Upgrade to openssh-5.6p1

2010-08-03 02:41:49 +02:00 · 2010-08-03 02:41:49 +02:00 · 1b8a267cb9
commit 1b8a267cb9
parent 98ba34ae05
14 changed files with 419 additions and 664 deletions
--- a/openssh-4.0p1-exit-deadlock.patch
+++ b/openssh-4.0p1-exit-deadlock.patch
@ -1,13 +0,0 @@
 --- openssh-4.0p1/channels.c.exit-deadlock	2005-03-01 11:24:33.000000000 +0100
 +++ openssh-4.0p1/channels.c	2005-04-05 22:25:15.197226237 +0200
@@ -1403,6 +1403,10 @@
 	u_int dlen;
 	int len;
 +	if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
 +		debug("channel %d: forcing write", c->self);
 +		FD_SET(c->wfd, writeset);
 +	}
 	/* Send buffered output data to the socket. */
 	if (c->wfd != -1 &&
 	    FD_ISSET(c->wfd, writeset) &&
--- a/openssh-5.3p1-skip-initial.patch
+++ b/openssh-5.3p1-skip-initial.patch
@ -1,24 +0,0 @@
 diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c
 --- openssh-5.3p1/auth1.c.skip-initial	2009-03-08 01:40:28.000000000 +0100
 +++ openssh-5.3p1/auth1.c	2009-10-02 13:55:00.000000000 +0200
@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
 	/* If the user has no password, accept authentication immediately. */
 -	if (options.password_authentication &&
 +	if (options.permit_empty_passwd && options.password_authentication &&
 #ifdef KRB5
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
 diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c
 --- openssh-5.3p1/auth2-none.c.skip-initial	2009-03-08 01:40:28.000000000 +0100
 +++ openssh-5.3p1/auth2-none.c	2009-10-02 13:56:21.000000000 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
 {
 	none_enabled = 0;
 	packet_check_eom();
 -	if (options.password_authentication)
 +	if (options.permit_empty_passwd && options.password_authentication)
 		return (PRIVSEP(auth_password(authctxt, "")));
 	return (0);
 }
--- a/openssh-5.5p1-staterr.patch
+++ b/openssh-5.5p1-staterr.patch
@ -1,30 +0,0 @@
 diff -up openssh-5.5p1/ssh-keygen.c.staterr openssh-5.5p1/ssh-keygen.c
 --- openssh-5.5p1/ssh-keygen.c.staterr	2010-05-04 09:01:14.000000000 +0200
 +++ openssh-5.5p1/ssh-keygen.c	2010-05-04 09:03:32.000000000 +0200
@@ -1831,13 +1831,19 @@ main(int argc, char **argv)
 		ask_filename(pw, "Enter file in which to save the key");
 	/* Create ~/.ssh directory if it doesn't already exist. */
 -	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
 -	if (strstr(identity_file, dotsshdir) != NULL &&
 -	    stat(dotsshdir, &st) < 0) {
 -		if (mkdir(dotsshdir, 0700) < 0)
 -			error("Could not create directory '%s'.", dotsshdir);
 -		else if (!quiet)
 -			printf("Created directory '%s'.\n", dotsshdir);
 +	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s",
 +	    pw->pw_dir, _PATH_SSH_USER_DIR);
 +	if (strstr(identity_file, dotsshdir) != NULL) {
 +		if (stat(dotsshdir, &st) < 0) {
 +			if (errno != ENOENT) {
 +				error("Could not stat %s: %s", dotsshdir,
 +				    strerror(errno));
 +			} else if (mkdir(dotsshdir, 0700) < 0) {
 +				error("Could not create directory '%s': %s",
 +				    dotsshdir, strerror(errno));
 +			} else if (!quiet)
 +				printf("Created directory '%s'.\n", dotsshdir);
 +		}
 	}
 	/* If the file already exists, ask the user to confirm. */
 	if (!overwrite && stat(identity_file, &st) >= 0) {
--- a/openssh-5.5p1-stderr.patch
+++ b/openssh-5.5p1-stderr.patch
@ -1,171 +0,0 @@
 diff -up openssh-5.5p1/channels.c.stderr openssh-5.5p1/channels.c
 --- openssh-5.5p1/channels.c.stderr	2010-06-23 15:20:30.000000000 +0200
 +++ openssh-5.5p1/channels.c	2010-06-23 15:23:06.000000000 +0200
@@ -838,8 +838,9 @@ channel_pre_open(Channel *c, fd_set *rea
 		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
 		    buffer_len(&c->extended) > 0)
 			FD_SET(c->efd, writeset);
 -		else if (!(c->flags & CHAN_EOF_SENT) &&
 -		    c->extended_usage == CHAN_EXTENDED_READ &&
 +		else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
 +		    (c->extended_usage == CHAN_EXTENDED_READ ||
 +		    c->extended_usage == CHAN_EXTENDED_IGNORE) &&
 		    buffer_len(&c->extended) < c->remote_window)
 			FD_SET(c->efd, readset);
 	}
@@ -1759,7 +1760,9 @@ channel_handle_efd(Channel *c, fd_set *r
 				buffer_consume(&c->extended, len);
 				c->local_consumed += len;
 			}
 -		} else if (c->extended_usage == CHAN_EXTENDED_READ &&
 +		} else if (c->efd != -1 &&
 +		    (c->extended_usage == CHAN_EXTENDED_READ ||
 +		    c->extended_usage == CHAN_EXTENDED_IGNORE) &&
 		    (c->detach_close || FD_ISSET(c->efd, readset))) {
 			len = read(c->efd, buf, sizeof(buf));
 			debug2("channel %d: read %d from efd %d",
@@ -1772,7 +1775,11 @@ channel_handle_efd(Channel *c, fd_set *r
 				    c->self, c->efd);
 				channel_close_fd(&c->efd);
 			} else {
 -				buffer_append(&c->extended, buf, len);
 +				if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
 +					debug3("channel %d: discard efd",
 +					    c->self);
 +				} else
 +					buffer_append(&c->extended, buf, len);
 			}
 		}
 	}
 diff -up openssh-5.5p1/session.c.stderr openssh-5.5p1/session.c
 --- openssh-5.5p1/session.c.stderr	2010-06-23 15:20:29.000000000 +0200
 +++ openssh-5.5p1/session.c	2010-06-23 15:23:55.000000000 +0200
@@ -47,6 +47,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 +#include <fcntl.h>
 #include <grp.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
@@ -104,7 +105,7 @@
 /* func */
 Session *session_new(void);
 -void	session_set_fds(Session *, int, int, int, int);
 +void	session_set_fds(Session *, int, int, int, int, int);
 void	session_pty_cleanup(Session *);
 void	session_proctitle(Session *);
 int	session_setup_x11fwd(Session *);
@@ -443,10 +444,14 @@ int
 do_exec_no_pty(Session *s, const char *command)
 {
 	pid_t pid;
 +	int ignore_fderr = 0;
 #ifdef USE_PIPES
 	int pin[2], pout[2], perr[2];
 +	if (s == NULL)
 +		fatal("do_exec_no_pty: no session");
 +
 	/* Allocate pipes for communicating with the program. */
 	if (pipe(pin) < 0) {
 		error("%s: pipe in: %.100s", __func__, strerror(errno));
@@ -459,32 +464,38 @@ do_exec_no_pty(Session *s, const char *c
 		return -1;
 	}
 	if (pipe(perr) < 0) {
 -		error("%s: pipe err: %.100s", __func__, strerror(errno));
 +		error("%s: pipe err: %.100s", __func__,
 +		    strerror(errno));
 		close(pin[0]);
 		close(pin[1]);
 		close(pout[0]);
 		close(pout[1]);
 		return -1;
 	}
 +	if (s->is_subsystem)
 +		ignore_fderr = 1;
 #else
 	int inout[2], err[2];
 +	if (s == NULL)
 +		fatal("do_exec_no_pty: no session");
 +
 	/* Uses socket pairs to communicate with the program. */
 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) {
 		error("%s: socketpair #1: %.100s", __func__, strerror(errno));
 		return -1;
 	}
 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
 -		error("%s: socketpair #2: %.100s", __func__, strerror(errno));
 +		error("%s: socketpair #2: %.100s", __func__,
 +		    strerror(errno));
 		close(inout[0]);
 		close(inout[1]);
 		return -1;
 	}
 +	if (s->is_subsystem)
 +		ignore_fderr = 1;
 #endif
 -	if (s == NULL)
 -		fatal("do_exec_no_pty: no session");
 -
 	session_proctitle(s);
 	/* Fork the child. */
@@ -595,11 +606,7 @@ do_exec_no_pty(Session *s, const char *c
 	close(perr[1]);
 	if (compat20) {
 -		if (s->is_subsystem) {
 -			close(perr[0]);
 -			perr[0] = -1;
 -		}
 -		session_set_fds(s, pin[1], pout[0], perr[0], 0);
 +		session_set_fds(s, pin[1], pout[0], perr[0], ignore_fderr, 0);
 	} else {
 		/* Enter the interactive session. */
 		server_loop(pid, pin[1], pout[0], perr[0]);
@@ -615,10 +622,7 @@ do_exec_no_pty(Session *s, const char *c
 	 * handle the case that fdin and fdout are the same.
