6.8p1-1 + 0.9.3-5

2015-03-20 14:56:04 +01:00 · 2015-03-20 14:56:04 +01:00 · 132f8f8686
commit 132f8f8686
parent 7b82d087e1
26 changed files with 1345 additions and 3694 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,3 +14,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-6.4p1.tar.gz
 /openssh-6.6p1.tar.gz
 /openssh-6.7p1.tar.gz
 /openssh-6.8p1.tar.gz
--- a/openssh-5.8p1-packet.patch
+++ b/openssh-5.8p1-packet.patch
@ -1,12 +1,12 @@
-diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
+diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
--- openssh-5.8p1/packet.c.packet	2011-04-05 13:29:06.998648899 +0200
+--- openssh-6.8p1/packet.c.packet	2015-03-18 10:56:32.286930601 +0100
-+++ openssh-5.8p1/packet.c	2011-04-05 13:30:32.967648596 +0200
+++ openssh-6.8p1/packet.c	2015-03-18 10:58:38.535629739 +0100
-@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void)
+@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
 	struct sockaddr_storage from, to;
 	socklen_t fromlen, tolen;
-+	if (!active_state)
+	if (!state)
 +		return 0;
 	/* filedescriptors in and out are the same, so it's a socket */
- 	if (active_state->connection_in == active_state->connection_out)
+ 	if (state->connection_in == state->connection_out)
 		return 1;
--- a/openssh-6.1p1-askpass-ld.patch
+++ b/openssh-6.1p1-askpass-ld.patch
@ -1,18 +0,0 @@
 diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
 --- openssh-6.1p1/contrib/Makefile.askpass-ld	2012-05-19 07:24:37.000000000 +0200
 +++ openssh-6.1p1/contrib/Makefile	2012-09-14 20:35:47.565704718 +0200
@@ -4,12 +4,12 @@ all:
 	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
 gnome-ssh-askpass1: gnome-ssh-askpass1.c
 -	$(CC) `gnome-config --cflags gnome gnomeui` \
 +	$(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
 		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
 		`gnome-config --libs gnome gnomeui`
 gnome-ssh-askpass2: gnome-ssh-askpass2.c
 -	$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
 +	$(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
 		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
 		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@ -1,8 +1,7 @@
-diff --git a/configure.ac b/configure.ac
+diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
-index 6553074..8dedb95 100644
+--- openssh-6.8p1/configure.ac.vendor	2015-03-18 11:17:56.670880303 +0100
--- a/configure.ac
+++ openssh-6.8p1/configure.ac	2015-03-18 11:17:56.695880243 +0100
-+++ b/configure.ac
+@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog],
@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
 		fi
 	]
 )
@ -15,7 +14,7 @@ index 6553074..8dedb95 100644
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -4938,6 +4944,7 @@ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+@@ -5005,6 +5011,7 @@ echo "           Translate v4 in v6 hack
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
@ -23,11 +22,10 @@ index 6553074..8dedb95 100644
 echo ""
-diff --git a/servconf.c b/servconf.c
+diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
-index e3ebaac..c8a3f28 100644
+--- openssh-6.8p1/servconf.c.vendor	2015-03-17 06:49:20.000000000 +0100
--- a/servconf.c
+++ openssh-6.8p1/servconf.c	2015-03-18 11:19:16.279691126 +0100
-+++ b/servconf.c
+@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
@ -35,7 +33,7 @@ index e3ebaac..c8a3f28 100644
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
-@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
@ -44,16 +42,16 @@ index e3ebaac..c8a3f28 100644
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
-@@ -353,7 +356,7 @@ typedef enum {
+@@ -388,7 +391,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
- 	sMaxStartups, sMaxAuthTries, sMaxSessions,
+ 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 -	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -467,6 +470,7 @@ static struct {
+@@ -504,6 +507,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
@ -61,7 +59,7 @@ index e3ebaac..c8a3f28 100644
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions
 		multistate_ptr = multistate_privsep;
 		goto parse_multistate;
@ -72,7 +70,7 @@ index e3ebaac..c8a3f28 100644
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
+@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
@ -80,11 +78,10 @@ index e3ebaac..c8a3f28 100644
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
-diff --git a/servconf.h b/servconf.h
+diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h
-index 49b228b..21719e2 100644
+--- openssh-6.8p1/servconf.h.vendor	2015-03-17 06:49:20.000000000 +0100
--- a/servconf.h
+++ openssh-6.8p1/servconf.h	2015-03-18 11:17:56.696880241 +0100
-+++ b/servconf.h
+@@ -151,6 +151,7 @@ typedef struct {
@@ -149,6 +149,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
@ -92,11 +89,10 @@ index 49b228b..21719e2 100644
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c
-index afe9afa..193b206 100644
+--- openssh-6.8p1/sshd.c.vendor	2015-03-18 11:17:56.669880305 +0100
--- a/sshd.c
+++ openssh-6.8p1/sshd.c	2015-03-18 11:17:56.697880239 +0100
-+++ b/sshd.c
+@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
 	}
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@ -105,7 +101,7 @@ index afe9afa..193b206 100644
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
-@@ -1677,7 +1677,8 @@ main(int ac, char **av)
+@@ -1737,7 +1737,8 @@ main(int ac, char **av)
 		exit(1);
 	}
@ -115,23 +111,21 @@ index afe9afa..193b206 100644
 #ifdef WITH_OPENSSL
 	    SSLeay_version(SSLEAY_VERSION)
 #else
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config
-index 3092ac6..da3db5d 100644
+--- openssh-6.8p1/sshd_config.vendor	2015-03-18 11:17:56.697880239 +0100
--- a/sshd_config
+++ openssh-6.8p1/sshd_config	2015-03-18 11:20:15.552550274 +0100
-+++ b/sshd_config
+@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Defaul
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 +#ShowPatchLevel no
- #UseDNS yes
+ #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
-diff --git a/sshd_config.0 b/sshd_config.0
+diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
-index 43867d3..a3898c3 100644
+--- openssh-6.8p1/sshd_config.0.vendor	2015-03-18 11:17:56.691880253 +0100
--- a/sshd_config.0
+++ openssh-6.8p1/sshd_config.0	2015-03-18 11:17:56.697880239 +0100
-+++ b/sshd_config.0
+@@ -740,6 +740,11 @@ DESCRIPTION
@@ -700,6 +700,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
@ -143,11 +137,10 @@ index 43867d3..a3898c3 100644
      StreamLocalBindMask
              Sets the octal file creation mode mask (umask) used when creating
              a Unix-domain socket file for local or remote port forwarding.
-diff --git a/sshd_config.5 b/sshd_config.5
+diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5
-index 89a0cf2..cccb310 100644
+--- openssh-6.8p1/sshd_config.5.vendor	2015-03-18 11:17:56.691880253 +0100
--- a/sshd_config.5
+++ openssh-6.8p1/sshd_config.5	2015-03-18 11:17:56.697880239 +0100
-+++ b/sshd_config.5
+@@ -1276,6 +1276,13 @@ This option applies to protocol version
@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
--- a/openssh-6.6.1p1-cisco-dh-keys.patch
+++ b/openssh-6.6.1p1-cisco-dh-keys.patch
@ -1,7 +1,6 @@
-diff --git a/compat.c b/compat.c
+diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
-index 2709dc5..7412a54 100644
+--- openssh-6.8p1/compat.c.cisco-dh	2015-03-17 06:49:20.000000000 +0100
--- a/compat.c
+++ openssh-6.8p1/compat.c	2015-03-19 12:57:58.862606969 +0100
 +++ b/compat.c
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
 					SSH_BUG_SCANNER },
 		{ "Probe-*",
@ -10,10 +9,9 @@ index 2709dc5..7412a54 100644
 		{ NULL,			0 }
 	};
-diff --git a/compat.h b/compat.h
+diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
-index a6c3f3d..d8def7d 100644
+--- openssh-6.8p1/compat.h.cisco-dh	2015-03-17 06:49:20.000000000 +0100
--- a/compat.h
+++ openssh-6.8p1/compat.h	2015-03-19 12:57:58.862606969 +0100
 +++ b/compat.h
@@ -60,6 +60,7 @@
 #define SSH_NEW_OPENSSH		0x04000000
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
@ -22,49 +20,35 @@ index a6c3f3d..d8def7d 100644
 void     enable_compat13(void);
 void     enable_compat20(void);
-diff --git a/kexgexc.c b/kexgexc.c
+diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
-index 355b7ba..0a91bdd 100644
+--- openssh-6.8p1/kexgexc.c.cisco-dh	2015-03-19 12:57:58.862606969 +0100
--- a/kexgexc.c
+++ openssh-6.8p1/kexgexc.c	2015-03-19 13:11:52.320519969 +0100
-+++ b/kexgexc.c
+@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
 	int min, max, nbits;
 	DH *dh;
-+	min = DH_GRP_MIN;
+ 	kex->min = DH_GRP_MIN;
-+	max = DH_GRP_MAX;
+ 	kex->max = DH_GRP_MAX;
 +
 +	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
 + 	 * We need to also ensure that min < nbits < max */
 +
 +	if (datafellows & SSH_BUG_MAX4096DH) {
 +		/* The largest min for these servers is 4096 */
-+		min = MIN(min, 4096);
+		kex->min = MIN(kex->min, 4096);
 +	}
 +
- 	nbits = dh_estimate(kex->dh_need * 8);
+ 	kex->nbits = nbits;
-+	nbits = MIN(nbits, max);
+-	if (ssh->compat & SSH_OLD_DHGEX) {
-+	nbits = MAX(nbits, min);
+	kex->nbits = MIN(nbits, kex->max);
 +	kex->nbits = MAX(nbits, kex->min);
 +
-+	if (datafellows & SSH_BUG_MAX4096DH) {
+	if (ssh->compat & SSH_BUG_MAX4096DH) {
 +		/* Cannot have a nbits > 4096 for these servers */
-+		nbits = MIN(nbits, 4096);
+		kex->nbits = MIN(kex->nbits, 4096);
 +		/* nbits has to be powers of two */
-+		if (nbits == 3072)
+		if (kex->nbits == 3072)
-+			nbits = 4096;
+			kex->nbits = 4096;
 +	}
- 
+	if (ssh->compat & SSH_OLD_DHGEX) {	/* Old GEX request */
 	if (datafellows & SSH_OLD_DHGEX) {
 		/* Old GEX request */
- 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+ 		if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
- 		packet_put_int(nbits);
+ 		    != 0 ||
 -		min = DH_GRP_MIN;
 -		max = DH_GRP_MAX;
 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
 	} else {
 		/* New GEX request */
 -		min = DH_GRP_MIN;
 -		max = DH_GRP_MAX;
 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
 		packet_put_int(min);
 		packet_put_int(nbits);
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -1,7 +1,6 @@
-diff --git a/log.c b/log.c
+diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
-index 32e1d2e..d4caeb5 100644
+--- openssh-6.8p1/log.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
--- a/log.c
+++ openssh-6.8p1/log.c	2015-03-18 12:59:29.694022313 +0100
 +++ b/log.c
@@ -241,6 +241,11 @@ debug3(const char *fmt,...)
 void
 log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
@ -14,7 +13,7 @@ index 32e1d2e..d4caeb5 100644
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
-@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
 		exit(1);
 	}
@ -27,10 +26,9 @@ index 32e1d2e..d4caeb5 100644
 	log_on_stderr = on_stderr;
 	if (on_stderr)
-diff --git a/log.h b/log.h
+diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
-index ae7df25..30c3310 100644
+--- openssh-6.8p1/log.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
--- a/log.h
+++ openssh-6.8p1/log.h	2015-03-18 12:59:29.694022313 +0100
 +++ b/log.h
@@ -49,6 +49,7 @@ typedef enum {
 typedef void (log_handler_fn)(LogLevel, const char *, void *);
@ -39,11 +37,10 @@ index ae7df25..30c3310 100644
 void     log_change_level(LogLevel);
 int      log_is_on_stderr(void);
 void     log_redirect_stderr_to(const char *);
-diff --git a/monitor.c b/monitor.c
+diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
-index 7ebc76e..d97e640 100644
+--- openssh-6.8p1/monitor.c.log-in-chroot	2015-03-18 12:59:29.669022374 +0100
--- a/monitor.c
+++ openssh-6.8p1/monitor.c	2015-03-18 13:01:52.894671198 +0100
-+++ b/monitor.c
+@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 	close(pmonitor->m_log_sendfd);
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -52,7 +49,7 @@ index 7ebc76e..d97e640 100644
 	authctxt = _authctxt;
 	memset(authctxt, 0, sizeof(*authctxt));
-@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
 	close(pmonitor->m_recvfd);
 	pmonitor->m_recvfd = -1;
@ -61,7 +58,7 @@ index 7ebc76e..d97e640 100644
 	monitor_set_child_handler(pmonitor->m_pid);
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
-@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
+@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
 	if (log_level_name(level) == NULL)
 		fatal("%s: invalid log level %u (corrupted message?)",
 		    __func__, level);
@ -70,8 +67,8 @@ index 7ebc76e..d97e640 100644
 	buffer_free(&logmsg);
 	free(msg);
-@@ -2107,13 +2111,28 @@ monitor_init(void)
+@@ -1998,13 +2002,28 @@ monitor_init(void)
- 		mm_init_compression(mon->m_zlib);
+ 		    (ssh_packet_comp_free_func *)mm_zfree);
 	}
 +	mon->m_state = "";
@ -101,13 +98,12 @@ index 7ebc76e..d97e640 100644
 }
 #ifdef GSSAPI
-diff --git a/monitor.h b/monitor.h
+diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
-index ff79fbb..00c2028 100644
+--- openssh-6.8p1/monitor.h.log-in-chroot	2015-03-18 12:59:29.695022310 +0100
--- a/monitor.h
+++ openssh-6.8p1/monitor.h	2015-03-18 13:02:56.926514197 +0100
 +++ b/monitor.h
@@ -83,10 +83,11 @@ struct monitor {
 	struct mm_master	*m_zlib;
- 	struct Kex		**m_pkex;
+ 	struct kex		**m_pkex;
 	pid_t			 m_pid;
 +	char		*m_state;
 };
@ -118,11 +114,10 @@ index ff79fbb..00c2028 100644
 void monitor_sync(struct monitor *);
 struct Authctxt;
-diff --git a/session.c b/session.c
+diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
-index 9c94d8e..40a681e 100644
+--- openssh-6.8p1/session.c.log-in-chroot	2015-03-18 12:59:29.675022359 +0100
--- a/session.c
+++ openssh-6.8p1/session.c	2015-03-18 12:59:29.696022308 +0100
-+++ b/session.c
+@@ -161,6 +161,8 @@ login_cap_t *lc;
@@ -160,6 +160,8 @@ login_cap_t *lc;
 static int is_child = 0;
@ -131,7 +126,7 @@ index 9c94d8e..40a681e 100644
 /* Name and directory of socket for authentication agent forwarding. */
 static char *auth_sock_name = NULL;
 static char *auth_sock_dir = NULL;
-@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
+@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
 		is_child = 1;
 		/* Child.  Reinitialize the log since the pid has changed. */
@ -142,7 +137,7 @@ index 9c94d8e..40a681e 100644
 		/*
 		 * Create a new session and process group since the 4.4BSD
-@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
+@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
 		close(ptymaster);
 		/* Child.  Reinitialize the log because the pid has changed. */
@ -153,7 +148,7 @@ index 9c94d8e..40a681e 100644
 		/* Close the master side of the pseudo tty. */
 		close(ptyfd);
-@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
+@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
 	int ret;
 	const char *forced = NULL;
 	char session_type[1024], *tty = NULL;
@ -161,7 +156,7 @@ index 9c94d8e..40a681e 100644
 	if (options.adm_forced_command) {
 		original_command = command;
-@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
+@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
 			tty += 5;
 	}
@ -172,7 +167,7 @@ index 9c94d8e..40a681e 100644
 	verbose("Starting session: %s%s%s for %s from %.200s port %d",
 	    session_type,
 	    tty == NULL ? "" : " on ",
-@@ -1677,14 +1684,6 @@ child_close_fds(void)
+@@ -1678,14 +1685,6 @@ child_close_fds(void)
 	 * descriptors left by system functions.  They will be closed later.
