Ticket #42523: 002-Apple-keychain-integration-other-changes.patch.diff

File 002-Apple-keychain-integration-other-changes.patch.diff, 42.4 KB (added by arthurmesh@…, 11 years ago)
  • 0002-Apple-keychain-integration-other-changes.patch

    old new  
    1 # HG changeset patch
    2 # User Sean Farley <sean.michael.farley@gmail.com>
    3 # Date 1382624667 -28800
    4 #      Thu Oct 24 22:24:27 2013 +0800
    5 # Node ID dd6d51b7e12be5fab94a8779e890c5558e4d4001
    6 # Parent  86a3bc5c8ff689a291e86950a3d8fd327f42b870
    7 partial import
    8 
    9 
    10 wiggled scp
    11 
    12 
    13 wiggled readconf
    14 
    15 
    16 wiggled readconf.c
    17 
    18 diff --git a/Makefile.in b/Makefile.in
    19 --- a/Makefile.in
    20 +++ b/Makefile.in
    21 @@ -56,10 +56,11 @@
    22  PERL=@PERL@
    23  SED=@SED@
     1diff -urp openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
     2--- openssh-6.5p1/Makefile.in   2014-01-26 22:35:04.000000000 -0800
     3+++ openssh-6.5p1.patched/Makefile.in   2014-02-15 16:27:53.000000000 -0800
     4@@ -58,6 +58,7 @@ SED=@SED@
    245 ENT=@ENT@
    256 XAUTH_PATH=@XAUTH_PATH@
    267 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
     
    289 EXEEXT=@EXEEXT@
    2910 MANFMT=@MANFMT@
    3011 
    31  TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
    32  
    33 @@ -93,10 +94,12 @@
    34         sftp-server.o sftp-common.o \
    35         roaming_common.o roaming_serv.o \
     12@@ -98,6 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
    3613        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
    37         sandbox-seccomp-filter.o
     14        sandbox-seccomp-filter.o sandbox-capsicum.o
    3815 
    3916+KEYCHAINOBJS=keychain.o
    4017+
    4118 MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
    4219 MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
    4320 MANTYPE                = @MANTYPE@
    44  
    45  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
    46 @@ -127,10 +130,11 @@
    47  all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
    48  
     21@@ -133,6 +136,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGET
    4922 $(LIBSSH_OBJS): Makefile.in config.h
    5023 $(SSHOBJS): Makefile.in config.h
    5124 $(SSHDOBJS): Makefile.in config.h
     
    5326 
    5427 .c.o:
    5528        $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
    56  
    57  LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
    58 @@ -140,24 +144,24 @@
    59  
    60  libssh.a: $(LIBSSH_OBJS)
     29@@ -146,8 +150,8 @@ libssh.a: $(LIBSSH_OBJS)
    6130        $(AR) rv $@ $(LIBSSH_OBJS)
    6231        $(RANLIB) $@
    6332 
     
    6837 
    6938 sshd$(EXEEXT): libssh.a        $(LIBCOMPAT) $(SSHDOBJS)
    7039        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
    71  
     40@@ -155,11 +159,11 @@ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(S
    7241 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
    7342        $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
    7443 
     
    8453 
    8554 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
    8655        $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
    87  
    88  ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
    89 @@ -265,11 +269,11 @@
    90         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
    91         $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
     56@@ -271,7 +275,7 @@ install-files:
    9257        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
    9358        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
    9459        $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
     
    9762        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
    9863        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
    9964        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
    100         $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
    101         $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
    102 diff --git a/audit-bsm.c b/audit-bsm.c
    103 --- a/audit-bsm.c
    104 +++ b/audit-bsm.c
    105 @@ -261,11 +261,16 @@
    106         uid_t           uid = -1;
    107         gid_t           gid = -1;
     65Only in openssh-6.5p1.patched: Makefile.in.orig
     66Only in openssh-6.5p1.patched: Makefile.in.rej
     67diff -urp openssh-6.5p1/audit-bsm.c openssh-6.5p1.patched/audit-bsm.c
     68--- openssh-6.5p1/audit-bsm.c   2012-02-23 15:40:43.000000000 -0800
     69+++ openssh-6.5p1.patched/audit-bsm.c   2014-02-15 16:25:56.000000000 -0800
     70@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string,
    10871        pid_t           pid = getpid();
    10972        AuditInfoTermID tid = ssh_bsm_tid;
    11073 
     
    11881                uid = the_authctxt->pw->pw_uid;
    11982                gid = the_authctxt->pw->pw_gid;
    12083        }
    121  
    122         rc = (typ == 0) ? 0 : -1;
    123 diff --git a/auth-pam.c b/auth-pam.c
    124 --- a/auth-pam.c
    125 +++ b/auth-pam.c
    126 @@ -789,14 +789,15 @@
    127                                 **echo_on = 0;
    128                                 ctxt->pam_done = 1;
     84diff -urp openssh-6.5p1/auth-pam.c openssh-6.5p1.patched/auth-pam.c
     85--- openssh-6.5p1/auth-pam.c    2013-12-18 16:31:45.000000000 -0800
     86+++ openssh-6.5p1.patched/auth-pam.c    2014-02-15 16:25:56.000000000 -0800
     87@@ -793,10 +793,11 @@ sshpam_query(void *ctx, char **name, cha
    12988                                free(msg);
    13089                                return (0);
    13190                        }
     
    13998                        /* FALLTHROUGH */
    14099                default:
    141100                        *num = 0;
    142                         **echo_on = 0;
    143                         free(msg);
    144 diff --git a/auth.c b/auth.c
    145 --- a/auth.c
    146 +++ b/auth.c
    147 @@ -209,11 +209,11 @@
    148                         return 0;
    149                 }
     101Only in openssh-6.5p1.patched: auth-pam.c.orig
     102diff -urp openssh-6.5p1/auth.c openssh-6.5p1.patched/auth.c
     103--- openssh-6.5p1/auth.c        2013-06-01 14:41:51.000000000 -0700
     104+++ openssh-6.5p1.patched/auth.c        2014-02-15 16:25:56.000000000 -0800
     105@@ -211,7 +211,7 @@ allowed_user(struct passwd * pw)
    150106        }
    151107        if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
    152108                /* Get the user's group access list (primary and supplementary) */
     
    155111                        logit("User %.100s from %.100s not allowed because "
    156112                            "not in any group", pw->pw_name, hostname);
    157113                        return 0;
    158                 }
    159  
    160 diff --git a/authfd.c b/authfd.c
    161 --- a/authfd.c
    162 +++ b/authfd.c
    163 @@ -687,10 +687,33 @@
    164         type = buffer_get_char(&msg);
    165         buffer_free(&msg);
     114diff -urp openssh-6.5p1/authfd.c openssh-6.5p1.patched/authfd.c
     115--- openssh-6.5p1/authfd.c      2013-12-28 22:49:56.000000000 -0800
     116+++ openssh-6.5p1.patched/authfd.c      2014-02-15 16:25:56.000000000 -0800
     117@@ -638,6 +638,29 @@ ssh_remove_all_identities(Authentication
    166118        return decode_reply(type);
    167119 }
    168120 
     
