-index 514a697ca..12210c043 100644
+index f75f1d20d..44558851e 100644
--- a/auth2.c
+++ b/auth2.c
@@ -272,7 +272,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -69,19 +69,18 @@ index 514a697ca..12210c043 100644
if (authctxt->attempt >= 1024)
auth_maxtries_exceeded(ssh);
-@@ -316,8 +321,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
- use_privsep ? " [net]" : "");
+@@ -315,7 +320,8 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+ setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
+- mm_inform_authserv(service, style);
+ authctxt->role = role ? xstrdup(role) : NULL;
- if (use_privsep)
-- mm_inform_authserv(service, style);
-+ mm_inform_authserv(service, style, role);
++ mm_inform_authserv(service, style, role);
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
diff --git a/monitor.c b/monitor.c
-index 2bc152468..c7e6f25d7 100644
+index 92e2ca107..62cc2da6b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -92,7 +91,7 @@ index 2bc152468..c7e6f25d7 100644
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -192,6 +193,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +99,7 @@ index 2bc152468..c7e6f25d7 100644
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -817,6 +819,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -832,6 +834,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +107,7 @@ index 2bc152468..c7e6f25d7 100644
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
-@@ -850,15 +853,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -865,15 +868,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit_authentications(1);
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -153,7 +152,7 @@ index 2bc152468..c7e6f25d7 100644
return (0);
}
-@@ -1579,7 +1609,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1594,7 +1624,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
@@ -163,7 +162,7 @@ index 2bc152468..c7e6f25d7 100644
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, s->tty)) != 0)
diff --git a/monitor.h b/monitor.h
-index 2b1a2d590..4d87284aa 100644
+index 7d8f3c6fa..d84415fe2 100644
--- a/monitor.h
+++ b/monitor.h
@@ -65,6 +65,8 @@ enum monitor_reqtype {
@@ -176,10 +175,10 @@ index 2b1a2d590..4d87284aa 100644
struct ssh;
diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 189467037..4b986ded6 100644
+index cb3261b4d..60c339d02 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
-@@ -375,10 +375,10 @@ mm_auth2_read_banner(void)
+@@ -431,10 +431,10 @@ mm_auth2_read_banner(void)
return (banner);
}
@@ -192,7 +191,7 @@ index 189467037..4b986ded6 100644
{
struct sshbuf *m;
int r;
-@@ -388,7 +388,8 @@ mm_inform_authserv(char *service, char *style)
+@@ -444,7 +444,8 @@ mm_inform_authserv(char *service, char *style)
if ((m = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
if ((r = sshbuf_put_cstring(m, service)) != 0 ||
@@ -202,7 +201,7 @@ index 189467037..4b986ded6 100644
fatal_fr(r, "assemble");
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
-@@ -396,6 +397,26 @@ mm_inform_authserv(char *service, char *style)
+@@ -452,6 +453,26 @@ mm_inform_authserv(char *service, char *style)
sshbuf_free(m);
}
@@ -230,10 +229,10 @@ index 189467037..4b986ded6 100644
int
mm_auth_password(struct ssh *ssh, char *password)
diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 830fdb308..c84f96d0c 100644
+index 09b0ccaaa..2493da591 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
-@@ -48,7 +48,8 @@ DH *mm_choose_dh(int, int, int);
+@@ -45,7 +45,8 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
@@ -244,10 +243,10 @@ index 830fdb308..c84f96d0c 100644
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 0457e28d0..0394f4808 100644
+index 4c024c6d2..4fe61f020 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
-@@ -57,7 +57,7 @@ ssh_selinux_enabled(void)
+@@ -65,7 +65,7 @@ ssh_selinux_enabled(void)
/* Return the default security context for the given username */
static char *
@@ -256,7 +255,7 @@ index 0457e28d0..0394f4808 100644
{
char *sc = NULL, *sename = NULL, *lvl = NULL;
int r;
-@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -79,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
#endif
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -275,7 +274,7 @@ index 0457e28d0..0394f4808 100644
#endif
if (r != 0) {
-@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -111,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
/* Set the execution context to the default for the specified user */
void
@@ -284,7 +283,7 @@ index 0457e28d0..0394f4808 100644
{
char *user_ctx = NULL;
-@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -120,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
debug3("%s: setting execution context", __func__);
@@ -293,7 +292,7 @@ index 0457e28d0..0394f4808 100644
if (setexeccon(user_ctx) != 0) {
switch (security_getenforce()) {
case -1:
-@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -142,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
/* Set the TTY context for the specified user */
void
@@ -302,7 +301,7 @@ index 0457e28d0..0394f4808 100644
{
char *new_tty_ctx = NULL, *user_ctx = NULL, *old_tty_ctx = NULL;
security_class_t chrclass;
-@@ -144,7 +151,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+@@ -152,7 +159,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
@@ -312,7 +311,7 @@ index 0457e28d0..0394f4808 100644
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index 3c22a854d..c88129428 100644
+index 14064f87d..6c4c37115 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
@@ -327,10 +326,10 @@ index 3c22a854d..c88129428 100644
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/platform.c b/platform.c
-index 4fe8744ee..70c3a9b58 100644
+index 4c4fe57ea..f3dc7c3a8 100644
--- a/platform.c
+++ b/platform.c
-@@ -144,7 +144,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *pw)
* called if sshd is running as root.