 	 */
 	endpwent();
@ -187,7 +182,7 @@ index 9c94d8e..40a681e 100644
 }
 /*
-@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
+@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
 			exit(1);
 	}
@ -196,7 +191,7 @@ index 9c94d8e..40a681e 100644
 	if (!options.use_login)
 		do_rc_files(s, shell);
-@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
+@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -215,10 +210,9 @@ index 9c94d8e..40a681e 100644
 	fflush(NULL);
 	if (options.use_login) {
-diff --git a/sftp-server-main.c b/sftp-server-main.c
+diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
-index 7e644ab..e162b7a 100644
+--- openssh-6.8p1/sftp-server-main.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
--- a/sftp-server-main.c
+++ openssh-6.8p1/sftp-server-main.c	2015-03-18 12:59:29.696022308 +0100
 +++ b/sftp-server-main.c
@@ -47,5 +47,5 @@ main(int argc, char **argv)
 		return 1;
 	}
@ -226,11 +220,10 @@ index 7e644ab..e162b7a 100644
 -	return (sftp_server_main(argc, argv, user_pw));
 +	return (sftp_server_main(argc, argv, user_pw, 0));
 }
-diff --git a/sftp-server.c b/sftp-server.c
+diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
-index 0177130..8fa7fc7 100644
+--- openssh-6.8p1/sftp-server.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
--- a/sftp-server.c
+++ openssh-6.8p1/sftp-server.c	2015-03-18 13:03:52.510377911 +0100
-+++ b/sftp-server.c
+@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
@@ -1440,7 +1440,7 @@ sftp_server_usage(void)
 }
 int
@ -238,8 +231,8 @@ index 0177130..8fa7fc7 100644
 +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
 {
 	fd_set *rset, *wset;
- 	int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
+ 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
 	extern char *__progname;
 	__progname = ssh_get_progname(argv[0]);
@ -248,7 +241,7 @@ index 0177130..8fa7fc7 100644
 	pw = pwcopy(user_pw);
-@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
 		}
 	}
@ -257,10 +250,9 @@ index 0177130..8fa7fc7 100644
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/*
-diff --git a/sftp.h b/sftp.h
+diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
-index 2bde8bb..ddf1a39 100644
+--- openssh-6.8p1/sftp.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
--- a/sftp.h
+++ openssh-6.8p1/sftp.h	2015-03-18 12:59:29.696022308 +0100
 +++ b/sftp.h
@@ -97,5 +97,5 @@
 struct passwd;
@ -268,11 +260,10 @@ index 2bde8bb..ddf1a39 100644
 -int	sftp_server_main(int, char **, struct passwd *);
 +int	sftp_server_main(int, char **, struct passwd *, int);
 void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
-index 39b9c08..ca55d7f 100644
+--- openssh-6.8p1/sshd.c.log-in-chroot	2015-03-18 12:59:29.691022320 +0100
--- a/sshd.c
+++ openssh-6.8p1/sshd.c	2015-03-18 12:59:29.697022305 +0100
-+++ b/sshd.c
+@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
 	}
 	/* New socket pair */
@ -281,7 +272,7 @@ index 39b9c08..ca55d7f 100644
 	pmonitor->m_pid = fork();
 	if (pmonitor->m_pid == -1)
-@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
--- a/openssh-6.6.1p1-partial-success.patch
+++ b/openssh-6.6.1p1-partial-success.patch
@ -1,16 +0,0 @@
 diff --git a/auth2.c b/auth2.c
 index d9b440a..ec0bf12 100644
 --- a/auth2.c
 +++ b/auth2.c
@@ -355,8 +355,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 		authctxt->success = 1;
 	} else {
 -		/* Allow initial try of "none" auth without failure penalty */
 -		if (!authctxt->server_caused_failure &&
 +		/* Allow initial try of "none" auth without failure penalty
 +		 * Partial succes is not failure */
 +		if (!authctxt->server_caused_failure && !partial &&
 		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
 			authctxt->failures++;
 		if (authctxt->failures >= options.max_authtries) {
--- a/openssh-6.6.1p1-utf8-banner.patch
+++ b/openssh-6.6.1p1-utf8-banner.patch
@ -1,21 +1,19 @@
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in
-index 2ad26ff..0f0d39f 100644
+--- openssh-6.8p1/Makefile.in.utf8-banner	2015-03-18 12:41:28.174713188 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-18 12:45:52.723048114 +0100
-+++ b/Makefile.in
+@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -81,7 +81,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- 	ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+ 	ssh-pkcs11.o smult_curve25519_ref.o \
- 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
+ 	poly1305.o chacha.o cipher-chachapoly.o \
-	ssh-ed25519.o digest-openssl.o hmac.o \
+-	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
-+	ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \
+	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \
- 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
+ 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
- 
+ 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+ 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-diff --git a/misc.h b/misc.h
+diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h
-index d4df619..d98b83d 100644
+--- openssh-6.8p1/misc.h.utf8-banner	2015-03-17 06:49:20.000000000 +0100
--- a/misc.h
+++ openssh-6.8p1/misc.h	2015-03-18 12:41:28.175713185 +0100
-+++ b/misc.h
+@@ -135,4 +135,7 @@ char	*read_passphrase(const char *, int)
@@ -106,4 +106,7 @@ char	*read_passphrase(const char *, int);
 int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
@ -23,10 +21,9 @@ index d4df619..d98b83d 100644
 +int utf8_stringprep(const char *, char *, size_t);
 +
 #endif /* _MISC_H */
-diff --git a/sshconnect2.c b/sshconnect2.c
+diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
-index b00658b..08064f4 100644
+--- openssh-6.8p1/sshconnect2.c.utf8-banner	2015-03-18 12:41:28.161713220 +0100
--- a/sshconnect2.c
+++ openssh-6.8p1/sshconnect2.c	2015-03-18 12:44:05.483317714 +0100
 +++ b/sshconnect2.c
@@ -33,6 +33,8 @@
 #include <errno.h>
@ -36,8 +33,8 @@ index b00658b..08064f4 100644
 #include <netdb.h>
 #include <pwd.h>
 #include <signal.h>
-@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
+@@ -532,21 +534,51 @@ input_userauth_error(int type, u_int32_t
- 	    "type %d", type);
+ 	return 0;
 }
 +/* Check whether we can display UTF-8 safely */
@ -56,7 +53,7 @@ index b00658b..08064f4 100644
 +}
 +
 /* ARGSUSED */
- void
+ int
 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 {
 	char *msg, *raw, *lang;
@ -90,11 +87,9 @@ index b00658b..08064f4 100644
 		fprintf(stderr, "%s", msg);
 		free(msg);
 	}
-diff --git a/stringprep-tables.c b/stringprep-tables.c
+diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c
-new file mode 100644
+--- openssh-6.8p1/stringprep-tables.c.utf8-banner	2015-03-18 12:41:28.175713185 +0100
-index 0000000..49f4d9d
+++ openssh-6.8p1/stringprep-tables.c	2015-03-18 12:41:28.175713185 +0100
 --- /dev/null
 +++ b/stringprep-tables.c
@@ -0,0 +1,661 @@
 +/* Public domain.  */
 +
@ -757,11 +752,9 @@ index 0000000..49f4d9d
 +	{ 0xE0020, 0xE007F },
 +};
 +
-diff --git a/utf8_stringprep.c b/utf8_stringprep.c
+diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
-new file mode 100644
+--- openssh-6.8p1/utf8_stringprep.c.utf8-banner	2015-03-18 12:41:28.175713185 +0100
-index 0000000..bcafae7
+++ openssh-6.8p1/utf8_stringprep.c	2015-03-18 12:41:28.175713185 +0100
 --- /dev/null
 +++ b/utf8_stringprep.c
@@ -0,0 +1,229 @@
 +/*
 + * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@ -1,8 +1,7 @@
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c
-index 961c564..0fcfd7b 100644
+--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users	2015-03-18 13:04:21.505306818 +0100
--- a/gss-serv-krb5.c
+++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 13:04:21.527306764 +0100
-+++ b/gss-serv-krb5.c
+@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
 	FILE *fp;
 	char file[MAXPATHLEN];
 	char line[BUFSIZ] = "";
@ -10,7 +9,7 @@ index 961c564..0fcfd7b 100644
 	struct stat st;
 	struct passwd *pw = the_authctxt->pw;
 	int found_principal = 0;
-@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
@ -19,19 +18,18 @@ index 961c564..0fcfd7b 100644
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
 	}
-diff --git a/servconf.c b/servconf.c
+diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
-index e4164b1..87a311b 100644
+--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users	2015-03-18 13:04:21.516306791 +0100
--- a/servconf.c
+++ openssh-6.8p1/servconf.c	2015-03-18 13:05:26.846146608 +0100
-+++ b/servconf.c
+@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 	options->use_kuserok = -1;
 +	options->enable_k5users = -1;
 }
- void
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
@ -40,16 +38,16 @@ index e4164b1..87a311b 100644
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = PRIVSEP_NOSANDBOX;
-@@ -371,7 +374,7 @@ typedef enum {
+@@ -406,7 +409,7 @@ typedef enum {
 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -447,6 +450,7 @@ static struct {
+@@ -484,6 +487,7 @@ static struct {
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -57,7 +55,7 @@ index e4164b1..87a311b 100644
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-@@ -454,6 +458,7 @@ static struct {
+@@ -491,6 +495,7 @@ static struct {
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@ -65,7 +63,7 @@ index e4164b1..87a311b 100644
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_kuserok;
 		goto parse_flag;
@ -76,7 +74,7 @@ index e4164b1..87a311b 100644
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(use_kuserok);
@ -84,7 +82,7 @@ index e4164b1..87a311b 100644
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
+@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -92,11 +90,10 @@ index e4164b1..87a311b 100644
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff --git a/servconf.h b/servconf.h
+diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
-index cf2a505..070a8ed 100644
+--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
--- a/servconf.h
+++ openssh-6.8p1/servconf.h	2015-03-18 13:04:21.528306762 +0100
-+++ b/servconf.h
+@@ -177,7 +177,8 @@ typedef struct {
@@ -175,7 +175,8 @@ typedef struct {
 	int	num_permitted_opens;
@ -106,10 +103,9 @@ index cf2a505..070a8ed 100644
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config
-index 0d9454d..e731de1 100644
+--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
--- a/sshd_config
+++ openssh-6.8p1/sshd_config	2015-03-18 13:04:21.528306762 +0100
 +++ b/sshd_config
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
@ -118,11 +114,10 @@ index 0d9454d..e731de1 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-diff --git a/sshd_config.5 b/sshd_config.5
+diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
-index eb4dd9e..ce1229b 100644
+--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
--- a/sshd_config.5
+++ openssh-6.8p1/sshd_config.5	2015-03-18 13:04:21.528306762 +0100
-+++ b/sshd_config.5
+@@ -576,6 +576,12 @@ on logout.