    192144 int
    193145 decode_reply(int type)
    194146 {
    195         switch (type) {
    196         case SSH_AGENT_FAILURE:
    197 diff --git a/authfd.h b/authfd.h
    198 --- a/authfd.h
    199 +++ b/authfd.h
    200 @@ -47,10 +47,13 @@
    201  /* add key with constraints */
    202  #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED      24
     147Only in openssh-6.5p1.patched: authfd.c.orig
     148diff -urp openssh-6.5p1/authfd.h openssh-6.5p1.patched/authfd.h
     149--- openssh-6.5p1/authfd.h      2009-10-06 14:47:02.000000000 -0700
     150+++ openssh-6.5p1.patched/authfd.h      2014-02-15 16:25:56.000000000 -0800
     151@@ -49,6 +49,9 @@
    203152 #define SSH2_AGENTC_ADD_ID_CONSTRAINED         25
    204153 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
    205154 
     
    209158 #define        SSH_AGENT_CONSTRAIN_LIFETIME            1
    210159 #define        SSH_AGENT_CONSTRAIN_CONFIRM             2
    211160 
    212  /* extended failure messages */
    213  #define SSH2_AGENT_FAILURE                     30
    214 diff --git a/config.h.in b/config.h.in
    215 --- a/config.h.in
    216 +++ b/config.h.in
    217 @@ -75,10 +75,22 @@
    218  #undef BROKEN_SNPRINTF
    219  
    220  /* FreeBSD strnvis does not do what we need */
     161diff -urp openssh-6.5p1/config.h.in openssh-6.5p1.patched/config.h.in
     162--- openssh-6.5p1/config.h.in   2014-01-29 17:52:44.000000000 -0800
     163+++ openssh-6.5p1.patched/config.h.in   2014-02-15 16:28:51.000000000 -0800
     164@@ -81,6 +81,18 @@
     165 /* FreeBSD strnvis argument order is swapped compared to OpenBSD */
    221166 #undef BROKEN_STRNVIS
    222167 
    223168+/* platform uses an in-memory credentials cache */
     
    235180 /* tcgetattr with ICANON may hang */
    236181 #undef BROKEN_TCGETATTR_ICANON
    237182 
    238  /* updwtmpx is broken (if present) */
    239  #undef BROKEN_UPDWTMPX
    240 diff --git a/configure.ac b/configure.ac
    241 --- a/configure.ac
    242 +++ b/configure.ac
    243 @@ -4548,14 +4548,44 @@
    244  #ifdef HAVE_LASTLOG_H
    245  #include <lastlog.h>
     183Only in openssh-6.5p1.patched: config.h.in.orig
     184Only in openssh-6.5p1.patched: config.h.in.rej
     185diff -urp openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
     186--- openssh-6.5p1/configure.ac  2014-01-29 16:26:46.000000000 -0800
     187+++ openssh-6.5p1.patched/configure.ac  2014-02-15 16:25:56.000000000 -0800
     188@@ -4779,10 +4779,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
    246189 #endif
    247190        ])
    248191 
     
    283226 if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
    284227        TEST_SSH_IPV6=no
    285228 else
    286         TEST_SSH_IPV6=yes
    287  fi
    288 diff --git a/groupaccess.c b/groupaccess.c
    289 --- a/groupaccess.c
    290 +++ b/groupaccess.c
    291 @@ -32,62 +32,107 @@
    292  #include <unistd.h>
    293  #include <stdarg.h>
     229Only in openssh-6.5p1.patched: configure.ac.orig
     230diff -urp openssh-6.5p1/groupaccess.c openssh-6.5p1.patched/groupaccess.c
     231--- openssh-6.5p1/groupaccess.c 2013-06-01 15:07:32.000000000 -0700
     232+++ openssh-6.5p1.patched/groupaccess.c 2014-02-15 16:25:56.000000000 -0800
     233@@ -34,38 +34,67 @@
    294234 #include <stdlib.h>
    295235 #include <string.h>
    296236 
     
    340280        ngroups = NGROUPS_MAX;
    341281 #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
    342282        ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
     283-#endif
     284-
    343285+#endif
    344 +       groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
     286        groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
    345287+#else
    346288+       if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
    347289+           &groups_bygid))) {
    348290+               logit("getgrouplist_2 failed");
    349291+               return 0;
    350292+       }
    351  #endif
    352 -
    353 -       groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
     293+#endif
    354294        groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
    355295-
    356296-       if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
     
    365305        for (i = 0, j = 0; i < ngroups; i++)
    366306                if ((gr = getgrgid(groups_bygid[i])) != NULL)
    367307                        groups_byname[j++] = xstrdup(gr->gr_name);
    368         free(groups_bygid);
    369         return (ngroups = j);
    370  }
    371  
     308@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
    372309 /*
    373310  * Return 1 if one of user's groups is contained in groups.
    374311  * Return 0 otherwise.  Use match_pattern() for string comparison.
     
    401338        return 0;
    402339 }
    403340 
    404  /*
    405   * Return 1 if one of user's groups matches group_pattern list.
    406 diff --git a/groupaccess.h b/groupaccess.h
    407 --- a/groupaccess.h
    408 +++ b/groupaccess.h
    409 @@ -25,11 +25,11 @@
    410   */
    411  
     341diff -urp openssh-6.5p1/groupaccess.h openssh-6.5p1.patched/groupaccess.h
     342--- openssh-6.5p1/groupaccess.h 2008-07-03 20:51:12.000000000 -0700
     343+++ openssh-6.5p1.patched/groupaccess.h 2014-02-15 16:25:56.000000000 -0800
     344@@ -27,7 +27,7 @@
    412345 #ifndef GROUPACCESS_H
    413346 #define GROUPACCESS_H
    414347 
     
    417350 int     ga_match(char * const *, int);
    418351 int     ga_match_pattern_list(const char *);
    419352 void    ga_free(void);
    420  
    421  #endif
    422353diff --git a/keychain.c b/keychain.c
    423354new file mode 100644
    424355--- /dev/null
     
    11681099+int     add_identities_using_keychain(
    11691100+            int (*add_identity)(const char *, const char *));
    11701101+char   *keychain_read_passphrase(const char *filename, int oAskPassGUI);
    1171 diff --git a/readconf.c b/readconf.c
    1172 --- a/readconf.c
    1173 +++ b/readconf.c
    1174 @@ -136,10 +136,13 @@
    1175         oSendEnv, oControlPath, oControlMaster, oControlPersist,
    1176         oHashKnownHosts,
    1177         oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
    1178         oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
    1179         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
     1102diff -urp openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
     1103--- openssh-6.5p1/readconf.c    2014-01-17 05:03:57.000000000 -0800
     1104+++ openssh-6.5p1.patched/readconf.c    2014-02-15 16:30:49.000000000 -0800
     1105@@ -148,6 +148,9 @@ typedef enum {
     1106        oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
     1107        oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
     1108        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
    11801109+#ifdef __APPLE_KEYCHAIN__
    11811110+       oAskPassGUI,
    11821111+#endif
    11831112        oIgnoredUnknownOption, oDeprecated, oUnsupported
    11841113 } OpCodes;
    11851114 
    1186  /* Textual representations of the tokens. */
    1187  
    1188 @@ -248,11 +251,13 @@
    1189  #endif
    1190         { "kexalgorithms", oKexAlgorithms },
    1191         { "ipqos", oIPQoS },
    1192         { "requesttty", oRequestTTY },
     1115@@ -267,6 +270,9 @@ static struct {
     1116        { "canonicalizemaxdots", oCanonicalizeMaxDots },
     1117        { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
    11931118        { "ignoreunknown", oIgnoreUnknown },
    1194 -
    11951119+#ifdef __APPLE_KEYCHAIN__
    11961120+       { "askpassgui", oAskPassGUI },
    11971121+#endif
     1122 
    11981123        { NULL, oBadOption }
    11991124 };
    1200  
    1201  /*
    1202   * Adds a local TCP/IP port forward to options.  Never returns if there is an
    1203 @@ -1070,10 +1075,16 @@
    1204  
    1205         case oIgnoreUnknown:
     1125@@ -1332,6 +1338,12 @@ parse_int:
    12061126                charptr = &options->ignored_unknown;
    12071127                goto parse_string;
    12081128 
     
