rebase to openssh-7.4p1-1

* Drop unaccepted (unapplying) coverity patches * Drop server support for SSH1 (server) * Workaround #2641 for systemd * UseLogin is gone * Drop upstream commit 28652bca * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288)
2017-01-02 15:42:13 +01:00 · 2017-01-02 15:42:13 +01:00 · 6cf9b8e61b
parent 4189cebf7a
commit 6cf9b8e61b
29 changed files with 1777 additions and 2667 deletions
--- a/.gitignore
+++ b/.gitignore
@ -23,3 +23,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-7.2p1.tar.gz
 /openssh-7.2p2.tar.gz
 /openssh-7.3p1.tar.gz
 /openssh-7.4p1.tar.gz
--- a/openssh-4.3p2-askpass-grab-info.patch
+++ b/openssh-4.3p2-askpass-grab-info.patch
@ -1,7 +1,8 @@
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info	2006-07-17 15:10:11.000000000 +0200
+diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
-+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c	2006-07-17 15:25:04.000000000 +0200
+--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info	2016-12-23 13:31:22.645213115 +0100
-@@ -65,9 +65,12 @@
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:40.997216691 +0100
- 	err = gtk_message_dialog_new(NULL, 0,
+@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
 	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
 				     GTK_MESSAGE_ERROR,
 				     GTK_BUTTONS_CLOSE,
 -				     "Could not grab %s. "
@ -14,5 +15,5 @@
 +				     "Either close the application which grabs the %s or "
 +				     "log out and log in again to prevent this from happening.", what, what);
 	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
- 	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+ 
- 				TRUE);
+ 	gtk_dialog_run(GTK_DIALOG(err));
--- a/openssh-5.1p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
+diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress	2008-07-23 19:05:26.000000000 +0200
+--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c	2008-07-23 19:05:26.000000000 +0200
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@
 #include <string.h>
 #include <unistd.h>
@ -9,7 +9,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
 #include <gtk/gtk.h>
 #include <gdk/gdkx.h>
-@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
+@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
 }
@ -30,12 +30,12 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
 	const char *failed;
 	char *passphrase, *local;
 	int result, grab_tries, grab_server, grab_pointer;
-	GtkWidget *dialog, *entry;
+-	GtkWidget *parent_window, *dialog, *entry;
-+	GtkWidget *dialog, *entry, *progress, *hbox;
+	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
 	GdkGrabStatus status;
 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
-@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
+@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
 					"%s",
 					message);
@ -45,9 +45,11 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
 +	gtk_widget_show(hbox);
 +
 	entry = gtk_entry_new();
-	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+ 	gtk_box_pack_start(
-+	gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
+-	    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
- 	    FALSE, 0);
+-	    FALSE, FALSE, 0);
 +	    GTK_BOX(hbox), entry,
 +	    TRUE, FALSE, 0);
 +	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
 	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
 	gtk_widget_grab_focus(entry);
@ -68,7 +70,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
 	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
 	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
-@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
+@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
 	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
 	g_signal_connect(G_OBJECT(entry), "activate",
 			 G_CALLBACK(ok_dialog), dialog);
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
+diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
--- openssh-7.0p1/configure.ac.vendor	2015-08-12 11:14:54.102628399 +0200
+--- openssh-7.4p1/configure.ac.vendor	2016-12-23 13:34:51.681253844 +0100
-+++ openssh-7.0p1/configure.ac	2015-08-12 11:14:54.129628356 +0200
+++ openssh-7.4p1/configure.ac	2016-12-23 13:34:51.694253847 +0100
-@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
+@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
 		fi
 	]
 )
@ -14,7 +14,7 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -5038,6 +5044,7 @@ echo "           Translate v4 in v6 hack
+@@ -5194,6 +5200,7 @@ echo "           Translate v4 in v6 hack
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
 echo ""
-diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.vendor	2015-08-11 10:57:29.000000000 +0200
+--- openssh-7.4p1/servconf.c.vendor	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.0p1/servconf.c	2015-08-12 11:15:33.201565712 +0200
+++ openssh-7.4p1/servconf.c	2016-12-23 13:36:07.555268628 +0100
-@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
+@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
-@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
+@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
@ -42,8 +42,8 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
-@@ -407,7 +410,7 @@ typedef enum {
+@@ -402,7 +405,7 @@ typedef enum {
- 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+ 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 -	sBanner, sUseDNS, sHostbasedAuthentication,
@ -51,7 +51,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -529,6 +532,7 @@ static struct {
+@@ -528,6 +531,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
+@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
 		multistate_ptr = multistate_privsep;
 		goto parse_multistate;
@ -70,18 +70,18 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
+@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sUseLogin, o->use_login);
+ 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 +	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
-diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
+diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.vendor	2015-08-11 10:57:29.000000000 +0200
+--- openssh-7.4p1/servconf.h.vendor	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.0p1/servconf.h	2015-08-12 11:14:54.130628355 +0200
+++ openssh-7.4p1/servconf.h	2016-12-23 13:34:51.694253847 +0100
-@@ -155,6 +155,7 @@ typedef struct {
+@@ -149,6 +149,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
@ -89,12 +89,12 @@ diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
+diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
--- openssh-7.0p1/sshd_config.0.vendor	2015-08-12 11:14:54.125628363 +0200
+--- openssh-7.4p1/sshd_config.0.vendor	2016-12-23 13:34:51.695253847 +0100
-+++ openssh-7.0p1/sshd_config.0	2015-08-12 11:14:54.130628355 +0200
+++ openssh-7.4p1/sshd_config.0	2016-12-23 13:36:53.146277511 +0100
-@@ -841,6 +841,11 @@ DESCRIPTION
+@@ -792,6 +792,11 @@ DESCRIPTION
-              Defines the number of bits in the ephemeral protocol version 1
+              ssh-keygen(1).  For more information on KRLs, see the KEY
-              server key.  The default and minimum value is 1024.
+              REVOCATION LISTS section in ssh-keygen(1).
 +     ShowPatchLevel
 +	     Specifies whether sshd will display the specific patch level of
@ -104,13 +104,13 @@ diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
      StreamLocalBindMask
              Sets the octal file creation mode mask (umask) used when creating
              a Unix-domain socket file for local or remote port forwarding.
-diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.vendor	2015-08-12 11:14:54.125628363 +0200
+--- openssh-7.4p1/sshd_config.5.vendor	2016-12-23 13:34:51.695253847 +0100
-+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:14:54.131628353 +0200
+++ openssh-7.4p1/sshd_config.5	2016-12-23 13:37:17.482282253 +0100
-@@ -1411,6 +1411,13 @@ This option applies to protocol version
+@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
- .It Cm ServerKeyBits
+ .Xr ssh-keygen 1 .
- Defines the number of bits in the ephemeral protocol version 1 server key.
+ For more information on KRLs, see the KEY REVOCATION LISTS section in
- The default and minimum value is 1024.
+ .Xr ssh-keygen 1 .
 +.It Cm ShowPatchLevel 
 +Specifies whether 
 +.Nm sshd 
@ -121,10 +121,10 @@ diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
-diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
+diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.vendor	2015-08-12 11:14:54.125628363 +0200
+--- openssh-7.4p1/sshd_config.vendor	2016-12-23 13:34:51.690253846 +0100
-+++ openssh-7.0p1/sshd_config	2015-08-12 11:14:54.131628353 +0200
+++ openssh-7.4p1/sshd_config	2016-12-23 13:34:51.695253847 +0100
-@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Defaul
+@@ -105,6 +105,7 @@ X11Forwarding yes
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
@ -132,19 +132,20 @@ diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
-diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
+diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
--- openssh-7.0p1/sshd.c.vendor	2015-08-12 11:14:54.100628403 +0200
+--- openssh-7.4p1/sshd.c.vendor	2016-12-23 13:34:51.682253844 +0100
-+++ openssh-7.0p1/sshd.c	2015-08-12 11:14:54.131628353 +0200
+++ openssh-7.4p1/sshd.c	2016-12-23 13:38:32.434296856 +0100
-@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
+@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
- 	}
+ 	char remote_version[256];	/* Must be at least as big as buf. */
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-	    major, minor, SSH_VERSION,
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+	    major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
 +	    (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
-@@ -1749,7 +1749,8 @@ main(int ac, char **av)
+@@ -1650,7 +1651,8 @@ main(int ac, char **av)
 		exit(1);
 	}
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -1,7 +1,7 @@
-diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
+diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-6.8p1/log.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/log.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/log.c	2015-03-18 12:59:29.694022313 +0100
+++ openssh-7.4p1/log.c	2016-12-23 15:14:33.330168088 +0100
-@@ -241,6 +241,11 @@ debug3(const char *fmt,...)
+@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
 void
 log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
 {
@ -13,7 +13,7 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
-@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
+@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
 		exit(1);
 	}
@ -26,9 +26,9 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
 	log_on_stderr = on_stderr;
 	if (on_stderr)
-diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
+diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-6.8p1/log.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/log.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/log.h	2015-03-18 12:59:29.694022313 +0100
+++ openssh-7.4p1/log.h	2016-12-23 15:14:33.330168088 +0100
@@ -49,6 +49,7 @@ typedef enum {
 typedef void (log_handler_fn)(LogLevel, const char *, void *);
@ -37,10 +37,10 @@ diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
 void     log_change_level(LogLevel);
 int      log_is_on_stderr(void);
 void     log_redirect_stderr_to(const char *);
-diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
+diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
--- openssh-6.8p1/monitor.c.log-in-chroot	2015-03-18 12:59:29.669022374 +0100
+--- openssh-7.4p1/monitor.c.log-in-chroot	2016-12-23 15:14:33.311168085 +0100
-+++ openssh-6.8p1/monitor.c	2015-03-18 13:01:52.894671198 +0100
+++ openssh-7.4p1/monitor.c	2016-12-23 15:16:42.154193100 +0100
-@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
 	close(pmonitor->m_log_sendfd);
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
 	authctxt = _authctxt;
 	memset(authctxt, 0, sizeof(*authctxt));
-@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
+@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
 	close(pmonitor->m_recvfd);
 	pmonitor->m_recvfd = -1;
@ -58,7 +58,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
 	monitor_set_child_handler(pmonitor->m_pid);
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
-@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
+@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
 	if (log_level_name(level) == NULL)
 		fatal("%s: invalid log level %u (corrupted message?)",
 		    __func__, level);
@ -67,9 +67,9 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
 	buffer_free(&logmsg);
 	free(msg);
-@@ -1998,13 +2002,28 @@ monitor_init(void)
+@@ -1719,13 +1723,28 @@ monitor_init(void)
- 		    (ssh_packet_comp_free_func *)mm_zfree);
+ 	mon = xcalloc(1, sizeof(*mon));
- 	}
+ 	monitor_openfds(mon, 1);
 +	mon->m_state = "";
 +
@ -98,11 +98,11 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
 }
 #ifdef GSSAPI
-diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
+diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-6.8p1/monitor.h.log-in-chroot	2015-03-18 12:59:29.695022310 +0100
+--- openssh-7.4p1/monitor.h.log-in-chroot	2016-12-23 15:14:33.330168088 +0100
-+++ openssh-6.8p1/monitor.h	2015-03-18 13:02:56.926514197 +0100
+++ openssh-7.4p1/monitor.h	2016-12-23 15:16:28.372190424 +0100
@@ -83,10 +83,11 @@ struct monitor {
- 	struct mm_master	*m_zlib;
+ 	int			 m_log_sendfd;
 	struct kex		**m_pkex;
 	pid_t			 m_pid;
 +	char		*m_state;
@ -111,13 +111,13 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
 struct monitor *monitor_init(void);
 -void monitor_reinit(struct monitor *);
 +void monitor_reinit(struct monitor *, const char *);
 void monitor_sync(struct monitor *);
 struct Authctxt;
-diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
+ void monitor_child_preauth(struct Authctxt *, struct monitor *);
--- openssh-6.8p1/session.c.log-in-chroot	2015-03-18 12:59:29.675022359 +0100
+diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
-+++ openssh-6.8p1/session.c	2015-03-18 12:59:29.696022308 +0100
+--- openssh-7.4p1/session.c.log-in-chroot	2016-12-23 15:14:33.319168086 +0100
-@@ -161,6 +161,7 @@ login_cap_t *lc;
+++ openssh-7.4p1/session.c	2016-12-23 15:18:18.742211853 +0100
@@ -160,6 +160,7 @@ login_cap_t *lc;
 static int is_child = 0;
 static int in_chroot = 0;
@ -125,7 +125,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 /* Name and directory of socket for authentication agent forwarding. */
 static char *auth_sock_name = NULL;
-@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
+@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
 		is_child = 1;
 		/* Child.  Reinitialize the log since the pid has changed. */
@ -136,7 +136,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 		/*
 		 * Create a new session and process group since the 4.4BSD
-@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
+@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
 		close(ptymaster);
 		/* Child.  Reinitialize the log because the pid has changed. */
@ -147,7 +147,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 		/* Close the master side of the pseudo tty. */
 		close(ptyfd);
-@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
+@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
 	int ret;
 	const char *forced = NULL, *tty = NULL;
 	char session_type[1024];
@ -155,7 +155,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 	if (options.adm_forced_command) {
 		original_command = command;
-@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
+@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
 			tty += 5;
 	}
@ -166,7 +166,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
 	    session_type,
 	    tty == NULL ? "" : " on ",
-@@ -1678,14 +1685,6 @@ child_close_fds(void)
+@@ -1486,14 +1492,6 @@ child_close_fds(void)
 	 * descriptors left by system functions.  They will be closed later.
 	 */
 	endpwent();
@ -181,16 +181,16 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 }
 /*
-@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
+@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
 			exit(1);
 	}
 -	closefrom(STDERR_FILENO + 1);
 -
- 	if (!options.use_login)
+ 	do_rc_files(s, shell);
 		do_rc_files(s, shell);
-@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
+ 	/* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -208,21 +208,21 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
 +
 	fflush(NULL);
- 	if (options.use_login) {
+ 	/* Get the last component of the shell name. */
-diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
+diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/sftp.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/sftp-server-main.c	2015-03-18 12:59:29.696022308 +0100
+++ openssh-7.4p1/sftp.h	2016-12-23 15:14:33.331168088 +0100
-@@ -47,5 +47,5 @@ main(int argc, char **argv)
+@@ -97,5 +97,5 @@
 		return 1;
 	}
-	return (sftp_server_main(argc, argv, user_pw));
+ struct passwd;
-+	return (sftp_server_main(argc, argv, user_pw, 0));
+ 
- }
+-int	sftp_server_main(int, char **, struct passwd *);
-diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
+int	sftp_server_main(int, char **, struct passwd *, int);
--- openssh-6.8p1/sftp-server.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
+ void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
-+++ openssh-6.8p1/sftp-server.c	2015-03-18 13:03:52.510377911 +0100
+diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
-@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
+--- openssh-7.4p1/sftp-server.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sftp-server.c	2016-12-23 15:14:33.331168088 +0100
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
 }
 int
@ -231,7 +231,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
 {
 	fd_set *rset, *wset;
 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
 	ssh_malloc_init();	/* must be called before any mallocs */
 	__progname = ssh_get_progname(argv[0]);
@ -240,7 +240,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
 	pw = pwcopy(user_pw);
-@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
 		}
 	}
@ -249,20 +249,20 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
 	/*
 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
-diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
+diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
--- openssh-6.8p1/sftp.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/sftp-server-main.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/sftp.h	2015-03-18 12:59:29.696022308 +0100
+++ openssh-7.4p1/sftp-server-main.c	2016-12-23 15:14:33.331168088 +0100
-@@ -97,5 +97,5 @@
+@@ -49,5 +49,5 @@ main(int argc, char **argv)
 		return 1;
 	}
- struct passwd;
+-	return (sftp_server_main(argc, argv, user_pw));
- 
+	return (sftp_server_main(argc, argv, user_pw, 0));
-int	sftp_server_main(int, char **, struct passwd *);
+ }
-+int	sftp_server_main(int, char **, struct passwd *, int);
+diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
- void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
+--- openssh-7.4p1/sshd.c.log-in-chroot	2016-12-23 15:14:33.328168088 +0100
-diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
+++ openssh-7.4p1/sshd.c	2016-12-23 15:14:33.332168088 +0100
--- openssh-6.8p1/sshd.c.log-in-chroot	2015-03-18 12:59:29.691022320 +0100
+@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
 +++ openssh-6.8p1/sshd.c	2015-03-18 12:59:29.697022305 +0100
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
 	}
 	/* New socket pair */
@ -271,7 +271,7 @@ diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
 	pmonitor->m_pid = fork();
 	if (pmonitor->m_pid == -1)
-@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c
+diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users	2015-08-12 11:27:44.022407951 +0200
+--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
-+++ openssh-7.0p1/gss-serv-krb5.c	2015-08-12 11:27:44.047407912 +0200
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
-@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
+@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	FILE *fp;
 	char file[MAXPATHLEN];
 	char line[BUFSIZ] = "";
@ -9,7 +9,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
 	struct stat st;
 	struct passwd *pw = the_authctxt->pw;
 	int found_principal = 0;
-@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
+@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
@ -18,27 +18,27 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
 	}
-diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users	2015-08-12 11:27:44.036407930 +0200
+--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
-+++ openssh-7.0p1/servconf.c	2015-08-12 11:28:49.087306430 +0200
+++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
-@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions
+@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 	options->disable_forwarding = -1;
 	options->use_kuserok = -1;
 +	options->enable_k5users = -1;
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption
+@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
- 		options->fwd_opts.streamlocal_bind_unlink = 0;
+ 		options->disable_forwarding = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 +	if (options->enable_k5users == -1)
 +		options->enable_k5users = 0;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
 +	if (options->enable_k5users == -1)
 +		options->enable_k5users = 0;
-@@ -423,7 +426,7 @@ typedef enum {
+ 	assemble_algorithms(options);
@@ -418,7 +421,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@ -47,7 +47,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -502,12 +505,14 @@ static struct {
+@@ -497,12 +500,14 @@ static struct {
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -62,7 +62,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
 #endif
 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions
+@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->use_kuserok;
 		goto parse_flag;
@ -73,7 +73,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 	M_CP_INTOPT(use_kuserok);
@ -81,7 +81,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o)
+@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -89,10 +89,10 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
+diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users	2015-08-12 11:27:44.022407951 +0200
+--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
-+++ openssh-7.0p1/servconf.h	2015-08-12 11:27:44.048407911 +0200
+++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
-@@ -180,7 +180,8 @@ typedef struct {
+@@ -174,7 +174,8 @@ typedef struct {
 	int	num_permitted_opens;
@ -102,26 +102,26 @@ diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users	2015-08-12 11:27:44.023407950 +0200
+--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
-+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:27:44.048407911 +0200
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
-@@ -633,6 +633,12 @@ on logout.