 	 */
 	if (compat20) {
 -		session_set_fds(s, inout[1], inout[1],
 -		    s->is_subsystem ? -1 : err[1], 0);
 -		if (s->is_subsystem)
 -			close(err[1]);
 +		session_set_fds(s, inout[1], inout[1], err[1], ignore_fderr, 0);
 	} else {
 		server_loop(pid, inout[1], inout[1], err[1]);
 		/* server_loop has closed inout[1] and err[1]. */
@@ -740,7 +744,7 @@ do_exec_pty(Session *s, const char *comm
 	s->ptymaster = ptymaster;
 	packet_set_interactive(1);
 	if (compat20) {
 -		session_set_fds(s, ptyfd, fdout, -1, 1);
 +		session_set_fds(s, ptyfd, fdout, -1, 1, 1);
 	} else {
 		server_loop(pid, ptyfd, fdout, -1);
 		/* server_loop _has_ closed ptyfd and fdout. */
@@ -2321,7 +2325,8 @@ session_input_channel_req(Channel *c, co
 }
 void
 -session_set_fds(Session *s, int fdin, int fdout, int fderr, int is_tty)
 +session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
 +    int is_tty)
 {
 	if (!compat20)
 		fatal("session_set_fds: called for proto != 2.0");
@@ -2333,7 +2338,7 @@ session_set_fds(Session *s, int fdin, in
 		fatal("no channel for session %d", s->self);
 	channel_set_fds(s->chanid,
 	    fdout, fdin, fderr,
 -	    fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 +	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
 }
--- a/openssh-5.6p1-authorized-keys-command.patch
+++ b/openssh-5.6p1-authorized-keys-command.patch
@ -1,6 +1,6 @@
-diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
+diff -up openssh-5.6p1/auth2-pubkey.c.akc openssh-5.6p1/auth2-pubkey.c
--- openssh-5.5p1.orig/auth2-pubkey.c	2010-03-21 14:51:21.000000000 -0400
+--- openssh-5.6p1/auth2-pubkey.c.akc	2010-08-23 12:15:42.000000000 +0200
-+++ openssh-5.5p1/auth2-pubkey.c	2010-07-03 20:23:43.000000000 -0400
+++ openssh-5.6p1/auth2-pubkey.c	2010-08-23 12:15:42.000000000 +0200
@@ -27,6 +27,7 @@
 #include <sys/types.h>
@ -9,7 +9,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
 #include <fcntl.h>
 #include <pwd.h>
-@@ -178,27 +178,15 @@
+@@ -264,27 +265,15 @@ match_principals_file(char *file, struct
 /* return 1 if user allows given key */
 static int
@ -38,7 +38,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -273,8 +261,6 @@
+@@ -377,8 +366,6 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
@ -47,7 +47,7 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
-@@ -321,13 +307,191 @@
+@@ -440,13 +427,191 @@ user_cert_trusted_ca(struct passwd *pw, 
 	return ret;
 }
@ -240,10 +240,10 @@ diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
 	if (auth_key_is_revoked(key))
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
+diff -up openssh-5.6p1/configure.ac.akc openssh-5.6p1/configure.ac
--- openssh-5.5p1.orig/configure.ac	2010-04-10 08:58:01.000000000 -0400
+--- openssh-5.6p1/configure.ac.akc	2010-08-23 12:15:42.000000000 +0200
-+++ openssh-5.5p1/configure.ac	2010-07-03 19:57:42.000000000 -0400
+++ openssh-5.6p1/configure.ac	2010-08-23 12:15:42.000000000 +0200
-@@ -1346,6 +1346,18 @@
+@@ -1346,6 +1346,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
@ -262,7 +262,7 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
-@@ -4181,6 +4193,7 @@
+@@ -4209,6 +4221,7 @@ echo "               Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
-diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
+diff -up openssh-5.6p1/servconf.c.akc openssh-5.6p1/servconf.c
--- openssh-5.5p1.orig/servconf.c	2010-03-25 19:40:04.000000000 -0400
+--- openssh-5.6p1/servconf.c.akc	2010-08-23 12:15:41.000000000 +0200
-+++ openssh-5.5p1/servconf.c	2010-07-03 19:59:07.000000000 -0400
+++ openssh-5.6p1/servconf.c	2010-08-23 12:22:22.000000000 +0200
-@@ -128,6 +128,8 @@
+@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions 
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
-@@ -311,6 +313,7 @@
+@@ -316,6 +318,7 @@ typedef enum {
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
- 	sRevokedKeys, sTrustedUserCAKeys,
+ 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 +	sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
-@@ -432,6 +435,13 @@
+@@ -439,6 +442,13 @@ static struct {
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
 +	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 +	{ "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -304,7 +304,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
 	{ NULL, sBadOption, 0 }
 };
-@@ -1345,6 +1355,20 @@
+@@ -1360,6 +1370,20 @@ process_server_config_line(ServerOptions
 		charptr = &options->revoked_keys_file;
 		goto parse_filename;
@ -325,7 +325,7 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
-@@ -1438,6 +1462,8 @@
+@@ -1453,6 +1477,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
@ -333,54 +333,42 @@ diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
 +	M_CP_STROPT(authorized_keys_command_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
- 	M_CP_INTOPT(kbd_interactive_authentication);
+ 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
-@@ -1682,6 +1708,8 @@
+@@ -1705,6 +1731,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 	dump_cfg_string(sAuthorizedPrincipalsFile,
 	    o->authorized_principals_file);
 +	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 +	dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -ruN openssh-5.5p1.orig/servconf.h openssh-5.5p1/servconf.h
+diff -up openssh-5.6p1/servconf.h.akc openssh-5.6p1/servconf.h
--- openssh-5.5p1.orig/servconf.h	2010-03-04 05:53:35.000000000 -0500
+--- openssh-5.6p1/servconf.h.akc	2010-08-23 12:15:41.000000000 +0200
-+++ openssh-5.5p1/servconf.h	2010-07-03 19:57:42.000000000 -0400
+++ openssh-5.6p1/servconf.h	2010-08-23 12:17:58.000000000 +0200
-@@ -156,6 +156,8 @@
+@@ -158,6 +158,8 @@ typedef struct {
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 	char   *authorized_principals_file;
 +	char   *authorized_keys_command;
 +	char   *authorized_keys_command_runas;
 }       ServerOptions;
 void	 initialize_server_options(ServerOptions *);
-diff -ruN openssh-5.5p1.orig/sshd_config openssh-5.5p1/sshd_config
+diff -up openssh-5.6p1/sshd_config.0.akc openssh-5.6p1/sshd_config.0
--- openssh-5.5p1.orig/sshd_config	2009-10-11 06:51:09.000000000 -0400
+--- openssh-5.6p1/sshd_config.0.akc	2010-08-23 12:15:41.000000000 +0200
-+++ openssh-5.5p1/sshd_config	2010-07-03 19:57:42.000000000 -0400
+++ openssh-5.6p1/sshd_config.0	2010-08-23 12:25:18.000000000 +0200
-@@ -44,6 +44,8 @@
+@@ -374,7 +374,8 @@ DESCRIPTION
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandRunAs nobody
- # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+              Only a subset of keywords may be used on the lines following a
- #RhostsRSAAuthentication no
+              Match keyword.  Available keywords are AllowAgentForwarding,
-diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0
+-             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
--- openssh-5.5p1.orig/sshd_config.0	2010-04-15 20:17:12.000000000 -0400
+             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
-+++ openssh-5.5p1/sshd_config.0	2010-07-03 19:57:42.000000000 -0400
+             AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
-@@ -352,7 +352,8 @@
+              Banner, ChrootDirectory, ForceCommand, GatewayPorts,
-              KbdInteractiveAuthentication, KerberosAuthentication,
+              GSSAPIAuthentication, HostbasedAuthentication,
-              MaxAuthTries, MaxSessions, PasswordAuthentication,
+              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
+@@ -496,6 +497,23 @@ DESCRIPTION
 -             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
 +             PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs,
 +             RhostsRSAAuthentication, RSAAuthentication,
              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
      MaxAuthTries
@@ -467,6 +468,23 @@
              this file is not readable, then public key authentication will be
              refused for all users.
