openssh-7.0p1-1 + 6.9.3-7

New upstream release (#1252639) - allow root login in default config Security: Use-after-free bug related to PAM support (#1252853) Security: Privilege separation weakness related to PAM support (#1252854) Security: Incorrectly set TTYs to be world-writable (#1252862)
2015-08-13 17:43:12 +02:00 · 2015-08-13 17:43:12 +02:00 · 3f55133c24
commit 3f55133c24
parent 2939c322fa
10 changed files with 507 additions and 597 deletions
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@ -1,7 +1,7 @@
-diff -up openssh/configure.ac.vendor openssh/configure.ac
+diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
--- openssh/configure.ac.vendor	2015-06-24 11:05:39.805679794 +0200
+--- openssh-7.0p1/configure.ac.vendor	2015-08-12 11:14:54.102628399 +0200
-+++ openssh/configure.ac	2015-06-24 11:05:39.835679719 +0200
+++ openssh-7.0p1/configure.ac	2015-08-12 11:14:54.129628356 +0200
-@@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog],
+@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
 		fi
 	]
 )
@ -14,7 +14,7 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -5013,6 +5019,7 @@ echo "           Translate v4 in v6 hack
+@@ -5038,6 +5044,7 @@ echo "           Translate v4 in v6 hack
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac
 echo ""
-diff -up openssh/servconf.c.vendor openssh/servconf.c
+diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
--- openssh/servconf.c.vendor	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/servconf.c.vendor	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/servconf.c	2015-06-24 11:07:07.689460890 +0200
+++ openssh-7.0p1/servconf.c	2015-08-12 11:15:33.201565712 +0200
-@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions
+@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
@ -42,16 +42,16 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
-@@ -397,7 +400,7 @@ typedef enum {
+@@ -407,7 +410,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 -	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+@@ -529,6 +532,7 @@ static struct {
@@ -517,6 +520,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions
+@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
 		multistate_ptr = multistate_privsep;
 		goto parse_multistate;
@ -70,7 +70,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o)
+@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
@ -78,10 +78,10 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
-diff -up openssh/servconf.h.vendor openssh/servconf.h
+diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
--- openssh/servconf.h.vendor	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/servconf.h.vendor	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/servconf.h	2015-06-24 11:05:39.837679714 +0200
+++ openssh-7.0p1/servconf.h	2015-08-12 11:14:54.130628355 +0200
-@@ -154,6 +154,7 @@ typedef struct {
+@@ -155,6 +155,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
@ -89,45 +89,12 @@ diff -up openssh/servconf.h.vendor openssh/servconf.h
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c
+diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
--- openssh-6.8p1/sshd.c.vendor	2015-03-18 11:17:56.669880305 +0100
+--- openssh-7.0p1/sshd_config.0.vendor	2015-08-12 11:14:54.125628363 +0200
-+++ openssh-6.8p1/sshd.c	2015-03-18 11:17:56.697880239 +0100
+++ openssh-7.0p1/sshd_config.0	2015-08-12 11:14:54.130628355 +0200
-@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
+@@ -841,6 +841,11 @@ DESCRIPTION
 	}
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
 -	    major, minor, SSH_VERSION,
 +	    major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
@@ -1737,7 +1737,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 -	debug("sshd version %s, %s", SSH_VERSION,
 +	debug("sshd version %s, %s", 
 +		(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 #ifdef WITH_OPENSSL
 	    SSLeay_version(SSLEAY_VERSION)
 #else
 diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config
 --- openssh-6.8p1/sshd_config.vendor	2015-03-18 11:17:56.697880239 +0100
 +++ openssh-6.8p1/sshd_config	2015-03-18 11:20:15.552550274 +0100
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Defaul
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 +#ShowPatchLevel no
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
 --- openssh-6.8p1/sshd_config.0.vendor	2015-03-18 11:17:56.691880253 +0100
 +++ openssh-6.8p1/sshd_config.0	2015-03-18 11:17:56.697880239 +0100
@@ -740,6 +740,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
-              server key.  The minimum value is 512, and the default is 1024.
+              server key.  The default and minimum value is 1024.
 +     ShowPatchLevel
 +	     Specifies whether sshd will display the specific patch level of
@ -137,13 +104,13 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
      StreamLocalBindMask
              Sets the octal file creation mode mask (umask) used when creating
              a Unix-domain socket file for local or remote port forwarding.
-diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
+diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
--- openssh/sshd_config.5.vendor	2015-06-24 11:05:39.831679729 +0200
+--- openssh-7.0p1/sshd_config.5.vendor	2015-08-12 11:14:54.125628363 +0200
-+++ openssh/sshd_config.5	2015-06-24 11:05:39.837679714 +0200
+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:14:54.131628353 +0200
-@@ -1344,6 +1344,13 @@ This option applies to protocol version
+@@ -1411,6 +1411,13 @@ This option applies to protocol version
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
- The minimum value is 512, and the default is 1024.
+ The default and minimum value is 1024.
 +.It Cm ShowPatchLevel 
 +Specifies whether 
 +.Nm sshd 
@ -154,3 +121,36 @@ diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
 diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
 --- openssh-7.0p1/sshd_config.vendor	2015-08-12 11:14:54.125628363 +0200
 +++ openssh-7.0p1/sshd_config	2015-08-12 11:14:54.131628353 +0200
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Defaul
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 +#ShowPatchLevel no
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
 --- openssh-7.0p1/sshd.c.vendor	2015-08-12 11:14:54.100628403 +0200
 +++ openssh-7.0p1/sshd.c	2015-08-12 11:14:54.131628353 +0200
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
 	}
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
 -	    major, minor, SSH_VERSION,
 +	    major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
@@ -1749,7 +1749,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 -	debug("sshd version %s, %s", SSH_VERSION,
 +	debug("sshd version %s, %s", 
 +		(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 #ifdef WITH_OPENSSL
 	    SSLeay_version(SSLEAY_VERSION)
 #else
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@ -1,6 +1,6 @@
-diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
+diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c
--- openssh/gss-serv-krb5.c.GSSAPIEnablek5users	2015-06-24 11:40:03.716448353 +0200
+--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users	2015-08-12 11:27:44.022407951 +0200
-+++ openssh/gss-serv-krb5.c	2015-06-24 11:40:03.739448295 +0200
+++ openssh-7.0p1/gss-serv-krb5.c	2015-08-12 11:27:44.047407912 +0200
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	FILE *fp;
 	char file[MAXPATHLEN];
@ -18,10 +18,10 @@ diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
 	}
-diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
+diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
--- openssh/servconf.c.GSSAPIEnablek5users	2015-06-24 11:40:03.728448323 +0200
+--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users	2015-08-12 11:27:44.036407930 +0200
-+++ openssh/servconf.c	2015-06-24 11:40:03.740448292 +0200
+++ openssh-7.0p1/servconf.c	2015-08-12 11:28:49.087306430 +0200
-@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
+@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 	options->use_kuserok = -1;
@ -29,25 +29,25 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -353,6 +354,8 @@ fill_default_server_options(ServerOption
+@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
 +	if (options->enable_k5users == -1)
 +		options->enable_k5users = 0;
- 	/* Turn privilege separation on by default */
+ 	if (options->use_kuserok == -1)
- 	if (use_privsep == -1)
+ 		options->use_kuserok = 1;
- 		use_privsep = PRIVSEP_NOSANDBOX;
+ 
-@@ -412,7 +415,7 @@ typedef enum {
+@@ -423,7 +426,7 @@ typedef enum {
 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -490,12 +493,14 @@ static struct {
+@@ -502,12 +505,14 @@ static struct {
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -62,7 +62,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-@@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions
+@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_kuserok;
 		goto parse_flag;
@ -73,7 +73,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(use_kuserok);
@ -81,7 +81,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o)
+@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -89,10 +89,10 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
+diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
--- openssh/servconf.h.GSSAPIEnablek5users	2015-06-24 11:40:03.717448351 +0200
+--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users	2015-08-12 11:27:44.022407951 +0200
-+++ openssh/servconf.h	2015-06-24 11:40:03.740448292 +0200
+++ openssh-7.0p1/servconf.h	2015-08-12 11:27:44.048407911 +0200
-@@ -179,7 +179,8 @@ typedef struct {
+@@ -180,7 +180,8 @@ typedef struct {
 	int	num_permitted_opens;
@ -102,10 +102,10 @@ diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
+diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5
--- openssh/sshd_config.5.GSSAPIEnablek5users	2015-06-24 11:40:03.741448290 +0200
+--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users	2015-08-12 11:27:44.023407950 +0200
-+++ openssh/sshd_config.5	2015-06-24 11:40:40.707354263 +0200
+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:27:44.048407911 +0200
-@@ -628,6 +628,12 @@ on logout.
