Accepting request 226334 from home:pcerny:factory

- re-enabling the GSSAPI Key Exchange patch !!! currently breaks anythng else than Factory OBS-URL: https://build.opensuse.org/request/show/226334 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=72
2014-03-17 02:46:40 +00:00 · 2014-03-17 02:46:40 +00:00 · 5d4cc441c8
commit 5d4cc441c8
parent 25f021b853
7 changed files with 152 additions and 221 deletions
--- a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch
+++ b/openssh-6.5p1-X_forward_with_disabled_ipv6.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b
+# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
--- a/openssh-6.5p1-fips.patch
+++ b/openssh-6.5p1-fips.patch
@ -2,12 +2,12 @@
 # when OpenSSL is detected to be running in FIPS mode
 #
 # HG changeset patch
-# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8
+# Parent df8b01308484dd9227b64c8bb820e52b56b89b4d
 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 --- a/openssh-6.5p1/Makefile.in
 +++ b/openssh-6.5p1/Makefile.in
-@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
--- a/openssh-6.5p1-gssapi_key_exchange.patch
+++ b/openssh-6.5p1-gssapi_key_exchange.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent a72dad36a987a441e9c92807b1d654e43ddee409
+# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
 diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
 new file mode 100644
@ -122,7 +122,7 @@ new file mode 100644
 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 --- a/openssh-6.5p1/Makefile.in
 +++ b/openssh-6.5p1/Makefile.in
-@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	canohost.o channels.o cipher.o cipher-aes.o \
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@ -133,13 +133,14 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +	kexgssc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- 	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+ 	jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
 	ssh-ed25519.o digest.o \
 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 	auditstub.o \
 	fips.o
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 	roaming_common.o roaming_client.o
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
@ -147,21 +148,21 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- 	auth-krb5.o \
+ 	kexc25519s.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- 	sandbox-seccomp-filter.o
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
 diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
 --- a/openssh-6.5p1/auth-krb5.c
 +++ b/openssh-6.5p1/auth-krb5.c
-@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
 #endif
@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
  out:
 	restore_uid();
-@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
 }
 #ifndef HEIMDAL
@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
 --- a/openssh-6.5p1/auth2-gss.c
 +++ b/openssh-6.5p1/auth2-gss.c
@@ -1,12 +1,12 @@
- /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
 userauth_gssapi(Authctxt *authctxt)
 {
 	gss_OID_desc goid = {0, NULL};
-@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type,
+@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
 	/*
 	 * We don't need to check the status, because we're only enabled in
@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
 	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
-@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
 	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
 	    "gssapi-with-mic");
@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
 /* Flag indicating that no shell has been requested */
 extern int no_shell_flag;
-@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha
+@@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha
 		    &max_fd2, &nalloc, rekeying);
 		if (quit_pending)
@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
 diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
 --- a/openssh-6.5p1/configure.ac
 +++ b/openssh-6.5p1/configure.ac
-@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
 	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
 	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
 		[Define if your resolver libs need this for getrrsetbyname])
@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
 --- a/openssh-6.5p1/gss-genr.c
 +++ b/openssh-6.5p1/gss-genr.c
@@ -1,12 +1,12 @@
- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
 /*
 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
 --- a/openssh-6.5p1/gss-serv-krb5.c
 +++ b/openssh-6.5p1/gss-serv-krb5.c
@@ -1,12 +1,12 @@
- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
-@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -117,16 +117,17 @@ static void
 static void
 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 {
 	krb5_ccache ccache;
@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