    12121132+               goto parse_flag;
    12131133+#endif
    12141134+
    1215         case oDeprecated:
    1216                 debug("%s line %d: Deprecated option \"%s\"",
    1217                     filename, linenum, keyword);
    1218                 return 0;
    1219  
    1220 @@ -1232,10 +1243,13 @@
    1221         options->zero_knowledge_password_authentication = -1;
    1222         options->ip_qos_interactive = -1;
    1223         options->ip_qos_bulk = -1;
     1135        case oProxyUseFdpass:
     1136                intptr = &options->proxy_use_fdpass;
     1137                goto parse_flag;
     1138@@ -1555,6 +1567,9 @@ initialize_options(Options * options)
    12241139        options->request_tty = -1;
     1140        options->proxy_use_fdpass = -1;
    12251141        options->ignored_unknown = NULL;
    12261142+#ifdef __APPLE_KEYCHAIN__
    12271143+       options->ask_pass_gui = -1;
    12281144+#endif
    1229  }
    1230  
    1231  /*
    1232   * Called after processing other sources of option data, this fills those
    1233   * options for which no value has been specified with their default values.
    1234 @@ -1383,10 +1397,14 @@
    1235                 options->ip_qos_interactive = IPTOS_LOWDELAY;
    1236         if (options->ip_qos_bulk == -1)
     1145        options->num_canonical_domains = 0;
     1146        options->num_permitted_cnames = 0;
     1147        options->canonicalize_max_dots = -1;
     1148@@ -1713,6 +1728,10 @@ fill_default_options(Options * options)
    12371149                options->ip_qos_bulk = IPTOS_THROUGHPUT;
    12381150        if (options->request_tty == -1)
    12391151                options->request_tty = REQUEST_TTY_AUTO;
     
    12411153+       if (options->ask_pass_gui == -1)
    12421154+               options->ask_pass_gui = 1;
    12431155+#endif
    1244         /* options->local_command should not be set by default */
    1245         /* options->proxy_command should not be set by default */
    1246         /* options->user will be set in the main program if appropriate */
    1247         /* options->hostname will be set in the main program if appropriate */
    1248         /* options->host_key_alias should not be set by default */
    1249 diff --git a/readconf.h b/readconf.h
    1250 --- a/readconf.h
    1251 +++ b/readconf.h
    1252 @@ -137,10 +137,14 @@
    1253         int     use_roaming;
    1254  
    1255         int     request_tty;
     1156        if (options->proxy_use_fdpass == -1)
     1157                options->proxy_use_fdpass = 0;
     1158        if (options->canonicalize_max_dots == -1)
     1159Only in openssh-6.5p1.patched: readconf.c.orig
     1160Only in openssh-6.5p1.patched: readconf.c.rej
     1161diff -urp openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
     1162--- openssh-6.5p1/readconf.h    2013-10-16 17:48:14.000000000 -0700
     1163+++ openssh-6.5p1.patched/readconf.h    2014-02-15 16:31:29.000000000 -0800
     1164@@ -155,6 +155,10 @@ typedef struct {
     1165        struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
    12561166 
    12571167        char    *ignored_unknown; /* Pattern list of unknown tokens to ignore */
    12581168+
     
    12611171+#endif
    12621172 }       Options;
    12631173 
    1264  #define SSHCTL_MASTER_NO       0
    1265  #define SSHCTL_MASTER_YES      1
    1266  #define SSHCTL_MASTER_AUTO     2
    1267 diff --git a/scp.1 b/scp.1
    1268 --- a/scp.1
    1269 +++ b/scp.1
    1270 @@ -17,11 +17,11 @@
    1271  .Nm scp
    1272  .Nd secure copy (remote file copy program)
     1174 #define SSH_CANONICALISE_NO    0
     1175Only in openssh-6.5p1.patched: readconf.h.orig
     1176Only in openssh-6.5p1.patched: readconf.h.rej
     1177diff -urp openssh-6.5p1/scp.1 openssh-6.5p1.patched/scp.1
     1178--- openssh-6.5p1/scp.1 2013-10-22 22:30:00.000000000 -0700
     1179+++ openssh-6.5p1.patched/scp.1 2014-02-15 16:25:56.000000000 -0800
     1180@@ -19,7 +19,7 @@
    12731181 .Sh SYNOPSIS
    12741182 .Nm scp
    12751183 .Bk -words
     
    12781186 .Op Fl c Ar cipher
    12791187 .Op Fl F Ar ssh_config
    12801188 .Op Fl i Ar identity_file
    1281  .Op Fl l Ar limit
    1282  .Op Fl o Ar ssh_option
    1283 @@ -95,10 +95,12 @@
    1284  Passes the
    1285  .Fl C
     1189@@ -97,6 +97,8 @@ Passes the
    12861190 flag to
    12871191 .Xr ssh 1
    12881192 to enable compression.
     
    12911195 .It Fl c Ar cipher
    12921196 Selects the cipher to use for encrypting the data transfer.
    12931197 This option is directly passed to
    1294  .Xr ssh 1 .
    1295  .It Fl F Ar ssh_config
    1296 diff --git a/scp.c b/scp.c
    1297 --- a/scp.c
    1298 +++ b/scp.c
    1299 @@ -76,10 +76,13 @@
    1300  #include <sys/types.h>
    1301  #include <sys/param.h>
     1198diff -urp openssh-6.5p1/scp.c openssh-6.5p1.patched/scp.c
     1199--- openssh-6.5p1/scp.c 2013-11-20 18:56:49.000000000 -0800
     1200+++ openssh-6.5p1.patched/scp.c 2014-02-15 16:25:56.000000000 -0800
     1201@@ -78,6 +78,9 @@
    13021202 #ifdef HAVE_SYS_STAT_H
    13031203 # include <sys/stat.h>
    13041204 #endif
     
    13081208 #ifdef HAVE_POLL_H
    13091209 #include <poll.h>
    13101210 #else
    1311  # ifdef HAVE_SYS_POLL_H
    1312  #  include <sys/poll.h>
    1313 @@ -112,10 +115,15 @@
    1314  #include "pathnames.h"
    1315  #include "log.h"
     1211@@ -114,6 +117,11 @@
    13161212 #include "misc.h"
    13171213 #include "progressmeter.h"
    13181214 
     
    13241220 extern char *__progname;
    13251221 
    13261222 #define COPY_BUFLEN    16384
    1327  
    1328  int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
    1329 @@ -148,10 +156,16 @@
    1330  char *ssh_program = _PATH_SSH_PROGRAM;
    1331  
     1223@@ -150,6 +158,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
    13321224 /* This is used to store the pid of ssh_program */
    13331225 pid_t do_cmd_pid = -1;
    13341226 
     