+@@ -633,6 +633,12 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
@ -118,9 +118,9 @@ diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
-diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config
+diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config
--- openssh/sshd_config.GSSAPIEnablek5users	2015-06-24 11:40:03.717448351 +0200
+--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users	2015-08-12 11:27:44.023407950 +0200
-+++ openssh/sshd_config	2015-06-24 11:40:03.740448292 +0200
+++ openssh-7.0p1/sshd_config	2015-08-12 11:27:44.048407911 +0200
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@ -141,8 +141,8 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
 +int main (int argc, char *argv[])
 +{
 +
-+        const Cipher *c;
+        const struct sshcipher *c;
-+        CipherContext cc;
+        struct sshcipher_ctx cc;
 +        char *algo = "aes128-ctr";
 +        char *hexkey = NULL;
 +        char *hexiv = "00000000000000000000000000000000";
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
@ -1,6 +1,6 @@
-diff -up openssh/auth2.c.gsskex openssh/auth2.c
+diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c
--- openssh/auth2.c.gsskex	2015-06-24 11:07:36.180389924 +0200
+--- openssh-7.0p1/auth2.c.gsskex	2015-08-12 11:15:43.625548999 +0200
-+++ openssh/auth2.c	2015-06-24 11:07:36.228389804 +0200
+++ openssh-7.0p1/auth2.c	2015-08-12 11:15:43.692548892 +0200
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh/auth2.c.gsskex openssh/auth2.c
 	&method_gssapi,
 #endif
 	&method_passwd,
-diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c
+diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c
--- openssh/auth2-gss.c.gsskex	2015-06-24 11:07:36.179389926 +0200
+--- openssh-7.0p1/auth2-gss.c.gsskex	2015-08-12 11:15:43.624549001 +0200
-+++ openssh/auth2-gss.c	2015-06-24 11:07:36.228389804 +0200
+++ openssh-7.0p1/auth2-gss.c	2015-08-12 11:15:43.692548892 +0200
@@ -31,6 +31,7 @@
 #include <sys/types.h>
@ -102,10 +102,10 @@ diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,
-diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
+diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
--- openssh/clientloop.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/clientloop.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/clientloop.c	2015-06-24 11:07:36.228389804 +0200
+++ openssh-7.0p1/clientloop.c	2015-08-12 11:15:43.693548890 +0200
-@@ -114,6 +114,10 @@
+@@ -115,6 +115,10 @@
 #include "ssherr.h"
 #include "hostfile.h"
@ -116,7 +116,7 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
 /* import options */
 extern Options options;
-@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_cha
+@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha
 		/* Do channel operations unless rekeying in progress. */
 		if (!rekeying) {
 			channel_after_select(readset, writeset);
@ -132,9 +132,9 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
 			if (need_rekeying || packet_need_rekeying()) {
 				debug("need rekeying");
 				active_state->kex->done = 0;
-diff -up openssh/configure.ac.gsskex openssh/configure.ac
+diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac
--- openssh/configure.ac.gsskex	2015-06-24 11:07:36.214389839 +0200
+--- openssh-7.0p1/configure.ac.gsskex	2015-08-12 11:15:43.675548919 +0200
-+++ openssh/configure.ac	2015-06-24 11:07:36.229389802 +0200
+++ openssh-7.0p1/configure.ac	2015-08-12 11:15:43.694548889 +0200
@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("
 	    [Use tunnel device compatibility to OpenBSD])
 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
@ -166,9 +166,9 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac
 	m4_pattern_allow([AU_IPv])
 	AC_CHECK_DECL([AU_IPv4], [], 
 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c
--- openssh/gss-genr.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/gss-genr.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/gss-genr.c	2015-06-24 11:07:36.229389802 +0200
+++ openssh-7.0p1/gss-genr.c	2015-08-12 11:15:43.694548889 +0200
@@ -41,12 +41,167 @@
 #include "buffer.h"
 #include "log.h"
@ -506,9 +506,9 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c
+diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c
--- openssh/gss-serv.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/gss-serv.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/gss-serv.c	2015-06-24 11:11:53.171742794 +0200
+++ openssh-7.0p1/gss-serv.c	2015-08-12 11:15:43.694548889 +0200
@@ -45,17 +45,19 @@
 #include "session.h"
 #include "misc.h"
@ -791,9 +791,9 @@ diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c
 }
 #endif
-diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c
+diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c
--- openssh/gss-serv-krb5.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/gss-serv-krb5.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/gss-serv-krb5.c	2015-06-24 11:07:36.229389802 +0200
+++ openssh-7.0p1/gss-serv-krb5.c	2015-08-12 11:15:43.694548889 +0200
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	krb5_error_code problem;
 	krb5_principal princ;
@ -921,9 +921,9 @@ diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c
 };
 #endif /* KRB5 */
-diff -up openssh/kex.c.gsskex openssh/kex.c
+diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
--- openssh/kex.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/kex.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/kex.c	2015-06-24 11:07:36.230389799 +0200
+++ openssh-7.0p1/kex.c	2015-08-12 11:15:43.695548887 +0200
@@ -55,6 +55,10 @@
 #include "sshbuf.h"
 #include "digest.h"
@ -960,9 +960,9 @@ diff -up openssh/kex.c.gsskex openssh/kex.c
 	}
 	return NULL;
 }
-diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c
--- openssh/kexgssc.c.gsskex	2015-06-24 11:07:36.231389797 +0200
+--- openssh-7.0p1/kexgssc.c.gsskex	2015-08-12 11:15:43.695548887 +0200
-+++ openssh/kexgssc.c	2015-06-24 11:07:36.230389799 +0200
+++ openssh-7.0p1/kexgssc.c	2015-08-12 11:15:43.695548887 +0200
@@ -0,0 +1,338 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1302,9 +1302,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c
--- openssh/kexgsss.c.gsskex	2015-06-24 11:07:36.231389797 +0200
+--- openssh-7.0p1/kexgsss.c.gsskex	2015-08-12 11:15:43.695548887 +0200
-+++ openssh/kexgsss.c	2015-06-24 11:07:36.231389797 +0200
+++ openssh-7.0p1/kexgsss.c	2015-08-12 11:15:43.695548887 +0200
@@ -0,0 +1,295 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1601,9 +1601,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
 +	return 0;
 +}
 +#endif /* GSSAPI */
-diff -up openssh/kex.h.gsskex openssh/kex.h
+diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
--- openssh/kex.h.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/kex.h.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/kex.h	2015-06-24 11:07:36.230389799 +0200
+++ openssh-7.0p1/kex.h	2015-08-12 11:17:44.694354889 +0200
@@ -93,6 +93,11 @@ enum kex_exchange {
 	KEX_DH_GEX_SHA256,
 	KEX_ECDH_SHA2,
@ -1628,8 +1628,8 @@ diff -up openssh/kex.h.gsskex openssh/kex.h
 +#endif
 	char	*client_version_string;
 	char	*server_version_string;
- 	int	(*verify_host_key)(struct sshkey *, struct ssh *);
+ 	char	*failed_choice;
-@@ -183,6 +194,10 @@ int	 kexecdh_client(struct ssh *);
+@@ -186,6 +197,10 @@ int	 kexecdh_client(struct ssh *);
 int	 kexecdh_server(struct ssh *);
 int	 kexc25519_client(struct ssh *);
 int	 kexc25519_server(struct ssh *);
@ -1640,9 +1640,9 @@ diff -up openssh/kex.h.gsskex openssh/kex.h
 int	 kex_dh_hash(const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
+diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in
--- openssh/Makefile.in.gsskex	2015-06-24 11:07:36.223389817 +0200
+--- openssh-7.0p1/Makefile.in.gsskex	2015-08-12 11:15:43.686548901 +0200
-+++ openssh/Makefile.in	2015-06-24 11:07:36.228389804 +0200
+++ openssh-7.0p1/Makefile.in	2015-08-12 11:15:43.695548887 +0200
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
@ -1660,9 +1660,9 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
-diff -up openssh/monitor.c.gsskex openssh/monitor.c
+diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
--- openssh/monitor.c.gsskex	2015-06-24 11:07:36.180389924 +0200
+--- openssh-7.0p1/monitor.c.gsskex	2015-08-12 11:15:43.626548998 +0200
-+++ openssh/monitor.c	2015-06-24 11:07:36.231389797 +0200
+++ openssh-7.0p1/monitor.c	2015-08-12 11:15:43.696548885 +0200
@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@ -1852,9 +1852,9 @@ diff -up openssh/monitor.c.gsskex openssh/monitor.c
 +
 #endif /* GSSAPI */
-diff -up openssh/monitor.h.gsskex openssh/monitor.h
+diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h
--- openssh/monitor.h.gsskex	2015-06-24 11:07:36.181389921 +0200
+--- openssh-7.0p1/monitor.h.gsskex	2015-08-12 11:15:43.626548998 +0200
-+++ openssh/monitor.h	2015-06-24 11:07:36.231389797 +0200
+++ openssh-7.0p1/monitor.h	2015-08-12 11:15:43.696548885 +0200
@@ -60,6 +60,8 @@ enum monitor_reqtype {
 #ifdef WITH_SELINUX
 	MONITOR_REQ_AUTHROLE = 80,
@ -1864,10 +1864,10 @@ diff -up openssh/monitor.h.gsskex openssh/monitor.h
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
+diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c
--- openssh/monitor_wrap.c.gsskex	2015-06-24 11:07:36.181389921 +0200
+--- openssh-7.0p1/monitor_wrap.c.gsskex	2015-08-12 11:15:43.626548998 +0200
-+++ openssh/monitor_wrap.c	2015-06-24 11:07:36.231389797 +0200
+++ openssh-7.0p1/monitor_wrap.c	2015-08-12 11:15:43.697548884 +0200
-@@ -1088,7 +1088,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
+@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 }
 int
@ -1876,7 +1876,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
 {
 	Buffer m;
 	int authenticated = 0;
-@@ -1105,5 +1105,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user)
 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
 	return (authenticated);
 }
@ -1927,9 +1927,9 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
 +
 #endif /* GSSAPI */
-diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h
+diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h
--- openssh/monitor_wrap.h.gsskex	2015-06-24 11:07:36.181389921 +0200
+--- openssh-7.0p1/monitor_wrap.h.gsskex	2015-08-12 11:15:43.626548998 +0200
-+++ openssh/monitor_wrap.h	2015-06-24 11:07:36.232389794 +0200
+++ openssh-7.0p1/monitor_wrap.h	2015-08-12 11:15:43.697548884 +0200
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -1942,9 +1942,9 @@ diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h
 #endif
 #ifdef USE_PAM
-diff -up openssh/readconf.c.gsskex openssh/readconf.c
+diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
--- openssh/readconf.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/readconf.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/readconf.c	2015-06-24 11:07:36.232389794 +0200
+++ openssh-7.0p1/readconf.c	2015-08-12 11:15:43.697548884 +0200
@@ -147,6 +147,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -1954,7 +1954,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
-@@ -191,10 +193,19 @@ static struct {
+@@ -192,10 +194,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
@ -1974,7 +1974,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -892,10 +903,30 @@ parse_time:
+@@ -894,10 +905,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2018,7 +2018,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
+@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2033,9 +2033,9 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-diff -up openssh/readconf.h.gsskex openssh/readconf.h
+diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h
--- openssh/readconf.h.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/readconf.h.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/readconf.h	2015-06-24 11:07:36.232389794 +0200
+++ openssh-7.0p1/readconf.h	2015-08-12 11:15:43.697548884 +0200
@@ -45,7 +45,12 @@ typedef struct {
 	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
@ -2049,33 +2049,33 @@ diff -up openssh/readconf.h.gsskex openssh/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
+diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh
--- openssh/regress/cert-hostkey.sh.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/regress/cert-hostkey.sh.gsskex	2015-08-12 11:15:43.698548882 +0200
-+++ openssh/regress/cert-hostkey.sh	2015-06-24 11:07:36.232389794 +0200
+++ openssh-7.0p1/regress/cert-hostkey.sh	2015-08-12 11:16:52.511438554 +0200
-@@ -25,7 +25,7 @@ touch $OBJ/host_revoked_plain
+@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
 cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
 -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
- type_has_legacy() {
+ # Prepare certificate, plain key and CA KRLs
- 	case $1 in
+ ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
-diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
+diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh
--- openssh/regress/cert-userkey.sh.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/regress/cert-userkey.sh.gsskex	2015-08-12 11:15:43.698548882 +0200
-+++ openssh/regress/cert-userkey.sh	2015-06-24 11:07:36.232389794 +0200
+++ openssh-7.0p1/regress/cert-userkey.sh	2015-08-12 11:20:30.110089677 +0200
-@@ -6,7 +6,7 @@ tid="certified user keys"
+@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
- type_has_legacy() {
+ kname() {
- 	case $1 in
+ 	n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
-diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
+diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh
--- openssh/regress/kextype.sh.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/regress/kextype.sh.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/regress/kextype.sh	2015-06-24 11:07:36.233389792 +0200
+++ openssh-7.0p1/regress/kextype.sh	2015-08-12 11:15:43.698548882 +0200
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
 tries="1 2 3 4"
@ -2086,9 +2086,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
 	verbose "kex $k"
 	for i in $tries; do
 		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
-diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh
+diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh
--- openssh/regress/rekey.sh.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/regress/rekey.sh.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/regress/rekey.sh	2015-06-24 11:07:36.233389792 +0200
+++ openssh-7.0p1/regress/rekey.sh	2015-08-12 11:15:43.698548882 +0200
@@ -38,6 +38,9 @@ increase_datafile_size 300
 opts=""
@ -2109,10 +2109,10 @@ diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh
 	verbose "client rekey $c $kex"
 	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
     done
-diff -up openssh/servconf.c.gsskex openssh/servconf.c
+diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
--- openssh/servconf.c.gsskex	2015-06-24 11:07:36.214389839 +0200
+--- openssh-7.0p1/servconf.c.gsskex	2015-08-12 11:15:43.676548918 +0200
-+++ openssh/servconf.c	2015-06-24 11:20:08.026487223 +0200
+++ openssh-7.0p1/servconf.c	2015-08-12 11:22:32.686893730 +0200
-@@ -115,8 +115,10 @@ initialize_server_options(ServerOptions
+@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
@ -2138,8 +2138,8 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -404,7 +410,7 @@ typedef enum {
+@@ -415,7 +421,7 @@ typedef enum {
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 -	sAcceptEnv, sPermitTunnel,
@ -2147,7 +2147,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
-@@ -477,11 +483,17 @@ static struct {
+@@ -489,11 +495,17 @@ static struct {
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2165,7 +2165,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1218,6 +1230,10 @@ process_server_config_line(ServerOptions
+@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2176,7 +2176,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
-@@ -1226,6 +1242,10 @@ process_server_config_line(ServerOptions
+@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_strict_acceptor;
 		goto parse_flag;
@ -2187,7 +2187,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
-@@ -2238,6 +2258,9 @@ dump_config(ServerOptions *o)
+@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2197,10 +2197,10 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
-diff -up openssh/servconf.h.gsskex openssh/servconf.h
+diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h
--- openssh/servconf.h.gsskex	2015-06-24 11:07:36.233389792 +0200
+--- openssh-7.0p1/servconf.h.gsskex	2015-08-12 11:15:43.676548918 +0200
-+++ openssh/servconf.h	2015-06-24 11:21:20.888302354 +0200
+++ openssh-7.0p1/servconf.h	2015-08-12 11:15:43.700548879 +0200
-@@ -117,8 +117,10 @@ typedef struct {
+@@ -118,8 +118,10 @@ typedef struct {
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
@ -2211,10 +2211,10 @@ diff -up openssh/servconf.h.gsskex openssh/servconf.h
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5
+diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
--- openssh/ssh_config.5.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/ssh_config.5.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/ssh_config.5	2015-06-24 11:07:36.234389789 +0200
+++ openssh-7.0p1/ssh_config.5	2015-08-12 11:15:43.700548879 +0200
-@@ -744,11 +744,43 @@ Specifies whether user authentication ba
+@@ -749,11 +749,43 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@ -2259,9 +2259,9 @@ diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-diff -up openssh/ssh_config.gsskex openssh/ssh_config
+diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config
--- openssh/ssh_config.gsskex	2015-06-24 11:07:36.209389852 +0200
+--- openssh-7.0p1/ssh_config.gsskex	2015-08-12 11:15:43.667548932 +0200
-+++ openssh/ssh_config	2015-06-24 11:07:36.234389789 +0200
+++ openssh-7.0p1/ssh_config	2015-08-12 11:15:43.700548879 +0200
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@ -2271,9 +2271,9 @@ diff -up openssh/ssh_config.gsskex openssh/ssh_config
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
-diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
+diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
--- openssh/sshconnect2.c.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/sshconnect2.c.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/sshconnect2.c	2015-06-24 11:07:36.234389789 +0200
+++ openssh-7.0p1/sshconnect2.c	2015-08-12 11:25:12.486644393 +0200
@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
 	struct kex *kex;
 	int r;
@ -2306,12 +2306,12 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 +	}
 +#endif
 +
 	if (options.ciphers == (char *)-1) {
 		logit("No valid ciphers for protocol version 2 given, using defaults.");
 		options.ciphers = NULL;
@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *ho
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
- 	    myproposal[PROPOSAL_KEX_ALGS]);
+ 	    options.kex_algorithms);
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho
 		    order_hostkeyalgs(host, hostaddr, port));
 	}
 +#ifdef GSSAPI
 +	/* If we've got GSSAPI algorithms, then we also support the
@ -2327,7 +2327,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
-@@ -217,11 +253,31 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
 # endif
 #endif
@ -2359,7 +2359,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 	dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
 	if (options.use_roaming && !kex->roaming) {
-@@ -313,6 +369,7 @@ int	input_gssapi_token(int type, u_int32
+@@ -306,6 +362,7 @@ int	input_gssapi_token(int type, u_int32
 int	input_gssapi_hash(int type, u_int32_t, void *);
 int	input_gssapi_error(int, u_int32_t, void *);
 int	input_gssapi_errtok(int, u_int32_t, void *);
@ -2367,7 +2367,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 #endif
 void	userauth(Authctxt *, char *);
-@@ -328,6 +385,11 @@ static char *authmethods_get(void);
+@@ -321,6 +378,11 @@ static char *authmethods_get(void);
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@ -2379,7 +2379,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 	{"gssapi-with-mic",
 		userauth_gssapi,
 		NULL,
-@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
@ -2413,7 +2413,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
-@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_
+@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
 {
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
@ -2424,7 +2424,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
-@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p
 	free(lang);
 	return 0;
 }
@ -2473,10 +2473,10 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 #endif /* GSSAPI */
 int
-diff -up openssh/sshd.c.gsskex openssh/sshd.c
+diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
--- openssh/sshd.c.gsskex	2015-06-24 11:07:36.217389832 +0200
+--- openssh-7.0p1/sshd.c.gsskex	2015-08-12 11:15:43.679548913 +0200
-+++ openssh/sshd.c	2015-06-24 11:07:36.235389787 +0200
+++ openssh-7.0p1/sshd.c	2015-08-12 11:15:43.702548876 +0200
-@@ -1839,10 +1839,13 @@ main(int ac, char **av)
+@@ -1843,10 +1843,13 @@ main(int ac, char **av)
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
 	}
@ -2490,7 +2490,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 		logit("sshd: no hostkeys available -- exiting.");
 		exit(1);
-@@ -2589,6 +2592,48 @@ do_ssh2_kex(void)
+@@ -2582,6 +2585,48 @@ do_ssh2_kex(void)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 	    list_hostkey_types());
@ -2539,7 +2539,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
 	/* start key exchange */
 	if ((r = kex_setup(active_state, myproposal)) != 0)
 		fatal("kex_setup: %s", ssh_err(r));
-@@ -2603,6 +2648,13 @@ do_ssh2_kex(void)
+@@ -2596,6 +2641,13 @@ do_ssh2_kex(void)
 # endif
 #endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -2553,10 +2553,10 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
+diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5
--- openssh/sshd_config.5.gsskex	2015-06-24 11:07:36.235389787 +0200
+--- openssh-7.0p1/sshd_config.5.gsskex	2015-08-12 11:15:43.677548916 +0200
-+++ openssh/sshd_config.5	2015-06-24 11:23:13.490016656 +0200
+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:15:43.702548876 +0200
-@@ -616,6 +616,12 @@ Specifies whether user authentication ba
+@@ -621,6 +621,12 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@ -2569,7 +2569,7 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
-@@ -637,6 +643,11 @@ machine's default store.
+@@ -642,6 +648,11 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Dq yes .