@@ -548,6 +548,12 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@ -1,7 +1,6 @@
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
-index b225217..bbc3034 100644
+--- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
 +++ b/Makefile.in
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
@ -18,8 +17,8 @@ index b225217..bbc3034 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 LIBOPENSSH_OBJS=\
- 	ssherr.o \
+ 	ssh_api.o \
-@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
+@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
 ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
 	$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@ -29,7 +28,7 @@ index b225217..bbc3034 100644
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -310,6 +314,7 @@ install-files:
+@@ -326,6 +330,7 @@ install-files:
 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
@ -37,11 +36,9 @@ index b225217..bbc3034 100644
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
-new file mode 100644
+--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs	2015-03-18 11:22:05.521288952 +0100
-index 0000000..bbcbe8a
+++ openssh-6.8p1/ctr-cavstest.c	2015-03-18 11:22:05.521288952 +0100
 --- /dev/null
 +++ b/ctr-cavstest.c
@@ -0,0 +1,208 @@
 +/*
 + *
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@ -1,8 +1,6 @@
-diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat
+diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
-new file mode 100644
+--- openssh-6.8p1/HOWTO.ssh-keycat.keycat	2015-03-18 11:13:43.063482958 +0100
-index 0000000..630ec62
+++ openssh-6.8p1/HOWTO.ssh-keycat	2015-03-18 11:13:43.063482958 +0100
 --- /dev/null
 +++ b/HOWTO.ssh-keycat
@@ -0,0 +1,12 @@
 +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
 +of an user in any environment. This includes environments with
@ -16,10 +14,9 @@ index 0000000..630ec62
 +        PubkeyAuthentication yes
 +
 +
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
-index f02aa1e..b225217 100644
+--- openssh-6.8p1/Makefile.in.keycat	2015-03-18 11:13:43.061482963 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:14:22.480389291 +0100
 +++ b/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -36,10 +33,10 @@ index f02aa1e..b225217 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 LIBOPENSSH_OBJS=\
- 	ssherr.o \
+ 	ssh_api.o \
-@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
- 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
 +	$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@ -47,7 +44,7 @@ index f02aa1e..b225217 100644
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -305,6 +309,7 @@ install-files:
+@@ -321,6 +325,7 @@ install-files:
 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 	fi
@ -55,11 +52,10 @@ index f02aa1e..b225217 100644
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c
-index 12f5afd..269e642 100644
+--- openssh-6.8p1/auth2-pubkey.c.keycat	2015-03-18 11:13:43.053482982 +0100
--- a/auth2-pubkey.c
+++ openssh-6.8p1/auth2-pubkey.c	2015-03-18 11:13:43.063482958 +0100
-+++ b/auth2-pubkey.c
+@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd
@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 			_exit(1);
 		}
@ -74,10 +70,9 @@ index 12f5afd..269e642 100644
 		execl(options.authorized_keys_command,
 		    options.authorized_keys_command, user_pw->pw_name, NULL);
-diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c
-index 265bd3a..8f32464 100644
+--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat	2015-03-18 11:13:43.057482972 +0100
--- a/openbsd-compat/port-linux-sshd.c
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c	2015-03-18 11:13:43.063482958 +0100
 +++ b/openbsd-compat/port-linux-sshd.c
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
 extern int inetd_flag;
 extern int rexeced_flag;
@ -153,7 +148,7 @@ index 265bd3a..8f32464 100644
 /* Set the execution context to the default for the specified user */
 void
 sshd_selinux_setup_exec_context(char *pwname)
-@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pw
 	int r = 0;
 	security_context_t default_ctx = NULL;
@ -171,11 +166,10 @@ index 265bd3a..8f32464 100644
 		return;
 	if (getexeccon((security_context_t *)&ctx) != 0) {
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h
-index b18893c..cb51f99 100644
+--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat	2015-03-18 11:13:43.057482972 +0100
--- a/openbsd-compat/port-linux.h
+++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 11:13:43.063482958 +0100
-+++ b/openbsd-compat/port-linux.h
+@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
@ -186,11 +180,10 @@ index b18893c..cb51f99 100644
 #endif
 #ifdef LINUX_OOM_ADJUST
-diff --git a/platform.c b/platform.c
+diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
-index 84c47fa..6d876cb 100644
+--- openssh-6.8p1/platform.c.keycat	2015-03-18 11:13:43.055482977 +0100
--- a/platform.c
+++ openssh-6.8p1/platform.c	2015-03-18 11:13:43.063482958 +0100
-+++ b/platform.c
+@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
 {
 #ifdef WITH_SELINUX
 	/* Cache selinux status for later use */
@ -199,11 +192,9 @@ index 84c47fa..6d876cb 100644
 #endif
 #ifdef USE_SOLARIS_PROJECTS
-diff --git a/ssh-keycat.c b/ssh-keycat.c
+diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c
-new file mode 100644
+--- openssh-6.8p1/ssh-keycat.c.keycat	2015-03-18 11:13:43.064482956 +0100
-index 0000000..f8ed7af
+++ openssh-6.8p1/ssh-keycat.c	2015-03-18 11:13:43.064482956 +0100
 --- /dev/null
 +++ b/ssh-keycat.c
@@ -0,0 +1,238 @@
 +/*
 + * Redistribution and use in source and binary forms, with or without
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -1,7 +1,6 @@
-diff --git a/auth-krb5.c b/auth-krb5.c
+diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
-index 0089b18..8480261 100644
+--- openssh-6.8p1/auth-krb5.c.kuserok	2015-03-17 06:49:20.000000000 +0100
--- a/auth-krb5.c
+++ openssh-6.8p1/auth-krb5.c	2015-03-18 12:37:14.349351304 +0100
 +++ b/auth-krb5.c
@@ -55,6 +55,21 @@
 extern ServerOptions	 options;
@ -24,7 +23,7 @@ index 0089b18..8480261 100644
 static int
 krb5_init(void *context)
 {
-@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -36,11 +35,10 @@ index 0089b18..8480261 100644
 		problem = -1;
 		goto out;
 	}
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
-index 54dd383..961c564 100644
+--- openssh-6.8p1/gss-serv-krb5.c.kuserok	2015-03-18 12:37:14.346351312 +0100
--- a/gss-serv-krb5.c
+++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 12:37:14.349351304 +0100
-+++ b/gss-serv-krb5.c
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
     int);
 static krb5_context krb_context = NULL;
@ -152,7 +150,7 @@ index 54dd383..961c564 100644
 static int
 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 {
-@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
 	/* NOTE: .k5login and .k5users must opened as root, not the user,
 	 * because if they are on a krb5-protected filesystem, user credentials
 	 * to access these files aren't available yet. */
@ -162,7 +160,7 @@ index 54dd383..961c564 100644
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 		    name, (char *)client->displayname.value);
-@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
 	if (!k5login_exists && (access(file, F_OK) == -1)) {
@ -174,19 +172,18 @@ index 54dd383..961c564 100644
 	}
 	if ((fp = fopen(file, "r")) == NULL) {
 		int saved_errno = errno;
-diff --git a/servconf.c b/servconf.c
+diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
-index 179c20d..d17ed04 100644
+--- openssh-6.8p1/servconf.c.kuserok	2015-03-18 12:37:14.342351322 +0100
--- a/servconf.c
+++ openssh-6.8p1/servconf.c	2015-03-18 12:38:36.133145700 +0100
-+++ b/servconf.c
+@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 +	options->use_kuserok = -1;
 }
- void
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -195,8 +192,8 @@ index 179c20d..d17ed04 100644
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = PRIVSEP_NOSANDBOX;
-@@ -353,7 +356,7 @@ typedef enum {
+@@ -388,7 +391,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken,
@ -204,7 +201,7 @@ index 179c20d..d17ed04 100644
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -427,11 +430,13 @@ static struct {
+@@ -464,11 +467,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -218,7 +215,7 @@ index 179c20d..d17ed04 100644
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -229,7 +226,7 @@ index 179c20d..d17ed04 100644
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
@ -237,7 +234,7 @@ index 179c20d..d17ed04 100644
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
+@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -245,11 +242,10 @@ index 179c20d..d17ed04 100644
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff --git a/servconf.h b/servconf.h
+diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
-index 397698b..cf2a505 100644
+--- openssh-6.8p1/servconf.h.kuserok	2015-03-18 12:37:14.342351322 +0100
--- a/servconf.h
+++ openssh-6.8p1/servconf.h	2015-03-18 12:37:14.350351302 +0100
-+++ b/servconf.h
+@@ -177,6 +177,7 @@ typedef struct {
@@ -175,6 +175,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -257,10 +253,9 @@ index 397698b..cf2a505 100644
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config
-index f4796fc..0d9454d 100644
+--- openssh-6.8p1/sshd_config.kuserok	2015-03-18 12:37:14.344351317 +0100
--- a/sshd_config
+++ openssh-6.8p1/sshd_config	2015-03-18 12:37:14.350351302 +0100
 +++ b/sshd_config
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
@ -269,11 +264,10 @@ index f4796fc..0d9454d 100644
 # GSSAPI options
 GSSAPIAuthentication yes
-diff --git a/sshd_config.5 b/sshd_config.5
+diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
-index 8ad79d9..eb4dd9e 100644
+--- openssh-6.8p1/sshd_config.5.kuserok	2015-03-18 12:37:14.343351319 +0100
--- a/sshd_config.5
+++ openssh-6.8p1/sshd_config.5	2015-03-18 12:39:23.373026939 +0100
-+++ b/sshd_config.5
+@@ -779,6 +779,10 @@ Specifies whether to automatically destr
@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
 file on logout.
 The default is
 .Dq yes .
@ -284,8 +278,8 @@ index 8ad79d9..eb4dd9e 100644
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -961,6 +965,7 @@ Available keywords are
+@@ -1017,6 +1021,7 @@ Available keywords are
- .Cm HostbasedUsesNameFromPacketOnly ,
+ .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 +.Cm KerberosUseKuserok ,
--- a/openssh-6.6p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@ -1,7 +1,6 @@
-diff --git a/auth-pam.c b/auth-pam.c
+diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c
-index d789bad..cd1a775 100644
+--- openssh-6.8p1/auth-pam.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth-pam.c
+++ openssh-6.8p1/auth-pam.c	2015-03-18 11:04:21.045817122 +0100
 +++ b/auth-pam.c
@@ -1068,7 +1068,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
@ -11,10 +10,9 @@ index d789bad..cd1a775 100644
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
-diff --git a/auth-pam.h b/auth-pam.h
+diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h
-index a1a2b52..b109a5a 100644
+--- openssh-6.8p1/auth-pam.h.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth-pam.h
+++ openssh-6.8p1/auth-pam.h	2015-03-18 11:04:21.045817122 +0100
 +++ b/auth-pam.h
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
@ -24,11 +22,10 @@ index a1a2b52..b109a5a 100644
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
-diff --git a/auth.h b/auth.h
+diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h
-index d081c94..847cffd 100644
+--- openssh-6.8p1/auth.h.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth.h
+++ openssh-6.8p1/auth.h	2015-03-18 11:04:21.045817122 +0100
-+++ b/auth.h
+@@ -62,6 +62,9 @@ struct Authctxt {
@@ -59,6 +59,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
@ -38,11 +35,10 @@ index d081c94..847cffd 100644
 	void		*kbdintctxt;
 	char		*info;		/* Extra info for next auth_log */
 #ifdef BSD_AUTH
-diff --git a/auth1.c b/auth1.c
+diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c
-index 5038828..f0a98d2 100644
+--- openssh-6.8p1/auth1.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth1.c
+++ openssh-6.8p1/auth1.c	2015-03-18 11:04:21.046817119 +0100
-+++ b/auth1.c
+@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
@ -52,7 +48,7 @@ index 5038828..f0a98d2 100644
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
-@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
+@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
@ -77,11 +73,10 @@ index 5038828..f0a98d2 100644
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff --git a/auth2-gss.c b/auth2-gss.c
+diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c
-index 447f896..4803e7e 100644
+--- openssh-6.8p1/auth2-gss.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth2-gss.c
+++ openssh-6.8p1/auth2-gss.c	2015-03-18 11:04:21.046817119 +0100
-+++ b/auth2-gss.c
+@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
@ -89,7 +84,7 @@ index 447f896..4803e7e 100644
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
-@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
@ -104,7 +99,7 @@ index 447f896..4803e7e 100644
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
-@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
@ -113,11 +108,10 @@ index 447f896..4803e7e 100644
 	free(mic.value);
 	authctxt->postponed = 0;
-diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c
-index b7ae353..41f1a3f 100644
+--- openssh-6.8p1/auth2-hostbased.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth2-hostbased.c
+++ openssh-6.8p1/auth2-hostbased.c	2015-03-18 11:04:21.046817119 +0100
-+++ b/auth2-hostbased.c
+@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt)
@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -134,11 +128,10 @@ index b7ae353..41f1a3f 100644
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c
-index 3f4f789..12f5afd 100644
+--- openssh-6.8p1/auth2-pubkey.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth2-pubkey.c
+++ openssh-6.8p1/auth2-pubkey.c	2015-03-18 11:04:21.046817119 +0100
-+++ b/auth2-pubkey.c
+@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -152,11 +145,10 @@ index 3f4f789..12f5afd 100644
 		buffer_put_cstring(&b, userstyle);
 		free(userstyle);
 		buffer_put_cstring(&b,
-diff --git a/auth2.c b/auth2.c
+diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
-index d9b440a..d6fbc93 100644
+--- openssh-6.8p1/auth2.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/auth2.c
+++ openssh-6.8p1/auth2.c	2015-03-18 11:04:21.046817119 +0100
-+++ b/auth2.c
+@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
@ -166,7 +158,7 @@ index d9b440a..d6fbc93 100644
 	int authenticated = 0;
 	if (authctxt == NULL)
-@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -178,7 +170,7 @@ index d9b440a..d6fbc93 100644
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
-@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
@ -195,10 +187,9 @@ index d9b440a..d6fbc93 100644
 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
 			packet_disconnect("no authentication methods enabled");
-diff --git a/misc.c b/misc.c
+diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
-index 94b05b0..651c21b 100644
+--- openssh-6.8p1/misc.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/misc.c
+++ openssh-6.8p1/misc.c	2015-03-18 11:04:21.046817119 +0100
 +++ b/misc.c
@@ -431,6 +431,7 @@ char *
 colon(char *cp)
 {
@ -221,11 +212,10 @@ index 94b05b0..651c21b 100644
 	}
 	return NULL;
 }
-diff --git a/monitor.c b/monitor.c
+diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
-index dbe29f1..d3f87e1 100644
+--- openssh-6.8p1/monitor.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/monitor.c
+++ openssh-6.8p1/monitor.c	2015-03-18 11:04:21.047817117 +0100
-+++ b/monitor.c
+@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@ -235,7 +225,7 @@ index dbe29f1..d3f87e1 100644
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -245,7 +235,7 @@ index dbe29f1..d3f87e1 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -255,7 +245,7 @@ index dbe29f1..d3f87e1 100644
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 #ifdef USE_PAM
-@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
@ -281,7 +271,7 @@ index dbe29f1..d3f87e1 100644
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
-@@ -1241,7 +1269,7 @@ static int
+@@ -1291,7 +1319,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
@ -290,7 +280,7 @@ index dbe29f1..d3f87e1 100644
 	u_int len;
 	int fail = 0;
-@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
+@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_cstring(&b, NULL);
@ -299,7 +289,7 @@ index dbe29f1..d3f87e1 100644
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
@ -308,7 +298,7 @@ index dbe29f1..d3f87e1 100644
 	u_int len;
 	int fail = 0;
-@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_cstring(&b, NULL);
@ -317,10 +307,9 @@ index dbe29f1..d3f87e1 100644
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-diff --git a/monitor.h b/monitor.h
+diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h
-index 5bc41b5..20e2b4a 100644
+--- openssh-6.8p1/monitor.h.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/monitor.h
+++ openssh-6.8p1/monitor.h	2015-03-18 11:04:21.047817117 +0100
 +++ b/monitor.h
@@ -57,6 +57,10 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
 	MONITOR_REQ_TERM = 50,
@ -332,11 +321,10 @@ index 5bc41b5..20e2b4a 100644
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
 	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-diff --git a/monitor_wrap.c b/monitor_wrap.c
+diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c
-index 45dc169..82f114c 100644
+--- openssh-6.8p1/monitor_wrap.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/monitor_wrap.c
+++ openssh-6.8p1/monitor_wrap.c	2015-03-18 11:04:21.047817117 +0100
-+++ b/monitor_wrap.c
+@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char *
@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
 	buffer_free(&m);
 }
@ -362,13 +350,12 @@ index 45dc169..82f114c 100644
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff --git a/monitor_wrap.h b/monitor_wrap.h
+diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
-index 18c2501..9d5e5ba 100644
+--- openssh-6.8p1/monitor_wrap.h.role-mls	2015-03-18 11:04:21.047817117 +0100
--- a/monitor_wrap.h
+++ openssh-6.8p1/monitor_wrap.h	2015-03-18 11:10:32.343936171 +0100
 +++ b/monitor_wrap.h
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
- int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+ int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
 void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);
@ -376,11 +363,10 @@ index 18c2501..9d5e5ba 100644
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
+diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in
-index ab1a3e3..843225d 100644
+--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/openbsd-compat/Makefile.in
+++ openssh-6.8p1/openbsd-compat/Makefile.in	2015-03-18 11:04:21.047817117 +0100
-+++ b/openbsd-compat/Makefile.in
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
 COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
@ -389,11 +375,9 @@ index ab1a3e3..843225d 100644
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
-new file mode 100644
+--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls	2015-03-18 11:04:21.048817114 +0100
-index 0000000..6310717
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c	2015-03-18 11:04:21.048817114 +0100
 --- /dev/null
 +++ b/openbsd-compat/port-linux-sshd.c
@@ -0,0 +1,415 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -810,10 +794,9 @@ index 0000000..6310717
 +#endif
 +#endif
 +
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c
-index 4637a7a..22ea8ef 100644
+--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/openbsd-compat/port-linux.c
+++ openssh-6.8p1/openbsd-compat/port-linux.c	2015-03-18 11:04:21.048817114 +0100
 +++ b/openbsd-compat/port-linux.c
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
 	return sc;
 }
@ -852,10 +835,9 @@ index 4637a7a..22ea8ef 100644
 /* Set the TTY context for the specified user */
 void
 ssh_selinux_setup_pty(char *pwname, const char *tty)
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h
-index e3d1004..8ef6cc4 100644
+--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/openbsd-compat/port-linux.h
+++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 11:04:21.048817114 +0100
 +++ b/openbsd-compat/port-linux.h
@@ -22,9 +22,10 @@
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
@ -868,11 +850,10 @@ index e3d1004..8ef6cc4 100644
 #endif
 #ifdef LINUX_OOM_ADJUST
-diff --git a/platform.c b/platform.c
+diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
-index ee313da..84c47fa 100644
+--- openssh-6.8p1/platform.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/platform.c
+++ openssh-6.8p1/platform.c	2015-03-18 11:04:21.048817114 +0100
-+++ b/platform.c
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@ -881,11 +862,10 @@ index ee313da..84c47fa 100644
 #endif
 }
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c
-index 481d001..41b317b 100644
+--- openssh-6.8p1/sshd.c.role-mls	2015-03-17 06:49:20.000000000 +0100
--- a/sshd.c
+++ openssh-6.8p1/sshd.c	2015-03-18 11:04:21.048817114 +0100
-+++ b/sshd.c
+@@ -2220,6 +2220,9 @@ main(int ac, char **av)
@@ -2144,6 +2144,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
--- a/openssh-6.6p1-set_remote_ipaddr.patch
+++ b/openssh-6.6p1-set_remote_ipaddr.patch
@ -1,8 +1,7 @@
-diff --git a/canohost.c b/canohost.c
+diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c
-index 97ce58c..1f9320a 100644
+--- openssh-6.8p1/canohost.c.set_remote_ipaddr	2015-03-18 12:40:03.702925550 +0100
--- a/canohost.c
+++ openssh-6.8p1/canohost.c	2015-03-18 12:40:03.749925432 +0100
-+++ b/canohost.c
+@@ -349,6 +349,21 @@ clear_cached_addr(void)
@@ -338,6 +338,21 @@ clear_cached_addr(void)
 	cached_port = -1;
 }
@ -24,7 +23,7 @@ index 97ce58c..1f9320a 100644
 /*
  * Returns the IP-address of the remote host as a string.  The returned
  * string must not be freed.