+@@ -628,6 +628,12 @@ Specifies whether to automatically destr
 on logout.
 The default is
- .Dq yes .
+ .Cm yes .
 +.It Cm GSSAPIEnablek5users
 +Specifies whether to look at .k5users file for GSSAPI authentication
 +access control. Further details are described in
 +.Xr ksu 1 .
 +The default is
-+.Dq no .
+.Cm no .
- .It Cm GSSAPIStrictAcceptorCheck
+ .It Cm GSSAPIKeyExchange
- Determines whether to be strict about the identity of the GSSAPI acceptor
+ Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
- a client authenticates against.
+ doesn't rely on ssh keys to verify host identity.
-diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config
+diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users	2015-08-12 11:27:44.023407950 +0200
+--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
-+++ openssh-7.0p1/sshd_config	2015-08-12 11:27:44.048407911 +0200
+++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
-@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
+@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@ -142,7 +142,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
 +{
 +
 +        const struct sshcipher *c;
-+        struct sshcipher_ctx cc;
+        struct sshcipher_ctx *cc;
 +        char *algo = "aes128-ctr";
 +        char *hexkey = NULL;
 +        char *hexiv = "00000000000000000000000000000000";
@ -232,11 +232,11 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
 +		return 2;
 +	}
 +
-+	cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
+	cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
 +
 +        free(data);
 +
-+	cipher_cleanup(&cc);
+	cipher_free(cc);
 +
 +        for (p = outdata; datalen > 0; ++p, --datalen) {
 +		printf("%02X", (unsigned char)*p);
--- a/openssh-6.6p1-entropy.patch
+++ b/openssh-6.6p1-entropy.patch
@ -1,8 +1,7 @@
-diff --git a/entropy.c b/entropy.c
+diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
-index 1e9d52a..d24e724 100644
+--- openssh-7.4p1/entropy.c.entropy	2016-12-19 05:59:41.000000000 +0100
--- a/entropy.c
+++ openssh-7.4p1/entropy.c	2016-12-23 18:34:27.769753570 +0100
-+++ b/entropy.c
+@@ -229,6 +229,9 @@ seed_rng(void)
@@ -227,6 +227,9 @@ seed_rng(void)
 	memset(buf, '\0', sizeof(buf));
 #endif /* OPENSSL_PRNG_ONLY */
@ -12,24 +11,31 @@ index 1e9d52a..d24e724 100644
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
 }
-diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
+diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
-index 843225d..041bbab 100644
+--- openssh-7.4p1/openbsd-compat/Makefile.in.entropy	2016-12-23 18:34:53.715762155 +0100
--- a/openbsd-compat/Makefile.in
+++ openssh-7.4p1/openbsd-compat/Makefile.in	2016-12-23 18:35:15.890769493 +0100
-+++ b/openbsd-compat/Makefile.in
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
- COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
 -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
 +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
+diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
-new file mode 100644
+--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy	2016-12-23 18:34:27.747753563 +0100
-index 0000000..da84bf2
+++ openssh-7.4p1/openbsd-compat/port-linux.h	2016-12-23 18:34:27.769753570 +0100
--- /dev/null
+@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
-+++ b/openbsd-compat/port-linux-prng.c
+ void oom_adjust_setup(void);
 #endif
 +void linux_seed(void);
 +
 #endif /* ! _PORT_LINUX_H */
 diff -up openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy openssh-7.4p1/openbsd-compat/port-linux-prng.c
 --- openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy	2016-12-23 18:34:27.769753570 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux-prng.c	2016-12-23 18:34:27.769753570 +0100
@@ -0,0 +1,59 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
@ -90,11 +96,37 @@ index 0000000..da84bf2
 +			fatal ("EOF reading %s", random);
 +	}
 +}
-diff --git a/ssh-add.0 b/ssh-add.0
+diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
-index f16165a..17d22cf 100644
+--- openssh-7.4p1/ssh.1.entropy	2016-12-23 18:34:27.754753565 +0100
--- a/ssh-add.0
+++ openssh-7.4p1/ssh.1	2016-12-23 18:34:27.770753571 +0100
-+++ b/ssh-add.0
+@@ -1441,6 +1441,23 @@ For more information, see the
-@@ -82,6 +82,16 @@ ENVIRONMENT
+ .Cm PermitUserEnvironment
 option in
 .Xr sshd_config 5 .
 +.Sh ENVIRONMENT
 +.Bl -tag -width Ds -compact
 +.It Ev SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
 diff -up openssh-7.4p1/ssh-add.0.entropy openssh-7.4p1/ssh-add.0
 --- openssh-7.4p1/ssh-add.0.entropy	2016-12-19 06:21:21.000000000 +0100
 +++ openssh-7.4p1/ssh-add.0	2016-12-23 18:34:27.770753571 +0100
@@ -88,6 +88,16 @@ ENVIRONMENT
              Identifies the path of a UNIX-domain socket used to communicate
              with the agent.
@ -111,11 +143,10 @@ index f16165a..17d22cf 100644
 FILES
      ~/.ssh/identity
              Contains the protocol version 1 RSA authentication identity of
-diff --git a/ssh-add.1 b/ssh-add.1
+diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
-index 04d1840..db883a4 100644
+--- openssh-7.4p1/ssh-add.1.entropy	2016-12-19 05:59:41.000000000 +0100
--- a/ssh-add.1
+++ openssh-7.4p1/ssh-add.1	2016-12-23 18:34:27.770753571 +0100
-+++ b/ssh-add.1
+@@ -171,6 +171,20 @@ to make this work.)
@@ -170,6 +170,20 @@ to make this work.)
 Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
@ -136,11 +167,10 @@ index 04d1840..db883a4 100644
 .El
 .Sh FILES
 .Bl -tag -width Ds
-diff --git a/ssh-agent.1 b/ssh-agent.1
+diff -up openssh-7.4p1/ssh-agent.1.entropy openssh-7.4p1/ssh-agent.1
-index d7e791b..7332f0d 100644
+--- openssh-7.4p1/ssh-agent.1.entropy	2016-12-19 05:59:41.000000000 +0100
--- a/ssh-agent.1
+++ openssh-7.4p1/ssh-agent.1	2016-12-23 18:34:27.770753571 +0100
-+++ b/ssh-agent.1
+@@ -214,6 +214,24 @@ sockets used to contain the connection t
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
 .El
@ -165,97 +195,10 @@ index d7e791b..7332f0d 100644
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-diff --git a/ssh-keygen.1 b/ssh-keygen.1
+diff -up openssh-7.4p1/sshd.8.entropy openssh-7.4p1/sshd.8
-index 276dacc..a09d9b1 100644
+--- openssh-7.4p1/sshd.8.entropy	2016-12-23 18:34:27.755753566 +0100
--- a/ssh-keygen.1
+++ openssh-7.4p1/sshd.8	2016-12-23 18:34:27.770753571 +0100
-+++ b/ssh-keygen.1
+@@ -920,6 +920,24 @@ concurrently for different ports, this c
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
 The file format is described in
 .Xr moduli 5 .
 .El
 +.Sh ENVIRONMENT
 +.Bl -tag -width Ds -compact
 +.Pp
 +.It Pa SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 diff --git a/ssh-keysign.8 b/ssh-keysign.8
 index 69d0829..02d79f8 100644
 --- a/ssh-keysign.8
 +++ b/ssh-keysign.8
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 .El
 +.Sh ENVIRONMENT
 +.Bl -tag -width Ds -compact
 +.Pp
 +.It Pa SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
 diff --git a/ssh.1 b/ssh.1
 index 4a476c2..410a04a 100644
 --- a/ssh.1
 +++ b/ssh.1
@@ -1299,6 +1299,23 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
 .Xr sshd_config 5 .
 +.Sh ENVIRONMENT
 +.Bl -tag -width Ds -compact
 +.It Ev SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
 diff --git a/sshd.8 b/sshd.8
 index cb866b5..adcaaf9 100644
 --- a/sshd.8
 +++ b/sshd.8
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
@ -280,13 +223,59 @@ index cb866b5..adcaaf9 100644
 .Sh IPV6
 IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
 .Sh SEE ALSO
-diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
+diff -up openssh-7.4p1/ssh-keygen.1.entropy openssh-7.4p1/ssh-keygen.1
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity	2015-03-18 17:21:51.861264906 +0100
+--- openssh-7.4p1/ssh-keygen.1.entropy	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 17:21:51.897264831 +0100
+++ openssh-7.4p1/ssh-keygen.1	2016-12-23 18:34:27.770753571 +0100
-@@ -37,4 +37,6 @@ void oom_adjust_restore(void);
+@@ -848,6 +848,24 @@ Contains Diffie-Hellman groups used for
- void oom_adjust_setup(void);
+ The file format is described in
- #endif
+ .Xr moduli 5 .
- 
+ .El
-+void linux_seed(void);
+.Sh ENVIRONMENT
-+
+.Bl -tag -width Ds -compact
- #endif /* ! _PORT_LINUX_H */
+.Pp
 +.It Pa SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 diff -up openssh-7.4p1/ssh-keysign.8.entropy openssh-7.4p1/ssh-keysign.8
 --- openssh-7.4p1/ssh-keysign.8.entropy	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh-keysign.8	2016-12-23 18:34:27.770753571 +0100
@@ -80,6 +80,24 @@ must be set-uid root if host-based authe
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 .El
 +.Sh ENVIRONMENT
 +.Bl -tag -width Ds -compact
 +.Pp
 +.It Pa SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
 +environment variable is set to value other than
 +.Cm 0
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
 +Minimum is 14 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
 +.El
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
+diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.0p1/auth-krb5.c.kuserok	2015-08-11 10:57:29.000000000 +0200
+--- openssh-7.4p1/auth-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
-+++ openssh-7.0p1/auth-krb5.c	2015-08-12 11:26:21.874536127 +0200
+++ openssh-7.4p1/auth-krb5.c	2016-12-23 14:36:07.644465936 +0100
-@@ -55,6 +55,21 @@
+@@ -56,6 +56,21 @@
 extern ServerOptions	 options;
@ -23,7 +23,7 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
 static int
 krb5_init(void *context)
 {
-@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -35,9 +35,9 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
 		problem = -1;
 		goto out;
 	}
-diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
+diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.kuserok	2015-08-12 11:26:21.868536137 +0200
+--- openssh-7.4p1/gss-serv-krb5.c.kuserok	2016-12-23 14:36:07.640465939 +0100
-+++ openssh-7.0p1/gss-serv-krb5.c	2015-08-12 11:26:21.875536126 +0200
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 14:36:07.644465936 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
@ -160,7 +160,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 		    name, (char *)client->displayname.value);
-@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
+@@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
 	/* If both .k5login and .k5users DNE, self-login is ok. */
 	if (!k5login_exists && (access(file, F_OK) == -1)) {
@ -172,28 +172,28 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
 	}
 	if ((fp = fopen(file, "r")) == NULL) {
 		int saved_errno = errno;
-diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.kuserok	2015-08-12 11:26:21.865536141 +0200
+--- openssh-7.4p1/servconf.c.kuserok	2016-12-23 14:36:07.630465944 +0100
-+++ openssh-7.0p1/servconf.c	2015-08-12 11:27:14.126454598 +0200
+++ openssh-7.4p1/servconf.c	2016-12-23 15:11:52.278133344 +0100
-@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions
+@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 	options->fingerprint_hash = -1;
 	options->disable_forwarding = -1;
 +	options->use_kuserok = -1;
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption
+@@ -342,6 +343,8 @@ fill_default_server_options(ServerOption
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->disable_forwarding == -1)
 		options->disable_forwarding = 0;
 +	if (options->use_kuserok == -1)
 +		options->use_kuserok = 1;
 	assemble_algorithms(options);
-@@ -404,7 +407,7 @@ typedef enum {
+@@ -399,7 +402,7 @@ typedef enum {
- 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken,
@ -201,7 +201,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -483,11 +486,13 @@ static struct {
+@@ -478,11 +481,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -215,7 +215,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions
+@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -226,15 +226,15 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
- 	M_CP_INTOPT(max_authtries);
+ 	M_CP_INTOPT(client_alive_interval);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 +	M_CP_INTOPT(use_kuserok);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
+@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -242,10 +242,10 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
+diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.kuserok	2015-08-12 11:26:21.865536141 +0200
+--- openssh-7.4p1/servconf.h.kuserok	2016-12-23 14:36:07.630465944 +0100
-+++ openssh-7.0p1/servconf.h	2015-08-12 11:26:21.876536124 +0200
+++ openssh-7.4p1/servconf.h	2016-12-23 14:36:07.645465936 +0100
-@@ -180,6 +180,7 @@ typedef struct {
+@@ -174,6 +174,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -253,21 +253,21 @@ diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.kuserok	2015-08-12 11:26:21.867536138 +0200
+--- openssh-7.4p1/sshd_config.5.kuserok	2016-12-23 14:36:07.637465940 +0100
-+++ openssh-7.0p1/sshd_config.5	2015-08-12 11:26:21.877536123 +0200
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:14:03.117162222 +0100
-@@ -872,6 +872,10 @@ Specifies whether to automatically destr
+@@ -850,6 +850,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
- .Dq yes .
+ .Cm yes .
 +.It Cm KerberosUseKuserok
 +Specifies whether to look at .k5login file for user's aliases.
 +The default is
-+.Dq yes .
+.Cm yes .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -1116,6 +1120,7 @@ Available keywords are
+@@ -1078,6 +1082,7 @@ Available keywords are
 .Cm IPQoS ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@ -275,10 +275,10 @@ diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
-diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config
+diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.kuserok	2015-08-12 11:26:21.867536138 +0200
+--- openssh-7.4p1/sshd_config.kuserok	2016-12-23 14:36:07.631465943 +0100
-+++ openssh-7.0p1/sshd_config	2015-08-12 11:26:21.876536124 +0200
+++ openssh-7.4p1/sshd_config	2016-12-23 14:36:07.646465935 +0100
-@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
+@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
--- a/openssh-6.6p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@ -1,8 +1,18 @@
-diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
-index c18524e..d04f4ed 100644
+--- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux	2016-12-23 18:58:52.972122201 +0100
--- a/openbsd-compat/port-linux-sshd.c
+++ openssh-7.4p1/openbsd-compat/port-linux.h	2016-12-23 18:58:52.974122201 +0100
-+++ b/openbsd-compat/port-linux-sshd.c
+@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
-@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 +void sshd_selinux_copy_context(void);
 void sshd_selinux_setup_exec_context(char *);
 #endif
 diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux	2016-12-23 18:58:52.973122201 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c	2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
 	debug3("%s: done", __func__);
 }
@ -31,23 +41,19 @@ index c18524e..d04f4ed 100644
 #endif
 #endif
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
-index 8ef6cc4..b18893c 100644
+--- openssh-7.4p1/session.c.privsep-selinux	2016-12-19 05:59:41.000000000 +0100
--- a/openbsd-compat/port-linux.h
+++ openssh-7.4p1/session.c	2016-12-23 18:58:52.974122201 +0100
-+++ b/openbsd-compat/port-linux.h
+@@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
-+void sshd_selinux_copy_context(void);
+ 	platform_setusercontext(pw);
 void sshd_selinux_setup_exec_context(char *);
 #endif
-diff --git a/session.c b/session.c
+-	if (platform_privileged_uidswap()) {
-index 2bcf818..b5dc144 100644
+	if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
--- a/session.c
+ #ifdef HAVE_LOGIN_CAP
-+++ b/session.c
+ 		if (setusercontext(lc, pw, pw->pw_uid,
-@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
+ 		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
 			    pw->pw_uid);
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
 			    "u", pw->pw_name, (char *)NULL);
@ -57,7 +63,7 @@ index 2bcf818..b5dc144 100644
 			safely_chroot(chroot_path, pw->pw_uid);
 			free(tmp);
 			free(chroot_path);
-@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
+@@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw)
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
 #endif
@ -69,7 +75,7 @@ index 2bcf818..b5dc144 100644
 	} else if (options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
 		fatal("server lacks privileges to chroot to ChrootDirectory");
-@@ -1588,9 +1588,6 @@ do_pwchange(Session *s)
+@@ -1413,9 +1421,6 @@ do_pwchange(Session *s)
 	if (s->ttyfd != -1) {
 		fprintf(stderr,
 		    "You must change your password now and login again!\n");
@ -79,7 +85,7 @@ index 2bcf818..b5dc144 100644
 #ifdef PASSWD_NEEDS_USERNAME
 		execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
 		    (char *)NULL);
-@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
+@@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -89,11 +95,10 @@ index 2bcf818..b5dc144 100644
 		exit(sftp_server_main(i, argv, s->pw));
 	}
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
-index 07f9926..a97f8b7 100644
+--- openssh-7.4p1/sshd.c.privsep-selinux	2016-12-23 18:58:52.973122201 +0100
--- a/sshd.c
+++ openssh-7.4p1/sshd.c	2016-12-23 18:59:13.808124269 +0100
-+++ b/sshd.c
+@@ -540,6 +540,10 @@ privsep_preauth_child(void)
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
@ -104,26 +109,13 @@ index 07f9926..a97f8b7 100644
 	/* Demote the child */
 	if (getuid() == 0 || geteuid() == 0) {
 		/* Change our root directory */
-@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
+@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
- 
+ {
 #ifdef DISABLE_FD_PASSING
 	if (1) {
 +#elif defined(WITH_SELINUX)
-+	if (options.use_login) {
+	if (0) {
 +		/* even root user can be confined by SELinux */
 #else
- 	if (authctxt->pw->pw_uid == 0 || options.use_login) {
+ 	if (authctxt->pw->pw_uid == 0) {
 #endif
 diff --git a/session.c b/session.c
 index 684f867..09048bc 100644
 --- a/session.c
 +++ b/session.c
@@ -1538,7 +1538,7 @@ do_setusercontext(struct passwd *pw)
 	platform_setusercontext(pw);
 -	if (platform_privileged_uidswap()) {
 +	if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid,
 		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
--- a/openssh-6.6p1-redhat.patch
+++ b/openssh-6.6p1-redhat.patch
@ -1,8 +1,7 @@
-diff --git a/ssh_config b/ssh_config
+diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
-index 49a4f6c..3f83c40 100644
+--- openssh-7.4p1/ssh_config.redhat	2016-12-19 05:59:41.000000000 +0100
--- a/ssh_config
+++ openssh-7.4p1/ssh_config	2016-12-23 13:32:00.045220402 +0100
-+++ b/ssh_config
+@@ -48,3 +48,7 @@
@@ -46,3 +46,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
@ -10,9 +9,9 @@ index 49a4f6c..3f83c40 100644
 +# To modify the system-wide ssh configuration, create a  *.conf  file under
 +#  /etc/ssh/ssh_config.d/  which will be automatically included below
 +Include /etc/ssh/ssh_config.d/*.conf
-diff --git a/ssh_config_redhat b/ssh_config_redhat
+diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
--- /dev/null
+--- openssh-7.4p1/ssh_config_redhat.redhat	2016-12-23 13:32:00.045220402 +0100
-+++ b/ssh_config_redhat
+++ openssh-7.4p1/ssh_config_redhat	2016-12-23 13:32:00.045220402 +0100
@@ -0,0 +1,20 @@
 +# Follow system-wide Crypto Poliicy, if defined:
 +Include /etc/crypto-policies/back-ends/openssh.txt
@ -34,11 +33,38 @@ diff --git a/ssh_config_redhat b/ssh_config_redhat
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
-index c735429..e68ddee 100644
+--- openssh-7.4p1/sshd_config.0.redhat	2016-12-19 06:21:22.000000000 +0100
--- a/sshd_config
+++ openssh-7.4p1/sshd_config.0	2016-12-23 13:32:00.045220402 +0100
-+++ b/sshd_config
+@@ -837,9 +837,9 @@ DESCRIPTION
-@@ -10,6 +10,10 @@
+ 
      SyslogFacility
              Gives the facility code that is used when logging messages from
 -             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
 -             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
 -             default is AUTH.
