Ticket #42523: 002-Apple-keychain-integration-other-changes.patch.diff

0002-Apple-keychain-integration-other-changes.patch

@@ -1 @@
-# HG changeset patch
-# User Sean Farley <sean.michael.farley@gmail.com>
-# Date 1382624667 -28800
-#      Thu Oct 24 22:24:27 2013 +0800
-# Node ID dd6d51b7e12be5fab94a8779e890c5558e4d4001
-# Parent  86a3bc5c8ff689a291e86950a3d8fd327f42b870
-partial import
-
-
-wiggled scp
-
-
-wiggled readconf
-
-
-wiggled readconf.c
-
-diff --git a/Makefile.in b/Makefile.in
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,10 +56,11 @@
- PERL=@PERL@
- SED=@SED@
+diff -urp openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
+--- openssh-6.5p1/Makefile.in   2014-01-26 22:35:04.000000000 -0800
++++ openssh-6.5p1.patched/Makefile.in   2014-02-15 16:27:53.000000000 -0800
+@@ -58,6 +58,7 @@ SED=@SED@
  ENT=@ENT@
  XAUTH_PATH=@XAUTH_PATH@
  LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
@@ -28 +9 @@
  EXEEXT=@EXEEXT@
  MANFMT=@MANFMT@
  
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
- 
-@@ -93,10 +94,12 @@
-        sftp-server.o sftp-common.o \
-        roaming_common.o roaming_serv.o \
+@@ -98,6 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-        sandbox-seccomp-filter.o
+        sandbox-seccomp-filter.o sandbox-capsicum.o
  
 +KEYCHAINOBJS=keychain.o
 +
  MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
  MANTYPE                = @MANTYPE@
- 
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -127,10 +130,11 @@
- all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
- 
+@@ -133,6 +136,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGET
  $(LIBSSH_OBJS): Makefile.in config.h
  $(SSHOBJS): Makefile.in config.h
  $(SSHDOBJS): Makefile.in config.h
@@ -53 +26 @@
  
  .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
- 
- LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-@@ -140,24 +144,24 @@
- 
- libssh.a: $(LIBSSH_OBJS)
+@@ -146,8 +150,8 @@ libssh.a: $(LIBSSH_OBJS)
         $(AR) rv $@ $(LIBSSH_OBJS)
         $(RANLIB) $@
  
@@ -68 +37 @@
  
  sshd$(EXEEXT): libssh.a        $(LIBCOMPAT) $(SSHDOBJS)
         $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
- 
+@@ -155,11 +159,11 @@ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(S
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
         $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
@@ -84 +53 @@
  
  ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
         $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
- 
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
-@@ -265,11 +269,11 @@
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
+@@ -271,7 +275,7 @@ install-files:
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -97 +62 @@
         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
         $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-diff --git a/audit-bsm.c b/audit-bsm.c
---- a/audit-bsm.c
-+++ b/audit-bsm.c
-@@ -261,11 +261,16 @@
-        uid_t           uid = -1;
-        gid_t           gid = -1;
+Only in openssh-6.5p1.patched: Makefile.in.orig
+Only in openssh-6.5p1.patched: Makefile.in.rej
+diff -urp openssh-6.5p1/audit-bsm.c openssh-6.5p1.patched/audit-bsm.c
+--- openssh-6.5p1/audit-bsm.c   2012-02-23 15:40:43.000000000 -0800
++++ openssh-6.5p1.patched/audit-bsm.c   2014-02-15 16:25:56.000000000 -0800
+@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string, 
         pid_t           pid = getpid();
         AuditInfoTermID tid = ssh_bsm_tid;
  
@@ -118 +81 @@
                 uid = the_authctxt->pw->pw_uid;
                 gid = the_authctxt->pw->pw_gid;
         }
- 
-        rc = (typ == 0) ? 0 : -1;
-diff --git a/auth-pam.c b/auth-pam.c
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -789,14 +789,15 @@
-                                **echo_on = 0;
-                                ctxt->pam_done = 1;
+diff -urp openssh-6.5p1/auth-pam.c openssh-6.5p1.patched/auth-pam.c
+--- openssh-6.5p1/auth-pam.c    2013-12-18 16:31:45.000000000 -0800
++++ openssh-6.5p1.patched/auth-pam.c    2014-02-15 16:25:56.000000000 -0800
+@@ -793,10 +793,11 @@ sshpam_query(void *ctx, char **name, cha
                                 free(msg);
                                 return (0);
                         }
@@ -139 +98 @@
                         /* FALLTHROUGH */
                 default:
                         *num = 0;
-                        **echo_on = 0;
-                        free(msg);
-diff --git a/auth.c b/auth.c
---- a/auth.c
-+++ b/auth.c
-@@ -209,11 +209,11 @@
-                        return 0;
-                }
+Only in openssh-6.5p1.patched: auth-pam.c.orig
+diff -urp openssh-6.5p1/auth.c openssh-6.5p1.patched/auth.c
+--- openssh-6.5p1/auth.c        2013-06-01 14:41:51.000000000 -0700
++++ openssh-6.5p1.patched/auth.c        2014-02-15 16:25:56.000000000 -0800
+@@ -211,7 +211,7 @@ allowed_user(struct passwd * pw)
         }
         if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
                 /* Get the user's group access list (primary and supplementary) */
@@ -155 +111 @@
                         logit("User %.100s from %.100s not allowed because "
                             "not in any group", pw->pw_name, hostname);
                         return 0;
-                }
- 
-diff --git a/authfd.c b/authfd.c
---- a/authfd.c
-+++ b/authfd.c
-@@ -687,10 +687,33 @@
-        type = buffer_get_char(&msg);
-        buffer_free(&msg);
+diff -urp openssh-6.5p1/authfd.c openssh-6.5p1.patched/authfd.c
+--- openssh-6.5p1/authfd.c      2013-12-28 22:49:56.000000000 -0800
++++ openssh-6.5p1.patched/authfd.c      2014-02-15 16:25:56.000000000 -0800
+@@ -638,6 +638,29 @@ ssh_remove_all_identities(Authentication
         return decode_reply(type);
  }
  