-@@ -347,17 +362,9 @@ const char *
+@@ -358,17 +373,9 @@ const char *
 get_remote_ipaddr(void)
 {
 	/* Check whether we have cached the ipaddr. */
@ -45,10 +44,9 @@ index 97ce58c..1f9320a 100644
 	return canonical_host_ip;
 }
-diff --git a/canohost.h b/canohost.h
+diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h
-index 4c8636f..4079953 100644
+--- openssh-6.8p1/canohost.h.set_remote_ipaddr	2015-03-17 06:49:20.000000000 +0100
--- a/canohost.h
+++ openssh-6.8p1/canohost.h	2015-03-18 12:40:03.749925432 +0100
 +++ b/canohost.h
@@ -13,6 +13,7 @@
  */
@ -57,19 +55,18 @@ index 4c8636f..4079953 100644
 const char	*get_remote_ipaddr(void);
 const char	*get_remote_name_or_ip(u_int, int);
-diff --git a/sshconnect.c b/sshconnect.c
+diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
-index e636f33..451a58b 100644
+--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr	2015-03-17 06:49:20.000000000 +0100
--- a/sshconnect.c
+++ openssh-6.8p1/sshconnect.c	2015-03-18 12:40:58.096788804 +0100
-+++ b/sshconnect.c
+@@ -65,6 +65,7 @@
@@ -62,6 +62,7 @@
 #include "monitor_fdpass.h"
 #include "ssh2.h"
 #include "version.h"
 #include "authfile.h"
 #include "ssherr.h"
 +#include "canohost.h"
 char *client_version_string = NULL;
 char *server_version_string = NULL;
-@@ -170,6 +171,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port,
+@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos
 	/* Set the connection file descriptors. */
 	packet_set_connection(sock, sock);
@ -77,7 +74,7 @@ index e636f33..451a58b 100644
 	return 0;
 }
-@@ -492,6 +494,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
+@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str
 	/* Set the connection. */
 	packet_set_connection(sock, sock);
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@ -1,8 +1,7 @@
-diff --git a/auth-pam.c b/auth-pam.c
+diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
-index cd1a775..2fff267 100644
+--- openssh-6.8p1/auth-pam.c.coverity	2015-03-18 17:21:51.792265051 +0100
--- a/auth-pam.c
+++ openssh-6.8p1/auth-pam.c	2015-03-18 17:21:51.895264835 +0100
-+++ b/auth-pam.c
+@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void **value)
 	if (sshpam_thread_status != -1)
 		return (sshpam_thread_status);
 	signal(SIGCHLD, sshpam_oldsig);
@ -16,11 +15,10 @@ index cd1a775..2fff267 100644
 	return (status);
 }
 #endif
-diff --git a/channels.c b/channels.c
+diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
-index 51a221d..0ef1d90 100644
+--- openssh-6.8p1/channels.c.coverity	2015-03-18 17:21:51.815265002 +0100
--- a/channels.c
+++ openssh-6.8p1/channels.c	2015-03-18 17:21:51.896264833 +0100
-+++ b/channels.c
+@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
@@ -239,11 +239,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
@ -35,7 +33,7 @@ index 51a221d..0ef1d90 100644
 		fcntl(efd, F_SETFD, FD_CLOEXEC);
 	c->rfd = rfd;
-@@ -261,11 +261,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
 	/* enable nonblocking mode */
 	if (nonblock) {
@ -50,7 +48,7 @@ index 51a221d..0ef1d90 100644
 			set_nonblock(efd);
 	}
 }
-@@ -3959,13 +3959,13 @@ connect_local_xsocket_path(const char *pathname, int len)
+@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p
 	int sock;
 	struct sockaddr_un addr;
@ -66,35 +64,10 @@ index 51a221d..0ef1d90 100644
 	if (len > sizeof addr.sun_path)
 		len = sizeof addr.sun_path;
 	memcpy(addr.sun_path, pathname, len);
-diff --git a/clientloop.c b/clientloop.c
+diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c
-index 20ce0b5..65cb26a 100644
+--- openssh-6.8p1/entropy.c.coverity	2015-03-18 17:21:51.891264843 +0100
--- a/clientloop.c
+++ openssh-6.8p1/entropy.c	2015-03-18 17:21:51.897264831 +0100
-+++ b/clientloop.c
+@@ -46,6 +46,7 @@
@@ -2090,15 +2090,16 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
 {
 	char *rtype;
 	int want_reply;
 -	int success = 0;
 +/*	int success = 0;
 + success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
 	rtype = packet_get_string(NULL);
 	want_reply = packet_get_char();
 	debug("client_input_global_request: rtype %s want_reply %d",
 	    rtype, want_reply);
 	if (want_reply) {
 -		packet_start(success ?
 -		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
 +		packet_start(/*success ?
 +		    SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
 		packet_send();
 		packet_write_wait();
 	}
 diff --git a/entropy.c b/entropy.c
 index 06b0095..a4097da 100644
 --- a/entropy.c
 +++ b/entropy.c
@@ -44,6 +44,7 @@
 #include <openssl/err.h>
 #include "openbsd-compat/openssl-compat.h"
@ -102,11 +75,10 @@ index 06b0095..a4097da 100644
 #include "ssh.h"
 #include "misc.h"
-diff --git a/monitor.c b/monitor.c
+diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
-index 07fa655..b8e6e06 100644
+--- openssh-6.8p1/monitor.c.coverity	2015-03-18 17:21:51.887264852 +0100
--- a/monitor.c
+++ openssh-6.8p1/monitor.c	2015-03-18 17:21:51.897264831 +0100
-+++ b/monitor.c
+@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
@@ -488,7 +488,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 	mm_get_keystate(pmonitor);
 	/* Drain any buffered messages from the child */
@ -115,7 +87,7 @@ index 07fa655..b8e6e06 100644
 		;
 	close(pmonitor->m_sendfd);
-@@ -1276,6 +1276,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
+@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
 			break;
 		}
 	}
@ -126,7 +98,7 @@ index 07fa655..b8e6e06 100644
 	if (key != NULL)
 		key_free(key);
-@@ -1297,9 +1301,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
+@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
 		free(chost);
 	}
@ -136,11 +108,10 @@ index 07fa655..b8e6e06 100644
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
-diff --git a/monitor_wrap.c b/monitor_wrap.c
+diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
-index ba4ecd7..b3e4ca1 100644
+--- openssh-6.8p1/monitor_wrap.c.coverity	2015-03-18 17:21:51.888264849 +0100
--- a/monitor_wrap.c
+++ openssh-6.8p1/monitor_wrap.c	2015-03-18 17:21:51.897264831 +0100
-+++ b/monitor_wrap.c
+@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
@@ -749,10 +749,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
 		error("%s: cannot allocate fds for pty", __func__);
@ -154,11 +125,10 @@ index ba4ecd7..b3e4ca1 100644
 		return 0;
 	}
 	close(tmp1);
-diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
+diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
-index c89f214..80115c2 100644
+--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity	2015-03-17 06:49:20.000000000 +0100
--- a/openbsd-compat/bindresvport.c
+++ openssh-6.8p1/openbsd-compat/bindresvport.c	2015-03-18 17:21:51.897264831 +0100
-+++ b/openbsd-compat/bindresvport.c
+@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
 	u_int16_t port;
@ -167,10 +137,9 @@ index c89f214..80115c2 100644
 	int i;
 	if (sa == NULL) {
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
-index 8b7cda2..e2ca8a1 100644
+--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity	2015-03-18 17:21:51.861264906 +0100
--- a/openbsd-compat/port-linux.h
+++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 17:21:51.897264831 +0100
 +++ b/openbsd-compat/port-linux.h
@@ -37,4 +37,6 @@ void oom_adjust_restore(void);
 void oom_adjust_setup(void);
 #endif
@ -178,23 +147,10 @@ index 8b7cda2..e2ca8a1 100644
 +void linux_seed(void);
 +
 #endif /* ! _PORT_LINUX_H */
-diff --git a/packet.c b/packet.c
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
-index 8ec353e..dbc2c33 100644
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity	2015-03-18 17:21:51.788265059 +0100
--- a/packet.c
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c	2015-03-18 17:21:51.898264829 +0100
-+++ b/packet.c
+@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw,
@@ -1246,6 +1246,7 @@ packet_read_poll1(void)
 		case DEATTACK_DETECTED:
 			packet_disconnect("crc32 compensation attack: "
 			    "network attack detected");
 +			break;
 		case DEATTACK_DOS_DETECTED:
 			packet_disconnect("deattack denial of "
 			    "service detected");
 diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
 index 8ba6d87..a7808c7 100644
 --- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
 +++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
 	found = key_new(key->type);
 	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
@ -203,7 +159,7 @@ index 8ba6d87..a7808c7 100644
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
+@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw,
 			/* no key?  check if there are options for this key */
 			int quoted = 0;
 			verbose("user_key_allowed: check options: '%s'", cp);
@ -211,10 +167,9 @@ index 8ba6d87..a7808c7 100644
 			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 				if (*cp == '\\' && cp[1] == '"')
 					cp++;	/* Skip both */
-diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-index e14eb27..323817a 100644
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity	2015-03-18 17:21:51.786265063 +0100
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c	2015-03-18 17:21:51.898264829 +0100
 +++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
@@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
         authenticated = 1;
@ -225,44 +180,10 @@ index e14eb27..323817a 100644
     if(sig != NULL)
         free(sig);
     if(pkblob != NULL)
-diff --git a/progressmeter.c b/progressmeter.c
+diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
-index bbbc706..ae6d1aa 100644
+--- openssh-6.8p1/scp.c.coverity	2015-03-18 17:21:51.868264891 +0100
--- a/progressmeter.c
+++ openssh-6.8p1/scp.c	2015-03-18 17:21:58.281251460 +0100
-+++ b/progressmeter.c
+@@ -156,7 +156,7 @@ killchild(int signo)
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
 static time_t start;		/* start progress */
 static time_t last_update;	/* last progress update */
 -static char *file;		/* name of the file being transferred */
 +static const char *file;	/* name of the file being transferred */
 static off_t start_pos;		/* initial position of transfer */
 static off_t end_pos;		/* ending position of transfer */
 static off_t cur_pos;		/* transfer position as of last refresh */
@@ -248,7 +248,7 @@ update_progress_meter(int ignore)
 }
 void
 -start_progress_meter(char *f, off_t filesize, off_t *ctr)
 +start_progress_meter(const char *f, off_t filesize, off_t *ctr)
 {
 	start = last_update = monotime();
 	file = f;
 diff --git a/progressmeter.h b/progressmeter.h
 index 10bab99..e9ca8f0 100644
 --- a/progressmeter.h
 +++ b/progressmeter.h
@@ -23,5 +23,5 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 -void	start_progress_meter(char *, off_t, off_t *);
 +void	start_progress_meter(const char *, off_t, off_t *);
 void	stop_progress_meter(void);
 diff --git a/scp.c b/scp.c
 index cbd904d..e4e9fa1 100644
 --- a/scp.c
 +++ b/scp.c
@@ -155,7 +155,7 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
 		kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -271,11 +192,10 @@ index cbd904d..e4e9fa1 100644
 	}
 	if (signo)
-diff --git a/servconf.c b/servconf.c
+diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
-index 87a311b..895cdca 100644
+--- openssh-6.8p1/servconf.c.coverity	2015-03-18 17:21:51.893264839 +0100
--- a/servconf.c
+++ openssh-6.8p1/servconf.c	2015-03-18 17:21:58.281251460 +0100
-+++ b/servconf.c
+@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
@@ -1418,7 +1418,7 @@ process_server_config_line(ServerOptions *options, char *line,
 			fatal("%s line %d: Missing subsystem name.",
 			    filename, linenum);
 		if (!*activep) {
@ -284,7 +204,7 @@ index 87a311b..895cdca 100644
 			break;
 		}
 		for (i = 0; i < options->num_subsystems; i++)
-@@ -1509,8 +1509,9 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
@ -296,10 +216,9 @@ index 87a311b..895cdca 100644
 		}
 		break;
-diff --git a/serverloop.c b/serverloop.c
+diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
-index e92f9e2..3cad041 100644
+--- openssh-6.8p1/serverloop.c.coverity	2015-03-17 06:49:20.000000000 +0100
--- a/serverloop.c
+++ openssh-6.8p1/serverloop.c	2015-03-18 17:28:45.616436080 +0100
 +++ b/serverloop.c
@@ -147,13 +147,13 @@ notify_setup(void)
 static void
 notify_parent(void)
@ -327,7 +246,7 @@ index e92f9e2..3cad041 100644
 			debug2("notify_done: reading");
 }
-@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
+@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
 		 * If we have buffered data, try to write some of that data
 		 * to the program.
