Accepting request 222365 from home:pcerny:factory

- Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 14:54:10 +00:00 · 2014-02-14 14:54:10 +00:00 · 08f9072513
commit 08f9072513
parent b189026b63
44 changed files with 1171 additions and 1002 deletions
--- a/openssh-6.4p1-forcepermissions.patch
+++ b/openssh-6.4p1-forcepermissions.patch
@ -1,81 +0,0 @@
 Index: openssh-6.4p1/sftp-server.8
 ===================================================================
 --- openssh-6.4p1.orig/sftp-server.8
 +++ openssh-6.4p1/sftp-server.8
@@ -35,6 +35,7 @@
 .Op Fl f Ar log_facility
 .Op Fl l Ar log_level
 .Op Fl u Ar umask
 +.Op Fl m Ar force_file_permissions
 .Sh DESCRIPTION
 .Nm
 is a program that speaks the server side of SFTP protocol
@@ -104,6 +105,10 @@ Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
 +.It Fl m Ar force_file_permissions
 +Sets explicit file permissions to be applied to newly-created files instead
 +of the default or client requested mode.  Numeric values include:
 +777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
 .El
 .Pp
 For logging to work,
 Index: openssh-6.4p1/sftp-server.c
 ===================================================================
 --- openssh-6.4p1.orig/sftp-server.c
 +++ openssh-6.4p1/sftp-server.c
@@ -73,6 +73,10 @@ u_int version;
 /* Disable writes */
 int readonly;
 +/* Force file permissions */
 +int permforce = 0;
 +long permforcemode;
 +
 /* portable attributes, etc. */
 typedef struct Stat Stat;
@@ -557,6 +561,10 @@ process_open(void)
 	a = get_attrib();
 	flags = flags_from_portable(pflags);
 	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
 +    if (permforce == 1) {
 +        mode = permforcemode;
 +        (void)umask(0); /* so umask does not interfere */
 +    }
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
@@ -1391,7 +1399,7 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 -	    "[-l log_level]\n\t[-u umask]\n",
 +	    "[-l log_level]\n\t[-u umask]\n[-m force_file_permissions]\n",
 	    __progname);
 	exit(1);
 }
@@ -1414,7 +1422,7 @@ sftp_server_main(int argc, char **argv,
 	pw = pwcopy(user_pw);
 -	while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) {
 +	while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:m:cehR")) != -1) {
 		switch (ch) {
 		case 'R':
 			readonly = 1;
@@ -1453,6 +1461,13 @@ sftp_server_main(int argc, char **argv,
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;
 +        case 'm':
 +            permforce = 1;
 +            permforcemode = strtol(optarg, &cp, 8);
 +            if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
 +                cp == optarg || (permforcemode == 0 && errno != 0))
 +                fatal("Invalid umask \"%s\"", optarg);
 +            break;
 		case 'h':
 		default:
 			sftp_server_usage();
--- a/openssh-6.4p1-saveargv-fix.patch
+++ b/openssh-6.4p1-saveargv-fix.patch
@ -1,46 +0,0 @@
 # related to bnc#49845, upstream bug #529
 diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 --- a/openssh-6.4p1/sshd.c
 +++ b/openssh-6.4p1/sshd.c
@@ -309,16 +309,17 @@ sighup_handler(int sig)
 /*
  * Called from the main program after receiving SIGHUP.
  * Restarts the server.
  */
 static void
 sighup_restart(void)
 {
 +	int i;
 	logit("Received SIGHUP; restarting.");
 	close_listen_socks();
 	close_startup_pipes();
 	alarm(0);  /* alarm timer persists across exec */
 	signal(SIGHUP, SIG_IGN); /* will be restored after exec */
 	execv(saved_argv[0], saved_argv);
 	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
 	    strerror(errno));
@@ -1382,17 +1383,21 @@ main(int ac, char **av)
 	saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
 	for (i = 0; i < ac; i++)
 		saved_argv[i] = xstrdup(av[i]);
 	saved_argv[i] = NULL;
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
 	compat_init_setproctitle(ac, av);
 -	av = saved_argv;
 +
 +	av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
 +	for (i = 0; i < saved_argc; i++)
 +		av[i] = xstrdup(saved_argv[i]);
 +	av[i] = NULL;
 #endif
 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 		debug("setgroups(): %.200s", strerror(errno));
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
--- a/openssh-6.4p1.tar.gz
+++ b/openssh-6.4p1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
 size 1201402
--- a/openssh-6.5p1-X11-forwarding.patch
+++ b/openssh-6.5p1-X11-forwarding.patch
@ -2,9 +2,9 @@
 # configuration
 # bnc#50836 (was suse #35836)
-diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+--- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.4p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
@@ -12,19 +12,30 @@
 # Any configuration value is only changed the first time it is set.
 # Thus, host-specific definitions should be at the beginning of the
@ -37,10 +37,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
 #   GSSAPIDelegateCredentials no
 #   BatchMode no
 #   CheckHostIP yes
-diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+--- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.4p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
-@@ -93,17 +93,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -94,17 +94,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
@ -53,9 +53,9 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 +X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
--- a/openssh-6.5p1-audit1-remove_duplicit_audit.patch
+++ b/openssh-6.5p1-audit1-remove_duplicit_audit.patch
@ -8,9 +8,9 @@
 #
 # PRIVSEP(getpwnamallow()) a few lines above already did this.
-diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
+diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+--- a/openssh-6.5p1/auth2.c
-+++ b/openssh-6.4p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32
 		authctxt->pw = PRIVSEP(getpwnamallow(user));
 		authctxt->user = xstrdup(user);
--- a/openssh-6.5p1-audit2-better_audit_of_user_actions.patch
+++ b/openssh-6.5p1-audit2-better_audit_of_user_actions.patch
@ -4,9 +4,9 @@
 #   https://bugzilla.mindrot.org/attachment.cgi?id=2011
 #   by jchadima@redhat.com
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -370,20 +370,33 @@ audit_connection_from(const char *host, 
 	/* this is used on IPv4-only machines */
 	tid->port = (dev_t)port;
@ -42,9 +42,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 	/* not implemented */
 }
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -30,97 +30,210 @@
 #include "includes.h"
 #if defined(USE_LINUX_AUDIT)
@ -276,9 +276,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 }
 #endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -135,16 +135,27 @@ audit_connection_from(const char *host, 
 void
 audit_event(ssh_audit_event_t event)
@ -344,9 +344,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -44,14 +44,16 @@ enum ssh_audit_event_type {
 	SSH_CONNECTION_CLOSE,	/* closed after attempting auth or session */
 	SSH_CONNECTION_ABANDON,	/* closed without completing auth */
@ -365,9 +365,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 ssh_audit_event_t audit_classify_auth(const char *);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer 
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@ -500,9 +500,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 void
 monitor_apply_keystate(struct monitor *pmonitor)
 {
-diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
+diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+--- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.4p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -64,16 +64,17 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_START = 100,
@ -521,9 +521,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
 	int			 m_recvfd;
 	int			 m_sendfd;
 	int			 m_log_recvfd;
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event)
 	buffer_init(&m);
@ -574,9 +574,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
 {
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_sshpam_respond(void *, u_int, char **);
@ -597,9 +597,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
 void mm_session_pty_cleanup2(struct Session *);
 /* SSHv1 interfaces */
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm
 	cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 #endif
@ -625,13 +625,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 		session_set_fds(s, ptyfd, fdout, -1, 1, 1);
 	} else {
 		server_loop(pid, ptyfd, fdout, -1);
-@@ -811,25 +819,29 @@ do_exec(Session *s, const char *command)
+@@ -834,25 +842,29 @@ do_exec(Session *s, const char *command)
- 			s->is_subsystem = s->is_subsystem ?
+ 	    session_type,
- 			    SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
+ 	    tty == NULL ? "" : " on ",
- 		} else if (s->is_subsystem)
+ 	    tty == NULL ? "" : tty,
- 			s->is_subsystem = SUBSYSTEM_EXT;
+ 	    s->pw->pw_name,
- 		debug("Forced command (key option) '%.900s'", command);
+ 	    get_remote_ipaddr(),
- 	}
+ 	    get_remote_port());
 #ifdef SSH_AUDIT_EVENTS
 +	if (s->command != NULL || s->command_handle != -1)
@ -657,7 +657,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	original_command = NULL;
-@@ -1875,16 +1887,17 @@ session_unused(int id)
+@@ -1903,16 +1915,17 @@ session_unused(int id)
 	bzero(&sessions[id], sizeof(*sessions));
 	sessions[id].self = id;
 	sessions[id].used = 0;
@ -675,7 +675,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 session_new(void)
 {
 	Session *s, *tmp;
-@@ -1957,16 +1970,29 @@ session_open(Authctxt *authctxt, int cha
+@@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha
 	if (s->pw == NULL || !authctxt->valid)
 		fatal("no user for session %d", s->self);
 	debug("session_open: session %d: link with channel %d", s->self, chanid);
@ -705,7 +705,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 		if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
 			debug("session_by_tty: session %d tty %s", i, tty);
 			return s;
-@@ -2473,16 +2499,40 @@ session_exit_message(Session *s, int sta
+@@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta
 	 * interested in data we write.
 	 * Note that we must not call 'chan_read_failed', since there could
 	 * be some more data waiting in the pipe.
@ -746,7 +746,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
-@@ -2513,16 +2563,20 @@ session_close(Session *s)
+@@ -2541,16 +2591,20 @@ session_close(Session *s)
 			int status;
 			waitpid(pid, &status, 0);
@ -765,9 +765,9 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	free(s->auth_display);
 	free(s->auth_data);
 	free(s->auth_proto);
 	free(s->subsys);
 	if (s->env != NULL) {
- 		for (i = 0; i < s->num_env; i++) {
+@@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s)
@@ -2726,16 +2780,25 @@ session_setup_x11fwd(Session *s)
 }
 static void
@ -793,7 +793,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	debug("do_cleanup");
 	/* no cleanup if we're in the child for login shell */
-@@ -2774,10 +2837,10 @@ do_cleanup(Authctxt *authctxt)
+@@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt)
 	/* remove agent socket */
 	auth_sock_cleanup_proc(authctxt->pw);
@ -805,13 +805,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 -		session_destroy_all(session_pty_cleanup2);
 +		session_destroy_all(do_cleanup_one_session);
 }
-diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h
+diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h
--- a/openssh-6.4p1/session.h
+--- a/openssh-6.5p1/session.h
-+++ b/openssh-6.4p1/session.h
+++ b/openssh-6.5p1/session.h
-@@ -55,29 +55,37 @@ struct Session {
+@@ -56,29 +56,37 @@ struct Session {
 	int	chanid;
 	int	*x11_chanids;
 	int	is_subsystem;
 	char	*subsys;
 	u_int	num_env;
 	struct {
 		char	*name;
@ -846,10 +846,10 @@ diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h
 		       const char *value);
 #endif
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
-@@ -2487,13 +2487,14 @@ cleanup_exit(int i)
+@@ -2504,13 +2504,14 @@ cleanup_exit(int i)
 			if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
 			    errno != ESRCH)
 				error("%s: kill(%d): %s", __func__,
--- a/openssh-6.5p1-audit3-key_auth_usage.patch
+++ b/openssh-6.5p1-audit3-key_auth_usage.patch
@ -5,9 +5,9 @@
 #   (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975)
 #   by jchadima@redhat.com
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li)
 }
@ -31,9 +31,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
 	if (cannot_audit(0))
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -36,16 +36,18 @@
 #include "log.h"
 #include "audit.h"
@ -101,9 +101,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 audit_connection_from(const char *host, int port)
 {
 	/* not implemented */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -31,16 +31,17 @@
 #ifdef SSH_AUDIT_EVENTS
@ -178,9 +178,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -23,16 +23,17 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -212,9 +212,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 +void	audit_key(int, int *, const Key *);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
+diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+--- a/openssh-6.5p1/auth-rsa.c
-+++ b/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key)
 	return challenge;
 }
@ -271,9 +271,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
  * our challenge; returns zero if the client gives a wrong answer.