 +             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
 +             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 +             The default is AUTH.
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
 diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
 --- openssh-7.4p1/sshd_config.5.redhat	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sshd_config.5	2016-12-23 13:32:00.046220403 +0100
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
 -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
 diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
 --- openssh-7.4p1/sshd_config.redhat	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sshd_config	2016-12-23 13:33:05.386233133 +0100
@@ -10,21 +10,26 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
@ -49,10 +75,8 @@ index c735429..e68ddee 100644
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
-@@ -21,10 +25,10 @@
+ #ListenAddress ::
- # HostKey for protocol version 1
+ 
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
 -#HostKey /etc/ssh/ssh_host_rsa_key
 +HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
@ -61,9 +85,8 @@ index c735429..e68ddee 100644
 +HostKey /etc/ssh/ssh_host_ecdsa_key
 +HostKey /etc/ssh/ssh_host_ed25519_key
- # Lifetime and size of ephemeral version 1 server key
+ # Ciphers and keying
- #KeyRegenerationInterval 1h
+ #RekeyLimit default none
@@ -36,6 +40,7 @@
 # Logging
 #SyslogFacility AUTH
@ -71,7 +94,7 @@ index c735429..e68ddee 100644
 #LogLevel INFO
 # Authentication:
-@@ -71,9 +76,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -57,9 +62,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
@ -83,7 +106,7 @@ index c735429..e68ddee 100644
 # Kerberos options
 #KerberosAuthentication no
-@@ -82,8 +89,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -68,8 +75,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #KerberosGetAFSToken no
 # GSSAPI options
@ -94,7 +117,7 @@ index c735429..e68ddee 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-@@ -94,12 +101,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -80,12 +87,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
@ -109,7 +132,7 @@ index c735429..e68ddee 100644
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
-@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+@@ -108,6 +115,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # no default banner path
 #Banner none
@ -122,33 +145,3 @@ index c735429..e68ddee 100644
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 diff --git a/sshd_config.0 b/sshd_config.0
 index 413c260..87e7ee7 100644
 --- a/sshd_config.0
 +++ b/sshd_config.0
@@ -675,9 +675,9 @@ DESCRIPTION
      SyslogFacility
              Gives the facility code that is used when logging messages from
 -             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
 -             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
 -             default is AUTH.
 +             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
 +             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 +             The default is AUTH.
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
 diff --git a/sshd_config.5 b/sshd_config.5
 index ce71efe..12465c2 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
 -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
--- a/openssh-6.6p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@ -1,157 +1,6 @@
-diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
+diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
--- openssh/auth-pam.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/auth2.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/auth-pam.c	2016-07-26 12:37:48.793593333 +0200
+++ openssh-7.4p1/auth2.c	2016-12-23 12:19:58.587459379 +0100
@@ -1095,7 +1095,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
 -do_pam_putenv(char *name, char *value)
 +do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
 diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
 --- openssh/auth-pam.h.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth-pam.h	2016-07-26 12:37:48.793593333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 diff -up openssh/auth.h.role-mls openssh/auth.h
 --- openssh/auth.h.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth.h	2016-07-26 12:37:48.793593333 +0200
@@ -62,6 +62,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
 +#ifdef WITH_SELINUX
 +	char		*role;
 +#endif
 	void		*kbdintctxt;
 	char		*info;		/* Extra info for next auth_log */
 #ifdef BSD_AUTH
 diff -up openssh/auth1.c.role-mls openssh/auth1.c
 --- openssh/auth1.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth1.c	2016-07-26 12:37:48.793593333 +0200
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role=NULL;
 +#endif
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
 +#ifdef WITH_SELINUX
 +	if ((role = strchr(user, '/')) != NULL)
 +		*role++ = '\0';
 +#endif
 +
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 +#ifdef WITH_SELINUX
 +	else
 +		if (role && (style = strchr(role, ':')) != NULL)
 +			*style++ = '\0';
 +#endif
 	authctxt->user = user;
 	authctxt->style = style;
 +#ifdef WITH_SELINUX
 +	authctxt->role = role;
 +#endif
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 --- openssh/auth2-gss.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth2-gss.c	2016-07-26 12:37:48.794593332 +0200
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
 +	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 -	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
 +	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
 +		micuser = authctxt->user;
 +	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
 +	if (micuser != authctxt->user)
 +		free(micuser);
 	free(mic.value);
 	authctxt->postponed = 0;
 diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
 --- openssh/auth2-hostbased.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth2-hostbased.c	2016-07-26 12:37:48.794593332 +0200
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -	buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +	if (authctxt->role) {
 +		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +		buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +		buffer_put_char(&b, '/');
 +		buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +	} else 
 +#endif
 +		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
 diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
 --- openssh/auth2-pubkey.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth2-pubkey.c	2016-07-26 12:37:48.794593332 +0200
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -		xasprintf(&userstyle, "%s%s%s", authctxt->user,
 +		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
 		    authctxt->style ? ":" : "",
 -		    authctxt->style ? authctxt->style : "");
 +		    authctxt->style ? authctxt->style : "",
 +#ifdef WITH_SELINUX
 +		    authctxt->role ? "/" : "",
 +		    authctxt->role ? authctxt->role : "");
 +#else
 +		    "", "");
 +#endif
 		buffer_put_cstring(&b, userstyle);
 		free(userstyle);
 		buffer_put_cstring(&b,
 diff -up openssh/auth2.c.role-mls openssh/auth2.c
 --- openssh/auth2.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/auth2.c	2016-07-26 12:37:48.794593332 +0200
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
@ -191,9 +40,122 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
 			packet_disconnect("no authentication methods enabled");
-diff -up openssh/misc.c.role-mls openssh/misc.c
+diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
--- openssh/misc.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/auth2-gss.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/misc.c	2016-07-26 12:37:48.794593332 +0200
+++ openssh-7.4p1/auth2-gss.c	2016-12-23 12:19:58.586459382 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
 +	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 -	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
 +	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
 +		micuser = authctxt->user;
 +	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
 +	if (micuser != authctxt->user)
 +		free(micuser);
 	free(mic.value);
 	authctxt->postponed = 0;
 diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
 --- openssh-7.4p1/auth2-hostbased.c.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/auth2-hostbased.c	2016-12-23 12:19:58.586459382 +0100
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -	buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +	if (authctxt->role) {
 +		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +		buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +		buffer_put_char(&b, '/');
 +		buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +	} else 
 +#endif
 +		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
 diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
 --- openssh-7.4p1/auth2-pubkey.c.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/auth2-pubkey.c	2016-12-23 12:19:58.587459379 +0100
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -		xasprintf(&userstyle, "%s%s%s", authctxt->user,
 +		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
 		    authctxt->style ? ":" : "",
 -		    authctxt->style ? authctxt->style : "");
 +		    authctxt->style ? authctxt->style : "",
 +#ifdef WITH_SELINUX
 +		    authctxt->role ? "/" : "",
 +		    authctxt->role ? authctxt->role : "");
 +#else
 +		    "", "");
 +#endif
 		buffer_put_cstring(&b, userstyle);
 		free(userstyle);
 		buffer_put_cstring(&b,
 diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
 --- openssh-7.4p1/auth.h.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/auth.h	2016-12-23 12:19:43.478510375 +0100
@@ -62,6 +62,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
 +#ifdef WITH_SELINUX
 +	char		*role;
 +#endif
 	void		*kbdintctxt;
 	char		*info;		/* Extra info for next auth_log */
 #ifdef BSD_AUTH
 diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
 --- openssh-7.4p1/auth-pam.c.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/auth-pam.c	2016-12-23 12:19:43.477510378 +0100
@@ -1087,7 +1087,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
 -do_pam_putenv(char *name, char *value)
 +do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
 diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
 --- openssh-7.4p1/auth-pam.h.role-mls	2016-12-23 12:19:43.478510375 +0100
 +++ openssh-7.4p1/auth-pam.h	2016-12-23 12:21:44.698101234 +0100
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
 void do_pam_session(void);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
 --- openssh-7.4p1/misc.c.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/misc.c	2016-12-23 12:19:58.587459379 +0100
@@ -432,6 +432,7 @@ char *
 colon(char *cp)
 {
@ -216,10 +178,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
 	}
 	return NULL;
 }
-diff -up openssh/monitor.c.role-mls openssh/monitor.c
+diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
--- openssh/monitor.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/monitor.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/monitor.c	2016-07-26 12:44:19.363379490 +0200
+++ openssh-7.4p1/monitor.c	2016-12-23 12:23:03.503835248 +0100
-@@ -128,6 +128,9 @@ int mm_answer_sign(int, Buffer *);
+@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@ -229,7 +191,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -207,6 +210,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -202,6 +205,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -239,17 +201,17 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -863,6 +869,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -769,6 +775,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
- 	else {
+ 
- 		/* Allow service/style information on the auth context */
+ 	/* Allow service/style information on the auth context */
- 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
 +#ifdef WITH_SELINUX
-+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 +#endif
- 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
- 	}
+ 
 #ifdef USE_PAM
-@@ -904,6 +913,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -810,6 +819,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
@ -275,7 +237,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
-@@ -1300,7 +1328,7 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1208,7 +1236,7 @@ monitor_valid_userblob(u_char *data, u_i
 {
 	Buffer b;
 	u_char *p;
@ -284,7 +246,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1326,6 +1354,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1234,6 +1262,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	cp = buffer_get_cstring(&b, NULL);
@ -293,7 +255,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-@@ -1361,7 +1391,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1269,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
@ -302,7 +264,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1378,6 +1408,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1286,6 +1316,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_cstring(&b, NULL);
@ -311,9 +273,9 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-diff -up openssh/monitor.h.role-mls openssh/monitor.h
+diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
--- openssh/monitor.h.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/monitor.h.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/monitor.h	2016-07-26 12:37:48.795593331 +0200
+++ openssh-7.4p1/monitor.h	2016-12-23 12:19:58.588459376 +0100
@@ -57,6 +57,10 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
 	MONITOR_REQ_TERM = 50,
@ -325,10 +287,10 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
 	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
--- openssh/monitor_wrap.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/monitor_wrap.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/monitor_wrap.c	2016-07-26 12:37:48.795593331 +0200
+++ openssh-7.4p1/monitor_wrap.c	2016-12-23 12:19:58.588459376 +0100
-@@ -346,6 +346,25 @@ mm_inform_authserv(char *service, char *
+@@ -345,6 +345,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
@ -354,9 +316,9 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
+diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/monitor_wrap.h.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/monitor_wrap.h	2016-07-26 12:37:48.795593331 +0200
+++ openssh-7.4p1/monitor_wrap.h	2016-12-23 12:19:58.588459376 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
@ -367,21 +329,90 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
+diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
--- openssh/openbsd-compat/Makefile.in.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls	2016-12-23 12:19:58.588459376 +0100
-+++ openssh/openbsd-compat/Makefile.in	2016-07-26 12:37:48.795593331 +0200
+++ openssh-7.4p1/openbsd-compat/Makefile.in	2016-12-23 12:24:06.042643938 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
- COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
 -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
+diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbsd-compat/port-linux.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls	2016-07-26 12:37:48.796593331 +0200
+--- openssh-7.4p1/openbsd-compat/port-linux.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/openbsd-compat/port-linux-sshd.c	2016-07-26 12:37:48.796593331 +0200
+++ openssh-7.4p1/openbsd-compat/port-linux.c	2016-12-23 12:19:58.590459369 +0100
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
 	return sc;
 }
 -/* Set the execution context to the default for the specified user */
 -void
 -ssh_selinux_setup_exec_context(char *pwname)
 -{
 -	security_context_t user_ctx = NULL;
 -
 -	if (!ssh_selinux_enabled())
 -		return;
 -
 -	debug3("%s: setting execution context", __func__);
 -
 -	user_ctx = ssh_selinux_getctxbyname(pwname);
 -	if (setexeccon(user_ctx) != 0) {
 -		switch (security_getenforce()) {
 -		case -1:
 -			fatal("%s: security_getenforce() failed", __func__);
 -		case 0:
 -			error("%s: Failed to set SELinux execution "
 -			    "context for %s", __func__, pwname);
 -			break;
 -		default:
 -			fatal("%s: Failed to set SELinux execution context "
 -			    "for %s (in enforcing mode)", __func__, pwname);
 -		}
 -	}
 -	if (user_ctx != NULL)
 -		freecon(user_ctx);
 -
 -	debug3("%s: done", __func__);
 -}
 -
 /* Set the TTY context for the specified user */
 void
 ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: setting TTY context on %s", __func__, tty);
 -	user_ctx = ssh_selinux_getctxbyname(pwname);
 +	if (getexeccon(&user_ctx) != 0) {
 +		error("%s: getexeccon: %s", __func__, strerror(errno));
 +		goto out;
 +	}
 +
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbsd-compat/port-linux.h
 --- openssh-7.4p1/openbsd-compat/port-linux.h.role-mls	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux.h	2016-12-23 12:19:58.591459365 +0100
@@ -20,9 +20,10 @@
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 -void ssh_selinux_setup_exec_context(char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 +
 +void sshd_selinux_setup_exec_context(char *);
 #endif
 #ifdef LINUX_OOM_ADJUST
 diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/openbsd-compat/port-linux-sshd.c
 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls	2016-12-23 12:19:58.590459369 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c	2016-12-23 12:19:58.590459369 +0100
@@ -0,0 +1,424 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -807,79 +838,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +#endif
 +#endif
 +
-diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
+diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
--- openssh/openbsd-compat/port-linux.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/platform.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/openbsd-compat/port-linux.c	2016-07-26 12:37:48.796593331 +0200
+++ openssh-7.4p1/platform.c	2016-12-23 12:19:58.591459365 +0100
-@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
 	return sc;
 }
 -/* Set the execution context to the default for the specified user */
 -void
 -ssh_selinux_setup_exec_context(char *pwname)
 -{
 -	security_context_t user_ctx = NULL;
 -
 -	if (!ssh_selinux_enabled())
 -		return;
 -
 -	debug3("%s: setting execution context", __func__);
 -
 -	user_ctx = ssh_selinux_getctxbyname(pwname);
 -	if (setexeccon(user_ctx) != 0) {
 -		switch (security_getenforce()) {
 -		case -1:
 -			fatal("%s: security_getenforce() failed", __func__);
 -		case 0:
 -			error("%s: Failed to set SELinux execution "
 -			    "context for %s", __func__, pwname);
 -			break;
 -		default:
 -			fatal("%s: Failed to set SELinux execution context "
 -			    "for %s (in enforcing mode)", __func__, pwname);
 -		}
 -	}
 -	if (user_ctx != NULL)
 -		freecon(user_ctx);
 -
 -	debug3("%s: done", __func__);
 -}
 -
 /* Set the TTY context for the specified user */
 void
 ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -147,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: setting TTY context on %s", __func__, tty);
 -	user_ctx = ssh_selinux_getctxbyname(pwname);
 +	if (getexeccon(&user_ctx) != 0) {
 +		error("%s: getexeccon: %s", __func__, strerror(errno));
 +		goto out;
 +	}
 +
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
 --- openssh/openbsd-compat/port-linux.h.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/openbsd-compat/port-linux.h	2016-07-26 12:37:48.796593331 +0200
@@ -22,9 +22,10 @@
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 -void ssh_selinux_setup_exec_context(char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 +
 +void sshd_selinux_setup_exec_context(char *);
 #endif
 #ifdef LINUX_OOM_ADJUST
 diff -up openssh/platform.c.role-mls openssh/platform.c
 --- openssh/platform.c.role-mls	2016-07-24 13:50:13.000000000 +0200
 +++ openssh/platform.c	2016-07-26 12:37:48.796593331 +0200
@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(stru
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@ -888,10 +850,10 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
 #endif
 }
-diff -up openssh/sshd.c.role-mls openssh/sshd.c
+diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
--- openssh/sshd.c.role-mls	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/sshd.c.role-mls	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/sshd.c	2016-07-26 12:37:48.796593331 +0200
+++ openssh-7.4p1/sshd.c	2016-12-23 12:19:58.591459365 +0100
-@@ -2295,6 +2295,9 @@ main(int ac, char **av)
+@@ -2053,6 +2053,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@ -1,22 +1,7 @@
-diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
+diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-6.8p1/channels.c.coverity	2015-03-18 17:21:51.815265002 +0100
+--- openssh-7.4p1/channels.c.coverity	2016-12-23 16:40:26.881788686 +0100
-+++ openssh-6.8p1/channels.c	2015-03-18 17:21:51.896264833 +0100
+++ openssh-7.4p1/channels.c	2016-12-23 16:42:36.244818763 +0100
-@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
 -	if (rfd != -1)
 +	if (rfd >= 0)
 		fcntl(rfd, F_SETFD, FD_CLOEXEC);
 -	if (wfd != -1 && wfd != rfd)
 +	if (wfd >= 0 && wfd != rfd)
 		fcntl(wfd, F_SETFD, FD_CLOEXEC);
 -	if (efd != -1 && efd != rfd && efd != wfd)
 +	if (efd >= 0 && efd != rfd && efd != wfd)
 		fcntl(efd, F_SETFD, FD_CLOEXEC);
 	c->rfd = rfd;
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
 	/* enable nonblocking mode */
 	if (nonblock) {
@ -31,10 +16,10 @@ diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
 			set_nonblock(efd);
 	}
 }
-diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
+diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-6.8p1/monitor.c.coverity	2015-03-18 17:21:51.887264852 +0100
+--- openssh-7.4p1/monitor.c.coverity	2016-12-23 16:40:26.888788688 +0100
-+++ openssh-6.8p1/monitor.c	2015-03-18 17:21:51.897264831 +0100
+++ openssh-7.4p1/monitor.c	2016-12-23 16:40:26.900788691 +0100
-@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
 	mm_get_keystate(pmonitor);
 	/* Drain any buffered messages from the child */
@ -43,10 +28,10 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
 		;
 	close(pmonitor->m_sendfd);
-diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
+diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.coverity	2015-03-18 17:21:51.888264849 +0100
+--- openssh-7.4p1/monitor_wrap.c.coverity	2016-12-23 16:40:26.892788689 +0100
-+++ openssh-6.8p1/monitor_wrap.c	2015-03-18 17:21:51.897264831 +0100
+++ openssh-7.4p1/monitor_wrap.c	2016-12-23 16:40:26.900788691 +0100
-@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
 		error("%s: cannot allocate fds for pty", __func__);
@ -60,9 +45,9 @@ diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
 		return 0;
 	}
 	close(tmp1);
-diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
+diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/openbsd-compat/bindresvport.c	2015-03-18 17:21:51.897264831 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c	2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
@ -72,10 +57,10 @@ diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/open
 	int i;
 	if (sa == NULL) {
-diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
+diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-6.8p1/scp.c.coverity	2015-03-18 17:21:51.868264891 +0100
+--- openssh-7.4p1/scp.c.coverity	2016-12-23 16:40:26.856788681 +0100
-+++ openssh-6.8p1/scp.c	2015-03-18 17:21:58.281251460 +0100
+++ openssh-7.4p1/scp.c	2016-12-23 16:40:26.901788691 +0100
-@@ -156,7 +156,7 @@ killchild(int signo)
+@@ -157,7 +157,7 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
 		kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -84,10 +69,10 @@ diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
 	}
 	if (signo)
-diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-6.8p1/servconf.c.coverity	2015-03-18 17:21:51.893264839 +0100
+--- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
-+++ openssh-6.8p1/servconf.c	2015-03-18 17:21:58.281251460 +0100
+++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
-@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
+@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
 			fatal("%s line %d: Missing subsystem name.",
 			    filename, linenum);
 		if (!*activep) {
@ -96,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
 			break;
 		}
 		for (i = 0; i < options->num_subsystems; i++)
-@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
+@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
@ -108,10 +93,10 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
 		}
 		break;
-diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
+diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-6.8p1/serverloop.c.coverity	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/serverloop.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/serverloop.c	2015-03-18 17:28:45.616436080 +0100
+++ openssh-7.4p1/serverloop.c	2016-12-23 16:40:26.902788691 +0100
-@@ -147,13 +147,13 @@ notify_setup(void)
+@@ -125,13 +125,13 @@ notify_setup(void)
 static void
 notify_parent(void)
 {
@ -127,7 +112,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
 		FD_SET(notify_pipe[0], readset);
 }
 static void
-@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
+@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
 {
 	char c;
@ -138,80 +123,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
 			debug2("notify_done: reading");
 }
-@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
+@@ -518,7 +518,7 @@ server_request_tun(void)
 		 * If we have buffered data, try to write some of that data
 		 * to the program.