 	krb5_principal princ;
 	OM_uint32 maj_status, min_status;
 	int len;
 	const char *errmsg;
 +	const char *new_ccname;
 	if (client->creds == NULL) {
@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
 	if (ssh_gssapi_krb5_init() == 0)
 		return;
-@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	if ((maj_status = gss_krb5_copy_ccache(&min_status,
 	    client->creds, ccache))) {
@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
 --- a/openssh-6.5p1/gss-serv.c
 +++ b/openssh-6.5p1/gss-serv.c
@@ -1,12 +1,12 @@
- /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};
+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
 ssh_gssapi_mech gssapi_null_mech =
 -    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
 diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
 --- a/openssh-6.5p1/kex.c
 +++ b/openssh-6.5p1/kex.c
-@@ -46,16 +46,24 @@
+@@ -47,16 +47,20 @@
 #include "log.h"
 #include "mac.h"
 #include "match.h"
 #include "dispatch.h"
 #include "monitor.h"
 #include "roaming.h"
 #include "digest.h"
 #include "audit.h"
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
 +#endif
 +
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
 +#endif
@ -1440,42 +1437,32 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
 # endif
 #endif
-@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s
+@@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = {
- 	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
+ 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
- 		k->kex_type = KEX_DH_GEX_SHA256;
+ 	    SSH_DIGEST_SHA512 },
- 		k->evp_md = evp_ssh_sha256();
+ # endif
- 	} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
+ #endif
- 	    sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
+ 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-  		k->kex_type = KEX_ECDH_SHA2;
+ #ifdef HAVE_EVP_SHA256
- 		k->evp_md = kex_ecdh_name_to_evpmd(k->name);
+ 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 #endif
 +#ifdef GSSAPI
-+	} else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
+    { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
-+	    sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
+    { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+		k->kex_type = KEX_GSS_GEX_SHA1;
+    { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 +		k->evp_md = EVP_sha1();
 +	} else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
 +	    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
 +		k->kex_type = KEX_GSS_GRP1_SHA1;
 +		k->evp_md = EVP_sha1();
 +	} else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
 +	    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
 +		k->kex_type = KEX_GSS_GRP14_SHA1;
 +		k->evp_md = EVP_sha1();
 +#endif
- 	} else
+ 	{ NULL, -1, -1, -1},
- 		fatal("bad kex alg %s", k->name);
+ };
 }
- static void
+ char *
- choose_hostkeyalg(Kex *k, char *client, char *server)
+ kex_alg_list(char sep)
 {
- 	char *hostkeyalg = match_list(client, server, NULL);
+ 	char *ret = NULL;
 	size_t nlen, rlen = 0;
 diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 --- a/openssh-6.5p1/kex.h
 +++ b/openssh-6.5p1/kex.h
-@@ -68,16 +68,19 @@ enum kex_modes {
+@@ -71,16 +71,19 @@ enum kex_modes {
 };
 enum kex_exchange {
 	KEX_DH_GRP1_SHA1,
@ -1483,6 +1470,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 	KEX_DH_GEX_SHA1,
 	KEX_DH_GEX_SHA256,
 	KEX_ECDH_SHA2,
 	KEX_C25519_SHA256,
 +	KEX_GSS_GRP1_SHA1,
 +	KEX_GSS_GRP14_SHA1,
 +	KEX_GSS_GEX_SHA1,
@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 typedef struct Kex Kex;
 typedef struct Mac Mac;
 typedef struct Comp Comp;
-@@ -126,16 +129,22 @@ struct Kex {
+@@ -131,16 +134,22 @@ struct Kex {
 	int	hostkey_type;
 	int	kex_type;
 	int	roaming;
 	Buffer	my;
 	Buffer	peer;
 	sig_atomic_t done;
 	int	flags;
- 	const EVP_MD *evp_md;
+ 	int	hash_alg;
 	int	ec_nid;
 +#ifdef GSSAPI
 +	int	gss_deleg_creds;
 +	int	gss_trust_dns;
@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 	Key	*(*load_host_public_key)(int);
 	Key	*(*load_host_private_key)(int);
 	int	(*host_key_index)(Key *);
 	void    (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
 	void	(*kex[KEX_MAX])(Kex *);
- };
+@@ -164,16 +173,21 @@ void	 kexdh_server(Kex *);
@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int);
 void	 kexdh_client(Kex *);
 void	 kexdh_server(Kex *);
 void	 kexgex_client(Kex *);
 void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
 void	 kexc25519_client(Kex *);
 void	 kexc25519_server(Kex *);
 void	 newkeys_destroy(Newkeys *newkeys);
 + 
@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 void
- kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ kexgex_hash(int, char *, char *, char *, int, char *,
     int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
@ -1825,7 +1813,7 @@ new file mode 100644