@@ -192 +144 @@
  int
  decode_reply(int type)
  {
-        switch (type) {
-        case SSH_AGENT_FAILURE:
-diff --git a/authfd.h b/authfd.h
---- a/authfd.h
-+++ b/authfd.h
-@@ -47,10 +47,13 @@
- /* add key with constraints */
- #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED      24
+Only in openssh-6.5p1.patched: authfd.c.orig
+diff -urp openssh-6.5p1/authfd.h openssh-6.5p1.patched/authfd.h
+--- openssh-6.5p1/authfd.h      2009-10-06 14:47:02.000000000 -0700
++++ openssh-6.5p1.patched/authfd.h      2014-02-15 16:25:56.000000000 -0800
+@@ -49,6 +49,9 @@
  #define SSH2_AGENTC_ADD_ID_CONSTRAINED         25
  #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
  
@@ -209 +158 @@
  #define        SSH_AGENT_CONSTRAIN_LIFETIME            1
  #define        SSH_AGENT_CONSTRAIN_CONFIRM             2
  
- /* extended failure messages */
- #define SSH2_AGENT_FAILURE                     30
-diff --git a/config.h.in b/config.h.in
---- a/config.h.in
-+++ b/config.h.in
-@@ -75,10 +75,22 @@
- #undef BROKEN_SNPRINTF
- 
- /* FreeBSD strnvis does not do what we need */
+diff -urp openssh-6.5p1/config.h.in openssh-6.5p1.patched/config.h.in
+--- openssh-6.5p1/config.h.in   2014-01-29 17:52:44.000000000 -0800
++++ openssh-6.5p1.patched/config.h.in   2014-02-15 16:28:51.000000000 -0800
+@@ -81,6 +81,18 @@
+ /* FreeBSD strnvis argument order is swapped compared to OpenBSD */
  #undef BROKEN_STRNVIS
  
 +/* platform uses an in-memory credentials cache */
@@ -235 +180 @@
  /* tcgetattr with ICANON may hang */
  #undef BROKEN_TCGETATTR_ICANON
  
- /* updwtmpx is broken (if present) */
- #undef BROKEN_UPDWTMPX
-diff --git a/configure.ac b/configure.ac
---- a/configure.ac
-+++ b/configure.ac
-@@ -4548,14 +4548,44 @@
- #ifdef HAVE_LASTLOG_H
- #include <lastlog.h>
+Only in openssh-6.5p1.patched: config.h.in.orig
+Only in openssh-6.5p1.patched: config.h.in.rej
+diff -urp openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
+--- openssh-6.5p1/configure.ac  2014-01-29 16:26:46.000000000 -0800
++++ openssh-6.5p1.patched/configure.ac  2014-02-15 16:25:56.000000000 -0800
+@@ -4779,10 +4779,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
  #endif
         ])
  
@@ -283 +226 @@
  if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
         TEST_SSH_IPV6=no
  else
-        TEST_SSH_IPV6=yes
- fi
-diff --git a/groupaccess.c b/groupaccess.c
---- a/groupaccess.c
-+++ b/groupaccess.c
-@@ -32,62 +32,107 @@
- #include <unistd.h>
- #include <stdarg.h>
+Only in openssh-6.5p1.patched: configure.ac.orig
+diff -urp openssh-6.5p1/groupaccess.c openssh-6.5p1.patched/groupaccess.c
+--- openssh-6.5p1/groupaccess.c 2013-06-01 15:07:32.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.c 2014-02-15 16:25:56.000000000 -0800
+@@ -34,38 +34,67 @@
  #include <stdlib.h>
  #include <string.h>
  
@@ -340 +280 @@
         ngroups = NGROUPS_MAX;
  #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
         ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
+-#endif
+-
 +#endif 
-+       groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
+        groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
 +#else
 +       if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
 +           &groups_bygid))) {
 +               logit("getgrouplist_2 failed");
 +               return 0;
 +       }
- #endif
--
--       groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
++#endif
         groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
 -
 -       if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
@@ -365 +305 @@
         for (i = 0, j = 0; i < ngroups; i++)
                 if ((gr = getgrgid(groups_bygid[i])) != NULL)
                         groups_byname[j++] = xstrdup(gr->gr_name);
-        free(groups_bygid);
-        return (ngroups = j);
- }
- 
+@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
  /*
   * Return 1 if one of user's groups is contained in groups.
   * Return 0 otherwise.  Use match_pattern() for string comparison.
@@ -401 +338 @@
         return 0;
  }
  
- /*
-  * Return 1 if one of user's groups matches group_pattern list.
-diff --git a/groupaccess.h b/groupaccess.h
---- a/groupaccess.h
-+++ b/groupaccess.h
-@@ -25,11 +25,11 @@
-  */
- 
+diff -urp openssh-6.5p1/groupaccess.h openssh-6.5p1.patched/groupaccess.h
+--- openssh-6.5p1/groupaccess.h 2008-07-03 20:51:12.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.h 2014-02-15 16:25:56.000000000 -0800
+@@ -27,7 +27,7 @@
  #ifndef GROUPACCESS_H
  #define GROUPACCESS_H
  
@@ -417 +350 @@
  int     ga_match(char * const *, int);
  int     ga_match_pattern_list(const char *);
  void    ga_free(void);
- 
- #endif
 diff --git a/keychain.c b/keychain.c
 new file mode 100644
 --- /dev/null
@@ -1168 +1099 @@
 +int     add_identities_using_keychain(
 +            int (*add_identity)(const char *, const char *));
 +char   *keychain_read_passphrase(const char *filename, int oAskPassGUI);
-diff --git a/readconf.c b/readconf.c
---- a/readconf.c
-+++ b/readconf.c
-@@ -136,10 +136,13 @@
-        oSendEnv, oControlPath, oControlMaster, oControlPersist,
-        oHashKnownHosts,
-        oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
+diff -urp openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
+--- openssh-6.5p1/readconf.c    2014-01-17 05:03:57.000000000 -0800
++++ openssh-6.5p1.patched/readconf.c    2014-02-15 16:30:49.000000000 -0800
+@@ -148,6 +148,9 @@ typedef enum {
+        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+        oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 +#ifdef __APPLE_KEYCHAIN__
 +       oAskPassGUI,
 +#endif
         oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
- /* Textual representations of the tokens. */
- 
-@@ -248,11 +251,13 @@
- #endif
-        { "kexalgorithms", oKexAlgorithms },
-        { "ipqos", oIPQoS },
-        { "requesttty", oRequestTTY },
+@@ -267,6 +270,9 @@ static struct {
+        { "canonicalizemaxdots", oCanonicalizeMaxDots },
+        { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
         { "ignoreunknown", oIgnoreUnknown },
--
 +#ifdef __APPLE_KEYCHAIN__
 +       { "askpassgui", oAskPassGUI },
 +#endif
+ 
         { NULL, oBadOption }
  };
- 
- /*
-  * Adds a local TCP/IP port forward to options.  Never returns if there is an
-@@ -1070,10 +1075,16 @@
- 
-        case oIgnoreUnknown:
+@@ -1332,6 +1338,12 @@ parse_int:
                 charptr = &options->ignored_unknown;
                 goto parse_string;
  