@ -404,20 +392,27 @@ diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The
-diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5
+diff -up openssh-5.6p1/sshd_config.5.akc openssh-5.6p1/sshd_config.5
--- openssh-5.5p1.orig/sshd_config.5	2010-03-04 18:41:45.000000000 -0500
+--- openssh-5.6p1/sshd_config.5.akc	2010-08-23 12:15:41.000000000 +0200
-+++ openssh-5.5p1/sshd_config.5	2010-07-03 19:57:42.000000000 -0400
+++ openssh-5.6p1/sshd_config.5	2010-08-23 12:25:46.000000000 +0200
-@@ -618,6 +618,9 @@
+@@ -654,6 +654,8 @@ Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
 .Cm AuthorizedKeysFile ,
 +.Cm AuthorizedKeysCommand ,
 +.Cm AuthorizedKeysCommandRunAs ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
@@ -666,6 +668,7 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 +.Cm PubkeyAuthentication ,
 +.Cm AuthorizedKeysCommand ,
 +.Cm AuthorizedKeysCommandRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
-@@ -819,6 +822,20 @@
+@@ -868,6 +871,20 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
@ -438,3 +433,15 @@ diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 diff -up openssh-5.6p1/sshd_config.akc openssh-5.6p1/sshd_config
 --- openssh-5.6p1/sshd_config.akc	2010-08-23 12:15:41.000000000 +0200
 +++ openssh-5.6p1/sshd_config	2010-08-23 12:15:42.000000000 +0200
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandRunAs nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
--- a/openssh-5.6p1-exit-deadlock.patch
+++ b/openssh-5.6p1-exit-deadlock.patch
@ -0,0 +1,14 @@
 diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
 --- openssh-5.6p1/channels.c.exit-deadlock	2010-08-05 15:09:48.000000000 +0200
 +++ openssh-5.6p1/channels.c	2010-08-23 12:41:43.000000000 +0200
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
 	u_int dlen, olen = 0;
 	int len;
 +	if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
 +		debug("channel %d: forcing write", c->self);
 +		FD_SET(c->wfd, writeset);
 +	}
 	/* Send buffered output data to the socket. */
 	if (c->wfd != -1 &&
 	    FD_ISSET(c->wfd, writeset) &&
--- a/openssh-5.6p1-fips.patch
+++ b/openssh-5.6p1-fips.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
+diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
--- openssh-5.5p1/auth2-pubkey.c.fips	2010-04-16 08:46:47.000000000 +0200
+--- openssh-5.6p1/auth2-pubkey.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.5p1/auth2-pubkey.c	2010-04-16 08:46:48.000000000 +0200
+++ openssh-5.6p1/auth2-pubkey.c	2010-08-23 12:43:41.000000000 +0200
-@@ -35,6 +35,7 @@
+@@ -36,6 +36,7 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
@ -9,7 +9,7 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -274,7 +275,7 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -359,7 +360,7 @@ user_search_key_in_file(FILE *f, char *f
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
@ -18,9 +18,9 @@ diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
 			verbose("Found matching %s key: %s",
 			    key_type(found), fp);
 			xfree(fp);
-diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c
+diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
--- openssh-5.5p1/authfile.c.fips	2010-03-04 11:53:35.000000000 +0100
+--- openssh-5.6p1/authfile.c.fips	2010-08-05 05:05:16.000000000 +0200
-+++ openssh-5.5p1/authfile.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/authfile.c	2010-08-23 12:43:41.000000000 +0200
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
 	/* Allocate space for the private part of the key in the buffer. */
 	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -55,9 +55,9 @@ diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c
 	cipher_crypt(&ciphercontext, cp,
 	    buffer_ptr(&buffer), buffer_len(&buffer));
 	cipher_cleanup(&ciphercontext);
-diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c
+diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
--- openssh-5.5p1/cipher.c.fips	2010-04-16 08:34:06.000000000 +0200
+--- openssh-5.6p1/cipher.c.fips	2010-08-23 09:49:50.000000000 +0200
-+++ openssh-5.5p1/cipher.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/cipher.c	2010-08-23 12:43:41.000000000 +0200
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c
 }
 /*
-diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c
+diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
--- openssh-5.5p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
+--- openssh-5.6p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
-+++ openssh-5.5p1/cipher-ctr.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/cipher-ctr.c	2010-08-23 12:43:41.000000000 +0200
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h
+diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
--- openssh-5.5p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
+--- openssh-5.6p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.5p1/cipher.h	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/cipher.h	2010-08-23 12:43:41.000000000 +0200
@@ -78,7 +78,7 @@ void	 cipher_init(CipherContext *, Ciphe
     const u_char *, u_int, int);
 void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h
 u_int	 cipher_blocksize(const Cipher *);
 u_int	 cipher_keylen(const Cipher *);
 u_int	 cipher_is_cbc(const Cipher *);
-diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c
+diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
--- openssh-5.5p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
+--- openssh-5.6p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.5p1/mac.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/mac.c	2010-08-23 12:43:41.000000000 +0200
@@ -28,6 +28,7 @@
 #include <sys/types.h>
@ -219,10 +219,10 @@ diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c
 	for (i = 0; macs[i].name; i++) {
 		if (strcmp(name, macs[i].name) == 0) {
-diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
+diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.fips	2010-03-13 22:41:34.000000000 +0100
+--- openssh-5.6p1/Makefile.in.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.5p1/Makefile.in	2010-04-16 09:48:16.000000000 +0200
+++ openssh-5.6p1/Makefile.in	2010-08-23 12:46:24.000000000 +0200
-@@ -141,25 +141,25 @@
+@@ -141,25 +141,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -253,8 +253,8 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
 +	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -168,7 +168,7 @@
+@@ -168,7 +168,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -263,10 +263,10 @@ diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h
+diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
--- openssh-5.5p1/myproposal.h.fips	2010-02-26 21:55:05.000000000 +0100
+--- openssh-5.6p1/myproposal.h.fips	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.5p1/myproposal.h	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/myproposal.h	2010-08-23 12:43:41.000000000 +0200
-@@ -55,7 +55,12 @@
+@@ -58,7 +58,12 @@
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
 #define	KEX_DEFAULT_LANG	""
@ -280,9 +280,9 @@ diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h
 static char *myproposal[PROPOSAL_MAX] = {
 	KEX_DEFAULT_KEX,
-diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbsd-compat/bsd-arc4random.c
+diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
+--- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.5p1/openbsd-compat/bsd-arc4random.c	2010-04-16 09:17:30.000000000 +0200
+++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c	2010-08-23 12:43:41.000000000 +0200
@@ -39,6 +39,7 @@
 static int rc4_ready = 0;
 static RC4_KEY rc4;
@ -324,9 +324,9 @@ diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbs
 #endif /* !HAVE_ARC4RANDOM */
 #ifndef HAVE_ARC4RANDOM_BUF
-diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
+diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
--- openssh-5.5p1/ssh-add.c.fips	2010-03-03 00:25:42.000000000 +0100
+--- openssh-5.6p1/ssh-add.c.fips	2010-05-21 06:56:47.000000000 +0200
-+++ openssh-5.5p1/ssh-add.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/ssh-add.c	2010-08-23 12:43:41.000000000 +0200
@@ -42,6 +42,7 @@
 #include <sys/param.h>
@ -335,7 +335,7 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
 #include "openbsd-compat/openssl-compat.h"
 #include <fcntl.h>
-@@ -269,7 +270,7 @@ list_identities(AuthenticationConnection
+@@ -277,7 +278,7 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
 			if (do_fp) {
@ -344,9 +344,9 @@ diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
 				    SSH_FP_HEX);
 				printf("%d %s %s (%s)\n",
 				    key_size(key), fp, comment, key_type(key));
-diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c
+diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
--- openssh-5.5p1/ssh-agent.c.fips	2010-02-26 21:55:06.000000000 +0100
+--- openssh-5.6p1/ssh-agent.c.fips	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.5p1/ssh-agent.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/ssh-agent.c	2010-08-23 12:43:41.000000000 +0200
@@ -51,6 +51,7 @@
 #include <openssl/evp.h>
@ -368,9 +368,9 @@ diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c
 		ret = 0;
 	xfree(p);
-diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
+diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
--- openssh-5.5p1/ssh.c.fips	2010-02-26 21:55:06.000000000 +0100
+--- openssh-5.6p1/ssh.c.fips	2010-08-16 17:59:31.000000000 +0200
-+++ openssh-5.5p1/ssh.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/ssh.c	2010-08-23 12:43:41.000000000 +0200
@@ -72,6 +72,8 @@
 #include <openssl/evp.h>
@ -380,7 +380,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -225,6 +227,10 @@ main(int ac, char **av)
+@@ -235,6 +237,10 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
@ -391,7 +391,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 	init_rng();
 	/*
-@@ -285,6 +291,9 @@ main(int ac, char **av)
+@@ -301,6 +307,9 @@ main(int ac, char **av)
 	    "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
@ -401,7 +401,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -581,7 +590,6 @@ main(int ac, char **av)
+@@ -599,7 +608,6 @@ main(int ac, char **av)
 	if (!host)
 		usage();
@ -409,7 +409,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 	ERR_load_crypto_strings();
 	/* Initialize the command to execute on remote host. */
-@@ -667,6 +675,10 @@ main(int ac, char **av)
+@@ -685,6 +693,10 @@ main(int ac, char **av)
 	seed_rng();
@ -420,7 +420,7 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -733,6 +745,12 @@ main(int ac, char **av)
+@@ -752,6 +764,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -433,9 +433,9 @@ diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts, &timeout_ms,
-diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c
+diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.fips	2010-04-16 08:46:48.000000000 +0200