  */
-diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h
+diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h
--- a/openssh-6.4p1/auth.h
+--- a/openssh-6.5p1/auth.h
-+++ b/openssh-6.4p1/auth.h
+++ b/openssh-6.5p1/auth.h
@@ -182,16 +182,17 @@ int	allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);
@ -310,10 +310,10 @@ diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h
 struct passwd *fakepw(void);
-diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
+diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c
+--- a/openssh-6.5p1/auth2-hostbased.c
-+++ b/openssh-6.4p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
-@@ -118,33 +118,45 @@ userauth_hostbased(Authctxt *authctxt)
+@@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt)
 #endif
 	pubkey_auth_info(authctxt, key,
@ -360,10 +360,10 @@ diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
 	const char *resolvedname, *ipaddr, *lookup, *reason;
 	HostStatus host_status;
 	int len;
-diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
+diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c
+--- a/openssh-6.5p1/auth2-pubkey.c
-+++ b/openssh-6.4p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
-@@ -147,17 +147,17 @@ userauth_pubkey(Authctxt *authctxt)
+@@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt)
 #ifdef DEBUG_PK
 		buffer_dump(&b);
 #endif
@ -382,7 +382,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 		debug("test whether pkalg/pkblob are acceptable");
 		packet_check_eom();
-@@ -184,16 +184,28 @@ done:
+@@ -190,16 +190,28 @@ done:
 	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
 	if (key != NULL)
 		key_free(key);
@ -411,9 +411,9 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 	int i;
 	extra = NULL;
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data
 }
@ -474,9 +474,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 	free(signature);
 	free(data);
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha
 /*
@ -540,9 +540,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
 	u_int len;
 	Newkeys *newkey = NULL;
 	Enc *enc;
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int 
 void mm_inform_authserv(char *, char *);
 struct passwd *mm_getpwnamallow(const char *);
--- a/openssh-6.5p1-audit4-kex_results.patch
+++ b/openssh-6.5p1-audit4-kex_results.patch
@ -5,20 +5,21 @@
 #   (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976)
 #   by jchadima@redhat.com
-diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
+diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+--- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.4p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
-@@ -68,17 +68,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	jpake.o schnorr.o ssh-pkcs11.o krl.o
+ 	jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
-+	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+ 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
 	ssh-ed25519.o digest.o \
 -	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
 +	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 +	auditstub.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@ -27,9 +28,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event)
 	case SSH_AUTH_FAIL_KBDINT:
 		bsm_audit_bad_login("interactive password entry");
@ -52,9 +53,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -35,16 +35,18 @@
 #include "log.h"
@ -140,9 +141,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 +}
 +
 #endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -23,24 +23,27 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@ -232,9 +233,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -53,10 +53,14 @@ void	audit_event(ssh_audit_event_t);
 void	audit_count_session_open(void);
 void	audit_session_open(struct logininfo *);
@ -250,10 +251,10 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 +void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
+diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/auditstub.c
+++ b/openssh-6.5p1/auditstub.c
@@ -0,0 +1,39 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -294,10 +295,10 @@ new file mode 100644
 +{
 +}
 +
-diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
+diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.4p1/cipher.c
+--- a/openssh-6.5p1/cipher.c
-+++ b/openssh-6.4p1/cipher.c
+++ b/openssh-6.5p1/cipher.c
-@@ -50,29 +50,17 @@
+@@ -52,31 +52,17 @@
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
@ -314,7 +315,9 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
 -	u_int	iv_len;		/* defaults to block_size */
 -	u_int	auth_len;
 -	u_int	discard_len;
-	u_int	cbc_mode;
+-	u_int	flags;
 -#define CFLAG_CBC		(1<<0)
 -#define CFLAG_CHACHAPOLY	(1<<1)
 -	const EVP_CIPHER	*(*evptype)(void);
 -};
 -
@ -328,10 +331,10 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 	{ "blowfish-cbc",
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
+diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h
--- a/openssh-6.4p1/cipher.h
+--- a/openssh-6.5p1/cipher.h
-+++ b/openssh-6.4p1/cipher.h
+++ b/openssh-6.5p1/cipher.h
-@@ -56,17 +56,28 @@
+@@ -58,17 +58,30 @@
 #define SSH_CIPHER_MAX		31
 #define CIPHER_ENCRYPT		1
@ -349,7 +352,9 @@ diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
 +	u_int	iv_len;		/* defaults to block_size */
 +	u_int	auth_len;
 +	u_int	discard_len;
-+	u_int	cbc_mode;
+	u_int	flags;
 +#define CFLAG_CBC		(1<<0)
 +#define CFLAG_CHACHAPOLY	(1<<1)
 +	const EVP_CIPHER	*(*evptype)(void);
 +};
 +
@ -357,15 +362,14 @@ diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h
 	int	plaintext;
 	int	encrypt;
 	EVP_CIPHER_CTX evp;
 	struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
 	const Cipher *cipher;
 };
- u_int	 cipher_mask_ssh1(int);
+diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
-diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
+--- a/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c
+++ b/openssh-6.5p1/kex.c
-+++ b/openssh-6.4p1/kex.c
+@@ -45,16 +45,17 @@
@@ -44,16 +44,17 @@
 #include "key.h"
 #include "kex.h"
 #include "log.h"
 #include "mac.h"
@ -373,6 +377,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 #include "dispatch.h"
 #include "monitor.h"
 #include "roaming.h"
 #include "digest.h"
 +#include "audit.h"
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
@ -382,7 +387,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 extern const EVP_MD *evp_ssh_sha256(void);
 # endif
 #endif
-@@ -336,53 +337,65 @@ kex_kexinit_finish(Kex *kex)
+@@ -346,53 +347,65 @@ kex_kexinit_finish(Kex *kex)
 		fatal("Unsupported key exchange %d", kex->kex_type);
 	}
 }
@ -451,7 +456,7 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 		comp->type = COMP_NONE;
 	} else {
 		fatal("unsupported comp %s", name);
-@@ -487,16 +500,19 @@ kex_choose_conf(Kex *kex)
+@@ -497,16 +510,19 @@ kex_choose_conf(Kex *kex)
 		if (authlen == 0)
 			choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
 		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
@ -467,13 +472,13 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
- 	need = 0;
+ 	need = dh_need = 0;
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = kex->newkeys[mode];
- 		if (need < newkeys->enc.key_len)
+ 		need = MAX(need, newkeys->enc.key_len);
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -93,16 +93,17 @@
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
@ -582,7 +587,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 /* Specifies if a certain message is allowed at the moment */
-@@ -2410,8 +2421,52 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock, 
 	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
@ -635,9 +640,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 +}
 +
 +#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
+diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+--- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.4p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -65,16 +65,18 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
@ -657,9 +662,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
 	int			 m_recvfd;
 	int			 m_sendfd;
 	int			 m_log_recvfd;
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k,
 	success = buffer_get_int(&m);
@ -707,9 +712,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha
 void mm_sshpam_free_ctx(void *);
 #endif
@ -729,9 +734,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
 void mm_session_pty_cleanup2(struct Session *);
 /* SSHv1 interfaces */
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -114,16 +114,17 @@
 #include "session.h"
 #include "monitor_mm.h"
@ -750,7 +755,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 #include <syslog.h>
 int allow_severity;
 int deny_severity;
-@@ -2297,16 +2298,20 @@ do_ssh1_kex(void)
+@@ -2312,16 +2313,20 @@ do_ssh1_kex(void)
 		packet_disconnect("Warning: client selects unsupported cipher.");
 	/* Get check bytes from the packet.  These must match those we
--- a/openssh-6.5p1-audit5-session_key_destruction.patch
+++ b/openssh-6.5p1-audit5-session_key_destruction.patch
@ -4,9 +4,9 @@
 #   https://bugzilla.mindrot.org/attachment.cgi?id=2014
 #   by jchadima@redhat.com
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -480,9 +480,15 @@ audit_unsupported_body(int what)
 	/* not implemented */
 }
@ -23,9 +23,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -289,24 +289,25 @@ audit_unsupported_body(int what)
 		/* no problem, the next instruction will be fatal() */
 		return;
@ -91,9 +91,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 +}
 +
 #endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -138,16 +138,22 @@ audit_unsupported(int what)
 }
@ -138,9 +138,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -57,10 +57,12 @@ int	audit_run_command(const char *);
 void 	audit_end_command(int, const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
@ -154,9 +154,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 +void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
+diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c
--- a/openssh-6.4p1/auditstub.c
+--- a/openssh-6.5p1/auditstub.c
-+++ b/openssh-6.4p1/auditstub.c
+++ b/openssh-6.5p1/auditstub.c
@@ -22,18 +22,29 @@
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
@ -187,10 +187,10 @@ diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +}
-diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
+diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c
+--- a/openssh-6.5p1/kex.c
-+++ b/openssh-6.4p1/kex.c
+++ b/openssh-6.5p1/kex.c
-@@ -667,8 +667,39 @@ dump_digest(char *msg, u_char *digest, i
+@@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i
 		if (i%32 == 31)
 			fprintf(stderr, "\n");
 		else if (i%8 == 7)
@ -230,17 +230,17 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
 +
-diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
+diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.4p1/kex.h
+--- a/openssh-6.5p1/kex.h
-+++ b/openssh-6.4p1/kex.h
+++ b/openssh-6.5p1/kex.h
-@@ -157,16 +157,18 @@ Newkeys *kex_get_newkeys(int);
+@@ -163,16 +163,18 @@ void	 kexdh_client(Kex *);
 void	 kexdh_client(Kex *);
 void	 kexdh_server(Kex *);
 void	 kexgex_client(Kex *);
 void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
 void	 kexc25519_client(Kex *);
 void	 kexc25519_server(Kex *);
 +void	 newkeys_destroy(Newkeys *newkeys);
 +
@ -248,13 +248,13 @@ diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 void
- kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ kexgex_hash(int, char *, char *, char *, int, char *,
     int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, u_char **, u_int *);
 #ifdef OPENSSL_HAS_ECC
-diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
+diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.4p1/mac.c
+--- a/openssh-6.5p1/mac.c
-+++ b/openssh-6.4p1/mac.c
+++ b/openssh-6.5p1/mac.c
@@ -219,16 +219,30 @@ mac_clear(Mac *mac)
 		if (mac->umac_ctx != NULL)
 			umac128_delete(mac->umac_ctx);
@ -286,22 +286,22 @@ diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
 	char *maclist, *cp, *p;
 	if (names == NULL || strcmp(names, "") == 0)
-diff --git a/openssh-6.4p1/mac.h b/openssh-6.4p1/mac.h
+diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h
--- a/openssh-6.4p1/mac.h
+--- a/openssh-6.5p1/mac.h
-+++ b/openssh-6.4p1/mac.h
+++ b/openssh-6.5p1/mac.h
@@ -24,8 +24,9 @@
  */
 int	 mac_valid(const char *);
- char	*mac_alg_list(void);
+ char	*mac_alg_list(char);
 int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer *
 #endif
@ -389,7 +389,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 /* Specifies if a certain message is allowed at the moment */
-@@ -1970,21 +1975,23 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor
 		goto skip;
 	} else {
 		/* Get the Kex for rekeying */
@ -413,7 +413,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 	packets = buffer_get_int(&m);
 	bytes = buffer_get_int64(&m);
 	packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes);
-@@ -2020,16 +2027,31 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor
 	/* Roaming */
 	if (compat20) {
@ -445,7 +445,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
 	size_t len = (size_t) size * ncount;
-@@ -2464,9 +2486,27 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe
 	free(mac);
 	free(compress);
 	buffer_clear(m);
@ -473,9 +473,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 +	return 0;
 +}
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
+diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+--- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.4p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -67,16 +67,17 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
@ -494,9 +494,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
 	int			 m_recvfd;
 	int			 m_sendfd;
 	int			 m_log_recvfd;
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor
 	    __func__, packet_get_newkeys(MODE_OUT),
 	    packet_get_newkeys(MODE_IN));
@ -547,9 +547,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
 +	buffer_free(&m);
 +}
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *);
 #ifdef SSH_AUDIT_EVENTS
@ -568,9 +568,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
 void mm_session_pty_cleanup2(struct Session *);
 /* SSHv1 interfaces */
-diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
+diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c
--- a/openssh-6.4p1/packet.c
+--- a/openssh-6.5p1/packet.c
-+++ b/openssh-6.4p1/packet.c
+++ b/openssh-6.5p1/packet.c
@@ -56,16 +56,17 @@
 #include <stdio.h>
 #include <stdlib.h>
@ -650,7 +650,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
 packet_set_protocol_flags(u_int protocol_flags)
 {
 	active_state->remote_protocol_flags = protocol_flags;
-@@ -728,16 +739,35 @@ packet_send1(void)
+@@ -729,16 +740,35 @@ packet_send1(void)
 	/*
 	 * Note that the packet is now only buffered in output.  It won't be
@ -686,7 +686,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
 	Comp *comp;
 	CipherContext *cc;
 	u_int64_t *max_blocks;
-@@ -753,31 +783,19 @@ set_newkeys(int mode)
+@@ -754,31 +784,19 @@ set_newkeys(int mode)
 	} else {
 		cc = &active_state->receive_context;
 		crypt_type = CIPHER_DECRYPT;
@ -720,7 +720,7 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
 	mac  = &active_state->newkeys[mode]->mac;
 	comp = &active_state->newkeys[mode]->comp;
 	if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
-@@ -1995,54 +2013,93 @@ packet_get_output(void)
+@@ -2004,54 +2022,93 @@ packet_get_output(void)
 }
 void *
@ -823,9 +823,9 @@ diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c
 +	backup_state = NULL;
 }
 +
-diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h
+diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h
--- a/openssh-6.4p1/packet.h
+--- a/openssh-6.5p1/packet.h
-+++ b/openssh-6.4p1/packet.h
+++ b/openssh-6.5p1/packet.h
@@ -119,9 +119,10 @@ void	 packet_set_rekey_limits(u_int32_t,
 time_t	 packet_get_rekey_timeout(void);
@ -837,10 +837,10 @@ diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
-@@ -1661,16 +1661,19 @@ do_child(Session *s, const char *command
+@@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command
 	int env_size;
 	char *argv[ARGV_MAX];
 	const char *shell, *shell0, *hostname = NULL;
@ -860,10 +860,10 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 		do_pwchange(s);
 		exit(1);
 	}
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
-@@ -703,16 +703,18 @@ privsep_preauth(Authctxt *authctxt)
+@@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt)
 		setproctitle("%s", "[net]");
 		if (box != NULL)
 			ssh_sandbox_child(box);
@ -882,7 +882,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 #ifdef DISABLE_FD_PASSING
 	if (1) {
 #else
-@@ -727,16 +729,20 @@ privsep_postauth(Authctxt *authctxt)
+@@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt)
 	monitor_reinit(pmonitor);
 	pmonitor->m_pid = fork();
@ -903,7 +903,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	/* child */
-@@ -2089,16 +2095,17 @@ main(int ac, char **av)
+@@ -2104,16 +2110,17 @@ main(int ac, char **av)
 		do_authentication(authctxt);
 	}
 	/*
@ -921,7 +921,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	 * Cancel the alarm we set to limit the time taken for
 	 * authentication.
 	 */
-@@ -2141,16 +2148,18 @@ main(int ac, char **av)
+@@ -2156,16 +2163,18 @@ main(int ac, char **av)
 	packet_set_timeout(options.client_alive_interval,
 	    options.client_alive_count_max);
@ -940,7 +940,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
 #ifdef USE_PAM
-@@ -2480,26 +2489,38 @@ do_ssh2_kex(void)
+@@ -2497,26 +2506,38 @@ do_ssh2_kex(void)
 #endif
 	debug("KEX done");
 }
--- a/openssh-6.5p1-audit6-server_key_destruction.patch
+++ b/openssh-6.5p1-audit6-server_key_destruction.patch
@ -4,9 +4,9 @@
 #   https://bugzilla.mindrot.org/attachment.cgi?id=2015
 #   by jchadima@redhat.com
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char
 	/* not implemented */
 }
@ -35,9 +35,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi
 	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
 			buf, NULL, get_remote_ipaddr(), NULL, 1);
@ -94,9 +94,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char
  * This will be called on succesfull session key discard
  */
@ -127,9 +127,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -43,26 +43,30 @@ enum ssh_audit_event_type {
 	SSH_INVALID_USER,
 	SSH_NOLOGIN,		/* denied by /etc/nologin, not implemented */
@ -161,11 +161,11 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 +void	audit_generate_ephemeral_server_key(const char *);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
+diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c
+--- a/openssh-6.5p1/key.c
-+++ b/openssh-6.4p1/key.c
+++ b/openssh-6.5p1/key.c
-@@ -1805,16 +1805,40 @@ key_demote(const Key *k)
+@@ -1959,16 +1959,41 @@ key_demote(const Key *k)
- 		fatal("key_free: bad key type %d", k->type);
+ 		fatal("key_demote: bad key type %d", k->type);
 		break;
 	}
@ -191,7 +191,8 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 +		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
 +#endif
 +	default:
-+		fatal("key_is_private: bad key type %d", k->type);
+		/* fatal("key_is_private: bad key type %d", k->type); */
 +		debug2("key_is_private: bad key type %d", k->type);
 +		return 1;
 +	}
 +}
@ -201,23 +202,24 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 {
 	if (k == NULL)
 		return 0;
- 	switch (k->type) {
+ 	return key_type_is_cert(k->type);
- 	case KEY_RSA_CERT_V00:
+ }
- 	case KEY_DSA_CERT_V00:
+ 
- 	case KEY_RSA_CERT:
+ /* Return the cert-less equivalent to a certified key type */
-diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
+diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h
+--- a/openssh-6.5p1/key.h
-+++ b/openssh-6.4p1/key.h
+++ b/openssh-6.5p1/key.h
-@@ -106,16 +106,17 @@ int		 key_read(Key *, char **);
+@@ -113,16 +113,17 @@ int		 key_read(Key *, char **);
 u_int		 key_size(const Key *);
 enum fp_type	 key_fp_type_select(void);
- char			*key_fp_type_str(enum fp_type);
+ char		*key_fp_type_str(enum fp_type);
 Key	*key_generate(int, u_int);
 Key	*key_from_private(const Key *);
 int	 key_type_from_name(char *);
 int	 key_is_cert(const Key *);
 +int	 key_is_private(const Key *k);
 int	 key_type_is_cert(int);
 int	 key_type_plain(int);
 int	 key_to_certified(Key *, int);
 int	 key_drop_cert(Key *);
@ -225,10 +227,9 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
 void	 key_cert_copy(const Key *, struct Key *);
 int	 key_cert_check_authority(const Key *, int, int, const char *,
 	    const char **);
- int	 key_cert_is_legacy(const Key *);
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
 +++ b/openssh-6.4p1/monitor.c
@@ -110,16 +110,18 @@ extern u_int utmp_len;
 extern Newkeys *current_keys[];
 extern z_stream incoming_stream;
@ -355,7 +356,7 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 	/* Terminate process */
 	exit(res);
-@@ -2504,9 +2513,30 @@ mm_answer_audit_session_key_free_body(in
+@@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in
 	audit_session_key_free_body(ctos, pid, uid);
@ -386,9 +387,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 +	return 0;
 +}
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
+diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+--- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.4p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -68,16 +68,17 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
 	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -407,9 +408,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
 	int			 m_recvfd;
 	int			 m_sendfd;
 	int			 m_log_recvfd;
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos,
 	buffer_put_int(&m, ctos);
 	buffer_put_int64(&m, pid);
@ -436,9 +437,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
 +	buffer_free(&m);
 +}
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *);
 #ifdef SSH_AUDIT_EVENTS
 #include "audit.h"
@ -457,9 +458,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
 void mm_session_pty_cleanup2(struct Session *);
 /* SSHv1 interfaces */
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -132,17 +132,17 @@ static int session_pty_req(Session *);
 /* import */
@ -479,7 +480,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 /* data */
 static int sessions_first_unused = -1;
 static int sessions_nalloc = 0;
-@@ -1660,17 +1660,17 @@ do_child(Session *s, const char *command
+@@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command
 	char **env;
 	int env_size;
 	char *argv[ARGV_MAX];
@ -498,9 +499,9 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	if (s->authctxt->force_pwchange) {
 		do_setusercontext(pw);
 		child_close_fds();
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -256,17 +256,17 @@ Buffer cfg;
 /* message to be displayed after login */
@ -546,7 +547,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	if (startup_pipes)
 		for (i = 0; i < options.max_startups; i++)
 			if (startup_pipes[i] != -1)
-@@ -547,60 +556,99 @@ sshd_exchange_identification(int sock_in
+@@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in
 		close(sock_out);
 		logit("Protocol major versions differ for %s: %.200s vs. %.200s",
 		    get_remote_ipaddr(),
@ -649,7 +650,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 }
 static void
-@@ -1179,16 +1227,17 @@ server_accept_loop(int *sock_in, int *so
+@@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so
 		/* Wait in select until there is a connection. */
 		ret = select(maxfd+1, fdset, NULL, NULL, NULL);
@ -667,7 +668,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 			generate_ephemeral_server_key();
 			key_used = 0;
 			key_do_regen = 0;
-@@ -2138,27 +2187,28 @@ main(int ac, char **av)
+@@ -2153,27 +2202,28 @@ main(int ac, char **av)
 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
@ -697,7 +698,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
-@@ -2377,17 +2427,17 @@ do_ssh1_kex(void)
+@@ -2392,17 +2442,17 @@ do_ssh1_kex(void)
 		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
 		MD5_Final(session_key + 16, &md);
 		memset(buf, 0, bytes);
@ -716,7 +717,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	BN_clear_free(session_key_int);
 	/* Set the session key.  From this on all communications will be encrypted. */
-@@ -2510,16 +2560,18 @@ cleanup_exit(int i)
+@@ -2527,16 +2577,18 @@ cleanup_exit(int i)
 			debug("Killing privsep child %d", pmonitor->m_pid);
 			if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
 			    errno != ESRCH)
--- a/openssh-6.5p1-audit7-libaudit_compat.patch
+++ b/openssh-6.5p1-audit7-libaudit_compat.patch
@ -1,8 +1,8 @@
 # definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -25,16 +25,17 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