 		 */
 -		if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
 +		if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
 			FD_SET(fdin, *writesetp);
 	}
 	notify_prepare(*readsetp);
@@ -477,7 +477,7 @@ process_output(fd_set *writeset)
 	int len;
 	/* Write buffered data to program stdin. */
 -	if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
 +	if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
 		data = buffer_ptr(&stdin_buffer);
 		dlen = buffer_len(&stdin_buffer);
 		len = write(fdin, data, dlen);
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	set_nonblock(fdin);
 	set_nonblock(fdout);
 	/* we don't have stderr for interactive terminal sessions, see below */
 -	if (fderr != -1)
 +	if (fderr >= 0)
 		set_nonblock(fderr);
 	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	max_fd = MAX(connection_in, connection_out);
 	max_fd = MAX(max_fd, fdin);
 	max_fd = MAX(max_fd, fdout);
 -	if (fderr != -1)
 +	if (fderr >= 0)
 		max_fd = MAX(max_fd, fderr);
 #endif
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
 		 * If we have received eof, and there is no more pending
 		 * input data, cause a real eof by closing fdin.
 		 */
 -		if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
 +		if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
 			if (fdin != fdout)
 				close(fdin);
 			else
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
 	buffer_free(&stderr_buffer);
 	/* Close the file descriptors. */
 -	if (fdout != -1)
 +	if (fdout >= 0)
 		close(fdout);
 	fdout = -1;
 	fdout_eof = 1;
 -	if (fderr != -1)
 +	if (fderr >= 0)
 		close(fderr);
 	fderr = -1;
 	fderr_eof = 1;
 -	if (fdin != -1)
 +	if (fdin >= 0)
 		close(fdin);
 	fdin = -1;
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
 	debug("Window change received.");
 	packet_check_eom();
 -	if (fdin != -1)
 +	if (fdin >= 0)
 		pty_change_window_size(fdin, row, col, xpixel, ypixel);
 	return 0;
 }
@@ -1043,7 +1043,7 @@ server_request_tun(void)
 	}
 	tun = packet_get_int();
@ -220,10 +132,10 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
 		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
 			goto done;
 		tun = forced_tun_device;
-diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
+diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-6.8p1/sftp.c.coverity	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/sftp.c	2015-03-18 17:21:58.283251456 +0100
+++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
-@@ -223,7 +223,7 @@ killchild(int signo)
+@@ -224,7 +224,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
@ -232,10 +144,10 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
 	}
 	_exit(1);
-diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
+diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-6.8p1/ssh-agent.c.coverity	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.8p1/ssh-agent.c	2015-03-18 17:21:58.284251454 +0100
+++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
-@@ -1166,8 +1166,8 @@ main(int ac, char **av)
+@@ -1220,8 +1220,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	/* drop */
@ -246,10 +158,10 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
 	platform_disable_tracing(0);	/* strict=no */
-diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
+diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity	2015-03-18 17:21:51.893264839 +0100
+--- openssh-7.4p1/sshd.c.coverity	2016-12-23 16:40:26.897788690 +0100
-+++ openssh-6.8p1/sshd.c	2015-03-18 17:21:58.284251454 +0100
+++ openssh-7.4p1/sshd.c	2016-12-23 16:40:26.904788692 +0100
-@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
+@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
 		privsep_preauth_child();
 		setproctitle("%s", "[net]");
@ -261,7 +173,7 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
 		return 0;
 	}
-@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
 		if (num_listen_socks < 0)
 			break;
 	}
--- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch
+++ b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
@ -1,7 +1,7 @@
-diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
+diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
--- openssh/configure.ac.tcp_wrappers	2015-06-24 11:41:04.519293694 +0200
+--- openssh-7.4p1/configure.ac.tcp_wrappers	2016-12-23 15:36:38.745411192 +0100
-+++ openssh/configure.ac	2015-06-24 11:41:04.556293600 +0200
+++ openssh-7.4p1/configure.ac	2016-12-23 15:36:38.777411197 +0100
-@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
+@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
 	]
 )
@ -64,7 +64,7 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5034,6 +5090,7 @@ echo "                 KerberosV support
+@@ -5214,6 +5270,7 @@ echo "                 KerberosV support
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
@ -72,10 +72,10 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
-diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
+diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
--- openssh/sshd.8.tcp_wrappers	2015-06-24 11:41:04.527293674 +0200
+--- openssh-7.4p1/sshd.8.tcp_wrappers	2016-12-23 15:36:38.759411194 +0100
-+++ openssh/sshd.8	2015-06-24 11:41:04.556293600 +0200
+++ openssh-7.4p1/sshd.8	2016-12-23 15:36:38.778411197 +0100
-@@ -860,6 +860,12 @@ the user's home directory becomes access
+@@ -836,6 +836,12 @@ the user's home directory becomes access
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
@ -88,7 +88,7 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
-@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
+@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
@ -96,10 +96,10 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
-diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
+diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
--- openssh/sshd.c.tcp_wrappers	2015-06-24 11:41:04.549293618 +0200
+--- openssh-7.4p1/sshd.c.tcp_wrappers	2016-12-23 15:36:38.772411196 +0100
-+++ openssh/sshd.c	2015-06-24 11:41:53.331169536 +0200
+++ openssh-7.4p1/sshd.c	2016-12-23 15:37:15.032417028 +0100
-@@ -125,6 +125,13 @@
+@@ -123,6 +123,13 @@
 #include "version.h"
 #include "ssherr.h"
@ -110,10 +110,10 @@ diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
- #ifndef O_NOCTTY
+ /* Re-exec fds */
- #define O_NOCTTY	0
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
- #endif
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -2158,6 +2165,24 @@ main(int ac, char **av)
+@@ -2012,6 +2019,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
 #endif
--- a/openssh-6.8p1-memory-problems.patch
+++ b/openssh-6.8p1-memory-problems.patch
@ -1,8 +1,7 @@
-diff --git a/servconf.c b/servconf.c
+diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
-index ad5869b..0255ed3 100644
+--- openssh-7.4p1/servconf.c.memory	2016-12-23 15:37:48.181422360 +0100
--- a/servconf.c
+++ openssh-7.4p1/servconf.c	2016-12-23 15:38:30.189429116 +0100
-+++ b/servconf.c
+@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 		dst->n = src->n; \
 } while (0)
@ -10,8 +9,8 @@ index ad5869b..0255ed3 100644
 +
 	M_CP_INTOPT(password_authentication);
 	M_CP_INTOPT(gss_authentication);
- 	M_CP_INTOPT(rsa_authentication);
+ 	M_CP_INTOPT(pubkey_authentication);
-@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
 } while(0)
 #define M_CP_STRARRAYOPT(n, num_n) do {\
 	if (src->num_n != 0) { \
--- a/openssh-7.0p1-show-more-fingerprints.patch
+++ b/openssh-7.0p1-show-more-fingerprints.patch
@ -1,23 +1,7 @@
-From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001
+diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
-From: Jakub Jelen <jjelen@redhat.com>
+--- openssh-7.4p1/clientloop.c.fingerprint	2016-12-23 15:38:50.520432387 +0100
-Date: Fri, 7 Aug 2015 10:18:54 +0200
+++ openssh-7.4p1/clientloop.c	2016-12-23 15:38:50.564432394 +0100
-Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client
+@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
 side for smother transition
 ---
 clientloop.c  |  8 ++++----
 readconf.c    | 43 +++++++++++++++++++++++++++++--------------
 readconf.h    |  4 +++-
 ssh_config.5  |  4 ++--
 sshconnect.c  | 48 +++++++++++++++++++++++++++---------------------
 sshconnect2.c |  6 +++---
 6 files changed, 68 insertions(+), 45 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
 index 87ceb3d..4553114 100644
 --- a/clientloop.c
 +++ b/clientloop.c
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
 		if (ctx->keys_seen[i] != 2)
 			continue;
 		if ((fp = sshkey_fingerprint(ctx->keys[i],
@ -26,7 +10,7 @@ index 87ceb3d..4553114 100644
 			fatal("%s: sshkey_fingerprint failed", __func__);
 		do_log2(loglevel, "Learned new hostkey: %s %s",
 		    sshkey_type(ctx->keys[i]), fp);
-@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
+@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
 	}
 	for (i = 0; i < ctx->nold; i++) {
 		if ((fp = sshkey_fingerprint(ctx->old_keys[i],
@ -35,7 +19,7 @@ index 87ceb3d..4553114 100644
 			fatal("%s: sshkey_fingerprint failed", __func__);
 		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
 		    sshkey_type(ctx->old_keys[i]), fp);
-@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
+@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
 	    (r = hostfile_replace_entries(options.user_hostfiles[0],
 	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
 	    options.hash_known_hosts, 0,
@ -44,7 +28,7 @@ index 87ceb3d..4553114 100644
 		error("%s: hostfile_replace_entries failed: %s",
 		    __func__, ssh_err(r));
 }
-@@ -2358,7 +2358,7 @@ client_input_hostkeys(void)
+@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
 			error("%s: parse key: %s", __func__, ssh_err(r));
 			goto out;
 		}
@ -53,11 +37,10 @@ index 87ceb3d..4553114 100644
 		    SSH_FP_DEFAULT);
 		debug3("%s: received %s key %s", __func__,
 		    sshkey_type(key), fp);
-diff --git a/readconf.c b/readconf.c
+diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
-index 1d03bdf..6af4c62 100644
+--- openssh-7.4p1/readconf.c.fingerprint	2016-12-23 15:38:50.559432393 +0100
--- a/readconf.c
+++ openssh-7.4p1/readconf.c	2016-12-23 15:38:50.565432394 +0100
-+++ b/readconf.c
+@@ -1668,16 +1668,18 @@ parse_keytypes:
@@ -1471,16 +1471,18 @@ parse_keytypes:
 		goto parse_string;
 	case oFingerprintHash:
@ -86,7 +69,7 @@ index 1d03bdf..6af4c62 100644
 		break;
 	case oUpdateHostkeys:
-@@ -1673,7 +1675,7 @@ initialize_options(Options * options)
+@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
 	options->canonicalize_fallback_local = -1;
 	options->canonicalize_hostname = -1;
 	options->revoked_host_keys = NULL;
@ -95,7 +78,7 @@ index 1d03bdf..6af4c62 100644
 	options->update_hostkeys = -1;
 	options->hostbased_key_types = NULL;
 	options->pubkey_key_types = NULL;
-@@ -1851,8 +1853,10 @@ fill_default_options(Options * options)
+@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
 		options->canonicalize_fallback_local = 1;
 	if (options->canonicalize_hostname == -1)
 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
@ -108,7 +91,7 @@ index 1d03bdf..6af4c62 100644
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
 	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
-@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals)
+@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
 }
 static void
@ -126,7 +109,7 @@ index 1d03bdf..6af4c62 100644
 dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
 {
 	u_int i;
-@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
+@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
 	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
 	dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
 	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
@ -134,7 +117,7 @@ index 1d03bdf..6af4c62 100644
 	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
 	dump_cfg_fmtint(oForwardX11, o->forward_x11);
 	dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
-@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host)
+@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
 	dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
 	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
 	dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
@ -142,10 +125,9 @@ index 1d03bdf..6af4c62 100644
 	/* Special cases */
-diff --git a/readconf.h b/readconf.h
+diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
-index bb2d552..d817f92 100644
+--- openssh-7.4p1/readconf.h.fingerprint	2016-12-23 15:38:50.559432393 +0100
--- a/readconf.h
+++ openssh-7.4p1/readconf.h	2016-12-23 15:38:50.565432394 +0100
 +++ b/readconf.h
@@ -21,6 +21,7 @@
 #define MAX_SEND_ENV		256
 #define SSH_MAX_HOSTS_FILES	32
@ -154,7 +136,7 @@ index bb2d552..d817f92 100644
 #define PATH_MAX_SUN		(sizeof((struct sockaddr_un *)0)->sun_path)
 struct allowed_cname {
-@@ -146,7 +147,8 @@ typedef struct {
+@@ -162,7 +163,8 @@ typedef struct {
 	char	*revoked_host_keys;
@ -164,31 +146,60 @@ index bb2d552..d817f92 100644
 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
-diff --git a/ssh_config.5 b/ssh_config.5
+diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
-index 5b0975f..e8e6458 100644
+--- openssh-7.4p1/ssh_config.5.fingerprint	2016-12-23 15:38:50.565432394 +0100
--- a/ssh_config.5
+++ openssh-7.4p1/ssh_config.5	2016-12-23 15:40:03.754444166 +0100
-+++ b/ssh_config.5
+@@ -652,12 +652,13 @@ or
-@@ -647,13 +647,13 @@ or
+ .Cm no
- The default is
+ (the default).
 .Dq no .
 .It Cm FingerprintHash
 -Specifies the hash algorithm used when displaying key fingerprints.
 +Specifies the hash algorithms used when displaying key fingerprints.
 Valid options are:
- .Dq md5
+ .Cm md5
 and
- .Dq sha256 .
+-.Cm sha256
- The default is
+-(the default).
-.Dq sha256 .
+.Cm sha256 .
-+.Dq "sha256 md5".
+The default is
 +.Cm "sha256 md5".