@ -2581,9 +2581,9 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
-diff -up openssh/sshd_config.gsskex openssh/sshd_config
+diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config
--- openssh/sshd_config.gsskex	2015-06-24 11:07:36.217389832 +0200
+--- openssh-7.0p1/sshd_config.gsskex	2015-08-12 11:15:43.679548913 +0200
-+++ openssh/sshd_config	2015-06-24 11:07:36.235389787 +0200
+++ openssh-7.0p1/sshd_config	2015-08-12 11:15:43.702548876 +0200
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
 # GSSAPI options
 GSSAPIAuthentication yes
@ -2593,9 +2593,9 @@ diff -up openssh/sshd_config.gsskex openssh/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-diff -up openssh/ssh-gss.h.gsskex openssh/ssh-gss.h
+diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h
--- openssh/ssh-gss.h.gsskex	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/ssh-gss.h.gsskex	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/ssh-gss.h	2015-06-24 11:07:36.234389789 +0200
+++ openssh-7.0p1/ssh-gss.h	2015-08-12 11:15:43.702548876 +0200
@@ -1,6 +1,6 @@
 /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -1,6 +1,6 @@
-diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
+diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
--- openssh-6.8p1/auth-krb5.c.kuserok	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.0p1/auth-krb5.c.kuserok	2015-08-11 10:57:29.000000000 +0200
-+++ openssh-6.8p1/auth-krb5.c	2015-03-18 12:37:14.349351304 +0100
+++ openssh-7.0p1/auth-krb5.c	2015-08-12 11:26:21.874536127 +0200
@@ -55,6 +55,21 @@
 extern ServerOptions	 options;
@ -35,9 +35,9 @@ diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
 		problem = -1;
 		goto out;
 	}
-diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
+diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.kuserok	2015-03-18 12:37:14.346351312 +0100
+--- openssh-7.0p1/gss-serv-krb5.c.kuserok	2015-08-12 11:26:21.868536137 +0200
-+++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 12:37:14.349351304 +0100
+++ openssh-7.0p1/gss-serv-krb5.c	2015-08-12 11:26:21.875536126 +0200
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
@ -172,10 +172,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
 	}
 	if ((fp = fopen(file, "r")) == NULL) {
 		int saved_errno = errno;
-diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
+diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
--- openssh-6.8p1/servconf.c.kuserok	2015-03-18 12:37:14.342351322 +0100
+--- openssh-7.0p1/servconf.c.kuserok	2015-08-12 11:26:21.865536141 +0200
-+++ openssh-6.8p1/servconf.c	2015-03-18 12:38:36.133145700 +0100
+++ openssh-7.0p1/servconf.c	2015-08-12 11:27:14.126454598 +0200
-@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
+@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
@ -183,16 +183,16 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
+@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 +	if (options->use_kuserok == -1)
 +		options->use_kuserok = 1;
- 	/* Turn privilege separation on by default */
+ 
- 	if (use_privsep == -1)
+ 	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
- 		use_privsep = PRIVSEP_NOSANDBOX;
+ 	    kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
-@@ -388,7 +391,7 @@ typedef enum {
+@@ -404,7 +407,7 @@ typedef enum {
 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -201,7 +201,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -464,11 +467,13 @@ static struct {
+@@ -483,11 +486,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -215,7 +215,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions
+@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -226,7 +226,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
@ -234,7 +234,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o)
+@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -242,10 +242,10 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
+diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
--- openssh-6.8p1/servconf.h.kuserok	2015-03-18 12:37:14.342351322 +0100
+--- openssh-7.0p1/servconf.h.kuserok	2015-08-12 11:26:21.865536141 +0200
-+++ openssh-6.8p1/servconf.h	2015-03-18 12:37:14.350351302 +0100
+++ openssh-7.0p1/servconf.h	2015-08-12 11:26:21.876536124 +0200
-@@ -177,6 +177,7 @@ typedef struct {
+@@ -180,6 +180,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -253,21 +253,10 @@ diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config
+diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
--- openssh-6.8p1/sshd_config.kuserok	2015-03-18 12:37:14.344351317 +0100
+--- openssh-7.0p1/sshd_config.5.kuserok	2015-08-12 11:26:21.867536138 +0200
-+++ openssh-6.8p1/sshd_config	2015-03-18 12:37:14.350351302 +0100
+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:26:21.877536123 +0200
-@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
+@@ -872,6 +872,10 @@ Specifies whether to automatically destr
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 GSSAPIAuthentication yes
 diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
 --- openssh-6.8p1/sshd_config.5.kuserok	2015-03-18 12:37:14.343351319 +0100
 +++ openssh-6.8p1/sshd_config.5	2015-03-18 12:39:23.373026939 +0100
@@ -779,6 +779,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
@ -278,7 +267,7 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -1017,6 +1021,7 @@ Available keywords are
+@@ -1116,6 +1120,7 @@ Available keywords are
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@ -286,3 +275,14 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config
 --- openssh-7.0p1/sshd_config.kuserok	2015-08-12 11:26:21.867536138 +0200
 +++ openssh-7.0p1/sshd_config	2015-08-12 11:26:21.876536124 +0200
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 GSSAPIAuthentication yes
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@ -1,6 +1,6 @@
-diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
+diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c
--- openssh/audit-bsm.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/audit-bsm.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/audit-bsm.c	2015-06-24 11:53:29.780390469 +0200
+++ openssh-7.0p1/audit-bsm.c	2015-08-12 11:33:00.409914290 +0200
@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
 #endif
 }
@ -80,9 +80,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff -up openssh/audit.c.audit openssh/audit.c
+diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c
--- openssh/audit.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/audit.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/audit.c	2015-06-24 11:53:29.781390467 +0200
+++ openssh-7.0p1/audit.c	2015-08-12 11:33:00.410914289 +0200
@@ -28,6 +28,7 @@
 #include <stdarg.h>
@ -280,9 +280,9 @@ diff -up openssh/audit.c.audit openssh/audit.c
 }
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/audit.h.audit openssh/audit.h
+diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h
--- openssh/audit.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/audit.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/audit.h	2015-06-24 11:53:29.781390467 +0200
+++ openssh-7.0p1/audit.h	2015-08-12 11:33:00.410914289 +0200
@@ -28,6 +28,7 @@
 # define _SSH_AUDIT_H
@ -318,9 +318,9 @@ diff -up openssh/audit.h.audit openssh/audit.h
 +void	audit_generate_ephemeral_server_key(const char *);
 #endif /* _SSH_AUDIT_H */
-diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c
--- openssh/audit-linux.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/audit-linux.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/audit-linux.c	2015-06-24 11:53:29.781390467 +0200
+++ openssh-7.0p1/audit-linux.c	2015-08-12 11:33:00.411914287 +0200
@@ -35,13 +35,25 @@
 #include "log.h"
@ -612,7 +612,7 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
 +#ifdef AUDIT_CRYPTO_SESSION
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, audit_ok;
-+	const Cipher *cipher = cipher_by_name(enc);
+	const struct sshcipher *cipher = cipher_by_name(enc);
 +	char *s;
 +
 +	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
@ -712,9 +712,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-diff -up openssh/auditstub.c.audit openssh/auditstub.c
+diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c
--- openssh/auditstub.c.audit	2015-06-24 11:53:29.782390464 +0200
+--- openssh-7.0p1/auditstub.c.audit	2015-08-12 11:33:00.411914287 +0200
-+++ openssh/auditstub.c	2015-06-24 11:53:29.782390464 +0200
+++ openssh-7.0p1/auditstub.c	2015-08-12 11:33:00.411914287 +0200
@@ -0,0 +1,50 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -766,9 +766,9 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +}
-diff -up openssh/auth2.c.audit openssh/auth2.c
+diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c
--- openssh/auth2.c.audit	2015-06-24 11:53:29.731390595 +0200
+--- openssh-7.0p1/auth2.c.audit	2015-08-12 11:33:00.349914384 +0200
-+++ openssh/auth2.c	2015-06-24 11:53:29.783390462 +0200
+++ openssh-7.0p1/auth2.c	2015-08-12 11:33:00.411914287 +0200
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
@ -779,9 +779,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c
 		}
 #ifdef USE_PAM
 		if (options.use_pam)
-diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
+diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c
--- openssh/auth2-hostbased.c.audit	2015-06-24 11:53:29.682390720 +0200
+--- openssh-7.0p1/auth2-hostbased.c.audit	2015-08-12 11:33:00.303914456 +0200
-+++ openssh/auth2-hostbased.c	2015-06-24 11:53:29.782390464 +0200
+++ openssh-7.0p1/auth2-hostbased.c	2015-08-12 11:33:00.412914286 +0200
@@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt)
 	/* test for allowed key and correct signature */
 	authenticated = 0;
@ -810,9 +810,9 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
 /* return 1 if given hostkey is allowed */
 int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
+diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
--- openssh/auth2-pubkey.c.audit	2015-06-24 11:53:29.783390462 +0200
+--- openssh-7.0p1/auth2-pubkey.c.audit	2015-08-12 11:33:00.318914432 +0200
-+++ openssh/auth2-pubkey.c	2015-06-24 11:58:49.547572821 +0200