@ -21,10 +21,10 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
-diff --git a/openssh-6.4p1/compat-libaudit.h b/openssh-6.4p1/compat-libaudit.h
+diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/compat-libaudit.h
+++ b/openssh-6.5p1/compat-libaudit.h
@@ -0,0 +1,79 @@
 +/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */
 +/* libaudit.h -- 
--- a/openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
+++ b/openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
@ -4,9 +4,9 @@
 # Note that this particular solution causes the logs to always contain
 # "hostname=?, addr=?" when DNS lookups are disabled.
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 		    errno == EAFNOSUPPORT)
--- a/openssh-6.5p1-blocksigalrm.patch
+++ b/openssh-6.5p1-blocksigalrm.patch
@ -2,9 +2,9 @@
 # grace_alarm_handler)
 # bnc#57354
-diff --git a/openssh-6.4p1/log.c b/openssh-6.4p1/log.c
+diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c
--- a/openssh-6.4p1/log.c
+--- a/openssh-6.5p1/log.c
-+++ b/openssh-6.4p1/log.c
+++ b/openssh-6.5p1/log.c
@@ -47,16 +47,17 @@
 #include <unistd.h>
 #include <errno.h>
--- a/openssh-6.5p1-default-protocol.patch
+++ b/openssh-6.5p1-default-protocol.patch
@ -1,8 +1,8 @@
 # only enable SSHv2 protocol by default (upstream default is fallback to v1)
-diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+--- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.4p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
@@ -41,17 +41,17 @@ ForwardX11Trusted yes
 #   CheckHostIP yes
 #   AddressFamily any
--- a/openssh-6.5p1-disable-openssl-abi-check.patch
+++ b/openssh-6.5p1-disable-openssl-abi-check.patch
@ -2,9 +2,9 @@
 # reliable indicator of ABI changes and doesn't make much sense in a
 # distribution package
-diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
+diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.4p1/entropy.c
+--- a/openssh-6.5p1/entropy.c
-+++ b/openssh-6.4p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
@@ -212,22 +212,23 @@ seed_rng(void)
 #endif
 	/*
--- a/openssh-6.5p1-eal3.patch
+++ b/openssh-6.5p1-eal3.patch
@ -1,9 +1,9 @@
 # fix paths and references in sshd man pages
-diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
+diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.4p1/sshd.8
+--- a/openssh-6.5p1/sshd.8
-+++ b/openssh-6.4p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
-@@ -872,17 +872,17 @@ See
+@@ -875,17 +875,17 @@ See
 If this file exists,
 .Nm
 refuses to let anyone except root log in.
@ -22,7 +22,7 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
 .It Pa /etc/ssh/ssh_host_key
 .It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
-@@ -951,17 +951,17 @@ The content of this file is not sensitiv
+@@ -956,17 +956,17 @@ The content of this file is not sensitiv
 .Xr sftp 1 ,
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
@ -41,9 +41,9 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
+diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+--- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
@@ -278,18 +278,17 @@ The contents of the specified file are s
 authentication is allowed.
 If the argument is
@ -64,7 +64,7 @@ diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
 to after authentication.
 All components of the pathname must be root-owned directories that are
 not writable by any other user or group.
-@@ -565,17 +564,17 @@ and
+@@ -576,17 +575,17 @@ and
 .Pa .shosts
 files will not be used in
 .Cm RhostsRSAAuthentication
--- a/openssh-6.5p1-fingerprint_hash.patch
+++ b/openssh-6.5p1-fingerprint_hash.patch
@ -1,13 +1,13 @@
 # HG changeset patch
-# Parent d41afe56fd49d0a9669738b1f4d53ddae0cb195a
+# Parent 450c3933f35c6801a682ea32c588e4c9ff73414a
 # select fingerprint hash algorithms based on the environment variable
 # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
 # Petr Cerny <pcerny@suse.cz>
-diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
+diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+--- a/openssh-6.5p1/auth-rsa.c
-+++ b/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p
 		/* check the real bits  */
@ -27,9 +27,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
 		if (auth_key_is_revoked(key))
 			break;
-diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
+diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.4p1/auth.c
+--- a/openssh-6.5p1/auth.c
-+++ b/openssh-6.4p1/auth.c
+++ b/openssh-6.5p1/auth.c
@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key)
 	case -1:
 		/* Error opening revoked_keys_file: refuse all keys */
@ -49,10 +49,10 @@ diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
 	fatal("key_in_file returned junk");
 }
-diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
+diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c
--- a/openssh-6.4p1/auth2-hostbased.c
+--- a/openssh-6.5p1/auth2-hostbased.c
-+++ b/openssh-6.4p1/auth2-hostbased.c
+++ b/openssh-6.5p1/auth2-hostbased.c
-@@ -196,23 +196,23 @@ hostbased_key_allowed(struct passwd *pw,
+@@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw,
 		    _PATH_SSH_SYSTEM_HOSTFILE2,
 		    options.ignore_user_known_hosts ? NULL :
 		    _PATH_SSH_USER_HOSTFILE2);
@ -78,10 +78,10 @@ diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c
 	return (host_status == HOST_OK);
 }
-diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
+diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c
--- a/openssh-6.4p1/auth2-pubkey.c
+--- a/openssh-6.5p1/auth2-pubkey.c
-+++ b/openssh-6.4p1/auth2-pubkey.c
+++ b/openssh-6.5p1/auth2-pubkey.c
-@@ -202,25 +202,25 @@ pubkey_auth_info(Authctxt *authctxt, con
+@@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con
 		i = vasprintf(&extra, fmt, ap);
 		va_end(ap);
 		if (i < 0 || extra == NULL)
@ -109,7 +109,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 }
 static int
-@@ -354,17 +354,17 @@ check_authkeys_file(FILE *f, char *file,
+@@ -360,17 +360,17 @@ check_authkeys_file(FILE *f, char *file,
 		if (key_is_cert(key)) {
 			if (!key_equal(found, key->cert->signature_key))
 				continue;
@ -128,7 +128,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 			 * a key option, then prefer that list to matching
 			 * their username in the certificate principals list.
 			 */
-@@ -395,17 +395,17 @@ check_authkeys_file(FILE *f, char *file,
+@@ -401,17 +401,17 @@ check_authkeys_file(FILE *f, char *file,
 			break;
 		} else if (key_equal(found, key)) {
 			if (auth_parse_options(pw, key_options, file,
@ -147,7 +147,7 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 	}
 	if (found != NULL)
 		key_free(found);
-@@ -421,17 +421,17 @@ user_cert_trusted_ca(struct passwd *pw, 
+@@ -427,17 +427,17 @@ user_cert_trusted_ca(struct passwd *pw, 
 	char *ca_fp, *principals_file = NULL;
 	const char *reason;
 	int ret = 0;
@ -166,13 +166,13 @@ diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c
 		    options.trusted_user_ca_keys);
 		goto out;
 	}
-diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
+diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c
+--- a/openssh-6.5p1/key.c
-+++ b/openssh-6.4p1/key.c
+++ b/openssh-6.5p1/key.c
-@@ -390,30 +390,38 @@ key_fingerprint_raw(const Key *k, enum f
+@@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f
- 		free(blob);
+ 		*dgst_raw_length = ssh_digest_bytes(hash_alg);
 	} else {
- 		fatal("key_fingerprint_raw: blob is null");
+ 		fatal("%s: blob is null", __func__);
 	}
 	return retval;
 }
@ -185,6 +185,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 	u_int i;
 -	retval = xcalloc(1, dgst_raw_len * 3 + 1);
 +	/* reserve space for both the key hash and the string for the hash type */
 +	retval = xcalloc(1, dgst_raw_len * 3 + 1 + SSH_FP_TYPE_STRLEN + 2);
 	for (i = 0; i < dgst_raw_len; i++) {
 		char hex[4];
@ -211,7 +212,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 {
 	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
 	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
-@@ -488,17 +496,18 @@ key_fingerprint_bubblebabble(u_char *dgs
+@@ -518,17 +527,18 @@ key_fingerprint_bubblebabble(u_char *dgs
  * can be in the exact middle of the picture, and FLDBASE should be >=8 .
  * Else pictures would be too dense, and drawing the frame would
  * fail, too, because the key type would not fit in anymore.
@ -231,7 +232,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 	char	*augmentation_string = " .o+=*BOX@%&#/^SE";
 	char	*retval, *p;
 	u_char	 field[FLDSIZE_X][FLDSIZE_Y];
-@@ -555,18 +564,19 @@ key_fingerprint_randomart(u_char *dgst_r
+@@ -585,18 +595,19 @@ key_fingerprint_randomart(u_char *dgst_r
 		*p++ = '|';
 		for (x = 0; x < FLDSIZE_X; x++)
 			*p++ = augmentation_string[MIN(field[x][y], len)];
@ -253,7 +254,7 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 char *
 key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
-@@ -575,34 +585,91 @@ key_fingerprint(const Key *k, enum fp_ty
+@@ -605,34 +616,91 @@ key_fingerprint(const Key *k, enum fp_ty
 	u_char *dgst_raw;
 	u_int dgst_raw_len;
@ -347,10 +348,10 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
  * the buffer containing the number.
