[gsi-openssh/f20] Based on openssh-6.4p1-8.fc20

Mattias Ellert ellert at fedoraproject.org
Thu Jan 15 21:03:20 UTC 2015


commit ad74d68b5933003c5fafc8513aba1d5d8f341a18
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date:   Thu Jan 15 21:48:15 2015 +0100

    Based on openssh-6.4p1-8.fc20

 gsi-openssh.spec                                   |   23 ++-
 gsisshd.service                                    |    1 +
 gsisshd.socket                                     |    1 +
 gsisshd at .service                                   |    1 +
 openssh-6.3p1-ldap.patch                           |    4 +-
 openssh-6.4p1-GSSAPIEnablek5users.patch            |  137 ++++++++++++
 openssh-6.4p1-audit.patch                          |    2 +-
 openssh-6.4p1-cisco-dh-keys.patch                  |   67 ++++++
 openssh-6.4p1-gsissh.patch                         |  229 ++++++++++----------
 openssh-6.4p1-ip-port-config-parser.patch          |   24 ++
 openssh-6.4p1-scp-non-existing-directory.patch     |   14 ++
 ...6.4p1-sftp-symlink-prepend-relative-links.patch |   15 ++
 12 files changed, 400 insertions(+), 118 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 0cf6ff1..3705c3e 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -122,6 +122,9 @@ Patch713: openssh-6.3p1-ctr-cavstest.patch
 Patch800: openssh-6.3p1-gsskex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.3p1-force_krb.patch
+# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
+# CVE-2014-9278
+Patch802: openssh-6.4p1-GSSAPIEnablek5users.patch
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
 Patch901: openssh-6.4p1-kuserok.patch
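Review bot: No Release bump accompanies the new Patch802 line that carries the CVE-2014-9278 fix: the diffstat shows only these additions to gsi-openssh.spec, and the new %changelog entry further down reuses `6.4p1-5`, the same NVR as the 24 Nov 2014 entry, so the rebuilt package would be indistinguishable from the one already shipped unless Release is bumped in a follow-up. I would bump Release and make the changelog header `6.4p1-6` (or whatever the next release is), and name the fix in the changelog line itself, e.g. `- Based on openssh-6.4p1-8.fc20 (fixes CVE-2014-9278, #1169843)`, so the advisory is traceable from `rpm -q --changelog`. The `#1169843` reference in the comment above Patch802 is good; keep it.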
@@ -160,6 +163,14 @@ Patch914: openssh-6.4p1-servconf-parser.patch
 # Ignore SIGXFSZ in postauth monitor
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2263
 Patch915: openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
+# use different values for DH for Cisco servers (#1026430)
+Patch916: openssh-6.4p1-cisco-dh-keys.patch
+# sftp: remote directory always prepended to relative symbolic links (#825538)
+Patch917: openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
+# scp file into non-existing directory (#1142223)
+Patch918: openssh-6.4p1-scp-non-existing-directory.patch
+# Config parser shouldn't accept ip/port syntax (#1130733)
+Patch919: openssh-6.4p1-ip-port-config-parser.patch
 
 # This is the patch that adds GSI support
 # Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.4p1.patch
@@ -321,6 +332,11 @@ This version of OpenSSH has been modified to support GSI authentication.
 %patch913 -p1 -b .partial-success
 %patch914 -p1 -b .servconf
 %patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .cisco-dh
+%patch917 -p1 -b .sftp
+%patch918 -p1 -b .scp
+%patch919 -p1 -b .config
+%patch802 -p1 -b .GSSAPIEnablek5users
 
 %patch98 -p1 -b .gsi
 
@@ -369,7 +385,7 @@ fi
 	--with-default-path=/usr/local/bin:/usr/bin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/gsisshd \
-	--enable-vendor-patchlevel="FC-%{version}-%{release}" \
+	--enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
 	--disable-strip \
 	--without-zlib-version-check \
 	--with-ssl-engine \
@@ -478,7 +494,7 @@ getent passwd sshd >/dev/null || \
 %systemd_preun gsisshd.service gsisshd.socket
 
 %postun server
-%systemd_postun_with_restart gsisshd.service gsisshd.socket
+%systemd_postun_with_restart gsisshd.service
 
 %triggerun server -- gsi-openssh-server < 5.8p2-1
 /usr/bin/systemd-sysv-convert --save gsisshd >/dev/null 2>&1 || :
@@ -534,6 +550,9 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
 
 %changelog
+* Thu Jan 15 2015 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.4p1-5
+- Based on openssh-6.4p1-8.fc20
+
 * Mon Nov 24 2014 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.4p1-5
 - Based on openssh-6.4p1-6.fc20
 
diff --git a/gsisshd.service b/gsisshd.service
index 2d685f9..d381a8d 100644
--- a/gsisshd.service
+++ b/gsisshd.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=gsissh server daemon
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
 After=syslog.target network.target auditd.service
 
 [Service]
diff --git a/gsisshd.socket b/gsisshd.socket
index eb295f5..28e40d1 100644
--- a/gsisshd.socket
+++ b/gsisshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Description=gsissh Server Socket
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
 Conflicts=gsisshd.service
 
 [Socket]
diff --git a/gsisshd at .service b/gsisshd at .service
index 2030d9f..c160bfd 100644
--- a/gsisshd at .service
+++ b/gsisshd at .service
@@ -1,5 +1,6 @@
 [Unit]
 Description=gsissh per-connection server daemon
+Documentation=man:gsisshd(8) man:gsisshd_config(5)
 Wants=gsisshd-keygen.service
 After=auditd.service gsisshd-keygen.service
 
diff --git a/openssh-6.3p1-ldap.patch b/openssh-6.3p1-ldap.patch
index 052973c..bc5331e 100644
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@@ -761,7 +761,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +
 --- openssh-6.4p1/ldapconf.c.ldap	2013-11-26 10:31:03.513794385 +0100
 +++ openssh-6.4p1/ldapconf.c	2013-11-26 10:38:15.474635149 +0100
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,722 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1078,6 +1078,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +		else
 +			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
 +		if (*intptr == -1)
++			*intptr = value;
 +		break;
 +
 +	case lSSLPath:
@@ -1142,6 +1143,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +		else
 +			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
 +		if (*intptr == -1)
++			*intptr = value;
 +		break;
 +
 +	case lTLS_CaCertFile:
diff --git a/openssh-6.4p1-GSSAPIEnablek5users.patch b/openssh-6.4p1-GSSAPIEnablek5users.patch
new file mode 100644
index 0000000..d450f69
--- /dev/null
+++ b/openssh-6.4p1-GSSAPIEnablek5users.patch
@@ -0,0 +1,137 @@
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 0a4930e..a7c0c5f 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ 	FILE *fp;
+ 	char file[MAXPATHLEN];
+ 	char line[BUFSIZ];
+-	char kuser[65]; /* match krb5_kuserok() */
+ 	struct stat st;
+ 	struct passwd *pw = the_authctxt->pw;
+ 	int found_principal = 0;
+@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ 
+ 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ 	/* If both .k5login and .k5users DNE, self-login is ok. */
+-	if (!k5login_exists && (access(file, F_OK) == -1)) {
++	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
+                 return ssh_krb5_kuserok(krb_context, principal, luser,
+                                         k5login_exists);
+ 	}
+diff --git a/servconf.c b/servconf.c
+index d482e79..ad5869b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
+ 	options->ip_qos_bulk = -1;
+ 	options->version_addendum = NULL;
+ 	options->use_kuserok = -1;
++	options->enable_k5users = -1;
+ }
+ 
+ void
+@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
+ 		options->show_patchlevel = 0;
+ 	if (options->use_kuserok == -1)
+ 		options->use_kuserok = 1;
++	if (options->enable_k5users == -1)
++		options->enable_k5users = 0;
+ 
+ 	/* Turn privilege separation on by default */
+ 	if (use_privsep == -1)
+@@ -356,7 +359,7 @@ typedef enum {
+ 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sClientAliveCountMax, sAuthorizedKeysFile,
+-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
+ 	sGssKeyEx, sGssStoreRekey,
+ 	sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+@@ -430,6 +433,7 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
++	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+@@ -437,6 +441,7 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
++	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ #endif
+ 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		intptr = &options->use_kuserok;
+ 		goto parse_flag;
+ 
++	case sGssEnablek5users:
++		intptr = &options->enable_k5users;
++		goto parse_flag;
++
+ 	case sPermitOpen:
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ 	M_CP_INTOPT(ip_qos_interactive);
+ 	M_CP_INTOPT(ip_qos_bulk);
+ 	M_CP_INTOPT(use_kuserok);
++	M_CP_INTOPT(enable_k5users);
+ 	M_CP_INTOPT(rekey_limit);
+ 	M_CP_INTOPT(rekey_interval);
+ 
+@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
++	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ 
+ 	/* string arguments */
+ 	dump_cfg_string(sPidFile, o->pid_file);
+diff --git a/servconf.h b/servconf.h
+index 5117dfa..d63cb71 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -173,7 +173,8 @@ typedef struct {
+ 
+ 	int	num_permitted_opens;
+ 
+-	int	use_kuserok;
++	int		use_kuserok;
++	int		enable_k5users;
+ 	char   *chroot_directory;
+ 	char   *revoked_keys_file;
+ 	char   *trusted_user_ca_keys;
+diff --git a/sshd_config b/sshd_config
+index 43671f6..6ab00ed 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials no
+ #GSSAPIStrictAcceptorCheck yes
+ #GSSAPIKeyExchange no
++#GSSAPIEnablek5users no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing, 
+ # and session processing. If this is enabled, PAM authentication will 
+diff --git a/sshd_config.5 b/sshd_config.5
+index e0e5fff..aa9525d 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -505,6 +505,12 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIEnablek5users
++Specifies whether to look at .k5users file for GSSAPI authentication
++access control. Further details are described in
++.Xr ksu 1 .
++The default is
++.Dq no .
+ .It Cm GSSAPIStrictAcceptorCheck
+ Determines whether to be strict about the identity of the GSSAPI acceptor 
+ a client authenticates against. If
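Review bot: The comment above the new condition in ssh_gssapi_krb5_cmdok() is now stale: it still reads `If both .k5login and .k5users DNE, self-login is ok.`, but the `!options.enable_k5users` test placed in front of it sends every login through ssh_krb5_kuserok() regardless of which files exist, so a reader will misjudge what is being decided here. I would rewrite it as `/* Fall back to krb5_kuserok() when .k5users support is disabled (the default), or when neither .k5login nor .k5users exists. */`. Because `gssapienablek5users` is registered as SSHCFG_ALL and copied in copy_set_server_options(), it can be turned back on inside a Match block; the sshd_config.5 entry should say that, and should say why the default is `no` (a .k5users entry lets another principal log in to this account, which is what CVE-2014-9278 is about) rather than only pointing at ksu(1). The new line also has a stray space after the opening parenthesis, `if ( !options.enable_k5users`, unlike the surrounding code. ssh_gssapi_krb5_cmdok() begins and ends outside the hunk.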
diff --git a/openssh-6.4p1-audit.patch b/openssh-6.4p1-audit.patch
index c1e7dfd..4ea6ea5 100644
--- a/openssh-6.4p1-audit.patch
+++ b/openssh-6.4p1-audit.patch
@@ -110,7 +110,7 @@ index b3ee2f4..946f7fa 100644
 +#include "packet.h"
 +#include "cipher.h"
  
-+#define AUDIT_LOG_SIZE 128
++#define AUDIT_LOG_SIZE 256
 +
 +extern ServerOptions options;
 +extern Authctxt *the_authctxt;
diff --git a/openssh-6.4p1-cisco-dh-keys.patch b/openssh-6.4p1-cisco-dh-keys.patch
new file mode 100644
index 0000000..9da99a4
--- /dev/null
+++ b/openssh-6.4p1-cisco-dh-keys.patch
@@ -0,0 +1,67 @@
+diff -up openssh-6.4p1/compat.c.cisco-dh openssh-6.4p1/compat.c
+--- openssh-6.4p1/compat.c.cisco-dh	2013-06-01 23:31:18.000000000 +0200
++++ openssh-6.4p1/compat.c	2014-12-04 13:28:03.717787655 +0100
+@@ -164,6 +164,7 @@ compat_datafellows(const char *version)
+ 					SSH_BUG_SCANNER },
+ 		{ "Probe-*",
+ 					SSH_BUG_PROBE },
++		{ "Cisco-*",		SSH_BUG_MAX4096DH },
+ 		{ NULL,			0 }
+ 	};
+ 
+diff -up openssh-6.4p1/compat.h.cisco-dh openssh-6.4p1/compat.h
+--- openssh-6.4p1/compat.h.cisco-dh	2014-12-04 13:28:03.717787655 +0100
++++ openssh-6.4p1/compat.h	2014-12-04 13:28:36.579658095 +0100
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR	0x02000000
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
++#define SSH_BUG_MAX4096DH       0x20000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+diff -up openssh-6.4p1/kexgexc.c.cisco-dh openssh-6.4p1/kexgexc.c
+--- openssh-6.4p1/kexgexc.c.cisco-dh	2014-12-04 13:28:03.717787655 +0100
++++ openssh-6.4p1/kexgexc.c	2014-12-04 13:31:03.270079756 +0100
+@@ -60,20 +60,36 @@ kexgex_client(Kex *kex)
+ 	int min, max, nbits;
+ 	DH *dh;
+ 
++	min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
++	max = DH_GRP_MAX;
++
++	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
++ 	 * We need to also ensure that min < nbits < max */
++
++	if (datafellows & SSH_BUG_MAX4096DH) {
++		/* The largest min for these servers is 4096 */
++		min = MIN(min, 4096);
++	}
++
+ 	nbits = dh_estimate(kex->we_need * 8);
++	nbits = MIN(nbits, max);
++	nbits = MAX(nbits, min);
++
++	if (datafellows & SSH_BUG_MAX4096DH) {
++		/* Cannot have a nbits > 4096 for these servers */
++		nbits = MIN(nbits, 4096);
++		/* nbits has to be powers of two */
++		if (nbits == 3072)
++			nbits = 4096;
++	}
+ 
+ 	if (datafellows & SSH_OLD_DHGEX) {
+ 		/* Old GEX request */
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+ 		packet_put_int(nbits);
+-		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+-
+ 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
+ 	} else {
+ 		/* New GEX request */
+-		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
+ 		packet_put_int(min);
+ 		packet_put_int(nbits);
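Review bot: The `nbits has to be powers of two` comment in kexgex_client() promises more than the code under it delivers: only 3072 is rewritten, so the claim holds only if dh_estimate() never returns another non-power-of-two at or below 4096 (in this tree it appears to yield 2048/3072/7680/8192, but that function is not visible here). I would make the comment state that dependency, e.g. `/* These servers only accept power-of-two sizes; dh_estimate() yields 2048/3072/7680/8192, so after the 4096 cap only 3072 needs rounding up. */`, or round generically so a later change to dh_estimate() cannot silently send a size the peer rejects. `min = MIN(min, 4096)` looks like a no-op, since neither DH_GRP_MIN nor DH_GRP_MIN_FIPS should exceed 4096, and its comment (`The largest min for these servers is 4096`) reads as if it described the server; either drop it or label it as defensive. Worth stating in the comment, too, that the cap lowers only the client's preferred size and that `min` is still sent unchanged, so, assuming the range check on the server-supplied group later in kexgex_client() (past this hunk) is untouched, a Cisco peer cannot use this quirk to push the client below `min`. There is also a stray leading space on the second line of the block comment (` 	 * We need`).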
diff --git a/openssh-6.4p1-gsissh.patch b/openssh-6.4p1-gsissh.patch
index 0e23d7f..717b3a1 100644
--- a/openssh-6.4p1-gsissh.patch
+++ b/openssh-6.4p1-gsissh.patch
@@ -1,6 +1,6 @@
 diff -Nur openssh-6.4p1.orig/auth2.c openssh-6.4p1/auth2.c
---- openssh-6.4p1.orig/auth2.c	2013-11-26 14:25:47.969371747 +0100
-+++ openssh-6.4p1/auth2.c	2013-11-26 14:26:35.169803216 +0100
+--- openssh-6.4p1.orig/auth2.c	2015-01-15 21:21:22.097268760 +0100
++++ openssh-6.4p1/auth2.c	2015-01-15 21:22:11.921733961 +0100
 @@ -234,7 +234,27 @@
  	user = packet_get_cstring(NULL);
  	service = packet_get_cstring(NULL);
@@ -97,8 +97,8 @@ diff -Nur openssh-6.4p1.orig/auth2.c openssh-6.4p1/auth2.c
  		    authctxt->user, authctxt->service, user, service);
  	}
 diff -Nur openssh-6.4p1.orig/auth2-gss.c openssh-6.4p1/auth2-gss.c
---- openssh-6.4p1.orig/auth2-gss.c	2013-11-26 14:25:47.969371747 +0100
-+++ openssh-6.4p1/auth2-gss.c	2013-11-26 14:26:35.169803216 +0100
+--- openssh-6.4p1.orig/auth2-gss.c	2015-01-15 21:21:22.023268069 +0100
++++ openssh-6.4p1/auth2-gss.c	2015-01-15 21:22:11.922733970 +0100
 @@ -47,6 +47,7 @@
  
  extern ServerOptions options;
@@ -280,8 +280,8 @@ diff -Nur openssh-6.4p1.orig/auth2-gss.c openssh-6.4p1/auth2-gss.c
  	"gssapi-keyex",
  	userauth_gsskeyex,
 diff -Nur openssh-6.4p1.orig/auth.c openssh-6.4p1/auth.c
---- openssh-6.4p1.orig/auth.c	2013-11-26 14:25:47.970371735 +0100
-+++ openssh-6.4p1/auth.c	2013-11-26 14:26:35.170803204 +0100
+--- openssh-6.4p1.orig/auth.c	2015-01-15 21:21:21.901266930 +0100
++++ openssh-6.4p1/auth.c	2015-01-15 21:22:11.922733970 +0100
 @@ -74,6 +74,9 @@
  #include "krl.h"
  #include "compat.h"
@@ -346,8 +346,8 @@ diff -Nur openssh-6.4p1.orig/auth.c openssh-6.4p1/auth.c
  		record_failed_login(user,
  		    get_canonical_hostname(options.use_dns), "ssh");
 diff -Nur openssh-6.4p1.orig/auth.h openssh-6.4p1/auth.h
---- openssh-6.4p1.orig/auth.h	2013-11-26 14:25:47.970371735 +0100
-+++ openssh-6.4p1/auth.h	2013-11-26 14:26:35.170803204 +0100
+--- openssh-6.4p1.orig/auth.h	2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth.h	2015-01-15 21:22:11.923733979 +0100
 @@ -160,6 +160,7 @@
  void	auth_log(Authctxt *, int, int, const char *, const char *);
  void	userauth_finish(Authctxt *, int, const char *, const char *);
@@ -357,8 +357,8 @@ diff -Nur openssh-6.4p1.orig/auth.h openssh-6.4p1/auth.h
  void	userauth_send_banner(const char *);
  
 diff -Nur openssh-6.4p1.orig/auth-pam.c openssh-6.4p1/auth-pam.c
---- openssh-6.4p1.orig/auth-pam.c	2013-11-26 14:25:47.971371723 +0100
-+++ openssh-6.4p1/auth-pam.c	2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/auth-pam.c	2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth-pam.c	2015-01-15 21:22:11.924733989 +0100
 @@ -122,6 +122,10 @@
   */
  typedef pthread_t sp_pthread_t;
@@ -509,8 +509,8 @@ diff -Nur openssh-6.4p1.orig/auth-pam.c openssh-6.4p1/auth-pam.c
  	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
  		debug("PAM: password authentication accepted for %.100s",
 diff -Nur openssh-6.4p1.orig/auth-pam.h openssh-6.4p1/auth-pam.h
---- openssh-6.4p1.orig/auth-pam.h	2013-11-26 14:25:47.971371723 +0100
-+++ openssh-6.4p1/auth-pam.h	2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/auth-pam.h	2015-01-15 21:21:21.913267042 +0100
++++ openssh-6.4p1/auth-pam.h	2015-01-15 21:22:11.924733989 +0100
 @@ -46,5 +46,6 @@
  void sshpam_cleanup(void);
  int sshpam_auth_passwd(Authctxt *, const char *);
@@ -519,8 +519,8 @@ diff -Nur openssh-6.4p1.orig/auth-pam.h openssh-6.4p1/auth-pam.h
  
  #endif /* USE_PAM */
 diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
---- openssh-6.4p1.orig/canohost.c	2013-11-26 14:25:47.972371711 +0100
-+++ openssh-6.4p1/canohost.c	2013-11-26 14:26:35.171803192 +0100
+--- openssh-6.4p1.orig/canohost.c	2015-01-15 21:21:22.088268676 +0100
++++ openssh-6.4p1/canohost.c	2015-01-15 21:22:11.924733989 +0100
 @@ -16,6 +16,7 @@
  
  #include <sys/types.h>
@@ -529,7 +529,7 @@ diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
  
  #include <netinet/in.h>
  #include <arpa/inet.h>
-@@ -451,3 +452,33 @@
+@@ -458,3 +459,33 @@
  {
  	return get_port(1);
  }
@@ -564,9 +564,9 @@ diff -Nur openssh-6.4p1.orig/canohost.c openssh-6.4p1/canohost.c
 +	}
 +}
 diff -Nur openssh-6.4p1.orig/canohost.h openssh-6.4p1/canohost.h
---- openssh-6.4p1.orig/canohost.h	2013-11-26 14:25:47.972371711 +0100
-+++ openssh-6.4p1/canohost.h	2013-11-26 14:26:35.172803180 +0100
-@@ -26,4 +26,6 @@
+--- openssh-6.4p1.orig/canohost.h	2015-01-15 21:21:22.088268676 +0100
++++ openssh-6.4p1/canohost.h	2015-01-15 21:22:11.925733998 +0100
+@@ -27,4 +27,6 @@
  int		 get_sock_port(int, int);
  void		 clear_cached_addr(void);
  
@@ -574,8 +574,8 @@ diff -Nur openssh-6.4p1.orig/canohost.h openssh-6.4p1/canohost.h
 +
  void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
 diff -Nur openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
---- openssh-6.4p1.orig/configure.ac	2013-11-26 14:25:47.973371699 +0100
-+++ openssh-6.4p1/configure.ac	2013-11-26 14:26:35.173803168 +0100
+--- openssh-6.4p1.orig/configure.ac	2015-01-15 21:21:22.026268097 +0100
++++ openssh-6.4p1/configure.ac	2015-01-15 21:22:11.927734017 +0100
 @@ -3902,6 +3902,14 @@
  			AC_CHECK_HEADER([gssapi_krb5.h], ,
  					[ CPPFLAGS="$oldCPP" ])
@@ -643,8 +643,8 @@ diff -Nur openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
  
  PRIVSEP_PATH=/var/empty
 diff -Nur openssh-6.4p1.orig/gss-genr.c openssh-6.4p1/gss-genr.c
---- openssh-6.4p1.orig/gss-genr.c	2013-11-26 14:25:47.974371687 +0100
-+++ openssh-6.4p1/gss-genr.c	2013-11-26 14:26:35.173803168 +0100
+--- openssh-6.4p1.orig/gss-genr.c	2015-01-15 21:21:22.027268106 +0100
++++ openssh-6.4p1/gss-genr.c	2015-01-15 21:22:11.928734026 +0100
 @@ -38,6 +38,7 @@
  #include "xmalloc.h"
  #include "buffer.h"
@@ -682,8 +682,8 @@ diff -Nur openssh-6.4p1.orig/gss-genr.c openssh-6.4p1/gss-genr.c
  	return (ctx->major);
  }
 diff -Nur openssh-6.4p1.orig/gss-serv.c openssh-6.4p1/gss-serv.c
---- openssh-6.4p1.orig/gss-serv.c	2013-11-26 14:25:47.974371687 +0100
-+++ openssh-6.4p1/gss-serv.c	2013-11-26 14:47:37.394667653 +0100
+--- openssh-6.4p1.orig/gss-serv.c	2015-01-15 21:21:22.083268629 +0100
++++ openssh-6.4p1/gss-serv.c	2015-01-15 21:22:11.928734026 +0100
 @@ -52,10 +52,12 @@
  #include "monitor_wrap.h"
  
@@ -928,7 +928,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv.c openssh-6.4p1/gss-serv.c
  #endif
 diff -Nur openssh-6.4p1.orig/gss-serv-gsi.c openssh-6.4p1/gss-serv-gsi.c
 --- openssh-6.4p1.orig/gss-serv-gsi.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/gss-serv-gsi.c	2013-11-26 14:26:35.175803144 +0100
++++ openssh-6.4p1/gss-serv-gsi.c	2015-01-15 21:22:11.929734035 +0100
 @@ -0,0 +1,238 @@
 +/*
 + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1169,9 +1169,9 @@ diff -Nur openssh-6.4p1.orig/gss-serv-gsi.c openssh-6.4p1/gss-serv-gsi.c
 +#endif /* GSI */
 +#endif /* GSSAPI */
 diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
---- openssh-6.4p1.orig/gss-serv-krb5.c	2013-11-26 14:25:47.976371663 +0100
-+++ openssh-6.4p1/gss-serv-krb5.c	2013-11-26 14:26:35.175803144 +0100
-@@ -263,6 +263,34 @@
+--- openssh-6.4p1.orig/gss-serv-krb5.c	2015-01-15 21:21:22.117268947 +0100
++++ openssh-6.4p1/gss-serv-krb5.c	2015-01-15 21:22:11.929734035 +0100
+@@ -359,6 +359,34 @@
  	return found_principal;
  }
   
@@ -1206,7 +1206,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
  
  /* This writes out any forwarded credentials from the structure populated
   * during userauth. Called after we have setuid to the user */
-@@ -361,7 +389,7 @@
+@@ -457,7 +485,7 @@
  	return;
  }
  
@@ -1215,7 +1215,7 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
  ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 
      ssh_gssapi_client *client)
  {
-@@ -432,7 +460,7 @@
+@@ -528,7 +556,7 @@
  	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
  	NULL,
  	&ssh_gssapi_krb5_userok,
@@ -1225,8 +1225,8 @@ diff -Nur openssh-6.4p1.orig/gss-serv-krb5.c openssh-6.4p1/gss-serv-krb5.c
  	&ssh_gssapi_krb5_updatecreds
  };
 diff -Nur openssh-6.4p1.orig/kexgsss.c openssh-6.4p1/kexgsss.c
---- openssh-6.4p1.orig/kexgsss.c	2013-11-26 14:25:47.976371663 +0100
-+++ openssh-6.4p1/kexgsss.c	2013-11-26 14:26:35.176803132 +0100
+--- openssh-6.4p1.orig/kexgsss.c	2015-01-15 21:21:22.030268134 +0100
++++ openssh-6.4p1/kexgsss.c	2015-01-15 21:22:11.931734054 +0100
 @@ -44,6 +44,7 @@
  #include "monitor_wrap.h"
  #include "servconf.h"
@@ -1288,7 +1288,7 @@ diff -Nur openssh-6.4p1.orig/kexgsss.c openssh-6.4p1/kexgsss.c
  #endif /* GSSAPI */
 diff -Nur openssh-6.4p1.orig/LICENSE.globus_usage openssh-6.4p1/LICENSE.globus_usage
 --- openssh-6.4p1.orig/LICENSE.globus_usage	1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/LICENSE.globus_usage	2013-11-26 14:26:35.176803132 +0100
++++ openssh-6.4p1/LICENSE.globus_usage	2015-01-15 21:22:11.931734054 +0100
 @@ -0,0 +1,18 @@
 +/*
 + * Portions of the Usage Metrics suport code are derived from the
@@ -1309,8 +1309,8 @@ diff -Nur openssh-6.4p1.orig/LICENSE.globus_usage openssh-6.4p1/LICENSE.globus_u
 + * limitations under the License.
 + */
 diff -Nur openssh-6.4p1.orig/Makefile.in openssh-6.4p1/Makefile.in
---- openssh-6.4p1.orig/Makefile.in	2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/Makefile.in	2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/Makefile.in	2015-01-15 21:21:22.092268713 +0100
++++ openssh-6.4p1/Makefile.in	2015-01-15 21:22:11.931734054 +0100
 @@ -95,8 +95,10 @@
  	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
  	auth-krb5.o \
@@ -1323,8 +1323,8 @@ diff -Nur openssh-6.4p1.orig/Makefile.in openssh-6.4p1/Makefile.in
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
  	sandbox-seccomp-filter.o
 diff -Nur openssh-6.4p1.orig/misc.c openssh-6.4p1/misc.c
---- openssh-6.4p1.orig/misc.c	2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/misc.c	2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/misc.c	2015-01-15 21:21:22.115268928 +0100
++++ openssh-6.4p1/misc.c	2015-01-15 21:22:11.932734063 +0100
 @@ -158,11 +158,14 @@
  #define WHITESPACE " \t\r\n"
  #define QUOTE	"\""
@@ -1385,8 +1385,8 @@ diff -Nur openssh-6.4p1.orig/misc.c openssh-6.4p1/misc.c
   * Convert ASCII string to TCP/IP port number.
   * Port must be >=0 and <=65535.
 diff -Nur openssh-6.4p1.orig/misc.h openssh-6.4p1/misc.h
---- openssh-6.4p1.orig/misc.h	2013-11-26 14:25:47.977371651 +0100
-+++ openssh-6.4p1/misc.h	2013-11-26 14:26:35.177803120 +0100
+--- openssh-6.4p1.orig/misc.h	2015-01-15 21:21:22.092268713 +0100
++++ openssh-6.4p1/misc.h	2015-01-15 21:22:11.932734063 +0100
 @@ -39,6 +39,7 @@
  void	 sock_set_v6only(int);
  
@@ -1396,8 +1396,8 @@ diff -Nur openssh-6.4p1.orig/misc.h openssh-6.4p1/misc.h
  
  typedef struct arglist arglist;
 diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
---- openssh-6.4p1.orig/monitor.c	2013-11-26 14:25:47.978371639 +0100
-+++ openssh-6.4p1/monitor.c	2013-11-26 14:26:35.178803108 +0100
+--- openssh-6.4p1.orig/monitor.c	2015-01-15 21:21:22.103268816 +0100
++++ openssh-6.4p1/monitor.c	2015-01-15 21:22:11.933734073 +0100
 @@ -188,6 +188,9 @@
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -1463,7 +1463,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
  #endif
  	} else {
  		mon_dispatch = mon_dispatch_proto15;
-@@ -535,6 +545,8 @@
+@@ -538,6 +548,8 @@
  #ifdef GSSAPI
  		/* and for the GSSAPI key exchange */
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
@@ -1472,7 +1472,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
  #endif		
  	} else {
  		mon_dispatch = mon_dispatch_postauth15;
-@@ -805,14 +817,17 @@
+@@ -808,14 +820,17 @@
  
  	debug3("%s", __func__);
  
@@ -1493,7 +1493,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
  	setproctitle("%s [priv]", pwent ? username : "unknown");
  	free(username);
  
-@@ -2306,12 +2321,15 @@
+@@ -2309,12 +2324,15 @@
  mm_answer_gss_userok(int sock, Buffer *m)
  {
  	int authenticated;
@@ -1510,7 +1510,7 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
  
  	buffer_clear(m);
  	buffer_put_int(m, authenticated);
-@@ -2319,12 +2337,77 @@
+@@ -2322,12 +2340,77 @@
  	debug3("%s: sending result %d", __func__, authenticated);
  	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
  
@@ -1590,8 +1590,8 @@ diff -Nur openssh-6.4p1.orig/monitor.c openssh-6.4p1/monitor.c
  mm_answer_gss_sign(int socket, Buffer *m)
  {
 diff -Nur openssh-6.4p1.orig/monitor.h openssh-6.4p1/monitor.h
---- openssh-6.4p1.orig/monitor.h	2013-11-26 14:25:47.978371639 +0100
-+++ openssh-6.4p1/monitor.h	2013-11-26 14:26:35.178803108 +0100
+--- openssh-6.4p1.orig/monitor.h	2015-01-15 21:21:22.032268153 +0100
++++ openssh-6.4p1/monitor.h	2015-01-15 21:22:11.933734073 +0100
 @@ -79,8 +79,10 @@
  	MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
  	MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
@@ -1606,8 +1606,8 @@ diff -Nur openssh-6.4p1.orig/monitor.h openssh-6.4p1/monitor.h
  
  struct mm_master;
 diff -Nur openssh-6.4p1.orig/monitor_wrap.c openssh-6.4p1/monitor_wrap.c
---- openssh-6.4p1.orig/monitor_wrap.c	2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/monitor_wrap.c	2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/monitor_wrap.c	2015-01-15 21:21:22.032268153 +0100
++++ openssh-6.4p1/monitor_wrap.c	2015-01-15 21:22:11.934734082 +0100
 @@ -1329,12 +1329,13 @@
  }
  
@@ -1708,8 +1708,8 @@ diff -Nur openssh-6.4p1.orig/monitor_wrap.c openssh-6.4p1/monitor_wrap.c
  mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
  {
 diff -Nur openssh-6.4p1.orig/monitor_wrap.h openssh-6.4p1/monitor_wrap.h
---- openssh-6.4p1.orig/monitor_wrap.h	2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/monitor_wrap.h	2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/monitor_wrap.h	2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/monitor_wrap.h	2015-01-15 21:22:11.934734082 +0100
 @@ -62,9 +62,13 @@
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1726,8 +1726,8 @@ diff -Nur openssh-6.4p1.orig/monitor_wrap.h openssh-6.4p1/monitor_wrap.h
  #endif
  
 diff -Nur openssh-6.4p1.orig/readconf.c openssh-6.4p1/readconf.c
---- openssh-6.4p1.orig/readconf.c	2013-11-26 14:25:47.979371627 +0100
-+++ openssh-6.4p1/readconf.c	2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/readconf.c	2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/readconf.c	2015-01-15 21:22:11.935734091 +0100
 @@ -1303,13 +1303,13 @@
  	if (options->challenge_response_authentication == -1)
  		options->challenge_response_authentication = 1;
@@ -1747,8 +1747,8 @@ diff -Nur openssh-6.4p1.orig/readconf.c openssh-6.4p1/readconf.c
  		options->gss_renewal_rekey = 0;
  	if (options->password_authentication == -1)
 diff -Nur openssh-6.4p1.orig/readconf.h openssh-6.4p1/readconf.h
---- openssh-6.4p1.orig/readconf.h	2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/readconf.h	2013-11-26 14:26:35.179803095 +0100
+--- openssh-6.4p1.orig/readconf.h	2015-01-15 21:21:22.033268162 +0100
++++ openssh-6.4p1/readconf.h	2015-01-15 21:22:11.935734091 +0100
 @@ -88,6 +88,8 @@
  	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
  	char   *proxy_command;	/* Proxy command for connecting the host. */
@@ -1759,8 +1759,8 @@ diff -Nur openssh-6.4p1.orig/readconf.h openssh-6.4p1/readconf.h
  
  	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts */
 diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
---- openssh-6.4p1.orig/servconf.c	2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/servconf.c	2013-11-26 14:26:35.180803083 +0100
+--- openssh-6.4p1.orig/servconf.c	2015-01-15 21:21:22.118268956 +0100
++++ openssh-6.4p1/servconf.c	2015-01-15 21:28:16.004109681 +0100
 @@ -71,6 +71,7 @@
  
  	/* Portable-specific options */
@@ -1790,7 +1790,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	options->revoked_keys_file = NULL;
  	options->trusted_user_ca_keys = NULL;
  	options->authorized_principals_file = NULL;
-@@ -166,6 +171,8 @@
+@@ -167,6 +172,8 @@
  	/* Portable-specific options */
  	if (options->use_pam == -1)
  		options->use_pam = 0;
@@ -1799,7 +1799,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  
  	/* Standard Options */
  	if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -244,13 +251,17 @@
+@@ -245,13 +252,17 @@
  	if (options->kerberos_get_afs_token == -1)
  		options->kerberos_get_afs_token = 0;
  	if (options->gss_authentication == -1)
@@ -1819,7 +1819,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	if (options->gss_store_rekey == -1)
  		options->gss_store_rekey = 0;
  	if (options->password_authentication == -1)
-@@ -333,7 +344,7 @@
+@@ -336,7 +347,7 @@
  typedef enum {
  	sBadOption,		/* == unknown option */
  	/* Portable-specific options */
@@ -1828,14 +1828,14 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	/* Standard Options */
  	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
  	sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -354,11 +365,15 @@
+@@ -357,11 +368,15 @@
  	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  	sClientAliveCountMax, sAuthorizedKeysFile,
 +	sGssDelegateCreds,
 +	sGssCredsPath,
 +	sGsiAllowLimitedProxy,
- 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ 	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
  	sGssKeyEx, sGssStoreRekey,
  	sAcceptEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
@@ -1844,7 +1844,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	sZeroKnowledgePasswordAuthentication, sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
-@@ -380,8 +395,10 @@
+@@ -383,8 +398,10 @@
  	/* Portable-specific options */
  #ifdef USE_PAM
  	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -1855,7 +1855,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  #endif
  	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
  	/* Standard Options */
-@@ -424,15 +441,25 @@
+@@ -427,16 +444,26 @@
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -1871,6 +1871,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
  	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ 	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 +	{ "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
@@ -1881,7 +1882,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
-@@ -497,6 +524,8 @@
+@@ -502,6 +529,8 @@
  	{ "permitopen", sPermitOpen, SSHCFG_ALL },
  	{ "forcecommand", sForceCommand, SSHCFG_ALL },
  	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -1890,7 +1891,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-@@ -889,6 +918,10 @@
+@@ -894,6 +923,10 @@
  		intptr = &options->use_pam;
  		goto parse_flag;
  
@@ -1901,7 +1902,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	/* Standard Options */
  	case sBadOption:
  		return -1;
-@@ -1104,6 +1137,10 @@
+@@ -1109,6 +1142,10 @@
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -1912,7 +1913,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	case sGssKeyEx:
  		intptr = &options->gss_keyex;
  		goto parse_flag;
-@@ -1112,6 +1149,10 @@
+@@ -1117,6 +1154,10 @@
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
  
@@ -1923,7 +1924,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	case sGssStrictAcceptor:
  		intptr = &options->gss_strict_acceptor;
  		goto parse_flag;
-@@ -1120,6 +1161,12 @@
+@@ -1125,6 +1166,12 @@
  		intptr = &options->gss_store_rekey;
  		goto parse_flag;
  
@@ -1936,7 +1937,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
  		goto parse_flag;
-@@ -1581,6 +1628,18 @@
+@@ -1590,6 +1637,18 @@
  			*charptr = xstrdup(arg);
  		break;
  
@@ -1955,7 +1956,7 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	case sTrustedUserCAKeys:
  		charptr = &options->trusted_user_ca_keys;
  		goto parse_filename;
-@@ -1801,6 +1860,7 @@
+@@ -1812,6 +1871,7 @@
  {
  	M_CP_INTOPT(password_authentication);
  	M_CP_INTOPT(gss_authentication);
@@ -1964,8 +1965,8 @@ diff -Nur openssh-6.4p1.orig/servconf.c openssh-6.4p1/servconf.c
  	M_CP_INTOPT(pubkey_authentication);
  	M_CP_INTOPT(kerberos_authentication);
 diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
---- openssh-6.4p1.orig/servconf.h	2013-11-26 14:25:47.980371615 +0100
-+++ openssh-6.4p1/servconf.h	2013-11-26 14:26:35.180803083 +0100
+--- openssh-6.4p1.orig/servconf.h	2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/servconf.h	2015-01-15 21:22:11.937734110 +0100
 @@ -110,9 +110,12 @@
  						 * file on logout. */
  	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
@@ -1987,9 +1988,9 @@ diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
  
  	int	permit_tun;
  
-@@ -176,6 +180,10 @@
- 
- 	int	use_kuserok;
+@@ -177,6 +181,10 @@
+ 	int		use_kuserok;
+ 	int		enable_k5users;
  	char   *chroot_directory;
 +
 +	int	disable_usage_stats;
@@ -1999,8 +2000,8 @@ diff -Nur openssh-6.4p1.orig/servconf.h openssh-6.4p1/servconf.h
  	char   *trusted_user_ca_keys;
  	char   *authorized_principals_file;
 diff -Nur openssh-6.4p1.orig/ssh.1 openssh-6.4p1/ssh.1
---- openssh-6.4p1.orig/ssh.1	2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh.1	2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh.1	2015-01-15 21:21:22.004267891 +0100
++++ openssh-6.4p1/ssh.1	2015-01-15 21:22:11.938734119 +0100
 @@ -1281,6 +1281,18 @@
  on to new connections).
  .It Ev USER
@@ -2021,8 +2022,8 @@ diff -Nur openssh-6.4p1.orig/ssh.1 openssh-6.4p1/ssh.1
  .Pp
  Additionally,
 diff -Nur openssh-6.4p1.orig/ssh.c openssh-6.4p1/ssh.c
---- openssh-6.4p1.orig/ssh.c	2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh.c	2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh.c	2015-01-15 21:21:21.974267611 +0100
++++ openssh-6.4p1/ssh.c	2015-01-15 21:22:11.938734119 +0100
 @@ -718,6 +718,32 @@
  			fatal("Can't open user config file %.100s: "
  			    "%.100s", config, strerror(errno));
@@ -2071,8 +2072,8 @@ diff -Nur openssh-6.4p1.orig/ssh.c openssh-6.4p1/ssh.c
  	/* Get default port if port has not been set. */
  	if (options.port == 0) {
 diff -Nur openssh-6.4p1.orig/ssh_config openssh-6.4p1/ssh_config
---- openssh-6.4p1.orig/ssh_config	2013-11-26 14:25:47.981371603 +0100
-+++ openssh-6.4p1/ssh_config	2013-11-26 14:26:35.181803071 +0100
+--- openssh-6.4p1.orig/ssh_config	2015-01-15 21:21:22.035268181 +0100
++++ openssh-6.4p1/ssh_config	2015-01-15 21:22:11.938734119 +0100
 @@ -24,10 +24,10 @@
  #   RSAAuthentication yes
  #   PasswordAuthentication yes
@@ -2089,8 +2090,8 @@ diff -Nur openssh-6.4p1.orig/ssh_config openssh-6.4p1/ssh_config
  #   CheckHostIP yes
  #   AddressFamily any
 diff -Nur openssh-6.4p1.orig/ssh_config.5 openssh-6.4p1/ssh_config.5
---- openssh-6.4p1.orig/ssh_config.5	2013-11-26 14:25:47.982371591 +0100
-+++ openssh-6.4p1/ssh_config.5	2013-11-26 14:26:35.182803059 +0100
+--- openssh-6.4p1.orig/ssh_config.5	2015-01-15 21:21:22.035268181 +0100
++++ openssh-6.4p1/ssh_config.5	2015-01-15 21:22:11.939734129 +0100
 @@ -55,6 +55,12 @@
  user's configuration file
  .Pq Pa ~/.ssh/config
@@ -2105,9 +2106,9 @@ diff -Nur openssh-6.4p1.orig/ssh_config.5 openssh-6.4p1/ssh_config.5
  .Pq Pa /etc/ssh/ssh_config
  .El
 diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
---- openssh-6.4p1.orig/sshconnect2.c	2013-11-26 14:25:47.982371591 +0100
-+++ openssh-6.4p1/sshconnect2.c	2013-11-26 14:26:35.182803059 +0100
-@@ -700,6 +700,11 @@
+--- openssh-6.4p1.orig/sshconnect2.c	2015-01-15 21:21:22.093268722 +0100
++++ openssh-6.4p1/sshconnect2.c	2015-01-15 21:22:11.939734129 +0100
+@@ -734,6 +734,11 @@
  	int ok = 0;
  	const char *gss_host = NULL;
  
@@ -2119,7 +2120,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
  	if (options.gss_server_identity)
  		gss_host = options.gss_server_identity;
  	else if (options.gss_trust_dns) {
-@@ -933,6 +938,15 @@
+@@ -967,6 +972,15 @@
  	free(lang);
  }
  
@@ -2135,7 +2136,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
  int
  userauth_gsskeyex(Authctxt *authctxt)
  {
-@@ -950,8 +964,16 @@
+@@ -984,8 +998,16 @@
  		return (0);
  	}
  
@@ -2152,7 +2153,7 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
  
  	gssbuf.value = buffer_ptr(&b);
  	gssbuf.length = buffer_len(&b);
-@@ -962,7 +984,15 @@
+@@ -996,7 +1018,15 @@
  	}
  
  	packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -2169,8 +2170,8 @@ diff -Nur openssh-6.4p1.orig/sshconnect2.c openssh-6.4p1/sshconnect2.c
  	packet_put_cstring(authctxt->method->name);
  	packet_put_string(mic.value, mic.length);
 diff -Nur openssh-6.4p1.orig/sshd.8 openssh-6.4p1/sshd.8
---- openssh-6.4p1.orig/sshd.8	2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd.8	2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd.8	2015-01-15 21:21:22.041268237 +0100
++++ openssh-6.4p1/sshd.8	2015-01-15 21:22:11.940734138 +0100
 @@ -763,6 +763,44 @@
  # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
  @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
@@ -2217,8 +2218,8 @@ diff -Nur openssh-6.4p1.orig/sshd.8 openssh-6.4p1/sshd.8
  .Bl -tag -width Ds -compact
  .It Pa ~/.hushlogin
 diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
---- openssh-6.4p1.orig/sshd.c	2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd.c	2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd.c	2015-01-15 21:21:22.063268442 +0100
++++ openssh-6.4p1/sshd.c	2015-01-15 21:22:11.940734138 +0100
 @@ -124,6 +124,7 @@
  #include "audit.h"
  #include "ssh-sandbox.h"
@@ -2227,7 +2228,7 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
  
  #ifdef USE_SECURITY_SESSION_API
  #include <Security/AuthSession.h>
-@@ -1681,6 +1682,13 @@
+@@ -1685,6 +1686,13 @@
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -2241,7 +2242,7 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
  	/* challenge-response is implemented via keyboard interactive */
  	if (options.challenge_response_authentication)
  		options.kbd_interactive_authentication = 1;
-@@ -2266,7 +2274,7 @@
+@@ -2270,7 +2278,7 @@
  #endif
  
  #ifdef GSSAPI
@@ -2251,8 +2252,8 @@ diff -Nur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
  		ssh_gssapi_storecreds();
  		restore_uid();
 diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
---- openssh-6.4p1.orig/sshd_config	2013-11-26 14:25:47.983371579 +0100
-+++ openssh-6.4p1/sshd_config	2013-11-26 14:26:35.183803047 +0100
+--- openssh-6.4p1.orig/sshd_config	2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/sshd_config	2015-01-15 21:24:59.805301455 +0100
 @@ -89,12 +89,12 @@
  #KerberosUseKuserok yes
  
@@ -2266,10 +2267,10 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
  #GSSAPIStrictAcceptorCheck yes
 -#GSSAPIKeyExchange no
 +#GSSAPIKeyExchange yes
+ #GSSAPIEnablek5users no
  
  # Set this to 'yes' to enable PAM authentication, account processing, 
- # and session processing. If this is enabled, PAM authentication will 
-@@ -110,6 +109,10 @@
+@@ -111,6 +111,10 @@
  #UsePAM no
  UsePAM yes
  
@@ -2280,7 +2281,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
-@@ -155,3 +158,7 @@
+@@ -156,3 +160,7 @@
  #	X11Forwarding no
  #	AllowTcpForwarding no
  #	ForceCommand cvs server
@@ -2289,8 +2290,8 @@ diff -Nur openssh-6.4p1.orig/sshd_config openssh-6.4p1/sshd_config
 +#UsageStatsTargets usage-stats.cilogon.org:4810
 +#DisableUsageStats no
 diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
---- openssh-6.4p1.orig/sshd_config.5	2013-11-26 14:25:47.984371567 +0100
-+++ openssh-6.4p1/sshd_config.5	2013-11-26 14:26:35.184803035 +0100
+--- openssh-6.4p1.orig/sshd_config.5	2015-01-15 21:21:22.119268965 +0100
++++ openssh-6.4p1/sshd_config.5	2015-01-15 21:23:37.940537101 +0100
 @@ -440,6 +440,15 @@
  See PATTERNS in
  .Xr ssh_config 5
@@ -2318,10 +2319,10 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
  .It Cm GSSAPIKeyExchange
  Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
  doesn't rely on ssh keys to verify host identity.
-@@ -496,6 +509,22 @@
+@@ -502,6 +515,22 @@
+ .Xr ksu 1 .
  The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
+ .Dq no .
 +.It Cm GSSAPICredentialsPath
 +If specified, the delegated GSSAPI credential is stored in the
 +given path, overwriting any existing credentials.  
@@ -2341,7 +2342,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
  .It Cm GSSAPIStrictAcceptorCheck
  Determines whether to be strict about the identity of the GSSAPI acceptor 
  a client authenticates against. If
-@@ -1160,6 +1189,121 @@
+@@ -1166,6 +1195,121 @@
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
@@ -2463,7 +2464,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
  .It Cm TrustedUserCAKeys
  Specifies a file containing public keys of certificate authorities that are
  trusted to sign user certificates for authentication.
-@@ -1225,6 +1369,12 @@
+@@ -1231,6 +1375,12 @@
  as a non-root user.
  The default is
  .Dq no .
@@ -2478,7 +2479,7 @@ diff -Nur openssh-6.4p1.orig/sshd_config.5 openssh-6.4p1/sshd_config.5
  .Xr sshd 8
 diff -Nur openssh-6.4p1.orig/ssh-globus-usage.c openssh-6.4p1/ssh-globus-usage.c
 --- openssh-6.4p1.orig/ssh-globus-usage.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/ssh-globus-usage.c	2013-11-26 14:26:35.184803035 +0100
++++ openssh-6.4p1/ssh-globus-usage.c	2015-01-15 21:22:11.942734157 +0100
 @@ -0,0 +1,396 @@
 +/*
 + * Copyright 2009 The Board of Trustees of the University
@@ -2878,7 +2879,7 @@ diff -Nur openssh-6.4p1.orig/ssh-globus-usage.c openssh-6.4p1/ssh-globus-usage.c
 +}
 diff -Nur openssh-6.4p1.orig/ssh-globus-usage.h openssh-6.4p1/ssh-globus-usage.h
 --- openssh-6.4p1.orig/ssh-globus-usage.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.4p1/ssh-globus-usage.h	2013-11-26 14:26:35.184803035 +0100
++++ openssh-6.4p1/ssh-globus-usage.h	2015-01-15 21:22:11.943734166 +0100
 @@ -0,0 +1,46 @@
 +/*
 + * Copyright 2009 The Board of Trustees of the University
@@ -2927,8 +2928,8 @@ diff -Nur openssh-6.4p1.orig/ssh-globus-usage.h openssh-6.4p1/ssh-globus-usage.h
 +
 +#endif /* __SSH_GLOBUS_USAGE_H */
 diff -Nur openssh-6.4p1.orig/ssh-gss.h openssh-6.4p1/ssh-gss.h
---- openssh-6.4p1.orig/ssh-gss.h	2013-11-26 14:25:47.985371555 +0100
-+++ openssh-6.4p1/ssh-gss.h	2013-11-26 14:26:35.185803023 +0100
+--- openssh-6.4p1.orig/ssh-gss.h	2015-01-15 21:21:22.041268237 +0100
++++ openssh-6.4p1/ssh-gss.h	2015-01-15 21:22:11.943734166 +0100
 @@ -91,6 +91,7 @@
  	gss_name_t name;
  	struct ssh_gssapi_mech_struct *mech;
@@ -2974,8 +2975,8 @@ diff -Nur openssh-6.4p1.orig/ssh-gss.h openssh-6.4p1/ssh-gss.h
  
  #endif /* _SSH_GSS_H */
 diff -Nur openssh-6.4p1.orig/version.h openssh-6.4p1/version.h
---- openssh-6.4p1.orig/version.h	2013-11-26 14:25:47.985371555 +0100
-+++ openssh-6.4p1/version.h	2013-11-26 14:26:35.185803023 +0100
+--- openssh-6.4p1.orig/version.h	2013-11-08 02:40:07.000000000 +0100
++++ openssh-6.4p1/version.h	2015-01-15 21:22:11.943734166 +0100
 @@ -1,6 +1,21 @@
  /* $OpenBSD: version.h,v 1.68 2013/11/08 01:38:11 djm Exp $ */
  
diff --git a/openssh-6.4p1-ip-port-config-parser.patch b/openssh-6.4p1-ip-port-config-parser.patch
new file mode 100644
index 0000000..d2746bf
--- /dev/null
+++ b/openssh-6.4p1-ip-port-config-parser.patch
@@ -0,0 +1,24 @@
+diff --git a/misc.c b/misc.c
+index 2f11de4..36402d1 100644
+--- a/misc.c
++++ b/misc.c
+@@ -396,7 +396,7 @@ hpdelim(char **cp)
+ 			return NULL;
+ 		else
+ 			s++;
+-	} else if ((s = strpbrk(s, ":/")) == NULL)
++	} else if ((s = strpbrk(s, ":")) == NULL)
+ 		s = *cp + strlen(*cp); /* skip to end (see first case below) */
+ 
+ 	switch (*s) {
+@@ -405,7 +405,6 @@ hpdelim(char **cp)
+ 		break;
+ 
+ 	case ':':
+-	case '/':
+ 		*s = '\0';	/* terminate */
+ 		*cp = s + 1;
+ 		break;
+-- 
+2.1.0
+
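Review bot: Dropping `/` from the `strpbrk()` set and from the `switch` changes what `hpdelim()` returns for every caller that passed it a slash-separated spec, and the patch file carries no header saying which report or upstream change motivates it. A `host/port` string with no `:` now takes the skip-to-end branch on the line after the changed `strpbrk()`, so the whole string, slash included, is presumably handed back as the host and the port part is never parsed; the callers and the rest of the `switch` are outside the hunk, so I cannot confirm how that surfaces (likely only at resolve time rather than as a config parse error). A one-line description above the `diff --git` line, e.g. `hpdelim(): only ':' separates host and port; '/' is no longer a delimiter (<bug reference>)`, would make the intent reviewable, and the manual pages should be checked for any remaining mention of a slash-separated host/port form.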
diff --git a/openssh-6.4p1-scp-non-existing-directory.patch b/openssh-6.4p1-scp-non-existing-directory.patch
new file mode 100644
index 0000000..5412bc5
--- /dev/null
+++ b/openssh-6.4p1-scp-non-existing-directory.patch
@@ -0,0 +1,14 @@
+--- a/scp.c	
++++ a/scp.c	
+@@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
+ 			free(vect[0]);
+ 			continue;
+ 		}
++		if (buf[0] == 'C' && ! exists && np[strlen(np)-1] == '/') {
++			errno = ENOTDIR;
++			goto bad;
++		}
+ 		omode = mode;
+ 		mode |= S_IWUSR;
+ 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+-- 
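Review bot: `np[strlen(np)-1]` on the added condition reads one byte before the buffer if `np` is ever the empty string, because `strlen(np)-1` wraps to `SIZE_MAX`; the rest of `sink()` and the place `np` is built are outside the hunk, so whether an empty target can reach this point is not visible here, but the guard is cheap: `size_t nplen = strlen(np);` before the check and `if (buf[0] == 'C' && !exists && nplen > 0 && np[nplen - 1] == '/') {` as the condition. The `! exists` spacing also does not match the surrounding OpenSSH style (`!exists`). Minor: the `+++ a/scp.c` header would conventionally read `+++ b/scp.c`, though it still applies with `-p1`.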
diff --git a/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch b/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
new file mode 100644
index 0000000..ba40655
--- /dev/null
+++ b/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
@@ -0,0 +1,15 @@
+diff --git a/sftp.c b/sftp.c
+index 4e1a026..6f16f7c 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -1356,7 +1356,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
+ 	case I_SYMLINK:
+ 		sflag = 1;
+ 	case I_LINK:
+-		path1 = make_absolute(path1, *pwd);
++		if (!sflag)
++			path1 = make_absolute(path1, *pwd);
+ 		path2 = make_absolute(path2, *pwd);
+ 		err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2);
+ 		break;
+--
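Review bot: The new `if (!sflag)` depends on control falling through from `case I_SYMLINK:` into `case I_LINK:` two lines above, and nothing in the hunk records why a symlink's target must not be made absolute, so the next maintainer may well "fix" it back. A comment on the added line would capture the reason, e.g. `/* symlink targets are stored verbatim: resolving them against *pwd would turn a relative link into an absolute one */`. Since that fallthrough is now load-bearing, a `/* FALLTHROUGH */` marker after `sflag = 1;` is also worth adding.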