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
-diff --git a/sshconnect.c b/sshconnect.c
+diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
-index f41960c..e12932f 100644
+--- openssh-7.4p1/sshconnect2.c.fingerprint	2016-12-23 15:38:50.561432394 +0100
--- a/sshconnect.c
+++ openssh-7.4p1/sshconnect2.c	2016-12-23 15:38:50.566432394 +0100
-+++ b/sshconnect.c
+@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
-@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+ 		    key->type, pktype);
 		goto done;
 	}
 -	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL)
 		goto done;
 	debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	int matched, ret = -1, have_sig = 1;
 	char *fp;
 -	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL)
 		return 0;
 	debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
 		goto out;
 	}
 -	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL) {
 		error("%s: sshkey_fingerprint failed", __func__);
 		goto out;
 diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
 --- openssh-7.4p1/sshconnect.c.fingerprint	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sshconnect.c	2016-12-23 15:38:50.566432394 +0100
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
 			fp = sshkey_fingerprint(host_key,
@ -200,7 +211,7 @@ index f41960c..e12932f 100644
 			if (fp == NULL || ra == NULL)
 				fatal("%s: sshkey_fingerprint fail", __func__);
 			logit("Host key fingerprint is %s\n%s", fp, ra);
-@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
@ -213,14 +224,14 @@ index f41960c..e12932f 100644
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
-@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
 			}
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 -			    "established%s\n"
 -			    "%s key fingerprint is %s.%s%s\n%s"
 +			    "established%s\n", host, ip, msg1);
-+			for (i = 0; i < options.num_fingerprint_hash; i++) {
+			for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
 +				fp = sshkey_fingerprint(host_key,
 +				    options.fingerprint_hash[i], SSH_FP_DEFAULT);
 +				ra = sshkey_fingerprint(host_key,
@ -251,7 +262,7 @@ index f41960c..e12932f 100644
 			if (!confirm(msg))
 				goto fail;
 			hostkey_trusted = 1; /* user explicitly confirmed */
-@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
 	struct sshkey *plain = NULL;
 	if ((fp = sshkey_fingerprint(host_key,
@ -260,7 +271,16 @@ index f41960c..e12932f 100644
 		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
 		r = -1;
 		goto out;
-@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
+@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
 	if (sshkey_is_cert(host_key)) {
 		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
 -		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
 +		    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
 			error("%s: fingerprint CA key: %s",
 			    __func__, ssh_err(r));
 			r = -1;
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
 		fp = sshkey_fingerprint(found->key,
@ -272,7 +292,7 @@ index f41960c..e12932f 100644
 		if (fp == NULL || ra == NULL)
 			fatal("%s: sshkey_fingerprint fail", __func__);
 		logit("WARNING: %s key found for host %s\n"
-@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key)
+@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
@ -281,42 +301,10 @@ index f41960c..e12932f 100644
 	    SSH_FP_DEFAULT);
 	if (fp == NULL)
 		fatal("%s: sshkey_fingerprint fail", __func__);
-diff --git a/sshconnect2.c b/sshconnect2.c
+diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
-index 7751031..82ed92e 100644
+--- openssh-7.4p1/ssh-keysign.c.fingerprint	2016-12-19 05:59:41.000000000 +0100
--- a/sshconnect2.c
+++ openssh-7.4p1/ssh-keysign.c	2016-12-23 15:38:50.566432394 +0100
-+++ b/sshconnect2.c
+@@ -285,7 +285,7 @@ main(int argc, char **argv)
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 		    key->type, pktype);
 		goto done;
 	}
 -	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL)
 		goto done;
 	debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
 	int matched, ret = -1, have_sig = 1;
 	char *fp;
 -	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL)
 		return 0;
 	debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
 		goto out;
 	}
 -	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
 +	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
 	    SSH_FP_DEFAULT)) == NULL) {
 		error("%s: sshkey_fingerprint failed", __func__);
 		goto out;
 diff --git a/ssh-keysign.c b/ssh-keysign.c
 index 1dca3e2..23bff7d 100644
 --- a/ssh-keysign.c
 +++ b/ssh-keysign.c
@@ -275,7 +275,7 @@ main(int argc, char **argv)
 		}
 	}
 	if (!found) {
@ -325,21 +313,3 @@ index 1dca3e2..23bff7d 100644
 		    SSH_FP_DEFAULT)) == NULL)
 			fatal("%s: sshkey_fingerprint failed", __progname);
 		fatal("no matching hostkey found for key %s %s",
 -- 
 2.1.0
 diff --git a/sshconnect.c b/sshconnect.c
 index de7ace6..f16e606 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 	if (sshkey_is_cert(host_key)) {
 		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
 -		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
 +		    options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
 			error("%s: fingerprint CA key: %s",
 			    __func__, ssh_err(r));
 			r = -1;
--- a/openssh-7.1p1-gssapi-documentation.patch
+++ b/openssh-7.1p1-gssapi-documentation.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
+diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
--- openssh-7.1p1/ssh_config.5.gss-docs	2015-12-10 15:28:47.451966457 +0100
+--- openssh-7.4p1/ssh_config.5.gss-docs	2016-12-23 14:28:34.051714486 +0100
-+++ openssh-7.1p1/ssh_config.5	2015-12-10 15:30:28.070738047 +0100
+++ openssh-7.4p1/ssh_config.5	2016-12-23 14:34:24.568522417 +0100
-@@ -773,15 +773,26 @@ Note that this option applies to protoco
+@@ -765,10 +765,19 @@ The default is
 If set to 
 .Dq yes
 then renewal of the client's GSSAPI credentials will force the rekeying of the
@ -19,6 +19,11 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
 +For this to work
 +.Cm GSSAPIKeyExchange
 +needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIServerIdentity
 If set, specifies the GSSAPI server identity that ssh should expect when 
 connecting to the server. The default is unset, which means that the
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
 hostname.
 .It Cm GSSAPITrustDns
 Set to 
 -.Dq yes to indicate that the DNS is trusted to securely canonicalize
@ -31,10 +36,10 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
 command line will be passed untouched to the GSSAPI library.
 The default is
 .Dq no .
-diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
--- openssh-7.1p1/sshd_config.5.gss-docs	2015-12-10 15:28:47.453966452 +0100
+--- openssh-7.4p1/sshd_config.5.gss-docs	2016-12-23 14:28:34.043714490 +0100
-+++ openssh-7.1p1/sshd_config.5	2015-12-10 15:28:47.461966434 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 14:28:34.051714486 +0100
-@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
+@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
 successful connection rekeying. This option can be used to accepted renewed 
 or updated credentials from a compatible client. The default is
 .Dq no .
--- a/openssh-7.1p2-audit-race-condition.patch
+++ b/openssh-7.1p2-audit-race-condition.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
+diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
--- openssh-7.3p1/monitor_wrap.c.audit-race	2016-12-15 14:27:22.376603747 +0100
+--- openssh-7.4p1/monitor_wrap.c.audit-race	2016-12-23 16:35:52.694685771 +0100
-+++ openssh-7.3p1/monitor_wrap.c	2016-12-15 14:27:22.381603742 +0100
+++ openssh-7.4p1/monitor_wrap.c	2016-12-23 16:35:52.697685772 +0100
-@@ -1256,4 +1256,48 @@ mm_audit_destroy_sensitive_data(const ch
+@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
 	buffer_free(&m);
 }
@ -50,10 +50,10 @@ diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
 +	pmonitor->m_recvfd = fd;
 +}
 #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
+diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
--- openssh-7.3p1/monitor_wrap.h.audit-race	2016-12-15 14:27:22.376603747 +0100
+--- openssh-7.4p1/monitor_wrap.h.audit-race	2016-12-23 16:35:52.694685771 +0100
-+++ openssh-7.3p1/monitor_wrap.h	2016-12-15 14:27:22.381603742 +0100
+++ openssh-7.4p1/monitor_wrap.h	2016-12-23 16:35:52.698685772 +0100
-@@ -88,6 +88,8 @@ void mm_audit_unsupported_body(int);
+@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
 void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
 void mm_audit_session_key_free_body(int, pid_t, uid_t);
 void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
@ -62,10 +62,10 @@ diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
 #endif
 struct Session;
-diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
+diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
--- openssh-7.3p1/session.c.audit-race	2016-12-15 14:27:22.378603745 +0100
+--- openssh-7.4p1/session.c.audit-race	2016-12-23 16:35:52.695685771 +0100
-+++ openssh-7.3p1/session.c	2016-12-15 14:27:22.382603741 +0100
+++ openssh-7.4p1/session.c	2016-12-23 16:37:26.339730596 +0100
-@@ -164,6 +164,10 @@ static Session *sessions = NULL;
+@@ -162,6 +162,10 @@ static Session *sessions = NULL;
 login_cap_t *lc;
 #endif
@ -76,8 +76,8 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 static int is_child = 0;
 static int in_chroot = 0;
 static int have_dev_log = 1;
-@@ -457,6 +457,8 @@ do_authenticated1(Authctxt *authctxt)
+@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
- 	}
+ 	return 1;
 }
 +void child_destory_sensitive_data();
@ -85,7 +85,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 #define USE_PIPES 1
 /*
  * This is called to fork and execute a command when we have no tty.  This
-@@ -588,6 +592,8 @@ do_exec_no_pty(Session *s, const char *c
+@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
 		cray_init_job(s->pw); /* set up cray jid and tmpdir */
 #endif
@ -94,7 +94,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 		/* Do processing for the child (exec command etc). */
 		do_child(s, command);
 		/* NOTREACHED */
-@@ -722,6 +728,9 @@ do_exec_pty(Session *s, const char *comm
+@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
 		/* Close the extra descriptor for the pseudo tty. */
 		close(ttyfd);
@ -102,9 +102,9 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 +		child_destory_sensitive_data();
 +
 		/* record login, etc. similar to login(1) */
- #ifndef HAVE_OSF_SIA
+ #ifdef _UNICOS
- 		if (!(options.use_login && command == NULL)) {
+ 		cray_init_job(s->pw); /* set up cray jid and tmpdir */
-@@ -903,6 +912,8 @@ do_exec(Session *s, const char *command)
+@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
 	}
 	if (s->command != NULL && s->ptyfd == -1)
 		s->command_handle = PRIVSEP(audit_run_command(s->command));
@ -113,7 +113,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 #endif
 	if (s->ttyfd != -1)
 		ret = do_exec_pty(s, command);
-@@ -918,6 +929,20 @@ do_exec(Session *s, const char *command)
+@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
 	 */
 	buffer_clear(&loginmsg);
@ -134,7 +134,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 	return ret;
 }
-@@ -1751,6 +1776,33 @@ child_close_fds(void)
+@@ -1538,6 +1565,33 @@ child_close_fds(void)
 	endpwent();
 }
@ -168,7 +168,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
 /*
  * Performs common processing for the child, such as setting up the
  * environment, closing extra file descriptors, setting the user and group
-@@ -1768,12 +1820,6 @@ do_child(Session *s, const char *command
+@@ -1554,12 +1608,6 @@ do_child(Session *s, const char *command
 	struct passwd *pw = s->pw;
 	int r = 0;
--- a/openssh-7.2p1-audit.patch
+++ b/openssh-7.2p1-audit.patch
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -1,6 +1,6 @@
-diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
+diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
--- openssh-7.2p1/cipher.c.fips	2016-02-12 18:53:56.083665235 +0100
+--- openssh-7.4p1/cipher.c.fips	2016-12-23 16:37:49.290741582 +0100
-+++ openssh-7.2p1/cipher.c	2016-02-12 18:53:56.090665235 +0100
+++ openssh-7.4p1/cipher.c	2016-12-23 16:37:49.300741586 +0100
@@ -39,6 +39,8 @@
 #include <sys/types.h>
@ -10,7 +10,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
-@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
+@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
@ -25,19 +25,13 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 +	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
 +	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
 +	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
 +#ifdef OPENSSL_HAVE_EVPGCM
 +	{ "aes128-gcm@openssh.com",
 +			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
 +	{ "aes256-gcm@openssh.com",
 +			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 +#endif
 +	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 +};
 +
 /*--*/
 /* Returns a comma-separated list of supported ciphers. */
-@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
+@@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
 	size_t nlen, rlen = 0;
 	const struct sshcipher *c;
@ -46,7 +40,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 		if (c->number != SSH_CIPHER_SSH2)
 			continue;
 		if (auth_only && c->auth_len == 0)
-@@ -193,7 +215,7 @@ const struct sshcipher *
+@@ -222,7 +238,7 @@ const struct sshcipher *
 cipher_by_name(const char *name)
 {
 	const struct sshcipher *c;
@ -55,7 +49,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 		if (strcmp(c->name, name) == 0)
 			return c;
 	return NULL;
-@@ -203,7 +225,7 @@ const struct sshcipher *
+@@ -232,7 +248,7 @@ const struct sshcipher *
 cipher_by_number(int id)
 {
 	const struct sshcipher *c;
@ -64,7 +58,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 		if (c->number == id)
 			return c;
 	return NULL;
-@@ -244,7 +266,7 @@ cipher_number(const char *name)
+@@ -273,7 +289,7 @@ cipher_number(const char *name)
 	const struct sshcipher *c;
 	if (name == NULL)
 		return -1;
@ -73,9 +67,9 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
 		if (strcasecmp(c->name, name) == 0)
 			return c->number;
 	return -1;
-diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
+diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
--- openssh-7.2p1/cipher-ctr.c.fips	2016-02-12 18:53:56.013665228 +0100
+--- openssh-7.4p1/cipher-ctr.c.fips	2016-12-23 16:37:49.225741551 +0100
-+++ openssh-7.2p1/cipher-ctr.c	2016-02-12 18:53:56.090665235 +0100
+++ openssh-7.4p1/cipher-ctr.c	2016-12-23 16:37:49.297741585 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -86,10 +80,10 @@ diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
+diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
--- openssh-7.2p1/dh.h.fips	2016-02-12 18:53:56.090665235 +0100
+--- openssh-7.4p1/dh.h.fips	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/dh.h	2016-02-12 18:54:48.425670204 +0100
+++ openssh-7.4p1/dh.h	2016-12-23 16:37:49.297741585 +0100
-@@ -49,6 +49,7 @@ u_int	 dh_estimate(int);
+@@ -51,6 +51,7 @@ u_int	 dh_estimate(int);
  * Miniumum increased in light of DH precomputation attacks.
  */
 #define DH_GRP_MIN	2048
@ -97,9 +91,9 @@ diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
 #define DH_GRP_MAX	8192
 /*
-diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
+diff -up openssh-7.4p1/entropy.c.fips openssh-7.4p1/entropy.c
--- openssh-7.2p1/entropy.c.fips	2016-02-12 18:53:56.005665227 +0100
+--- openssh-7.4p1/entropy.c.fips	2016-12-23 16:37:49.219741548 +0100
-+++ openssh-7.2p1/entropy.c	2016-02-12 18:53:56.091665235 +0100
+++ openssh-7.4p1/entropy.c	2016-12-23 16:37:49.297741585 +0100
@@ -217,6 +217,9 @@ seed_rng(void)
 		fatal("OpenSSL version mismatch. Built against %lx, you "
 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -110,9 +104,9 @@ diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
 #ifndef OPENSSL_PRNG_ONLY
 	if (RAND_status() == 1) {
 		debug3("RNG is ready, skipping seeding");
-diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
+diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
--- openssh-7.2p1/kex.c.fips	2016-02-12 18:53:56.084665234 +0100
+--- openssh-7.4p1/kex.c.fips	2016-12-23 16:37:49.290741582 +0100
-+++ openssh-7.2p1/kex.c	2016-02-12 18:53:56.091665235 +0100
+++ openssh-7.4p1/kex.c	2016-12-23 16:37:49.300741586 +0100
@@ -35,6 +35,7 @@
 #ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
@ -121,13 +115,11 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
 #endif
 #include "ssh2.h"
-@@ -121,6 +122,25 @@ static const struct kexalg kexalgs[] = {
+@@ -125,6 +126,23 @@ static const struct kexalg kexalgs[] = {
 	{ NULL, -1, -1, -1},
 };
 +static const struct kexalg kexalgs_fips[] = {
 +	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 +	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 +#ifdef HAVE_EVP_SHA256
 +	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
 +#endif
@ -147,7 +139,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
 char *
 kex_alg_list(char sep)
 {
-@@ -148,7 +168,7 @@ kex_alg_by_name(const char *name)
+@@ -152,7 +170,7 @@ kex_alg_by_name(const char *name)
 {
 	const struct kexalg *k;
@ -156,7 +148,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
 		if (strcmp(k->name, name) == 0)
 			return k;
 #ifdef GSSAPI
-@@ -174,7 +194,10 @@ kex_names_valid(const char *names)
+@@ -178,7 +196,10 @@ kex_names_valid(const char *names)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
 		if (kex_alg_by_name(p) == NULL) {
@ -168,17 +160,17 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
 			free(s);
 			return 0;
 		}
-diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
+diff -up openssh-7.4p1/kexgexc.c.fips openssh-7.4p1/kexgexc.c
--- openssh-7.2p1/kexgexc.c.fips	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/kexgexc.c.fips	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/kexgexc.c	2016-02-12 18:53:56.091665235 +0100
+++ openssh-7.4p1/kexgexc.c	2016-12-23 16:38:38.727763540 +0100
@@ -28,6 +28,7 @@
 #ifdef WITH_OPENSSL
 +#include <openssl/fips.h>
 #include <sys/param.h>
 #include <sys/types.h>
 #include <openssl/dh.h>
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
 	nbits = dh_estimate(kex->dh_need * 8);
@ -188,24 +180,24 @@ diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
 	kex->max = DH_GRP_MAX;
 	kex->nbits = nbits;
 	if (datafellows & SSH_BUG_DHGEX_LARGE)
-diff -up openssh-7.2p1/kexgexs.c.fips openssh-7.2p1/kexgexs.c
+diff -up openssh-7.4p1/kexgexs.c.fips openssh-7.4p1/kexgexs.c
--- openssh-7.2p1/kexgexs.c.fips	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/kexgexs.c.fips	2016-12-23 16:37:49.297741585 +0100
-+++ openssh-7.2p1/kexgexs.c	2016-02-12 18:53:56.091665235 +0100
+++ openssh-7.4p1/kexgexs.c	2016-12-23 16:39:35.009776626 +0100
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
 	kex->nbits = nbits;
 	kex->min = min;
 	kex->max = max;
-	min = MAX(DH_GRP_MIN, min);
+-	min = MAXIMUM(DH_GRP_MIN, min);
-+	min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
+	min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
- 	max = MIN(DH_GRP_MAX, max);
+ 	max = MINIMUM(DH_GRP_MAX, max);
-	nbits = MAX(DH_GRP_MIN, nbits);
+-	nbits = MAXIMUM(DH_GRP_MIN, nbits);
-+	nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
+	nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
- 	nbits = MIN(DH_GRP_MAX, nbits);
+ 	nbits = MINIMUM(DH_GRP_MAX, nbits);
 	if (kex->max < kex->min || kex->nbits < kex->min ||
-diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
+diff -up openssh-7.4p1/mac.c.fips openssh-7.4p1/mac.c
--- openssh-7.2p1/mac.c.fips	2016-02-12 18:53:56.084665234 +0100
+--- openssh-7.4p1/mac.c.fips	2016-12-23 16:37:49.291741582 +0100
-+++ openssh-7.2p1/mac.c	2016-02-12 18:53:56.091665235 +0100
+++ openssh-7.4p1/mac.c	2016-12-23 16:37:49.298741585 +0100
@@ -27,6 +27,8 @@
 #include <sys/types.h>
@ -224,7 +216,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
 	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
-@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
+@@ -89,6 +91,24 @@ static const struct macalg macs[] = {
 	{ NULL,					0, 0, 0, 0, 0, 0 }
 };
@ -249,7 +241,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