 		 */
@ -345,7 +264,7 @@ index e92f9e2..3cad041 100644
 		data = buffer_ptr(&stdin_buffer);
 		dlen = buffer_len(&stdin_buffer);
 		len = write(fdin, data, dlen);
-@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	set_nonblock(fdin);
 	set_nonblock(fdout);
 	/* we don't have stderr for interactive terminal sessions, see below */
@ -354,7 +273,7 @@ index e92f9e2..3cad041 100644
 		set_nonblock(fderr);
 	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	max_fd = MAX(connection_in, connection_out);
 	max_fd = MAX(max_fd, fdin);
 	max_fd = MAX(max_fd, fdout);
@ -363,7 +282,7 @@ index e92f9e2..3cad041 100644
 		max_fd = MAX(max_fd, fderr);
 #endif
-@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
 		 * If we have received eof, and there is no more pending
 		 * input data, cause a real eof by closing fdin.
 		 */
@ -372,7 +291,7 @@ index e92f9e2..3cad041 100644
 			if (fdin != fdout)
 				close(fdin);
 			else
-@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
 	buffer_free(&stderr_buffer);
 	/* Close the file descriptors. */
@ -391,16 +310,16 @@ index e92f9e2..3cad041 100644
 		close(fdin);
 	fdin = -1;
-@@ -947,7 +947,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
+@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
 	debug("Window change received.");
 	packet_check_eom();
 -	if (fdin != -1)
 +	if (fdin >= 0)
 		pty_change_window_size(fdin, row, col, xpixel, ypixel);
 	return 0;
 }
- 
+@@ -1043,7 +1043,7 @@ server_request_tun(void)
@@ -1039,7 +1039,7 @@ server_request_tun(void)
 	}
 	tun = packet_get_int();
@ -409,361 +328,10 @@ index e92f9e2..3cad041 100644
 		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
 			goto done;
 		tun = forced_tun_device;
-diff --git a/sftp-client.c b/sftp-client.c
+diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
-index 990b58d..3d0f22b 100644
+--- openssh-6.8p1/sftp.c.coverity	2015-03-17 06:49:20.000000000 +0100
--- a/sftp-client.c
+++ openssh-6.8p1/sftp.c	2015-03-18 17:21:58.283251456 +0100
-+++ b/sftp-client.c
+@@ -223,7 +223,7 @@ killchild(int signo)
@@ -151,7 +151,7 @@ get_msg(struct sftp_conn *conn, Buffer *m)
 }
 static void
 -send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
 +send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
     u_int len)
 {
 	Buffer msg;
@@ -167,7 +167,7 @@ send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
 static void
 send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
 -    char *s, u_int len, Attrib *a)
 +    const char *s, u_int len, Attrib *a)
 {
 	Buffer msg;
@@ -429,7 +429,7 @@ sftp_proto_version(struct sftp_conn *conn)
 }
 int
 -do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
 +do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
 {
 	u_int id, status;
 	Buffer msg;
@@ -454,7 +454,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
 static int
 -do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
 +do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
     SFTP_DIRENT ***dir)
 {
 	Buffer msg;
@@ -577,7 +577,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
 }
 int
 -do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
 +do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
 {
 	return(do_lsreaddir(conn, path, 0, dir));
 }
@@ -597,7 +597,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
 }
 int
 -do_rm(struct sftp_conn *conn, char *path)
 +do_rm(struct sftp_conn *conn, const char *path)
 {
 	u_int status, id;
@@ -612,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path)
 }
 int
 -do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
 +do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int print_flag)
 {
 	u_int status, id;
@@ -628,7 +628,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
 }
 int
 -do_rmdir(struct sftp_conn *conn, char *path)
 +do_rmdir(struct sftp_conn *conn, const char *path)
 {
 	u_int status, id;
@@ -644,7 +644,7 @@ do_rmdir(struct sftp_conn *conn, char *path)
 }
 Attrib *
 -do_stat(struct sftp_conn *conn, char *path, int quiet)
 +do_stat(struct sftp_conn *conn, const char *path, int quiet)
 {
 	u_int id;
@@ -658,7 +658,7 @@ do_stat(struct sftp_conn *conn, char *path, int quiet)
 }
 Attrib *
 -do_lstat(struct sftp_conn *conn, char *path, int quiet)
 +do_lstat(struct sftp_conn *conn, const char *path, int quiet)
 {
 	u_int id;
@@ -679,7 +679,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet)
 #ifdef notyet
 Attrib *
 -do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
 +do_fstat(struct sftp_conn *conn, const char *handle, u_int handle_len, int quiet)
 {
 	u_int id;
@@ -692,7 +692,7 @@ do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
 #endif
 int
 -do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
 +do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
 {
 	u_int status, id;
@@ -709,7 +709,7 @@ do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
 }
 int
 -do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
 +do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
     Attrib *a)
 {
 	u_int status, id;
@@ -726,7 +726,7 @@ do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
 }
 char *
 -do_realpath(struct sftp_conn *conn, char *path)
 +do_realpath(struct sftp_conn *conn, const char *path)
 {
 	Buffer msg;
 	u_int type, expected_id, count, id;
@@ -775,7 +775,7 @@ do_realpath(struct sftp_conn *conn, char *path)
 }
 int
 -do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
 +do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
     int force_legacy)
 {
 	Buffer msg;
@@ -811,7 +811,7 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
 }
 int
 -do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
 +do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
 {
 	Buffer msg;
 	u_int status, id;
@@ -844,7 +844,7 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
 }
 int
 -do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
 +do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
 {
 	Buffer msg;
 	u_int status, id;
@@ -876,7 +876,7 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
 }
 int
 -do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
 +do_fsync(struct sftp_conn *conn, const char *handle, u_int handle_len)
 {
 	Buffer msg;
 	u_int status, id;
@@ -907,7 +907,7 @@ do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
 #ifdef notyet
 char *
 -do_readlink(struct sftp_conn *conn, char *path)
 +do_readlink(struct sftp_conn *conn, const char *path)
 {
 	Buffer msg;
 	u_int type, expected_id, count, id;
@@ -1010,7 +1010,7 @@ do_fstatvfs(struct sftp_conn *conn, const char *handle, u_int handle_len,
 static void
 send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
 -    u_int len, char *handle, u_int handle_len)
 +    u_int len, const char *handle, u_int handle_len)
 {
 	Buffer msg;
@@ -1026,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
 }
 int
 -do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
 +do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
     Attrib *a, int preserve_flag, int resume_flag, int fsync_flag)
 {
 	Attrib junk;
@@ -1308,7 +1308,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
 }
 static int
 -download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
 +download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
     Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
     int fsync_flag)
 {
@@ -1400,7 +1400,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
 }
 int
 -download_dir(struct sftp_conn *conn, char *src, char *dst,
 +download_dir(struct sftp_conn *conn, const char *src, const char *dst,
     Attrib *dirattrib, int preserve_flag, int print_flag,
     int resume_flag, int fsync_flag)
 {
@@ -1419,7 +1419,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
 }
 int
 -do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
 +do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
     int preserve_flag, int resume, int fsync_flag)
 {
 	int local_fd;
@@ -1628,7 +1628,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
 }
 static int
 -upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
 +upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
     int preserve_flag, int print_flag, int resume, int fsync_flag)
 {
 	int ret = 0, status;
@@ -1721,7 +1721,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
 }
 int
 -upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
 +upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag,
     int print_flag, int resume, int fsync_flag)
 {
 	char *dst_canon;
@@ -1740,7 +1740,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
 }
 char *
 -path_append(char *p1, char *p2)
 +path_append(const char *p1, const char *p2)
 {
 	char *ret;
 	size_t len = strlen(p1) + strlen(p2) + 2;
 diff --git a/sftp-client.h b/sftp-client.h
 index 967840b..ffbcade 100644
 --- a/sftp-client.h
 +++ b/sftp-client.h
@@ -56,79 +56,79 @@ struct sftp_conn *do_init(int, int, u_int, u_int, u_int64_t);
 u_int sftp_proto_version(struct sftp_conn *);
 /* Close file referred to by 'handle' */
 -int do_close(struct sftp_conn *, char *, u_int);
 +int do_close(struct sftp_conn *, const char *, u_int);
 /* Read contents of 'path' to NULL-terminated array 'dir' */
 -int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
 +int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
 /* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
 void free_sftp_dirents(SFTP_DIRENT **);
 /* Delete file 'path' */
 -int do_rm(struct sftp_conn *, char *);
 +int do_rm(struct sftp_conn *, const char *);
 /* Create directory 'path' */
 -int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
 +int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
 /* Remove directory 'path' */
 -int do_rmdir(struct sftp_conn *, char *);
 +int do_rmdir(struct sftp_conn *, const char *);
 /* Get file attributes of 'path' (follows symlinks) */
 -Attrib *do_stat(struct sftp_conn *, char *, int);
 +Attrib *do_stat(struct sftp_conn *, const char *, int);
 /* Get file attributes of 'path' (does not follow symlinks) */
 -Attrib *do_lstat(struct sftp_conn *, char *, int);
 +Attrib *do_lstat(struct sftp_conn *, const char *, int);
 /* Set file attributes of 'path' */
 -int do_setstat(struct sftp_conn *, char *, Attrib *);
 +int do_setstat(struct sftp_conn *, const char *, Attrib *);
 /* Set file attributes of open file 'handle' */
 -int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
 +int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
 /* Canonicalise 'path' - caller must free result */
 -char *do_realpath(struct sftp_conn *, char *);
 +char *do_realpath(struct sftp_conn *, const char *);
 /* Get statistics for filesystem hosting file at "path" */
 int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
 /* Rename 'oldpath' to 'newpath' */
 -int do_rename(struct sftp_conn *, char *, char *m, int force_legacy);
 +int do_rename(struct sftp_conn *, const char *, const char *m, int force_legacy);
 /* Link 'oldpath' to 'newpath' */
 -int do_hardlink(struct sftp_conn *, char *, char *);
 +int do_hardlink(struct sftp_conn *, const char *, const char *);
 /* Rename 'oldpath' to 'newpath' */
 -int do_symlink(struct sftp_conn *, char *, char *);
 +int do_symlink(struct sftp_conn *, const char *, const char *);
 /* Call fsync() on open file 'handle' */
 -int do_fsync(struct sftp_conn *conn, char *, u_int);
 +int do_fsync(struct sftp_conn *conn, const char *, u_int);
 /*
  * Download 'remote_path' to 'local_path'. Preserve permissions and times
  * if 'pflag' is set
  */
 -int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
 +int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
 /*
  * Recursively download 'remote_directory' to 'local_directory'. Preserve 
  * times if 'pflag' is set
  */
 -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int,
 +int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int,
     int, int, int);
 /*
  * Upload 'local_path' to 'remote_path'. Preserve permissions and times
  * if 'pflag' is set
  */
 -int do_upload(struct sftp_conn *, char *, char *, int, int, int);
 +int do_upload(struct sftp_conn *, const char *, const char *, int, int, int);
 /*
  * Recursively upload 'local_directory' to 'remote_directory'. Preserve 
  * times if 'pflag' is set
  */
 -int upload_dir(struct sftp_conn *, char *, char *, int, int, int, int);
 +int upload_dir(struct sftp_conn *, const char *, const char *, int, int, int, int);
 /* Concatenate paths, taking care of slashes. Caller must free result. */
 -char *path_append(char *, char *);
 +char *path_append(const char *, const char *);
 #endif
 diff --git a/sftp.c b/sftp.c
 index ff4d63d..4439100 100644
 --- a/sftp.c
 +++ b/sftp.c
@@ -220,7 +220,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
@ -772,7 +340,7 @@ index ff4d63d..4439100 100644
 	}
 	_exit(1);
-@@ -332,7 +332,7 @@ local_do_ls(const char *args)
+@@ -335,7 +335,7 @@ local_do_ls(const char *args)
 /* Strip one path (usually the pwd) from the start of another */
 static char *
@ -781,7 +349,7 @@ index ff4d63d..4439100 100644
 {
 	size_t len;
-@@ -350,7 +350,7 @@ path_strip(char *path, char *strip)
+@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
 }
 static char *
@ -790,7 +358,7 @@ index ff4d63d..4439100 100644
 {
 	char *abs_str;
-@@ -548,7 +548,7 @@ parse_no_flags(const char *cmd, char **argv, int argc)
+@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
 }
 static int
@ -799,7 +367,7 @@ index ff4d63d..4439100 100644
 {
 	struct stat sb;
-@@ -560,7 +560,7 @@ is_dir(char *path)
+@@ -563,7 +563,7 @@ is_dir(char *path)
 }
 static int
@ -808,7 +376,7 @@ index ff4d63d..4439100 100644
 {
 	Attrib *a;
-@@ -574,7 +574,7 @@ remote_is_dir(struct sftp_conn *conn, char *path)
+@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
 /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
 static int
@ -817,7 +385,7 @@ index ff4d63d..4439100 100644
 {
 	size_t l = strlen(pathname);
-@@ -582,7 +582,7 @@ pathname_is_dir(char *pathname)
+@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
 }
 static int
@ -826,7 +394,7 @@ index ff4d63d..4439100 100644
     int pflag, int rflag, int resume, int fflag)
 {
 	char *abs_src = NULL;
-@@ -666,7 +666,7 @@ out:
+@@ -669,7 +669,7 @@ out:
 }
 static int
@ -835,7 +403,7 @@ index ff4d63d..4439100 100644
     int pflag, int rflag, int resume, int fflag)
 {
 	char *tmp_dst = NULL;
-@@ -776,7 +776,7 @@ sdirent_comp(const void *aa, const void *bb)
+@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
 /* sftp ls.1 replacement for directories */
 static int
@ -844,7 +412,7 @@ index ff4d63d..4439100 100644
 {
 	int n;
 	u_int c = 1, colspace = 0, columns = 1;