*/
void
@@ -339,7 +338,7 @@ index 4fe8744ee..70c3a9b58 100644
{
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
/*
-@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -140,7 +140,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
@@ -349,10 +348,10 @@ index 4fe8744ee..70c3a9b58 100644
}
diff --git a/platform.h b/platform.h
-index 7fef8c983..027fdfb51 100644
+index 5dec23276..1b77c3e3d 100644
--- a/platform.h
+++ b/platform.h
-@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
+@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
void platform_post_fork_child(void);
int platform_privileged_uidswap(void);
void platform_setusercontext(struct passwd *);
@@ -362,10 +361,10 @@ index 7fef8c983..027fdfb51 100644
char *platform_krb5_get_principal_name(const char *);
int platform_locked_account(struct passwd *);
diff --git a/session.c b/session.c
-index cbb4edac5..2cb7d0c71 100644
+index 3d9a16b1e..1c67f9fd1 100644
--- a/session.c
+++ b/session.c
-@@ -1355,7 +1355,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1344,7 +1344,7 @@ safely_chroot(const char *path, uid_t uid)
/* Set login name, uid, gid, and groups. */
void
@@ -374,7 +373,7 @@ index cbb4edac5..2cb7d0c71 100644
{
char uidstr[32], *chroot_path, *tmp;
-@@ -1383,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1372,7 +1372,7 @@ do_setusercontext(struct passwd *pw)
endgrent();
#endif
@@ -383,7 +382,7 @@ index cbb4edac5..2cb7d0c71 100644
if (!in_chroot && options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1527,7 +1527,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1516,7 +1516,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -392,7 +391,7 @@ index cbb4edac5..2cb7d0c71 100644
child_close_fds(ssh);
do_pwchange(s);
exit(1);
-@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1534,7 +1534,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam)
do_nologin(pw);
@@ -401,15 +400,6 @@ index cbb4edac5..2cb7d0c71 100644
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
-@@ -1941,7 +1941,7 @@ session_pty_req(struct ssh *ssh, Session *s)
- sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
-
- if (!use_privsep)
-- pty_setowner(s->pw, s->tty);
-+ pty_setowner(s->pw, s->tty, s->authctxt->role);
-
- /* Set window size from the packet. */
- pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
diff --git a/session.h b/session.h
index 344a1ddf9..20ea822a7 100644
--- a/session.h
@@ -423,19 +413,19 @@ index 344a1ddf9..20ea822a7 100644
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
-diff --git a/sshd.c b/sshd.c
-index 87e25d19b..9c9f38e5b 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -579,7 +579,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
- reseed_prngs();
+diff --git a/sshd-session.c b/sshd-session.c
+index a9fa63224..f0fd85367 100644
+--- a/sshd-session.c
++++ b/sshd-session.c
+@@ -438,7 +438,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
/* Drop privileges */
-- do_setusercontext(authctxt->pw);
-+ do_setusercontext(authctxt->pw, authctxt->role);
+ if (!skip_privdrop)
+- do_setusercontext(authctxt->pw);
++ do_setusercontext(authctxt->pw, authctxt->role);
- skip:
/* It is safe now to apply the key state */
+ monitor_apply_keystate(ssh, pmonitor);
diff --git a/sshpty.c b/sshpty.c
index cae0b977a..7870c6482 100644
--- a/sshpty.c
diff --git a/debian/patches/series b/debian/patches/series
index d15e32f..d3f0413 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,15 +18,12 @@ doc-hash-tab-completion.patch
ssh-agent-setgid.patch
no-openssl-version-status.patch
gnome-ssh-askpass2-icon.patch
-systemd-readiness.patch
debian-config.patch
restore-authorized_keys2.patch
revert-ipqos-defaults.patch
maxhostnamelen.patch
systemd-socket-activation.patch
skip-utimensat-test-on-zfs.patch