 /* Returns a list of supported MACs separated by the specified char. */
 char *
 mac_alg_list(char sep)
-@@ -93,7 +113,7 @@ mac_alg_list(char sep)
+@@ -97,7 +117,7 @@ mac_alg_list(char sep)
 	size_t nlen, rlen = 0;
 	const struct macalg *m;
@ -258,7 +250,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
 		if (ret != NULL)
 			ret[rlen++] = sep;
 		nlen = strlen(m->name);
-@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
+@@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
 {
 	const struct macalg *m;
@ -267,10 +259,10 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
 		if (strcmp(name, m->name) != 0)
 			continue;
 		if (mac != NULL)
-diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
+diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
--- openssh-7.2p1/Makefile.in.fips	2016-02-12 18:53:56.085665235 +0100
+--- openssh-7.4p1/Makefile.in.fips	2016-12-23 16:37:49.291741582 +0100
-+++ openssh-7.2p1/Makefile.in	2016-02-12 18:53:56.092665235 +0100
+++ openssh-7.4p1/Makefile.in	2016-12-23 16:37:49.298741585 +0100
-@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -169,25 +169,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -302,7 +294,7 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
+@@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
 	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
@ -311,18 +303,16 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
+diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
--- openssh-7.2p1/myproposal.h.fips	2016-02-12 18:53:56.092665235 +0100
+--- openssh-7.4p1/myproposal.h.fips	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/myproposal.h	2016-02-12 18:55:42.137675304 +0100
+++ openssh-7.4p1/myproposal.h	2016-12-23 16:37:49.300741586 +0100
-@@ -129,6 +129,28 @@
+@@ -138,6 +138,26 @@
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 +#define KEX_DEFAULT_KEX_FIPS		\
 +	KEX_ECDH_METHODS \
-+	KEX_SHA2_METHODS \
+	KEX_SHA2_METHODS
 +	"diffie-hellman-group-exchange-sha1," \
 +	"diffie-hellman-group14-sha1"
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
@ -343,10 +333,31 @@ diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
 #else /* WITH_OPENSSL */
 #define KEX_SERVER_KEX		\
-diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
+diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
--- openssh-7.2p1/readconf.c.fips	2016-02-12 18:53:56.073665234 +0100
+--- openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips	2016-12-23 16:37:49.185741531 +0100
-+++ openssh-7.2p1/readconf.c	2016-02-12 18:53:56.092665235 +0100
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c	2016-12-23 16:37:49.300741586 +0100
-@@ -1969,9 +1969,12 @@ fill_default_options(Options * options)
+@@ -55,6 +55,7 @@
 #include "secure_filename.h"
 #include "uidswap.h"
 #include <unistd.h>
 +#include <openssl/crypto.h>
 #include "identity.h"
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE
             found_key = 1;
             logit("matching key found: file/command %s, line %lu", file,
                                   linenum);
 -            fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
 +            fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
 +				SSH_FP_HEX);
             logit("Found matching %s key: %s",
                                   key_type(found), fp);
             free(fp);
 diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
 --- openssh-7.4p1/readconf.c.fips	2016-12-23 16:37:49.274741574 +0100
 +++ openssh-7.4p1/readconf.c	2016-12-23 16:37:49.298741585 +0100
@@ -2110,9 +2110,12 @@ fill_default_options(Options * options)
 	}
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
@ -362,10 +373,23 @@ diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &options->hostbased_key_types) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
-diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
+diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
--- openssh-7.2p1/servconf.c.fips	2016-02-12 18:53:56.068665233 +0100
+--- openssh-7.4p1/sandbox-seccomp-filter.c.fips	2016-12-23 16:37:49.292741583 +0100
-+++ openssh-7.2p1/servconf.c	2016-02-12 18:56:52.185681954 +0100
+++ openssh-7.4p1/sandbox-seccomp-filter.c	2016-12-23 16:37:49.300741586 +0100
-@@ -188,9 +188,12 @@ option_clear_or_none(const char *o)
+@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_open
 	SC_DENY(open, EACCES),
 #endif
 +#ifdef __NR_socket
 +	SC_DENY(socket, EACCES),
 +#endif
 #ifdef __NR_openat
 	SC_DENY(openat, EACCES),
 #endif
 diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
 --- openssh-7.4p1/servconf.c.fips	2016-12-23 16:37:49.285741579 +0100
 +++ openssh-7.4p1/servconf.c	2016-12-23 16:37:49.299741586 +0100
@@ -185,9 +185,12 @@ option_clear_or_none(const char *o)
 static void
 assemble_algorithms(ServerOptions *o)
 {
@ -381,7 +405,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &o->hostkeyalgorithms) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
-@@ -2376,8 +2379,10 @@ dump_config(ServerOptions *o)
+@@ -2390,8 +2393,10 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -394,7 +418,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
 	dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2392,8 +2397,8 @@ dump_config(ServerOptions *o)
+@@ -2406,8 +2411,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@ -405,10 +429,10 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
-diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
+diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
--- openssh-7.2p1/ssh.c.fips	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/ssh.c.fips	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/ssh.c	2016-02-12 18:53:56.093665236 +0100
+++ openssh-7.4p1/ssh.c	2016-12-23 16:37:49.299741586 +0100
-@@ -75,6 +75,8 @@
+@@ -76,6 +76,8 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #endif
@ -417,7 +441,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -531,6 +533,14 @@ main(int ac, char **av)
+@@ -530,6 +532,14 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
@ -432,7 +456,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
-@@ -608,6 +618,9 @@ main(int ac, char **av)
+@@ -609,6 +619,9 @@ main(int ac, char **av)
 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
@ -442,7 +466,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -952,7 +965,6 @@ main(int ac, char **av)
+@@ -964,7 +977,6 @@ main(int ac, char **av)
 	host_arg = xstrdup(host);
 #ifdef WITH_OPENSSL
@ -450,7 +474,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 	ERR_load_crypto_strings();
 #endif
-@@ -1126,6 +1138,10 @@ main(int ac, char **av)
+@@ -1175,6 +1187,10 @@ main(int ac, char **av)
 	seed_rng();
@ -461,7 +485,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -1206,6 +1222,12 @@ main(int ac, char **av)
+@@ -1263,6 +1279,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -474,9 +498,9 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, addrs, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts,
-diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
+diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
--- openssh-7.2p1/sshconnect2.c.fips	2016-02-12 18:53:56.074665234 +0100
+--- openssh-7.4p1/sshconnect2.c.fips	2016-12-23 16:37:49.275741574 +0100
-+++ openssh-7.2p1/sshconnect2.c	2016-02-12 18:53:56.094665236 +0100
+++ openssh-7.4p1/sshconnect2.c	2016-12-23 16:37:49.299741586 +0100
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -486,7 +510,7 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
-@@ -171,21 +173,26 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -172,21 +174,26 @@ ssh_kex2(char *host, struct sockaddr *ho
 #ifdef GSSAPI
 	if (options.gss_keyex) {
@ -528,9 +552,9 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
 		}
 	}
 #endif
-diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
+diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
--- openssh-7.2p1/sshd.c.fips	2016-02-12 18:53:56.088665235 +0100
+--- openssh-7.4p1/sshd.c.fips	2016-12-23 16:37:49.293741583 +0100
-+++ openssh-7.2p1/sshd.c	2016-02-12 18:53:56.094665236 +0100
+++ openssh-7.4p1/sshd.c	2016-12-23 16:37:49.299741586 +0100
@@ -66,6 +66,7 @@
 #include <grp.h>
 #include <pwd.h>
@ -548,7 +572,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #endif
-@@ -1555,6 +1558,18 @@ main(int ac, char **av)
+@@ -1475,6 +1478,18 @@ main(int ac, char **av)
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -567,7 +591,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	rexec_argc = ac;
-@@ -1707,7 +1722,7 @@ main(int ac, char **av)
+@@ -1623,7 +1638,7 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -576,18 +600,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
 	OpenSSL_add_all_algorithms();
 #endif
-@@ -1906,6 +1921,10 @@ main(int ac, char **av)
+@@ -1937,6 +1952,10 @@ main(int ac, char **av)
 		    sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
 		free(fp);
 	}
 +	if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
 +		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
 +		options.protocol &= ~SSH_PROTO_1;
 +	}
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
@@ -2074,6 +2093,10 @@ main(int ac, char **av)
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -598,7 +611,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	if (chdir("/") == -1)
-@@ -2695,10 +2718,14 @@ do_ssh2_kex(void)
+@@ -2309,10 +2328,14 @@ do_ssh2_kex(void)
 	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
 		orig = NULL;
@ -617,10 +630,10 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
 	if (gss && orig)
 		xasprintf(&newstr, "%s,%s", gss, orig);
-diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
+diff -up openssh-7.4p1/sshkey.c.fips openssh-7.4p1/sshkey.c
--- openssh-7.2p1/sshkey.c.fips	2016-02-12 18:53:56.089665235 +0100
+--- openssh-7.4p1/sshkey.c.fips	2016-12-23 16:37:49.293741583 +0100
-+++ openssh-7.2p1/sshkey.c	2016-02-12 18:53:56.095665236 +0100
+++ openssh-7.4p1/sshkey.c	2016-12-23 16:37:49.300741586 +0100
-@@ -35,6 +35,7 @@
+@@ -34,6 +34,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
@ -628,7 +641,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
 #endif
 #include "crypto_api.h"
-@@ -58,6 +58,7 @@
+@@ -56,6 +57,7 @@
 #include "digest.h"
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
@ -636,7 +649,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
 #include "match.h"
 #include "xmalloc.h"
-@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
+@@ -1580,6 +1582,8 @@ rsa_generate_private_key(u_int bits, RSA
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -645,85 +658,3 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
 diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
 index 688b1b1..a3c1541 100644
 --- a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
 +++ b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
@@ -55,6 +55,7 @@
 #include "secure_filename.h"
 #include "uidswap.h"
 #include <unistd.h>
 +#include <openssl/crypto.h>
 #include "identity.h"
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
             found_key = 1;
             logit("matching key found: file/command %s, line %lu", file,
                                   linenum);
 -            fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
 +            fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
 +				SSH_FP_HEX);
             logit("Found matching %s key: %s",
                                   key_type(found), fp);
             free(fp);
 diff --git a/cipher.c b/cipher.c
 index f282907..51bbffb 100644
 --- a/cipher.c
 +++ b/cipher.c
@@ -112,12 +112,6 @@ static const struct sshcipher fips_ciphers[] = {
 	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
 	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
 	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
 -#ifdef OPENSSL_HAVE_EVPGCM
 -	{ "aes128-gcm@openssh.com",
 -			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
 -	{ "aes256-gcm@openssh.com",
 -			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 -#endif
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
 diff --git a/kex.c b/kex.c
 index f07a636..4ce5843 100644
 --- a/kex.c
 +++ b/kex.c
@@ -123,8 +123,6 @@ static const struct kexalg kexalgs[] = {
 };
 static const struct kexalg kexalgs_fips[] = {
 -	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 -	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 #ifdef HAVE_EVP_SHA256
 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
 #endif
 diff --git a/myproposal.h b/myproposal.h
 index 7efe312..bcf2ae1 100644
 --- a/myproposal.h
 +++ b/myproposal.h
@@ -131,9 +131,7 @@
 #define KEX_DEFAULT_KEX_FIPS		\
 	KEX_ECDH_METHODS \
 -	KEX_SHA2_METHODS \
 -	"diffie-hellman-group-exchange-sha1," \
 -	"diffie-hellman-group14-sha1"
 +	KEX_SHA2_METHODS
 #define	KEX_FIPS_ENCRYPT \
 	"aes128-ctr,aes192-ctr,aes256-ctr," \
 	"aes128-cbc,3des-cbc," \
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index a3975eb..5224084 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_open
 	SC_DENY(open, EACCES),
 #endif
 +#ifdef __NR_socket
 +	SC_DENY(socket, EACCES),
 +#endif
 #ifdef __NR_openat
 	SC_DENY(openat, EACCES),
 #endif
--- a/openssh-7.2p1-gsskex.patch
+++ b/openssh-7.2p1-gsskex.patch
@ -1,6 +1,6 @@
-diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
+diff -up openssh-7.4p1/auth2.c.gsskex openssh-7.4p1/auth2.c
--- openssh-7.2p1/auth2.c.gsskex	2016-02-19 10:01:04.829969345 +0100
+--- openssh-7.4p1/auth2.c.gsskex	2016-12-23 13:38:53.685300997 +0100
-+++ openssh-7.2p1/auth2.c	2016-02-19 10:01:04.865969325 +0100
+++ openssh-7.4p1/auth2.c	2016-12-23 13:38:53.725301005 +0100
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
 	&method_gssapi,
 #endif
 	&method_passwd,
-diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
+diff -up openssh-7.4p1/auth2-gss.c.gsskex openssh-7.4p1/auth2-gss.c
--- openssh-7.2p1/auth2-gss.c.gsskex	2016-02-19 10:01:04.829969345 +0100
+--- openssh-7.4p1/auth2-gss.c.gsskex	2016-12-23 13:38:53.685300997 +0100
-+++ openssh-7.2p1/auth2-gss.c	2016-02-19 10:01:04.865969325 +0100
+++ openssh-7.4p1/auth2-gss.c	2016-12-23 13:38:53.725301005 +0100
@@ -31,6 +31,7 @@
 #include <sys/types.h>
@ -102,21 +102,10 @@ diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,
-diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c
+diff -up openssh-7.4p1/clientloop.c.gsskex openssh-7.4p1/clientloop.c
--- openssh-7.2p1/auth.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/clientloop.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/auth.c	2016-02-19 10:01:04.866969324 +0100
+++ openssh-7.4p1/clientloop.c	2016-12-23 13:38:53.725301005 +0100
-@@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
+@@ -113,6 +113,10 @@
 	case PERMIT_NO_PASSWD:
 		if (strcmp(method, "publickey") == 0 ||
 		    strcmp(method, "hostbased") == 0 ||
 +		    strcmp(method, "gssapi-keyex") == 0 ||
 		    strcmp(method, "gssapi-with-mic") == 0)
 			return 1;
 		break;
 diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
 --- openssh-7.2p1/clientloop.c.gsskex	2016-02-12 11:47:25.000000000 +0100
 +++ openssh-7.2p1/clientloop.c	2016-02-19 10:01:04.866969324 +0100
@@ -114,6 +114,10 @@
 #include "ssherr.h"
 #include "hostfile.h"
@ -127,7 +116,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
 /* import options */
 extern Options options;
-@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha
+@@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_cha
 			break;
 		/* Do channel operations unless rekeying in progress. */
@ -137,7 +126,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
 +#ifdef GSSAPI
 +			if (options.gss_renewal_rekey &&
-+			    ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
+			    ssh_gssapi_credentials_updated(NULL)) {
 +				debug("credentials updated - forcing rekey");
 +				need_rekeying = 1;
 +			}
@ -147,10 +136,10 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
 		/* Buffer input from the connection.  */
 		client_process_net_input(readset);
-diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
+diff -up openssh-7.4p1/configure.ac.gsskex openssh-7.4p1/configure.ac
--- openssh-7.2p1/configure.ac.gsskex	2016-02-19 10:01:04.857969329 +0100
+--- openssh-7.4p1/configure.ac.gsskex	2016-12-23 13:38:53.716301003 +0100
-+++ openssh-7.2p1/configure.ac	2016-02-19 10:01:04.867969323 +0100
+++ openssh-7.4p1/configure.ac	2016-12-23 13:38:53.726301005 +0100
-@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("
 	    [Use tunnel device compatibility to OpenBSD])
 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
 	    [Prepend the address family to IP tunnel traffic])
@ -181,10 +170,10 @@ diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
 	m4_pattern_allow([AU_IPv])
 	AC_CHECK_DECL([AU_IPv4], [],
 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
+diff -up openssh-7.4p1/gss-genr.c.gsskex openssh-7.4p1/gss-genr.c
--- openssh-7.2p1/gss-genr.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/gss-genr.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/gss-genr.c	2016-02-19 10:01:04.867969323 +0100
+++ openssh-7.4p1/gss-genr.c	2016-12-23 13:38:53.726301005 +0100
-@@ -41,12 +41,167 @@
+@@ -40,12 +40,167 @@
 #include "buffer.h"
 #include "log.h"
 #include "ssh2.h"
@ -352,7 +341,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
+@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
 	}
 	ctx->major = gss_init_sec_context(&ctx->minor,
@ -361,7 +350,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
-@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
+@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
 }
 OM_uint32
@ -404,7 +393,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
 	    GSS_C_QOP_DEFAULT, buffer, hash)))
 		ssh_gssapi_error(ctx);
-@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
+@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
 	return (ctx->major);
 }
@ -424,7 +413,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
     const char *context)
-@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
+@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
 }
 int
@ -442,7 +431,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 	/* RFC 4462 says we MUST NOT do SPNEGO */
 	if (oid->length == spnego_oid.length && 
-@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
 	ssh_gssapi_build_ctx(ctx);
 	ssh_gssapi_set_oid(*ctx, oid);
 	major = ssh_gssapi_import_name(*ctx, host);
@ -453,7 +442,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 	if (!GSS_ERROR(major)) {
 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
 		    NULL);
-@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
+@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
 			    GSS_C_NO_BUFFER);
 	}
@ -521,9 +510,9 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
+diff -up openssh-7.4p1/gss-serv.c.gsskex openssh-7.4p1/gss-serv.c
--- openssh-7.2p1/gss-serv.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/gss-serv.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/gss-serv.c	2016-02-19 10:01:04.867969323 +0100
+++ openssh-7.4p1/gss-serv.c	2016-12-23 13:38:53.727301005 +0100
@@ -45,17 +45,19 @@
 #include "session.h"
 #include "misc.h"
@ -536,9 +525,10 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
 extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
-     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+-    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
 -    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, {NULL, NULL, NULL}, 0, 0};
+    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL,
 +    GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
 ssh_gssapi_mech gssapi_null_mech =
 -    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@ -805,9 +795,9 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
 }
 #endif
-diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
+diff -up openssh-7.4p1/gss-serv-krb5.c.gsskex openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.2p1/gss-serv-krb5.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/gss-serv-krb5.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/gss-serv-krb5.c	2016-02-19 10:01:04.867969323 +0100
+++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 13:38:53.727301005 +0100