    13411233 static void
    13421234 killchild(int signo)
    13431235 {
    1344         if (do_cmd_pid > 1) {
    1345                 kill(do_cmd_pid, signo ? signo : SIGTERM);
    1346 @@ -393,11 +407,15 @@
    1347         addargs(&args, "-oForwardAgent=no");
    1348         addargs(&args, "-oPermitLocalCommand=no");
     1236@@ -395,7 +409,11 @@ main(int argc, char **argv)
    13491237        addargs(&args, "-oClearAllForwardings=yes");
    13501238 
    13511239        fflag = tflag = 0;
     
    13571245                switch (ch) {
    13581246                /* User-visible flags. */
    13591247                case '1':
    1360                 case '2':
    1361                 case '4':
    1362 @@ -454,10 +472,15 @@
    1363                         addargs(&args, "-q");
    1364                         addargs(&remote_remote_args, "-q");
     1248@@ -456,6 +474,11 @@ main(int argc, char **argv)
    13651249                        showprogress = 0;
    13661250                        break;
    13671251 
     
    13731257                /* Server options. */
    13741258                case 'd':
    13751259                        targetshouldbedirectory = 1;
    1376                         break;
    1377                 case 'f':       /* "from" */
    1378 @@ -503,11 +526,16 @@
    1379                 targetshouldbedirectory = 1;
    1380  
     1260@@ -505,7 +528,12 @@ main(int argc, char **argv)
    13811261        remin = remout = -1;
    13821262        do_cmd_pid = -1;
    13831263        /* Command to be executed on remote system using "ssh". */
     
    13901270            verbose_mode ? " -v" : "",
    13911271            iamrecursive ? " -r" : "", pflag ? " -p" : "",
    13921272            targetshouldbedirectory ? " -d" : "");
    1393  
    1394         (void) signal(SIGPIPE, lostconn);
    1395 @@ -749,23 +777,41 @@
    1396         off_t i, statbytes;
    1397         size_t amt;
     1273@@ -751,6 +779,10 @@ source(int argc, char **argv)
    13981274        int fd = -1, haderr, indx;
    13991275        char *last, *name, buf[2048], encname[MAXPATHLEN];
    14001276        int len;
     
    14051281 
    14061282        for (indx = 0; indx < argc; ++indx) {
    14071283                name = argv[indx];
    1408                 statbytes = 0;
     1284@@ -758,12 +790,26 @@ source(int argc, char **argv)
    14091285                len = strlen(name);
    14101286                while (len > 1 && name[len-1] == '/')
    14111287                        name[--len] = '\0';
     
    14321308                if (fstat(fd, &stb) < 0) {
    14331309 syserr:                        run_err("%s: %s", name, strerror(errno));
    14341310                        goto next;
    1435                 }
    1436                 if (stb.st_size < 0) {
    1437 @@ -844,10 +890,40 @@
    1438                 if (!haderr)
    1439                         (void) atomicio(vwrite, remout, "", 1);
     1311@@ -846,6 +892,36 @@ next:                      if (fd != -1) {
    14401312                else
    14411313                        run_err("%s: %s", name, strerror(haderr));
    14421314                (void) response();
     
    14731345        }
    14741346 }
    14751347 
    1476  void
    1477  rsource(char *name, struct stat *statp)
    1478 @@ -935,10 +1011,14 @@
    1479  
    1480         (void) atomicio(vwrite, remout, "", 1);
     1348@@ -937,6 +1013,10 @@ sink(int argc, char **argv)
    14811349        if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
    14821350                targisdir = 1;
    14831351        for (first = 1;; first = 0) {
     
    14881356                cp = buf;
    14891357                if (atomicio(read, remin, cp, 1) != 1)
    14901358                        return;
    1491                 if (*cp++ == '\n')
    1492                         SCREWUP("unexpected <newline>");
    1493 @@ -1080,14 +1160,55 @@
    1494                         free(vect[0]);
    1495                         continue;
     1359@@ -1082,10 +1162,51 @@ sink(int argc, char **argv)
    14961360                }
    14971361                omode = mode;
    14981362                mode |= S_IWUSR;
     
    15441408                (void) atomicio(vwrite, remout, "", 1);
    15451409                if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
    15461410                        (void) close(ofd);
    1547                         continue;
    1548                 }
    1549 @@ -1168,10 +1289,33 @@
    1550                 if (close(ofd) == -1) {
    1551                         wrerr = YES;
     1411@@ -1170,6 +1291,29 @@ bad:                     run_err("%s: %s", np, strerror(er
    15521412                        wrerrno = errno;
    15531413                }
    15541414                (void) response();
     
    15781438                if (setimes && wrerr == NO) {
    15791439                        setimes = 0;
    15801440                        if (utimes(np, tv) < 0) {
    1581                                 run_err("%s: set times: %s",
    1582                                     np, strerror(errno));
    1583 @@ -1229,11 +1373,15 @@
    1584  
    1585  void
     1441@@ -1231,7 +1375,11 @@ void
    15861442 usage(void)
    15871443 {
    15881444        (void) fprintf(stderr,
     
    15941450            "           [-l limit] [-o ssh_option] [-P port] [-S program]\n"
    15951451            "           [[user@]host1:]file1 ... [[user@]host2:]file2\n");
    15961452        exit(1);
    1597  }
    1598  
    1599 diff --git a/servconf.c b/servconf.c
    1600 --- a/servconf.c
    1601 +++ b/servconf.c
    1602 @@ -158,11 +158,11 @@
    1603  void
    1604  fill_default_server_options(ServerOptions *options)
    1605  {
    1606         /* Portable-specific options */
    1607         if (options->use_pam == -1)
    1608 -               options->use_pam = 0;
    1609 +               options->use_pam = 1;
    1610  
    1611         /* Standard Options */
    1612         if (options->protocol == SSH_PROTO_UNKNOWN)
    1613                 options->protocol = SSH_PROTO_2;
    1614         if (options->num_host_key_files == 0) {
    1615 @@ -241,11 +241,11 @@
    1616         if (options->gss_authentication == -1)
    1617                 options->gss_authentication = 0;
     1453diff -urp openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
     1454--- openssh-6.5p1/servconf.c    2013-12-06 16:24:02.000000000 -0800
     1455+++ openssh-6.5p1.patched/servconf.c    2014-02-15 16:25:56.000000000 -0800
     1456@@ -248,7 +248,7 @@ fill_default_server_options(ServerOption
    16181457        if (options->gss_cleanup_creds == -1)
    16191458                options->gss_cleanup_creds = 1;
    16201459        if (options->password_authentication == -1)
     
    16231462        if (options->kbd_interactive_authentication == -1)
    16241463                options->kbd_interactive_authentication = 0;
    16251464        if (options->challenge_response_authentication == -1)
    1626                 options->challenge_response_authentication = 1;
    1627         if (options->permit_empty_passwd == -1)
    1628 @@ -621,11 +621,11 @@
    1629                 goto out;
    1630  
     1465@@ -629,7 +629,7 @@ match_cfg_line_group(const char *grps, i
    16311466        if ((pw = getpwnam(user)) == NULL) {
    16321467                debug("Can't match group at line %d because user %.100s does "
    16331468                    "not exist", line, user);
     