-zero-call-used-regs-m68k.patch
regress-conch-dev-zero.patch
configure-cache-vars.patch
pam-avoid-unknown-host.patch
-sshsigdie-async-signal-unsafe.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 40fec93..8bb7463 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 09466af13847aea5aa2ff17c29181c6e55e31dc2 Mon Sep 17 00:00:00 2001
+From 71863958087495c9d4a4c83ca6e3fbed58ae4e81 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
-index d8efc50ce..1d5bcc782 100644
+index 7cf6b6386..1b7e804fb 100644
--- a/sshconnect.c
+++ b/sshconnect.c
-@@ -247,7 +247,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
+@@ -248,7 +248,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
* extra privileges above.
*/
ssh_signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index d8efc50ce..1d5bcc782 100644
perror(argv[0]);
exit(1);
}
-@@ -1680,7 +1680,7 @@ ssh_local_cmd(const char *args)
+@@ -1710,7 +1710,7 @@ ssh_local_cmd(const char *args)
if (pid == 0) {
ssh_signal(SIGPIPE, SIG_DFL);
debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
index 6a50e08..c6cf03c 100644
--- a/debian/patches/skip-utimensat-test-on-zfs.patch
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -1,4 +1,4 @@
-From c295622811895faaf4c0be0820cbb919c80b1143 Mon Sep 17 00:00:00 2001
+From 2c0e4142af77c5c70cc81a87f5d263cef3c73ac2 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 11 Mar 2024 16:24:49 +0000
Subject: Skip utimensat test on ZFS
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 1f78cef..04b283a 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 93c14bbee1fee649dd5b8f0e5fa7f8904b1a2a71 Mon Sep 17 00:00:00 2001
+From 0b96d5e106fc2e4bc1ff04c7527c731f1a0d0aea Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index b2e7bbf..6679961 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 50eb278261460a0ddc942b72b1542910c17966ad Mon Sep 17 00:00:00 2001
+From 9d91d0ec92d7b3e6cd5404fa447fc9eea35bb870 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
1 file changed, 1 insertion(+)
diff --git a/ssh.1 b/ssh.1
-index 60e97dc62..0d56f3dc1 100644
+index 55bc1faef..c8c5558e5 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -1681,6 +1681,7 @@ if an error occurred.
+@@ -1666,6 +1666,7 @@ if an error occurred.
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index f517596..d0c82ea 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 2d6d05de518be9a3b3724a951e9dcb57e4c6124e Mon Sep 17 00:00:00 2001
+From 996f025eb2f6521e3fb4a7b527ec4eaceebe8156 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
-index 91d3c0aa0..0f0fb67a5 100644
+index 8bdeb9d08..cd1ebc85d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -197,6 +197,7 @@ static struct {
@@ -29,10 +29,10 @@ index 91d3c0aa0..0f0fb67a5 100644
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
-index 961cf9e45..193d73cca 100644
+index c1bfca258..169b9ff07 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -649,6 +649,7 @@ static struct {
+@@ -692,6 +692,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/sshsigdie-async-signal-unsafe.patch b/debian/patches/sshsigdie-async-signal-unsafe.patch
deleted file mode 100644
index 2d27ecb..0000000
--- a/debian/patches/sshsigdie-async-signal-unsafe.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7f4a743171f9e6b283207d448de6562219774fbf Mon Sep 17 00:00:00 2001
-From: Salvatore Bonaccorso <carnil@debian.org>
-Date: Tue, 25 Jun 2024 12:24:29 +0100
-Subject: Disable async-signal-unsafe code from the sshsigdie() function
-
-Address signal handler race condition: if a client does not authenticate
-within LoginGraceTime seconds (120 by default, 600 in old OpenSSH
-versions), then sshd's SIGALRM handler is called asynchronously, but
-this signal handler calls various functions that are not
-async-signal-safe (for example, syslog()).