@@ -1212 +1132 @@
 +               goto parse_flag;
 +#endif
 +
-        case oDeprecated:
-                debug("%s line %d: Deprecated option \"%s\"",
-                    filename, linenum, keyword);
-                return 0;
- 
-@@ -1232,10 +1243,13 @@
-        options->zero_knowledge_password_authentication = -1;
-        options->ip_qos_interactive = -1;
-        options->ip_qos_bulk = -1;
+        case oProxyUseFdpass:
+                intptr = &options->proxy_use_fdpass;
+                goto parse_flag;
+@@ -1555,6 +1567,9 @@ initialize_options(Options * options)
         options->request_tty = -1;
+        options->proxy_use_fdpass = -1;
         options->ignored_unknown = NULL;
 +#ifdef __APPLE_KEYCHAIN__
 +       options->ask_pass_gui = -1;
 +#endif
- }
- 
- /*
-  * Called after processing other sources of option data, this fills those
-  * options for which no value has been specified with their default values.
-@@ -1383,10 +1397,14 @@
-                options->ip_qos_interactive = IPTOS_LOWDELAY;
-        if (options->ip_qos_bulk == -1)
+        options->num_canonical_domains = 0;
+        options->num_permitted_cnames = 0;
+        options->canonicalize_max_dots = -1;
+@@ -1713,6 +1728,10 @@ fill_default_options(Options * options)
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->request_tty == -1)
                 options->request_tty = REQUEST_TTY_AUTO;
@@ -1241 +1153 @@
 +       if (options->ask_pass_gui == -1)
 +               options->ask_pass_gui = 1;
 +#endif
-        /* options->local_command should not be set by default */
-        /* options->proxy_command should not be set by default */
-        /* options->user will be set in the main program if appropriate */
-        /* options->hostname will be set in the main program if appropriate */
-        /* options->host_key_alias should not be set by default */
-diff --git a/readconf.h b/readconf.h
---- a/readconf.h
-+++ b/readconf.h
-@@ -137,10 +137,14 @@
-        int     use_roaming;
- 
-        int     request_tty;
+        if (options->proxy_use_fdpass == -1)
+                options->proxy_use_fdpass = 0;
+        if (options->canonicalize_max_dots == -1)
+Only in openssh-6.5p1.patched: readconf.c.orig
+Only in openssh-6.5p1.patched: readconf.c.rej
+diff -urp openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
+--- openssh-6.5p1/readconf.h    2013-10-16 17:48:14.000000000 -0700
++++ openssh-6.5p1.patched/readconf.h    2014-02-15 16:31:29.000000000 -0800
+@@ -155,6 +155,10 @@ typedef struct {
+        struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
  
         char    *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +
@@ -1261 +1171 @@
 +#endif
  }       Options;
  
- #define SSHCTL_MASTER_NO       0
- #define SSHCTL_MASTER_YES      1
- #define SSHCTL_MASTER_AUTO     2
-diff --git a/scp.1 b/scp.1
---- a/scp.1
-+++ b/scp.1
-@@ -17,11 +17,11 @@
- .Nm scp
- .Nd secure copy (remote file copy program)
+ #define SSH_CANONICALISE_NO    0
+Only in openssh-6.5p1.patched: readconf.h.orig
+Only in openssh-6.5p1.patched: readconf.h.rej
+diff -urp openssh-6.5p1/scp.1 openssh-6.5p1.patched/scp.1
+--- openssh-6.5p1/scp.1 2013-10-22 22:30:00.000000000 -0700
++++ openssh-6.5p1.patched/scp.1 2014-02-15 16:25:56.000000000 -0800
+@@ -19,7 +19,7 @@
  .Sh SYNOPSIS
  .Nm scp
  .Bk -words
@@ -1278 +1186 @@
  .Op Fl c Ar cipher
  .Op Fl F Ar ssh_config
  .Op Fl i Ar identity_file
- .Op Fl l Ar limit
- .Op Fl o Ar ssh_option
-@@ -95,10 +95,12 @@
- Passes the
- .Fl C
+@@ -97,6 +97,8 @@ Passes the
  flag to
  .Xr ssh 1
  to enable compression.
@@ -1291 +1195 @@
  .It Fl c Ar cipher
  Selects the cipher to use for encrypting the data transfer.
  This option is directly passed to
- .Xr ssh 1 .
- .It Fl F Ar ssh_config
-diff --git a/scp.c b/scp.c
---- a/scp.c
-+++ b/scp.c
-@@ -76,10 +76,13 @@
- #include <sys/types.h>
- #include <sys/param.h>
+diff -urp openssh-6.5p1/scp.c openssh-6.5p1.patched/scp.c
+--- openssh-6.5p1/scp.c 2013-11-20 18:56:49.000000000 -0800
++++ openssh-6.5p1.patched/scp.c 2014-02-15 16:25:56.000000000 -0800
+@@ -78,6 +78,9 @@
  #ifdef HAVE_SYS_STAT_H
  # include <sys/stat.h>
  #endif
@@ -1308 +1208 @@
  #ifdef HAVE_POLL_H
  #include <poll.h>
  #else
- # ifdef HAVE_SYS_POLL_H
- #  include <sys/poll.h>
-@@ -112,10 +115,15 @@
- #include "pathnames.h"
- #include "log.h"
+@@ -114,6 +117,11 @@
  #include "misc.h"
  #include "progressmeter.h"
  