    16361471                debug("Can't Match group because user %.100s not in any group "
    16371472                    "at line %d", user, line);
    16381473        } else if (ga_match_pattern_list(grps) != 1) {
    1639                 debug("user %.100s does not match group list %.100s at line %d",
    1640                     user, grps, line);
    1641 diff --git a/session.c b/session.c
    1642 --- a/session.c
    1643 +++ b/session.c
    1644 @@ -2081,12 +2081,14 @@
    1645         /* for SSH1 the tty modes length is not given */
    1646         if (!compat20)
     1474Only in openssh-6.5p1.patched: servconf.c.orig
     1475diff -urp openssh-6.5p1/session.c openssh-6.5p1.patched/session.c
     1476--- openssh-6.5p1/session.c     2014-01-22 19:16:10.000000000 -0800
     1477+++ openssh-6.5p1.patched/session.c     2014-02-15 16:25:56.000000000 -0800
     1478@@ -2111,8 +2111,10 @@ session_pty_req(Session *s)
    16471479                n_bytes = packet_remaining();
    16481480        tty_parse_modes(s->ttyfd, &n_bytes);
    16491481 
     
    16541486 
    16551487        /* Set window size from the packet. */
    16561488        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
    1657  
    1658         packet_check_eom();
    1659 @@ -2322,13 +2324,15 @@
    1660  
    1661         /* Record that the user has logged out. */
     1489@@ -2352,9 +2354,11 @@ session_pty_cleanup2(Session *s)
    16621490        if (s->pid != 0)
    16631491                record_logout(s->pid, s->tty, s->pw->pw_name);
    16641492 
     
    16701498 
    16711499        /*
    16721500         * Close the server side of the socket pairs.  We must do this after
    1673          * the pty cleanup, so that another process doesn't get this pty
    1674          * while we're still cleaning up.
    1675 diff --git a/ssh-add.0 b/ssh-add.0
    1676 --- a/ssh-add.0
    1677 +++ b/ssh-add.0
    1678 @@ -2,11 +2,11 @@
    1679  
    1680  NAME
     1501Only in openssh-6.5p1.patched: session.c.orig
     1502diff -urp openssh-6.5p1/ssh-add.0 openssh-6.5p1.patched/ssh-add.0
     1503--- openssh-6.5p1/ssh-add.0     2014-01-29 17:52:47.000000000 -0800
     1504+++ openssh-6.5p1.patched/ssh-add.0     2014-02-15 16:25:56.000000000 -0800
     1505@@ -4,7 +4,7 @@ NAME
    16811506      ssh-add - adds private key identities to the authentication agent
    16821507 
    16831508 SYNOPSIS
     
    16861511      ssh-add -s pkcs11
    16871512      ssh-add -e pkcs11
    16881513 
    1689  DESCRIPTION
    1690       ssh-add adds private key identities to the authentication agent,
    1691 @@ -53,10 +53,17 @@
    1692               represented by the agent.
    1693  
     1514@@ -55,6 +55,13 @@ DESCRIPTION
    16941515      -l      Lists fingerprints of all identities currently represented by the
    16951516              agent.
    16961517 
     
    17041525      -s pkcs11
    17051526              Add keys provided by the PKCS#11 shared library pkcs11.
    17061527 
    1707       -t life
    1708               Set a maximum lifetime when adding identities to an agent.  The
    1709 diff --git a/ssh-add.1 b/ssh-add.1
    1710 --- a/ssh-add.1
    1711 +++ b/ssh-add.1
    1712 @@ -41,11 +41,11 @@
    1713  .Sh NAME
    1714  .Nm ssh-add
     1528diff -urp openssh-6.5p1/ssh-add.1 openssh-6.5p1.patched/ssh-add.1
     1529--- openssh-6.5p1/ssh-add.1     2013-12-17 22:46:28.000000000 -0800
     1530+++ openssh-6.5p1.patched/ssh-add.1     2014-02-15 16:25:56.000000000 -0800
     1531@@ -43,7 +43,7 @@
    17151532 .Nd adds private key identities to the authentication agent
    17161533 .Sh SYNOPSIS
    17171534 .Nm ssh-add
     
    17201537 .Op Fl t Ar life
    17211538 .Op Ar
    17221539 .Nm ssh-add
    1723  .Fl s Ar pkcs11
    1724  .Nm ssh-add
    1725 @@ -116,10 +116,17 @@
    1726  .It Fl L
    1727  Lists public key parameters of all identities currently represented
     1540@@ -119,6 +119,13 @@ Lists public key parameters of all ident
    17281541 by the agent.
    17291542 .It Fl l
    17301543 Lists fingerprints of all identities currently represented by the agent.
     
    17381551 .It Fl s Ar pkcs11
    17391552 Add keys provided by the PKCS#11 shared library
    17401553 .Ar pkcs11 .
    1741  .It Fl t Ar life
    1742  Set a maximum lifetime when adding identities to an agent.
    1743 diff --git a/ssh-add.c b/ssh-add.c
    1744 --- a/ssh-add.c
    1745 +++ b/ssh-add.c
    1746 @@ -60,10 +60,11 @@
    1747  #include "buffer.h"
    1748  #include "authfd.h"
     1554Only in openssh-6.5p1.patched: ssh-add.1.orig
     1555diff -urp openssh-6.5p1/ssh-add.c openssh-6.5p1.patched/ssh-add.c
     1556--- openssh-6.5p1/ssh-add.c     2013-12-28 22:44:07.000000000 -0800
     1557+++ openssh-6.5p1.patched/ssh-add.c     2014-02-15 16:25:56.000000000 -0800
     1558@@ -62,6 +62,7 @@
    17491559 #include "authfile.h"
    17501560 #include "pathnames.h"
    17511561 #include "misc.h"
     
    17531563 
    17541564 /* argv0 */
    17551565 extern char *__progname;
    1756  
    1757  /* Default files to add */
    1758 @@ -94,16 +95,28 @@
    1759                 pass = NULL;
    1760         }
     1566@@ -97,12 +98,24 @@ clear_pass(void)
    17611567 }
    17621568 
    17631569 static int
     
    17831589        public = key_load_public(filename, &comment);
    17841590        if (public == NULL) {
    17851591                printf("Bad key file %s\n", filename);
    1786                 return -1;
    1787         }
    1788 @@ -162,11 +175,11 @@
    1789  
    1790         return ret;
     1592@@ -165,7 +178,7 @@ delete_all(AuthenticationConnection *ac)
    17911593 }
    17921594 
    17931595 static int
     
    17961598 {
    17971599        Key *private, *cert;
    17981600        char *comment = NULL;
    1799         char msg[1024], *certpath = NULL;
    1800         int fd, perms_ok, ret = -1;
    1801 @@ -199,15 +212,20 @@
    1802         }
    1803         close(fd);
     1601@@ -202,11 +215,16 @@ add_file(AuthenticationConnection *ac, c
    18041602 
    18051603        /* At first, try empty passphrase */
    18061604        private = key_parse_private(&keyblob, filename, "", &comment);
     
    18181616        if (private == NULL) {
    18191617                /* clear passphrase since it did not work */
    18201618                clear_pass();
    1821                 snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
    1822                     comment);
    1823 @@ -219,12 +237,15 @@
    1824                                 buffer_free(&keyblob);
    1825                                 return -1;
     1619@@ -222,8 +240,11 @@ add_file(AuthenticationConnection *ac, c
    18261620                        }
    18271621                        private = key_parse_private(&keyblob, filename, pass,
    18281622                            &comment);
     