-
-This is a regression from CVE-2006-5051 ("Signal handler race condition
-in OpenSSH before 4.4 allows remote attackers to cause a denial of
-service (crash), and possibly execute arbitrary code")
-
-Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
-
-Patch-Name: sshsigdie-async-signal-unsafe.patch
----
- log.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/log.c b/log.c
-index 6a8b1fc4a..57256660f 100644
---- a/log.c
-+++ b/log.c
-@@ -452,12 +452,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
- LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#if 0
- va_list args;
-
- va_start(args, fmt);
- sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- suffix, fmt, args);
- va_end(args);
-+#endif
- _exit(1);
- }
-
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 7704549..d6f5d84 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 1b1705fba0225804c8ecec8b3a911d4407248c91 Mon Sep 17 00:00:00 2001
+From 0b5e808eb7513943a5270563729da56c66ece9ad Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/log.c b/log.c
-index 9fc1a2e2e..6a8b1fc4a 100644
+index 23ad10c02..133b5fa7d 100644
--- a/log.c
+++ b/log.c
@@ -96,6 +96,7 @@ static struct {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
deleted file mode 100644
index 883e35b..0000000
--- a/debian/patches/systemd-readiness.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 3d48cca71737962972c5bbd0171919ecbc348443 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 3 Apr 2024 14:40:32 +1100
-Subject: notify systemd on listen and reload
-
-Standalone implementation that does not depend on libsystemd.
-With assistance from Luca Boccassi, and feedback/testing from Colin
-Watson. bz2641
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
-Bug-Debian: https://bugs.debian.org/778913
-Last-Update: 2024-04-03
-
-Patch-Name: systemd-readiness.patch
----
- configure.ac | 1 +
- openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
- openbsd-compat/port-linux.h | 5 ++
- platform.c | 11 +++++
- platform.h | 1 +
- sshd.c | 2 +
- 6 files changed, 115 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 2b2c4f086..c7b563ef2 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -939,6 +939,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
- AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
- AC_DEFINE([USE_BTMP])
- AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
-+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
- inet6_default_4in6=yes
- case `uname -r` in
- 1.*|2.0.*)
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 0394f4808..8e2824594 100644
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -21,16 +21,23 @@
-
- #include "includes.h"
-
--#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
-+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
-+ defined(SYSTEMD_NOTIFY)
-+#include <sys/socket.h>
-+#include <sys/un.h>
-+
- #include <errno.h>
-+#include <inttypes.h>
- #include <stdarg.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <time.h>
-
- #include "log.h"
- #include "xmalloc.h"
- #include "port-linux.h"
-+#include "misc.h"
-
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
-@@ -317,4 +324,90 @@ oom_adjust_restore(void)
- return;
- }
- #endif /* LINUX_OOM_ADJUST */
--#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-+
-+#ifdef SYSTEMD_NOTIFY
-+
-+static void ssh_systemd_notify(const char *, ...)
-+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
-+
-+static void
-+ssh_systemd_notify(const char *fmt, ...)