+--- openssh-5.6p1/sshconnect2.c.fips	2010-08-23 12:43:41.000000000 +0200
-+++ openssh-5.5p1/sshconnect2.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/sshconnect2.c	2010-08-23 12:43:41.000000000 +0200
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -479,9 +479,9 @@ diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c
 	xfree(fp);
 	/*
-diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c
+diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
--- openssh-5.5p1/sshconnect.c.fips	2010-03-04 11:53:36.000000000 +0100
+--- openssh-5.6p1/sshconnect.c.fips	2010-04-18 00:08:21.000000000 +0200
-+++ openssh-5.5p1/sshconnect.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/sshconnect.c	2010-08-23 12:43:41.000000000 +0200
@@ -40,6 +40,8 @@
 #include <string.h>
 #include <unistd.h>
@ -568,9 +568,9 @@ diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c
 	error("Please contact your system administrator.");
 	xfree(fp);
-diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
+diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
--- openssh-5.5p1/sshd.c.fips	2010-04-16 08:46:48.000000000 +0200
+--- openssh-5.6p1/sshd.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.5p1/sshd.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/sshd.c	2010-08-23 12:43:41.000000000 +0200
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@ -580,7 +580,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #ifdef HAVE_SECUREWARE
-@@ -1298,6 +1300,12 @@ main(int ac, char **av)
+@@ -1307,6 +1309,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -593,7 +593,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	init_rng();
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1459,8 +1467,6 @@ main(int ac, char **av)
+@@ -1468,8 +1476,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -602,7 +602,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
-@@ -1578,6 +1584,10 @@ main(int ac, char **av)
+@@ -1587,6 +1593,10 @@ main(int ac, char **av)
 		debug("private host key: #%d type %d %s", i, key->type,
 		    key_type(key));
 	}
@ -613,7 +613,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1742,6 +1752,10 @@ main(int ac, char **av)
+@@ -1751,6 +1761,10 @@ main(int ac, char **av)
 	/* Initialize the random number generator. */
 	arc4random_stir();
@ -624,7 +624,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	chdir("/");
-@@ -2275,6 +2289,9 @@ do_ssh2_kex(void)
+@@ -2284,6 +2298,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -634,7 +634,7 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2284,6 +2301,9 @@ do_ssh2_kex(void)
+@@ -2293,6 +2310,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -644,9 +644,9 @@ diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
+diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.fips	2010-03-21 19:58:24.000000000 +0100
+--- openssh-5.6p1/ssh-keygen.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.5p1/ssh-keygen.c	2010-04-16 08:46:49.000000000 +0200
+++ openssh-5.6p1/ssh-keygen.c	2010-08-23 12:43:41.000000000 +0200
@@ -21,6 +21,7 @@
 #include <openssl/evp.h>
@ -655,7 +655,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
 #include "openbsd-compat/openssl-compat.h"
 #include <errno.h>
-@@ -527,7 +528,7 @@ do_fingerprint(struct passwd *pw)
+@@ -692,7 +693,7 @@ do_fingerprint(struct passwd *pw)
 	enum fp_type fptype;
 	struct stat st;
@ -664,7 +664,7 @@ diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
 	if (!have_identity)
-@@ -1916,14 +1917,15 @@ passphrase_again:
+@@ -2209,14 +2210,15 @@ passphrase_again:
 	fclose(f);
 	if (!quiet) {
--- a/openssh-5.6p1-gsskex.patch
+++ b/openssh-5.6p1-gsskex.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c
+diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
--- openssh-5.5p1/auth2.c.gsskex	2010-05-13 15:59:50.000000000 +0200
+--- openssh-5.6p1/auth2.c.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/auth2.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/auth2.c	2010-08-23 12:51:58.000000000 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.5p1/auth2.c.gsskex openssh-5.5p1/auth2.c
 			authctxt->failures++;
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
-diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c
+diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
--- openssh-5.5p1/auth2-gss.c.gsskex	2010-05-13 15:59:50.000000000 +0200
+--- openssh-5.6p1/auth2-gss.c.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/auth2-gss.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/auth2-gss.c	2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.5p1/auth2-gss.c.gsskex openssh-5.5p1/auth2-gss.c
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,
-diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h
+diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
--- openssh-5.5p1/auth.h.gsskex	2010-05-13 15:59:50.000000000 +0200
+--- openssh-5.6p1/auth.h.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/auth.h	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/auth.h	2010-08-23 12:51:58.000000000 +0200
@@ -53,6 +53,7 @@ struct Authctxt {
 	int		 valid;		/* user exists and is allowed to login */
 	int		 attempt;
@ -148,9 +148,9 @@ diff -up openssh-5.5p1/auth.h.gsskex openssh-5.5p1/auth.h
 	int		 force_pwchange;
 	char		*user;		/* username sent by the client */
 	char		*service;
-diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c
+diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
--- openssh-5.5p1/auth-krb5.c.gsskex	2009-12-21 00:49:22.000000000 +0100
+--- openssh-5.6p1/auth-krb5.c.gsskex	2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.5p1/auth-krb5.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/auth-krb5.c	2010-08-23 12:51:58.000000000 +0200
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
 	len = strlen(authctxt->krb5_ticket_file) + 6;
@ -198,9 +198,9 @@ diff -up openssh-5.5p1/auth-krb5.c.gsskex openssh-5.5p1/auth-krb5.c
 	return (krb5_cc_resolve(ctx, ccname, ccache));
 }
-diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi
+diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
--- openssh-5.5p1/ChangeLog.gssapi.gsskex	2010-05-13 15:59:58.000000000 +0200
+--- openssh-5.6p1/ChangeLog.gssapi.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/ChangeLog.gssapi	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/ChangeLog.gssapi	2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,95 @@
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -297,9 +297,9 @@ diff -up openssh-5.5p1/ChangeLog.gssapi.gsskex openssh-5.5p1/ChangeLog.gssapi
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
-diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
+diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
--- openssh-5.5p1/clientloop.c.gsskex	2010-03-21 19:54:02.000000000 +0100
+--- openssh-5.6p1/clientloop.c.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.5p1/clientloop.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/clientloop.c	2010-08-23 12:51:58.000000000 +0200
@@ -111,6 +111,10 @@
 #include "msg.h"
 #include "roaming.h"
@ -311,7 +311,7 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
 /* import options */
 extern Options options;
-@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha
+@@ -1483,6 +1487,13 @@ client_loop(int have_pty, int escape_cha
 		/* Do channel operations unless rekeying in progress. */
 		if (!rekeying) {
 			channel_after_select(readset, writeset);
@ -325,9 +325,9 @@ diff -up openssh-5.5p1/clientloop.c.gsskex openssh-5.5p1/clientloop.c
 			if (need_rekeying || packet_need_rekeying()) {
 				debug("need rekeying");
 				xxx_kex->done = 0;
-diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac
+diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
--- openssh-5.5p1/configure.ac.gsskex	2010-05-13 15:59:52.000000000 +0200
+--- openssh-5.6p1/configure.ac.gsskex	2010-08-23 12:51:57.000000000 +0200
-+++ openssh-5.5p1/configure.ac	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/configure.ac	2010-08-23 12:51:58.000000000 +0200
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
 	    [Use tunnel device compatibility to OpenBSD])
 	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -359,9 +359,9 @@ diff -up openssh-5.5p1/configure.ac.gsskex openssh-5.5p1/configure.ac
 	m4_pattern_allow(AU_IPv)
 	AC_CHECK_DECL(AU_IPv4, [], 
 	    AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
-diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c
+diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
--- openssh-5.5p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
+--- openssh-5.6p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.5p1/gss-genr.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/gss-genr.c	2010-08-23 12:51:58.000000000 +0200
@@ -39,12 +39,167 @@
 #include "buffer.h"
 #include "log.h"
@ -700,9 +700,9 @@ diff -up openssh-5.5p1/gss-genr.c.gsskex openssh-5.5p1/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c
+diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
--- openssh-5.5p1/gss-serv.c.gsskex	2008-05-19 07:05:07.000000000 +0200
+--- openssh-5.6p1/gss-serv.c.gsskex	2008-05-19 07:05:07.000000000 +0200
-+++ openssh-5.5p1/gss-serv.c	2010-05-13 15:59:58.000000000 +0200
+++ openssh-5.6p1/gss-serv.c	2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1016,9 @@ diff -up openssh-5.5p1/gss-serv.c.gsskex openssh-5.5p1/gss-serv.c
 }
 #endif
-diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c
+diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
--- openssh-5.5p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
+--- openssh-5.6p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.5p1/gss-serv-krb5.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/gss-serv-krb5.c	2010-08-23 12:51:58.000000000 +0200
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1139,9 +1139,9 @@ diff -up openssh-5.5p1/gss-serv-krb5.c.gsskex openssh-5.5p1/gss-serv-krb5.c
 };
 #endif /* KRB5 */
-diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c
+diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
--- openssh-5.5p1/kex.c.gsskex	2010-01-08 06:50:41.000000000 +0100
+--- openssh-5.6p1/kex.c.gsskex	2010-01-08 06:50:41.000000000 +0100
-+++ openssh-5.5p1/kex.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/kex.c	2010-08-23 12:51:58.000000000 +0200
@@ -50,6 +50,10 @@
 #include "monitor.h"
 #include "roaming.h"
@ -1174,9 +1174,9 @@ diff -up openssh-5.5p1/kex.c.gsskex openssh-5.5p1/kex.c
 	} else
 		fatal("bad kex alg %s", k->name);
 }
-diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c
+diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
--- openssh-5.5p1/kexgssc.c.gsskex	2010-05-13 15:59:59.000000000 +0200