+++ openssh-7.0p1/auth2-pubkey.c	2015-08-12 11:33:00.412914286 +0200
@@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt)
 		/* test for correct signature */
 		authenticated = 0;
@ -841,10 +841,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
 /*
  * Splits 's' into an argument vector. Handles quoted string and basic
  * escape characters (\\, \", \'). Caller must free the argument vector
-diff -up openssh/auth.c.audit openssh/auth.c
+diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c
--- openssh/auth.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/auth.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/auth.c	2015-06-24 11:53:29.782390464 +0200
+++ openssh-7.0p1/auth.c	2015-08-12 11:33:00.412914286 +0200
-@@ -643,9 +643,6 @@ getpwnamallow(const char *user)
+@@ -645,9 +645,6 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
@ -854,9 +854,9 @@ diff -up openssh/auth.c.audit openssh/auth.c
 		return (NULL);
 	}
 	if (!allowed_user(pw))
-diff -up openssh/auth.h.audit openssh/auth.h
+diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h
--- openssh/auth.h.audit	2015-06-24 11:53:29.682390720 +0200
+--- openssh-7.0p1/auth.h.audit	2015-08-12 11:33:00.302914457 +0200
-+++ openssh/auth.h	2015-06-24 11:53:29.782390464 +0200
+++ openssh-7.0p1/auth.h	2015-08-12 11:33:00.412914286 +0200
@@ -195,6 +195,7 @@ void	abandon_challenge_response(Authctxt
 char	*expand_authorized_keys(const char *, struct passwd *pw);
@ -873,9 +873,9 @@ diff -up openssh/auth.h.audit openssh/auth.h
 /* debug messages during authentication */
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c
+diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c
--- openssh/auth-rsa.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/auth-rsa.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/auth-rsa.c	2015-06-24 11:53:29.782390464 +0200
+++ openssh-7.0p1/auth-rsa.c	2015-08-12 11:33:00.412914286 +0200
@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU
 {
 	u_char buf[32], mdbuf[16];
@ -912,9 +912,9 @@ diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c
 }
 /*
-diff -up openssh/cipher.c.audit openssh/cipher.c
+diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c
--- openssh/cipher.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/cipher.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/cipher.c	2015-06-24 11:53:29.783390462 +0200
+++ openssh-7.0p1/cipher.c	2015-08-12 11:33:00.412914286 +0200
@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
 extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
 #endif
@ -942,9 +942,9 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_SSH1
 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
-diff -up openssh/cipher.h.audit openssh/cipher.h
+diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h
--- openssh/cipher.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/cipher.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/cipher.h	2015-06-24 11:53:29.783390462 +0200
+++ openssh-7.0p1/cipher.h	2015-08-12 11:33:00.413914284 +0200
@@ -62,7 +62,26 @@
 #define CIPHER_ENCRYPT		1
 #define CIPHER_DECRYPT		0
@ -973,9 +973,9 @@ diff -up openssh/cipher.h.audit openssh/cipher.h
 struct sshcipher_ctx {
 	int	plaintext;
 	int	encrypt;
-diff -up openssh/kex.c.audit openssh/kex.c
+diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
--- openssh/kex.c.audit	2015-06-24 11:53:29.733390590 +0200
+--- openssh-7.0p1/kex.c.audit	2015-08-12 11:33:00.351914381 +0200
-+++ openssh/kex.c	2015-06-24 11:53:29.783390462 +0200
+++ openssh-7.0p1/kex.c	2015-08-12 11:33:00.413914284 +0200
@@ -54,6 +54,7 @@
 #include "ssherr.h"
 #include "sshbuf.h"
@ -984,7 +984,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 #ifdef GSSAPI
 #include "ssh-gss.h"
-@@ -486,8 +487,12 @@ choose_enc(struct sshenc *enc, char *cli
+@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli
 {
 	char *name = match_list(client, server, NULL);
@ -998,7 +998,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	if ((enc->cipher = cipher_by_name(name)) == NULL)
 		return SSH_ERR_INTERNAL_ERROR;
 	enc->name = name;
-@@ -505,8 +510,12 @@ choose_mac(struct ssh *ssh, struct sshma
+@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma
 {
 	char *name = match_list(client, server, NULL);
@ -1012,7 +1012,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	if (mac_setup(mac, name) < 0)
 		return SSH_ERR_INTERNAL_ERROR;
 	/* truncate the key */
-@@ -523,8 +532,12 @@ choose_comp(struct sshcomp *comp, char *
+@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char *
 {
 	char *name = match_list(client, server, NULL);
@ -1026,7 +1026,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	if (strcmp(name, "zlib@openssh.com") == 0) {
 		comp->type = COMP_DELAYED;
 	} else if (strcmp(name, "zlib") == 0) {
-@@ -674,6 +687,10 @@ kex_choose_conf(struct ssh *ssh)
+@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh)
 		dh_need = MAX(dh_need, newkeys->enc.block_size);
 		dh_need = MAX(dh_need, newkeys->enc.iv_len);
 		dh_need = MAX(dh_need, newkeys->mac.key_len);
@ -1037,7 +1037,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	}
 	/* XXX need runden? */
 	kex->we_need = need;
-@@ -849,3 +866,34 @@ dump_digest(char *msg, u_char *digest, i
+@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i
 	sshbuf_dump_data(digest, len, stderr);
 }
 #endif
@ -1072,10 +1072,10 @@ diff -up openssh/kex.c.audit openssh/kex.c
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
 +
-diff -up openssh/kex.h.audit openssh/kex.h
+diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h
--- openssh/kex.h.audit	2015-06-24 11:53:29.733390590 +0200
+--- openssh-7.0p1/kex.h.audit	2015-08-12 11:33:00.352914379 +0200
-+++ openssh/kex.h	2015-06-24 11:53:29.784390459 +0200
+++ openssh-7.0p1/kex.h	2015-08-12 11:33:00.413914284 +0200
-@@ -199,6 +199,8 @@ int	 kexgss_client(struct ssh *);
+@@ -202,6 +202,8 @@ int	 kexgss_client(struct ssh *);
 int	 kexgss_server(struct ssh *);
 #endif
@ -1084,20 +1084,20 @@ diff -up openssh/kex.h.audit openssh/kex.h
 int	 kex_dh_hash(const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
     const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
-diff -up openssh/key.h.audit openssh/key.h
+diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h
--- openssh/key.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/key.h.audit	2015-08-12 11:33:00.413914284 +0200
-+++ openssh/key.h	2015-06-24 11:53:29.784390459 +0200
+++ openssh-7.0p1/key.h	2015-08-12 11:33:45.908843298 +0200
@@ -50,6 +50,7 @@ typedef struct sshkey Key;
 #define key_ecdsa_bits_to_nid	sshkey_ecdsa_bits_to_nid
 #define key_ecdsa_key_to_nid	sshkey_ecdsa_key_to_nid
 #define key_is_cert		sshkey_is_cert
 +#define key_is_private		sshkey_is_private
 #define key_type_plain		sshkey_type_plain
 #define key_cert_is_legacy	sshkey_cert_is_legacy
 #define key_curve_name_to_nid	sshkey_curve_name_to_nid
-diff -up openssh/mac.c.audit openssh/mac.c
+ #define key_curve_nid_to_bits	sshkey_curve_nid_to_bits
--- openssh/mac.c.audit	2015-06-23 02:34:47.000000000 +0200
+diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c
-+++ openssh/mac.c	2015-06-24 11:53:29.784390459 +0200
+--- openssh-7.0p1/mac.c.audit	2015-08-11 10:57:29.000000000 +0200
 +++ openssh-7.0p1/mac.c	2015-08-12 11:33:00.413914284 +0200
@@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac)
 	mac->umac_ctx = NULL;
 }
@ -1119,9 +1119,9 @@ diff -up openssh/mac.c.audit openssh/mac.c
 /* XXX copied from ciphers_valid */
 #define	MAC_SEP	","
 int
-diff -up openssh/mac.h.audit openssh/mac.h
+diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h
--- openssh/mac.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/mac.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/mac.h	2015-06-24 11:53:29.784390459 +0200
+++ openssh-7.0p1/mac.h	2015-08-12 11:33:00.413914284 +0200
@@ -47,5 +47,6 @@ int	 mac_init(struct sshmac *);
 int	 mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
     u_char *, size_t);
@ -1129,9 +1129,9 @@ diff -up openssh/mac.h.audit openssh/mac.h
 +void	 mac_destroy(struct sshmac *);
 #endif /* SSHMAC_H */
-diff -up openssh/Makefile.in.audit openssh/Makefile.in
+diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in
--- openssh/Makefile.in.audit	2015-06-24 11:53:29.752390541 +0200
+--- openssh-7.0p1/Makefile.in.audit	2015-08-12 11:33:00.402914301 +0200
-+++ openssh/Makefile.in	2015-06-24 11:53:29.780390469 +0200
+++ openssh-7.0p1/Makefile.in	2015-08-12 11:33:00.414914283 +0200
@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
@ -1141,9 +1141,9 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-diff -up openssh/monitor.c.audit openssh/monitor.c
+diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
--- openssh/monitor.c.audit	2015-06-24 11:53:29.759390523 +0200
+--- openssh-7.0p1/monitor.c.audit	2015-08-12 11:33:00.378914339 +0200
-+++ openssh/monitor.c	2015-06-24 11:53:29.784390459 +0200
+++ openssh-7.0p1/monitor.c	2015-08-12 11:33:00.414914283 +0200
@@ -102,6 +102,7 @@
 #include "ssh2.h"
 #include "roaming.h"
@ -1443,9 +1443,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +	return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/monitor.h.audit openssh/monitor.h
+diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h
--- openssh/monitor.h.audit	2015-06-24 11:53:29.759390523 +0200
+--- openssh-7.0p1/monitor.h.audit	2015-08-12 11:33:00.378914339 +0200
-+++ openssh/monitor.h	2015-06-24 11:53:29.785390457 +0200
+++ openssh-7.0p1/monitor.h	2015-08-12 11:33:00.414914283 +0200
@@ -69,7 +69,13 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
 	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1461,9 +1461,9 @@ diff -up openssh/monitor.h.audit openssh/monitor.h
 };
-diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
+diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c
--- openssh/monitor_wrap.c.audit	2015-06-24 11:53:29.734390587 +0200
+--- openssh-7.0p1/monitor_wrap.c.audit	2015-08-12 11:33:00.353914378 +0200
-+++ openssh/monitor_wrap.c	2015-06-24 11:53:29.785390457 +0200
+++ openssh-7.0p1/monitor_wrap.c	2015-08-12 11:33:00.414914283 +0200
@@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha
  */
@ -1500,7 +1500,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 void
 mm_send_keystate(struct monitor *monitor)
 {
-@@ -1006,10 +1019,11 @@ mm_audit_event(ssh_audit_event_t event)
+@@ -1005,10 +1018,11 @@ mm_audit_event(ssh_audit_event_t event)
 	buffer_free(&m);
 }
@ -1513,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 	debug3("%s entering command %s", __func__, command);
-@@ -1017,6 +1031,26 @@ mm_audit_run_command(const char *command
+@@ -1016,6 +1030,26 @@ mm_audit_run_command(const char *command
 	buffer_put_cstring(&m, command);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@ -1540,7 +1540,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 	buffer_free(&m);
 }
 #endif /* SSH_AUDIT_EVENTS */
-@@ -1152,3 +1186,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
+@@ -1151,3 +1185,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
 #endif /* GSSAPI */
@ -1611,9 +1611,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
+diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h
--- openssh/monitor_wrap.h.audit	2015-06-24 11:53:29.734390587 +0200
+--- openssh-7.0p1/monitor_wrap.h.audit	2015-08-12 11:33:00.353914378 +0200
-+++ openssh/monitor_wrap.h	2015-06-24 11:59:45.086430808 +0200
+++ openssh-7.0p1/monitor_wrap.h	2015-08-12 11:33:00.415914281 +0200
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
 int mm_user_key_allowed(struct passwd *, Key *, int);
 int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
@ -1638,9 +1638,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
 #endif
 struct Session;
-diff -up openssh/packet.c.audit openssh/packet.c
+diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
--- openssh/packet.c.audit	2015-06-24 11:53:29.665390763 +0200
+--- openssh-7.0p1/packet.c.audit	2015-08-12 11:33:00.288914479 +0200
-+++ openssh/packet.c	2015-06-24 11:53:29.786390454 +0200
+++ openssh-7.0p1/packet.c	2015-08-12 11:33:00.415914281 +0200
@@ -67,6 +67,7 @@
 #include "key.h"	/* typedefs XXX */
@ -1714,7 +1714,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 		if ((r = cipher_cleanup(cc)) != 0)
 			return r;
 		enc  = &state->newkeys[mode]->enc;
-@@ -2281,6 +2293,75 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh)
 	return (void *)ssh->state->output;
 }
@ -1790,7 +1790,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 /* XXX TODO update roaming to new API (does not work anyway) */
 /*
  * Save the state for the real connection, and use a separate state when
-@@ -2290,18 +2371,12 @@ void
+@@ -2301,18 +2382,12 @@ void
 ssh_packet_backup_state(struct ssh *ssh,
     struct ssh *backup_state)
 {
@ -1810,7 +1810,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 }
 /* XXX FIXME FIXME FIXME */
-@@ -2320,9 +2395,7 @@ ssh_packet_restore_state(struct ssh *ssh
+@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh
 	backup_state = ssh;
 	ssh = tmp;
 	ssh->state->connection_in = backup_state->state->connection_in;
@ -1820,7 +1820,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 	len = sshbuf_len(backup_state->state->input);
 	if (len > 0) {
 		if ((r = sshbuf_putb(ssh->state->input,
-@@ -2331,6 +2404,11 @@ ssh_packet_restore_state(struct ssh *ssh
+@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh
 		sshbuf_reset(backup_state->state->input);
 		add_recv_bytes(len);
 	}
@ -1832,9 +1832,9 @@ diff -up openssh/packet.c.audit openssh/packet.c
 }
 /* Reset after_authentication and reset compression in post-auth privsep */
-diff -up openssh/packet.h.audit openssh/packet.h
+diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h
--- openssh/packet.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/packet.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/packet.h	2015-06-24 11:53:29.786390454 +0200
+++ openssh-7.0p1/packet.h	2015-08-12 11:33:00.415914281 +0200
@@ -189,7 +189,7 @@ int	sshpkt_get_end(struct ssh *ssh);
 const u_char	*sshpkt_ptr(struct ssh *, size_t *lenp);
@ -1850,10 +1850,10 @@ diff -up openssh/packet.h.audit openssh/packet.h
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
-diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c
+diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c
--- openssh/sandbox-seccomp-filter.c.audit	2015-06-24 11:53:29.788390449 +0200
+--- openssh-7.0p1/sandbox-seccomp-filter.c.audit	2015-08-12 11:33:00.394914314 +0200
-+++ openssh/sandbox-seccomp-filter.c	2015-06-24 12:00:37.459296890 +0200
+++ openssh-7.0p1/sandbox-seccomp-filter.c	2015-08-12 11:33:00.415914281 +0200
-@@ -147,6 +147,12 @@ static const struct sock_filter preauth_
+@@ -150,6 +150,12 @@ static const struct sock_filter preauth_
 #ifdef __NR_gettimeofday
 	SC_ALLOW(gettimeofday),
 #endif
@ -1866,9 +1866,9 @@ diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c
 #ifdef __NR_madvise
 	SC_ALLOW(madvise),
 #endif
-diff -up openssh/session.c.audit openssh/session.c
+diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
--- openssh/session.c.audit	2015-06-24 11:53:29.760390520 +0200
+--- openssh-7.0p1/session.c.audit	2015-08-12 11:33:00.379914337 +0200
-+++ openssh/session.c	2015-06-24 11:53:29.786390454 +0200
+++ openssh-7.0p1/session.c	2015-08-12 11:33:00.416914280 +0200
@@ -139,7 +139,7 @@ extern int log_stderr;
 extern int debug_flag;
 extern u_int utmp_len;
@ -2022,9 +2022,9 @@ diff -up openssh/session.c.audit openssh/session.c
 -		session_destroy_all(session_pty_cleanup2);
 +		session_destroy_all(do_cleanup_one_session);
 }
-diff -up openssh/session.h.audit openssh/session.h
+diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h
--- openssh/session.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/session.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/session.h	2015-06-24 11:53:29.786390454 +0200
+++ openssh-7.0p1/session.h	2015-08-12 11:33:00.416914280 +0200
@@ -61,6 +61,12 @@ struct Session {
 		char	*name;
 		char	*val;
@ -2049,10 +2049,10 @@ diff -up openssh/session.h.audit openssh/session.h
 Session	*session_by_tty(char *);
 void	 session_close(Session *);
 void	 do_setusercontext(struct passwd *);
-diff -up openssh/sshd.c.audit openssh/sshd.c
+diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
--- openssh/sshd.c.audit	2015-06-24 11:53:29.770390495 +0200
+--- openssh-7.0p1/sshd.c.audit	2015-08-12 11:33:00.388914323 +0200
-+++ openssh/sshd.c	2015-06-24 11:53:29.787390451 +0200
+++ openssh-7.0p1/sshd.c	2015-08-12 11:33:00.417914278 +0200
-@@ -121,6 +121,7 @@
+@@ -122,6 +122,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "roaming.h"
@ -2060,7 +2060,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 #include "ssh-sandbox.h"
 #include "version.h"
 #include "ssherr.h"
-@@ -260,7 +261,7 @@ Buffer loginmsg;
+@@ -261,7 +262,7 @@ Buffer loginmsg;
 struct passwd *privsep_pw = NULL;
 /* Prototypes for various functions defined later in this file. */
@ -2069,7 +2069,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 void demote_sensitive_data(void);
 #ifdef WITH_SSH1
-@@ -281,6 +282,15 @@ close_listen_socks(void)
+@@ -282,6 +283,15 @@ close_listen_socks(void)
 	num_listen_socks = -1;
 }
@ -2085,7 +2085,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 static void
 close_startup_pipes(void)
 {
-@@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in
+@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in
 	}
 }
@ -2134,7 +2134,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 			key_free(sensitive_data.host_certificates[i]);
 			sensitive_data.host_certificates[i] = NULL;
 		}
-@@ -589,6 +622,8 @@ void
+@@ -590,6 +623,8 @@ void
 demote_sensitive_data(void)
 {
 	Key *tmp;
@ -2143,7 +2143,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	int i;
 	if (sensitive_data.server_key) {
-@@ -597,13 +632,25 @@ demote_sensitive_data(void)
+@@ -598,13 +633,25 @@ demote_sensitive_data(void)
 		sensitive_data.server_key = tmp;
 	}
@ -2169,7 +2169,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		}
 		/* Certs do not need demotion */
 	}
-@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt)
 	if (use_privsep == PRIVSEP_ON)
 		box = ssh_sandbox_init(pmonitor);
@ -2178,7 +2178,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	if (pid == -1) {
 		fatal("fork of unprivileged child failed");
 	} else if (pid != 0) {
-@@ -759,6 +806,12 @@ privsep_postauth(Authctxt *authctxt)
+@@ -760,6 +807,12 @@ privsep_postauth(Authctxt *authctxt)
 	else if (pmonitor->m_pid != 0) {
 		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
 		buffer_clear(&loginmsg);
@ -2191,7 +2191,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		monitor_child_postauth(pmonitor);
 		/* NEVERREACHED */
-@@ -1288,6 +1341,7 @@ server_accept_loop(int *sock_in, int *so
+@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so
 		if (received_sigterm) {
 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
@ -2199,7 +2199,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 			close_listen_socks();
 			if (options.pid_file != NULL)
 				unlink(options.pid_file);
-@@ -2251,6 +2305,7 @@ main(int ac, char **av)
+@@ -2255,6 +2309,7 @@ main(int ac, char **av)
 	 */
 	if (use_privsep) {
 		mm_send_keystate(pmonitor);
@ -2207,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		exit(0);
 	}
-@@ -2296,7 +2351,7 @@ main(int ac, char **av)
+@@ -2300,7 +2355,7 @@ main(int ac, char **av)
 		privsep_postauth(authctxt);
 		/* the monitor process [priv] will not return */
 		if (!compat20)
@ -2216,7 +2216,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	}
 	packet_set_timeout(options.client_alive_interval,
-@@ -2310,6 +2365,9 @@ main(int ac, char **av)
+@@ -2314,6 +2369,9 @@ main(int ac, char **av)
 	do_authenticated(authctxt);
 	/* The connection has been terminated. */
@ -2226,7 +2226,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	packet_get_bytes(&ibytes, &obytes);
 	verbose("Transferred: sent %llu, received %llu bytes",
 	    (unsigned long long)obytes, (unsigned long long)ibytes);
-@@ -2470,6 +2528,10 @@ do_ssh1_kex(void)
+@@ -2474,6 +2532,10 @@ do_ssh1_kex(void)
 		if (cookie[i] != packet_get_char())
 			packet_disconnect("IP Spoofing check bytes do not match.");
@ -2237,7 +2237,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	debug("Encryption type: %.200s", cipher_name(cipher_type));