  */
 static int
-diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
+diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h
+--- a/openssh-6.5p1/key.h
-+++ b/openssh-6.4p1/key.h
+++ b/openssh-6.5p1/key.h
-@@ -51,16 +51,18 @@ enum fp_type {
+@@ -53,16 +53,18 @@ enum fp_type {
 	SSH_FP_MD5,
 	SSH_FP_SHA256
 };
@ -369,7 +370,7 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
 struct KeyCert {
 	Buffer		 certblob; /* Kept around for use on wire */
 	u_int		 type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
-@@ -97,16 +99,18 @@ int		 key_equal_public(const Key *, cons
+@@ -104,16 +106,18 @@ int		 key_equal_public(const Key *, cons
 int		 key_equal(const Key *, const Key *);
 char		*key_fingerprint(const Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
@ -379,19 +380,19 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
 int		 key_read(Key *, char **);
 u_int		 key_size(const Key *);
 +enum fp_type	 key_fp_type_select(void);
-+char			*key_fp_type_str(enum fp_type);
+char		*key_fp_type_str(enum fp_type);
 Key	*key_generate(int, u_int);
 Key	*key_from_private(const Key *);
 int	 key_type_from_name(char *);
 int	 key_is_cert(const Key *);
 int	 key_type_is_cert(int);
 int	 key_type_plain(int);
 int	 key_to_certified(Key *, int);
- int	 key_drop_cert(Key *);
+diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c
-diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c
+--- a/openssh-6.5p1/ssh-add.c
--- a/openssh-6.4p1/ssh-add.c
+++ b/openssh-6.5p1/ssh-add.c
-+++ b/openssh-6.4p1/ssh-add.c
+@@ -325,17 +325,17 @@ list_identities(AuthenticationConnection
@@ -321,17 +321,17 @@ list_identities(AuthenticationConnection
 	int version;
 	for (version = 1; version <= 2; version++) {
@ -410,9 +411,9 @@ diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c
 				if (!key_write(key, stdout))
 					fprintf(stderr, "key_write failed");
 				fprintf(stdout, " %s\n", comment);
-diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c
+diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c
--- a/openssh-6.4p1/ssh-agent.c
+--- a/openssh-6.5p1/ssh-agent.c
-+++ b/openssh-6.4p1/ssh-agent.c
+++ b/openssh-6.5p1/ssh-agent.c
@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version)
 /* Check confirmation of keysign request */
@ -432,10 +433,10 @@ diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c
 	return (ret);
 }
-diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
+diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c
--- a/openssh-6.4p1/ssh-keygen.c
+--- a/openssh-6.5p1/ssh-keygen.c
-+++ b/openssh-6.4p1/ssh-keygen.c
+++ b/openssh-6.5p1/ssh-keygen.c
-@@ -725,27 +725,27 @@ do_download(struct passwd *pw)
+@@ -741,27 +741,27 @@ do_download(struct passwd *pw)
 {
 #ifdef ENABLE_PKCS11
 	Key **keys = NULL;
@ -465,7 +466,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 			free(ra);
 			free(fp);
 		} else {
-@@ -768,29 +768,29 @@ do_fingerprint(struct passwd *pw)
+@@ -784,29 +784,29 @@ do_fingerprint(struct passwd *pw)
 	FILE *f;
 	Key *public;
 	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
@ -497,7 +498,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 		free(comment);
 		free(ra);
 		free(fp);
-@@ -846,17 +846,17 @@ do_fingerprint(struct passwd *pw)
+@@ -862,17 +862,17 @@ do_fingerprint(struct passwd *pw)
 			public = key_new(KEY_UNSPEC);
 			if (key_read(public, &cp) != 1) {
 				key_free(public);
@ -516,7 +517,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 		free(fp);
 		key_free(public);
 		invalid = 0;
-@@ -967,20 +967,20 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -983,20 +983,20 @@ do_gen_all_hostkeys(struct passwd *pw)
 static void
 printhost(FILE *f, const char *name, Key *public, int ca, int hash)
 {
@ -539,7 +540,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 		free(fp);
 	} else {
 		if (hash && (name = host_hash(name, NULL, 0)) == NULL)
-@@ -1850,19 +1850,19 @@ do_show_cert(struct passwd *pw)
+@@ -1873,19 +1873,19 @@ do_show_cert(struct passwd *pw)
 	if (stat(identity_file, &st) < 0)
 		fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
 	if ((key = key_load_public(identity_file, NULL)) == NULL)
@ -561,7 +562,7 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 	printf("        Signing CA: %s %s\n",
 	    key_type(key->cert->signature_key), ca_fp);
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
-@@ -2650,18 +2650,18 @@ passphrase_again:
+@@ -2681,18 +2681,18 @@ passphrase_again:
 		exit(1);
 	}
 	if (!key_write(public, f))
@ -582,10 +583,10 @@ diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c
 		printf("The key's randomart image is:\n");
 		printf("%s\n", ra);
 		free(ra);
-diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
+diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c
+--- a/openssh-6.5p1/sshconnect.c
-+++ b/openssh-6.4p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
-@@ -825,18 +825,18 @@ check_host_key(char *hostname, struct so
+@@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so
 				    "address '%.128s' to the list of known "
 				    "hosts (%.30s).", type, ip,
 				    user_hostfiles[0]);
@ -606,7 +607,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
 		break;
 	case HOST_NEW:
 		if (options.host_key_alias == NULL && port != 0 &&
-@@ -866,18 +866,18 @@ check_host_key(char *hostname, struct so
+@@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so
 			if (show_other_keys(host_hostkeys, host_key))
 				snprintf(msg1, sizeof(msg1),
@ -627,7 +628,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
 					    "Matching host key fingerprint"
 					    " found in DNS.\n");
 				else
-@@ -1131,17 +1131,17 @@ fail:
+@@ -1212,17 +1212,17 @@ fail:
 /* returns 0 if key verifies or -1 if key does NOT verify */
 int
@ -646,7 +647,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
 	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
 		if (flags & DNS_VERIFY_FOUND) {
-@@ -1233,18 +1233,18 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey
 	char *fp, *ra;
 	const struct hostkey_entry *found;
@ -667,7 +668,7 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
 		    key_type(found->key), fp);
 		if (options.visual_host_key)
 			logit("%s", ra);
-@@ -1255,17 +1255,17 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey
 	return ret;
 }
@ -686,10 +687,10 @@ diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
+diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+--- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
-@@ -590,17 +590,17 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t
 		goto done;
 	}
 	if (key->type != pktype) {
@ -708,7 +709,7 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
 	 * moved to the end of the queue.  this also avoids confusion by
 	 * duplicate keys
 	 */
-@@ -1204,17 +1204,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
+@@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	Buffer b;
 	u_char *blob, *signature;
 	u_int bloblen, slen;
--- a/openssh-6.5p1-fips.patch
+++ b/openssh-6.5p1-fips.patch
@ -4,9 +4,9 @@
 # HG changeset patch
 # Parent 6536ed881743cbf05afe962021b985f9b1eab495
-diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
+diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+--- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.4p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -26,9 +26,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
-diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
+diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c
--- a/openssh-6.4p1/auth-rsa.c
+--- a/openssh-6.5p1/auth-rsa.c
-+++ b/openssh-6.4p1/auth-rsa.c
+++ b/openssh-6.5p1/auth-rsa.c
@@ -15,17 +15,17 @@
  */
@ -171,9 +171,9 @@ diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c
 	return (success);
 }
-diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c
+diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c
--- a/openssh-6.4p1/cipher-ctr.c
+--- a/openssh-6.5p1/cipher-ctr.c
-+++ b/openssh-6.4p1/cipher-ctr.c
+++ b/openssh-6.5p1/cipher-ctr.c
@@ -21,16 +21,17 @@
 #include <stdarg.h>
@ -208,9 +208,9 @@ diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c
 }
 #endif /* OPENSSL_HAVE_EVPCTR */
-diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
+diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.4p1/cipher.c
+--- a/openssh-6.5p1/cipher.c
-+++ b/openssh-6.4p1/cipher.c
+++ b/openssh-6.5p1/cipher.c
@@ -42,16 +42,17 @@
 #include <openssl/md5.h>
@ -373,10 +373,10 @@ diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c
 /*
  * Exports an IV from the CipherContext required to export the key
  * state back from the unprivileged child to the privileged parent
-diff --git a/openssh-6.4p1/fips.c b/openssh-6.4p1/fips.c
+diff --git a/openssh-6.5p1/fips.c b/openssh-6.5p1/fips.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/fips.c
+++ b/openssh-6.5p1/fips.c
@@ -0,0 +1,176 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -554,10 +554,10 @@ new file mode 100644
 +	return EVP_get_digestbynid(fips_hash_nid_min());
 +}
 +
-diff --git a/openssh-6.4p1/fips.h b/openssh-6.4p1/fips.h
+diff --git a/openssh-6.5p1/fips.h b/openssh-6.5p1/fips.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/fips.h
+++ b/openssh-6.5p1/fips.h
@@ -0,0 +1,54 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -613,9 +613,9 @@ new file mode 100644
 +
 +#endif
 +
-diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
+diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c
+--- a/openssh-6.5p1/key.c
-+++ b/openssh-6.4p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -49,16 +49,17 @@
 #include "xmalloc.h"
 #include "key.h"
@ -654,9 +654,9 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 /* 
  * string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in
  * key.h) as to fit into the fingerprint string buffer
-diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
+diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.4p1/mac.c
+--- a/openssh-6.5p1/mac.c
-+++ b/openssh-6.4p1/mac.c
+++ b/openssh-6.5p1/mac.c
@@ -36,34 +36,35 @@
 #include "xmalloc.h"
 #include "log.h"
@ -760,9 +760,9 @@ diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c
 				mac_setup_by_id(mac, i);
 			debug2("mac_setup: found %s", name);
 			return (0);
-diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h
+diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
--- a/openssh-6.4p1/myproposal.h
+--- a/openssh-6.5p1/myproposal.h
-+++ b/openssh-6.4p1/myproposal.h
+++ b/openssh-6.5p1/myproposal.h
@@ -71,16 +71,20 @@
 	"ssh-dss"
@ -804,9 +804,9 @@ diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h
 static char *myproposal[PROPOSAL_MAX] = {
 	KEX_DEFAULT_KEX,
 	KEX_DEFAULT_PK_ALG,
-diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
+diff --git a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
--- a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
+--- a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
-+++ b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c
+++ b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
@@ -18,34 +18,35 @@
 #include <sys/types.h>
@ -930,9 +930,9 @@ diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openb
 {
 	size_t i;
 	u_int32_t r = 0;
-diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c
+diff --git a/openssh-6.5p1/ssh-rsa.c b/openssh-6.5p1/ssh-rsa.c
--- a/openssh-6.4p1/ssh-rsa.c
+--- a/openssh-6.5p1/ssh-rsa.c
-+++ b/openssh-6.4p1/ssh-rsa.c
+++ b/openssh-6.5p1/ssh-rsa.c
@@ -27,16 +27,17 @@
 #include "xmalloc.h"
@ -987,9 +987,9 @@ diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c
 	EVP_DigestInit(&md, evp_md);
 	EVP_DigestUpdate(&md, data, datalen);
 	EVP_DigestFinal(&md, digest, &dlen);
-diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c
+diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
--- a/openssh-6.4p1/ssh.c
+--- a/openssh-6.5p1/ssh.c
-+++ b/openssh-6.4p1/ssh.c
+++ b/openssh-6.5p1/ssh.c
@@ -99,16 +99,17 @@
 #include "kex.h"
 #include "mac.h"
@ -1051,9 +1051,9 @@ diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c
 	    options.use_privileged_port,
 #else
 	    original_effective_uid == 0 && options.use_privileged_port,
-diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
+diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+--- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -67,16 +67,17 @@
 #include "dispatch.h"
 #include "canohost.h"
@ -1110,9 +1110,9 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    order_hostkeyalgs(host, hostaddr, port);
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -118,16 +118,17 @@
 #ifdef GSSAPI
 #include "ssh-gss.h"
--- a/openssh-6.5p1-gssapi_key_exchange.patch
+++ b/openssh-6.5p1-gssapi_key_exchange.patch
@ -1,10 +1,10 @@
 # HG changeset patch
 # Parent a72dad36a987a441e9c92807b1d654e43ddee409
-diff --git a/openssh-6.4p1/ChangeLog.gssapi b/openssh-6.4p1/ChangeLog.gssapi
+diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ChangeLog.gssapi
+++ b/openssh-6.5p1/ChangeLog.gssapi
@@ -0,0 +1,113 @@
 +20110101
 +  - Finally update for OpenSSH 5.6p1
@ -119,9 +119,9 @@ new file mode 100644
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
-diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
+diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+--- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.4p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	canohost.o channels.o cipher.o cipher-aes.o \
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
@ -158,9 +158,9 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
-diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c
+diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
--- a/openssh-6.4p1/auth-krb5.c
+--- a/openssh-6.5p1/auth-krb5.c
-+++ b/openssh-6.4p1/auth-krb5.c
+++ b/openssh-6.5p1/auth-krb5.c
@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -229,9 +229,9 @@ diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c
 }
 #endif /* !HEIMDAL */
 #endif /* KRB5 */
-diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
+diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c
+--- a/openssh-6.5p1/auth2-gss.c
-+++ b/openssh-6.4p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
@@ -1,12 +1,12 @@
 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
@ -357,9 +357,9 @@ diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
 Authmethod method_gssapi_old = {
 	"gssapi",
-diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
+diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+--- a/openssh-6.5p1/auth2.c
-+++ b/openssh-6.4p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -64,27 +64,29 @@ extern Buffer loginmsg;
 /* methods */
@ -390,9 +390,9 @@ diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
 #endif
 	&method_passwd,
 	&method_kbdint,
-diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c
+diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
--- a/openssh-6.4p1/clientloop.c
+--- a/openssh-6.5p1/clientloop.c
-+++ b/openssh-6.4p1/clientloop.c
+++ b/openssh-6.5p1/clientloop.c
@@ -106,16 +106,20 @@
 #include "authfd.h"
 #include "atomicio.h"
@ -440,9 +440,9 @@ diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c
 			}
 		}
-diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
+diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+--- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.4p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
 	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
 	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
@ -484,9 +484,9 @@ diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
 	    [Define if pututxline updates lastlog too])
 	)
 	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
-diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c
+diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
--- a/openssh-6.4p1/gss-genr.c
+--- a/openssh-6.5p1/gss-genr.c
-+++ b/openssh-6.4p1/gss-genr.c
+++ b/openssh-6.5p1/gss-genr.c
@@ -1,12 +1,12 @@
 /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -874,9 +874,9 @@ diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c
+diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
--- a/openssh-6.4p1/gss-serv-krb5.c
+--- a/openssh-6.5p1/gss-serv-krb5.c
-+++ b/openssh-6.4p1/gss-serv-krb5.c
+++ b/openssh-6.5p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1023,9 +1023,9 @@ diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c
 #endif /* KRB5 */
 #endif /* GSSAPI */
-diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c
+diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
--- a/openssh-6.4p1/gss-serv.c
+--- a/openssh-6.5p1/gss-serv.c
-+++ b/openssh-6.4p1/gss-serv.c
+++ b/openssh-6.5p1/gss-serv.c
@@ -1,12 +1,12 @@
 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
@ -1412,9 +1412,9 @@ diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c
 }
 #endif
-diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
+diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
--- a/openssh-6.4p1/kex.c
+--- a/openssh-6.5p1/kex.c
-+++ b/openssh-6.4p1/kex.c
+++ b/openssh-6.5p1/kex.c
@@ -46,16 +46,24 @@
 #include "log.h"
 #include "mac.h"
@ -1471,9 +1471,9 @@ diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c
 choose_hostkeyalg(Kex *k, char *client, char *server)
 {
 	char *hostkeyalg = match_list(client, server, NULL);
-diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
+diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
--- a/openssh-6.4p1/kex.h
+--- a/openssh-6.5p1/kex.h
-+++ b/openssh-6.4p1/kex.h
+++ b/openssh-6.5p1/kex.h
@@ -68,16 +68,19 @@ enum kex_modes {
 };
@ -1539,10 +1539,10 @@ diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h
 kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
     int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff --git a/openssh-6.4p1/kexgssc.c b/openssh-6.4p1/kexgssc.c
+diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/kexgssc.c
+++ b/openssh-6.5p1/kexgssc.c
@@ -0,0 +1,334 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1878,10 +1878,10 @@ new file mode 100644
 +}
 +
 +#endif /* GSSAPI */
-diff --git a/openssh-6.4p1/kexgsss.c b/openssh-6.4p1/kexgsss.c
+diff --git a/openssh-6.5p1/kexgsss.c b/openssh-6.5p1/kexgsss.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/kexgsss.c
+++ b/openssh-6.5p1/kexgsss.c
@@ -0,0 +1,288 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -2171,9 +2171,9 @@ new file mode 100644
 +		ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
+diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.4p1/key.c
+--- a/openssh-6.5p1/key.c
-+++ b/openssh-6.4p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
 			return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
 		case NID_secp521r1:
@ -2212,9 +2212,9 @@ diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c
 int
 key_ecdsa_nid_from_name(const char *name)
-diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
+diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
--- a/openssh-6.4p1/key.h
+--- a/openssh-6.5p1/key.h
-+++ b/openssh-6.4p1/key.h
+++ b/openssh-6.5p1/key.h
@@ -39,16 +39,17 @@ enum types {
 	KEY_RSA,
 	KEY_DSA,
@ -2233,9 +2233,9 @@ diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h
 	SSH_FP_SHA256
 };
 enum fp_rep {
-diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
+diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
--- a/openssh-6.4p1/monitor.c
+--- a/openssh-6.5p1/monitor.c
-+++ b/openssh-6.4p1/monitor.c
+++ b/openssh-6.5p1/monitor.c
@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
@ -2532,9 +2532,9 @@ diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c
 {
 	struct jpake_ctx *pctx;
 	u_char *x3_proof, *x4_proof;
-diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
+diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
--- a/openssh-6.4p1/monitor.h
+--- a/openssh-6.5p1/monitor.h
-+++ b/openssh-6.4p1/monitor.h
+++ b/openssh-6.5p1/monitor.h
@@ -70,16 +70,19 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
 	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
@ -2555,9 +2555,9 @@ diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h
 	int			 m_sendfd;
 	int			 m_log_recvfd;
 	int			 m_log_sendfd;
-diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
+diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
--- a/openssh-6.4p1/monitor_wrap.c
+--- a/openssh-6.5p1/monitor_wrap.c
-+++ b/openssh-6.4p1/monitor_wrap.c
+++ b/openssh-6.5p1/monitor_wrap.c
@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 	    &m);
@ -2638,9 +2638,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c
     char **hash_scheme, char **salt)
 {
 	Buffer m;
-diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
+diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
--- a/openssh-6.4p1/monitor_wrap.h
+--- a/openssh-6.5p1/monitor_wrap.h
-+++ b/openssh-6.4p1/monitor_wrap.h
+++ b/openssh-6.5p1/monitor_wrap.h
@@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *, 
 int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -2663,9 +2663,9 @@ diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h
 void *mm_sshpam_init_ctx(struct Authctxt *);
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_sshpam_respond(void *, u_int, char **);
-diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
+diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.4p1/readconf.c
+--- a/openssh-6.5p1/readconf.c
-+++ b/openssh-6.4p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
@@ -124,16 +124,18 @@ typedef enum {
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -2813,9 +2813,9 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
-diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
+diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.4p1/readconf.h
+--- a/openssh-6.5p1/readconf.h
-+++ b/openssh-6.4p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
@@ -43,18 +43,23 @@ typedef struct {
 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
 						 * authentication. */
@ -2840,9 +2840,9 @@ diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
 	int     batch_mode;	/* Batch mode: do not ask for passwords. */
 	int     check_host_ip;	/* Also keep track of keys for IP address */
 	int     strict_host_key_checking;	/* Strict host key checking. */
-diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
+diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+--- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.4p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions 
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
@ -3000,9 +3000,9 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
-diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
+diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+--- a/openssh-6.5p1/servconf.h
-+++ b/openssh-6.4p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
@@ -105,18 +105,21 @@ typedef struct {
 						 * authentication mechanism,
 						 * such as SecurID or
@ -3025,9 +3025,9 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
-diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h
+diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h
--- a/openssh-6.4p1/ssh-gss.h
+--- a/openssh-6.5p1/ssh-gss.h
-+++ b/openssh-6.4p1/ssh-gss.h
+++ b/openssh-6.5p1/ssh-gss.h
@@ -1,11 +1,11 @@
 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
 /*
@ -3151,9 +3151,9 @@ diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h
 #endif /* GSSAPI */
 #endif /* _SSH_GSS_H */
-diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+--- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.4p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
@@ -32,16 +32,18 @@ Host *
 ForwardX11Trusted yes
@ -3173,9 +3173,9 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
-diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5
+diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
--- a/openssh-6.4p1/ssh_config.5
+--- a/openssh-6.5p1/ssh_config.5
-+++ b/openssh-6.4p1/ssh_config.5
+++ b/openssh-6.5p1/ssh_config.5
@@ -525,21 +525,53 @@ host key database, separated by whitespa
 The default is
 .Pa /etc/ssh/ssh_known_hosts ,
@ -3231,9 +3231,9 @@ diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5
 These hashed names may be used normally by
 .Xr ssh 1
 and
-diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
+diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+--- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
 	return ret;
 }
@ -3503,9 +3503,9 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
 	/* initial userauth request */
 	packet_start(SSH2_MSG_USERAUTH_REQUEST);
 	packet_put_cstring(authctxt->server_user);
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -119,16 +119,24 @@
 #include "ssh-gss.h"
 #endif
@ -3812,9 +3812,9 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 	kex->host_key_index=&get_hostkey_index;
 	xxx_kex = kex;
-diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+--- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.4p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
@@ -75,16 +75,18 @@ PasswordAuthentication no
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
@ -3834,9 +3834,9 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 #GSSAPIEnableMITMAttack no
-diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
+diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+--- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
@@ -475,22 +475,50 @@ to force remote port forwardings to bind
 to allow the client to select the address to which the forwarding is bound.