+--- openssh-5.6p1/kexgssc.c.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/kexgssc.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/kexgssc.c	2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,334 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1512,9 @@ diff -up openssh-5.5p1/kexgssc.c.gsskex openssh-5.5p1/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c
+diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
--- openssh-5.5p1/kexgsss.c.gsskex	2010-05-13 15:59:59.000000000 +0200
+--- openssh-5.6p1/kexgsss.c.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/kexgsss.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/kexgsss.c	2010-08-23 12:51:58.000000000 +0200
@@ -0,0 +1,288 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,9 +1804,9 @@ diff -up openssh-5.5p1/kexgsss.c.gsskex openssh-5.5p1/kexgsss.c
 +		ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h
+diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
--- openssh-5.5p1/kex.h.gsskex	2010-02-26 21:55:05.000000000 +0100
+--- openssh-5.6p1/kex.h.gsskex	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.5p1/kex.h	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/kex.h	2010-08-23 12:51:58.000000000 +0200
@@ -67,6 +67,9 @@ enum kex_exchange {
 	KEX_DH_GRP14_SHA1,
 	KEX_DH_GEX_SHA1,
@ -1842,32 +1842,32 @@ diff -up openssh-5.5p1/kex.h.gsskex openssh-5.5p1/kex.h
 void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff -up openssh-5.5p1/key.c.gsskex openssh-5.5p1/key.c
+diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c
--- openssh-5.5p1/key.c.gsskex	2010-03-21 19:58:24.000000000 +0100
+--- openssh-5.6p1/key.c.gsskex	2010-07-16 05:58:37.000000000 +0200
-+++ openssh-5.5p1/key.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/key.c	2010-08-23 12:56:03.000000000 +0200
-@@ -982,6 +982,8 @@ key_type_from_name(char *name)
+@@ -1020,6 +1020,8 @@ key_type_from_name(char *name)
 		return KEY_RSA_CERT;
- 	} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
+ 	} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
 		return KEY_DSA_CERT;
 +	} else if (strcmp(name, "null") == 0) {
 +		return KEY_NULL;
 	}
 	debug2("key_type_from_name: unknown key type '%s'", name);
 	return KEY_UNSPEC;
-diff -up openssh-5.5p1/key.h.gsskex openssh-5.5p1/key.h
+diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h
--- openssh-5.5p1/key.h.gsskex	2010-03-21 19:58:24.000000000 +0100
+--- openssh-5.6p1/key.h.gsskex	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.5p1/key.h	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/key.h	2010-08-23 12:56:32.000000000 +0200
-@@ -37,6 +37,7 @@ enum types {
+@@ -39,6 +39,7 @@ enum types {
 	KEY_DSA,
 	KEY_RSA_CERT,
 	KEY_DSA_CERT,
 	KEY_RSA_CERT_V00,
 	KEY_DSA_CERT_V00,
 +	KEY_NULL,
 	KEY_UNSPEC
 };
 enum fp_type {
-diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in
+diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.gsskex	2010-05-13 15:59:57.000000000 +0200
+--- openssh-5.6p1/Makefile.in.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/Makefile.in	2010-05-13 16:01:34.000000000 +0200
+++ openssh-5.6p1/Makefile.in	2010-08-23 12:51:58.000000000 +0200
@@ -76,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
 	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
@ -1891,9 +1891,9 @@ diff -up openssh-5.5p1/Makefile.in.gsskex openssh-5.5p1/Makefile.in
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
-diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c
+diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
--- openssh-5.5p1/monitor.c.gsskex	2010-05-13 15:59:50.000000000 +0200
+--- openssh-5.6p1/monitor.c.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/monitor.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/monitor.c	2010-08-23 12:51:58.000000000 +0200
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer 
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@ -2086,9 +2086,9 @@ diff -up openssh-5.5p1/monitor.c.gsskex openssh-5.5p1/monitor.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h
+diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
--- openssh-5.5p1/monitor.h.gsskex	2010-05-13 15:59:50.000000000 +0200
+--- openssh-5.6p1/monitor.h.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/monitor.h	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/monitor.h	2010-08-23 12:51:58.000000000 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2098,9 +2098,9 @@ diff -up openssh-5.5p1/monitor.h.gsskex openssh-5.5p1/monitor.h
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
 	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c
+diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
--- openssh-5.5p1/monitor_wrap.c.gsskex	2010-05-13 15:59:51.000000000 +0200
+--- openssh-5.6p1/monitor_wrap.c.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/monitor_wrap.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/monitor_wrap.c	2010-08-23 12:51:58.000000000 +0200
@@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 }
@ -2162,9 +2162,9 @@ diff -up openssh-5.5p1/monitor_wrap.c.gsskex openssh-5.5p1/monitor_wrap.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h
+diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
--- openssh-5.5p1/monitor_wrap.h.gsskex	2010-05-13 15:59:51.000000000 +0200
+--- openssh-5.6p1/monitor_wrap.h.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/monitor_wrap.h	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/monitor_wrap.h	2010-08-23 12:51:58.000000000 +0200
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2177,18 +2177,18 @@ diff -up openssh-5.5p1/monitor_wrap.h.gsskex openssh-5.5p1/monitor_wrap.h
 #endif
 #ifdef USE_PAM
-diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
+diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
--- openssh-5.5p1/readconf.c.gsskex	2010-02-11 23:21:03.000000000 +0100
+--- openssh-5.6p1/readconf.c.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.5p1/readconf.c	2010-05-13 15:59:59.000000000 +0200
+++ openssh-5.6p1/readconf.c	2010-08-23 12:57:26.000000000 +0200
@@ -127,6 +127,7 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ 	oHashKnownHosts,
-@@ -164,10 +165,18 @@ static struct {
+@@ -166,10 +167,18 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
@ -2207,7 +2207,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -456,10 +465,26 @@ parse_flag:
+@@ -474,10 +483,26 @@ parse_flag:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2234,7 +2234,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
-@@ -1015,7 +1040,11 @@ initialize_options(Options * options)
+@@ -1058,7 +1083,11 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
@ -2246,7 +2246,7 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1107,8 +1136,14 @@ fill_default_options(Options * options)
+@@ -1156,8 +1185,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2261,10 +2261,10 @@ diff -up openssh-5.5p1/readconf.c.gsskex openssh-5.5p1/readconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h
+diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
--- openssh-5.5p1/readconf.h.gsskex	2010-02-11 23:21:03.000000000 +0100
+--- openssh-5.6p1/readconf.h.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.5p1/readconf.h	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/readconf.h	2010-08-23 12:51:59.000000000 +0200
-@@ -44,7 +44,11 @@ typedef struct {
+@@ -46,7 +46,11 @@ typedef struct {
 	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
@ -2276,9 +2276,9 @@ diff -up openssh-5.5p1/readconf.h.gsskex openssh-5.5p1/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
+diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
--- openssh-5.5p1/servconf.c.gsskex	2010-05-13 15:59:54.000000000 +0200
+--- openssh-5.6p1/servconf.c.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/servconf.c	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/servconf.c	2010-08-23 12:51:59.000000000 +0200
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions 
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
@ -2290,7 +2290,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -217,8 +220,14 @@ fill_default_server_options(ServerOption
+@@ -218,8 +221,14 @@ fill_default_server_options(ServerOption
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2305,7 +2305,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -312,7 +321,9 @@ typedef enum {
+@@ -313,7 +322,9 @@ typedef enum {
 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2316,7 +2316,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -376,9 +387,15 @@ static struct {
+@@ -377,9 +388,15 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2332,7 +2332,7 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -939,10 +956,22 @@ process_server_config_line(ServerOptions
+@@ -941,10 +958,22 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2355,9 +2355,9 @@ diff -up openssh-5.5p1/servconf.c.gsskex openssh-5.5p1/servconf.c
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
-diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h
+diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
--- openssh-5.5p1/servconf.h.gsskex	2010-05-13 15:59:54.000000000 +0200
+--- openssh-5.6p1/servconf.h.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/servconf.h	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/servconf.h	2010-08-23 12:51:59.000000000 +0200
@@ -94,7 +94,10 @@ typedef struct {
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
@ -2369,10 +2369,10 @@ diff -up openssh-5.5p1/servconf.h.gsskex openssh-5.5p1/servconf.h
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5
+diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
--- openssh-5.5p1/ssh_config.5.gsskex	2010-03-26 02:09:13.000000000 +0100
+--- openssh-5.6p1/ssh_config.5.gsskex	2010-08-05 05:03:13.000000000 +0200
-+++ openssh-5.5p1/ssh_config.5	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/ssh_config.5	2010-08-23 12:51:59.000000000 +0200
-@@ -478,11 +478,38 @@ Specifies whether user authentication ba
+@@ -509,11 +509,38 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@ -2412,9 +2412,9 @@ diff -up openssh-5.5p1/ssh_config.5.gsskex openssh-5.5p1/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config
+diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
--- openssh-5.5p1/ssh_config.gsskex	2010-05-13 15:59:48.000000000 +0200
+--- openssh-5.6p1/ssh_config.gsskex	2010-08-23 12:51:55.000000000 +0200
-+++ openssh-5.5p1/ssh_config	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/ssh_config	2010-08-23 12:51:59.000000000 +0200
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@ -2424,9 +2424,9 @@ diff -up openssh-5.5p1/ssh_config.gsskex openssh-5.5p1/ssh_config
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
-diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
+diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.gsskex	2010-05-13 15:59:57.000000000 +0200