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->evp_md,
+		    kex->hash_alg,
 +		    kex->client_version_string,
 +		    kex->server_version_string,
 +		    buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -1872,7 +1860,7 @@ new file mode 100644
 +	else
 +		ssh_gssapi_delete_ctx(&ctxt);
 +
-+	kex_derive_keys(kex, hash, hashlen, shared_secret);
+	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
 +	kex_finish(kex);
 +}
@ -2108,7 +2096,7 @@ new file mode 100644
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->evp_md,
+		    kex->hash_alg,
 +		    kex->client_version_string, kex->server_version_string,
 +		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 +		    buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -2161,7 +2149,7 @@ new file mode 100644
 +
 +	DH_free(dh);
 +
-+	kex_derive_keys(kex, hash, hashlen, shared_secret);
+	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
 +	kex_finish(kex);
 +
@ -2174,54 +2162,35 @@ new file mode 100644
 diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 --- a/openssh-6.5p1/key.c
 +++ b/openssh-6.5p1/key.c
-@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
+@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
- 			return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
+ # endif
 		case NID_secp521r1:
 			return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
 		default:
 			break;
 		}
 		break;
 #endif /* OPENSSL_HAS_ECC */
-+	case KEY_NULL:
+ 	{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
-+		return "null";
+ 	    KEY_RSA_CERT_V00, 0, 1 },
- 	}
+ 	{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
- 	return "ssh-unknown";
+ 	    KEY_DSA_CERT_V00, 0, 1 },
- }
+ 	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
 	    KEY_ED25519_CERT, 0, 1 },
 +	{ "null", "null",
 +	    KEY_NULL, 0, 0 },
 	{ NULL, NULL, -1, -1, 0 }
 };
 const char *
- key_ssh_name(const Key *k)
+ key_type(const Key *k)
 {
- 	return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
+ 	const struct keytype *kt;
@@ -1343,16 +1345,18 @@ key_type_from_name(char *name)
 	} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
 		return KEY_DSA_CERT;
 #ifdef OPENSSL_HAS_ECC
 	} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
 	    strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
 	    strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
 		return KEY_ECDSA_CERT;
 #endif
 +	} else if (strcmp(name, "null") == 0) {
 +		return KEY_NULL;
 	}
 	debug2("key_type_from_name: unknown key type '%s'", name);
 	return KEY_UNSPEC;
 }
 int
 key_ecdsa_nid_from_name(const char *name)
 diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
 --- a/openssh-6.5p1/key.h
 +++ b/openssh-6.5p1/key.h
-@@ -39,16 +39,17 @@ enum types {
+@@ -41,16 +41,17 @@ enum types {
 	KEY_RSA,
 	KEY_DSA,
 	KEY_ECDSA,
 	KEY_ED25519,
 	KEY_RSA_CERT,
 	KEY_DSA_CERT,
 	KEY_ECDSA_CERT,
 	KEY_ED25519_CERT,
 	KEY_RSA_CERT_V00,
 	KEY_DSA_CERT_V00,
 +	KEY_NULL,
@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
 diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 --- a/openssh-6.5p1/monitor.c
 +++ b/openssh-6.5p1/monitor.c
-@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
+@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 int mm_answer_audit_end_command(int, Buffer *);
 int mm_answer_audit_unsupported_body(int, Buffer *);
 int mm_answer_audit_kex_body(int, Buffer *);
-@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[] 
 #endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
-@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
 	authctxt->loginmsg = &loginmsg;
 	if (compat20) {
@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
 	}
-@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m)
+@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
 	    timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
 		fatal("mm_get_get: internal error: bad session id");
 	kex->we_need = buffer_get_int(m);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -2357,7 +2326,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 	buffer_append(&kex->my, blob, bloblen);
 	free(blob);
 	blob = buffer_get_string(m, &bloblen);
-@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
+@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
 #ifdef GSSAPI
 int
 mm_answer_gss_setup_ctx(int sock, Buffer *m)
@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 	free(goid.elements);
 	buffer_clear(m);
-@@ -2162,16 +2189,19 @@ int
+@@ -2182,16 +2209,19 @@ int
 mm_answer_gss_accept_ctx(int sock, Buffer *m)
 {
 	gss_buffer_desc in;
@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, major);
 	buffer_put_string(m, out.value, out.length);
-@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 	mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
 	gss_release_buffer(&minor, &out);