@@ -1324 +1220 @@
  extern char *__progname;
  
  #define COPY_BUFLEN    16384
- 
- int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
-@@ -148,10 +156,16 @@
- char *ssh_program = _PATH_SSH_PROGRAM;
- 
+@@ -150,6 +158,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
  /* This is used to store the pid of ssh_program */
  pid_t do_cmd_pid = -1;
  
@@ -1341 +1233 @@
  static void
  killchild(int signo)
  {
-        if (do_cmd_pid > 1) {
-                kill(do_cmd_pid, signo ? signo : SIGTERM);
-@@ -393,11 +407,15 @@
-        addargs(&args, "-oForwardAgent=no");
-        addargs(&args, "-oPermitLocalCommand=no");
+@@ -395,7 +409,11 @@ main(int argc, char **argv)
         addargs(&args, "-oClearAllForwardings=yes");
  
         fflag = tflag = 0;
@@ -1357 +1245 @@
                 switch (ch) {
                 /* User-visible flags. */
                 case '1':
-                case '2':
-                case '4':
-@@ -454,10 +472,15 @@
-                        addargs(&args, "-q");
-                        addargs(&remote_remote_args, "-q");
+@@ -456,6 +474,11 @@ main(int argc, char **argv)
                         showprogress = 0;
                         break;
  
@@ -1373 +1257 @@
                 /* Server options. */
                 case 'd':
                         targetshouldbedirectory = 1;
-                        break;
-                case 'f':       /* "from" */
-@@ -503,11 +526,16 @@
-                targetshouldbedirectory = 1;
- 
+@@ -505,7 +528,12 @@ main(int argc, char **argv)
         remin = remout = -1;
         do_cmd_pid = -1;
         /* Command to be executed on remote system using "ssh". */
@@ -1390 +1270 @@
             verbose_mode ? " -v" : "",
             iamrecursive ? " -r" : "", pflag ? " -p" : "",
             targetshouldbedirectory ? " -d" : "");
- 
-        (void) signal(SIGPIPE, lostconn);
-@@ -749,23 +777,41 @@
-        off_t i, statbytes;
-        size_t amt;
+@@ -751,6 +779,10 @@ source(int argc, char **argv)
         int fd = -1, haderr, indx;
         char *last, *name, buf[2048], encname[MAXPATHLEN];
         int len;
@@ -1405 +1281 @@
  
         for (indx = 0; indx < argc; ++indx) {
                 name = argv[indx];
-                statbytes = 0;
+@@ -758,12 +790,26 @@ source(int argc, char **argv)
                 len = strlen(name);
                 while (len > 1 && name[len-1] == '/')
                         name[--len] = '\0';
@@ -1432 +1308 @@
                 if (fstat(fd, &stb) < 0) {
  syserr:                        run_err("%s: %s", name, strerror(errno));
                         goto next;
-                }
-                if (stb.st_size < 0) {
-@@ -844,10 +890,40 @@
-                if (!haderr)
-                        (void) atomicio(vwrite, remout, "", 1);
+@@ -846,6 +892,36 @@ next:                      if (fd != -1) {
                 else
                         run_err("%s: %s", name, strerror(haderr));
                 (void) response();
@@ -1473 +1345 @@
         }
  }
  
- void
- rsource(char *name, struct stat *statp)
-@@ -935,10 +1011,14 @@
- 
-        (void) atomicio(vwrite, remout, "", 1);
+@@ -937,6 +1013,10 @@ sink(int argc, char **argv)
         if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
                 targisdir = 1;
         for (first = 1;; first = 0) {
@@ -1488 +1356 @@
                 cp = buf;
                 if (atomicio(read, remin, cp, 1) != 1)
                         return;
-                if (*cp++ == '\n')
-                        SCREWUP("unexpected <newline>");
-@@ -1080,14 +1160,55 @@
-                        free(vect[0]);
-                        continue;
+@@ -1082,10 +1162,51 @@ sink(int argc, char **argv)
                 }
                 omode = mode;
                 mode |= S_IWUSR;
@@ -1544 +1408 @@
                 (void) atomicio(vwrite, remout, "", 1);
                 if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
                         (void) close(ofd);
-                        continue;
-                }
-@@ -1168,10 +1289,33 @@
-                if (close(ofd) == -1) {
-                        wrerr = YES;
+@@ -1170,6 +1291,29 @@ bad:                     run_err("%s: %s", np, strerror(er
                         wrerrno = errno;
                 }
                 (void) response();
@@ -1578 +1438 @@
                 if (setimes && wrerr == NO) {
                         setimes = 0;
                         if (utimes(np, tv) < 0) {
-                                run_err("%s: set times: %s",
-                                    np, strerror(errno));
-@@ -1229,11 +1373,15 @@
- 
- void
+@@ -1231,7 +1375,11 @@ void
  usage(void)
  {
         (void) fprintf(stderr,
@@ -1594 +1450 @@
             "           [-l limit] [-o ssh_option] [-P port] [-S program]\n"
             "           [[user@]host1:]file1 ... [[user@]host2:]file2\n");
         exit(1);
- }
- 
-diff --git a/servconf.c b/servconf.c
---- a/servconf.c
-+++ b/servconf.c
-@@ -158,11 +158,11 @@
- void
- fill_default_server_options(ServerOptions *options)
- {
-        /* Portable-specific options */
-        if (options->use_pam == -1)
--               options->use_pam = 0;
-+               options->use_pam = 1;
- 
-        /* Standard Options */
-        if (options->protocol == SSH_PROTO_UNKNOWN)
-                options->protocol = SSH_PROTO_2;
-        if (options->num_host_key_files == 0) {
-@@ -241,11 +241,11 @@
-        if (options->gss_authentication == -1)
-                options->gss_authentication = 0;
+diff -urp openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
+--- openssh-6.5p1/servconf.c    2013-12-06 16:24:02.000000000 -0800
++++ openssh-6.5p1.patched/servconf.c    2014-02-15 16:25:56.000000000 -0800
+@@ -248,7 +248,7 @@ fill_default_server_options(ServerOption
         if (options->gss_cleanup_creds == -1)
                 options->gss_cleanup_creds = 1;
         if (options->password_authentication == -1)
@@ -1623 +1462 @@
         if (options->kbd_interactive_authentication == -1)
                 options->kbd_interactive_authentication = 0;
         if (options->challenge_response_authentication == -1)
-                options->challenge_response_authentication = 1;
-        if (options->permit_empty_passwd == -1)
-@@ -621,11 +621,11 @@
-                goto out;
- 
+@@ -629,7 +629,7 @@ match_cfg_line_group(const char *grps, i
         if ((pw = getpwnam(user)) == NULL) {
                 debug("Can't match group at line %d because user %.100s does "
                     "not exist", line, user);
@@ -1636 +1471 @@
                 debug("Can't Match group because user %.100s not in any group "
                     "at line %d", user, line);
         } else if (ga_match_pattern_list(grps) != 1) {
-                debug("user %.100s does not match group list %.100s at line %d",
-                    user, grps, line);
-diff --git a/session.c b/session.c
---- a/session.c
-+++ b/session.c
-@@ -2081,12 +2081,14 @@
-        /* for SSH1 the tty modes length is not given */
-        if (!compat20)
+Only in openssh-6.5p1.patched: servconf.c.orig
+diff -urp openssh-6.5p1/session.c openssh-6.5p1.patched/session.c
+--- openssh-6.5p1/session.c     2014-01-22 19:16:10.000000000 -0800
++++ openssh-6.5p1.patched/session.c     2014-02-15 16:25:56.000000000 -0800
+@@ -2111,8 +2111,10 @@ session_pty_req(Session *s)
                 n_bytes = packet_remaining();
         tty_parse_modes(s->ttyfd, &n_bytes);
  