 	/* Get the encrypted integer. */
-@@ -2529,7 +2591,7 @@ do_ssh1_kex(void)
+@@ -2533,7 +2595,7 @@ do_ssh1_kex(void)
 	}
 	/* Destroy the private and public keys. No longer. */
@ -2246,7 +2246,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	if (use_privsep)
 		mm_ssh1_session_id(session_id);
-@@ -2712,6 +2774,16 @@ do_ssh2_kex(void)
+@@ -2705,6 +2767,16 @@ do_ssh2_kex(void)
 void
 cleanup_exit(int i)
 {
@ -2263,7 +2263,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	if (the_authctxt) {
 		do_cleanup(the_authctxt);
 		if (use_privsep && privsep_is_preauth &&
-@@ -2723,9 +2795,14 @@ cleanup_exit(int i)
+@@ -2716,9 +2788,14 @@ cleanup_exit(int i)
 				    pmonitor->m_pid, strerror(errno));
 		}
 	}
@ -2279,22 +2279,20 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		audit_event(SSH_CONNECTION_ABANDON);
 #endif
 	_exit(i);
-diff -up openssh/sshkey.c.audit openssh/sshkey.c
+diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c
--- openssh/sshkey.c.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/sshkey.c.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/sshkey.c	2015-06-24 11:53:29.787390451 +0200
+++ openssh-7.0p1/sshkey.c	2015-08-12 11:33:00.417914278 +0200
-@@ -317,6 +317,33 @@ sshkey_type_is_valid_ca(int type)
+@@ -299,6 +299,31 @@ sshkey_type_is_valid_ca(int type)
 }
 int
 +sshkey_is_private(const struct sshkey *k)
 +{
 +      switch (k->type) {
 +      case KEY_RSA_CERT_V00:
 +      case KEY_RSA_CERT:
 +      case KEY_RSA1:
 +      case KEY_RSA:
 +              return k->rsa->d != NULL;
 +      case KEY_DSA_CERT_V00:
 +      case KEY_DSA_CERT:
 +      case KEY_DSA:
 +              return k->dsa->priv_key != NULL;
@ -2316,10 +2314,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c
 sshkey_is_cert(const struct sshkey *k)
 {
 	if (k == NULL)
-diff -up openssh/sshkey.h.audit openssh/sshkey.h
+diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h
--- openssh/sshkey.h.audit	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/sshkey.h.audit	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/sshkey.h	2015-06-24 11:53:29.787390451 +0200
+++ openssh-7.0p1/sshkey.h	2015-08-12 11:33:00.417914278 +0200
-@@ -134,6 +134,7 @@ u_int		 sshkey_size(const struct sshkey
+@@ -132,6 +132,7 @@ u_int		 sshkey_size(const struct sshkey
 int		 sshkey_generate(int type, u_int bits, struct sshkey **keyp);
 int		 sshkey_from_private(const struct sshkey *, struct sshkey **);
 int	 sshkey_type_from_name(const char *);
--- a/openssh-6.7p1-fips.patch
+++ b/openssh-6.7p1-fips.patch
@ -1,6 +1,6 @@
-diff -up openssh/cipher.c.fips openssh/cipher.c
+diff -up openssh-7.0p1/cipher.c.fips openssh-7.0p1/cipher.c
--- openssh/cipher.c.fips	2015-06-24 12:00:58.730242500 +0200
+--- openssh-7.0p1/cipher.c.fips	2015-08-12 11:34:11.722803020 +0200
-+++ openssh/cipher.c	2015-06-24 12:00:58.737242482 +0200
+++ openssh-7.0p1/cipher.c	2015-08-12 11:34:11.733803003 +0200
@@ -39,6 +39,8 @@
 #include <sys/types.h>
@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c
 		if (strcasecmp(c->name, name) == 0)
 			return c->number;
 	return -1;
-diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
+diff -up openssh-7.0p1/cipher-ctr.c.fips openssh-7.0p1/cipher-ctr.c
--- openssh/cipher-ctr.c.fips	2015-06-24 12:00:58.669242656 +0200
+--- openssh-7.0p1/cipher-ctr.c.fips	2015-08-12 11:34:11.650803133 +0200
-+++ openssh/cipher-ctr.c	2015-06-24 12:00:58.736242484 +0200
+++ openssh-7.0p1/cipher-ctr.c	2015-08-12 11:34:11.734803002 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-diff -up openssh/dh.h.fips openssh/dh.h
+diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h
--- openssh/dh.h.fips	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/dh.h.fips	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/dh.h	2015-06-24 12:00:58.737242482 +0200
+++ openssh-7.0p1/dh.h	2015-08-12 11:34:11.734803002 +0200
@@ -46,6 +46,7 @@ u_int	 dh_estimate(int);
 /* Min and max values from RFC4419. */
@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h
 #define DH_GRP_MAX	8192
 /*
-diff -up openssh/entropy.c.fips openssh/entropy.c
+diff -up openssh-7.0p1/entropy.c.fips openssh-7.0p1/entropy.c
--- openssh/entropy.c.fips	2015-06-24 12:00:58.662242674 +0200
+--- openssh-7.0p1/entropy.c.fips	2015-08-12 11:34:11.643803144 +0200
-+++ openssh/entropy.c	2015-06-24 12:00:58.737242482 +0200
+++ openssh-7.0p1/entropy.c	2015-08-12 11:34:11.734803002 +0200
@@ -217,6 +217,9 @@ seed_rng(void)
 		fatal("OpenSSL version mismatch. Built against %lx, you "
 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c
 #ifndef OPENSSL_PRNG_ONLY
 	if (RAND_status() == 1) {
 		debug3("RNG is ready, skipping seeding");
-diff -up openssh/kex.c.fips openssh/kex.c
+diff -up openssh-7.0p1/kex.c.fips openssh-7.0p1/kex.c
--- openssh/kex.c.fips	2015-06-24 12:00:58.730242500 +0200
+--- openssh-7.0p1/kex.c.fips	2015-08-12 11:34:11.723803019 +0200
-+++ openssh/kex.c	2015-06-24 12:00:58.737242482 +0200
+++ openssh-7.0p1/kex.c	2015-08-12 11:34:11.734803002 +0200
@@ -35,6 +35,7 @@
 #ifdef WITH_OPENSSL
@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c
 			free(s);
 			return 0;
 		}
-diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
+diff -up openssh-7.0p1/kexgexc.c.fips openssh-7.0p1/kexgexc.c
--- openssh/kexgexc.c.fips	2015-06-24 12:00:58.737242482 +0200
+--- openssh-7.0p1/kexgexc.c.fips	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/kexgexc.c	2015-06-24 12:02:26.996015709 +0200
+++ openssh-7.0p1/kexgexc.c	2015-08-12 11:34:11.734803002 +0200
@@ -28,6 +28,7 @@
 #ifdef WITH_OPENSSL
@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
 	kex->max = DH_GRP_MAX;
 	kex->nbits = nbits;
 	if (datafellows & SSH_BUG_DHGEX_LARGE)
-diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
+diff -up openssh-7.0p1/kexgexs.c.fips openssh-7.0p1/kexgexs.c
--- openssh/kexgexs.c.fips	2015-06-24 12:00:58.738242479 +0200
+--- openssh-7.0p1/kexgexs.c.fips	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/kexgexs.c	2015-06-24 13:48:23.735320199 +0200
+++ openssh-7.0p1/kexgexs.c	2015-08-12 11:34:11.735803000 +0200
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
 	    (r = sshpkt_get_end(ssh)) != 0)
 		goto out;
@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
 	nbits = MIN(DH_GRP_MAX, nbits);
 	if (kex->max < kex->min || kex->nbits < kex->min ||
-diff -up openssh/mac.c.fips openssh/mac.c
+diff -up openssh-7.0p1/mac.c.fips openssh-7.0p1/mac.c
--- openssh/mac.c.fips	2015-06-24 12:00:58.731242497 +0200
+--- openssh-7.0p1/mac.c.fips	2015-08-12 11:34:11.725803016 +0200
-+++ openssh/mac.c	2015-06-24 12:00:58.738242479 +0200
+++ openssh-7.0p1/mac.c	2015-08-12 11:34:11.735803000 +0200
@@ -27,6 +27,8 @@
 #include <sys/types.h>
@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c
 		if (strcmp(name, m->name) != 0)
 			continue;
 		if (mac != NULL)
-diff -up openssh/Makefile.in.fips openssh/Makefile.in
+diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in
--- openssh/Makefile.in.fips	2015-06-24 12:00:58.731242497 +0200
+--- openssh-7.0p1/Makefile.in.fips	2015-08-12 11:34:11.725803016 +0200
-+++ openssh/Makefile.in	2015-06-24 12:00:58.736242484 +0200
+++ openssh-7.0p1/Makefile.in	2015-08-12 11:34:11.735803000 +0200
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
@ -314,10 +314,10 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh/myproposal.h.fips openssh/myproposal.h
+diff -up openssh-7.0p1/myproposal.h.fips openssh-7.0p1/myproposal.h
--- openssh/myproposal.h.fips	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/myproposal.h.fips	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/myproposal.h	2015-06-24 12:00:58.738242479 +0200
+++ openssh-7.0p1/myproposal.h	2015-08-12 11:34:11.735803000 +0200
-@@ -143,6 +143,28 @@
+@@ -138,6 +138,28 @@
 	"hmac-sha1-96," \
 	"hmac-md5-96"
@ -346,10 +346,45 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h
 #else
 #define KEX_SERVER_KEX		\
-diff -up openssh/servconf.c.fips openssh/servconf.c
+diff -up openssh-7.0p1/readconf.c.fips openssh-7.0p1/readconf.c
--- openssh/servconf.c.fips	2015-06-24 12:00:58.726242510 +0200
+--- openssh-7.0p1/readconf.c.fips	2015-08-12 14:37:39.206466634 +0200
-+++ openssh/servconf.c	2015-06-24 13:49:40.164085648 +0200
+++ openssh-7.0p1/readconf.c	2015-08-12 14:47:00.342350208 +0200
-@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
+@@ -1897,9 +1897,12 @@ fill_default_options(Options * options)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
 -	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
 -	    kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
 -	    kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
 +	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
 +	        : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
 +	        : KEX_CLIENT_MAC), &options->macs) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
 +	        : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &options->hostbased_key_types) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 diff -up openssh-7.0p1/servconf.c.fips openssh-7.0p1/servconf.c
 --- openssh-7.0p1/servconf.c.fips	2015-08-12 11:34:11.714803033 +0200
 +++ openssh-7.0p1/servconf.c	2015-08-12 14:50:14.608951396 +0200
@@ -357,9 +357,12 @@ fill_default_server_options(ServerOption
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
 -	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
 -	    kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
 -	    kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
 +	if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
 +	        : KEX_SERVER_ENCRYPT), &options->ciphers) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
 +	        : KEX_SERVER_MAC), &options->macs) != 0 ||
 +	    kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
 +	        : KEX_SERVER_KEX), &options->kex_algorithms) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &options->hostbased_key_types) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
@@ -2336,8 +2339,10 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -362,7 +397,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