@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 	ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
 	free(gssbuf.value);
-@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer 
+@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer 
 	return (0);
 }
@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
 diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
 --- a/openssh-6.5p1/monitor_wrap.c
 +++ b/openssh-6.5p1/monitor_wrap.c
-@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
+@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 	    &m);
 	major = buffer_get_int(&m);
@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
 diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 --- a/openssh-6.5p1/readconf.c
 +++ b/openssh-6.5p1/readconf.c
-@@ -124,16 +124,18 @@ typedef enum {
+@@ -135,16 +135,18 @@ typedef enum {
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- 	oKexAlgorithms, oIPQoS, oRequestTTY,
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- 	oDeprecated, oUnsupported
+ 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- } OpCodes;
+ 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-@@ -164,22 +166,31 @@ static struct {
+@@ -177,22 +179,31 @@ static struct {
 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 	{ "identitiesonly", oIdentitiesOnly },
 	{ "hostname", oHostName },
 	{ "hostkeyalias", oHostKeyAlias },
-@@ -500,24 +511,44 @@ parse_flag:
+@@ -836,24 +847,44 @@ parse_time:
 	case oChallengeResponseAuthentication:
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 		intptr = &options->check_host_ip;
 		goto parse_flag;
-@@ -1159,18 +1190,23 @@ initialize_options(Options * options)
+@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
 	options->exit_on_forward_failure = -1;
 	options->xauth_location = NULL;
 	options->gateway_ports = -1;
@ -2786,7 +2755,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
-@@ -1260,20 +1296,26 @@ fill_default_options(Options * options)
+@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
 	if (options->rsa_authentication == -1)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
 --- a/openssh-6.5p1/readconf.h
 +++ b/openssh-6.5p1/readconf.h
-@@ -43,18 +43,23 @@ typedef struct {
+@@ -49,18 +49,23 @@ typedef struct {
 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
 						 * authentication. */
 	int     rsa_authentication;	/* Try RSA authentication. */
@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
 diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 --- a/openssh-6.5p1/servconf.c
 +++ b/openssh-6.5p1/servconf.c
-@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions 
+@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions 
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 	options->permit_user_env = -1;
 	options->use_login = -1;
 	options->compression = -1;
- 	options->allow_tcp_forwarding = -1;
+ 	options->rekey_limit = -1;
-@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption
+@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
 	if (options->kerberos_or_local_passwd == -1)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
@ -2892,8 +2861,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 		options->challenge_response_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
-@@ -329,16 +338,17 @@ typedef enum {
+@@ -345,16 +354,17 @@ typedef enum {
- 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods,
+ 	sAuthenticationMethods, sHostKeyAgent,
 	sDeprecated, sUnsupported
-@@ -397,21 +407,31 @@ static struct {
+@@ -414,21 +424,31 @@ static struct {
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
 #else
 	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
-@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions
+@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
 	case sKerberosGetAFSToken:
 		intptr = &options->kerberos_get_afs_token;
 		goto parse_flag;
@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 		intptr = &options->zero_knowledge_password_authentication;
 		goto parse_flag;
-@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o)
+@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
 	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
 # ifdef USE_AFS
@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
 --- a/openssh-6.5p1/servconf.h
 +++ b/openssh-6.5p1/servconf.h
-@@ -105,18 +105,21 @@ typedef struct {
+@@ -107,18 +107,21 @@ typedef struct {
 						 * authentication mechanism,
 						 * such as SecurID or
 						 * /etc/passwd */
@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
 diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
 --- a/openssh-6.5p1/ssh_config.5
 +++ b/openssh-6.5p1/ssh_config.5
-@@ -525,21 +525,53 @@ host key database, separated by whitespa
+@@ -671,21 +671,53 @@ host key database, separated by whitespa
 The default is
 .Pa /etc/ssh/ssh_known_hosts ,
 .Pa /etc/ssh/ssh_known_hosts2 .