+--- openssh-5.6p1/sshconnect2.c.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/sshconnect2.c	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/sshconnect2.c	2010-08-23 12:51:59.000000000 +0200
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
 {
 	Kex *kex;
@ -2624,9 +2624,9 @@ diff -up openssh-5.5p1/sshconnect2.c.gsskex openssh-5.5p1/sshconnect2.c
 #endif /* GSSAPI */
 int
-diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
+diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
--- openssh-5.5p1/sshd.c.gsskex	2010-05-13 15:59:57.000000000 +0200
+--- openssh-5.6p1/sshd.c.gsskex	2010-08-23 12:51:58.000000000 +0200
-+++ openssh-5.5p1/sshd.c	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/sshd.c	2010-08-23 12:51:59.000000000 +0200
@@ -129,6 +129,10 @@ int allow_severity;
 int deny_severity;
 #endif /* LIBWRAP */
@ -2638,7 +2638,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
-@@ -1592,10 +1596,13 @@ main(int ac, char **av)
+@@ -1601,10 +1605,13 @@ main(int ac, char **av)
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
 	}
@ -2652,7 +2652,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 		logit("sshd: no hostkeys available -- exiting.");
 		exit(1);
-@@ -1928,6 +1935,60 @@ main(int ac, char **av)
+@@ -1937,6 +1944,60 @@ main(int ac, char **av)
 	/* Log the connection. */
 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2713,7 +2713,7 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2315,12 +2376,61 @@ do_ssh2_kex(void)
+@@ -2324,12 +2385,61 @@ do_ssh2_kex(void)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2775,10 +2775,10 @@ diff -up openssh-5.5p1/sshd.c.gsskex openssh-5.5p1/sshd.c
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5
+diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.gsskex	2010-05-13 15:59:54.000000000 +0200
+--- openssh-5.6p1/sshd_config.5.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/sshd_config.5	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/sshd_config.5	2010-08-23 12:51:59.000000000 +0200
-@@ -379,12 +379,40 @@ Specifies whether user authentication ba
+@@ -424,12 +424,40 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@ -2819,9 +2819,9 @@ diff -up openssh-5.5p1/sshd_config.5.gsskex openssh-5.5p1/sshd_config.5
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
-diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config
+diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
--- openssh-5.5p1/sshd_config.gsskex	2010-05-13 15:59:54.000000000 +0200
+--- openssh-5.6p1/sshd_config.gsskex	2010-08-23 12:51:56.000000000 +0200
-+++ openssh-5.5p1/sshd_config	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/sshd_config	2010-08-23 12:51:59.000000000 +0200
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
 GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
@ -2831,9 +2831,9 @@ diff -up openssh-5.5p1/sshd_config.gsskex openssh-5.5p1/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-diff -up openssh-5.5p1/ssh-gss.h.gsskex openssh-5.5p1/ssh-gss.h
+diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h
--- openssh-5.5p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
+--- openssh-5.6p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.5p1/ssh-gss.h	2010-05-13 16:00:00.000000000 +0200
+++ openssh-5.6p1/ssh-gss.h	2010-08-23 12:51:59.000000000 +0200
@@ -1,6 +1,6 @@
 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
 /*
--- a/openssh-5.6p1-keygen.patch
+++ b/openssh-5.6p1-keygen.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0
+diff -up openssh-5.6p1/ssh-keygen.0.keygen openssh-5.6p1/ssh-keygen.0
--- openssh-5.5p1/ssh-keygen.0.keygen	2010-04-16 02:17:11.000000000 +0200
+--- openssh-5.6p1/ssh-keygen.0.keygen	2010-08-22 16:30:03.000000000 +0200
-+++ openssh-5.5p1/ssh-keygen.0	2010-05-04 08:19:22.000000000 +0200
+++ openssh-5.6p1/ssh-keygen.0	2010-08-23 12:37:19.000000000 +0200
@@ -4,7 +4,7 @@ NAME
      ssh-keygen - authentication key generation, management and conversion
@ -9,8 +9,8 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0
 +     ssh-keygen [-q] [-o] [-b bits] -t type [-N new_passphrase] [-C comment]
                 [-f output_keyfile]
      ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
-      ssh-keygen -i [-f input_keyfile]
+      ssh-keygen -i [-m key_format] [-f input_keyfile]
-@@ -222,6 +222,8 @@ DESCRIPTION
+@@ -232,6 +232,8 @@ DESCRIPTION
      -q      Silence ssh-keygen.  Used by /etc/rc when creating a new key.
@ -19,18 +19,18 @@ diff -up openssh-5.5p1/ssh-keygen.0.keygen openssh-5.5p1/ssh-keygen.0
      -R hostname
              Removes all keys belonging to hostname from a known_hosts file.
              This option is useful to delete hashed hosts (see the -H option
-diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1
+diff -up openssh-5.6p1/ssh-keygen.1.keygen openssh-5.6p1/ssh-keygen.1
--- openssh-5.5p1/ssh-keygen.1.keygen	2010-03-21 19:57:49.000000000 +0100
+--- openssh-5.6p1/ssh-keygen.1.keygen	2010-08-05 05:05:32.000000000 +0200
-+++ openssh-5.5p1/ssh-keygen.1	2010-05-04 08:19:22.000000000 +0200
+++ openssh-5.6p1/ssh-keygen.1	2010-08-23 12:36:25.000000000 +0200
@@ -47,6 +47,7 @@
 .Nm ssh-keygen
 .Bk -words
 .Nm ssh-keygen
 .Op Fl q
 +.Op Fl o
 .Op Fl b Ar bits
 .Fl t Ar type
 .Op Fl N Ar new_passphrase
-@@ -370,6 +371,8 @@ Silence
+@@ -397,6 +398,8 @@ Silence
 Used by
 .Pa /etc/rc
 when creating a new key.
@ -39,9 +39,9 @@ diff -up openssh-5.5p1/ssh-keygen.1.keygen openssh-5.5p1/ssh-keygen.1
 .It Fl R Ar hostname
 Removes all keys belonging to
 .Ar hostname
-diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c
+diff -up openssh-5.6p1/ssh-keygen.c.keygen openssh-5.6p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.keygen	2010-03-21 19:58:24.000000000 +0100
+--- openssh-5.6p1/ssh-keygen.c.keygen	2010-08-05 05:05:32.000000000 +0200
-+++ openssh-5.5p1/ssh-keygen.c	2010-05-04 08:22:22.000000000 +0200
+++ openssh-5.6p1/ssh-keygen.c	2010-08-23 12:34:40.000000000 +0200
@@ -72,6 +72,7 @@ int change_passphrase = 0;
 int change_comment = 0;
@ -50,16 +50,16 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c
 int log_level = SYSLOG_LEVEL_INFO;
-@@ -1540,7 +1541,7 @@ main(int argc, char **argv)
+@@ -1798,7 +1799,7 @@ main(int argc, char **argv)
 		exit(1);
 	}
-	while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:"
+-	while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
-+	while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:N:n:"
+	while ((opt = getopt(argc, argv, "degiqopclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
- 	    "O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) {
+ 	    "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
 		switch (opt) {
 		case 'b':
-@@ -1605,6 +1606,9 @@ main(int argc, char **argv)
+@@ -1878,6 +1879,9 @@ main(int argc, char **argv)
 		case 'q':
 			quiet = 1;
 			break;
@ -69,8 +69,8 @@ diff -up openssh-5.5p1/ssh-keygen.c.keygen openssh-5.5p1/ssh-keygen.c
 		case 'e':
 		case 'x':
 			/* export key */
-@@ -1835,7 +1839,7 @@ main(int argc, char **argv)
+@@ -2124,7 +2128,7 @@ main(int argc, char **argv)
- 			printf("Created directory '%s'.\n", dotsshdir);
+ 		}
 	}
 	/* If the file already exists, ask the user to confirm. */
 -	if (stat(identity_file, &st) >= 0) {
--- a/openssh-5.6p1-kuserok.patch
+++ b/openssh-5.6p1-kuserok.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c
+diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
--- openssh-5.5p1/auth-krb5.c.kuserok	2010-07-07 13:12:01.000000000 +0200
+--- openssh-5.6p1/auth-krb5.c.kuserok	2010-08-23 13:01:19.000000000 +0200
-+++ openssh-5.5p1/auth-krb5.c	2010-07-07 13:12:03.000000000 +0200
+++ openssh-5.6p1/auth-krb5.c	2010-08-23 13:01:21.000000000 +0200
@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -16,18 +16,18 @@ diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c
 	}
 	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
-diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
+diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
--- openssh-5.5p1/servconf.c.kuserok	2010-07-07 13:12:02.000000000 +0200
+--- openssh-5.6p1/servconf.c.kuserok	2010-08-23 13:01:20.000000000 +0200
-+++ openssh-5.5p1/servconf.c	2010-07-07 13:12:04.000000000 +0200
+++ openssh-5.6p1/servconf.c	2010-08-23 13:02:14.000000000 +0200
-@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions 
+@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions 
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
 	options->authorized_principals_file = NULL;
 +	options->use_kuserok = -1;
 }
 void
-@@ -285,6 +286,8 @@ fill_default_server_options(ServerOption
+@@ -286,6 +287,8 @@ fill_default_server_options(ServerOption
 	if (use_privsep == -1)
 		use_privsep = 1;
@ -36,7 +36,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 #ifndef HAVE_MMAP
 	if (use_privsep && options->compression == 1) {
 		error("This platform does not support both privilege "
-@@ -306,7 +309,7 @@ typedef enum {
+@@ -307,7 +310,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -45,7 +45,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -376,11 +379,13 @@ static struct {
+@@ -377,11 +380,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -59,7 +59,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions
+@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -70,7 +70,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1517,6 +1526,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1525,6 +1534,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
@ -78,7 +78,7 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 	M_CP_STROPT(banner);
 	if (preauth)
-@@ -1734,6 +1744,7 @@ dump_config(ServerOptions *o)
+@@ -1745,6 +1755,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -86,9 +86,9 @@ diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h
+diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
--- openssh-5.5p1/servconf.h.kuserok	2010-07-07 13:12:02.000000000 +0200
+--- openssh-5.6p1/servconf.h.kuserok	2010-08-23 13:01:20.000000000 +0200
-+++ openssh-5.5p1/servconf.h	2010-07-07 13:12:04.000000000 +0200
+++ openssh-5.6p1/servconf.h	2010-08-23 13:01:21.000000000 +0200
@@ -157,6 +157,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -97,10 +97,10 @@ diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5
+diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
--- openssh-5.5p1/sshd_config.5.kuserok	2010-07-07 13:12:03.000000000 +0200
+--- openssh-5.6p1/sshd_config.5.kuserok	2010-08-23 13:01:21.000000000 +0200
-+++ openssh-5.5p1/sshd_config.5	2010-07-07 13:21:02.000000000 +0200
+++ openssh-5.6p1/sshd_config.5	2010-08-23 13:03:15.000000000 +0200
-@@ -519,6 +519,10 @@ Specifies whether to automatically destr
+@@ -564,6 +564,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
@ -111,17 +111,17 @@ diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
 after this many seconds (if it has been used).