 The default is
--- a/openssh-6.5p1-gssapimitm.patch
+++ b/openssh-6.5p1-gssapimitm.patch
@ -13,9 +13,9 @@
 # recommended to use the 'gssapi-with-mic' mechanism. Existing installations
 # are encouraged to upgrade as soon as possible.
-diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
+diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
--- a/openssh-6.4p1/auth2-gss.c
+--- a/openssh-6.5p1/auth2-gss.c
-+++ b/openssh-6.4p1/auth2-gss.c
+++ b/openssh-6.5p1/auth2-gss.c
@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p
 			dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 			if (flags & GSS_C_INTEG_FLAG)
@ -58,9 +58,9 @@ diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c
 +};
 +
 #endif /* GSSAPI */
-diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
+diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c
--- a/openssh-6.4p1/auth2.c
+--- a/openssh-6.5p1/auth2.c
-+++ b/openssh-6.4p1/auth2.c
+++ b/openssh-6.5p1/auth2.c
@@ -65,26 +65,28 @@ extern Buffer loginmsg;
 extern Authmethod method_none;
@ -90,10 +90,10 @@ diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c
 	&method_kbdint,
 	&method_hostbased,
 	NULL
-diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
+diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
--- a/openssh-6.4p1/readconf.c
+--- a/openssh-6.5p1/readconf.c
-+++ b/openssh-6.4p1/readconf.c
+++ b/openssh-6.5p1/readconf.c
-@@ -126,17 +126,17 @@ typedef enum {
+@@ -134,17 +134,17 @@ typedef enum {
 	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
@ -109,10 +109,10 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- 	oIgnoredUnknownOption, oDeprecated, oUnsupported
+ 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- } OpCodes;
+ 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-@@ -168,19 +168,21 @@ static struct {
+@@ -178,19 +178,21 @@ static struct {
 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 	{ "kerberosauthentication", oUnsupported },
@ -134,7 +134,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 	{ "identitiesonly", oIdentitiesOnly },
 	{ "hostname", oHostName },
 	{ "hostkeyalias", oHostKeyAlias },
-@@ -514,16 +516,20 @@ parse_flag:
+@@ -837,16 +839,20 @@ parse_time:
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
@ -155,7 +155,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 	case oCheckHostIP:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
-@@ -1164,16 +1170,17 @@ initialize_options(Options * options)
+@@ -1484,16 +1490,17 @@ initialize_options(Options * options)
 	options->xauth_location = NULL;
 	options->gateway_ports = -1;
 	options->use_privileged_port = -1;
@ -173,7 +173,7 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
-@@ -1265,16 +1272,18 @@ fill_default_options(Options * options)
+@@ -1591,16 +1598,18 @@ fill_default_options(Options * options)
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
 	if (options->challenge_response_authentication == -1)
@ -192,10 +192,10 @@ diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
-diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
+diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
--- a/openssh-6.4p1/readconf.h
+--- a/openssh-6.5p1/readconf.h
-+++ b/openssh-6.4p1/readconf.h
+++ b/openssh-6.5p1/readconf.h
-@@ -44,16 +44,17 @@ typedef struct {
+@@ -50,16 +50,17 @@ typedef struct {
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
@ -213,10 +213,10 @@ diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h
 	int     batch_mode;	/* Batch mode: do not ask for passwords. */
 	int     check_host_ip;	/* Also keep track of keys for IP address */
 	int     strict_host_key_checking;	/* Strict host key checking. */
-diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
+diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+--- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.4p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
-@@ -103,16 +103,17 @@ initialize_server_options(ServerOptions 
+@@ -104,16 +104,17 @@ initialize_server_options(ServerOptions 
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
 	options->kerberos_authentication = -1;
@ -234,7 +234,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	options->use_login = -1;
 	options->compression = -1;
 	options->rekey_limit = -1;
-@@ -237,16 +238,18 @@ fill_default_server_options(ServerOption
+@@ -242,16 +243,18 @@ fill_default_server_options(ServerOption
 	if (options->kerberos_ticket_cleanup == -1)
 		options->kerberos_ticket_cleanup = 1;
 	if (options->kerberos_get_afs_token == -1)
@ -253,7 +253,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 		options->challenge_response_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
-@@ -333,17 +336,17 @@ typedef enum {
+@@ -338,17 +341,17 @@ typedef enum {
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@ -272,7 +272,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent,
 	sDeprecated, sUnsupported
-@@ -400,19 +403,21 @@ static struct {
+@@ -405,19 +408,21 @@ static struct {
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -294,7 +294,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 #ifdef JPAKE
 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
 #else
-@@ -1072,16 +1077,20 @@ process_server_config_line(ServerOptions
+@@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions
 	case sGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -315,10 +315,10 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 		intptr = &options->zero_knowledge_password_authentication;
 		goto parse_flag;
-diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
+diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+--- a/openssh-6.5p1/servconf.h
-+++ b/openssh-6.4p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
-@@ -107,16 +107,17 @@ typedef struct {
+@@ -108,16 +108,17 @@ typedef struct {
 						 * such as SecurID or
 						 * /etc/passwd */
 	int     kerberos_ticket_cleanup;	/* If true, destroy ticket
@ -336,9 +336,9 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
-diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+--- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.4p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
@@ -51,9 +51,16 @@ ForwardX11Trusted yes
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
@ -356,10 +356,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
 +#   GSSAPIEnableMITMAttack no
 +
 #   RekeyLimit 1G 1h
-diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
+diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.4p1/sshconnect2.c
+--- a/openssh-6.5p1/sshconnect2.c
-+++ b/openssh-6.4p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
-@@ -322,16 +322,21 @@ static char *authmethods_get(void);
+@@ -324,16 +324,21 @@ static char *authmethods_get(void);
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@ -381,7 +381,7 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
 		NULL},
 	{"publickey",
 		userauth_pubkey,
-@@ -696,17 +701,19 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf
 		packet_put_string(send_tok.value, send_tok.length);
 		packet_send();
@ -402,10 +402,10 @@ diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c
 			gssbuf.value = buffer_ptr(&b);
 			gssbuf.length = buffer_len(&b);
-diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+--- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.4p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
-@@ -79,16 +79,23 @@ PasswordAuthentication no
+@@ -80,16 +80,23 @@ PasswordAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
@ -421,8 +421,8 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 +#GSSAPIEnableMITMAttack no
 + 
 +
- # Set this to 'yes' to enable PAM authentication, account processing, 
+ # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will 
+ # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
--- a/openssh-6.5p1-host_ident.patch
+++ b/openssh-6.5p1-host_ident.patch
@ -1,10 +1,10 @@
 # identify hashed hosts in known_hosts and suggest command line for their
 # removal
-diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c
+diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
--- a/openssh-6.4p1/sshconnect.c
+--- a/openssh-6.5p1/sshconnect.c
-+++ b/openssh-6.4p1/sshconnect.c
+++ b/openssh-6.5p1/sshconnect.c
-@@ -986,16 +986,21 @@ check_host_key(char *hostname, struct so
+@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
 				    ip_found->file, ip_found->line);
 		}
 		/* The host key has changed. */
--- a/openssh-6.5p1-key-converter.patch
+++ b/openssh-6.5p1-key-converter.patch
@ -1,9 +1,9 @@
 # SSHv1 to SSHv2 RSA keys converter
-diff --git a/openssh-6.4p1/converter/Makefile b/openssh-6.4p1/converter/Makefile
+diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/converter/Makefile
+++ b/openssh-6.5p1/converter/Makefile
@@ -0,0 +1,17 @@
 +
 +bindir=/usr/bin
@ -12,20 +12,20 @@ new file mode 100644
 +all :	ssh-keyconverter
 +
 +ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h
-+	gcc $(CFLAGS) $(RPM_OPT_FLAGS) -c -I../ $< -o $@
+	gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@
 +
 +ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a
-+	gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
+	gcc $< -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@
 +
 +install: ssh-keyconverter ssh-keyconverter.1
 +	if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi
 +	install -m 755 ssh-keyconverter $(DESTDIR)$(bindir)
 +	if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi
 +	install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1
-diff --git a/openssh-6.4p1/converter/ssh-keyconverter.1 b/openssh-6.4p1/converter/ssh-keyconverter.1
+diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/converter/ssh-keyconverter.1
+++ b/openssh-6.5p1/converter/ssh-keyconverter.1
@@ -0,0 +1,155 @@
 +.\" Manpage for ssh-keyconverter
 +.\"
@ -182,10 +182,10 @@ new file mode 100644
 +.%D March 2001
 +.%O work in progress material
 +.Re
-diff --git a/openssh-6.4p1/converter/ssh-keyconverter.c b/openssh-6.4p1/converter/ssh-keyconverter.c
+diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/converter/ssh-keyconverter.c
+++ b/openssh-6.5p1/converter/ssh-keyconverter.c
@@ -0,0 +1,345 @@
 +/*
 + * SSH v1 to v2 RSA key converter.
--- a/openssh-6.5p1-lastlog.patch
+++ b/openssh-6.5p1-lastlog.patch
@ -1,9 +1,9 @@
 # set uid for functions that use it to seek in lastlog and wtmp files
 # bnc#18024 (was suse #3024)
-diff --git a/openssh-6.4p1/sshlogin.c b/openssh-6.4p1/sshlogin.c
+diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c
--- a/openssh-6.4p1/sshlogin.c
+--- a/openssh-6.5p1/sshlogin.c
-+++ b/openssh-6.4p1/sshlogin.c
+++ b/openssh-6.5p1/sshlogin.c
@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty,
 {
 	struct logininfo *li;
--- a/openssh-6.5p1-ldap.patch
+++ b/openssh-6.5p1-ldap.patch
@ -8,10 +8,10 @@
 # internal versions. ssh-keyconverter consequently fails to link as it lacks
 # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
-diff --git a/openssh-6.4p1/HOWTO.ldap-keys b/openssh-6.4p1/HOWTO.ldap-keys
+diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/HOWTO.ldap-keys
+++ b/openssh-6.5p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
 +
 +HOW TO START
@ -121,9 +121,9 @@ new file mode 100644
 +  - frederic peters.
 +  - Finlay dobbie.
 +  - Stefan Fisher.
-diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
+diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.4p1/Makefile.in
+--- a/openssh-6.5p1/Makefile.in
-+++ b/openssh-6.4p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -20,16 +20,18 @@ srcdir=@srcdir@
 top_srcdir=@top_srcdir@
@ -164,14 +164,14 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
-@@ -90,18 +94,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- 	auth-krb5.o \
+ 	kexc25519s.o auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- 	sandbox-seccomp-filter.o
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o
 -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -185,7 +185,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 PATHSUBS	= \
 	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
 	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-@@ -164,16 +168,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
+@@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
@ -205,7 +205,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
-@@ -266,30 +273,38 @@ install-files:
+@@ -271,30 +278,38 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -244,7 +244,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 install-sysconf:
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
 		$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-@@ -309,16 +324,23 @@ install-sysconf:
+@@ -314,16 +329,23 @@ install-sysconf:
 			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
 			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
 		else \
@ -268,7 +268,7 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 		else \
 			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
 		fi ; \
-@@ -366,27 +388,30 @@ uninstall:
+@@ -377,27 +399,30 @@ uninstall:
 	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@ -299,10 +299,10 @@ diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in
 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
+diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+--- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.4p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
-@@ -1519,16 +1519,116 @@ AC_ARG_WITH([audit],
+@@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit],
 		AC_MSG_RESULT([no])
 		;;
 	  *)
@ -411,18 +411,18 @@ diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
 +)
 +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
 +
- dnl    Checks for library functions. Please keep in alphabetical order
+ AC_ARG_WITH([pie],
- AC_CHECK_FUNCS([ \
+     [  --with-pie           Build Position Independent Executables if possible], [
- 	arc4random \
+ 	if test "x$withval" = "xno"; then
- 	arc4random_buf \
+ 		use_pie=no
- 	arc4random_uniform \
+ 	fi
- 	asprintf \
+ 	if test "x$withval" = "xyes"; then
- 	b64_ntop \
+ 		use_pie=yes
- 	__b64_ntop \
+ 	fi
-diff --git a/openssh-6.4p1/ldap-helper.c b/openssh-6.4p1/ldap-helper.c
+diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldap-helper.c
+++ b/openssh-6.5p1/ldap-helper.c
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -579,10 +579,10 @@ new file mode 100644
 +void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff --git a/openssh-6.4p1/ldap-helper.h b/openssh-6.4p1/ldap-helper.h
+diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldap-helper.h
+++ b/openssh-6.5p1/ldap-helper.h
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -616,10 +616,10 @@ new file mode 100644
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff --git a/openssh-6.4p1/ldap.conf b/openssh-6.4p1/ldap.conf
+diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldap.conf
+++ b/openssh-6.5p1/ldap.conf
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -709,10 +709,10 @@ new file mode 100644
 +#tls_cert
 +#tls_key
 +
-diff --git a/openssh-6.4p1/ldapbody.c b/openssh-6.4p1/ldapbody.c
+diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapbody.c
+++ b/openssh-6.5p1/ldapbody.c
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1208,10 +1208,10 @@ new file mode 100644
 +	return;
 +}
 +
-diff --git a/openssh-6.4p1/ldapbody.h b/openssh-6.4p1/ldapbody.h
+diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapbody.h
+++ b/openssh-6.5p1/ldapbody.h
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1250,10 +1250,10 @@ new file mode 100644
 +
 +#endif /* LDAPBODY_H */
 +
-diff --git a/openssh-6.4p1/ldapconf.c b/openssh-6.4p1/ldapconf.c
+diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapconf.c
+++ b/openssh-6.5p1/ldapconf.c
@@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1937,10 +1937,10 @@ new file mode 100644
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-diff --git a/openssh-6.4p1/ldapconf.h b/openssh-6.4p1/ldapconf.h
+diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapconf.h
+++ b/openssh-6.5p1/ldapconf.h
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2013,10 +2013,10 @@ new file mode 100644
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff --git a/openssh-6.4p1/ldapincludes.h b/openssh-6.4p1/ldapincludes.h
+diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapincludes.h
+++ b/openssh-6.5p1/ldapincludes.h
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2059,10 +2059,10 @@ new file mode 100644
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff --git a/openssh-6.4p1/ldapmisc.c b/openssh-6.4p1/ldapmisc.c
+diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapmisc.c
+++ b/openssh-6.5p1/ldapmisc.c
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -2143,10 +2143,10 @@ new file mode 100644
 +}
 +#endif
 +
-diff --git a/openssh-6.4p1/ldapmisc.h b/openssh-6.4p1/ldapmisc.h
+diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ldapmisc.h
+++ b/openssh-6.5p1/ldapmisc.h
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2183,9 +2183,9 @@ new file mode 100644
 +
 +#endif /* LDAPMISC_H */
 +
-diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compat/base64.c
+diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c
--- a/openssh-6.4p1/openbsd-compat/base64.c
+--- a/openssh-6.5p1/openbsd-compat/base64.c
-+++ b/openssh-6.4p1/openbsd-compat/base64.c
+++ b/openssh-6.5p1/openbsd-compat/base64.c
@@ -41,17 +41,17 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
  * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
@ -2243,9 +2243,9 @@ diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compa
  */
 int
-diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compat/base64.h
+diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h
--- a/openssh-6.4p1/openbsd-compat/base64.h
+--- a/openssh-6.5p1/openbsd-compat/base64.h
-+++ b/openssh-6.4p1/openbsd-compat/base64.h
+++ b/openssh-6.5p1/openbsd-compat/base64.h
@@ -42,24 +42,24 @@
  * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
  */
@ -2275,10 +2275,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compa
 #endif /* HAVE___B64_PTON */
 #endif /* _BSD_BASE64_H */
-diff --git a/openssh-6.4p1/openssh-lpk-openldap.schema b/openssh-6.4p1/openssh-lpk-openldap.schema
+diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/openssh-lpk-openldap.schema
+++ b/openssh-6.5p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2301,10 +2301,10 @@ new file mode 100644
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/openssh-6.4p1/openssh-lpk-sun.schema b/openssh-6.4p1/openssh-lpk-sun.schema
+diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/openssh-lpk-sun.schema
+++ b/openssh-6.5p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2329,10 +2329,10 @@ new file mode 100644
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/openssh-6.4p1/ssh-ldap-helper.8 b/openssh-6.4p1/ssh-ldap-helper.8
+diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ssh-ldap-helper.8
+++ b/openssh-6.5p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2413,19 +2413,19 @@ new file mode 100644
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff --git a/openssh-6.4p1/ssh-ldap-wrapper b/openssh-6.4p1/ssh-ldap-wrapper
+diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ssh-ldap-wrapper
+++ b/openssh-6.5p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
 +
-diff --git a/openssh-6.4p1/ssh-ldap.conf.5 b/openssh-6.4p1/ssh-ldap.conf.5
+diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/ssh-ldap.conf.5
+++ b/openssh-6.5p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
--- a/openssh-6.5p1-login_options.patch
+++ b/openssh-6.5p1-login_options.patch
@ -4,16 +4,16 @@
 #
 # bnc#833605
-diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac
+diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
--- a/openssh-6.4p1/configure.ac
+--- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.4p1/configure.ac
+++ b/openssh-6.5p1/configure.ac
-@@ -657,16 +657,18 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary("
 	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
 	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
 	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
 	;;
 *-*-linux*)
 	no_dev_ptmx=1
 	use_pie=auto
 	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
 +	AC_DEFINE([LOGIN_NO_ENDOPT], [1],
--- a/openssh-6.5p1-no_fork-no_pid_file.patch
+++ b/openssh-6.5p1-no_fork-no_pid_file.patch
@ -1,9 +1,9 @@
 # Do not write a PID file when not daemonizing (e.g. when running from systemd)
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
-@@ -1959,17 +1959,17 @@ main(int ac, char **av)
+@@ -1973,17 +1973,17 @@ main(int ac, char **av)
 		signal(SIGCHLD, main_sigchld_handler);
 		signal(SIGTERM, sigterm_handler);
 		signal(SIGQUIT, sigterm_handler);
--- a/openssh-6.5p1-pam-check-locks.patch
+++ b/openssh-6.5p1-pam-check-locks.patch
@ -2,9 +2,9 @@
 # UsePAM is used
 # bnc#708678, FATE#312033
-diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
+diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
--- a/openssh-6.4p1/auth.c
+--- a/openssh-6.5p1/auth.c
-+++ b/openssh-6.4p1/auth.c
+++ b/openssh-6.5p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
 	struct spwd *spw = NULL;
 #endif
@ -43,9 +43,9 @@ diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c
 #endif
 #ifdef LOCKED_PASSWD_PREFIX
 		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
+diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
--- a/openssh-6.4p1/servconf.c
+--- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.4p1/servconf.c
+++ b/openssh-6.5p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
 void
@ -64,7 +64,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	options->address_family = -1;
 	options->num_host_key_files = 0;
 	options->num_host_cert_files = 0;
-@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions 
+@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions 
 }
 void
@ -83,7 +83,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 		/* fill default hostkeys for protocols */
 		if (options->protocol & SSH_PROTO_1)
 			options->host_key_files[options->num_host_key_files++] =
-@@ -315,17 +318,17 @@ fill_default_server_options(ServerOption
+@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption
 #endif
 }
@ -102,7 +102,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	sKerberosGetAFSToken,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
-@@ -360,18 +363,20 @@ typedef enum {
+@@ -365,18 +368,20 @@ typedef enum {
 static struct {
 	const char *name;
 	ServerOpCodes opcode;
@ -123,7 +123,7 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
-@@ -857,16 +862,19 @@ process_server_config_line(ServerOptions
+@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions
 		}
 	}
@ -143,10 +143,10 @@ diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c
 		/* ignore ports from configfile if cmdline specifies ports */
 		if (options->ports_from_cmdline)
 			return 0;
-diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
+diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
--- a/openssh-6.4p1/servconf.h
+--- a/openssh-6.5p1/servconf.h
-+++ b/openssh-6.4p1/servconf.h
+++ b/openssh-6.5p1/servconf.h
-@@ -161,16 +161,17 @@ typedef struct {
+@@ -162,16 +162,17 @@ typedef struct {
 					 */
 	u_int num_authkeys_files;	/* Files containing public keys */
@ -164,10 +164,10 @@ diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
+diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0
+--- a/openssh-6.5p1/sshd_config.0
-+++ b/openssh-6.4p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
-@@ -706,16 +706,24 @@ DESCRIPTION
+@@ -720,16 +720,24 @@ DESCRIPTION
              Because PAM challenge-response authentication usually serves an
              equivalent role to password authentication, you should disable
@ -192,10 +192,10 @@ diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
              privilege separation is to prevent privilege escalation by
              containing any corruption within the unprivileged processes.  The
              default is ``yes''.  If UsePrivilegeSeparation is set to
-diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
+diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+--- a/openssh-6.5p1/sshd_config.5
-+++ b/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
-@@ -1178,16 +1178,28 @@ or
+@@ -1199,16 +1199,28 @@ or
 .Pp
 If
 .Cm UsePAM
--- a/openssh-6.5p1-pam-fix2.patch
+++ b/openssh-6.5p1-pam-fix2.patch
@ -1,10 +1,10 @@
 # force PAM in defaullt install (this was removed from upstream in 3.8p1)
 # bnc#46749
-diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+--- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.4p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
-@@ -63,17 +63,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -64,17 +64,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
@ -23,8 +23,8 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
-@@ -88,17 +88,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -89,17 +89,17 @@ AuthorizedKeysFile	.ssh/authorized_keys
- # and session processing. If this is enabled, PAM authentication will 
+ # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
@ -41,4 +41,4 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
- #PrintMotd yes
+ #PermitTTY yes
--- a/openssh-6.5p1-pam-fix3.patch
+++ b/openssh-6.5p1-pam-fix3.patch
@ -1,10 +1,10 @@
 # posix threads are generally not supported nor safe
 # (see upstream log from 2005-05-24)
-diff --git a/openssh-6.4p1/auth-pam.c b/openssh-6.4p1/auth-pam.c
+diff --git a/openssh-6.5p1/auth-pam.c b/openssh-6.5p1/auth-pam.c
--- a/openssh-6.4p1/auth-pam.c
+--- a/openssh-6.5p1/auth-pam.c
-+++ b/openssh-6.4p1/auth-pam.c
+++ b/openssh-6.5p1/auth-pam.c
-@@ -779,17 +779,19 @@ sshpam_query(void *ctx, char **name, cha
+@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
 			}
 			if (type == PAM_SUCCESS) {
 				if (!sshpam_authctxt->valid ||
--- a/openssh-6.5p1-pts.patch
+++ b/openssh-6.5p1-pts.patch
@ -1,10 +1,10 @@
 # use same lines naming as utempter (prevents problems with using different
 # formats in ?tmp? files)
-diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c
+diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
--- a/openssh-6.4p1/loginrec.c
+--- a/openssh-6.5p1/loginrec.c
-+++ b/openssh-6.4p1/loginrec.c
+++ b/openssh-6.5p1/loginrec.c
-@@ -535,17 +535,17 @@ getlast_entry(struct logininfo *li)
+@@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
 /*
  * 'line' string utility functions
  *
@ -23,7 +23,7 @@ diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c
  */
-@@ -596,16 +596,20 @@ line_abbrevname(char *dst, const char *s
+@@ -599,16 +599,20 @@ line_abbrevname(char *dst, const char *s
 	/* Always skip prefix if present */
 	if (strncmp(src, "/dev/", 5) == 0)
 		src += 5;
--- a/openssh-6.5p1-saveargv-fix.patch
+++ b/openssh-6.5p1-saveargv-fix.patch
@ -0,0 +1,28 @@
 # related to bnc#49845, upstream bug #529
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
@@ -1399,17 +1399,21 @@ main(int ac, char **av)
 	saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
 	for (i = 0; i < ac; i++)
 		saved_argv[i] = xstrdup(av[i]);
 	saved_argv[i] = NULL;
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
 	compat_init_setproctitle(ac, av);
 -	av = saved_argv;
 +
 +	av = xmalloc(sizeof(*saved_argv) * (saved_argc + 1));
 +	for (i = 0; i < saved_argc; i++)
 +		av[i] = xstrdup(saved_argv[i]);
 +	av[i] = NULL;
 #endif
 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 		debug("setgroups(): %.200s", strerror(errno));
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
--- a/openssh-6.5p1-seed-prng.patch
+++ b/openssh-6.5p1-seed-prng.patch
@ -1,9 +1,9 @@
 # extended support for (re-)seeding the OpenSSL PRNG from /dev/random
 # bnc#703221, FATE#312172
-diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
+diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c
--- a/openssh-6.4p1/audit-bsm.c
+--- a/openssh-6.5p1/audit-bsm.c
-+++ b/openssh-6.4p1/audit-bsm.c
+++ b/openssh-6.5p1/audit-bsm.c
@@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char 
 	/* not implemented */
 }
@ -20,9 +20,9 @@ diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
+diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c
--- a/openssh-6.4p1/audit-linux.c
+--- a/openssh-6.5p1/audit-linux.c
-+++ b/openssh-6.4p1/audit-linux.c
+++ b/openssh-6.5p1/audit-linux.c
@@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons
 	}
 	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
@ -55,9 +55,9 @@ diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
+diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c
--- a/openssh-6.4p1/audit.c
+--- a/openssh-6.5p1/audit.c
-+++ b/openssh-6.4p1/audit.c
+++ b/openssh-6.5p1/audit.c
@@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char 
 /*
  * This will be called on generation of the ephemeral server key
@ -75,9 +75,9 @@ diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
+diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
--- a/openssh-6.4p1/audit.h
+--- a/openssh-6.5p1/audit.h
-+++ b/openssh-6.4p1/audit.h
+++ b/openssh-6.5p1/audit.h
@@ -63,10 +63,11 @@ void	audit_key(int, int *, const Key *);
 void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
@ -90,9 +90,9 @@ diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h
 +void	audit_linux_prng_seed(long, const char *);
 #endif /* _SSH_AUDIT_H */
-diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
+diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c
--- a/openssh-6.4p1/entropy.c
+--- a/openssh-6.5p1/entropy.c
-+++ b/openssh-6.4p1/entropy.c
+++ b/openssh-6.5p1/entropy.c
@@ -45,16 +45,17 @@
 #include "ssh.h"
@ -126,17 +126,17 @@ diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
 }
-diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-compat/Makefile.in
+diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in
--- a/openssh-6.4p1/openbsd-compat/Makefile.in
+--- a/openssh-6.5p1/openbsd-compat/Makefile.in
-+++ b/openssh-6.4p1/openbsd-compat/Makefile.in
+++ b/openssh-6.5p1/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
 RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
- OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
+ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
- COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 +PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@ -148,10 +148,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-co
 $(COMPAT): ../config.h
 $(OPENBSD): ../config.h
-diff --git a/openssh-6.4p1/openbsd-compat/port-linux-prng.c b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
+diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/openbsd-compat/port-linux-prng.c
+++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,79 @@
 +/*
 + * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -232,9 +232,9 @@ new file mode 100644
 +			fatal ("EOF reading %s", random);
 +	}
 +}
-diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-compat/port-linux.h
+diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h
--- a/openssh-6.4p1/openbsd-compat/port-linux.h
+--- a/openssh-6.5p1/openbsd-compat/port-linux.h
-+++ b/openssh-6.4p1/openbsd-compat/port-linux.h
+++ b/openssh-6.5p1/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
@ -256,10 +256,10 @@ diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-c
 void ssh_selinux_setfscreatecon(const char *);
 #endif
-diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1
+diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1
--- a/openssh-6.4p1/ssh-add.1
+--- a/openssh-6.5p1/ssh-add.1
-+++ b/openssh-6.4p1/ssh-add.1
+++ b/openssh-6.5p1/ssh-add.1
-@@ -155,16 +155,30 @@ or related script.
+@@ -156,16 +156,30 @@ or related script.
 (Note that on some machines it
 may be necessary to redirect the input from
 .Pa /dev/null
@ -290,10 +290,10 @@ diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1
 .It Pa ~/.ssh/id_dsa
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa
-diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1
+diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1
--- a/openssh-6.4p1/ssh-agent.1
+--- a/openssh-6.5p1/ssh-agent.1
-+++ b/openssh-6.4p1/ssh-agent.1
+++ b/openssh-6.5p1/ssh-agent.1
-@@ -193,16 +193,33 @@ Contains the protocol version 2 ECDSA au
+@@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519 
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
@ -327,10 +327,10 @@ diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
-diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1
+diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1
--- a/openssh-6.4p1/ssh-keygen.1
+--- a/openssh-6.5p1/ssh-keygen.1
-+++ b/openssh-6.4p1/ssh-keygen.1
+++ b/openssh-6.5p1/ssh-keygen.1
-@@ -800,16 +800,33 @@ on all machines
+@@ -827,16 +827,33 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@ -364,14 +364,14 @@ diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1
 .Xr sshd 8
 .Rs
 .%R RFC 4716
-diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8
+diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8
--- a/openssh-6.4p1/ssh-keysign.8
+--- a/openssh-6.5p1/ssh-keysign.8
-+++ b/openssh-6.4p1/ssh-keysign.8
+++ b/openssh-6.5p1/ssh-keysign.8
-@@ -73,16 +73,33 @@ Since they are readable only by root,
+@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
 must be set-uid root if host-based authentication is used.
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
 .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
@ -401,10 +401,10 @@ diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8
 .Sh HISTORY
 .Nm
 first appeared in
-diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1
+diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1
--- a/openssh-6.4p1/ssh.1
+--- a/openssh-6.5p1/ssh.1
-+++ b/openssh-6.4p1/ssh.1
+++ b/openssh-6.5p1/ssh.1
-@@ -1290,16 +1290,30 @@ reads
+@@ -1304,16 +1304,30 @@ reads
 and adds lines of the format
 .Dq VARNAME=value
 to the environment if the file exists and users are allowed to
@ -435,10 +435,10 @@ diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1
 world-readable if the user's home directory is on an NFS partition,
 because
 .Xr sshd 8
-diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
+diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8
--- a/openssh-6.4p1/sshd.8
+--- a/openssh-6.5p1/sshd.8
-+++ b/openssh-6.4p1/sshd.8
+++ b/openssh-6.5p1/sshd.8
-@@ -941,16 +941,33 @@ and not group or world-writable.
+@@ -946,16 +946,33 @@ and not group or world-writable.