@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
 diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 --- a/openssh-6.5p1/sshconnect2.c
 +++ b/openssh-6.5p1/sshconnect2.c
-@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
+@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
 	return ret;
 }
@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- 	}
+ 	} else if (fips_mode()) {
-@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
 	else {
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    order_hostkeyalgs(host, hostaddr, port);
+ 		    compat_pkalg_proposal(
 		    order_hostkeyalgs(host, hostaddr, port));
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -3299,8 +3268,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 +	}
 +#endif
 +
- 	if (options.rekey_limit)
+ 	if (options.rekey_limit || options.rekey_interval)
- 		packet_set_rekey_limit((u_int32_t)options.rekey_limit);
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 	/* start key exchange */
 	kex = kex_setup(myproposal);
@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 		debug("Roaming not allowed by server");
 		options.use_roaming = 0;
 	}
-@@ -301,31 +357,37 @@ void	userauth_jpake_cleanup(Authctxt *);
+@@ -315,31 +371,37 @@ void	userauth_jpake_cleanup(Authctxt *);
 #ifdef GSSAPI
 int	userauth_gssapi(Authctxt *authctxt);
@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 	{"gssapi",
 		userauth_gssapi,
 		NULL,
-@@ -627,29 +689,41 @@ done:
+@@ -638,29 +700,41 @@ done:
 int
 userauth_gssapi(Authctxt *authctxt)
 {
@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 	if (!ok)
 		return 0;
-@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
 }
 /* ARGSUSED */
@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
-@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p
+@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
 	lang=packet_get_string(NULL);
 	packet_check_eom();
@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
-@@ -119,16 +119,24 @@
+@@ -121,16 +121,20 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
 #include "roaming.h"
 #include "audit.h"
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "fips.h"
 +#ifdef USE_SECURITY_SESSION_API
 +#include <Security/AuthSession.h>
 +#endif
 +
 +#ifdef USE_SECURITY_SESSION_API
 +#include <Security/AuthSession.h>
 +#endif
@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 #endif /* LIBWRAP */
 #ifndef O_NOCTTY
-@@ -1715,20 +1723,23 @@ main(int ac, char **av)
+@@ -1795,20 +1799,23 @@ main(int ac, char **av)
- 		}
+ 	if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
- 		debug("private host key: #%d type %d %s", i, key->type,
+ 		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
- 		    key_type(key));
+ 		options.protocol &= ~SSH_PROTO_1;
 	}
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 	/*
 	 * Load certificates. They are stored in an array at identical
 	 * indices to the public keys that they relate to.
-@@ -1920,16 +1931,70 @@ main(int ac, char **av)
+@@ -1998,16 +2005,70 @@ main(int ac, char **av)
 		/* Accept a connection and return in a forked child */
 		server_accept_loop(&sock_in, &sock_out,
 		    &newsock, config_s);
@ -3626,14 +3593,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 #if !defined(SSHD_ACQUIRES_CTTY)
 	/*
 	 * If setsid is called, on some platforms sshd will later acquire a
-@@ -2046,16 +2111,70 @@ main(int ac, char **av)
+@@ -2125,16 +2186,70 @@ main(int ac, char **av)
 			fatal("libwrap refuse returns");
 		}
 	}
 #endif /* LIBWRAP */
 	/* Log the connection. */
- 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
+ 	verbose("Connection from %s port %d on %s port %d",
 	    remote_ip, remote_port,
 	    get_local_ipaddr(sock_in), get_local_port());
 +#ifdef USE_SECURITY_SESSION_API
 +	/*
@ -3697,57 +3664,15 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 	 * mode; it is just annoying to have the server exit just when you
 	 * are about to discover the bug.