@@ -1654 +1486 @@
  
         /* Set window size from the packet. */
         pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
- 
-        packet_check_eom();
-@@ -2322,13 +2324,15 @@
- 
-        /* Record that the user has logged out. */
+@@ -2352,9 +2354,11 @@ session_pty_cleanup2(Session *s)
         if (s->pid != 0)
                 record_logout(s->pid, s->tty, s->pw->pw_name);
  
@@ -1670 +1498 @@
  
         /*
          * Close the server side of the socket pairs.  We must do this after
-         * the pty cleanup, so that another process doesn't get this pty
-         * while we're still cleaning up.
-diff --git a/ssh-add.0 b/ssh-add.0
---- a/ssh-add.0
-+++ b/ssh-add.0
-@@ -2,11 +2,11 @@
- 
- NAME
+Only in openssh-6.5p1.patched: session.c.orig
+diff -urp openssh-6.5p1/ssh-add.0 openssh-6.5p1.patched/ssh-add.0
+--- openssh-6.5p1/ssh-add.0     2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.0     2014-02-15 16:25:56.000000000 -0800
+@@ -4,7 +4,7 @@ NAME
       ssh-add - adds private key identities to the authentication agent
  
  SYNOPSIS
@@ -1686 +1511 @@
       ssh-add -s pkcs11
       ssh-add -e pkcs11
  
- DESCRIPTION
-      ssh-add adds private key identities to the authentication agent,
-@@ -53,10 +53,17 @@
-              represented by the agent.
- 
+@@ -55,6 +55,13 @@ DESCRIPTION
       -l      Lists fingerprints of all identities currently represented by the
               agent.
  
@@ -1704 +1525 @@
       -s pkcs11
               Add keys provided by the PKCS#11 shared library pkcs11.
  
-      -t life
-              Set a maximum lifetime when adding identities to an agent.  The
-diff --git a/ssh-add.1 b/ssh-add.1
---- a/ssh-add.1
-+++ b/ssh-add.1
-@@ -41,11 +41,11 @@
- .Sh NAME
- .Nm ssh-add
+diff -urp openssh-6.5p1/ssh-add.1 openssh-6.5p1.patched/ssh-add.1
+--- openssh-6.5p1/ssh-add.1     2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.1     2014-02-15 16:25:56.000000000 -0800
+@@ -43,7 +43,7 @@
  .Nd adds private key identities to the authentication agent
  .Sh SYNOPSIS
  .Nm ssh-add
@@ -1720 +1537 @@
  .Op Fl t Ar life
  .Op Ar
  .Nm ssh-add
- .Fl s Ar pkcs11
- .Nm ssh-add
-@@ -116,10 +116,17 @@
- .It Fl L
- Lists public key parameters of all identities currently represented
+@@ -119,6 +119,13 @@ Lists public key parameters of all ident
  by the agent.
  .It Fl l
  Lists fingerprints of all identities currently represented by the agent.
@@ -1738 +1551 @@
  .It Fl s Ar pkcs11
  Add keys provided by the PKCS#11 shared library
  .Ar pkcs11 .
- .It Fl t Ar life
- Set a maximum lifetime when adding identities to an agent.
-diff --git a/ssh-add.c b/ssh-add.c
---- a/ssh-add.c
-+++ b/ssh-add.c
-@@ -60,10 +60,11 @@
- #include "buffer.h"
- #include "authfd.h"
+Only in openssh-6.5p1.patched: ssh-add.1.orig
+diff -urp openssh-6.5p1/ssh-add.c openssh-6.5p1.patched/ssh-add.c
+--- openssh-6.5p1/ssh-add.c     2013-12-28 22:44:07.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.c     2014-02-15 16:25:56.000000000 -0800
+@@ -62,6 +62,7 @@
  #include "authfile.h"
  #include "pathnames.h"
  #include "misc.h"
@@ -1753 +1563 @@
  
  /* argv0 */
  extern char *__progname;
- 
- /* Default files to add */
-@@ -94,16 +95,28 @@
-                pass = NULL;
-        }
+@@ -97,12 +98,24 @@ clear_pass(void)
  }
  
  static int
@@ -1783 +1589 @@
         public = key_load_public(filename, &comment);
         if (public == NULL) {
                 printf("Bad key file %s\n", filename);
-                return -1;
-        }
-@@ -162,11 +175,11 @@
- 
-        return ret;
+@@ -165,7 +178,7 @@ delete_all(AuthenticationConnection *ac)
  }
  
  static int
@@ -1796 +1598 @@
  {
         Key *private, *cert;
         char *comment = NULL;
-        char msg[1024], *certpath = NULL;
-        int fd, perms_ok, ret = -1;
-@@ -199,15 +212,20 @@
-        }
-        close(fd);
+@@ -202,11 +215,16 @@ add_file(AuthenticationConnection *ac, c
  