 .It Pa /var/run/sshd.pid
 Contains the process ID of the
 .Nm
@ -472,9 +472,9 @@ diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
-diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
+diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.4p1/sshd.c
+--- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.4p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -50,16 +50,18 @@
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
@ -518,7 +518,7 @@ diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c
 /* This is set to true when a signal is received. */
 static volatile sig_atomic_t received_sighup = 0;
 static volatile sig_atomic_t received_sigterm = 0;
-@@ -1300,16 +1309,21 @@ server_accept_loop(int *sock_in, int *so
+@@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so
 			for (j = 0; j < options.max_startups; j++)
 				if (startup_pipes[j] == -1) {
 					startup_pipes[j] = startup_p[0];
--- a/openssh-6.5p1-send_locale.patch
+++ b/openssh-6.5p1-send_locale.patch
@ -1,9 +1,9 @@
 # send locales in default configuration
 # bnc#65747
-diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
+diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
--- a/openssh-6.4p1/ssh_config
+--- a/openssh-6.5p1/ssh_config
-+++ b/openssh-6.4p1/ssh_config
+++ b/openssh-6.5p1/ssh_config
@@ -58,9 +58,14 @@ ForwardX11Trusted yes
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -19,10 +19,10 @@ diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config
 +SendEnv LC_IDENTIFICATION LC_ALL
 +
 #   RekeyLimit 1G 1h
-diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
+diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
--- a/openssh-6.4p1/sshd_config
+--- a/openssh-6.5p1/sshd_config
-+++ b/openssh-6.4p1/sshd_config
+++ b/openssh-6.5p1/sshd_config
-@@ -125,13 +125,18 @@ UsePrivilegeSeparation sandbox		# Defaul
+@@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox		# Defaul
 #VersionAddendum none
 # no default banner path
@ -40,4 +40,5 @@ diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
--- a/openssh-6.5p1-sftp_force_permissions.patch
+++ b/openssh-6.5p1-sftp_force_permissions.patch
@ -0,0 +1,155 @@
 # additional option for sftp-server to force file mode for new files
 # FATE#312774
 # http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
 # http://marc.info/?l=openssh-unix-dev&m=128896838930893
 diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8
 --- a/openssh-6.5p1/sftp-server.8
 +++ b/openssh-6.5p1/sftp-server.8
@@ -33,16 +33,17 @@
 .Bk -words
 .Op Fl ehR
 .Op Fl d Ar start_directory
 .Op Fl f Ar log_facility
 .Op Fl l Ar log_level
 .Op Fl P Ar blacklisted_requests
 .Op Fl p Ar whitelisted_requests
 .Op Fl u Ar umask
 +.Op Fl m Ar force_file_permissions
 .Ek
 .Nm
 .Fl Q Ar protocol_feature
 .Sh DESCRIPTION
 .Nm
 is a program that speaks the server side of SFTP protocol
 to stdout and expects client requests from stdin.
 .Nm
@@ -133,16 +134,20 @@ Places this instance of
 into a read-only mode.
 Attempts to open files for writing, as well as other operations that change
 the state of the filesystem, will be denied.
 .It Fl u Ar umask
 Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
 +.It Fl m Ar force_file_permissions
 +Sets explicit file permissions to be applied to newly-created files instead
 +of the default or client requested mode.  Numeric values include:
 +777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
 .El
 .Pp
 For logging to work,
 .Nm
 must be able to access
 .Pa /dev/log .
 Use of
 .Nm
 diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c
 --- a/openssh-6.5p1/sftp-server.c
 +++ b/openssh-6.5p1/sftp-server.c
@@ -75,16 +75,20 @@ static u_int version;
 static int init_done;
 /* Disable writes */
 static int readonly;
 /* Requests that are allowed/denied */
 static char *request_whitelist, *request_blacklist;
 +/* Force file permissions */
 +int permforce = 0;
 +long permforcemode;
 +
 /* portable attributes, etc. */
 typedef struct Stat Stat;
 struct Stat {
 	char *name;
 	char *long_name;
 	Attrib attrib;
 };
@@ -670,16 +674,20 @@ process_open(u_int32_t id)
 	int handle, fd, flags, mode, status = SSH2_FX_FAILURE;
 	name = get_string(NULL);
 	pflags = get_int();		/* portable flags */
 	debug3("request %u: open flags %d", id, pflags);
 	a = get_attrib();
 	flags = flags_from_portable(pflags);
 	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
 +    if (permforce == 1) {
 +        mode = permforcemode;
 +        (void)umask(0); /* so umask does not interfere */
 +    }
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
 	    ((flags & O_ACCMODE) == O_WRONLY ||
 	    (flags & O_ACCMODE) == O_RDWR)) {
 		verbose("Refusing open request in read-only mode");
 	  	status = SSH2_FX_PERMISSION_DENIED;
 	} else {
@@ -1425,17 +1433,18 @@ sftp_server_cleanup_exit(int i)
 static void
 sftp_server_usage(void)
 {
 	extern char *__progname;
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 	    "[-l log_level]\n\t[-P blacklisted_requests] "
 -	    "[-p whitelisted_requests] [-u umask]\n"
 +	    "[-p whitelisted_requests] [-u umask]\n\t"
 +	    "[-m force_file_permissions]\n",
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
 }
 int
 sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 {
@@ -1450,17 +1459,17 @@ sftp_server_main(int argc, char **argv, 
 	extern char *__progname;
 	__progname = ssh_get_progname(argv[0]);
 	log_init(__progname, log_level, log_facility, log_stderr);
 	pw = pwcopy(user_pw);
 	while (!skipargs && (ch = getopt(argc, argv,
 -	    "d:f:l:P:p:Q:u:cehR")) != -1) {
 +	    "d:f:l:P:p:Q:u:m:cehR")) != -1) {
 		switch (ch) {
 		case 'Q':
 			if (strcasecmp(optarg, "requests") != 0) {
 				fprintf(stderr, "Invalid query type\n");
 				exit(1);
 			}
 			for (i = 0; handlers[i].handler != NULL; i++)
 				printf("%s\n", handlers[i].name);
@@ -1510,16 +1519,23 @@ sftp_server_main(int argc, char **argv, 
 		case 'u':
 			errno = 0;
 			mask = strtol(optarg, &cp, 8);
 			if (mask < 0 || mask > 0777 || *cp != '\0' ||
 			    cp == optarg || (mask == 0 && errno != 0))
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;
 +        case 'm':
 +            permforce = 1;
 +            permforcemode = strtol(optarg, &cp, 8);
 +            if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
 +                cp == optarg || (permforcemode == 0 && errno != 0))
 +                fatal("Invalid umask \"%s\"", optarg);
 +            break;
 		case 'h':
 		default:
 			sftp_server_usage();
 		}
 	}
 	log_init(__progname, log_level, log_facility, log_stderr);
--- a/openssh-6.5p1-sftp_homechroot.patch
+++ b/openssh-6.5p1-sftp_homechroot.patch
@ -1,8 +1,8 @@
 # run sftp sessions inside a chroot
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
@@ -120,16 +120,18 @@ int	do_exec(Session *, const char *);
 void	do_login(Session *, const char *);
 #ifdef LOGIN_NEEDS_UTMPX
@ -22,13 +22,13 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 /* import */
 extern ServerOptions options;
 extern char *__progname;
-@@ -818,16 +820,21 @@ do_exec(Session *s, const char *command)
+@@ -827,16 +829,21 @@ do_exec(Session *s, const char *command)
- 		if (IS_INTERNAL_SFTP(command)) {
+ 		    "subsystem '%.900s'", s->subsys);
- 			s->is_subsystem = s->is_subsystem ?
+ 	} else if (command == NULL) {
- 			    SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR;
+ 		snprintf(session_type, sizeof(session_type), "shell");
- 		} else if (s->is_subsystem)
+ 	} else {
- 			s->is_subsystem = SUBSYSTEM_EXT;
+ 		/* NB. we don't log unforced commands to preserve privacy */
- 		debug("Forced command (key option) '%.900s'", command);
+ 		snprintf(session_type, sizeof(session_type), "command");
 	}
 +	if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
@ -36,15 +36,15 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 +		exit (1);
 +	}
 +
- #ifdef SSH_AUDIT_EVENTS
+ 	if (s->ttyfd != -1) {
- 	if (s->command != NULL || s->command_handle != -1)
+ 		tty = s->tty;
- 		fatal("do_exec: command already set");
+ 		if (strncmp(tty, "/dev/", 5) == 0)
- 	if (command != NULL)
+ 			tty += 5;
- 		s->command = xstrdup(command);
+ 	}
 	else if (s->ttyfd == -1) {
 		char *shell = s->pw->pw_shell;
-@@ -1435,67 +1442,132 @@ do_nologin(struct passwd *pw)
+ 	verbose("Starting session: %s%s%s for %s from %.200s port %d",
 	    session_type,
@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw)
  		while (fgets(buf, sizeof(buf), f))
  			fputs(buf, stderr);
  		fclose(f);
@ -179,10 +179,10 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 do_setusercontext(struct passwd *pw)
 {
 	char *chroot_path, *tmp;
-diff --git a/openssh-6.4p1/sftp-chrootenv.h b/openssh-6.4p1/sftp-chrootenv.h
+diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h
 new file mode 100644
 --- /dev/null
-+++ b/openssh-6.4p1/sftp-chrootenv.h
+++ b/openssh-6.5p1/sftp-chrootenv.h
@@ -0,0 +1,30 @@
 +/*
 + * Copyright (c) 2009 Jan F Chadima.  All rights reserved.
@ -214,10 +214,10 @@ new file mode 100644
 +
 +#endif
 +
-diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
+diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c
--- a/openssh-6.4p1/sftp-common.c
+--- a/openssh-6.5p1/sftp-common.c
-+++ b/openssh-6.4p1/sftp-common.c
+++ b/openssh-6.5p1/sftp-common.c
-@@ -41,16 +41,17 @@
+@@ -42,16 +42,17 @@
 #endif
 #include "xmalloc.h"
@ -235,13 +235,13 @@ diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
 	a->flags = 0;
 	a->size = 0;
 	a->uid = 0;
-@@ -191,23 +192,23 @@ ls_file(const char *name, const struct s
+@@ -193,23 +194,23 @@ ls_file(const char *name, const struct s
 {
 	int ulen, glen, sz = 0;
 	struct tm *ltime = localtime(&st->st_mtime);
 	char *user, *group;
 	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
 	char sbuf[FMT_SCALED_STRSIZE];
 	time_t now;
 	strmode(st->st_mode, mode);
 -	if (!remote) {
@ -259,11 +259,11 @@ diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c
 		group = gbuf;
 	}
 	if (ltime != NULL) {
- 		if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
+ 		now = time(NULL);
- 			sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
+ 		if (now - (365*24*60*60)/2 < st->st_mtime &&
-diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c
+diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c
--- a/openssh-6.4p1/sftp-server-main.c
+--- a/openssh-6.5p1/sftp-server-main.c
-+++ b/openssh-6.4p1/sftp-server-main.c
+++ b/openssh-6.5p1/sftp-server-main.c
@@ -17,21 +17,24 @@
 #include "includes.h"
@ -289,10 +289,10 @@ diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c
 int
 main(int argc, char **argv)
-diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c
+diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c
--- a/openssh-6.4p1/sftp.c
+--- a/openssh-6.5p1/sftp.c
-+++ b/openssh-6.4p1/sftp.c
+++ b/openssh-6.5p1/sftp.c
-@@ -106,16 +106,18 @@ struct complete_ctx {
+@@ -109,16 +109,18 @@ struct complete_ctx {
 	char **remote_pathp;
 };
@ -311,9 +311,9 @@ diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c
 #define LS_SHORT_VIEW	0x0002	/* Single row view ala ls -1 */
 #define LS_NUMERIC_VIEW	0x0004	/* Long view with numeric uid/gid */
 #define LS_NAME_SORT	0x0008	/* Sort by name (default) */
-diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
+diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0
--- a/openssh-6.4p1/sshd_config.0
+--- a/openssh-6.5p1/sshd_config.0
-+++ b/openssh-6.4p1/sshd_config.0
+++ b/openssh-6.5p1/sshd_config.0
@@ -189,16 +189,24 @@ DESCRIPTION
              session this requires at least a shell, typically sh(1), and
              basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
@ -335,13 +335,13 @@ diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0
      Ciphers
              Specifies the ciphers allowed for protocol version 2.  Multiple
-              ciphers must be comma-separated.  The supported ciphers are
+              ciphers must be comma-separated.  The supported ciphers are:
              ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
              ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
-              ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
+diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
-diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
+--- a/openssh-6.5p1/sshd_config.5
--- a/openssh-6.4p1/sshd_config.5
+++ b/openssh-6.5p1/sshd_config.5
 +++ b/openssh-6.4p1/sshd_config.5
@@ -324,16 +324,27 @@ For file transfer sessions using
 no additional configuration of the environment is necessary if the
 in-process sftp server is used,
@ -367,6 +367,6 @@ diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
- The supported ciphers are
+ The supported ciphers are:
 .Pp
 .Dq 3des-cbc ,
 .Dq aes128-cbc ,
--- a/openssh-6.5p1-xauth.patch
+++ b/openssh-6.5p1-xauth.patch
@ -1,10 +1,10 @@
 # try to remove xauth cookies on logout
 # bnc#98815
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
-@@ -2477,18 +2477,50 @@ session_exit_message(Session *s, int sta
+@@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta
 	if (c->ostate != CHAN_OUTPUT_CLOSED)
 		chan_write_failed(c);
 }
--- a/openssh-6.5p1-xauthlocalhostname.patch
+++ b/openssh-6.5p1-xauthlocalhostname.patch
@ -1,10 +1,10 @@
 # handle hostname changes when forwarding X
 # bnc#98627
-diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
+diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
--- a/openssh-6.4p1/session.c
+--- a/openssh-6.5p1/session.c
-+++ b/openssh-6.4p1/session.c
+++ b/openssh-6.5p1/session.c
-@@ -1118,17 +1118,17 @@ copy_environment(char **source, char ***
+@@ -1141,17 +1141,17 @@ copy_environment(char **source, char ***
 		debug3("Copy environment: %s=%s", var_name, var_val);
 		child_set_env(env, envsize, var_name, var_val);
@ -23,7 +23,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 	char *path = NULL;
 #endif
-@@ -1305,25 +1305,27 @@ do_setup_env(Session *s, const char *she
+@@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she
 		read_environment_file(&env, &envsize, buf);
 	}
 	if (debug_flag) {
@ -52,7 +52,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	do_xauth =
 	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-@@ -1367,22 +1369,30 @@ do_rc_files(Session *s, const char *shel
+@@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel
 			    "%.500s add %.100s %.100s %.100s\n",
 			    options.xauth_location, s->auth_display,
 			    s->auth_proto, s->auth_data);
@ -83,7 +83,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 }
 static void
-@@ -1631,16 +1641,17 @@ child_close_fds(void)
+@@ -1659,16 +1669,17 @@ child_close_fds(void)
  * ids, and executing the command or shell.
  */
 #define ARGV_MAX 10
@ -101,7 +101,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	/* remove hostkey from the child's memory */
 	destroy_sensitive_data();
-@@ -1697,17 +1708,17 @@ do_child(Session *s, const char *command
+@@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command
 	 * legal, and means /bin/sh.
 	 */
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
@ -120,7 +120,7 @@ diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c
 	/* we have to stash the hostname before we close our socket. */
 	if (options.use_login)
 		hostname = get_remote_name_or_ip(utmp_len,
-@@ -1766,17 +1777,17 @@ do_child(Session *s, const char *command
+@@ -1794,17 +1805,17 @@ do_child(Session *s, const char *command
 			    strerror(errno));
 		if (r)
 			exit(1);
--- a/openssh-6.5p1.tar.gz
+++ b/openssh-6.5p1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
 size 1293187
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
 - Update of the underlying OpenSSH to 6.5p1
 -------------------------------------------------------------------
 Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -26,7 +26,7 @@ BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
 BuildRequires:  tcpd-devel
 BuildRequires:  update-desktop-files
-Version:        6.4p1
+Version:        6.5p1
 Release:        0
 Requires:       openssh = %{version}
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,98 @@
 -------------------------------------------------------------------
 Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
 - Update to 6.5p1
  Features since 6.4p1:
  * ssh(1), sshd(8): support for key exchange using ECDH in
    Daniel Bernstein's Curve25519; default when both the client
    and server support it.