    18351629                        clear_pass();
    18361630                        snprintf(msg, sizeof msg,
    18371631                            "Bad passphrase, try again for %.200s: ", comment);
    1838                 }
    1839         }
    1840 @@ -374,17 +395,17 @@
    1841         free(p1);
    1842         return (ret);
     1632@@ -380,13 +401,13 @@ lock_agent(AuthenticationConnection *ac,
    18431633 }
    18441634 
    18451635 static int
     
    18561646                        return -1;
    18571647        }
    18581648        return 0;
    1859  }
    1860  
    1861 @@ -402,20 +423,26 @@
    1862         fprintf(stderr, "  -D          Delete all identities.\n");
    1863         fprintf(stderr, "  -x          Lock agent.\n");
     1649@@ -408,6 +429,11 @@ usage(void)
    18641650        fprintf(stderr, "  -X          Unlock agent.\n");
    18651651        fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
    18661652        fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
     
    18721658 }
    18731659 
    18741660 int
    1875  main(int argc, char **argv)
    1876  {
    1877         extern char *optarg;
    1878         extern int optind;
     1661@@ -418,6 +444,7 @@ main(int argc, char **argv)
    18791662        AuthenticationConnection *ac = NULL;
    18801663        char *pkcs11provider = NULL;
    18811664        int i, ch, deleting = 0, ret = 0, key_only = 0;
     
    18831666 
    18841667        /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
    18851668        sanitise_stdfd();
    1886  
    1887         __progname = ssh_get_progname(argv[0]);
    1888 @@ -428,11 +455,11 @@
    1889         if (ac == NULL) {
    1890                 fprintf(stderr,
     1669@@ -434,7 +461,7 @@ main(int argc, char **argv)
    18911670                    "Could not open a connection to your authentication agent.\n");
    18921671                exit(2);
    18931672        }
     
    18961675                switch (ch) {
    18971676                case 'k':
    18981677                        key_only = 1;
    1899                         break;
    1900                 case 'l':
    1901 @@ -467,10 +494,17 @@
    1902                                 fprintf(stderr, "Invalid lifetime\n");
    1903                                 ret = 1;
     1678@@ -473,6 +500,13 @@ main(int argc, char **argv)
    19041679                                goto done;
    19051680                        }
    19061681                        break;
     
    19141689                default:
    19151690                        usage();
    19161691                        ret = 1;
    1917                         goto done;
    1918                 }
    1919 @@ -498,20 +532,20 @@
    1920                 for (i = 0; default_files[i]; i++) {
    1921                         snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
     1692@@ -504,7 +538,7 @@ main(int argc, char **argv)
    19221693                            default_files[i]);
    19231694                        if (stat(buf, &st) < 0)
    19241695                                continue;
     
    19271698                                ret = 1;
    19281699                        else
    19291700                                count++;
    1930                 }
    1931                 if (count == 0)
     1701@@ -513,7 +547,7 @@ main(int argc, char **argv)
    19321702                        ret = 1;
    19331703        } else {
    19341704                for (i = 0; i < argc; i++) {
     
    19371707                                ret = 1;
    19381708                }
    19391709        }
    1940         clear_pass();
    1941  
    1942 diff --git a/ssh-agent.c b/ssh-agent.c
    1943 --- a/ssh-agent.c
    1944 +++ b/ssh-agent.c
    1945 @@ -63,20 +63,25 @@
    1946  #include <stdio.h>
    1947  #include <stdlib.h>
     1710Only in openssh-6.5p1.patched: ssh-add.c.orig
     1711diff -urp openssh-6.5p1/ssh-agent.c openssh-6.5p1.patched/ssh-agent.c
     1712--- openssh-6.5p1/ssh-agent.c   2013-12-28 22:45:52.000000000 -0800
     1713+++ openssh-6.5p1.patched/ssh-agent.c   2014-02-15 16:25:56.000000000 -0800
     1714@@ -65,6 +65,9 @@
    19481715 #include <time.h>
    19491716 #include <string.h>
    19501717 #include <unistd.h>
     
    19541721 
    19551722 #include "xmalloc.h"
    19561723 #include "ssh.h"
    1957  #include "rsa.h"
     1724@@ -72,9 +75,11 @@
    19581725 #include "buffer.h"
    19591726 #include "key.h"
    19601727 #include "authfd.h"
     
    19661733 
    19671734 #ifdef ENABLE_PKCS11
    19681735 #include "ssh-pkcs11.h"
    1969  #endif
    1970  
    1971 @@ -788,10 +793,65 @@
    1972         buffer_put_char(&e->output,
    1973             success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
     1736@@ -682,6 +687,61 @@ process_remove_smartcard_key(SocketEntry
    19741737 }
    19751738 #endif /* ENABLE_PKCS11 */
    19761739 
     
    20321795 /* dispatch incoming messages */
    20331796 
    20341797 static void
    2035  process_message(SocketEntry *e)
    2036  {
    2037 @@ -880,10 +940,13 @@
    2038                 break;
    2039         case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
     1798@@ -774,6 +834,9 @@ process_message(SocketEntry *e)
    20401799                process_remove_smartcard_key(e);
    20411800                break;
    20421801 #endif /* ENABLE_PKCS11 */
     
    20461805        default:
    20471806                /* Unknown message.  Respond with failure. */
    20481807                error("Unknown message %d", type);
    2049                 buffer_clear(&e->request);
    2050                 buffer_put_int(&e->output, 1);
    2051 @@ -1120,11 +1183,15 @@
    2052  }
    2053  
     1808@@ -1014,7 +1077,11 @@ usage(void)
    20541809 int
    20551810 main(int ac, char **av)
    20561811 {
     
    20621817        int sock, fd, ch, result, saved_errno;
    20631818        u_int nalloc;
    20641819        char *shell, *format, *pidstr, *agentsocket = NULL;
    2065         fd_set *readsetp = NULL, *writesetp = NULL;
    2066         struct sockaddr_un sunaddr;
    2067 @@ -1154,20 +1221,29 @@
    2068         OpenSSL_add_all_algorithms();
    2069  
     1820@@ -1048,7 +1115,11 @@ main(int ac, char **av)
    20701821        __progname = ssh_get_progname(av[0]);
    20711822        seed_rng();
    20721823 
     
    20781829                switch (ch) {
    20791830                case 'c':
    20801831                        if (s_flag)
    2081                                 usage();
    2082                         c_flag++;
    2083                         break;
     1832@@ -1058,6 +1129,11 @@ main(int ac, char **av)
    20841833                case 'k':
    20851834                        k_flag++;
    20861835                        break;
     
    20921841                case 's':
    20931842                        if (c_flag)
    20941843                                usage();
    2095                         s_flag++;
    2096                         break;
    2097 @@ -1190,11 +1266,15 @@
    2098                 }
    2099         }
     1844@@ -1084,7 +1160,11 @@ main(int ac, char **av)
    21001845        ac -= optind;
    21011846        av += optind;
    21021847 
     