         /* At first, try empty passphrase */
         private = key_parse_private(&keyblob, filename, "", &comment);
@@ -1818 +1616 @@
         if (private == NULL) {
                 /* clear passphrase since it did not work */
                 clear_pass();
-                snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
-                    comment);
-@@ -219,12 +237,15 @@
-                                buffer_free(&keyblob);
-                                return -1;
+@@ -222,8 +240,11 @@ add_file(AuthenticationConnection *ac, c
                         }
                         private = key_parse_private(&keyblob, filename, pass,
                             &comment);
@@ -1835 +1629 @@
                         clear_pass();
                         snprintf(msg, sizeof msg,
                             "Bad passphrase, try again for %.200s: ", comment);
-                }
-        }
-@@ -374,17 +395,17 @@
-        free(p1);
-        return (ret);
+@@ -380,13 +401,13 @@ lock_agent(AuthenticationConnection *ac,
  }
  
  static int
@@ -1856 +1646 @@
                         return -1;
         }
         return 0;
- }
- 
-@@ -402,20 +423,26 @@
-        fprintf(stderr, "  -D          Delete all identities.\n");
-        fprintf(stderr, "  -x          Lock agent.\n");
+@@ -408,6 +429,11 @@ usage(void)
         fprintf(stderr, "  -X          Unlock agent.\n");
         fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
         fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
@@ -1872 +1658 @@
  }
  
  int
- main(int argc, char **argv)
- {
-        extern char *optarg;
-        extern int optind;
+@@ -418,6 +444,7 @@ main(int argc, char **argv)
         AuthenticationConnection *ac = NULL;
         char *pkcs11provider = NULL;
         int i, ch, deleting = 0, ret = 0, key_only = 0;
@@ -1883 +1666 @@
  
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
- 
-        __progname = ssh_get_progname(argv[0]);
-@@ -428,11 +455,11 @@
-        if (ac == NULL) {
-                fprintf(stderr,
+@@ -434,7 +461,7 @@ main(int argc, char **argv)
                     "Could not open a connection to your authentication agent.\n");
                 exit(2);
         }
@@ -1896 +1675 @@
                 switch (ch) {
                 case 'k':
                         key_only = 1;
-                        break;
-                case 'l':
-@@ -467,10 +494,17 @@
-                                fprintf(stderr, "Invalid lifetime\n");
-                                ret = 1;
+@@ -473,6 +500,13 @@ main(int argc, char **argv)
                                 goto done;
                         }
                         break;
@@ -1914 +1689 @@
                 default:
                         usage();
                         ret = 1;
-                        goto done;
-                }
-@@ -498,20 +532,20 @@
-                for (i = 0; default_files[i]; i++) {
-                        snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
+@@ -504,7 +538,7 @@ main(int argc, char **argv)
                             default_files[i]);
                         if (stat(buf, &st) < 0)
                                 continue;
@@ -1927 +1698 @@
                                 ret = 1;
                         else
                                 count++;
-                }
-                if (count == 0)
+@@ -513,7 +547,7 @@ main(int argc, char **argv)
                         ret = 1;
         } else {
                 for (i = 0; i < argc; i++) {
@@ -1937 +1707 @@
                                 ret = 1;
                 }
         }
-        clear_pass();
- 
-diff --git a/ssh-agent.c b/ssh-agent.c
---- a/ssh-agent.c
-+++ b/ssh-agent.c
-@@ -63,20 +63,25 @@
- #include <stdio.h>
- #include <stdlib.h>
+Only in openssh-6.5p1.patched: ssh-add.c.orig
+diff -urp openssh-6.5p1/ssh-agent.c openssh-6.5p1.patched/ssh-agent.c
+--- openssh-6.5p1/ssh-agent.c   2013-12-28 22:45:52.000000000 -0800
++++ openssh-6.5p1.patched/ssh-agent.c   2014-02-15 16:25:56.000000000 -0800
+@@ -65,6 +65,9 @@
  #include <time.h>
  #include <string.h>
  #include <unistd.h>
@@ -1954 +1721 @@
  
  #include "xmalloc.h"
  #include "ssh.h"
- #include "rsa.h"
+@@ -72,9 +75,11 @@
  #include "buffer.h"
  #include "key.h"
  #include "authfd.h"
@@ -1966 +1733 @@
  
  #ifdef ENABLE_PKCS11
  #include "ssh-pkcs11.h"
- #endif
- 
-@@ -788,10 +793,65 @@
-        buffer_put_char(&e->output,
-            success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+@@ -682,6 +687,61 @@ process_remove_smartcard_key(SocketEntry
  }
  #endif /* ENABLE_PKCS11 */
  
@@ -2032 +1795 @@
  /* dispatch incoming messages */
  
  static void
- process_message(SocketEntry *e)
- {
-@@ -880,10 +940,13 @@
-                break;
-        case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
+@@ -774,6 +834,9 @@ process_message(SocketEntry *e)
                 process_remove_smartcard_key(e);
                 break;
  #endif /* ENABLE_PKCS11 */
@@ -2046 +1805 @@
         default:
                 /* Unknown message.  Respond with failure. */
                 error("Unknown message %d", type);
-                buffer_clear(&e->request);
-                buffer_put_int(&e->output, 1);
-@@ -1120,11 +1183,15 @@
- }
- 
+@@ -1014,7 +1077,11 @@ usage(void)
  int
  main(int ac, char **av)
  {
@@ -2062 +1817 @@
         int sock, fd, ch, result, saved_errno;
         u_int nalloc;
         char *shell, *format, *pidstr, *agentsocket = NULL;
-        fd_set *readsetp = NULL, *writesetp = NULL;
-        struct sockaddr_un sunaddr;
-@@ -1154,20 +1221,29 @@
-        OpenSSL_add_all_algorithms();
- 
+@@ -1048,7 +1115,11 @@ main(int ac, char **av)
         __progname = ssh_get_progname(av[0]);
         seed_rng();
  