 	dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
+@@ -2352,8 +2357,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@ -372,10 +407,10 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
 +		FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
- 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
+ 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
-diff -up openssh/ssh.c.fips openssh/ssh.c
+diff -up openssh-7.0p1/ssh.c.fips openssh-7.0p1/ssh.c
--- openssh/ssh.c.fips	2015-06-23 02:34:47.000000000 +0200
+--- openssh-7.0p1/ssh.c.fips	2015-08-11 10:57:29.000000000 +0200
-+++ openssh/ssh.c	2015-06-24 12:00:58.738242479 +0200
+++ openssh-7.0p1/ssh.c	2015-08-12 11:34:11.736802999 +0200
@@ -75,6 +75,8 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -385,7 +420,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -521,6 +523,14 @@ main(int ac, char **av)
+@@ -522,6 +524,14 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
@ -400,7 +435,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
-@@ -598,6 +608,9 @@ main(int ac, char **av)
+@@ -599,6 +609,9 @@ main(int ac, char **av)
 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
@ -410,7 +445,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -939,7 +952,6 @@ main(int ac, char **av)
+@@ -940,7 +953,6 @@ main(int ac, char **av)
 	host_arg = xstrdup(host);
 #ifdef WITH_OPENSSL
@ -418,7 +453,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 	ERR_load_crypto_strings();
 #endif
-@@ -1113,6 +1125,10 @@ main(int ac, char **av)
+@@ -1114,6 +1126,10 @@ main(int ac, char **av)
 	seed_rng();
@ -429,7 +464,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -1190,6 +1206,12 @@ main(int ac, char **av)
+@@ -1191,6 +1207,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -442,10 +477,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, addrs, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts,
-diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
+diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c
--- openssh/sshconnect2.c.fips	2015-06-24 12:00:58.698242582 +0200
+--- openssh-7.0p1/sshconnect2.c.fips	2015-08-12 11:34:11.678803089 +0200
-+++ openssh/sshconnect2.c	2015-06-24 12:00:58.739242477 +0200
+++ openssh-7.0p1/sshconnect2.c	2015-08-12 11:34:11.737802997 +0200
-@@ -46,6 +46,8 @@
+@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -454,7 +489,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
-@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -170,20 +172,25 @@ ssh_kex2(char *host, struct sockaddr *ho
 #ifdef GSSAPI
 	if (options.gss_keyex) {
@ -494,45 +529,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
 		}
 	}
 #endif
-@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
+diff -up openssh-7.0p1/sshd.c.fips openssh-7.0p1/sshd.c
- 	if (options.ciphers != NULL) {
+--- openssh-7.0p1/sshd.c.fips	2015-08-12 11:34:11.729803010 +0200
- 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+++ openssh-7.0p1/sshd.c	2015-08-12 11:34:11.738802995 +0200
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
 +	} else if (FIPS_mode()) {
 +		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
 +
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 +	} else if (FIPS_mode()) {
 +		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
 	}
 +
 	if (options.hostkeyalgorithms != NULL)
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(options.hostkeyalgorithms);
@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	else if (FIPS_mode())
 +		myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
 +
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 	    myproposal[PROPOSAL_KEX_ALGS]);
 -
 #ifdef GSSAPI
 	/* If we've got GSSAPI algorithms, then we also support the
 	 * 'null' hostkey, as a last resort */
 diff -up openssh/sshd.c.fips openssh/sshd.c
 --- openssh/sshd.c.fips	2015-06-24 12:00:58.734242489 +0200
 +++ openssh/sshd.c	2015-06-24 12:00:58.739242477 +0200
@@ -66,6 +66,7 @@
 #include <grp.h>
 #include <pwd.h>
@ -550,7 +549,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #endif
-@@ -1548,6 +1551,18 @@ main(int ac, char **av)
+@@ -1552,6 +1555,18 @@ main(int ac, char **av)
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -569,7 +568,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	rexec_argc = ac;
-@@ -1700,7 +1715,7 @@ main(int ac, char **av)
+@@ -1704,7 +1719,7 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -578,7 +577,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 	OpenSSL_add_all_algorithms();
 #endif
-@@ -1901,6 +1916,10 @@ main(int ac, char **av)
+@@ -1905,6 +1920,10 @@ main(int ac, char **av)
 		    sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
 		free(fp);
 	}
@ -589,7 +588,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -2069,6 +2088,10 @@ main(int ac, char **av)
+@@ -2073,6 +2092,10 @@ main(int ac, char **av)
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -600,36 +599,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	if (chdir("/") == -1)
-@@ -2654,6 +2677,9 @@ do_ssh2_kex(void)
+@@ -2692,10 +2715,14 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
 +	} else if (FIPS_mode()) {
 +		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2663,6 +2689,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 +	} else if (FIPS_mode()) {
 +		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2673,6 +2702,8 @@ do_ssh2_kex(void)
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	else if (FIPS_mode())
 +		myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 	    myproposal[PROPOSAL_KEX_ALGS]);
@@ -2699,10 +2730,14 @@ do_ssh2_kex(void)
 	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
 		orig = NULL;
@ -648,9 +618,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
 	if (gss && orig)
 		xasprintf(&newstr, "%s,%s", gss, orig);
-diff -up openssh/sshkey.c.fips openssh/sshkey.c
+diff -up openssh-7.0p1/sshkey.c.fips openssh-7.0p1/sshkey.c
--- openssh/sshkey.c.fips	2015-06-24 12:00:58.735242487 +0200
+--- openssh-7.0p1/sshkey.c.fips	2015-08-12 11:34:11.729803010 +0200
-+++ openssh/sshkey.c	2015-06-24 12:00:58.740242474 +0200
+++ openssh-7.0p1/sshkey.c	2015-08-12 11:34:11.738802995 +0200
@@ -35,6 +35,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -659,7 +629,7 @@ diff -up openssh/sshkey.c.fips openssh/sshkey.c
 #endif
 #include "crypto_api.h"
-@@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
+@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
--- a/openssh-6.9p1-authentication-limits-bypass.patch
+++ b/openssh-6.9p1-authentication-limits-bypass.patch
@ -1,47 +0,0 @@
 From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sat, 18 Jul 2015 07:57:14 +0000
 Subject: upstream commit
 only query each keyboard-interactive device once per
 authentication request regardless of how many times it is listed; ok markus@
 Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
 ---
 auth2-chall.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
 diff --git a/auth2-chall.c b/auth2-chall.c
 index ddabe1a..4aff09d 100644
 --- a/auth2-chall.c
 +++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
 	void *ctxt;
 	KbdintDevice *device;
 	u_int nreq;
 +	u_int devices_done;
 };
 #ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
 -			if (!auth2_method_allowed(authctxt,
 +			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
 +			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
 -			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
 +			if (strncmp(kbdintctxt->devices, devices[i]->name,
 +			    len) == 0) {
 				kbdintctxt->device = devices[i];
 +				kbdintctxt->devices_done |= 1 << i;
 +			}
 		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
 -- 
 cgit v0.11.2
--- a/openssh-6.9p1-permit-root-login.patch
+++ b/openssh-6.9p1-permit-root-login.patch
@ -1,27 +1,12 @@
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
-index c9042ac..cf7d8e1 100644
+--- openssh-7.0p1/sshd_config.root-login	2015-08-12 11:29:12.919269245 +0200
--- a/sshd_config
+++ openssh-7.0p1/sshd_config	2015-08-12 11:31:03.653096466 +0200
-+++ b/sshd_config
+@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
@@ -41,7 +41,7 @@
 # Authentication:
 #LoginGraceTime 2m
-#PermitRootLogin no
+-#PermitRootLogin prohibit-password
-+#PermitRootLogin yes
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 diff --git a/sshd_config.5 b/sshd_config.5
 index 2bc9360..d3148c2 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
@@ -1093,7 +1093,7 @@ The argument must be
 or
 .Dq no .
 The default is
 -.Dq no .
 +.Dq yes .
 .Pp
 If this option is set to
 .Dq without-password ,
--- a/openssh.spec
+++ b/openssh.spec
@ -65,10 +65,10 @@
 %endif
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.9p1
+%define openssh_ver 7.0p1
-%define openssh_rel 4
+%define openssh_rel 1
 %define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 6
+%define pam_ssh_agent_rel 7
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@ -223,8 +223,6 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
 Patch928: openssh-6.8p1-memory-problems.patch
 # Restore compatible default (#89216)
 Patch929: openssh-6.9p1-permit-root-login.patch
 # authentication limits (MaxAuthTries) bypass [security] (#1245971)
 Patch930: openssh-6.9p1-authentication-limits-bypass.patch
 # Handle terminal control characters in scp progressmeter (#1247204)
 Patch931: openssh-6.9p1-scp-progressmeter.patch
@ -462,7 +460,6 @@ popd
 %patch926 -p1 -b .sftp-force-mode
 %patch928 -p1 -b .memory
 %patch929 -p1 -b .root-login
 %patch930 -p1 -b .kbd
 %patch931 -p1 -b .progressmeter
 %patch200 -p1 -b .audit
@ -810,6 +807,13 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
 * Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3.7
 - New upstream release (#1252639)
 - Fix pam_ssh_agent_auth package (#1251777)
 - Security: Use-after-free bug related to PAM support (#1252853)
 - Security: Privilege separation weakness related to PAM support (#1252854)
 - Security: Incorrectly set TTYs to be world-writable (#1252862)
 * Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
 - Handle terminal control characters in scp progressmeter (#1247204)