    21081853                usage();
    21091854 
    21101855        if (ac == 0 && !c_flag && !s_flag) {
    2111                 shell = getenv("SHELL");
    2112                 if (shell != NULL && (len = strlen(shell)) > 2 &&
    2113 @@ -1246,10 +1326,57 @@
    2114  
    2115         /*
     1856@@ -1140,6 +1220,53 @@ main(int ac, char **av)
    21161857         * Create socket early so it will exist before command gets run from
    21171858         * the parent.
    21181859         */
     
    21661907        sock = socket(AF_UNIX, SOCK_STREAM, 0);
    21671908        if (sock < 0) {
    21681909                perror("socket");
    2169                 *socket_name = '\0'; /* Don't unlink any existing file */
    2170                 cleanup_exit(1);
    2171 @@ -1267,10 +1394,18 @@
    2172         umask(prev_mask);
    2173         if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
     1910@@ -1161,6 +1288,14 @@ main(int ac, char **av)
    21741911                perror("listen");
    21751912                cleanup_exit(1);
    21761913        }
     
    21851922 
    21861923        /*
    21871924         * Fork, and have the parent execute the command, if any, or present
    2188          * the socket data.  The child continues as the authentication agent.
    2189          */
    2190 @@ -1339,19 +1474,24 @@
    2191  
    2192  #ifdef ENABLE_PKCS11
     1925@@ -1233,6 +1368,7 @@ skip:
    21931926        pkcs11_init(0);
    21941927 #endif
    21951928        new_socket(AUTH_SOCKET, sock);
     
    21971930        if (ac > 0)
    21981931                parent_alive_interval = 10;
    21991932        idtab_init();
    2200         signal(SIGPIPE, SIG_IGN);
    2201         signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
    2202         signal(SIGHUP, cleanup_handler);
     1933@@ -1242,6 +1378,10 @@ skip:
    22031934        signal(SIGTERM, cleanup_handler);
    22041935        nalloc = 0;
    22051936 
     
    22101941        while (1) {
    22111942                prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
    22121943                result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
    2213                 saved_errno = errno;
    2214                 if (parent_alive_interval != 0)
    2215 diff --git a/ssh-keysign.8 b/ssh-keysign.8
    2216 --- a/ssh-keysign.8
    2217 +++ b/ssh-keysign.8
    2218 @@ -69,10 +69,13 @@
    2219  They should be owned by root, readable only by root, and not
    2220  accessible to others.
     1944Only in openssh-6.5p1.patched: ssh-agent.c.orig
     1945diff -urp openssh-6.5p1/ssh-keysign.8 openssh-6.5p1.patched/ssh-keysign.8
     1946--- openssh-6.5p1/ssh-keysign.8 2013-12-17 22:46:28.000000000 -0800
     1947+++ openssh-6.5p1.patched/ssh-keysign.8 2014-02-15 16:25:56.000000000 -0800
     1948@@ -72,6 +72,9 @@ accessible to others.
    22211949 Since they are readable only by root,
    22221950 .Nm
    22231951 must be set-uid root if host-based authentication is used.
     
    22271955 .Pp
    22281956 .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
    22291957 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
    2230  .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
    2231  If these files exist they are assumed to contain public certificate
    2232 diff --git a/sshconnect1.c b/sshconnect1.c
    2233 --- a/sshconnect1.c
    2234 +++ b/sshconnect1.c
    2235 @@ -45,10 +45,11 @@
    2236  #include "authfile.h"
    2237  #include "misc.h"
     1958Only in openssh-6.5p1.patched: ssh-keysign.8.orig
     1959diff -urp openssh-6.5p1/sshconnect1.c openssh-6.5p1.patched/sshconnect1.c
     1960--- openssh-6.5p1/sshconnect1.c 2013-10-25 16:05:47.000000000 -0700
     1961+++ openssh-6.5p1.patched/sshconnect1.c 2014-02-15 16:25:56.000000000 -0800
     1962@@ -47,6 +47,7 @@
    22381963 #include "canohost.h"
    22391964 #include "hostfile.h"
    22401965 #include "auth.h"
     
    22421967 
    22431968 /* Session id for the current session. */
    22441969 u_char session_id[16];
    2245  u_int supported_authentications = 0;
    2246  
    2247 @@ -258,10 +259,14 @@
    2248                     &perm_ok);
    2249         if (private == NULL && !options.batch_mode && perm_ok) {
     1970@@ -260,6 +261,10 @@ try_rsa_authentication(int idx)
    22501971                snprintf(buf, sizeof(buf),
    22511972                    "Enter passphrase for RSA key '%.100s': ", comment);
    22521973                for (i = 0; i < options.number_of_password_prompts; i++) {
     
    22571978                        passphrase = read_passphrase(buf, 0);
    22581979                        if (strcmp(passphrase, "") != 0) {
    22591980                                private = key_load_private_type(KEY_RSA1,
    2260                                     authfile, passphrase, NULL, NULL);
    2261                                 quit = 0;
    2262 diff --git a/sshconnect2.c b/sshconnect2.c
    2263 --- a/sshconnect2.c
    2264 +++ b/sshconnect2.c
    2265 @@ -70,10 +70,11 @@
    2266  #include "pathnames.h"
    2267  #include "uidswap.h"
     1981diff -urp openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
     1982--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
     1983+++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:25:56.000000000 -0800
     1984@@ -72,6 +72,7 @@
    22681985 #include "hostfile.h"
    22691986 #include "schnorr.h"
    22701987 #include "jpake.h"
     
    22721989 
    22731990 #ifdef GSSAPI
    22741991 #include "ssh-gss.h"
    2275  #endif
    2276  
    2277 @@ -1331,10 +1332,14 @@
    2278                 if (options.batch_mode)
    2279                         return NULL;
     1992@@ -1335,6 +1336,10 @@ load_identity_file(char *filename, int u
    22801993                snprintf(prompt, sizeof prompt,
    22811994                    "Enter passphrase for key '%.100s': ", filename);
    22821995                for (i = 0; i < options.number_of_password_prompts; i++) {
     
    22872000                        passphrase = read_passphrase(prompt, 0);
    22882001                        if (strcmp(passphrase, "") != 0) {
    22892002                                private = key_load_private_type(KEY_UNSPEC,
    2290                                     filename, passphrase, NULL, NULL);
    2291                                 quit = 0;
    2292 diff --git a/sshd.0 b/sshd.0
    2293 --- a/sshd.0
    2294 +++ b/sshd.0
    2295 @@ -620,12 +620,12 @@
    2296               The content of this file is not sensitive; it can be world-
    2297               readable.
     2003Only in openssh-6.5p1.patched: sshconnect2.c.orig
     2004diff -urp openssh-6.5p1/sshd.0 openssh-6.5p1.patched/sshd.0
     2005--- openssh-6.5p1/sshd.0        2014-01-29 17:52:47.000000000 -0800
     2006+++ openssh-6.5p1.patched/sshd.0        2014-02-15 16:25:56.000000000 -0800
     2007@@ -625,8 +625,8 @@ FILES
    22982008 
    22992009 SEE ALSO
    23002010      scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
     