-+{
-+ char *s = NULL;
-+ const char *path;
-+ struct stat sb;
-+ struct sockaddr_un addr;
-+ int fd = -1;
-+ va_list ap;
-+
-+ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
-+ return;
-+
-+ va_start(ap, fmt);
-+ xvasprintf(&s, fmt, ap);
-+ va_end(ap);
-+
-+ /* Only AF_UNIX is supported, with path or abstract sockets */
-+ if (path[0] != '/' && path[0] != '@') {
-+ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
-+ goto out;
-+ }
-+
-+ if (path[0] == '/' && stat(path, &sb) != 0) {
-+ error_f("socket \"%s\" stat: %s", path, strerror(errno));
-+ goto out;
-+ }
-+
-+ memset(&addr, 0, sizeof(addr));
-+ addr.sun_family = AF_UNIX;
-+ if (strlcpy(addr.sun_path, path,
-+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
-+ error_f("socket path \"%s\" too long", path);
-+ goto out;
-+ }
-+ /* Support for abstract socket */
-+ if (addr.sun_path[0] == '@')
-+ addr.sun_path[0] = 0;
-+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
-+ error_f("socket \"%s\": %s", path, strerror(errno));
-+ goto out;
-+ }
-+ if (connect(fd, &addr, sizeof(addr)) != 0) {
-+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
-+ goto out;
-+ }
-+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
-+ error_f("socket \"%s\" write: %s", path, strerror(errno));
-+ goto out;
-+ }
-+ debug_f("socket \"%s\" notified %s", path, s);
-+ out:
-+ if (fd != -1)
-+ close(fd);
-+ free(s);
-+}
-+
-+void
-+ssh_systemd_notify_ready(void)
-+{
-+ ssh_systemd_notify("READY=1");
-+}
-+
-+void
-+ssh_systemd_notify_reload(void)
-+{
-+ struct timespec now;
-+
-+ monotime_ts(&now);
-+ if (now.tv_sec < 0 || now.tv_nsec < 0) {
-+ error_f("monotime returned negative value");
-+ ssh_systemd_notify("RELOADING=1");
-+ } else {
-+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
-+ ((uint64_t)now.tv_sec * 1000000ULL) +
-+ ((uint64_t)now.tv_nsec / 1000ULL));
-+ }
-+}
-+#endif /* SYSTEMD_NOTIFY */
-+
-+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index c88129428..6c4c37115 100644
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
- void oom_adjust_setup(void);
- #endif
-
-+#ifdef SYSTEMD_NOTIFY
-+void ssh_systemd_notify_ready(void);
-+void ssh_systemd_notify_reload(void);
-+#endif
-+
- #endif /* ! _PORT_LINUX_H */
-diff --git a/platform.c b/platform.c
-index 70c3a9b58..163a54a46 100644
---- a/platform.c
-+++ b/platform.c
-@@ -44,6 +44,14 @@ platform_pre_listen(void)
- #endif
- }
-
-+void
-+platform_post_listen(void)
-+{
-+#ifdef SYSTEMD_NOTIFY
-+ ssh_systemd_notify_ready();
-+#endif
-+}
-+
- void
- platform_pre_fork(void)
- {
-@@ -55,6 +63,9 @@ platform_pre_fork(void)
- void
- platform_pre_restart(void)
- {
-+#ifdef SYSTEMD_NOTIFY
-+ ssh_systemd_notify_reload();
-+#endif
- #ifdef LINUX_OOM_ADJUST
- oom_adjust_restore();
- #endif
-diff --git a/platform.h b/platform.h
-index 027fdfb51..1b77c3e3d 100644
---- a/platform.h
-+++ b/platform.h
-@@ -21,6 +21,7 @@
- void platform_pre_listen(void);
- void platform_pre_fork(void);
- void platform_pre_restart(void);
-+void platform_post_listen(void);
- void platform_post_fork_parent(pid_t child_pid);
- void platform_post_fork_child(void);
- int platform_privileged_uidswap(void);
-diff --git a/sshd.c b/sshd.c
-index 8fab51ebb..a18b85d1d 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2085,6 +2085,8 @@ main(int ac, char **av)
- ssh_signal(SIGTERM, sigterm_handler);
- ssh_signal(SIGQUIT, sigterm_handler);
-
-+ platform_post_listen();
-+
- /*
- * Write out the pid file after the sigterm handler
- * is setup and the listen sockets are bound
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index d2c5284..bd7aca3 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From f01545e3f9350c080a525c246b9d46ba71cb0d09 Mon Sep 17 00:00:00 2001
+From 496d8d99583423c054311e85738102a5d9185016 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
@@ -10,7 +10,7 @@ of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.
Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2024-04-03
+Last-Update: 2024-07-03
Patch-Name: systemd-socket-activation.patch
---
@@ -19,7 +19,7 @@ Patch-Name: systemd-socket-activation.patch
2 files changed, 118 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
-index c7b563ef2..cdfb505bf 100644
+index f6bca2631..ee6aca972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -31,11 +31,11 @@ index c7b563ef2..cdfb505bf 100644
case `uname -r` in
1.*|2.0.*)
diff --git a/sshd.c b/sshd.c
-index a18b85d1d..105c688e4 100644
+index 54c65dfe6..bc0127c9c 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -136,10 +136,18 @@ int deny_severity;
- #endif /* LIBWRAP */
+@@ -93,10 +93,18 @@
+ #include "srclimit.h"
/* Re-exec fds */
-#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -57,8 +57,8 @@ index a18b85d1d..105c688e4 100644
extern char *__progname;
-@@ -1016,6 +1024,88 @@ server_accept_inetd(int *sock_in, int *sock_out)
- debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
+@@ -733,6 +741,88 @@ send_rexec_state(int fd, struct sshbuf *conf)
+ debug3_f("done");
}
+#ifdef SYSTEMD_SOCKET_ACTIVATION
@@ -146,7 +146,7 @@ index a18b85d1d..105c688e4 100644
/*
* Listen for TCP connections
*/
-@@ -1095,22 +1185,35 @@ static void
+@@ -812,6 +902,9 @@ static void
server_listen(void)
{
u_int i;
@@ -155,8 +155,10 @@ index a18b85d1d..105c688e4 100644
+#endif
/* Initialise per-source limit tracking. */
- srclimit_init(options.max_startups, options.per_source_max_startups,
- options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
+ srclimit_init(options.max_startups,
+@@ -821,17 +914,27 @@ server_listen(void)
+ &options.per_source_penalty,
+ options.per_source_penalty_exempt);
- for (i = 0; i < options.num_listen_addrs; i++) {
- listen_on_addrs(&options.listen_addrs[i]);
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 163039d..194c730 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 673c225f85e2666e10be71a1d87225de2bb2aeb2 Mon Sep 17 00:00:00 2001
+From 04ef461f5d8a7ec8840db50ccb841aaa26687b6e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
@@ -27,10 +27,10 @@ Patch-Name: user-group-modes.patch
7 files changed, 62 insertions(+), 13 deletions(-)
diff --git a/auth-rhosts.c b/auth-rhosts.c
-index 56724677a..e15f5bc5a 100644
+index d5d2c7a12..13c3c201b 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
-@@ -266,8 +266,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+@@ -265,8 +265,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
return 0;
}
if (options.strict_modes &&
@@ -40,7 +40,7 @@ index 56724677a..e15f5bc5a 100644
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
auth_debug_add("Rhosts authentication refused for %.100s: "
-@@ -296,8 +295,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+@@ -295,8 +294,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
@@ -51,10 +51,10 @@ index 56724677a..e15f5bc5a 100644
"bad modes for %.200s", pw->pw_name, path);
auth_debug_add("Bad file modes for %.200s", path);
diff --git a/auth.c b/auth.c
-index 8ccf06370..08a75fc4e 100644
+index 407b32e78..ec692715e 100644
--- a/auth.c
+++ b/auth.c
-@@ -431,8 +431,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
+@@ -430,8 +430,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 8ccf06370..08a75fc4e 100644
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
diff --git a/misc.c b/misc.c
-index 5dc9d54a2..d0d9301d7 100644
+index afdf5142e..8776fc1dc 100644
--- a/misc.c
+++ b/misc.c
@@ -62,9 +62,9 @@
@@ -79,7 +79,7 @@ index 5dc9d54a2..d0d9301d7 100644
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
#endif
-@@ -1414,6 +1414,55 @@ percent_dollar_expand(const char *string, ...)
+@@ -1428,6 +1428,55 @@ percent_dollar_expand(const char *string, ...)
return ret;
}
@@ -135,7 +135,7 @@ index 5dc9d54a2..d0d9301d7 100644
int
tun_open(int tun, int mode, char **ifname)
{
-@@ -2223,8 +2272,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -2250,8 +2299,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
snprintf(err, errlen, "%s is not a regular file", buf);
return -1;
}
@@ -145,7 +145,7 @@ index 5dc9d54a2..d0d9301d7 100644
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
-@@ -2239,8 +2287,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -2266,8 +2314,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
strlcpy(buf, cp, sizeof(buf));
if (stat(buf, &st) == -1 ||
@@ -156,10 +156,10 @@ index 5dc9d54a2..d0d9301d7 100644
"bad ownership or modes for directory %s", buf);
return -1;
diff --git a/misc.h b/misc.h
-index 9bacce520..a1fb74579 100644
+index 113403896..4681f79f7 100644
--- a/misc.h
+++ b/misc.h
-@@ -238,6 +238,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
+@@ -246,6 +246,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
void notify_complete(struct notifier_ctx *, const char *, ...)