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	krb5_error_code problem;
 	krb5_principal princ;
@ -935,9 +925,9 @@ diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
 };
 #endif /* KRB5 */
-diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
+diff -up openssh-7.4p1/kex.c.gsskex openssh-7.4p1/kex.c
--- openssh-7.2p1/kex.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/kex.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/kex.c	2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.4p1/kex.c	2016-12-23 13:39:56.064313151 +0100
@@ -54,6 +54,10 @@
 #include "sshbuf.h"
 #include "digest.h"
@ -949,9 +939,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
+@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 	{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
 +#ifdef GSSAPI
 +	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
@ -961,7 +951,7 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
 	{ NULL, -1, -1, -1},
 };
-@@ -140,6 +149,12 @@ kex_alg_by_name(const char *name)
+@@ -144,6 +153,12 @@ kex_alg_by_name(const char *name)
 	for (k = kexalgs; k->name != NULL; k++) {
 		if (strcmp(k->name, name) == 0)
 			return k;
@ -974,9 +964,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
 	}
 	return NULL;
 }
-diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
+diff -up openssh-7.4p1/kexgssc.c.gsskex openssh-7.4p1/kexgssc.c
--- openssh-7.2p1/kexgssc.c.gsskex	2016-02-19 10:01:04.868969323 +0100
+--- openssh-7.4p1/kexgssc.c.gsskex	2016-12-23 13:38:53.727301005 +0100
-+++ openssh-7.2p1/kexgssc.c	2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.4p1/kexgssc.c	2016-12-23 13:38:53.727301005 +0100
@@ -0,0 +1,338 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1316,9 +1306,9 @@ diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
+diff -up openssh-7.4p1/kexgsss.c.gsskex openssh-7.4p1/kexgsss.c
--- openssh-7.2p1/kexgsss.c.gsskex	2016-02-19 10:01:04.868969323 +0100
+--- openssh-7.4p1/kexgsss.c.gsskex	2016-12-23 13:38:53.728301005 +0100
-+++ openssh-7.2p1/kexgsss.c	2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.4p1/kexgsss.c	2016-12-23 13:38:53.728301005 +0100
@@ -0,0 +1,297 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1617,10 +1607,10 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
 +	return 0;
 +}
 +#endif /* GSSAPI */
-diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
+diff -up openssh-7.4p1/kex.h.gsskex openssh-7.4p1/kex.h
--- openssh-7.2p1/kex.h.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/kex.h.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/kex.h	2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.4p1/kex.h	2016-12-23 13:38:53.728301005 +0100
-@@ -92,6 +92,11 @@ enum kex_exchange {
+@@ -99,6 +99,11 @@ enum kex_exchange {
 	KEX_DH_GEX_SHA256,
 	KEX_ECDH_SHA2,
 	KEX_C25519_SHA256,
@ -1632,7 +1622,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
 	KEX_MAX
 };
-@@ -140,6 +145,12 @@ struct kex {
+@@ -147,6 +152,12 @@ struct kex {
 	u_int	flags;
 	int	hash_alg;
 	int	ec_nid;
@ -1645,7 +1635,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
 	char	*client_version_string;
 	char	*server_version_string;
 	char	*failed_choice;
-@@ -189,6 +200,10 @@ int	 kexecdh_client(struct ssh *);
+@@ -196,6 +207,10 @@ int	 kexecdh_client(struct ssh *);
 int	 kexecdh_server(struct ssh *);
 int	 kexc25519_client(struct ssh *);
 int	 kexc25519_server(struct ssh *);
@ -1656,10 +1646,10 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
 int	 kex_dh_hash(int, const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
+diff -up openssh-7.4p1/Makefile.in.gsskex openssh-7.4p1/Makefile.in
--- openssh/Makefile.in.gsskex	2016-07-25 14:11:42.978324182 +0200
+--- openssh-7.4p1/Makefile.in.gsskex	2016-12-23 13:38:53.723301004 +0100
-+++ openssh/Makefile.in	2016-07-25 14:14:15.560289050 +0200
+++ openssh-7.4p1/Makefile.in	2016-12-23 13:40:32.226320197 +0100
-@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -91,6 +91,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@ -1667,19 +1657,19 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 	ssh-pkcs11.o smult_curve25519_ref.o \
 	poly1305.o chacha.o cipher-chachapoly.o \
-@@ -111,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -112,7 +113,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
- 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
+ 	monitor.o monitor_wrap.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
-+	auth2-gss.o gss-serv.o gss-serv-krb5.o  kexgsss.o \
+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
+diff -up openssh-7.4p1/monitor.c.gsskex openssh-7.4p1/monitor.c
--- openssh-7.2p1/monitor.c.gsskex	2016-02-19 10:01:04.830969345 +0100
+--- openssh-7.4p1/monitor.c.gsskex	2016-12-23 13:38:53.687300997 +0100
-+++ openssh-7.2p1/monitor.c	2016-02-19 10:01:04.869969322 +0100
+++ openssh-7.4p1/monitor.c	2016-12-23 13:45:49.347381091 +0100
-@@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
+@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
@ -1688,10 +1678,10 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
 #endif
 #ifdef SSH_AUDIT_EVENTS
-@@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[]
+@@ -236,11 +238,18 @@ struct mon_table mon_dispatch_proto20[]
-     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+     {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
-     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+     {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
-     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+     {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
 +    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
     {0, 0, NULL}
@ -1707,29 +1697,29 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
 #ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
-@@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -307,6 +316,10 @@ monitor_child_preauth(Authctxt *_authctx
- 		/* Permit requests for moduli and signatures */
+ 	/* Permit requests for moduli and signatures */
- 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ 	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
- 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+ 	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 +#ifdef GSSAPI
-+		/* and for the GSSAPI key exchange */
+	/* and for the GSSAPI key exchange */
-+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
 +#endif
 	} else {
 		mon_dispatch = mon_dispatch_proto15;
-@@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p
+ 	/* The first few requests do not require asynchronous access */
- 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
+ 	while (!authenticated) {
- 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+@@ -406,6 +419,10 @@ monitor_child_postauth(struct monitor *p
- 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+ 	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
 +#ifdef GSSAPI
-+		/* and for the GSSAPI key exchange */
+	/* and for the GSSAPI key exchange */
-+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
 +#endif		
- 	} else {
+ 
- 		mon_dispatch = mon_dispatch_postauth15;
+ 	if (!no_pty_flag) {
- 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p
+@@ -1633,6 +1650,13 @@ monitor_apply_keystate(struct monitor *p
 # endif
 #endif /* WITH_OPENSSL */
 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -1743,27 +1733,25 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
 		kex->load_host_public_key=&get_hostkey_public_by_type;
 		kex->load_host_private_key=&get_hostkey_private_by_type;
 		kex->host_key_index=&get_hostkey_index;
-@@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -1712,7 +1736,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer
 	OM_uint32 major;
 	u_int len;
 -	if (!options.gss_authentication)
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+ 		fatal("%s: GSSAPI authentication not enabled", __func__);
 +
 	goid.elements = buffer_get_string(m, &len);
 	goid.length = len;
-@@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+ 	goid.elements = buffer_get_string(m, &len);
@@ -1742,7 +1766,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 	OM_uint32 flags = 0; /* GSI needs this */
 	u_int len;
 -	if (!options.gss_authentication)
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+ 		fatal("%s: GSSAPI authentication not enabled", __func__);
-+
+ 
 	in.value = buffer_get_string(m, &len);
- 	in.length = len;
+@@ -1762,6 +1786,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1771,30 +1759,30 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
 	}
 	return (0);
 }
-@@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -1773,7 +1798,7 @@ mm_answer_gss_checkmic(int sock, Buffer
 	OM_uint32 ret;
 	u_int len;
 -	if (!options.gss_authentication)
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+ 		fatal("%s: GSSAPI authentication not enabled", __func__);
-+
+ 
 	gssbuf.value = buffer_get_string(m, &len);
- 	gssbuf.length = len;
+@@ -1802,10 +1827,11 @@ mm_answer_gss_userok(int sock, Buffer *m
 	mic.value = buffer_get_string(m, &len);
@@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m
 {
 	int authenticated;
-	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+-	if (!options.gss_authentication)
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+ 		fatal("%s: GSSAPI authentication not enabled", __func__);
-+
+ 
-+	authenticated = authctxt->valid && 
+-	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
 +	authenticated = authctxt->valid &&
 +	    ssh_gssapi_userok(authctxt->user, authctxt->pw);
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);
-@@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -1818,5 +1844,73 @@ mm_answer_gss_userok(int sock, Buffer *m
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
@ -1868,9 +1856,9 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
 +
 #endif /* GSSAPI */
-diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
+diff -up openssh-7.4p1/monitor.h.gsskex openssh-7.4p1/monitor.h
--- openssh-7.2p1/monitor.h.gsskex	2016-02-19 10:01:04.830969345 +0100
+--- openssh-7.4p1/monitor.h.gsskex	2016-12-23 13:38:53.687300997 +0100
-+++ openssh-7.2p1/monitor.h	2016-02-19 10:01:04.869969322 +0100
+++ openssh-7.4p1/monitor.h	2016-12-23 13:38:53.729301005 +0100
@@ -60,6 +60,8 @@ enum monitor_reqtype {
 #ifdef WITH_SELINUX
 	MONITOR_REQ_AUTHROLE = 80,
@ -1880,10 +1868,10 @@ diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
+diff -up openssh-7.4p1/monitor_wrap.c.gsskex openssh-7.4p1/monitor_wrap.c
--- openssh-7.2p1/monitor_wrap.c.gsskex	2016-02-19 10:01:04.830969345 +0100
+--- openssh-7.4p1/monitor_wrap.c.gsskex	2016-12-23 13:38:53.687300997 +0100
-+++ openssh-7.2p1/monitor_wrap.c	2016-02-19 10:01:04.869969322 +0100
+++ openssh-7.4p1/monitor_wrap.c	2016-12-23 13:38:53.729301005 +0100
-@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
+@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 }
 int
@ -1892,7 +1880,7 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
 {
 	Buffer m;
 	int authenticated = 0;
-@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
 	return (authenticated);
 }
@ -1943,10 +1931,10 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
 +
 #endif /* GSSAPI */
-diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
+diff -up openssh-7.4p1/monitor_wrap.h.gsskex openssh-7.4p1/monitor_wrap.h
--- openssh-7.2p1/monitor_wrap.h.gsskex	2016-02-19 10:01:04.830969345 +0100
+--- openssh-7.4p1/monitor_wrap.h.gsskex	2016-12-23 13:38:53.687300997 +0100
-+++ openssh-7.2p1/monitor_wrap.h	2016-02-19 10:01:04.869969322 +0100
+++ openssh-7.4p1/monitor_wrap.h	2016-12-23 13:38:53.729301005 +0100
-@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
+@@ -58,8 +58,10 @@ int mm_key_verify(Key *, u_char *, u_int
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@ -1958,10 +1946,10 @@ diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
 #endif
 #ifdef USE_PAM
-diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
+diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
--- openssh-7.2p1/readconf.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/readconf.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/readconf.c	2016-02-19 10:01:04.870969322 +0100
+++ openssh-7.4p1/readconf.c	2016-12-23 13:38:53.730301005 +0100
-@@ -148,6 +148,8 @@ typedef enum {
+@@ -160,6 +160,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -1970,7 +1958,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
-@@ -193,10 +195,19 @@ static struct {
+@@ -205,10 +207,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
@ -1990,7 +1978,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -926,10 +937,30 @@ parse_time:
+@@ -961,10 +972,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2021,7 +2009,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
-@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
+@@ -1776,7 +1807,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
@ -2034,7 +2022,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
+@@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2049,9 +2037,9 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
+diff -up openssh-7.4p1/readconf.h.gsskex openssh-7.4p1/readconf.h
--- openssh-7.2p1/readconf.h.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/readconf.h.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/readconf.h	2016-02-19 10:01:04.870969322 +0100
+++ openssh-7.4p1/readconf.h	2016-12-23 13:38:53.730301005 +0100
@@ -45,7 +45,12 @@ typedef struct {
 	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
@ -2065,9 +2053,9 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
+diff -up openssh-7.4p1/regress/cert-hostkey.sh.gsskex openssh-7.4p1/regress/cert-hostkey.sh
--- openssh/regress/cert-hostkey.sh.gsskex	2016-07-25 14:11:42.986324181 +0200
+--- openssh-7.4p1/regress/cert-hostkey.sh.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/regress/cert-hostkey.sh	2016-07-25 14:15:17.784274722 +0200
+++ openssh-7.4p1/regress/cert-hostkey.sh	2016-12-23 13:38:53.731301006 +0100
@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
 cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
@ -2077,9 +2065,9 @@ diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
-diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
+diff -up openssh-7.4p1/regress/cert-userkey.sh.gsskex openssh-7.4p1/regress/cert-userkey.sh
--- openssh/regress/cert-userkey.sh.gsskex	2016-07-25 14:11:42.986324181 +0200
+--- openssh-7.4p1/regress/cert-userkey.sh.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/regress/cert-userkey.sh	2016-07-25 14:15:36.769270354 +0200
+++ openssh-7.4p1/regress/cert-userkey.sh	2016-12-23 13:38:53.731301006 +0100
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2089,9 +2077,9 @@ diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
-diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
+diff -up openssh-7.4p1/regress/kextype.sh.gsskex openssh-7.4p1/regress/kextype.sh
--- openssh/regress/kextype.sh.gsskex	2016-07-24 13:50:13.000000000 +0200
+--- openssh-7.4p1/regress/kextype.sh.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh/regress/kextype.sh	2016-07-25 14:11:42.987324180 +0200
+++ openssh-7.4p1/regress/kextype.sh	2016-12-23 13:38:53.731301006 +0100
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
 tries="1 2 3 4"
@ -2102,9 +2090,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
 	verbose "kex $k"
 	for i in $tries; do
 		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
-diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
+diff -up openssh-7.4p1/regress/rekey.sh.gsskex openssh-7.4p1/regress/rekey.sh
--- openssh-7.2p1/regress/rekey.sh.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/regress/rekey.sh.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/regress/rekey.sh	2016-02-19 10:01:04.870969322 +0100
+++ openssh-7.4p1/regress/rekey.sh	2016-12-23 13:38:53.731301006 +0100
@@ -38,6 +38,9 @@ increase_datafile_size 300
 opts=""
@ -2125,10 +2113,10 @@ diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
 	verbose "client rekey $c $kex"
 	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
     done
-diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.gsskex openssh-7.4p1/servconf.c
--- openssh-7.2p1/servconf.c.gsskex	2016-02-19 10:01:04.857969329 +0100
+--- openssh-7.4p1/servconf.c.gsskex	2016-12-23 13:38:53.717301003 +0100
-+++ openssh-7.2p1/servconf.c	2016-02-19 10:01:04.870969322 +0100
+++ openssh-7.4p1/servconf.c	2016-12-23 13:38:53.732301006 +0100
-@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
+@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
@ -2139,7 +2127,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -288,10 +290,14 @@ fill_default_server_options(ServerOption
+@@ -268,10 +270,14 @@ fill_default_server_options(ServerOption
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2154,7 +2142,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -422,7 +428,7 @@ typedef enum {
+@@ -410,7 +416,7 @@ typedef enum {
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -2163,7 +2151,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
-@@ -496,11 +502,17 @@ static struct {
+@@ -484,11 +490,17 @@ static struct {
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2181,7 +2169,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions
+@@ -1211,6 +1223,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2192,7 +2180,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
-@@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions
+@@ -1219,6 +1235,10 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_strict_acceptor;
 		goto parse_flag;
@ -2203,7 +2191,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
-@@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o)
+@@ -2257,6 +2277,9 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2213,10 +2201,10 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
-diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
+diff -up openssh-7.4p1/servconf.h.gsskex openssh-7.4p1/servconf.h
--- openssh-7.2p1/servconf.h.gsskex	2016-02-19 10:01:04.857969329 +0100
+--- openssh-7.4p1/servconf.h.gsskex	2016-12-23 13:38:53.717301003 +0100
-+++ openssh-7.2p1/servconf.h	2016-02-19 10:01:04.871969321 +0100
+++ openssh-7.4p1/servconf.h	2016-12-23 13:38:53.732301006 +0100
-@@ -118,8 +118,10 @@ typedef struct {
+@@ -112,8 +112,10 @@ typedef struct {
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
@ -2227,31 +2215,26 @@ diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
+diff -up openssh-7.4p1/ssh_config.5.gsskex openssh-7.4p1/ssh_config.5
--- openssh-7.2p1/ssh_config.5.gsskex	2016-02-19 10:01:04.871969321 +0100
+--- openssh-7.4p1/ssh_config.5.gsskex	2016-12-23 13:38:53.732301006 +0100
-+++ openssh-7.2p1/ssh_config.5	2016-02-19 10:05:58.630146245 +0100
+++ openssh-7.4p1/ssh_config.5	2016-12-23 13:48:00.502331870 +0100
-@@ -824,10 +824,40 @@ The default is
+@@ -748,10 +748,40 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
- .Dq no .
+ .Cm no .
 +.It Cm GSSAPIClientIdentity
 +If set, specifies the GSSAPI client identity that ssh should use when 
 +connecting to the server. The default is unset, which means that the default 
 +identity will be used.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI may be used. When using
 +GSSAPI key exchange the server need not have a host key.
 +The default is
 +.Dq no .
 +.It Cm GSSAPIClientIdentity
 +If set, specifies the GSSAPI client identity that ssh should use when 
 +connecting to the server. The default is unset, which means that the default 
 +identity will be used.
 +.It Cm GSSAPIServerIdentity
 +If set, specifies the GSSAPI server identity that ssh should expect when 
 +connecting to the server. The default is unset, which means that the
 +expected GSSAPI server identity will be determined from the target
 +hostname.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
 +.It Cm GSSAPIRenewalForcesRekey
 +If set to 
 +.Dq yes
@ -2260,6 +2243,11 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
 +credentials to a session on the server.
 +The default is
 +.Dq no .
 +.It Cm GSSAPIServerIdentity
 +If set, specifies the GSSAPI server identity that ssh should expect when 
 +connecting to the server. The default is unset, which means that the
 +expected GSSAPI server identity will be determined from the target
 +hostname.