-@@ -861,7 +861,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
 /* sftp ls.1 replacement which handles path globs */
 static int
@ -853,7 +421,7 @@ index ff4d63d..4439100 100644
     int lflag)
 {
 	char *fname, *lname;
-@@ -946,7 +946,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 }
 static int
@ -862,11 +430,10 @@ index ff4d63d..4439100 100644
 {
 	struct sftp_statvfs st;
 	char s_used[FMT_SCALED_STRSIZE];
-diff --git a/ssh-agent.c b/ssh-agent.c
+diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
-index c8036c8..4da3bb6 100644
+--- openssh-6.8p1/ssh-agent.c.coverity	2015-03-17 06:49:20.000000000 +0100
--- a/ssh-agent.c
+++ openssh-6.8p1/ssh-agent.c	2015-03-18 17:21:58.284251454 +0100
-+++ b/ssh-agent.c
+@@ -1166,8 +1166,8 @@ main(int ac, char **av)
@@ -1056,8 +1056,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	/* drop */
@ -877,29 +444,10 @@ index c8036c8..4da3bb6 100644
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/* Disable ptrace on Linux without sgid bit */
-diff --git a/ssh-keygen.c b/ssh-keygen.c
+diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
-index 64fa217..635e8fd 100644
+--- openssh-6.8p1/sshd.c.coverity	2015-03-18 17:21:51.893264839 +0100
--- a/ssh-keygen.c
+++ openssh-6.8p1/sshd.c	2015-03-18 17:21:58.284251454 +0100
-+++ b/ssh-keygen.c
+@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
@@ -687,11 +687,11 @@ do_convert_from(struct passwd *pw)
 		fatal("%s: unknown key format %d", __func__, convert_format);
 	}
 -	if (!private)
 +	if (!private) {
 		ok = key_write(k, stdout);
 		if (ok)
 			fprintf(stdout, "\n");
 -	else {
 +	} else {
 		switch (k->type) {
 		case KEY_DSA:
 			ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
 diff --git a/sshd.c b/sshd.c
 index 783abe3..eaade2a 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -771,8 +771,10 @@ privsep_preauth(Authctxt *authctxt)
 		if (getuid() == 0 || geteuid() == 0)
 			privsep_preauth_child();
 		setproctitle("%s", "[net]");
@ -911,7 +459,7 @@ index 783abe3..eaade2a 100644
 		return 0;
 	}
-@@ -1458,6 +1460,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
 		if (num_listen_socks < 0)
 			break;
 	}
@ -921,15 +469,14 @@ index 783abe3..eaade2a 100644
 }
-diff --git a/sshkey.c b/sshkey.c
+diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
-index 5e3d97f..dae8270 100644
+--- openssh-6.8p1/sshkey.c.coverity	2015-03-18 17:21:58.285251452 +0100
--- a/sshkey.c
+++ openssh-6.8p1/sshkey.c	2015-03-18 17:45:32.232705363 +0100
-+++ b/sshkey.c
+@@ -58,6 +58,7 @@
@@ -54,6 +54,7 @@
 #include "digest.h"
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
 +#include "log.h"
 #include "match.h"
 /* openssh private key file format */
 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
--- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch
+++ b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
@ -1,7 +1,7 @@
-diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
+diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
--- openssh-6.7p1/configure.ac.tcp_wrappers	2015-01-20 16:58:39.829111746 +0100
+--- openssh-6.8p1/configure.ac.tcp_wrappers	2015-03-18 13:05:57.365071779 +0100
-+++ openssh-6.7p1/configure.ac	2015-01-20 16:58:39.870111159 +0100
+++ openssh-6.8p1/configure.ac	2015-03-18 13:05:57.408071673 +0100
-@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
+@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
 	]
 )
@ -64,7 +64,7 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -4959,6 +5015,7 @@ echo "                 KerberosV support
+@@ -5026,6 +5082,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
@ -72,9 +72,9 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
-diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
+diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
--- openssh-6.7p1/sshd.8.tcp_wrappers	2015-01-20 16:58:39.838111617 +0100
+--- openssh-6.8p1/sshd.8.tcp_wrappers	2015-03-18 13:05:57.377071749 +0100
-+++ openssh-6.7p1/sshd.8	2015-01-20 16:58:39.871111145 +0100
+++ openssh-6.8p1/sshd.8	2015-03-18 13:05:57.408071673 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
@ -96,12 +96,12 @@ diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
-diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
+diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
--- openssh-6.7p1/sshd.c.tcp_wrappers	2015-01-20 16:58:39.863111259 +0100
+--- openssh-6.8p1/sshd.c.tcp_wrappers	2015-03-18 13:05:57.402071688 +0100
-+++ openssh-6.7p1/sshd.c	2015-01-20 16:59:12.992636776 +0100
+++ openssh-6.8p1/sshd.c	2015-03-18 13:06:48.199947136 +0100
-@@ -123,6 +123,13 @@
+@@ -125,6 +125,13 @@
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "ssherr.h"
 +#ifdef LIBWRAP
 +#include <tcpd.h>
@ -113,7 +113,7 @@ diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
-@@ -2078,6 +2085,24 @@ main(int ac, char **av)
+@@ -2150,6 +2157,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
 #endif
--- a/openssh-6.7p1-fingerprint.patch
+++ b/openssh-6.7p1-fingerprint.patch
--- a/openssh-6.7p1-fips.patch
+++ b/openssh-6.7p1-fips.patch
@ -1,8 +1,7 @@
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in
-index 9311e16..1eb2b45 100644
+--- openssh-6.8p1/Makefile.in.fips	2015-03-19 13:14:22.221212174 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-19 13:14:22.230212157 +0100
-+++ b/Makefile.in
+@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -34,7 +33,7 @@ index 9311e16..1eb2b45 100644
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
 	$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -43,10 +42,9 @@ index 9311e16..1eb2b45 100644
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff --git a/cipher-ctr.c b/cipher-ctr.c
+diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
-index 73e9c7c..40ee395 100644
+--- openssh-6.8p1/cipher-ctr.c.fips	2015-03-19 13:14:22.155212302 +0100
--- a/cipher-ctr.c
+++ openssh-6.8p1/cipher-ctr.c	2015-03-19 13:14:22.230212157 +0100
 +++ b/cipher-ctr.c
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -57,10 +55,9 @@ index 73e9c7c..40ee395 100644
 #endif
 	return (&aes_ctr);
 }
-diff --git a/cipher.c b/cipher.c
+diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
-index 9cc7cf8..5ebfa84 100644
+--- openssh-6.8p1/cipher.c.fips	2015-03-19 13:14:22.224212169 +0100
--- a/cipher.c
+++ openssh-6.8p1/cipher.c	2015-03-19 13:14:22.230212157 +0100
 +++ b/cipher.c
@@ -39,6 +39,8 @@
 #include <sys/types.h>
@ -70,7 +67,7 @@ index 9cc7cf8..5ebfa84 100644
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
-@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
+@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
@ -133,11 +130,10 @@ index 9cc7cf8..5ebfa84 100644
 		if (strcasecmp(c->name, name) == 0)
 			return c->number;
 	return -1;
-diff --git a/dh.h b/dh.h
+diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
-index 48f7b68..9ff39f4 100644
+--- openssh-6.8p1/dh.h.fips	2015-03-17 06:49:20.000000000 +0100
--- a/dh.h
+++ openssh-6.8p1/dh.h	2015-03-19 13:14:22.230212157 +0100
-+++ b/dh.h
+@@ -45,6 +45,7 @@ u_int	 dh_estimate(int);
@@ -45,6 +45,7 @@ int	 dh_estimate(int);
 /* Min and max values from RFC4419. */
 #define DH_GRP_MIN	1024
@ -145,11 +141,10 @@ index 48f7b68..9ff39f4 100644
 #define DH_GRP_MAX	8192
 /*
-diff --git a/entropy.c b/entropy.c
+diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
-index d24e724..06b0095 100644
+--- openssh-6.8p1/entropy.c.fips	2015-03-19 13:14:22.147212317 +0100
--- a/entropy.c
+++ openssh-6.8p1/entropy.c	2015-03-19 13:14:22.230212157 +0100
-+++ b/entropy.c
+@@ -217,6 +217,9 @@ seed_rng(void)
@@ -215,6 +215,9 @@ seed_rng(void)
 		fatal("OpenSSL version mismatch. Built against %lx, you "
 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -159,10 +154,9 @@ index d24e724..06b0095 100644
 #ifndef OPENSSL_PRNG_ONLY
 	if (RAND_status() == 1) {
 		debug3("RNG is ready, skipping seeding");
-diff --git a/kex.c b/kex.c
+diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
-index e0cf3de..e11198f 100644
+--- openssh-6.8p1/kex.c.fips	2015-03-19 13:14:22.165212282 +0100
--- a/kex.c
+++ openssh-6.8p1/kex.c	2015-03-19 13:14:22.230212157 +0100
 +++ b/kex.c
@@ -35,6 +35,7 @@
 #ifdef WITH_OPENSSL
@ -170,7 +164,7 @@ index e0cf3de..e11198f 100644
 +#include <openssl/fips.h>
 #endif
- #include "xmalloc.h"
+ #include "ssh2.h"
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
 	{ NULL, -1, -1, -1},
 };
@ -197,7 +191,7 @@ index e0cf3de..e11198f 100644
 char *
 kex_alg_list(char sep)
 {
-@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
+@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name)
 {
 	const struct kexalg *k;
@ -206,7 +200,7 @@ index e0cf3de..e11198f 100644
 		if (strcmp(k->name, name) == 0)
 			return k;
 #ifdef GSSAPI
-@@ -155,7 +175,10 @@ kex_names_valid(const char *names)
+@@ -160,7 +180,10 @@ kex_names_valid(const char *names)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
 		if (kex_alg_by_name(p) == NULL) {
@ -218,60 +212,34 @@ index e0cf3de..e11198f 100644
 			free(s);
 			return 0;
 		}
-diff --git a/kexecdhc.c b/kexecdhc.c
+diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c
-index 2f7629c..20c9946 100644
+--- openssh-6.8p1/kexgexc.c.fips	2015-03-19 13:14:22.196212223 +0100
--- a/kexecdhc.c
+++ openssh-6.8p1/kexgexc.c	2015-03-19 13:15:11.462117016 +0100
-+++ b/kexecdhc.c
+@@ -28,6 +28,8 @@
@@ -154,6 +154,7 @@ kexecdh_client(Kex *kex)
- 	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+ #ifdef WITH_OPENSSL
 	BN_clear_free(shared_secret);
 +	memset(hash, 0, hashlen);
 	kex_finish(kex);
 }
 #else /* OPENSSL_HAS_ECC */
 diff --git a/kexecdhs.c b/kexecdhs.c
 index 2700b72..0820894 100644
 --- a/kexecdhs.c
 +++ b/kexecdhs.c
@@ -150,6 +150,7 @@ kexecdh_server(Kex *kex)
 	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 +	memset(hash, 0, hashlen);
 	kex_finish(kex);
 }
 #else /* OPENSSL_HAS_ECC */
 diff --git a/kexgexc.c b/kexgexc.c
 index 0a91bdd..b75930b 100644
 --- a/kexgexc.c
 +++ b/kexgexc.c
@@ -26,6 +26,8 @@
 #include "includes.h"
 +#include <openssl/fips.h>
 +
 #include <sys/types.h>
 #include <openssl/dh.h>
-@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
+@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
 	int min, max, nbits;
 	DH *dh;
-	min = DH_GRP_MIN;
+ 	nbits = dh_estimate(kex->dh_need * 8);
-+	min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+ 
- 	max = DH_GRP_MAX;
+-	kex->min = DH_GRP_MIN;
 +	kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
 	kex->max = DH_GRP_MAX;
 	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
-diff --git a/kexgexs.c b/kexgexs.c
+diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c
-index 770ad28..9d4fc6d 100644
+--- openssh-6.8p1/kexgexs.c.fips	2015-03-17 06:49:20.000000000 +0100
--- a/kexgexs.c
+++ openssh-6.8p1/kexgexs.c	2015-03-19 13:14:22.231212155 +0100
-+++ b/kexgexs.c
+@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
-@@ -76,16 +76,16 @@ kexgex_server(Kex *kex)
+ 		kex->nbits = nbits;
- 		omin = min = packet_get_int();
+ 		kex->min = min;
- 		onbits = nbits = packet_get_int();
+ 		kex->max = max;
 		omax = max = packet_get_int();
 -		min = MAX(DH_GRP_MIN, min);
 +		min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
 		max = MIN(DH_GRP_MAX, max);
@ -280,28 +248,28 @@ index 770ad28..9d4fc6d 100644
 		nbits = MIN(DH_GRP_MAX, nbits);
 		break;
 	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
- 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
+@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
- 		onbits = nbits = packet_get_int();
+ 			goto out;
 		kex->nbits = nbits;
 		/* unused for old GEX */
-		omin = min = DH_GRP_MIN;
+-		kex->min = min = DH_GRP_MIN;
-+		omin = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+		kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
- 		omax = max = DH_GRP_MAX;
+ 		kex->max = max = DH_GRP_MAX;
 		break;
 	default:
-diff --git a/mac.c b/mac.c
+diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
-index fd07bf2..fedfbb2 100644
+--- openssh-6.8p1/mac.c.fips	2015-03-19 13:14:22.224212169 +0100
--- a/mac.c
+++ openssh-6.8p1/mac.c	2015-03-19 13:14:22.231212155 +0100
 +++ b/mac.c
@@ -27,6 +27,8 @@
 #include <sys/types.h>
 +#include <openssl/fips.h>
 +
 #include <stdarg.h>
 #include <string.h>
- #include <signal.h>
+ #include <stdio.h>
-@@ -60,7 +62,7 @@ struct macalg {
+ 
@@ -54,7 +56,7 @@ struct macalg {
 	int		etm;		/* Encrypt-then-MAC */
 };
@ -310,7 +278,7 @@ index fd07bf2..fedfbb2 100644
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
 	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
-@@ -91,6 +93,24 @@ static const struct macalg macs[] = {
+@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
 	{ NULL,					0, 0, 0, 0, 0, 0 }
 };
@ -335,7 +303,7 @@ index fd07bf2..fedfbb2 100644
 /* Returns a list of supported MACs separated by the specified char. */
 char *
 mac_alg_list(char sep)
-@@ -99,7 +119,7 @@ mac_alg_list(char sep)
+@@ -93,7 +113,7 @@ mac_alg_list(char sep)
 	size_t nlen, rlen = 0;
 	const struct macalg *m;
@ -344,7 +312,7 @@ index fd07bf2..fedfbb2 100644
 		if (ret != NULL)
 			ret[rlen++] = sep;
 		nlen = strlen(m->name);
-@@ -133,7 +153,7 @@ mac_setup(Mac *mac, char *name)
+@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
 {
 	const struct macalg *m;
@ -352,11 +320,10 @@ index fd07bf2..fedfbb2 100644
 +	for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
 		if (strcmp(name, m->name) != 0)
 			continue;
- 		if (mac != NULL) {
+ 		if (mac != NULL)
-diff --git a/myproposal.h b/myproposal.h
+diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
-index b35b2b8..a608d27 100644
+--- openssh-6.8p1/myproposal.h.fips	2015-03-17 06:49:20.000000000 +0100
--- a/myproposal.h
+++ openssh-6.8p1/myproposal.h	2015-03-19 13:14:22.231212155 +0100
 +++ b/myproposal.h
@@ -140,6 +140,28 @@
 	"hmac-sha1-96," \
 	"hmac-md5-96"
@ -386,10 +353,9 @@ index b35b2b8..a608d27 100644
 #else
 #define KEX_SERVER_KEX		\
-diff --git a/ssh.c b/ssh.c
+diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
-index 26e9681..a0a7c29 100644
+--- openssh-6.8p1/ssh.c.fips	2015-03-17 06:49:20.000000000 +0100
--- a/ssh.c
+++ openssh-6.8p1/ssh.c	2015-03-19 13:14:22.232212153 +0100
 +++ b/ssh.c
@@ -75,6 +75,8 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -399,7 +365,7 @@ index 26e9681..a0a7c29 100644
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -433,6 +435,14 @@ main(int ac, char **av)
+@@ -523,6 +525,14 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
@ -414,8 +380,8 @@ index 26e9681..a0a7c29 100644
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
-@@ -510,6 +519,9 @@ main(int ac, char **av)