@@ -2078 +1829 @@
                 switch (ch) {
                 case 'c':
                         if (s_flag)
-                                usage();
-                        c_flag++;
-                        break;
+@@ -1058,6 +1129,11 @@ main(int ac, char **av)
                 case 'k':
                         k_flag++;
                         break;
@@ -2092 +1841 @@
                 case 's':
                         if (c_flag)
                                 usage();
-                        s_flag++;
-                        break;
-@@ -1190,11 +1266,15 @@
-                }
-        }
+@@ -1084,7 +1160,11 @@ main(int ac, char **av)
         ac -= optind;
         av += optind;
  
@@ -2108 +1853 @@
                 usage();
  
         if (ac == 0 && !c_flag && !s_flag) {
-                shell = getenv("SHELL");
-                if (shell != NULL && (len = strlen(shell)) > 2 &&
-@@ -1246,10 +1326,57 @@
- 
-        /*
+@@ -1140,6 +1220,53 @@ main(int ac, char **av)
          * Create socket early so it will exist before command gets run from
          * the parent.
          */
@@ -2166 +1907 @@
         sock = socket(AF_UNIX, SOCK_STREAM, 0);
         if (sock < 0) {
                 perror("socket");
-                *socket_name = '\0'; /* Don't unlink any existing file */
-                cleanup_exit(1);
-@@ -1267,10 +1394,18 @@
-        umask(prev_mask);
-        if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
+@@ -1161,6 +1288,14 @@ main(int ac, char **av)
                 perror("listen");
                 cleanup_exit(1);
         }
@@ -2185 +1922 @@
  
         /*
          * Fork, and have the parent execute the command, if any, or present
-         * the socket data.  The child continues as the authentication agent.
-         */
-@@ -1339,19 +1474,24 @@
- 
- #ifdef ENABLE_PKCS11
+@@ -1233,6 +1368,7 @@ skip:
         pkcs11_init(0);
  #endif
         new_socket(AUTH_SOCKET, sock);
@@ -2197 +1930 @@
         if (ac > 0)
                 parent_alive_interval = 10;
         idtab_init();
-        signal(SIGPIPE, SIG_IGN);
-        signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
-        signal(SIGHUP, cleanup_handler);
+@@ -1242,6 +1378,10 @@ skip:
         signal(SIGTERM, cleanup_handler);
         nalloc = 0;
  
@@ -2210 +1941 @@
         while (1) {
                 prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
                 result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
-                saved_errno = errno;
-                if (parent_alive_interval != 0)
-diff --git a/ssh-keysign.8 b/ssh-keysign.8
---- a/ssh-keysign.8
-+++ b/ssh-keysign.8
-@@ -69,10 +69,13 @@
- They should be owned by root, readable only by root, and not
- accessible to others.
+Only in openssh-6.5p1.patched: ssh-agent.c.orig
+diff -urp openssh-6.5p1/ssh-keysign.8 openssh-6.5p1.patched/ssh-keysign.8
+--- openssh-6.5p1/ssh-keysign.8 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-keysign.8 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,9 @@ accessible to others.
  Since they are readable only by root,
  .Nm
  must be set-uid root if host-based authentication is used.
@@ -2227 +1955 @@
  .Pp
  .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
  .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
- .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
- If these files exist they are assumed to contain public certificate
-diff --git a/sshconnect1.c b/sshconnect1.c
---- a/sshconnect1.c
-+++ b/sshconnect1.c
-@@ -45,10 +45,11 @@
- #include "authfile.h"
- #include "misc.h"
+Only in openssh-6.5p1.patched: ssh-keysign.8.orig
+diff -urp openssh-6.5p1/sshconnect1.c openssh-6.5p1.patched/sshconnect1.c
+--- openssh-6.5p1/sshconnect1.c 2013-10-25 16:05:47.000000000 -0700
++++ openssh-6.5p1.patched/sshconnect1.c 2014-02-15 16:25:56.000000000 -0800
+@@ -47,6 +47,7 @@
  #include "canohost.h"
  #include "hostfile.h"
  #include "auth.h"
@@ -2242 +1967 @@
  
  /* Session id for the current session. */
  u_char session_id[16];
- u_int supported_authentications = 0;
- 
-@@ -258,10 +259,14 @@
-                    &perm_ok);
-        if (private == NULL && !options.batch_mode && perm_ok) {
+@@ -260,6 +261,10 @@ try_rsa_authentication(int idx)
                 snprintf(buf, sizeof(buf),
                     "Enter passphrase for RSA key '%.100s': ", comment);
                 for (i = 0; i < options.number_of_password_prompts; i++) {
@@ -2257 +1978 @@
                         passphrase = read_passphrase(buf, 0);
                         if (strcmp(passphrase, "") != 0) {
                                 private = key_load_private_type(KEY_RSA1,
-                                    authfile, passphrase, NULL, NULL);
-                                quit = 0;
-diff --git a/sshconnect2.c b/sshconnect2.c
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -70,10 +70,11 @@
- #include "pathnames.h"
- #include "uidswap.h"
+diff -urp openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
+--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,7 @@
  #include "hostfile.h"
  #include "schnorr.h"
  #include "jpake.h"
@@ -2272 +1989 @@
  
  #ifdef GSSAPI
  #include "ssh-gss.h"
- #endif
- 
-@@ -1331,10 +1332,14 @@
-                if (options.batch_mode)
-                        return NULL;
+@@ -1335,6 +1336,10 @@ load_identity_file(char *filename, int u
                 snprintf(prompt, sizeof prompt,
                     "Enter passphrase for key '%.100s': ", filename);
                 for (i = 0; i < options.number_of_password_prompts; i++) {
@@ -2287 +2000 @@
                         passphrase = read_passphrase(prompt, 0);
                         if (strcmp(passphrase, "") != 0) {
                                 private = key_load_private_type(KEY_UNSPEC,
-                                    filename, passphrase, NULL, NULL);
-                                quit = 0;
-diff --git a/sshd.0 b/sshd.0
---- a/sshd.0
-+++ b/sshd.0
-@@ -620,12 +620,12 @@
-              The content of this file is not sensitive; it can be world-
-              readable.
+Only in openssh-6.5p1.patched: sshconnect2.c.orig
+diff -urp openssh-6.5p1/sshd.0 openssh-6.5p1.patched/sshd.0
+--- openssh-6.5p1/sshd.0        2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd.0        2014-02-15 16:25:56.000000000 -0800
+@@ -625,8 +625,8 @@ FILES
  