__attribute__((format(printf, 2, 3)));
@@ -169,7 +169,7 @@ index 9bacce520..a1fb74579 100644
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
-index c6e609fca..d68658185 100644
+index 7d7296960..eaca29ace 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2518,8 +2518,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
@@ -183,10 +183,10 @@ index c6e609fca..d68658185 100644
}
diff --git a/ssh.1 b/ssh.1
-index 877c3bc64..2d07c919e 100644
+index dc382cd49..55bc1faef 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -1577,6 +1577,8 @@ The file format and configuration options are described in
+@@ -1570,6 +1570,8 @@ The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index 877c3bc64..2d07c919e 100644
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
-index 6b482ee15..4afb8fb7a 100644
+index c6041339b..d1b1da95a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -2405,6 +2405,8 @@ The format of this file is described above.
+@@ -2409,6 +2409,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
diff --git a/debian/patches/zero-call-used-regs-m68k.patch b/debian/patches/zero-call-used-regs-m68k.patch
deleted file mode 100644
index 84cd0a8..0000000
--- a/debian/patches/zero-call-used-regs-m68k.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From f81c7307956c509e0638e8272454677d59961950 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Thu, 21 Mar 2024 10:20:21 +0000
-Subject: Extend -fzero-call-used-regs check to catch m68k gcc bug
-
-Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934
-Bug-Debian: https://bugs.debian.org/1067243
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673
-Last-Update: 2024-03-24
-
-Patch-Name: zero-call-used-regs-m68k.patch
----
- m4/openssh.m4 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/m4/openssh.m4 b/m4/openssh.m4
-index 033df501c..176a8d1c9 100644
---- a/m4/openssh.m4
-+++ b/m4/openssh.m4
-@@ -20,7 +20,10 @@ char *f2(char *s, ...) {
- va_end(args);
- return strdup(ret);
- }
-+int i;
-+double d;
- const char *f3(int s) {
-+ i = (int)d;
- return s ? "good" : "gooder";
- }
- int main(int argc, char **argv) {
diff --git a/debian/run-tests b/debian/run-tests
index def9494..df76b7f 100755
--- a/debian/run-tests
+++ b/debian/run-tests
@@ -27,6 +27,7 @@ make -C "$tmp/regress" \
SUDO=sudo \
TEST_SHELL=/bin/sh \
TEST_SSH_SSH=/usr/bin/ssh \
+ TEST_SSH_SSHD_SESSION=/usr/lib/openssh/sshd-session \
TEST_SSH_SFTPSERVER=/usr/lib/openssh/sftp-server \
TEST_SSH_PLINK=/usr/bin/plink \
TEST_SSH_PUTTYGEN=/usr/bin/puttygen \
diff --git a/debian/tests/control b/debian/tests/control
index efd6c45..f7c0afb 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,17 +1,27 @@
-Tests: regress
-Restrictions: needs-root allow-stderr isolation-container
-Depends: devscripts,
- dropbear,
- haveged,
- openssh-tests,
- openssl,
- putty-tools,
- python3-twisted,
- sudo,
- sysvinit-utils,
+Tests:
+ regress,
+Restrictions:
+ allow-stderr,
+ isolation-container,
+ needs-root,
+Depends:
+ devscripts,
+ dropbear,
+ haveged,
+ openssh-tests,
+ openssl,
+ putty-tools,
+ python3-twisted,
+ sudo,
+ sysvinit-utils,
-Tests: ssh-gssapi
-Restrictions: needs-root allow-stderr isolation-container
-Depends: openssh-server,
- krb5-kdc,
- krb5-admin-server
+Tests:
+ ssh-gssapi,
+Restrictions:
+ allow-stderr,
+ isolation-container,
+ needs-root,
+Depends:
+ krb5-admin-server,
+ krb5-kdc,
+ openssh-server,
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
index a9c18d9..b2c136c 100755
--- a/debian/tests/ssh-gssapi
+++ b/debian/tests/ssh-gssapi
@@ -63,7 +63,7 @@ EOF
default_realm = ${realm}
rdns = false
forwardable = true
- dns_lookup_kdc = falase
+ dns_lookup_kdc = false
dns_uri_lookup = false
dns_lookup_realm = false