+@@ -600,6 +610,9 @@ main(int ac, char **av)
- 	    "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
 +			if (FIPS_mode()) {
@ -424,7 +390,7 @@ index 26e9681..a0a7c29 100644
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -841,7 +853,6 @@ main(int ac, char **av)
+@@ -941,7 +954,6 @@ main(int ac, char **av)
 	host_arg = xstrdup(host);
 #ifdef WITH_OPENSSL
@ -432,7 +398,7 @@ index 26e9681..a0a7c29 100644
 	ERR_load_crypto_strings();
 #endif
-@@ -997,6 +1008,10 @@ main(int ac, char **av)
+@@ -1115,6 +1127,10 @@ main(int ac, char **av)
 	seed_rng();
@ -443,7 +409,7 @@ index 26e9681..a0a7c29 100644
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -1069,6 +1084,12 @@ main(int ac, char **av)
+@@ -1192,6 +1208,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -456,10 +422,9 @@ index 26e9681..a0a7c29 100644
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, addrs, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts,
-diff --git a/sshconnect2.c b/sshconnect2.c
+diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
-index efe6158..5631f39 100644
+--- openssh-6.8p1/sshconnect2.c.fips	2015-03-19 13:14:22.188212238 +0100
--- a/sshconnect2.c
+++ openssh-6.8p1/sshconnect2.c	2015-03-19 13:14:22.232212153 +0100
 +++ b/sshconnect2.c
@@ -46,6 +46,8 @@
 #include <vis.h>
 #endif
@ -469,13 +434,24 @@ index efe6158..5631f39 100644
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
-@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
 #ifdef GSSAPI
 	if (options.gss_keyex) {
 -		/* Add the GSSAPI mechanisms currently supported on this 
 -		 * client to the key exchange algorithm proposal */
 -		orig = myproposal[PROPOSAL_KEX_ALGS];
 -
 -		if (options.gss_trust_dns)
 -			gss_host = (char *)get_canonical_hostname(1);
 -		else
 -			gss_host = host;
 -
 -		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
 -		if (gss) {
 -			debug("Offering GSSAPI proposal: %s", gss);
 -			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 -			    "%s,%s", gss, orig);
 +		if (FIPS_mode()) {
 +			logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
 +			options.gss_keyex = 0;
@ -483,21 +459,12 @@ index efe6158..5631f39 100644
 +			/* Add the GSSAPI mechanisms currently supported on this
 +			 * client to the key exchange algorithm proposal */
 +			orig = myproposal[PROPOSAL_KEX_ALGS];
- 
+
 -		if (options.gss_trust_dns)
 -			gss_host = (char *)get_canonical_hostname(1);
 -		else
 -			gss_host = host;
 +			if (options.gss_trust_dns)
 +				gss_host = (char *)get_canonical_hostname(1);
 +			else
 +				gss_host = host;
- 
+
 -		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
 -		if (gss) {
 -			debug("Offering GSSAPI proposal: %s", gss);
 -			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 -			    "%s,%s", gss, orig);
 +			gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
 +			if (gss) {
 +				debug("Offering GSSAPI proposal: %s", gss);
@ -507,7 +474,7 @@ index efe6158..5631f39 100644
 		}
 	}
 #endif
-@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -518,7 +485,7 @@ index efe6158..5631f39 100644
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -530,7 +497,7 @@ index efe6158..5631f39 100644
 	if (options.hostkeyalgorithms != NULL)
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(options.hostkeyalgorithms);
-@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -543,10 +510,9 @@ index efe6158..5631f39 100644
 #ifdef GSSAPI
 	/* If we've got GSSAPI algorithms, then we also support the
 	 * 'null' hostkey, as a last resort */
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
-index db23ce2..3ce59f0 100644
+--- openssh-6.8p1/sshd.c.fips	2015-03-19 13:14:22.226212165 +0100
--- a/sshd.c
+++ openssh-6.8p1/sshd.c	2015-03-19 13:14:22.232212153 +0100
 +++ b/sshd.c
@@ -66,6 +66,7 @@
 #include <grp.h>
 #include <pwd.h>
@ -555,7 +521,7 @@ index db23ce2..3ce59f0 100644
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
-@@ -76,6 +77,8 @@
+@@ -77,6 +78,8 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
@ -564,7 +530,7 @@ index db23ce2..3ce59f0 100644
 #include "openbsd-compat/openssl-compat.h"
 #endif
-@@ -1479,6 +1482,18 @@ main(int ac, char **av)
+@@ -1543,6 +1546,18 @@ main(int ac, char **av)
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -583,7 +549,7 @@ index db23ce2..3ce59f0 100644
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	rexec_argc = ac;
-@@ -1630,7 +1645,7 @@ main(int ac, char **av)
+@@ -1694,7 +1709,7 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -592,9 +558,9 @@ index db23ce2..3ce59f0 100644
 	OpenSSL_add_all_algorithms();
 #endif
-@@ -1816,6 +1831,10 @@ main(int ac, char **av)
+@@ -1890,6 +1905,10 @@ main(int ac, char **av)
- 		debug("private host key: #%d type %d %s", i, keytype,
+ 		    sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
- 		    key_type(key ? key : pubkey));
+ 		free(fp);
 	}
 +	if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
 +		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@ -603,7 +569,7 @@ index db23ce2..3ce59f0 100644
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1982,6 +2001,10 @@ main(int ac, char **av)
+@@ -2058,6 +2077,10 @@ main(int ac, char **av)
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -614,7 +580,7 @@ index db23ce2..3ce59f0 100644
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	if (chdir("/") == -1)
-@@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
+@@ -2642,6 +2665,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -624,7 +590,7 @@ index db23ce2..3ce59f0 100644
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
+@@ -2651,6 +2677,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -634,7 +600,7 @@ index db23ce2..3ce59f0 100644
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-@@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
+@@ -2661,6 +2690,8 @@ do_ssh2_kex(void)
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -643,7 +609,7 @@ index db23ce2..3ce59f0 100644
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 	    myproposal[PROPOSAL_KEX_ALGS]);
-@@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
+@@ -2687,10 +2718,14 @@ do_ssh2_kex(void)
 	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
 		orig = NULL;
@ -662,19 +628,18 @@ index db23ce2..3ce59f0 100644
 	if (gss && orig)
 		xasprintf(&newstr, "%s,%s", gss, orig);
-diff --git a/sshkey.c b/sshkey.c
+diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
-index f078e11..5e3d97f 100644
+--- openssh-6.8p1/sshkey.c.fips	2015-03-19 13:14:22.227212163 +0100
--- a/sshkey.c
+++ openssh-6.8p1/sshkey.c	2015-03-19 13:14:22.233212151 +0100
-+++ b/sshkey.c
+@@ -35,6 +35,7 @@
@@ -34,6 +34,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 +#include <openssl/fips.h>
 #endif
 #include "crypto_api.h"
- 
+@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA
@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -683,9 +648,10 @@ index f078e11..5e3d97f 100644
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
--- a/servconf.c    2015-01-30 12:24:12.388337643 +0100
+diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
-+++ b/servconf.c    2015-01-30 12:26:36.229229751 +0100
+--- openssh-6.8p1/servconf.c.fips	2015-03-19 13:14:22.210212196 +0100
-@@ -2159,8 +2162,10 @@
+++ openssh-6.8p1/servconf.c	2015-03-19 13:14:22.233212151 +0100
@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -698,12 +664,14 @@ index f078e11..5e3d97f 100644
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2180,7 +2180,7 @@
+@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+-	dump_cfg_string(sKexAlgorithms,
-  	    KEX_SERVER_KEX);
+-	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
 + 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
 +		FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
- 
+ 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
- 	/* string arguments requiring a lookup */
+ 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
- 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
+ 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
--- a/openssh-6.7p1-kdf-cavs.patch
+++ b/openssh-6.7p1-kdf-cavs.patch
@ -1,8 +1,7 @@
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
-index 1eb2b45..cfa89a1 100644
+--- openssh-6.8p1/Makefile.in.kdf-cavs	2015-03-18 11:23:46.346049359 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:24:20.395968445 +0100
-+++ b/Makefile.in
+@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 SSH_KEYCAT=$(libexecdir)/ssh-keycat
 CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
@ -18,8 +17,8 @@ index 1eb2b45..cfa89a1 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
 LIBOPENSSH_OBJS=\
- 	ssherr.o \
+ 	ssh_api.o \
-@@ -196,6 +196,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
 ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
 	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
@ -29,7 +28,7 @@ index 1eb2b45..cfa89a1 100644
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -320,6 +321,8 @@ install-files:
+@@ -331,6 +335,8 @@ install-files:
 	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
@ -38,12 +37,10 @@ index 1eb2b45..cfa89a1 100644
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/ssh-cavs.c b/ssh-cavs.c
+diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
-new file mode 100644
+--- openssh-6.8p1/ssh-cavs.c.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
-index 0000000..928ff80
+++ openssh-6.8p1/ssh-cavs.c	2015-03-18 11:23:46.348049354 +0100
--- /dev/null
+@@ -0,0 +1,383 @@
 +++ b/ssh-cavs.c
@@ -0,0 +1,374 @@
 +/*
 + * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
 + *
@ -95,6 +92,7 @@ index 0000000..928ff80
 +#include "key.h"
 +#include "cipher.h"
 +#include "kex.h"
 +#include "packet.h"
 +
 +static int bin_char(unsigned char hex)
 +{
@ -208,16 +206,17 @@ index 0000000..928ff80
 +static int sshkdf_cavs(struct kdf_cavs *test)
 +{
 +	int ret = 0;
-+	Kex kex;
+	struct kex kex;
 +	BIGNUM *Kbn = NULL;
 +	int mode = 0;
-+	Newkeys *ctoskeys;
+	struct newkeys *ctoskeys;
-+	Newkeys *stockeys;
+	struct newkeys *stockeys;
 +	struct ssh *ssh = NULL;
 +
 +#define HEXOUTLEN 500
 +	char hex[HEXOUTLEN];
 +
-+	memset(&kex, 0, sizeof(Kex));
+	memset(&kex, 0, sizeof(struct kex));
 +
 +	Kbn = BN_new();
 +	BN_bin2bn(test->K, test->Klen, Kbn);
@ -254,7 +253,7 @@ index 0000000..928ff80
 +
 +	/* implement choose_enc */
 +	for (mode = 0; mode < 2; mode++) {
-+		kex.newkeys[mode] = calloc(1, sizeof(Newkeys));
+		kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
 +		if (!kex.newkeys[mode]) {
 +			printf("allocation of newkeys failed\n");
 +			ret = 1;
@ -280,10 +279,15 @@ index 0000000..928ff80
 +	kex.server = 1;
 +
 +	/* do it */
-+	kex_derive_keys_bn(&kex, test->H, test->Hlen, Kbn);
+	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
 +		printf("Allocation error\n");
 +		goto out;
 +	}
 +	ssh->kex = &kex;
 +	kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
 +
-+	ctoskeys = kex_get_newkeys(0);
+	ctoskeys = kex.newkeys[0];
-+	stockeys = kex_get_newkeys(1);
+	stockeys = kex.newkeys[1];
 +
 +	/* get data */
 +	memset(hex, 0, HEXOUTLEN);
@ -323,6 +327,8 @@ index 0000000..928ff80
 +		free(kex.newkeys[0]);
 +	if (kex.newkeys[1])
 +		free(kex.newkeys[1]);
 +	if (ssh)
 +		ssh_packet_close(ssh);
 +	return ret;
 +}
 +
@ -418,11 +424,9 @@ index 0000000..928ff80
 +	return ret;
 +
 +}
-diff --git a/ssh-cavs_driver.pl b/ssh-cavs_driver.pl
+diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
-new file mode 100644
+--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
-index 0000000..6ed8f26
+++ openssh-6.8p1/ssh-cavs_driver.pl	2015-03-18 11:23:46.348049354 +0100
 --- /dev/null
 +++ b/ssh-cavs_driver.pl
@@ -0,0 +1,184 @@
 +#!/usr/bin/env perl
 +#
--- a/openssh-6.7p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
@ -1,8 +1,6 @@
-diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
+diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
-new file mode 100644
+--- openssh-6.8p1/HOWTO.ldap-keys.ldap	2015-03-18 11:11:29.029801467 +0100
-index 0000000..dd5f5cc
+++ openssh-6.8p1/HOWTO.ldap-keys	2015-03-18 11:11:29.029801467 +0100
 --- /dev/null
 +++ b/HOWTO.ldap-keys
@@ -0,0 +1,119 @@
 +
 +HOW TO START
@ -123,10 +121,9 @@ index 0000000..dd5f5cc
 +5) Author
 +    Jan F. Chadima <jchadima@redhat.com>
 +
-diff --git a/Makefile.in b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
-index 06be3d5..f02aa1e 100644
+--- openssh-6.8p1/Makefile.in.ldap	2015-03-17 06:49:20.000000000 +0100
--- a/Makefile.in
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:13:10.147561177 +0100
 +++ b/Makefile.in
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
@ -146,8 +143,8 @@ index 06be3d5..f02aa1e 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 LIBOPENSSH_OBJS=\
- 	ssherr.o \
+ 	ssh_api.o \
-@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 	sandbox-seccomp-filter.o sandbox-capsicum.o
@ -158,17 +155,17 @@ index 06be3d5..f02aa1e 100644
 MANTYPE		= @MANTYPE@
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
+@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
-+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 +
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -295,6 +301,10 @@ install-files:
+@@ -311,6 +317,10 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -179,7 +176,7 @@ index 06be3d5..f02aa1e 100644
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -311,6 +321,10 @@ install-files:
+@@ -327,6 +337,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -190,7 +187,7 @@ index 06be3d5..f02aa1e 100644
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -340,6 +354,13 @@ install-sysconf:
+@@ -356,6 +370,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
@ -204,7 +201,7 @@ index 06be3d5..f02aa1e 100644
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
-@@ -403,6 +424,8 @@ uninstall:
+@@ -419,6 +440,8 @@ uninstall:
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -213,7 +210,7 @@ index 06be3d5..f02aa1e 100644
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -414,6 +437,7 @@ uninstall:
+@@ -430,6 +453,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -221,11 +218,10 @@ index 06be3d5..f02aa1e 100644
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 regress-prep:
-diff --git a/configure.ac b/configure.ac
+diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
-index 67c4486..6553074 100644
+--- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
--- a/configure.ac
+++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
-+++ b/configure.ac
+@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then
@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
 	fi
 fi
@ -332,11 +328,9 @@ index 67c4486..6553074 100644