  SEE ALSO
       scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
@@ -2305 +2015 @@
  
  AUTHORS
       OpenSSH is a derivative of the original and free ssh 1.2.12 release by
-      Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
-      de Raadt and Dug Song removed many bugs, re-added newer features and
-diff --git a/sshd.8 b/sshd.8
---- a/sshd.8
-+++ b/sshd.8
-@@ -954,14 +954,11 @@
- .Xr ssh-agent 1 ,
- .Xr ssh-keygen 1 ,
+Only in openssh-6.5p1.patched: sshd.0.orig
+diff -urp openssh-6.5p1/sshd.8 openssh-6.5p1.patched/sshd.8
+--- openssh-6.5p1/sshd.8        2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/sshd.8        2014-02-15 16:25:56.000000000 -0800
+@@ -961,10 +961,7 @@ The content of this file is not sensitiv
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -2323 +2030 @@
  .Xr sftp-server 8
  .Sh AUTHORS
  OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
- Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/sshd.c b/sshd.c
---- a/sshd.c
-+++ b/sshd.c
-@@ -2106,23 +2106,23 @@
- 
- #ifdef SSH_AUDIT_EVENTS
+Only in openssh-6.5p1.patched: sshd.8.orig
+diff -urp openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
+--- openssh-6.5p1/sshd.c        2014-01-27 20:08:13.000000000 -0800
++++ openssh-6.5p1.patched/sshd.c        2014-02-15 16:25:56.000000000 -0800
+@@ -2124,6 +2124,12 @@ main(int ac, char **av)
         audit_event(SSH_AUTH_SUCCESS);
  #endif
  
@@ -2343 +2047 @@
  #ifdef GSSAPI
         if (options.gss_authentication) {
                 temporarily_use_uid(authctxt->pw);
-                ssh_gssapi_storecreds();
+@@ -2131,12 +2137,6 @@ main(int ac, char **av)
                 restore_uid();
         }
  #endif
@@ -2356 +2060 @@
  
         /*
          * In privilege separation, we fork another child and prepare
-         * file descriptor passing.
-         */
-diff --git a/sshd_config b/sshd_config
---- a/sshd_config
-+++ b/sshd_config
-@@ -32,11 +32,11 @@
- # Ciphers and keying
- #RekeyLimit default none
+Only in openssh-6.5p1.patched: sshd.c.orig
+diff -urp openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
+--- openssh-6.5p1/sshd_config   2014-01-12 00:20:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config   2014-02-15 16:25:56.000000000 -0800
+@@ -35,7 +35,7 @@
  
  # Logging
  # obsoletes QuietMode and FascistLogging
@@ -2372 +2073 @@
  #LogLevel INFO
  
  # Authentication:
- 
- #LoginGraceTime 2m
-@@ -65,12 +65,13 @@
- # RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
+@@ -68,8 +68,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  
@@ -2388 +2085 @@
  #PermitEmptyPasswords no
  
  # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
- 
-@@ -91,11 +92,14 @@
- # PAM authentication via ChallengeResponseAuthentication may bypass
- # the setting of "PermitRootLogin without-password".
+@@ -94,7 +95,10 @@ AuthorizedKeysFile   .ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
@@ -2404 +2097 @@
  
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
- #GatewayPorts no
- #X11Forwarding no
-diff --git a/sshd_config.0 b/sshd_config.0
---- a/sshd_config.0
-+++ b/sshd_config.0
-@@ -505,11 +505,11 @@
-              increases linearly and all connection attempts are refused if the
-              number of unauthenticated connections reaches ``full'' (60).
+diff -urp openssh-6.5p1/sshd_config.0 openssh-6.5p1.patched/sshd_config.0
+--- openssh-6.5p1/sshd_config.0 2014-01-29 17:52:48.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.0 2014-02-15 16:25:56.000000000 -0800
+@@ -517,7 +517,7 @@ DESCRIPTION
  
       PasswordAuthentication
               Specifies whether password authentication is allowed.  The
@@ -2420 +2109 @@
  
       PermitEmptyPasswords
               When password authentication is allowed, it specifies whether the
-              server allows login to accounts with empty password strings.  The
-              default is ``no''.
-@@ -707,11 +707,11 @@
-              Because PAM challenge-response authentication usually serves an
-              equivalent role to password authentication, you should disable
+@@ -723,7 +723,7 @@ DESCRIPTION
               either PasswordAuthentication or ChallengeResponseAuthentication.
  
               If UsePAM is enabled, you will not be able to run sshd(8) as a
@@ -2433 +2118 @@
  
       UsePrivilegeSeparation
               Specifies whether sshd(8) separates privileges by creating an
-              unprivileged child process to deal with incoming network traffic.
-              After successful authentication, another process will be created
-diff --git a/sshd_config.5 b/sshd_config.5
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -854,11 +854,11 @@
- .Dq full
- (60).
+Only in openssh-6.5p1.patched: sshd_config.0.orig
+diff -urp openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
+--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:25:56.000000000 -0800
+@@ -871,7 +871,7 @@ are refused if the number of unauthentic
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
@@ -2449 +2131 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
- The default is
- .Dq no .
-@@ -1181,11 +1181,11 @@
- .Cm UsePAM
- is enabled, you will not be able to run
+@@ -1204,7 +1204,7 @@ is enabled, you will not be able to run
  .Xr sshd 8
  as a non-root user.
  The default is
@@ -2462 +2140 @@
  .It Cm UsePrivilegeSeparation
  Specifies whether
  .Xr sshd 8
- separates privileges by creating an unprivileged child process
- to deal with incoming network traffic.
+Only in openssh-6.5p1.patched: sshd_config.5.orig
+Only in openssh-6.5p1.patched: sshd_config.orig