 	 */
-@@ -2435,23 +2554,114 @@ do_ssh2_kex(void)
+@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
- 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+ 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 	    list_hostkey_types());
 +#ifdef GSSAPI
 +	{
 +	char *orig;
 +	char *gss = NULL;
 +	char *newstr = NULL;
 +	orig = myproposal[PROPOSAL_KEX_ALGS];
 +
 +	/* 
 +	 * If we don't have a host key, then there's no point advertising
 +	 * the other key exchange algorithms
 +	 */
 +
 +	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
 +		orig = NULL;
 +
 +	if (options.gss_keyex)
 +		gss = ssh_gssapi_server_mechanisms();
 +	else
 +		gss = NULL;
 +
 +	if (gss && orig)
 +		xasprintf(&newstr, "%s,%s", gss, orig);
 +	else if (gss)
 +		newstr = gss;
 +	else if (orig)
 +		newstr = orig;
 +
 +	/* 
 +	 * If we've got GSSAPI mechanisms, then we've got the 'null' host
 +	 * key alg, but we can't tell people about it unless its the only
 +  	 * host key algorithm we support
 +	 */
 +	if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
 +		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
 +
 +	if (newstr)
 +		myproposal[PROPOSAL_KEX_ALGS] = newstr;
 +	else
 +		fatal("No supported key exchange algorithms");
 +	}
 +#endif
 +
 +#ifdef GSSAPI
 +	{
 +	char *orig;
@ -3797,6 +3722,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 	kex->load_host_public_key=&get_hostkey_public_by_type;
 	kex->load_host_private_key=&get_hostkey_private_by_type;
 	kex->host_key_index=&get_hostkey_index;
 	kex->sign = sshd_hostkey_sign;
 	xxx_kex = kex;
 diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
 --- a/openssh-6.5p1/sshd_config
 +++ b/openssh-6.5p1/sshd_config
-@@ -75,16 +75,18 @@ PasswordAuthentication no
+@@ -79,16 +79,18 @@ PasswordAuthentication no
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
 --- a/openssh-6.5p1/sshd_config.5
 +++ b/openssh-6.5p1/sshd_config.5
-@@ -475,22 +475,50 @@ to force remote port forwardings to bind
+@@ -487,22 +487,50 @@ to force remote port forwardings to bind
 to allow the client to select the address to which the forwarding is bound.
 The default is
 .Dq no .
--- a/openssh-6.5p1-login_options.patch
+++ b/openssh-6.5p1-login_options.patch
@ -7,7 +7,7 @@
 diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
 --- a/openssh-6.5p1/configure.ac
 +++ b/openssh-6.5p1/configure.ac
-@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
 	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
 	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
 	;;
--- a/openssh-6.5p1-no_fork-no_pid_file.patch
+++ b/openssh-6.5p1-no_fork-no_pid_file.patch
@ -3,7 +3,7 @@
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
-@@ -1973,17 +1973,17 @@ main(int ac, char **av)
+@@ -1985,17 +1985,17 @@ main(int ac, char **av)
 		signal(SIGCHLD, main_sigchld_handler);
 		signal(SIGTERM, sigterm_handler);
 		signal(SIGQUIT, sigterm_handler);
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Mon Mar 17 02:21:13 UTC 2014 - pcerny@suse.com
 - re-enabling the GSSAPI Key Exchange patch 
 -------------------------------------------------------------------
 Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com
--- a/openssh.spec
+++ b/openssh.spec
@ -198,7 +198,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %if 0%{?suse_version} > 1310
 %patch27 -p2
 %endif
-#patch28 -p2
+%patch28 -p2
 %patch29 -p2
 %patch30 -p2
 %patch31 -p2