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 	Blowfish_initstate \
-diff --git a/ldap-helper.c b/ldap-helper.c
+diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
-new file mode 100644
+--- openssh-6.8p1/ldap-helper.c.ldap	2015-03-18 11:11:29.030801464 +0100
-index 0000000..e95a94a
+++ openssh-6.8p1/ldap-helper.c	2015-03-18 11:11:29.030801464 +0100
 --- /dev/null
 +++ b/ldap-helper.c
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -493,11 +487,9 @@ index 0000000..e95a94a
 +void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff --git a/ldap-helper.h b/ldap-helper.h
+diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
-new file mode 100644
+--- openssh-6.8p1/ldap-helper.h.ldap	2015-03-18 11:11:29.031801462 +0100
-index 0000000..14cb29a
+++ openssh-6.8p1/ldap-helper.h	2015-03-18 11:11:29.031801462 +0100
 --- /dev/null
 +++ b/ldap-helper.h
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -531,11 +523,9 @@ index 0000000..14cb29a
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff --git a/ldap.conf b/ldap.conf
+diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
-new file mode 100644
+--- openssh-6.8p1/ldap.conf.ldap	2015-03-18 11:11:29.031801462 +0100
-index 0000000..42e38d3
+++ openssh-6.8p1/ldap.conf	2015-03-18 11:11:29.031801462 +0100
 --- /dev/null
 +++ b/ldap.conf
@@ -0,0 +1,95 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -632,11 +622,9 @@ index 0000000..42e38d3
 +
 +#AccountClass posixAccount
 +
-diff --git a/ldapbody.c b/ldapbody.c
+diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
-new file mode 100644
+--- openssh-6.8p1/ldapbody.c.ldap	2015-03-18 11:11:29.031801462 +0100
-index 0000000..3029108
+++ openssh-6.8p1/ldapbody.c	2015-03-18 11:11:29.031801462 +0100
 --- /dev/null
 +++ b/ldapbody.c
@@ -0,0 +1,493 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1131,11 +1119,9 @@ index 0000000..3029108
 +	return;
 +}
 +
-diff --git a/ldapbody.h b/ldapbody.h
+diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
-new file mode 100644
+--- openssh-6.8p1/ldapbody.h.ldap	2015-03-18 11:11:29.031801462 +0100
-index 0000000..665dca2
+++ openssh-6.8p1/ldapbody.h	2015-03-18 11:11:29.031801462 +0100
 --- /dev/null
 +++ b/ldapbody.h
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1174,11 +1160,9 @@ index 0000000..665dca2
 +
 +#endif /* LDAPBODY_H */
 +
-diff --git a/ldapconf.c b/ldapconf.c
+diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
-new file mode 100644
+--- openssh-6.8p1/ldapconf.c.ldap	2015-03-18 11:11:29.032801460 +0100
-index 0000000..b49cae6
+++ openssh-6.8p1/ldapconf.c	2015-03-18 11:11:29.032801460 +0100
 --- /dev/null
 +++ b/ldapconf.c
@@ -0,0 +1,728 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1908,11 +1892,9 @@ index 0000000..b49cae6
 +	dump_cfg_string(lAccountClass, options.account_class);
 +}
 +
-diff --git a/ldapconf.h b/ldapconf.h
+diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
-new file mode 100644
+--- openssh-6.8p1/ldapconf.h.ldap	2015-03-18 11:11:29.032801460 +0100
-index 0000000..2cb550c
+++ openssh-6.8p1/ldapconf.h	2015-03-18 11:11:29.032801460 +0100
 --- /dev/null
 +++ b/ldapconf.h
@@ -0,0 +1,73 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1987,11 +1969,9 @@ index 0000000..2cb550c
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff --git a/ldapincludes.h b/ldapincludes.h
+diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
-new file mode 100644
+--- openssh-6.8p1/ldapincludes.h.ldap	2015-03-18 11:11:29.032801460 +0100
-index 0000000..8539bdc
+++ openssh-6.8p1/ldapincludes.h	2015-03-18 11:11:29.032801460 +0100
 --- /dev/null
 +++ b/ldapincludes.h
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2034,11 +2014,9 @@ index 0000000..8539bdc
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff --git a/ldapmisc.c b/ldapmisc.c
+diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
-new file mode 100644
+--- openssh-6.8p1/ldapmisc.c.ldap	2015-03-18 11:11:29.032801460 +0100
-index 0000000..de23c0c
+++ openssh-6.8p1/ldapmisc.c	2015-03-18 11:11:29.032801460 +0100
 --- /dev/null
 +++ b/ldapmisc.c
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -2119,11 +2097,9 @@ index 0000000..de23c0c
 +}
 +#endif
 +
-diff --git a/ldapmisc.h b/ldapmisc.h
+diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
-new file mode 100644
+--- openssh-6.8p1/ldapmisc.h.ldap	2015-03-18 11:11:29.032801460 +0100
-index 0000000..4c271df
+++ openssh-6.8p1/ldapmisc.h	2015-03-18 11:11:29.032801460 +0100
 --- /dev/null
 +++ b/ldapmisc.h
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -2160,11 +2136,9 @@ index 0000000..4c271df
 +
 +#endif /* LDAPMISC_H */
 +
-diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
+diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
-new file mode 100644
+--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap	2015-03-18 11:11:29.033801457 +0100
-index 0000000..c84f90f
+++ openssh-6.8p1/openssh-lpk-openldap.schema	2015-03-18 11:11:29.033801457 +0100
 --- /dev/null
 +++ b/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2187,11 +2161,9 @@ index 0000000..c84f90f
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
+diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
-new file mode 100644
+--- openssh-6.8p1/openssh-lpk-sun.schema.ldap	2015-03-18 11:11:29.033801457 +0100
-index 0000000..3136673
+++ openssh-6.8p1/openssh-lpk-sun.schema	2015-03-18 11:11:29.033801457 +0100
 --- /dev/null
 +++ b/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2216,11 +2188,9 @@ index 0000000..3136673
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
+diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
-new file mode 100644
+--- openssh-6.8p1/ssh-ldap-helper.8.ldap	2015-03-18 11:11:29.033801457 +0100
-index 0000000..5d2d7be
+++ openssh-6.8p1/ssh-ldap-helper.8	2015-03-18 11:11:29.033801457 +0100
 --- /dev/null
 +++ b/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2301,21 +2271,17 @@ index 0000000..5d2d7be
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
+diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
-new file mode 100644
+--- openssh-6.8p1/ssh-ldap-wrapper.ldap	2015-03-18 11:11:29.033801457 +0100
-index 0000000..cb500aa
+++ openssh-6.8p1/ssh-ldap-wrapper	2015-03-18 11:11:29.033801457 +0100
 --- /dev/null
 +++ b/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
 +
-diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
+diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
-new file mode 100644
+--- openssh-6.8p1/ssh-ldap.conf.5.ldap	2015-03-18 11:11:29.033801457 +0100
-index 0000000..f7081b8
+++ openssh-6.8p1/ssh-ldap.conf.5	2015-03-18 11:11:29.033801457 +0100
 --- /dev/null
 +++ b/ssh-ldap.conf.5
@@ -0,0 +1,385 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
--- a/openssh-6.7p1-sftp-force-permission.patch
+++ b/openssh-6.7p1-sftp-force-permission.patch
@ -1,6 +1,7 @@
--- openssh-5.3p1/sftp-server.8	2015-02-10 10:08:09.611849984 +0100
+diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
-+++ openssh-5.3p1/sftp-server.8.perms	2015-02-10 10:08:52.204120509 +0100
+--- openssh-6.8p1/sftp-server.8.sftp-force-mode	2015-03-17 06:49:20.000000000 +0100
-@@ -33,6 +33,7 @@ 
+++ openssh-6.8p1/sftp-server.8	2015-03-18 13:18:05.898306477 +0100
@@ -38,6 +38,7 @@
 .Op Fl P Ar blacklisted_requests
 .Op Fl p Ar whitelisted_requests
 .Op Fl u Ar umask
@ -8,7 +9,7 @@
 .Ek
 .Nm
 .Fl Q Ar protocol_feature
-@@ -77,6 +78,10 @@ Sets an explicit
+@@ -138,6 +139,10 @@ Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
@ -19,9 +20,10 @@
 .El
 .Pp
 On some systems,
--- openssh-5.3p1/sftp-server.c	2015-02-10 10:08:09.611849984 +0100
+diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
-+++ openssh-5.3p1/sftp-server.c.perms	2015-02-10 10:39:00.855453028 +0100
+--- openssh-6.8p1/sftp-server.c.sftp-force-mode	2015-03-18 13:18:05.883306513 +0100
-@@ -70,6 +70,10 @@ Buffer oqueue;
+++ openssh-6.8p1/sftp-server.c	2015-03-18 13:18:36.697232193 +0100
@@ -70,6 +70,10 @@ struct sshbuf *oqueue;
 /* Version of client */
 static u_int version;
@ -32,10 +34,10 @@
 /* SSH2_FXP_INIT received */
 static int init_done;
-@@ -551,6 +555,10 @@ process_open(void)
+@@ -693,6 +697,10 @@ process_open(u_int32_t id)
- 	a = get_attrib();
+ 	debug3("request %u: open flags %d", id, pflags);
 	flags = flags_from_portable(pflags);
- 	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+ 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
 +	if (permforce == 1) {   /* Force perm if -m is set */
 +		mode = permforcemode;
 +		(void)umask(0); /* so umask does not interfere		 */
@ -43,7 +45,7 @@
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
-@@ -1322,7 +1330,7 @@ sftp_server_usage(void)
+@@ -1495,7 +1503,7 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 	    "[-l log_level]\n\t[-P blacklisted_requests] "
@ -52,7 +54,7 @@
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
-@@ -1343,7 +1351,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
 	pw = pwcopy(user_pw);
 	while (!skipargs && (ch = getopt(argc, argv,
@ -61,7 +63,7 @@
 		switch (ch) {
 		case 'Q':
 			if (strcasecmp(optarg, "requests") != 0) {
-@@ -1373,6 +1381,15 @@ sftp_server_main(int argc, char **argv,
+@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv,
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;
--- a/openssh-6.7p1-sshdT-output.patch
+++ b/openssh-6.7p1-sshdT-output.patch
@ -1,14 +1,7 @@
--- a/servconf.c	2015-01-30 12:24:12.388337643 +0100
+diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
-+++ b/servconf.c	2015-01-30 12:26:36.229229751 +0100
+--- openssh-6.8p1/servconf.c.sshdt	2015-03-18 13:07:24.457858235 +0100
-@@ -55,6 +55,7 @@
+++ openssh-6.8p1/servconf.c	2015-03-18 13:09:27.253557396 +0100
- #include "hostfile.h"
+@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes
 #include "auth.h"
 #include "digest.h"
 +#include "myproposal.h"
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -1974,6 +1974,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 	u_int i;
@ -17,7 +10,7 @@
 	printf("%s", lookup_opcode_name(code));
 	for (i = 0; i < count; i++)
 		printf(" %s",  vals[i]);
-@@ -2093,7 +2094,7 @@
+@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
 	/* integer arguments */
 #ifdef USE_PAM
@ -26,7 +19,7 @@
 #endif
 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
-@@ -2103,6 +2104,7 @@
+@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_int(sMaxSessions, o->max_sessions);
 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
@ -34,7 +27,7 @@
 	/* formatted integer arguments */
 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-@@ -2150,6 +2152,7 @@
+@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
@ -42,19 +35,7 @@
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
-@@ -2159,9 +2162,8 @@
+@@ -2231,7 +2235,8 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
 -	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
 -	    cipher_alg_list(',', 0));
 -	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
 +	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
 +	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2169,12 +2171,13 @@
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 	dump_cfg_string(sAuthorizedPrincipalsFile,
 	    o->authorized_principals_file);
@ -64,14 +45,7 @@
 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
-	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
 -	    kex_alg_list(','));
 +	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
 +  	    KEX_SERVER_KEX);
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2096,7 +2101,7 @@ dump_config(ServerOptions *o)
 	    o->authorized_keys_files);
 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
 	     o->host_key_files);
--- a/openssh.spec
+++ b/openssh.spec
@ -65,10 +65,10 @@
 %endif
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.7p1
+%define openssh_ver 6.8p1
-%define openssh_rel 11
+%define openssh_rel 1
 %define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 4
+%define pam_ssh_agent_rel 5
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@ -96,8 +96,6 @@ Patch0: openssh-5.9p1-wIm.patch
 #?
 Patch100: openssh-6.7p1-coverity.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
 Patch101: openssh-6.7p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
 Patch102: openssh-5.8p1-getaddrinfo.patch
@ -140,8 +138,6 @@ Patch604: openssh-6.6p1-keyperm.patch
 Patch606: openssh-5.9p1-ipv6man.patch
 #?
 Patch607: openssh-5.8p2-sigpipe.patch
 #?
 Patch608: openssh-6.1p1-askpass-ld.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
 Patch609: openssh-5.5p1-x11.patch
@ -193,9 +189,6 @@ Patch911: openssh-6.6p1-set_remote_ipaddr.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2058
 # slightly changed patch from comment 10
 Patch912: openssh-6.6.1p1-utf8-banner.patch
 # don't consider a partial success as a failure
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2270
 Patch913: openssh-6.6.1p1-partial-success.patch
 # fix parsing of empty options in sshd_conf
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
 Patch914: openssh-6.6.1p1-servconf-parser.patch
@ -377,7 +370,6 @@ The module is most useful for su and sudo service stacks.
 %patch0 -p1 -b .wIm
 %endif
 %patch101 -p1 -b .fingerprint
 # investigate %patch102 -p1 -b .getaddrinfo
 %patch103 -p1 -b .packet
@ -408,7 +400,6 @@ popd
 %patch604 -p1 -b .keyperm
 %patch606 -p1 -b .ipv6man
 %patch607 -p1 -b .sigpipe
 %patch608 -p1 -b .askpass-ld
 %patch609 -p1 -b .x11
 %patch702 -p1 -b .progress
 %patch703 -p1 -b .grab-info
@ -431,7 +422,6 @@ popd
 %patch906 -p1 -b .fromto-remote
 %patch911 -p1 -b .set_remote_ipaddr
 %patch912 -p1 -b .utf8-banner
 %patch913 -p1 -b .partial-success
 %patch914 -p1 -b .servconf
 %patch916 -p1 -b .contexts
 %patch917 -p1 -b .cisco-dh
@ -764,6 +754,9 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
 * Fri Mar 20 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1 + 0.9.3.5
 - new upstream release openssh-6.8p1
 * Thu Mar 12 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-11 + 0.9.3-4
 - Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
 - Fix auditing when using combination of ForceCommand and PTY
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 9872ca1983e566ff5a89c240529e223d  pam_ssh_agent_auth-0.9.3.tar.bz2
-3246aa79317b1d23cae783a3bf8275d6  openssh-6.7p1.tar.gz
+08f72de6751acfbd0892b5f003922701  openssh-6.8p1.tar.gz
`@ -1,2 +1,2 @@`
	`9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2`	`9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2`
	`3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz`	`08f72de6751acfbd0892b5f003922701 openssh-6.8p1.tar.gz`