-@@ -644,6 +648,7 @@ Available keywords are
+@@ -694,6 +698,7 @@ Available keywords are
- .Cm HostbasedAuthentication ,
+ .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 +.Cm KerberosUseKuserok ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PubkeyAuthentication ,
-diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config
+diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
--- openssh-5.5p1/sshd_config.kuserok	2010-07-07 13:12:03.000000000 +0200
+--- openssh-5.6p1/sshd_config.kuserok	2010-08-23 13:01:21.000000000 +0200
-+++ openssh-5.5p1/sshd_config	2010-07-07 13:12:04.000000000 +0200
+++ openssh-5.6p1/sshd_config	2010-08-23 13:01:21.000000000 +0200
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
--- a/openssh-5.6p1-ldap.patch
+++ b/openssh-5.6p1-ldap.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
+diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac
--- openssh-5.5p1/configure.ac.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/configure.ac.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/configure.ac	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/configure.ac	2010-08-23 12:28:11.000000000 +0200
@@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command,
 	]
 )
@ -108,9 +108,9 @@ diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
-diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
+diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c
--- openssh-5.5p1/ldapbody.c.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapbody.c.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapbody.c	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapbody.c	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -606,9 +606,9 @@ diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
 +	return;
 +}
 +
-diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h
+diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h
--- openssh-5.5p1/ldapbody.h.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapbody.h.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapbody.h	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapbody.h	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -647,9 +647,9 @@ diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c
+diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c
--- openssh-5.5p1/ldapconf.c.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapconf.c.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapconf.c	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapconf.c	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1333,9 +1333,9 @@ diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h
+diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h
--- openssh-5.5p1/ldapconf.h.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapconf.h.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapconf.h	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapconf.h	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1408,9 +1408,9 @@ diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf
+diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf
--- openssh-5.5p1/ldap.conf.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldap.conf.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldap.conf	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldap.conf	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -1500,9 +1500,9 @@ diff -up openssh-5.5p1/ldap.conf.ldap openssh-5.5p1/ldap.conf
 +#tls_cert
 +#tls_key
 +
-diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c
+diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c
--- openssh-5.5p1/ldap-helper.c.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldap-helper.c.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldap-helper.c	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldap-helper.c	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,154 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1658,9 +1658,9 @@ diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c
 +void   *buffer_get_string(Buffer *b, u_int *l) {}
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h
+diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h
--- openssh-5.5p1/ldap-helper.h.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldap-helper.h.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldap-helper.h	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldap-helper.h	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1694,9 +1694,9 @@ diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h
+diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h
--- openssh-5.5p1/ldapincludes.h.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapincludes.h.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapincludes.h	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapincludes.h	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1739,9 +1739,9 @@ diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c
+diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c
--- openssh-5.5p1/ldapmisc.c.ldap	2010-07-07 14:36:34.000000000 +0200
+--- openssh-5.6p1/ldapmisc.c.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapmisc.c	2010-07-07 14:36:34.000000000 +0200
+++ openssh-5.6p1/ldapmisc.c	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -1822,9 +1822,9 @@ diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c
 +}
 +#endif
 +
-diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h
+diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h
--- openssh-5.5p1/ldapmisc.h.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/ldapmisc.h.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ldapmisc.h	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/ldapmisc.h	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1861,9 +1861,9 @@ diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h
 +
 +#endif /* LDAPMISC_H */
 +
-diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt
+diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt
--- openssh-5.5p1/lpk-user-example.txt.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/lpk-user-example.txt.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/lpk-user-example.txt	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/lpk-user-example.txt	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,117 @@
 +
 +Post to ML -> User Made Quick Install Doc.
@ -1982,9 +1982,9 @@ diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.
 +puTTY). Login should succeed.
 +
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
+diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
--- openssh-5.5p1/Makefile.in.ldap	2010-03-13 22:41:34.000000000 +0100
+--- openssh-5.6p1/Makefile.in.ldap	2010-05-12 08:51:39.000000000 +0200
-+++ openssh-5.5p1/Makefile.in	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/Makefile.in	2010-08-23 12:29:24.000000000 +0200
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -2004,26 +2004,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -74,11 +76,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
+@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
 	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
 	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
 -	ssh-pkcs11.o
 +	ssh-pkcs11.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 -	roaming_common.o roaming_client.o
 +	roaming_common.o roaming_client.o
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
@@ -91,10 +93,10 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
-	roaming_common.o roaming_serv.o
+ 	roaming_common.o roaming_serv.o
 +	roaming_common.o roaming_serv.o
 -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -2034,7 +2017,7 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 +	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -2085,9 +2068,9 @@ diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 tests interop-tests:	$(TARGETS)
-diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema
+diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema
--- openssh-5.5p1/openssh-lpk-openldap.schema.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/openssh-lpk-openldap.schema.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/openssh-lpk-openldap.schema	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/openssh-lpk-openldap.schema	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2110,9 +2093,9 @@ diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lp
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema
+diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema
--- openssh-5.5p1/openssh-lpk-sun.schema.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/openssh-lpk-sun.schema.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/openssh-lpk-sun.schema	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/openssh-lpk-sun.schema	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2137,9 +2120,9 @@ diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk
+diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk
--- openssh-5.5p1/README.lpk.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/README.lpk.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/README.lpk	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/README.lpk	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,274 @@