  * ssh(1), sshd(8): support for Ed25519 as a public key type fo
    rboth server and client.  Ed25519 is an EC signature offering
    better security than ECDSA and DSA and good performance.
  * Add a new private key format that uses a bcrypt KDF to better
    protect keys at rest. Used unconditionally for Ed25519 keys,
    on demand for other key types via the -o ssh-keygen(1)
    option.  Intended to become default in the near future.
    Details documented in PROTOCOL.key.
  * ssh(1), sshd(8): new transport cipher
    "chacha20-poly1305@openssh.com" combining Daniel Bernstein's
    ChaCha20 stream cipher and Poly1305 MAC to build an
    authenticated encryption mode. Details documented
    PROTOCOL.chacha20poly1305.
  * ssh(1), sshd(8): refuse RSA keys from old proprietary clients
    and servers that use the obsolete RSA+MD5 signature scheme.
    It will still be possible to connect with these
    clients/servers but only DSA keys will be accepted, and
    OpenSSH will refuse connection entirely in a future release.
  * ssh(1), sshd(8): refuse old proprietary clients and servers
    that use a weaker key exchange hash calculation.
  * ssh(1): increase the size of the Diffie-Hellman groups
    requested for each symmetric key size. New values from NIST
    Special Publication 800-57 with the upper limit specified by
    RFC4419.
  * ssh(1), ssh-agent(1): support pkcs#11 tokens that only
    provide X.509 certs instead of raw public keys (requested as
    bz#1908).
  * ssh(1): new ssh_config(5) "Match" keyword that allows
    conditional configuration to be applied by matching on
    hostname, user and result of arbitrary commands.
  * ssh(1): support for client-side hostname canonicalisation
    using a set of DNS suffixes and rules in ssh_config(5). This
    allows unqualified names to be canonicalised to
    fully-qualified domain names to eliminate ambiguity when
    looking up keys in known_hosts or checking host certificate
    names.
  * sftp-server(8): ability to whitelist and/or blacklist sftp
    protocol requests by name.
  * sftp-server(8): sftp "fsync@openssh.com" to support calling
    fsync(2) on an open file handle.
  * sshd(8): ssh_config(5) PermitTTY to disallow TTY allocation,
    mirroring the longstanding no-pty authorized_keys option.
  * ssh(1): ssh_config ProxyUseFDPass option that supports the
    use of ProxyCommands that establish a connection and then
    pass a connected file descriptor back to ssh(1). This allows
    the ProxyCommand to exit rather than staying around to
    transfer data.
  Bugfixes since 6.4p1:
  * ssh(1), sshd(8): fix potential stack exhaustion caused by
    nested certificates.
  * ssh(1): bz#1211: make BindAddress work with
    UsePrivilegedPort.
  * sftp(1): bz#2137: fix the progress meter for resumed
    transfer.
  * ssh-add(1): bz#2187: do not request smartcard PIN when
    removing keys from ssh-agent.
  * sshd(8): bz#2139: fix re-exec fallback when original sshd
    binary cannot be executed.
  * ssh-keygen(1): make relative-specified certificate expiry
    times relative to current time and not the validity start
    time.
  * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match
    block.
  * sftp(1): bz#2129: symlinking a file would incorrectly
    canonicalise the target path.
  * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11
    agent helper executable.
  * sshd(8): improve logging of sessions to include the user
    name, remote host and port, the session type (shell, command,
    etc.) and allocated TTY (if any).
  * sshd(8): bz#1297: tell the client (via a debug message) when
    their preferred listen address has been overridden by the
    server's GatewayPorts setting.
  * sshd(8): bz#2162: include report port in bad protocol banner
    message.
  * sftp(1): bz#2163: fix memory leak in error path in
    do_readdir().
  * sftp(1): bz#2171: don't leak file descriptor on error.
  * sshd(8): include the local address and port in "Connection
    from ..." message (only shown at loglevel>=verbose).
 - systemd systems
  * create sysconfig file on systemd systems as well, yet do not
    require it at run-time (bnc#862600)
  * symlink rcsshd to /usr/bin/service
 - rename "-forcepermissions" patch to "-sftp_force_permissions"
 - disable key converter - ssh-keygen is able to do the same
 -------------------------------------------------------------------
 Tue Feb 11 07:42:09 UTC 2014 - meissner@suse.com
--- a/openssh.spec
+++ b/openssh.spec
@ -41,17 +41,22 @@
 %endif
 %if 0%{?suse_version} > 1140
 %define has_systemd 1
 %define has_krb_mini 1
 %else
 %define has_systemd 0
 %define has_krb_mini 0
 %endif
-%if 0%{?suse_version} >= 1230
+%if 0%{?suse_version} > 1220
-%define init_script_allowed 0
+%define uses_systemd 1
 %else
-%define init_script_allowed 1
+%define uses_systemd 0
 %endif
 %define sandbox_seccomp 0
 %ifarch %ix86 x86_64
 %if 0%{?suse_version} > 1220
 %define sandbox_seccomp 1
 %endif
 %endif
 %define _fwdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d
@ -77,17 +82,16 @@ BuildRequires:  libselinux-devel
 BuildRequires:  openldap2-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
-%if %{has_systemd}
+%if %{uses_systemd}
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %endif
 BuildRequires:  tcpd-devel
 Requires:       /bin/netstat
 PreReq:         pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
 Conflicts:      nonfreessh
 Recommends:     xauth
 Recommends:     %{name}-helpers
-Version:        6.4p1
+Version:        6.5p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-3-Clause and MIT
@ -104,40 +108,41 @@ Source7:        sshd.fw
 Source8:        sysconfig.ssh
 Source9:        sshd-gen-keys-start
 Source10:       sshd.service
-Patch1:         openssh-6.4p1-key-converter.patch
+Patch1:         openssh-6.5p1-key-converter.patch
-Patch2:         openssh-6.4p1-X11-forwarding.patch
+Patch2:         openssh-6.5p1-X11-forwarding.patch
-Patch3:         openssh-6.4p1-lastlog.patch
+Patch3:         openssh-6.5p1-lastlog.patch
-Patch4:         openssh-6.4p1-pam-fix2.patch
+Patch4:         openssh-6.5p1-pam-fix2.patch
-Patch5:         openssh-6.4p1-saveargv-fix.patch
+Patch5:         openssh-6.5p1-saveargv-fix.patch
-Patch6:         openssh-6.4p1-pam-fix3.patch
+Patch6:         openssh-6.5p1-pam-fix3.patch
-Patch7:         openssh-6.4p1-gssapimitm.patch
+Patch7:         openssh-6.5p1-gssapimitm.patch
-Patch8:         openssh-6.4p1-eal3.patch
+Patch8:         openssh-6.5p1-eal3.patch
-Patch9:         openssh-6.4p1-blocksigalrm.patch
+Patch9:         openssh-6.5p1-blocksigalrm.patch
-Patch10:        openssh-6.4p1-send_locale.patch
+Patch10:        openssh-6.5p1-send_locale.patch
-Patch11:        openssh-6.4p1-xauthlocalhostname.patch
+Patch11:        openssh-6.5p1-xauthlocalhostname.patch
-Patch12:        openssh-6.4p1-xauth.patch
+Patch12:        openssh-6.5p1-xauth.patch
-Patch13:        openssh-6.4p1-default-protocol.patch
+Patch13:        openssh-6.5p1-default-protocol.patch
-Patch14:        openssh-6.4p1-pts.patch
+Patch14:        openssh-6.5p1-pts.patch
-Patch15:        openssh-6.4p1-pam-check-locks.patch
+Patch15:        openssh-6.5p1-pam-check-locks.patch
-Patch16:        openssh-6.4p1-fingerprint_hash.patch
+Patch16:        openssh-6.5p1-fingerprint_hash.patch
-Patch17:        openssh-6.4p1-audit1-remove_duplicit_audit.patch
+Patch17:        openssh-6.5p1-audit1-remove_duplicit_audit.patch
-Patch18:        openssh-6.4p1-audit2-better_audit_of_user_actions.patch
+Patch18:        openssh-6.5p1-audit2-better_audit_of_user_actions.patch
-Patch19:        openssh-6.4p1-audit3-key_auth_usage.patch
+Patch19:        openssh-6.5p1-audit3-key_auth_usage.patch
-Patch20:        openssh-6.4p1-audit4-kex_results.patch
+Patch20:        openssh-6.5p1-audit4-kex_results.patch
-Patch21:        openssh-6.4p1-audit5-session_key_destruction.patch
+Patch21:        openssh-6.5p1-audit5-session_key_destruction.patch
-Patch22:        openssh-6.4p1-audit6-server_key_destruction.patch
+Patch22:        openssh-6.5p1-audit6-server_key_destruction.patch
-Patch23:        openssh-6.4p1-audit7-libaudit_compat.patch
+Patch23:        openssh-6.5p1-audit7-libaudit_compat.patch
-Patch24:        openssh-6.4p1-audit8-libaudit_dns_timeouts.patch
+Patch24:        openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
-Patch25:        openssh-6.4p1-seed-prng.patch
+Patch25:        openssh-6.5p1-seed-prng.patch
-Patch26:        openssh-6.4p1-ldap.patch
+Patch26:        openssh-6.5p1-ldap.patch
-Patch27:        openssh-6.4p1-fips.patch
+Patch27:        openssh-6.5p1-fips.patch
-Patch28:        openssh-6.4p1-gssapi_key_exchange.patch
+Patch28:        openssh-6.5p1-gssapi_key_exchange.patch
-Patch29:        openssh-6.4p1-login_options.patch
+Patch29:        openssh-6.5p1-login_options.patch
-Patch30:        openssh-6.4p1-disable-openssl-abi-check.patch
+Patch30:        openssh-6.5p1-disable-openssl-abi-check.patch
-Patch31:        openssh-6.4p1-no_fork-no_pid_file.patch
+Patch31:        openssh-6.5p1-no_fork-no_pid_file.patch
-Patch32:        openssh-6.4p1-host_ident.patch
+Patch32:        openssh-6.5p1-host_ident.patch
-Patch33:        openssh-6.4p1-sftp_homechroot.patch
+Patch33:        openssh-6.5p1-sftp_homechroot.patch
-Patch34:        openssh-6.4p1-forcepermissions.patch
+Patch34:        openssh-6.5p1-sftp_force_permissions.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -162,7 +167,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %prep
 %setup -q
-%patch1 -p2
+#patch1 -p2
 %patch2 -p2
 %patch3 -p2
 %patch4 -p2
@ -195,7 +200,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %patch31 -p2
 %patch32 -p2
 %patch33 -p2
-%patch34 -p1
+%patch34 -p2
 cp %{SOURCE3} %{SOURCE4} .
 %build
@ -212,14 +217,14 @@ PIEFLAGS="-fPIE"
 PIEFLAGS="-fpie"
 %endif
 CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
-%if 0%{?suse_version} < 1230
+#%if 0%{?suse_version} < 1230
-CFLAGS="-lrt $CFLAGS"
+#CFLAGS="-lrt $CFLAGS"
-%endif
+#%endif
 CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
 LDFLAGS="-pie -Wl,--as-needed"
-%if 0%{?suse_version} < 1230
+#%if 0%{?suse_version} < 1230
-LDFLAGS="-lrt $LDFLAGS"
+#LDFLAGS="-lrt $LDFLAGS"
-%endif
+#%endif
 #CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
 export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 ./configure \
@ -232,14 +237,18 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 %if %{has_libselinux}
    --with-selinux \
 %endif
-%if %{has_systemd}
+%if %{uses_systemd}
    --with-pid-dir=/run \
 %endif
    --with-ssl-engine \
    --with-pam \
    --with-kerberos5=%{_prefix} \
    --with-privsep-path=/var/lib/empty \
 %if %{sandbox_seccomp}
    --with-sandbox=seccomp_filter \
 %else
    --with-sandbox=rlimit \
 %endif
 %ifnarch s390 s390x
    --with-opensc \
 %endif
@ -253,24 +262,28 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
    --target=%{_target_cpu}-suse-linux \
 ### configure end
-make -j 1
+make %{?_smp_mflags}
-make -j 1 -C converter
+#make %{?_smp_mflags} -C converter
 %install
 make install DESTDIR=%{buildroot}
-make install DESTDIR=%{buildroot} -C converter
+#make install DESTDIR=%{buildroot} -C converter
 install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
 install -d -m 755 %{buildroot}/var/lib/sshd
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sshd
 install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -d -m 755 %{buildroot}%{_initddir}
-%if %{init_script_allowed}
+%if %{uses_systemd}
-install -m 755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
+install -m 0755 %{SOURCE1} .
-ln -vs ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
+install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
 %else
-install -m 755 %{SOURCE1} .
+install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
 install -m 0644 %{SOURCE10} .
 ln -s ../..%{_initddir}/sshd %{buildroot}%{_sbindir}/rcsshd
 %endif
 install -d -m 755 %{buildroot}/var/adm/fillup-templates
 install -m 644 %{SOURCE8} %{buildroot}/var/adm/fillup-templates
@ -289,44 +302,38 @@ install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
 # askpass wrapper
 sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass
 rm -f %{buildroot}%{_datadir}/Ssh.bin
-
+# sshd keys generator wrapper
 %if %{has_systemd}
 install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
 %endif
 %pre
 getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd
 getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
-%if %{has_systemd}
+%if %{uses_systemd}
 %service_add_pre sshd.service
 %endif
 %post
-%if %{init_script_allowed}
+%if %{uses_systemd}
-%{fillup_and_insserv -n ssh sshd}
+%{fillup_only -n ssh sshd}
 %endif
 %if %{has_systemd}
 %service_add_post sshd.service
 %else
 %{fillup_and_insserv -n ssh sshd}
 %endif
 %preun
-%if %{init_script_allowed}
+%if %{uses_systemd}
 %stop_on_removal sshd
 %endif
 %if %{has_systemd}
 %service_del_preun sshd.service
 %else
 %stop_on_removal sshd
 %endif
 %postun
-%if %{init_script_allowed}
+%if %{uses_systemd}
 %service_del_postun sshd.service
 %else
 %restart_on_update sshd
 %{insserv_cleanup}
 %endif
 %if %{has_systemd}
 %service_del_postun sshd.service
 %endif
 %files
 %defattr(-,root,root)
@ -337,10 +344,12 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
 %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %verify(not mode) %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
-%if %{init_script_allowed}
+%if %{uses_systemd}
 %attr(0755,root,root) %config %{_initddir}/sshd
 %else
 %doc sshd.init
 %attr(0644,root,root) %config %{_unitdir}/sshd.service
 %else
 %attr(0755,root,root) %config %{_initddir}/sshd
 %doc sshd.service
 %endif
 %attr(0755,root,root) %{_bindir}/*
 %attr(0755,root,root) %{_sbindir}/*
@ -353,10 +362,6 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg
 /var/adm/fillup-templates/sysconfig.ssh
 %if %{has_systemd}
 %{_sbindir}/sshd-gen-keys-start
 %{_unitdir}/sshd.service
 %endif
 %if %{has_fw_dir}
 %if %{needs_all_dirs}
 %dir %{_fwdir}
--- a/sshd.init
+++ b/sshd.init
@ -56,7 +56,7 @@ rc_reset
 case "$1" in
    start)
-        ssh-keygen -A
+        /usr/sbin/sshd-gen-keys-start
        echo -n "Starting SSH daemon"
        ## Start daemon with startproc(8). If this fails
        ## the echo return value is set appropriate.
--- a/sshd.service
+++ b/sshd.service
@ -3,7 +3,7 @@ Description=OpenSSH Daemon
 After=network.target
 [Service]
-EnvironmentFile=/etc/sysconfig/ssh
+EnvironmentFile=-/etc/sysconfig/ssh
 ExecStartPre=/usr/sbin/sshd-gen-keys-start
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
 ExecReload=/bin/kill -HUP $MAINPID