    23052015 
    23062016 AUTHORS
    23072017      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
    2308       Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
    2309       de Raadt and Dug Song removed many bugs, re-added newer features and
    2310 diff --git a/sshd.8 b/sshd.8
    2311 --- a/sshd.8
    2312 +++ b/sshd.8
    2313 @@ -954,14 +954,11 @@
    2314  .Xr ssh-agent 1 ,
    2315  .Xr ssh-keygen 1 ,
     2018Only in openssh-6.5p1.patched: sshd.0.orig
     2019diff -urp openssh-6.5p1/sshd.8 openssh-6.5p1.patched/sshd.8
     2020--- openssh-6.5p1/sshd.8        2013-12-17 22:46:28.000000000 -0800
     2021+++ openssh-6.5p1.patched/sshd.8        2014-02-15 16:25:56.000000000 -0800
     2022@@ -961,10 +961,7 @@ The content of this file is not sensitiv
    23162023 .Xr ssh-keyscan 1 ,
    23172024 .Xr chroot 2 ,
    23182025 .Xr hosts_access 5 ,
     
    23232030 .Xr sftp-server 8
    23242031 .Sh AUTHORS
    23252032 OpenSSH is a derivative of the original and free
    2326  ssh 1.2.12 release by Tatu Ylonen.
    2327  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
    2328 diff --git a/sshd.c b/sshd.c
    2329 --- a/sshd.c
    2330 +++ b/sshd.c
    2331 @@ -2106,23 +2106,23 @@
    2332  
    2333  #ifdef SSH_AUDIT_EVENTS
     2033Only in openssh-6.5p1.patched: sshd.8.orig
     2034diff -urp openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
     2035--- openssh-6.5p1/sshd.c        2014-01-27 20:08:13.000000000 -0800
     2036+++ openssh-6.5p1.patched/sshd.c        2014-02-15 16:25:56.000000000 -0800
     2037@@ -2124,6 +2124,12 @@ main(int ac, char **av)
    23342038        audit_event(SSH_AUTH_SUCCESS);
    23352039 #endif
    23362040 
     
    23432047 #ifdef GSSAPI
    23442048        if (options.gss_authentication) {
    23452049                temporarily_use_uid(authctxt->pw);
    2346                 ssh_gssapi_storecreds();
     2050@@ -2131,12 +2137,6 @@ main(int ac, char **av)
    23472051                restore_uid();
    23482052        }
    23492053 #endif
     
    23562060 
    23572061        /*
    23582062         * In privilege separation, we fork another child and prepare
    2359          * file descriptor passing.
    2360          */
    2361 diff --git a/sshd_config b/sshd_config
    2362 --- a/sshd_config
    2363 +++ b/sshd_config
    2364 @@ -32,11 +32,11 @@
    2365  # Ciphers and keying
    2366  #RekeyLimit default none
     2063Only in openssh-6.5p1.patched: sshd.c.orig
     2064diff -urp openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
     2065--- openssh-6.5p1/sshd_config   2014-01-12 00:20:47.000000000 -0800
     2066+++ openssh-6.5p1.patched/sshd_config   2014-02-15 16:25:56.000000000 -0800
     2067@@ -35,7 +35,7 @@
    23672068 
    23682069 # Logging
    23692070 # obsoletes QuietMode and FascistLogging
     
    23722073 #LogLevel INFO
    23732074 
    23742075 # Authentication:
    2375  
    2376  #LoginGraceTime 2m
    2377 @@ -65,12 +65,13 @@
    2378  # RhostsRSAAuthentication and HostbasedAuthentication
    2379  #IgnoreUserKnownHosts no
     2076@@ -68,8 +68,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
    23802077 # Don't read the user's ~/.rhosts and ~/.shosts files
    23812078 #IgnoreRhosts yes
    23822079 
     
    23882085 #PermitEmptyPasswords no
    23892086 
    23902087 # Change to no to disable s/key passwords
    2391  #ChallengeResponseAuthentication yes
    2392  
    2393 @@ -91,11 +92,14 @@
    2394  # PAM authentication via ChallengeResponseAuthentication may bypass
    2395  # the setting of "PermitRootLogin without-password".
     2088@@ -94,7 +95,10 @@ AuthorizedKeysFile   .ssh/authorized_keys
    23962089 # If you just want the PAM account and session checks to run without
    23972090 # PAM authentication, then enable this but set PasswordAuthentication
    23982091 # and ChallengeResponseAuthentication to 'no'.
     
    24042097 
    24052098 #AllowAgentForwarding yes
    24062099 #AllowTcpForwarding yes
    2407  #GatewayPorts no
    2408  #X11Forwarding no
    2409 diff --git a/sshd_config.0 b/sshd_config.0
    2410 --- a/sshd_config.0
    2411 +++ b/sshd_config.0
    2412 @@ -505,11 +505,11 @@
    2413               increases linearly and all connection attempts are refused if the
    2414               number of unauthenticated connections reaches ``full'' (60).
     2100diff -urp openssh-6.5p1/sshd_config.0 openssh-6.5p1.patched/sshd_config.0
     2101--- openssh-6.5p1/sshd_config.0 2014-01-29 17:52:48.000000000 -0800
     2102+++ openssh-6.5p1.patched/sshd_config.0 2014-02-15 16:25:56.000000000 -0800
     2103@@ -517,7 +517,7 @@ DESCRIPTION
    24152104 
    24162105      PasswordAuthentication
    24172106              Specifies whether password authentication is allowed.  The
     
    24202109 
    24212110      PermitEmptyPasswords
    24222111              When password authentication is allowed, it specifies whether the
    2423               server allows login to accounts with empty password strings.  The
    2424               default is ``no''.
    2425 @@ -707,11 +707,11 @@
    2426               Because PAM challenge-response authentication usually serves an
    2427               equivalent role to password authentication, you should disable
     2112@@ -723,7 +723,7 @@ DESCRIPTION
    24282113              either PasswordAuthentication or ChallengeResponseAuthentication.
    24292114 
    24302115              If UsePAM is enabled, you will not be able to run sshd(8) as a
     
    24332118 
    24342119      UsePrivilegeSeparation
    24352120              Specifies whether sshd(8) separates privileges by creating an
    2436               unprivileged child process to deal with incoming network traffic.
    2437               After successful authentication, another process will be created
    2438 diff --git a/sshd_config.5 b/sshd_config.5
    2439 --- a/sshd_config.5
    2440 +++ b/sshd_config.5
    2441 @@ -854,11 +854,11 @@
    2442  .Dq full
    2443  (60).
     2121Only in openssh-6.5p1.patched: sshd_config.0.orig
     2122diff -urp openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
     2123--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
     2124+++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:25:56.000000000 -0800
     2125@@ -871,7 +871,7 @@ are refused if the number of unauthentic
    24442126 .It Cm PasswordAuthentication
    24452127 Specifies whether password authentication is allowed.
    24462128 The default is
     
    24492131 .It Cm PermitEmptyPasswords
    24502132 When password authentication is allowed, it specifies whether the
    24512133 server allows login to accounts with empty password strings.
    2452  The default is
    2453  .Dq no .
    2454 @@ -1181,11 +1181,11 @@
    2455  .Cm UsePAM
    2456  is enabled, you will not be able to run
     2134@@ -1204,7 +1204,7 @@ is enabled, you will not be able to run
    24572135 .Xr sshd 8
    24582136 as a non-root user.
    24592137 The default is
     
    24622140 .It Cm UsePrivilegeSeparation
    24632141 Specifies whether
    24642142 .Xr sshd 8
    2465  separates privileges by creating an unprivileged child process
    2466  to deal with incoming network traffic.
     2143Only in openssh-6.5p1.patched: sshd_config.5.orig
     2144Only in openssh-6.5p1.patched: sshd_config.orig