 +OpenSSH LDAP PUBLIC KEY PATCH 
 +Copyright (c) 2003 Eric AUGE (eau@phear.org)
@ -2415,9 +2398,9 @@ diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk
 +- CONTACT :
 +    Jan F. Chadima <jchadima@redhat.com>
 +
-diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5
+diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5
--- openssh-5.5p1/ssh-ldap.conf.5.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/ssh-ldap.conf.5.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ssh-ldap.conf.5	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/ssh-ldap.conf.5	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,373 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2792,9 +2775,9 @@ diff -up openssh-5.5p1/ssh-ldap.conf.5.ldap openssh-5.5p1/ssh-ldap.conf.5
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8
+diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8
--- openssh-5.5p1/ssh-ldap-helper.8.ldap	2010-07-07 14:36:35.000000000 +0200
+--- openssh-5.6p1/ssh-ldap-helper.8.ldap	2010-08-23 12:28:11.000000000 +0200
-+++ openssh-5.5p1/ssh-ldap-helper.8	2010-07-07 14:36:35.000000000 +0200
+++ openssh-5.6p1/ssh-ldap-helper.8	2010-08-23 12:28:11.000000000 +0200
@@ -0,0 +1,78 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
--- a/openssh-5.6p1-mls.patch
+++ b/openssh-5.6p1-mls.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
+diff -up openssh-5.6p1/configure.ac.mls openssh-5.6p1/configure.ac
--- openssh-5.4p1/configure.ac.mls	2010-03-01 15:24:27.000000000 +0100
+--- openssh-5.6p1/configure.ac.mls	2010-08-23 12:11:36.000000000 +0200
-+++ openssh-5.4p1/configure.ac	2010-03-01 15:24:28.000000000 +0100
+++ openssh-5.6p1/configure.ac	2010-08-23 12:11:36.000000000 +0200
-@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
+@@ -3390,6 +3390,7 @@ AC_ARG_WITH(selinux,
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
@ -9,23 +9,21 @@ diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
 		LIBS="$save_LIBS"
 	fi ]
 )
-diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
+diff -up openssh-5.6p1/misc.c.mls openssh-5.6p1/misc.c
--- openssh-5.4p1/misc.c.mls	2010-01-10 00:31:12.000000000 +0100
+--- openssh-5.6p1/misc.c.mls	2010-08-03 08:05:05.000000000 +0200
-+++ openssh-5.4p1/misc.c	2010-03-01 15:24:28.000000000 +0100
+++ openssh-5.6p1/misc.c	2010-08-23 12:14:16.000000000 +0200
-@@ -423,6 +423,7 @@ char *
+@@ -424,6 +424,7 @@ char *
 colon(char *cp)
 {
 	int flag = 0;
 +	int start = 1;
 	if (*cp == ':')		/* Leading colon is part of file name. */
- 		return (0);
+ 		return NULL;
-@@ -436,8 +437,13 @@ colon(char *cp)
+@@ -439,6 +440,13 @@ colon(char *cp)
 			return (cp+1);
 		if (*cp == ':' && !flag)
 			return (cp);
-		if (*cp == '/')
+ 		if (*cp == '/')
-			return (0);
+ 			return NULL;
 +		if (start) {
 +		/* Slash on beginning or after dots only denotes file name. */
 +			if (*cp == '/')
@ -34,11 +32,11 @@ diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
 +				start = 0;
 +		}
 	}
- 	return (0);
+ 	return NULL;
 }
-diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
+diff -up openssh-5.6p1/openbsd-compat/port-linux.c.mls openssh-5.6p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls	2010-03-01 15:24:27.000000000 +0100
+--- openssh-5.6p1/openbsd-compat/port-linux.c.mls	2010-08-23 12:11:36.000000000 +0200
-+++ openssh-5.4p1/openbsd-compat/port-linux.c	2010-03-01 15:25:50.000000000 +0100
+++ openssh-5.6p1/openbsd-compat/port-linux.c	2010-08-23 12:11:37.000000000 +0200
@@ -35,13 +35,24 @@
 #include "key.h"
 #include "hostfile.h"
@ -417,10 +415,10 @@ diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-com
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
-diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
+diff -up openssh-5.6p1/sshd.c.mls openssh-5.6p1/sshd.c
--- openssh-5.4p1/sshd.c.mls	2010-03-01 15:24:27.000000000 +0100
+--- openssh-5.6p1/sshd.c.mls	2010-08-23 12:11:36.000000000 +0200
-+++ openssh-5.4p1/sshd.c	2010-03-01 15:24:28.000000000 +0100
+++ openssh-5.6p1/sshd.c	2010-08-23 12:11:37.000000000 +0200
-@@ -1987,6 +1987,9 @@ main(int ac, char **av)
+@@ -1997,6 +1997,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
--- a/openssh-5.6p1-selabel.patch
+++ b/openssh-5.6p1-selabel.patch
@ -1,19 +1,19 @@
-diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id
+diff -up openssh-5.6p1/contrib/ssh-copy-id.selabel openssh-5.6p1/contrib/ssh-copy-id
--- openssh-5.3p1/contrib/ssh-copy-id.selabel	2009-01-21 10:29:21.000000000 +0100
+--- openssh-5.6p1/contrib/ssh-copy-id.selabel	2010-08-10 05:36:09.000000000 +0200
-+++ openssh-5.3p1/contrib/ssh-copy-id	2009-10-02 14:21:54.000000000 +0200
+++ openssh-5.6p1/contrib/ssh-copy-id	2010-08-23 12:50:20.000000000 +0200
-@@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || 
+@@ -41,7 +41,7 @@ fi
-   exit 1
+ # strip any trailing colon
- fi
+ host=`echo $1 | sed 's/:$//'`
-{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
+-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
-+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1
+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys" || exit 1
 cat <<EOF
- Now try logging into the machine, with "ssh '$1'", and check in:
+ Now try logging into the machine, with "ssh '$host'", and check in:
-diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in
+diff -up openssh-5.6p1/Makefile.in.selabel openssh-5.6p1/Makefile.in
--- openssh-5.3p1/Makefile.in.selabel	2009-10-02 14:21:54.000000000 +0200
+--- openssh-5.6p1/Makefile.in.selabel	2010-08-23 12:47:39.000000000 +0200
-+++ openssh-5.3p1/Makefile.in	2009-10-02 14:23:23.000000000 +0200
+++ openssh-5.6p1/Makefile.in	2010-08-23 12:47:39.000000000 +0200
-@@ -136,7 +136,7 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -141,7 +141,7 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -22,9 +22,9 @@ diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
-diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
+diff -up openssh-5.6p1/ssh.c.selabel openssh-5.6p1/ssh.c
--- openssh-5.3p1/ssh.c.selabel	2009-10-02 14:21:54.000000000 +0200
+--- openssh-5.6p1/ssh.c.selabel	2010-08-23 12:47:39.000000000 +0200
-+++ openssh-5.3p1/ssh.c	2009-10-02 14:21:54.000000000 +0200
+++ openssh-5.6p1/ssh.c	2010-08-23 12:47:39.000000000 +0200
@@ -74,6 +74,7 @@
 #include <openssl/err.h>
 #include <openssl/fips.h>
@ -33,7 +33,7 @@ diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -792,10 +793,15 @@ main(int ac, char **av)
+@@ -848,10 +849,15 @@ main(int ac, char **av)
 	 */
 	r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
--- a/openssh.spec
+++ b/openssh.spec
@ -73,7 +73,7 @@
 %define openssh_ver 5.6p1
 %define openssh_rel 1
 %define pam_ssh_agent_ver 0.9.2
-%define pam_ssh_agent_rel 26
+%define pam_ssh_agent_rel 27
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@ -94,44 +94,38 @@ Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/p
 Source5: pam_ssh_agent-rmheaders
 Patch0: openssh-5.4p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1638
 Patch2: openssh-5.3p1-skip-initial.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640
 Patch4: openssh-5.2p1-vendor.patch
 Patch10: pam_ssh_agent_auth-0.9-build.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Patch12: openssh-5.4p1-selinux.patch
-Patch13: openssh-5.5p1-mls.patch
+Patch13: openssh-5.6p1-mls.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch16: openssh-5.3p1-audit.patch
 Patch18: openssh-5.4p1-pam_selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
-Patch20: openssh-5.5p1-authorized-keys-command.patch
+Patch20: openssh-5.6p1-authorized-keys-command.patch
-Patch21: openssh-5.5p1-ldap.patch
+Patch21: openssh-5.6p1-ldap.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
-Patch23: openssh-5.5p1-keygen.patch
+Patch23: openssh-5.6p1-keygen.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1636
 Patch27: openssh-5.1p1-log-in-chroot.patch
-Patch30: openssh-4.0p1-exit-deadlock.patch
+Patch30: openssh-5.6p1-exit-deadlock.patch
 Patch35: openssh-5.1p1-askpass-progress.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
 Patch44: openssh-5.2p1-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch62: openssh-5.1p1-scp-manpage.patch
-Patch65: openssh-5.5p1-fips.patch
+Patch65: openssh-5.6p1-fips.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
-Patch69: openssh-5.3p1-selabel.patch
+Patch69: openssh-5.6p1-selabel.patch
 Patch71: openssh-5.2p1-edns.patch
-Patch73: openssh-5.5p1-gsskex.patch
+Patch73: openssh-5.6p1-gsskex.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1701
 Patch74: openssh-5.3p1-randclean.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1740
+Patch78: openssh-5.6p1-kuserok.patch
 Patch76: openssh-5.5p1-staterr.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1750
 Patch77: openssh-5.5p1-stderr.patch
 Patch78: openssh-5.5p1-kuserok.patch
 Patch79: openssh-5.5p1-x11.patch
 License: BSD
@ -268,7 +262,6 @@ The module is most useful for su and sudo service stacks.
 %prep
 %setup -q -a 4
 %patch0 -p1 -b .redhat
 %patch2 -p1 -b .skip-initial
 %patch4 -p1 -b .vendor
 %if %{pam_ssh_agent}
@ -303,8 +296,6 @@ popd
 %patch71 -p1 -b .edns
 %patch73 -p1 -b .gsskex
 %patch74 -p1 -b .randclean
 %patch76 -p1 -b .staterr
 %patch77 -p1 -b .stderr
 %patch78 -p1 -b .kuserok
 %patch79 -p1 -b .x11