Ticket #42523: openssh-6.3p1-gsskex-all-20130920.patch.diff

File openssh-6.3p1-gsskex-all-20130920.patch.diff, 46.6 KB (added by arthurmesh@…, 11 years ago)
  • openssh-6.3p1-gsskex-all-20130920.patch

    old new  
    1 diff --speed-large-files --minimal -Nru openssh-5.8p1/ChangeLog.gssapi openssh-5.8p1.new/ChangeLog.gssapi
    2 --- openssh-5.8p1/ChangeLog.gssapi      1970-01-01 01:00:00.000000000 +0100
    3 +++ openssh-5.8p1.new/ChangeLog.gssapi  2011-02-12 18:07:10.948345760 +0100
     1diff -Nrup openssh-6.5p1/ChangeLog.gssapi openssh-6.5p1.patched/ChangeLog.gssapi
     2--- openssh-6.5p1/ChangeLog.gssapi      1969-12-31 16:00:00.000000000 -0800
     3+++ openssh-6.5p1.patched/ChangeLog.gssapi      2014-02-15 16:50:46.000000000 -0800
    44@@ -0,0 +1,113 @@
    55+20110101
    66+  - Finally update for OpenSSH 5.6p1
     
    115115+    add support for GssapiTrustDns option for gssapi-with-mic
    116116+    (from jbasney AT ncsa.uiuc.edu)
    117117+    <gssapi-with-mic support is Bugzilla #1008>
    118 diff --speed-large-files --minimal -Nru openssh-5.8p1/Makefile.in openssh-5.8p1.new/Makefile.in
    119 --- openssh-5.8p1/Makefile.in   2011-02-04 01:42:13.000000000 +0100
    120 +++ openssh-5.8p1.new/Makefile.in       2011-02-12 18:07:10.990611445 +0100
    121 @@ -75,6 +75,7 @@
     118diff -Nrup openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
     119--- openssh-6.5p1/Makefile.in   2014-01-26 22:35:04.000000000 -0800
     120+++ openssh-6.5p1.patched/Makefile.in   2014-02-15 16:51:24.000000000 -0800
     121@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
    122122        atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
    123123        monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
    124124        kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
    125125+       kexgssc.o \
    126126        msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
    127         jpake.o schnorr.o ssh-pkcs11.o kr1.o
    128  
    129 @@ -91,7 +92,7 @@
     127        jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
     128        kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
     129@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
    130130        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
    131131        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
    132         auth-krb5.o \
     132        kexc25519s.o auth-krb5.o \
    133133-       auth2-gss.o gss-serv.o gss-serv-krb5.o \
    134 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
     134+       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
    135135        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
    136136        sftp-server.o sftp-common.o \
    137         roaming_common.o roaming_serv.o
    138 diff --speed-large-files --minimal -Nru openssh-5.8p1/auth-krb5.c openssh-5.8p1.new/auth-krb5.c
    139 --- openssh-5.8p1/auth-krb5.c   2009-12-21 00:49:22.000000000 +0100
    140 +++ openssh-5.8p1.new/auth-krb5.c       2011-02-12 18:07:11.002529804 +0100
    141 @@ -170,8 +170,13 @@
     137        roaming_common.o roaming_serv.o \
     138diff -Nrup openssh-6.5p1/auth-krb5.c openssh-6.5p1.patched/auth-krb5.c
     139--- openssh-6.5p1/auth-krb5.c   2013-10-23 16:53:02.000000000 -0700
     140+++ openssh-6.5p1.patched/auth-krb5.c   2014-02-15 16:50:46.000000000 -0800
     141@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
    142142 
    143143        len = strlen(authctxt->krb5_ticket_file) + 6;
    144144        authctxt->krb5_ccname = xmalloc(len);
     
    152152 
    153153 #ifdef USE_PAM
    154154        if (options.use_pam)
    155 @@ -226,15 +231,22 @@
     155@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
    156156 #ifndef HEIMDAL
    157157 krb5_error_code
    158158 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
     
    177177        old_umask = umask(0177);
    178178        tmpfd = mkstemp(ccname + strlen("FILE:"));
    179179        oerrno = errno;
    180 @@ -249,6 +261,7 @@
     180@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
    181181                return oerrno;
    182182        }
    183183        close(tmpfd);
     
    185185 
    186186        return (krb5_cc_resolve(ctx, ccname, ccache));
    187187 }
    188 diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2-gss.c openssh-5.8p1.new/auth2-gss.c
    189 --- openssh-5.8p1/auth2-gss.c   2007-12-02 12:59:45.000000000 +0100
    190 +++ openssh-5.8p1.new/auth2-gss.c       2011-02-12 18:07:11.030761708 +0100
     188diff -Nrup openssh-6.5p1/auth2-gss.c openssh-6.5p1.patched/auth2-gss.c
     189--- openssh-6.5p1/auth2-gss.c   2013-06-01 14:31:18.000000000 -0700
     190+++ openssh-6.5p1.patched/auth2-gss.c   2014-02-15 16:50:46.000000000 -0800
    191191@@ -1,7 +1,7 @@
    192  /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
     192 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
    193193 
    194194 /*
    195195- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
     
    197197  *
    198198  * Redistribution and use in source and binary forms, with or without
    199199  * modification, are permitted provided that the following conditions
    200 @@ -52,6 +52,40 @@
     200@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
    201201 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
    202202 static void input_gssapi_errtok(int, u_int32_t, void *);
    203203 
     
    238238 /*
    239239  * We only support those mechanisms that we know about (ie ones that we know
    240240  * how to check local user kuserok and the like)
    241 @@ -242,7 +278,8 @@
     241@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type,
    242242 
    243243        packet_check_eom();
    244244 
     
    248248 
    249249        authctxt->postponed = 0;
    250250        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
    251 @@ -277,7 +314,8 @@
     251@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t ple
    252252        gssbuf.length = buffer_len(&b);
    253253 
    254254        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
     
    258258        else
    259259                logit("GSSAPI MIC check failed");
    260260 
    261 @@ -292,6 +330,12 @@
    262         userauth_finish(authctxt, authenticated, "gssapi-with-mic");
     261@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t ple
     262        userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
    263263 }
    264264 
    265265+Authmethod method_gsskeyex = {
     
    271271 Authmethod method_gssapi = {
    272272        "gssapi-with-mic",
    273273        userauth_gssapi,
    274 diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2.c openssh-5.8p1.new/auth2.c
    275 --- openssh-5.8p1/auth2.c       2010-08-31 14:36:39.000000000 +0200
    276 +++ openssh-5.8p1.new/auth2.c   2011-02-12 18:07:11.043418162 +0100
    277 @@ -69,6 +69,7 @@
     274diff -Nrup openssh-6.5p1/auth2.c openssh-6.5p1.patched/auth2.c
     275--- openssh-6.5p1/auth2.c       2013-06-01 14:41:51.000000000 -0700
     276+++ openssh-6.5p1.patched/auth2.c       2014-02-15 16:50:46.000000000 -0800
     277@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
    278278 extern Authmethod method_kbdint;
    279279 extern Authmethod method_hostbased;
    280280 #ifdef GSSAPI
     
    282282 extern Authmethod method_gssapi;
    283283 #endif
    284284 #ifdef JPAKE
    285 @@ -79,6 +80,7 @@
     285@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
    286286        &method_none,
    287287        &method_pubkey,
    288288 #ifdef GSSAPI
     
    290290        &method_gssapi,
    291291 #endif
    292292 #ifdef JPAKE
    293 diff --speed-large-files --minimal -Nru openssh-5.8p1/clientloop.c openssh-5.8p1.new/clientloop.c
    294 --- openssh-5.8p1/clientloop.c  2011-01-16 13:18:35.000000000 +0100
    295 +++ openssh-5.8p1.new/clientloop.c      2011-02-12 18:07:11.063578136 +0100
     293diff -Nrup openssh-6.5p1/clientloop.c openssh-6.5p1.patched/clientloop.c
     294--- openssh-6.5p1/clientloop.c  2013-11-20 18:57:15.000000000 -0800
     295+++ openssh-6.5p1.patched/clientloop.c  2014-02-15 16:50:46.000000000 -0800
    296296@@ -111,6 +111,10 @@
    297297 #include "msg.h"
    298298 #include "roaming.h"
     
    304304 /* import options */
    305305 extern Options options;
    306306 
    307 @@ -1483,6 +1487,15 @@
     307@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha
    308308                /* Do channel operations unless rekeying in progress. */
    309309                if (!rekeying) {
    310310                        channel_after_select(readset, writeset);
     
    320320                        if (need_rekeying || packet_need_rekeying()) {
    321321                                debug("need rekeying");
    322322                                xxx_kex->done = 0;
    323 diff --speed-large-files --minimal -Nru openssh-5.8p1/configure.ac openssh-5.8p1.new/configure.ac
    324 --- openssh-5.8p1/configure.ac  2011-02-04 01:42:14.000000000 +0100
    325 +++ openssh-5.8p1.new/configure.ac      2011-02-12 18:07:11.092748915 +0100
    326 @@ -514,6 +514,30 @@
     323diff -Nrup openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
     324--- openssh-6.5p1/configure.ac  2014-01-29 16:26:46.000000000 -0800
     325+++ openssh-6.5p1.patched/configure.ac  2014-02-15 16:50:46.000000000 -0800
     326@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("
    327327            [Use tunnel device compatibility to OpenBSD])
    328328        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
    329329            [Prepend the address family to IP tunnel traffic])
     
    353353+       )
    354354        m4_pattern_allow([AU_IPv])
    355355        AC_CHECK_DECL([AU_IPv4], [],
    356             AC_DEFINE([AU_IPv4], 0, [System only supports IPv4 audit records])
    357 diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-genr.c openssh-5.8p1.new/gss-genr.c
    358 --- openssh-5.8p1/gss-genr.c    2009-06-22 08:11:07.000000000 +0200
    359 +++ openssh-5.8p1.new/gss-genr.c        2011-02-12 18:07:11.108432434 +0100
     356            AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
     357diff -Nrup openssh-6.5p1/gss-genr.c openssh-6.5p1.patched/gss-genr.c
     358--- openssh-6.5p1/gss-genr.c    2013-11-07 17:19:57.000000000 -0800
     359+++ openssh-6.5p1.patched/gss-genr.c    2014-02-15 17:23:28.000000000 -0800
    360360@@ -1,7 +1,7 @@
    361  /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
     361 /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
    362362 
    363363 /*
    364364- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
     
    534534 /* Check that the OID in a data stream matches that in the context */
    535535 int
    536536 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
    537 @@ -197,7 +352,7 @@
     537@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
    538538        }
    539539 
    540540        ctx->major = gss_init_sec_context(&ctx->minor,
     
    543543            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
    544544            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
    545545 
    546 @@ -227,8 +382,42 @@
     546@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
    547547 }
    548548 
    549549 OM_uint32
     
    586586        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
    587587            GSS_C_QOP_DEFAULT, buffer, hash)))
    588588                ssh_gssapi_error(ctx);
    589 @@ -236,6 +425,19 @@
     589@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
    590590        return (ctx->major);
    591591 }
    592592 
     
    606606 void
    607607 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    608608     const char *context)
    609 @@ -249,11 +451,16 @@
     609@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
    610610 }
    611611 
    612612 int
     
    624624 
    625625        /* RFC 4462 says we MUST NOT do SPNEGO */
    626626        if (oid->length == spnego_oid.length &&
    627 @@ -263,6 +470,10 @@
     627@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
    628628        ssh_gssapi_build_ctx(ctx);
    629629        ssh_gssapi_set_oid(*ctx, oid);
    630630        major = ssh_gssapi_import_name(*ctx, host);
     
    635635        if (!GSS_ERROR(major)) {
    636636                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
    637637                    NULL);
    638 @@ -272,10 +483,67 @@
     638@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
    639639                            GSS_C_NO_BUFFER);
    640640        }
    641641 
     
    655655+       static OM_uint32 last_call = 0;
    656656+       OM_uint32 lifetime, now, major, minor;
    657657+       int equal;
    658 +       gss_cred_usage_t usage = GSS_C_INITIATE;
    659 +       
     658+
    660659+       now = time(NULL);
    661660+
    662661+       if (ctxt) {
     
    704703+}
    705704+
    706705 #endif /* GSSAPI */
    707 diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv-krb5.c openssh-5.8p1.new/gss-serv-krb5.c
    708 --- openssh-5.8p1/gss-serv-krb5.c       2006-09-01 07:38:36.000000000 +0200
    709 +++ openssh-5.8p1.new/gss-serv-krb5.c   2011-02-12 18:07:11.123072516 +0100
     706diff -Nrup openssh-6.5p1/gss-serv-krb5.c openssh-6.5p1.patched/gss-serv-krb5.c
     707--- openssh-6.5p1/gss-serv-krb5.c       2014-01-19 18:18:09.000000000 -0800
     708+++ openssh-6.5p1.patched/gss-serv-krb5.c       2014-02-15 16:50:46.000000000 -0800
    710709@@ -1,7 +1,7 @@
    711  /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
     710 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
    712711 
    713712 /*
    714713- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
     
    716715  *
    717716  * Redistribution and use in source and binary forms, with or without
    718717  * modification, are permitted provided that the following conditions
    719 @@ -120,6 +120,7 @@
     718@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
    720719        OM_uint32 maj_status, min_status;
    721720        int len;
    722         const char *errmsg;
     721        const char *errmsg;
    723722+       const char *new_ccname;
    724723 
    725724        if (client->creds == NULL) {
    726725                debug("No credentials stored");
    727 @@ -168,11 +169,16 @@
     726@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
    728727                return;
    729728        }
    730729 
     
    745744 
    746745 #ifdef USE_PAM
    747746        if (options.use_pam)
    748 @@ -184,6 +190,71 @@
     747@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
    749748        return;
    750749 }
    751750 
     
    817816 ssh_gssapi_mech gssapi_kerberos_mech = {
    818817        "toWM5Slw5Ew8Mqkay+al2g==",
    819818        "Kerberos",
    820 @@ -191,7 +262,8 @@
     819@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
    821820        NULL,
    822821        &ssh_gssapi_krb5_userok,
    823822        NULL,
     
    827826 };
    828827 
    829828 #endif /* KRB5 */
    830 diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv.c openssh-5.8p1.new/gss-serv.c
    831 --- openssh-5.8p1/gss-serv.c    2008-05-19 07:05:07.000000000 +0200
    832 +++ openssh-5.8p1.new/gss-serv.c        2011-02-12 18:07:11.135178913 +0100
     829diff -Nrup openssh-6.5p1/gss-serv.c openssh-6.5p1.patched/gss-serv.c
     830--- openssh-6.5p1/gss-serv.c    2013-07-19 20:35:45.000000000 -0700
     831+++ openssh-6.5p1.patched/gss-serv.c    2014-02-15 16:50:46.000000000 -0800
    833832@@ -1,7 +1,7 @@
    834  /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
     833 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
    835834 
    836835 /*
    837836- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
     
    862861 
    863862 #ifdef KRB5
    864863 extern ssh_gssapi_mech gssapi_kerberos_mech;
    865 @@ -81,25 +86,32 @@
     864@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
    866865        char lname[MAXHOSTNAMELEN];
    867866        gss_OID_set oidset;
    868867 
     
    871870+       if (options.gss_strict_acceptor) {
    872871+               gss_create_empty_oid_set(&status, &oidset);
    873872+               gss_add_oid_set_member(&status, ctx->oid, &oidset);
     873+
     874+               if (gethostname(lname, MAXHOSTNAMELEN)) {
     875+                       gss_release_oid_set(&status, &oidset);
     876+                       return (-1);
     877+               }
    874878 
    875879-       if (gethostname(lname, MAXHOSTNAMELEN)) {
    876880-               gss_release_oid_set(&status, &oidset);
    877881-               return (-1);
    878882-       }
    879 +               if (gethostname(lname, MAXHOSTNAMELEN)) {
    880 +                       gss_release_oid_set(&status, &oidset);
    881 +                       return (-1);
    882 +               }
    883 +
    884883+               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
    885884+                       gss_release_oid_set(&status, &oidset);
    886885+                       return (ctx->major);
     
    909908 }
    910909 
    911910 /* Privileged */
    912 @@ -114,6 +126,29 @@
     911@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
    913912 }
    914913 
    915914 /* Unprivileged */
     
    939938 void
    940939 ssh_gssapi_supported_oids(gss_OID_set *oidset)
    941940 {
    942 @@ -123,7 +158,9 @@
     941@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
    943942        gss_OID_set supported;
    944943 
    945944        gss_create_empty_oid_set(&min_status, oidset);
     
    950949 
    951950        while (supported_mechs[i]->name != NULL) {
    952951                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
    953 @@ -247,8 +284,48 @@
     952@@ -249,8 +286,48 @@ OM_uint32
    954953 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
    955954 {
    956955        int i = 0;
    957956+       int equal = 0;
    958957+       gss_name_t new_name = GSS_C_NO_NAME;
    959958+       gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
    960  
    961 -       gss_buffer_desc ename;
     959+
    962960+       if (options.gss_store_rekey && client->used && ctx->client_creds) {
    963961+               if (client->mech->oid.length != ctx->oid->length ||
    964962+                   (memcmp(client->mech->oid.elements,
     
    976974+
    977975+               ctx->major = gss_compare_name(&ctx->minor, client->name,
    978976+                   new_name, &equal);
    979 +
     977 
     978-       gss_buffer_desc ename;
    980979+               if (GSS_ERROR(ctx->major)) {
    981980+                       ssh_gssapi_error(ctx);
    982981+                       return (ctx->major);
     
    1000999 
    10011000        client->mech = NULL;
    10021001 
    1003 @@ -263,6 +340,13 @@
     1002@@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
    10041003        if (client->mech == NULL)
    10051004                return GSS_S_FAILURE;
    10061005 
     
    10141013        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
    10151014            &client->displayname, NULL))) {
    10161015                ssh_gssapi_error(ctx);
    1017 @@ -280,6 +364,8 @@
     1016@@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
    10181017                return (ctx->major);
    10191018        }
    10201019 
     
    10231022        /* We can't copy this structure, so we just move the pointer to it */
    10241023        client->creds = ctx->client_creds;
    10251024        ctx->client_creds = GSS_C_NO_CREDENTIAL;
    1026 @@ -327,7 +413,7 @@
     1025@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int
    10271026 
    10281027 /* Privileged */
    10291028 int
     
    10321031 {
    10331032        OM_uint32 lmin;
    10341033 
    1035 @@ -337,9 +423,11 @@
     1034@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
    10361035                return 0;
    10371036        }
    10381037        if (gssapi_client.mech && gssapi_client.mech->userok)
     
    10461045                        /* Destroy delegated credentials if userok fails */
    10471046                        gss_release_buffer(&lmin, &gssapi_client.displayname);
    10481047                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
    1049 @@ -352,14 +440,90 @@
     1048@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
    10501049        return (0);
    10511050 }
    10521051 
     
    11431142 }
    11441143 
    11451144 #endif
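Review bot: In `ssh_gssapi_acquire_cred`, the `gethostname(lname, MAXHOSTNAMELEN)` call that the patch moves under `options.gss_strict_acceptor` fills a buffer declared as `char lname[MAXHOSTNAMELEN]`, and the result is passed straight to `ssh_gssapi_import_name(ctx, lname)`. POSIX does not guarantee NUL termination when the host name is truncated, so the acceptor name could be built from an unterminated buffer. Adding `lname[sizeof(lname) - 1] = '\0';` after the successful call closes that gap. Parts of the function are collapsed on this page, so a termination elsewhere cannot be ruled out.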
    1146 diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.c openssh-5.8p1.new/kex.c
    1147 --- openssh-5.8p1/kex.c 2010-09-24 14:11:14.000000000 +0200
    1148 +++ openssh-5.8p1.new/kex.c     2011-02-12 18:07:11.149564726 +0100
    1149 @@ -50,6 +50,10 @@
    1150  #include "monitor.h"
     1145diff -Nrup openssh-6.5p1/kex.c openssh-6.5p1.patched/kex.c
     1146--- openssh-6.5p1/kex.c 2014-01-25 14:38:04.000000000 -0800
     1147+++ openssh-6.5p1.patched/kex.c 2014-02-15 17:24:33.000000000 -0800
     1148@@ -51,6 +51,10 @@
    11511149 #include "roaming.h"
     1150 #include "digest.h"
    11521151 
    11531152+#ifdef GSSAPI
    11541153+#include "ssh-gss.h"
     
    11571156 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
    11581157 # if defined(HAVE_EVP_SHA256)
    11591158 # define evp_ssh_sha256 EVP_sha256
    1160 @@ -80,6 +84,11 @@
    1161         { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
    1162         { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
     1159@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = {
     1160 #ifdef HAVE_EVP_SHA256
     1161        { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
    11631162 #endif
    11641163+#ifdef GSSAPI
    1165 +       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
    1166 +       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
    1167 +       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
     1164+       { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
     1165+       { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
     1166+       { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
    11681167+#endif
    1169         { NULL, -1, -1, NULL},
     1168        { NULL, -1, -1, -1},
    11701169 };
    11711170 
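Review bot: The three GSS entries added to `kexalgs[]` all use `SSH_DIGEST_SHA1`, and `KEX_GSS_GRP1_SHA1` is the group1 variant, which RFC 4462 defines over the 1024-bit MODP group, yet nothing beside them records that. The monitor.c part of this patch installs the server handlers only under `options.gss_keyex`, which suggests the exchanges are opt-in, but that is not visible from the table. A comment above the `#ifdef GSSAPI` block, such as `/* RFC 4462 GSS-API key exchanges; all three hash with SHA-1 */`, would make the table easier to audit. Whether the group1 variant should be offered at all is worth deciding explicitly where the proposal is built, which is outside this hunk.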
    1172 diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.h openssh-5.8p1.new/kex.h
    1173 --- openssh-5.8p1/kex.h 2010-09-24 14:11:14.000000000 +0200
    1174 +++ openssh-5.8p1.new/kex.h     2011-02-12 18:07:11.161650596 +0100
    1175 @@ -73,6 +73,9 @@
    1176         KEX_DH_GEX_SHA1,
     1171diff -Nrup openssh-6.5p1/kex.h openssh-6.5p1.patched/kex.h
     1172--- openssh-6.5p1/kex.h 2014-01-25 14:37:26.000000000 -0800
     1173+++ openssh-6.5p1.patched/kex.h 2014-02-15 16:52:30.000000000 -0800
     1174@@ -76,6 +76,9 @@ enum kex_exchange {
    11771175        KEX_DH_GEX_SHA256,
    11781176        KEX_ECDH_SHA2,
     1177        KEX_C25519_SHA256,
    11791178+       KEX_GSS_GRP1_SHA1,
    11801179+       KEX_GSS_GRP14_SHA1,
    11811180+       KEX_GSS_GEX_SHA1,
    11821181        KEX_MAX
    11831182 };
    11841183 
    1185 @@ -129,6 +132,12 @@
     1184@@ -136,6 +139,12 @@ struct Kex {
    11861185        int     flags;
    1187         const EVP_MD *evp_md;
     1186        int     hash_alg;
    11881187        int     ec_nid;
    11891188+#ifdef GSSAPI
    11901189+       int     gss_deleg_creds;
     
    11951194        char    *client_version_string;
    11961195        char    *server_version_string;
    11971196        int     (*verify_host_key)(Key *);
    1198 @@ -156,6 +165,11 @@
    1199  void    kexecdh_client(Kex *);
    1200  void    kexecdh_server(Kex *);
     1197@@ -168,6 +177,11 @@ void        kexecdh_server(Kex *);
     1198 void    kexc25519_client(Kex *);
     1199 void    kexc25519_server(Kex *);
    12011200 
    12021201+#ifdef GSSAPI
    12031202+void   kexgss_client(Kex *);
     
    12071206 void
    12081207 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
    12091208     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
    1210 diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgssc.c openssh-5.8p1.new/kexgssc.c
    1211 --- openssh-5.8p1/kexgssc.c     1970-01-01 01:00:00.000000000 +0100
    1212 +++ openssh-5.8p1.new/kexgssc.c 2011-02-12 18:07:11.176741991 +0100
    1213 @@ -0,0 +1,334 @@
     1209diff -Nrup openssh-6.5p1/kexgssc.c openssh-6.5p1.patched/kexgssc.c
     1210--- openssh-6.5p1/kexgssc.c     1969-12-31 16:00:00.000000000 -0800
     1211+++ openssh-6.5p1.patched/kexgssc.c     2014-02-15 17:17:35.000000000 -0800
     1212@@ -0,0 +1,339 @@
    12141213+/*
    12151214+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
    12161215+ *
     
    12681267+       DH *dh;
    12691268+       BIGNUM *dh_server_pub = NULL;
    12701269+       BIGNUM *shared_secret = NULL;
     1270+       Buffer shared_secret_buffer;
    12711271+       BIGNUM *p = NULL;
    12721272+       BIGNUM *g = NULL;       
    12731273+       u_char *kbuf, *hash;
     
    14921492+               break;
    14931493+       case KEX_GSS_GEX_SHA1:
    14941494+               kexgex_hash(
    1495 +                   kex->evp_md,
     1495+                   kex->hash_alg,
    14961496+                   kex->client_version_string,
    14971497+                   kex->server_version_string,
    14981498+                   buffer_ptr(&kex->my), buffer_len(&kex->my),
     
    15391539+       else
    15401540+               ssh_gssapi_delete_ctx(&ctxt);
    15411541+
    1542 +       kex_derive_keys(kex, hash, hashlen, shared_secret);
     1542+       buffer_init(&shared_secret_buffer);
     1543+       buffer_put_bignum2(&shared_secret_buffer, shared_secret);
     1544+       kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
     1545+                       buffer_len(&shared_secret_buffer));
     1546+       buffer_free(&shared_secret_buffer);
    15431547+       BN_clear_free(shared_secret);
    15441548+       kex_finish(kex);
    15451549+}
    15461550+
    15471551+#endif /* GSSAPI */
    1548 diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgsss.c openssh-5.8p1.new/kexgsss.c
    1549 --- openssh-5.8p1/kexgsss.c     1970-01-01 01:00:00.000000000 +0100
    1550 +++ openssh-5.8p1.new/kexgsss.c 2011-02-12 18:07:11.186584789 +0100
    1551 @@ -0,0 +1,288 @@
     1552diff -Nrup openssh-6.5p1/kexgsss.c openssh-6.5p1.patched/kexgsss.c
     1553--- openssh-6.5p1/kexgsss.c     1969-12-31 16:00:00.000000000 -0800
     1554+++ openssh-6.5p1.patched/kexgsss.c     2014-02-15 17:31:24.000000000 -0800
     1555@@ -0,0 +1,293 @@
    15521556+/*
    15531557+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
    15541558+ *
     
    16181622+       DH *dh;
    16191623+       int min = -1, max = -1, nbits = -1;
    16201624+       BIGNUM *shared_secret = NULL;
     1625+       Buffer shared_secret_buffer;
    16211626+       BIGNUM *dh_client_pub = NULL;
    16221627+       int type = 0;
    16231628+       gss_OID oid;
     
    17741779+               break;
    17751780+       case KEX_GSS_GEX_SHA1:
    17761781+               kexgex_hash(
    1777 +                   kex->evp_md,
     1782+                   kex->hash_alg,
    17781783+                   kex->client_version_string, kex->server_version_string,
    17791784+                   buffer_ptr(&kex->peer), buffer_len(&kex->peer),
    17801785+                   buffer_ptr(&kex->my), buffer_len(&kex->my),
     
    18271832+
    18281833+       DH_free(dh);
    18291834+
    1830 +       kex_derive_keys(kex, hash, hashlen, shared_secret);
     1835+       buffer_init(&shared_secret_buffer);
     1836+       buffer_put_bignum2(&shared_secret_buffer, shared_secret);
     1837+       kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
     1838+                       buffer_len(&shared_secret_buffer));
     1839+       buffer_free(&shared_secret_buffer);
    18311840+       BN_clear_free(shared_secret);
    18321841+       kex_finish(kex);
    18331842+
     
    18371846+               ssh_gssapi_rekey_creds();
    18381847+}
    18391848+#endif /* GSSAPI */
    1840 diff --speed-large-files --minimal -Nru openssh-5.8p1/key.c openssh-5.8p1.new/key.c
    1841 --- openssh-5.8p1/key.c 2011-02-04 01:48:34.000000000 +0100
    1842 +++ openssh-5.8p1.new/key.c     2011-02-12 18:07:11.202089386 +0100
    1843 @@ -929,6 +929,7 @@
    1844         { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
     1849diff -Nrup openssh-6.5p1/key.c openssh-6.5p1.patched/key.c
     1850--- openssh-6.5p1/key.c 2014-01-09 15:58:53.000000000 -0800
     1851+++ openssh-6.5p1.patched/key.c 2014-02-15 16:50:46.000000000 -0800
     1852@@ -979,6 +979,7 @@ static const struct keytype keytypes[] =
    18451853            KEY_ECDSA_CERT, NID_secp521r1, 1 },
     1854 # endif
    18461855 #endif /* OPENSSL_HAS_ECC */
    18471856+       { "null", "null", KEY_NULL, 0, 0 },
    18481857        { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
    18491858            KEY_RSA_CERT_V00, 0, 1 },
    18501859        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
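Review bot: The `"null"` entry is added to `keytypes[]` outside any `#ifdef GSSAPI` guard, unlike the GSS entries this patch adds to `kexalgs[]` in kex.c, so as far as the hunk shows a build without GSSAPI would still carry a key type named "null". The name lookups over this table are not visible here, but if they accept every row, a placeholder type becomes a valid algorithm name in all builds. Consider wrapping it as `#ifdef GSSAPI` / `{ "null", "null", KEY_NULL, 0, 0 },` / `#endif`. If the entry is meant as the RFC 4462 placeholder, a comment such as `/* RFC 4462 "null" host key algorithm, used only with GSS-API key exchange */` would record that. The table begins and ends outside the hunk.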
    1851 diff --speed-large-files --minimal -Nru openssh-5.8p1/key.h openssh-5.8p1.new/key.h
    1852 --- openssh-5.8p1/key.h 2010-11-05 00:19:49.000000000 +0100
    1853 +++ openssh-5.8p1.new/key.h     2011-02-12 18:07:11.216270794 +0100
    1854 @@ -44,6 +44,7 @@
    1855         KEY_ECDSA_CERT,
     1860diff -Nrup openssh-6.5p1/key.h openssh-6.5p1.patched/key.h
     1861--- openssh-6.5p1/key.h 2014-01-09 15:58:53.000000000 -0800
     1862+++ openssh-6.5p1.patched/key.h 2014-02-15 16:50:46.000000000 -0800
     1863@@ -46,6 +46,7 @@ enum types {
     1864        KEY_ED25519_CERT,
    18561865        KEY_RSA_CERT_V00,
    18571866        KEY_DSA_CERT_V00,
    18581867+       KEY_NULL,
    18591868        KEY_UNSPEC
    18601869 };
    18611870 enum fp_type {
    1862 diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.c openssh-5.8p1.new/monitor.c
    1863 --- openssh-5.8p1/monitor.c     2010-09-10 03:23:34.000000000 +0200
    1864 +++ openssh-5.8p1.new/monitor.c 2011-02-12 18:07:11.241713537 +0100
    1865 @@ -172,6 +172,8 @@
     1871diff -Nrup openssh-6.5p1/monitor.c openssh-6.5p1.patched/monitor.c
     1872--- openssh-6.5p1/monitor.c     2013-11-06 18:32:52.000000000 -0800
     1873+++ openssh-6.5p1.patched/monitor.c     2014-02-15 16:53:04.000000000 -0800
     1874@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
    18661875 int mm_answer_gss_accept_ctx(int, Buffer *);
    18671876 int mm_answer_gss_userok(int, Buffer *);
    18681877 int mm_answer_gss_checkmic(int, Buffer *);
     
    18711880 #endif
    18721881 
    18731882 #ifdef SSH_AUDIT_EVENTS
    1874 @@ -241,6 +243,7 @@
     1883@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[]
    18751884     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    18761885     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    18771886     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
     
    18791888 #endif
    18801889 #ifdef JPAKE
    18811890     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
    1882 @@ -253,6 +256,12 @@
     1891@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[]
    18831892 };
    18841893 
    18851894 struct mon_table mon_dispatch_postauth20[] = {
     
    18921901     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    18931902     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    18941903     {MONITOR_REQ_PTY, 0, mm_answer_pty},
    1895 @@ -357,6 +366,10 @@
     1904@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctx
    18961905                /* Permit requests for moduli and signatures */
    18971906                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
    18981907                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
     
    19031912        } else {
    19041913                mon_dispatch = mon_dispatch_proto15;
    19051914 
    1906 @@ -443,6 +456,10 @@
     1915@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *p
    19071916                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
    19081917                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
    19091918                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
     
    19141923        } else {
    19151924                mon_dispatch = mon_dispatch_postauth15;
    19161925                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
    1917 @@ -1692,6 +1709,13 @@
    1918         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
     1926@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
    19191927        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
    19201928        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
     1929        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
    19211930+#ifdef GSSAPI
    19221931+       if (options.gss_keyex) {
    19231932+               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
     
    19281937        kex->server = 1;
    19291938        kex->hostkey_type = buffer_get_int(m);
    19301939        kex->kex_type = buffer_get_int(m);
    1931 @@ -1898,6 +1922,9 @@
     1940@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
    19321941        OM_uint32 major;
    19331942        u_int len;
    19341943 
     
    19381947        goid.elements = buffer_get_string(m, &len);
    19391948        goid.length = len;
    19401949 
    1941 @@ -1925,6 +1952,9 @@
     1950@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
    19421951        OM_uint32 flags = 0; /* GSI needs this */
    19431952        u_int len;
    19441953 
     
    19481957        in.value = buffer_get_string(m, &len);
    19491958        in.length = len;
    19501959        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
    1951 @@ -1942,6 +1972,7 @@
     1960@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
    19521961                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
    19531962                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
    19541963                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
     
    19561965        }
    19571966        return (0);
    19581967 }
    1959 @@ -1953,6 +1984,9 @@
     1968@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer
    19601969        OM_uint32 ret;
    19611970        u_int len;
    19621971 
     
    19661975        gssbuf.value = buffer_get_string(m, &len);
    19671976        gssbuf.length = len;
    19681977        mic.value = buffer_get_string(m, &len);
    1969 @@ -1979,7 +2013,11 @@
     1978@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m
    19701979 {
    19711980        int authenticated;
    19721981 
     
    19791988 
    19801989        buffer_clear(m);
    19811990        buffer_put_int(m, authenticated);
    1982 @@ -1992,6 +2030,74 @@
     1991@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m
    19831992        /* Monitor loop will terminate if authenticated */
    19841993        return (authenticated);
    19851994 }
     
    20542063 #endif /* GSSAPI */
    20552064 
    20562065 #ifdef JPAKE
    2057 diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.h openssh-5.8p1.new/monitor.h
    2058 --- openssh-5.8p1/monitor.h     2008-11-05 06:20:46.000000000 +0100
    2059 +++ openssh-5.8p1.new/monitor.h 2011-02-12 18:07:11.311728071 +0100
    2060 @@ -53,6 +53,9 @@
    2061         MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
    2062         MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
    2063         MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
    2064 +
     2066diff -Nrup openssh-6.5p1/monitor.h openssh-6.5p1.patched/monitor.h
     2067--- openssh-6.5p1/monitor.h     2012-12-02 14:53:21.000000000 -0800
     2068+++ openssh-6.5p1.patched/monitor.h     2014-02-15 16:50:46.000000000 -0800
     2069@@ -62,6 +62,9 @@ enum monitor_reqtype {
     2070        MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
     2071        MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
     2072 
    20652073+       MONITOR_REQ_GSSSIGN = 62, MONITOR_ANS_GSSSIGN = 63,
    20662074+       MONITOR_REQ_GSSUPCREDS = 64, MONITOR_ANS_GSSUPCREDS = 65,
    2067 
    2068         MONITOR_REQ_PAM_START = 100,
    2069         MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
    2070         MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
    2071 diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.c openssh-5.8p1.new/monitor_wrap.c
    2072 --- openssh-5.8p1/monitor_wrap.c        2010-08-31 14:41:14.000000000 +0200
    2073 +++ openssh-5.8p1.new/monitor_wrap.c    2011-02-12 18:07:11.359631731 +0100
    2074 @@ -1232,7 +1232,7 @@
     2075+
     2076        MONITOR_REQ_PAM_START = 100,
     2077        MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
     2078        MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
     2079diff -Nrup openssh-6.5p1/monitor_wrap.c openssh-6.5p1.patched/monitor_wrap.c
     2080--- openssh-6.5p1/monitor_wrap.c        2013-11-06 18:35:39.000000000 -0800
     2081+++ openssh-6.5p1.patched/monitor_wrap.c        2014-02-15 16:50:46.000000000 -0800
     2082@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
    20752083 }
    20762084 
    20772085 int
     
    20802088 {
    20812089        Buffer m;
    20822090        int authenticated = 0;
    2083 @@ -1249,6 +1249,51 @@
     2091@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
    20842092        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
    20852093        return (authenticated);
    20862094 }
     
    21322140 #endif /* GSSAPI */
    21332141 
    21342142 #ifdef JPAKE
    2135 diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.h openssh-5.8p1.new/monitor_wrap.h
    2136 --- openssh-5.8p1/monitor_wrap.h        2009-03-05 14:58:22.000000000 +0100
    2137 +++ openssh-5.8p1.new/monitor_wrap.h    2011-02-12 18:07:11.407619296 +0100
    2138 @@ -57,8 +57,10 @@
     2143diff -Nrup openssh-6.5p1/monitor_wrap.h openssh-6.5p1.patched/monitor_wrap.h
     2144--- openssh-6.5p1/monitor_wrap.h        2011-06-19 21:42:23.000000000 -0700
     2145+++ openssh-6.5p1.patched/monitor_wrap.h        2014-02-15 16:50:46.000000000 -0800
     2146@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
    21392147 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
    21402148 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    21412149    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
     
    21472155 #endif
    21482156 
    21492157 #ifdef USE_PAM
    2150 diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.c openssh-5.8p1.new/readconf.c
    2151 --- openssh-5.8p1/readconf.c    2010-11-20 05:19:38.000000000 +0100
    2152 +++ openssh-5.8p1.new/readconf.c        2011-02-12 18:07:11.460306621 +0100
    2153 @@ -129,6 +129,8 @@
     2158diff -Nrup openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
     2159--- openssh-6.5p1/readconf.c    2014-01-17 05:03:57.000000000 -0800
     2160+++ openssh-6.5p1.patched/readconf.c    2014-02-15 16:50:46.000000000 -0800
     2161@@ -140,6 +140,8 @@ typedef enum {
    21542162        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
    21552163        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
    21562164        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
     
    21592167        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
    21602168        oSendEnv, oControlPath, oControlMaster, oControlPersist,
    21612169        oHashKnownHosts,
    2162 @@ -169,10 +171,19 @@
     2170@@ -182,10 +184,19 @@ static struct {
    21632171        { "afstokenpassing", oUnsupported },
    21642172 #if defined(GSSAPI)
    21652173        { "gssapiauthentication", oGssAuthentication },
     
    21792187 #endif
    21802188        { "fallbacktorsh", oDeprecated },
    21812189        { "usersh", oDeprecated },
    2182 @@ -479,10 +490,30 @@
     2190@@ -839,10 +850,30 @@ parse_time:
    21832191                intptr = &options->gss_authentication;
    21842192                goto parse_flag;
    21852193 
     
    22102218        case oBatchMode:
    22112219                intptr = &options->batch_mode;
    22122220                goto parse_flag;
    2213 @@ -1092,7 +1123,12 @@
     2221@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
    22142222        options->pubkey_authentication = -1;
    22152223        options->challenge_response_authentication = -1;
    22162224        options->gss_authentication = -1;
     
    22232231        options->password_authentication = -1;
    22242232        options->kbd_interactive_authentication = -1;
    22252233        options->kbd_interactive_devices = NULL;
    2226 @@ -1193,8 +1229,14 @@
     2234@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
    22272235                options->challenge_response_authentication = 1;
    22282236        if (options->gss_authentication == -1)
    22292237                options->gss_authentication = 0;
     
    22382246        if (options->password_authentication == -1)
    22392247                options->password_authentication = 1;
    22402248        if (options->kbd_interactive_authentication == -1)
    2241 diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.h openssh-5.8p1.new/readconf.h
    2242 --- openssh-5.8p1/readconf.h    2010-11-20 05:19:38.000000000 +0100
    2243 +++ openssh-5.8p1.new/readconf.h        2011-02-12 18:07:11.507187275 +0100
    2244 @@ -46,7 +46,12 @@
     2249diff -Nrup openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
     2250--- openssh-6.5p1/readconf.h    2013-10-16 17:48:14.000000000 -0700
     2251+++ openssh-6.5p1.patched/readconf.h    2014-02-15 16:50:46.000000000 -0800
     2252@@ -54,7 +54,12 @@ typedef struct {
    22452253        int     challenge_response_authentication;
    22462254                                        /* Try S/Key or TIS, authentication. */
    22472255        int     gss_authentication;     /* Try GSS authentication */
     
    22542262        int     password_authentication;        /* Try password
    22552263                                                 * authentication. */
    22562264        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
    2257 diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.c openssh-5.8p1.new/servconf.c
    2258 --- openssh-5.8p1/servconf.c    2010-11-20 05:19:38.000000000 +0100
    2259 +++ openssh-5.8p1.new/servconf.c        2011-02-12 18:07:11.533252334 +0100
    2260 @@ -97,7 +97,10 @@
     2265diff -Nrup openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
     2266--- openssh-6.5p1/servconf.c    2013-12-06 16:24:02.000000000 -0800
     2267+++ openssh-6.5p1.patched/servconf.c    2014-02-15 16:50:46.000000000 -0800
     2268@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions
    22612269        options->kerberos_ticket_cleanup = -1;
    22622270        options->kerberos_get_afs_token = -1;
    22632271        options->gss_authentication=-1;
     
    22682276        options->password_authentication = -1;
    22692277        options->kbd_interactive_authentication = -1;
    22702278        options->challenge_response_authentication = -1;
    2271 @@ -226,8 +229,14 @@
     2279@@ -245,8 +248,14 @@ fill_default_server_options(ServerOption
    22722280                options->kerberos_get_afs_token = 0;
    22732281        if (options->gss_authentication == -1)
    22742282                options->gss_authentication = 0;
     
    22832291        if (options->password_authentication == -1)
    22842292                options->password_authentication = 1;
    22852293        if (options->kbd_interactive_authentication == -1)
    2286 @@ -322,7 +331,9 @@
     2294@@ -343,7 +352,9 @@ typedef enum {
    22872295        sBanner, sUseDNS, sHostbasedAuthentication,
    22882296        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
    22892297        sClientAliveCountMax, sAuthorizedKeysFile,
     
    22942302        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
    22952303        sUsePrivilegeSeparation, sAllowAgentForwarding,
    22962304        sZeroKnowledgePasswordAuthentication, sHostCertificate,
    2297 @@ -386,10 +397,20 @@
     2305@@ -410,10 +421,20 @@ static struct {
    22982306 #ifdef GSSAPI
    22992307        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
    23002308        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
     
    23152323        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
    23162324        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
    23172325        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
    2318 @@ -944,10 +965,22 @@
     2326@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions
    23192327                intptr = &options->gss_authentication;
    23202328                goto parse_flag;
    23212329 
     
    23382346        case sPasswordAuthentication:
    23392347                intptr = &options->password_authentication;
    23402348                goto parse_flag;
    2341 @@ -1704,7 +1737,10 @@
     2349@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
    23422350 #endif
    23432351 #ifdef GSSAPI
    23442352        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
     
    23492357 #endif
    23502358 #ifdef JPAKE
    23512359        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
    2352 diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.h openssh-5.8p1.new/servconf.h
    2353 --- openssh-5.8p1/servconf.h    2010-11-20 05:19:38.000000000 +0100
    2354 +++ openssh-5.8p1.new/servconf.h        2011-02-12 18:07:11.548572408 +0100
    2355 @@ -97,7 +97,10 @@
     2360diff -Nrup openssh-6.5p1/servconf.h openssh-6.5p1.patched/servconf.h
     2361--- openssh-6.5p1/servconf.h    2013-12-04 19:07:28.000000000 -0800
     2362+++ openssh-6.5p1.patched/servconf.h    2014-02-15 16:50:46.000000000 -0800
     2363@@ -112,7 +112,10 @@ typedef struct {
    23562364        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
    23572365                                                 * authenticated with Kerberos. */
    23582366        int     gss_authentication;     /* If true, permit GSSAPI authentication */
     
    23632371        int     password_authentication;        /* If true, permit password
    23642372                                                 * authentication. */
    23652373        int     kbd_interactive_authentication; /* If true, permit */
    2366 diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh-gss.h openssh-5.8p1.new/ssh-gss.h
    2367 --- openssh-5.8p1/ssh-gss.h     2007-06-12 15:40:39.000000000 +0200
    2368 +++ openssh-5.8p1.new/ssh-gss.h 2011-02-12 18:07:11.567306608 +0100
     2374diff -Nrup openssh-6.5p1/ssh-gss.h openssh-6.5p1.patched/ssh-gss.h
     2375--- openssh-6.5p1/ssh-gss.h     2013-02-24 16:24:44.000000000 -0800
     2376+++ openssh-6.5p1.patched/ssh-gss.h     2014-02-15 16:50:46.000000000 -0800
    23692377@@ -1,6 +1,6 @@
    23702378 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
    23712379 /*
     
    23742382  *
    23752383  * Redistribution and use in source and binary forms, with or without
    23762384  * modification, are permitted provided that the following conditions
    2377 @@ -60,10 +60,22 @@
     2385@@ -61,10 +61,22 @@
    23782386 
    23792387 #define SSH_GSS_OIDTYPE 0x06
    23802388 
     
    23972405        void *data;
    23982406 } ssh_gssapi_ccache;
    23992407 
    2400 @@ -71,8 +83,11 @@
     2408@@ -72,8 +84,11 @@ typedef struct {
    24012409        gss_buffer_desc displayname;
    24022410        gss_buffer_desc exportedname;
    24032411        gss_cred_id_t creds;
     
    24092417 } ssh_gssapi_client;
    24102418 
    24112419 typedef struct ssh_gssapi_mech_struct {
    2412 @@ -83,6 +98,7 @@
     2420@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
    24132421        int (*userok) (ssh_gssapi_client *, char *);
    24142422        int (*localname) (ssh_gssapi_client *, char **);
    24152423        void (*storecreds) (ssh_gssapi_client *);
     
    24172425 } ssh_gssapi_mech;
    24182426 
    24192427 typedef struct {
    2420 @@ -93,10 +109,11 @@
     2428@@ -94,10 +110,11 @@ typedef struct {
    24212429        gss_OID         oid; /* client */
    24222430        gss_cred_id_t   creds; /* server */
    24232431        gss_name_t      client; /* server */
     
    24302438 
    24312439 int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
    24322440 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
    2433 @@ -116,16 +133,30 @@
     2441@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
    24342442 void ssh_gssapi_delete_ctx(Gssctxt **);
    24352443 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
    24362444 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
     
    24632471 #endif /* GSSAPI */
    24642472 
    24652473 #endif /* _SSH_GSS_H */
    2466 diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config openssh-5.8p1.new/ssh_config
    2467 --- openssh-5.8p1/ssh_config    2010-01-12 09:40:27.000000000 +0100
    2468 +++ openssh-5.8p1.new/ssh_config        2011-02-12 18:07:11.580240516 +0100
     2474diff -Nrup openssh-6.5p1/ssh_config openssh-6.5p1.patched/ssh_config
     2475--- openssh-6.5p1/ssh_config    2013-10-09 16:24:12.000000000 -0700
     2476+++ openssh-6.5p1.patched/ssh_config    2014-02-15 16:50:46.000000000 -0800
    24692477@@ -26,6 +26,8 @@
    24702478 #   HostbasedAuthentication no
    24712479 #   GSSAPIAuthentication no
     
    24752483 #   BatchMode no
    24762484 #   CheckHostIP yes
    24772485 #   AddressFamily any
    2478 diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config.5 openssh-5.8p1.new/ssh_config.5
    2479 --- openssh-5.8p1/ssh_config.5  2010-12-26 04:26:48.000000000 +0100
    2480 +++ openssh-5.8p1.new/ssh_config.5      2011-02-12 18:07:11.600266821 +0100
    2481 @@ -508,11 +508,43 @@
     2486diff -Nrup openssh-6.5p1/ssh_config.5 openssh-6.5p1.patched/ssh_config.5
     2487--- openssh-6.5p1/ssh_config.5  2014-01-19 03:36:14.000000000 -0800
     2488+++ openssh-6.5p1.patched/ssh_config.5  2014-02-15 16:50:46.000000000 -0800
     2489@@ -676,11 +676,43 @@ Specifies whether user authentication ba
    24822490 The default is
    24832491 .Dq no .
    24842492 Note that this option applies to protocol version 2 only.
     
    25232531 .It Cm HashKnownHosts
    25242532 Indicates that
    25252533 .Xr ssh 1
    2526 diff --speed-large-files --minimal -Nru openssh-5.8p1/sshconnect2.c openssh-5.8p1.new/sshconnect2.c
    2527 --- openssh-5.8p1/sshconnect2.c 2010-12-01 02:21:51.000000000 +0100
    2528 +++ openssh-5.8p1.new/sshconnect2.c     2011-02-12 18:07:11.623078773 +0100
    2529 @@ -159,9 +159,34 @@
     2534diff -Nrup openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
     2535--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
     2536+++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:54:12.000000000 -0800
     2537@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
    25302538 {
    25312539        Kex *kex;
    25322540 
     
    25612569        if (options.ciphers == (char *)-1) {
    25622570                logit("No valid ciphers for protocol version 2 given, using defaults.");
    25632571                options.ciphers = NULL;
    2564 @@ -196,6 +221,17 @@
     2572@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
    25652573        if (options.kex_algorithms != NULL)
    25662574                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
    25672575 
     
    25782586+
    25792587        if (options.rekey_limit || options.rekey_interval)
    25802588                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
    2581  
    2582 @@ -206,10 +242,30 @@
     2589                    (time_t)options.rekey_interval);
     2590@@ -209,11 +245,31 @@ ssh_kex2(char *host, struct sockaddr *ho
    25832591        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
    25842592        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
    25852593        kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
     
    25902598+               kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
    25912599+       }
    25922600+#endif
     2601        kex->kex[KEX_C25519_SHA256] = kexc25519_client;
    25932602        kex->client_version_string=client_version_string;
    25942603        kex->server_version_string=server_version_string;
    25952604        kex->verify_host_key=&verify_host_key_callback;
     
    26032612+                       kex->gss_host = options.gss_server_identity;
    26042613+               } else {
    26052614+                       kex->gss_host = gss_host;
    2606 +        }
     2615+               }
    26072616+       }
    26082617+#endif
    26092618+
    26102619        xxx_kex = kex;
    26112620 
    26122621        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
    2613 @@ -304,6 +360,7 @@
     2622@@ -309,6 +365,7 @@ void        input_gssapi_token(int type, u_int3
    26142623 void   input_gssapi_hash(int type, u_int32_t, void *);
    26152624 void   input_gssapi_error(int, u_int32_t, void *);
    26162625 void   input_gssapi_errtok(int, u_int32_t, void *);
     
    26182627 #endif
    26192628 
    26202629 void   userauth(Authctxt *, char *);
    2621 @@ -319,6 +376,11 @@
     2630@@ -324,6 +381,11 @@ static char *authmethods_get(void);
    26222631 
    26232632 Authmethod authmethods[] = {
    26242633 #ifdef GSSAPI
     
    26302639        {"gssapi-with-mic",
    26312640                userauth_gssapi,
    26322641                NULL,
    2633 @@ -625,19 +687,31 @@
     2642@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
    26342643        static u_int mech = 0;
    26352644        OM_uint32 min;
    26362645        int ok = 0;
     
    26642673                        ok = 1; /* Mechanism works */
    26652674                } else {
    26662675                        mech++;
    2667 @@ -734,8 +808,8 @@
     2676@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
    26682677 {
    26692678        Authctxt *authctxt = ctxt;
    26702679        Gssctxt *gssctxt;
     
    26752684 
    26762685        if (authctxt == NULL)
    26772686                fatal("input_gssapi_response: no authentication context");
    2678 @@ -845,6 +919,48 @@
     2687@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t p
    26792688        free(msg);
    26802689        free(lang);
    26812690 }
     
    27242733 #endif /* GSSAPI */
    27252734 
    27262735 int
    2727 diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd.c openssh-5.8p1.new/sshd.c
    2728 --- openssh-5.8p1/sshd.c        2011-01-11 07:20:31.000000000 +0100
    2729 +++ openssh-5.8p1.new/sshd.c    2011-02-12 18:07:11.656005267 +0100
    2730 @@ -120,6 +120,10 @@
    2731  #include "roaming.h"
     2736diff -Nrup openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
     2737--- openssh-6.5p1/sshd.c        2014-01-27 20:08:13.000000000 -0800
     2738+++ openssh-6.5p1.patched/sshd.c        2014-02-15 16:54:54.000000000 -0800
     2739@@ -122,6 +122,10 @@
     2740 #include "ssh-sandbox.h"
    27322741 #include "version.h"
    27332742 
    27342743+#ifdef USE_SECURITY_SESSION_API
     
    27382747 #ifdef LIBWRAP
    27392748 #include <tcpd.h>
    27402749 #include <syslog.h>
    2741 @@ -1590,10 +1594,13 @@
     2750@@ -1721,10 +1725,13 @@ main(int ac, char **av)
    27422751                logit("Disabling protocol version 1. Could not load host key");
    27432752                options.protocol &= ~SSH_PROTO_1;
    27442753        }
     
    27522761        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
    27532762                logit("sshd: no hostkeys available -- exiting.");
    27542763                exit(1);
    2755 @@ -1922,6 +1929,60 @@
    2756         /* Log the connection. */
    2757         verbose("Connection from %.500s port %d", remote_ip, remote_port);
     2764@@ -2051,6 +2058,60 @@ main(int ac, char **av)
     2765            remote_ip, remote_port,
     2766            get_local_ipaddr(sock_in), get_local_port());
    27582767 
    27592768+#ifdef USE_SECURITY_SESSION_API
    27602769+       /*
     
    28132822        /*
    28142823         * We don't want to listen forever unless the other side
    28152824         * successfully authenticates itself.  So we set up an alarm which is
    2816 @@ -2303,6 +2364,48 @@
    2817  
    2818         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
     2825@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
     2826        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
     2827            list_hostkey_types());
    28192828 
    28202829+#ifdef GSSAPI
    28212830+       {
     
    28622871        /* start key exchange */
    28632872        kex = kex_setup(myproposal);
    28642873        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
    2865 @@ -2310,6 +2413,13 @@
    2866         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
     2874@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
    28672875        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
    28682876        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
     2877        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
    28692878+#ifdef GSSAPI
    28702879+       if (options.gss_keyex) {
    28712880+               kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
     
    28762885        kex->server = 1;
    28772886        kex->client_version_string=client_version_string;
    28782887        kex->server_version_string=server_version_string;
    2879 diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config openssh-5.8p1.new/sshd_config
    2880 --- openssh-5.8p1/sshd_config   2010-09-10 03:20:12.000000000 +0200
    2881 +++ openssh-5.8p1.new/sshd_config       2011-02-12 18:07:11.668077725 +0100
    2882 @@ -72,6 +72,8 @@
     2888diff -Nrup openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
     2889--- openssh-6.5p1/sshd_config   2014-01-12 00:20:47.000000000 -0800
     2890+++ openssh-6.5p1.patched/sshd_config   2014-02-15 16:50:46.000000000 -0800
     2891@@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
    28832892 # GSSAPI options
    28842893 #GSSAPIAuthentication no
    28852894 #GSSAPICleanupCredentials yes
    28862895+#GSSAPIStrictAcceptorCheck yes
    28872896+#GSSAPIKeyExchange no
    28882897 
    2889  # Set this to 'yes' to enable PAM authentication, account processing, 
    2890  # and session processing. If this is enabled, PAM authentication will 
    2891 diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config.5 openssh-5.8p1.new/sshd_config.5
    2892 --- openssh-5.8p1/sshd_config.5 2010-12-26 04:26:48.000000000 +0100
    2893 +++ openssh-5.8p1.new/sshd_config.5     2011-02-12 18:07:11.685676774 +0100
    2894 @@ -423,12 +423,40 @@
     2898 # Set this to 'yes' to enable PAM authentication, account processing,
     2899 # and session processing. If this is enabled, PAM authentication will
     2900diff -Nrup openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
     2901--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
     2902+++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:50:46.000000000 -0800
     2903@@ -493,12 +493,40 @@ Specifies whether user authentication ba
    28952904 The default is
    28962905 .Dq no .
    28972906 Note that this option applies to protocol version 2 only.