 +.It Cm GSSAPITrustDns
 +Set to 
 +.Dq yes to indicate that the DNS is trusted to securely canonicalize
@ -2271,9 +2259,9 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
+diff -up openssh-7.4p1/ssh_config.gsskex openssh-7.4p1/ssh_config
--- openssh-7.2p1/ssh_config.gsskex	2016-02-19 10:01:04.852969332 +0100
+--- openssh-7.4p1/ssh_config.gsskex	2016-12-23 13:38:53.708301001 +0100
-+++ openssh-7.2p1/ssh_config	2016-02-19 10:01:04.871969321 +0100
+++ openssh-7.4p1/ssh_config	2016-12-23 13:38:53.733301006 +0100
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@ -2283,10 +2271,10 @@ diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
-diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
+diff -up openssh-7.4p1/sshconnect2.c.gsskex openssh-7.4p1/sshconnect2.c
--- openssh-7.2p1/sshconnect2.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/sshconnect2.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/sshconnect2.c	2016-02-19 10:01:04.872969321 +0100
+++ openssh-7.4p1/sshconnect2.c	2016-12-23 13:38:53.733301006 +0100
-@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
 	struct kex *kex;
 	int r;
@ -2321,7 +2309,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 		fatal("%s: kex_names_cat", __func__);
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -192,6 +217,17 @@ ssh_kex2(char *host, struct sockaddr *ho
 		    order_hostkeyalgs(host, hostaddr, port));
 	}
@ -2379,7 +2367,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
 #endif
 void	userauth(Authctxt *, char *);
-@@ -326,6 +383,11 @@ static char *authmethods_get(void);
+@@ -327,6 +384,11 @@ static char *authmethods_get(void);
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@ -2391,7 +2379,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
 	{"gssapi-with-mic",
 		userauth_gssapi,
 		NULL,
-@@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -652,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
@ -2425,7 +2413,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
-@@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_
+@@ -761,8 +835,8 @@ input_gssapi_response(int type, u_int32_
 {
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
@ -2436,7 +2424,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
-@@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -875,6 +949,48 @@ input_gssapi_error(int type, u_int32_t p
 	free(lang);
 	return 0;
 }
@ -2509,21 +2497,17 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
 	sshbuf_free(buf);
 }
-@@ -1845,10 +1846,13 @@ main(int ac, char **av)
+@@ -1739,7 +1740,8 @@ main(int ac, char **av)
- 		logit("Disabling protocol version 1. Could not load host key");
+ 		    key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
- 		options.protocol &= ~SSH_PROTO_1;
+ 		free(fp);
 	}
-+#ifndef GSSAPI
+-	if (!sensitive_data.have_ssh2_key) {
 +	/* The GSSAPI key exchange can run without a host key */
- 	if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
+	if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
 		logit("Disabling protocol version 2. Could not load host key");
 		options.protocol &= ~SSH_PROTO_2;
 	}
 +#endif
 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 		logit("sshd: no hostkeys available -- exiting.");
 		exit(1);
-@@ -2586,6 +2590,48 @@ do_ssh2_kex(void)
+ 	}
@@ -2196,6 +2198,48 @@ do_ssh2_kex(void)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 	    list_hostkey_types());
@ -2572,7 +2556,7 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
 	/* start key exchange */
 	if ((r = kex_setup(active_state, myproposal)) != 0)
 		fatal("kex_setup: %s", ssh_err(r));
-@@ -2600,6 +2646,13 @@ do_ssh2_kex(void)
+@@ -2213,6 +2257,13 @@ do_ssh2_kex(void)
 # endif
 #endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -2586,25 +2570,25 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.gsskex openssh-7.4p1/sshd_config.5
--- openssh-7.2p1/sshd_config.5.gsskex	2016-02-19 10:01:04.858969329 +0100
+--- openssh-7.4p1/sshd_config.5.gsskex	2016-12-23 13:38:53.734301006 +0100
-+++ openssh-7.2p1/sshd_config.5	2016-02-19 10:06:26.651172355 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 13:48:57.825310358 +0100
-@@ -623,6 +623,11 @@ The default is
+@@ -628,6 +628,11 @@ Specifies whether to automatically destr
- Specifies whether user authentication based on GSSAPI is allowed.
+ on logout.
 The default is
- .Dq no .
+ .Cm yes .
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 +doesn't rely on ssh keys to verify host identity.
 +The default is
 +.Dq no .
- .It Cm GSSAPICleanupCredentials
+ .It Cm GSSAPIStrictAcceptorCheck
- Specifies whether to automatically destroy the user's credentials cache
+ Determines whether to be strict about the identity of the GSSAPI acceptor
- on logout.
+ a client authenticates against.
-@@ -643,6 +648,11 @@ machine's default store.
+@@ -642,6 +647,11 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
- .Dq yes .
+ .Cm yes .
 +.It Cm GSSAPIStoreCredentialsOnRekey
 +Controls whether the user's GSSAPI credentials should be updated following a 
 +successful connection rekeying. This option can be used to accepted renewed 
@ -2613,10 +2597,10 @@ diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
-diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
+diff -up openssh-7.4p1/sshd_config.gsskex openssh-7.4p1/sshd_config
--- openssh-7.2p1/sshd_config.gsskex	2016-02-19 10:01:04.860969328 +0100
+--- openssh-7.4p1/sshd_config.gsskex	2016-12-23 13:38:53.719301003 +0100
-+++ openssh-7.2p1/sshd_config	2016-02-19 10:01:04.873969320 +0100
+++ openssh-7.4p1/sshd_config	2016-12-23 13:38:53.734301006 +0100
-@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
+@@ -77,6 +77,8 @@ ChallengeResponseAuthentication no
 # GSSAPI options
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials no
@ -2625,9 +2609,9 @@ diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
+diff -up openssh-7.4p1/ssh-gss.h.gsskex openssh-7.4p1/ssh-gss.h
--- openssh-7.2p1/ssh-gss.h.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/ssh-gss.h.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/ssh-gss.h	2016-02-19 10:01:04.873969320 +0100
+++ openssh-7.4p1/ssh-gss.h	2016-12-23 13:38:53.734301006 +0100
@@ -1,6 +1,6 @@
 /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
@ -2727,10 +2711,10 @@ diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
 #endif /* GSSAPI */
 #endif /* _SSH_GSS_H */
-diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
+diff -up openssh-7.4p1/sshkey.c.gsskex openssh-7.4p1/sshkey.c
--- openssh-7.2p1/sshkey.c.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/sshkey.c.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/sshkey.c	2016-02-19 10:01:04.874969320 +0100
+++ openssh-7.4p1/sshkey.c	2016-12-23 13:38:53.735301006 +0100
-@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
+@@ -114,6 +114,7 @@ static const struct keytype keytypes[] =
 #  endif /* OPENSSL_HAS_NISTP521 */
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
@ -2738,9 +2722,9 @@ diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
 	{ NULL, NULL, -1, -1, 0, 0 }
 };
-diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
+diff -up openssh-7.4p1/sshkey.h.gsskex openssh-7.4p1/sshkey.h
--- openssh-7.2p1/sshkey.h.gsskex	2016-02-12 11:47:25.000000000 +0100
+--- openssh-7.4p1/sshkey.h.gsskex	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.2p1/sshkey.h	2016-02-19 10:01:04.874969320 +0100
+++ openssh-7.4p1/sshkey.h	2016-12-23 13:38:53.735301006 +0100
@@ -62,6 +62,7 @@ enum sshkey_types {
 	KEY_DSA_CERT,
 	KEY_ECDSA_CERT,
@ -2749,11 +2733,18 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
 	KEY_UNSPEC
 };
-diff --git a/auth.c b/auth.c
+diff -up openssh-7.4p1/auth.c.gsskex openssh-7.4p1/auth.c
-index e0f7639..a5a346e 100644
+--- openssh-7.4p1/auth.c.gsskex	2016-12-19 05:59:41.000000000 +0100
--- a/auth.c
+++ openssh-7.4p1/auth.c	2016-12-23 13:38:53.735301006 +0100
-+++ b/auth.c
+@@ -372,6 +372,7 @@ auth_root_allowed(const char *method)
-@@ -784,99 +784,6 @@ fakepw(void)
+ 	case PERMIT_NO_PASSWD:
 		if (strcmp(method, "publickey") == 0 ||
 		    strcmp(method, "hostbased") == 0 ||
 +		    strcmp(method, "gssapi-keyex") == 0 ||
 		    strcmp(method, "gssapi-with-mic") == 0)
 			return 1;
 		break;
@@ -795,99 +796,6 @@ fakepw(void)
 }
 /*
@ -2853,11 +2844,10 @@ index e0f7639..a5a346e 100644
  * Return the canonical name of the host in the other side of the current
  * connection.  The host name is cached, so it is efficient to call this
  * several times.
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+diff -up openssh-7.4p1/openbsd-compat/port-linux.c.gsskex openssh-7.4p1/openbsd-compat/port-linux.c
-index 80729b3..93a1b04 100644
+--- openssh-7.4p1/openbsd-compat/port-linux.c.gsskex	2016-12-23 13:38:53.688300997 +0100
--- a/openbsd-compat/port-linux.c
+++ openssh-7.4p1/openbsd-compat/port-linux.c	2016-12-23 13:38:53.735301006 +0100
-+++ b/openbsd-compat/port-linux.c
+@@ -30,6 +30,8 @@
@@ -32,6 +32,8 @@
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@ -2866,7 +2856,7 @@ index 80729b3..93a1b04 100644
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
-@@ -286,4 +288,121 @@ oom_adjust_restore(void)
+@@ -279,4 +281,121 @@ oom_adjust_restore(void)
 	return;
 }
 #endif /* LINUX_OOM_ADJUST */
@ -2988,11 +2978,10 @@ index 80729b3..93a1b04 100644
 +	}
 +}
 #endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+diff -up openssh-7.4p1/openbsd-compat/port-linux.h.gsskex openssh-7.4p1/openbsd-compat/port-linux.h
-index e2ca8a1..6c5ac3f 100644
+--- openssh-7.4p1/openbsd-compat/port-linux.h.gsskex	2016-12-23 13:38:53.712301002 +0100
--- a/openbsd-compat/port-linux.h
+++ openssh-7.4p1/openbsd-compat/port-linux.h	2016-12-23 13:38:53.735301006 +0100
-+++ b/openbsd-compat/port-linux.h
+@@ -16,6 +16,7 @@
@@ -18,6 +18,7 @@
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
@ -3000,7 +2989,7 @@ index e2ca8a1..6c5ac3f 100644
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
-@@ -39,4 +40,8 @@ void oom_adjust_setup(void);
+@@ -36,4 +37,8 @@ void oom_adjust_setup(void);
 void linux_seed(void);
@ -3009,18 +2998,3 @@ index e2ca8a1..6c5ac3f 100644
 +
 +
 #endif /* ! _PORT_LINUX_H */
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index 3e6f982..4c2653f 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -213,6 +213,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_write
 	SC_ALLOW(write),
 #endif
 +#ifdef __NR_futex
 +	SC_ALLOW(futex), /* for GSSAPI Kex */
 +#endif
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 #endif
--- a/openssh-7.2p2-UsePAM-UseLogin-warning.patch
+++ b/openssh-7.2p2-UsePAM-UseLogin-warning.patch
@ -1,14 +1,10 @@
 diff --git a/sshd.c b/sshd.c
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1701,6 +1701,14 @@ main(int ac, char **av)
+@@ -1701,6 +1701,10 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
 	    &cfg, NULL);
 +	/* 'UseLogin yes' is not supported in Fedora */
 +	if (options.use_login == 1)
 +		logit("WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.");
 +
 +	/* 'UsePAM no' is not supported in Fedora */
 +	if (! options.use_pam)
 +		logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
@ -28,12 +24,3 @@ diff --git a/sshd_config b/sshd_config
 UsePAM yes
 #AllowAgentForwarding yes
@@ -113,6 +115,8 @@ X11Forwarding yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 +# WARNING: 'UseLogin yes' is not supported in Fedora and may cause several
 +# problems.
 #UseLogin no
 #UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
--- a/openssh-7.2p2-expose-pam.patch
+++ b/openssh-7.2p2-expose-pam.patch
@ -1,6 +1,6 @@
-diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c
+diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.2p2/auth2.c.expose-pam	2016-07-18 12:30:12.064783302 +0200
+--- openssh-7.4p1/auth2.c.expose-pam	2016-12-23 15:40:26.768447868 +0100
-+++ openssh-7.2p2/auth2.c	2016-07-18 12:30:12.124783255 +0200
+++ openssh-7.4p1/auth2.c	2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
     const char *submethod)
 {
@ -28,9 +28,9 @@ diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {
-diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c
+diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
--- openssh-7.2p2/auth2-gss.c.expose-pam	2016-07-18 12:30:12.123783256 +0200
+--- openssh-7.4p1/auth2-gss.c.expose-pam	2016-12-23 15:40:26.769447868 +0100
-+++ openssh-7.2p2/auth2-gss.c	2016-07-18 12:32:08.034692086 +0200
+++ openssh-7.4p1/auth2-gss.c	2016-12-23 15:40:26.818447876 +0100
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
 	    authctxt->pw));
@ -51,9 +51,9 @@ diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c
 	buffer_free(&b);
 	if (micuser != authctxt->user)
 		free(micuser);
-diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbased.c
+diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
--- openssh-7.2p2/auth2-hostbased.c.expose-pam	2016-07-18 12:30:12.027783331 +0200
+--- openssh-7.4p1/auth2-hostbased.c.expose-pam	2016-12-23 15:40:26.731447862 +0100
-+++ openssh-7.2p2/auth2-hostbased.c	2016-07-18 12:30:12.124783255 +0200
+++ openssh-7.4p1/auth2-hostbased.c	2016-12-23 15:40:26.818447876 +0100
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
 {
 	Buffer b;
@ -88,9 +88,9 @@ diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbase
 	buffer_free(&b);
 done:
-diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
+diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
--- openssh-7.2p2/auth2-pubkey.c.expose-pam	2016-07-18 12:30:12.039783322 +0200
+--- openssh-7.4p1/auth2-pubkey.c.expose-pam	2016-12-23 15:40:26.746447864 +0100
-+++ openssh-7.2p2/auth2-pubkey.c	2016-07-18 12:30:12.124783255 +0200
+++ openssh-7.4p1/auth2-pubkey.c	2016-12-23 15:40:26.819447876 +0100
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
@ -100,7 +100,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
-@@ -173,7 +173,8 @@ userauth_pubkey(Authctxt *authctxt)
+@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
 #ifdef DEBUG_PK
 		buffer_dump(&b);
 #endif
@ -110,7 +110,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
 		/* test for correct signature */
 		authenticated = 0;
-@@ -181,9 +182,12 @@ userauth_pubkey(Authctxt *authctxt)
+@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
 		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 		    buffer_len(&b))) == 1) {
 			authenticated = 1;
@ -123,7 +123,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
 		}
 		buffer_free(&b);
 		free(sig);
-@@ -224,7 +228,7 @@ done:
+@@ -228,7 +232,7 @@ done:
 void
 pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 {
@ -132,7 +132,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
 	va_list ap;
 	int i;
-@@ -234,27 +238,13 @@ pubkey_auth_info(Authctxt *authctxt, con
+@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
 		i = vasprintf(&extra, fmt, ap);
 		va_end(ap);
 		if (i < 0 || extra == NULL)
@ -165,9 +165,9 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
 	free(extra);
 }
-diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h
+diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
--- openssh-7.2p2/auth.h.expose-pam	2016-07-18 12:30:12.077783292 +0200
+--- openssh-7.4p1/auth.h.expose-pam	2016-12-23 15:40:26.782447870 +0100
-+++ openssh-7.2p2/auth.h	2016-07-18 12:30:12.123783256 +0200
+++ openssh-7.4p1/auth.h	2016-12-23 15:40:26.819447876 +0100
@@ -84,6 +84,9 @@ struct Authctxt {
 	struct sshkey	**prev_userkeys;
@ -178,10 +178,10 @@ diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h
 };
 /*
  * Every authentication method has to handle authentication requests for
-diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c
+diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
--- openssh-7.2p2/auth-pam.c.expose-pam	2016-07-18 12:30:12.026783332 +0200
+--- openssh-7.4p1/auth-pam.c.expose-pam	2016-12-23 15:40:26.731447862 +0100
-+++ openssh-7.2p2/auth-pam.c	2016-07-18 12:30:12.123783256 +0200
+++ openssh-7.4p1/auth-pam.c	2016-12-23 15:40:26.819447876 +0100
-@@ -689,6 +689,11 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
 		return (NULL);
 	}
@ -193,9 +193,9 @@ diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c
 	ctxt = xcalloc(1, sizeof *ctxt);
 	/* Start the authentication thread */
-diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c
+diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
--- openssh-7.2p2/gss-serv.c.expose-pam	2016-07-18 12:30:12.124783255 +0200
+--- openssh-7.4p1/gss-serv.c.expose-pam	2016-12-23 15:40:26.808447874 +0100
-+++ openssh-7.2p2/gss-serv.c	2016-07-18 12:33:08.835644264 +0200
+++ openssh-7.4p1/gss-serv.c	2016-12-23 15:40:26.819447876 +0100
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
 }
@ -213,10 +213,10 @@ diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c
 int
 ssh_gssapi_userok(char *user, struct passwd *pw)
 {
-diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
+diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.2p2/monitor.c.expose-pam	2016-07-18 12:30:12.093783279 +0200
+--- openssh-7.4p1/monitor.c.expose-pam	2016-12-23 15:40:26.794447872 +0100
-+++ openssh-7.2p2/monitor.c	2016-07-18 12:30:12.124783255 +0200
+++ openssh-7.4p1/monitor.c	2016-12-23 15:41:16.473455863 +0100
-@@ -349,6 +349,7 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
 {
 	struct mon_table *ent;
 	int authenticated = 0, partial = 0;
@ -224,7 +224,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
 	debug3("preauth child monitor started");
-@@ -386,6 +387,18 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
 		auth_submethod = NULL;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
@ -242,8 +242,8 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
 +
 		/* Special handling for multiple required authentications */
 		if (options.num_auth_methods != 0) {
- 			if (!compat20)
+ 			if (authenticated &&
-@@ -1498,6 +1511,10 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
 	debug3("%s: key %p signature %s",
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
@ -254,7 +254,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
 	/* If auth was successful then record key to ensure it isn't reused */
 	if (verified == 1 && key_blobtype == MM_USERKEY)
 		auth2_record_userkey(authctxt, key);
-@@ -2140,6 +2157,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
 	auth_method = "gssapi-with-mic";
@ -264,43 +264,43 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
-diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
+diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
--- openssh-7.2p2/servconf.c.expose-pam	2016-07-18 12:30:12.112783264 +0200
+--- openssh-7.4p1/servconf.c.expose-pam	2016-12-23 15:40:26.810447875 +0100
-+++ openssh-7.2p2/servconf.c	2016-07-18 12:34:38.170574004 +0200
+++ openssh-7.4p1/servconf.c	2016-12-23 15:44:04.691482920 +0100
-@@ -176,6 +176,7 @@ initialize_server_options(ServerOptions
+@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
- 	options->fingerprint_hash = -1;
+ 	options->disable_forwarding = -1;
 	options->use_kuserok = -1;
 	options->enable_k5users = -1;
 +	options->expose_auth_methods = -1;
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -374,6 +375,8 @@ fill_default_server_options(ServerOption
+@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
 		options->enable_k5users = 0;
 	if (options->use_kuserok == -1)
 		options->use_kuserok = 1;
 	if (options->enable_k5users == -1)
 		options->enable_k5users = 0;
 +	if (options->expose_auth_methods == -1)
 +		options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
 	assemble_algorithms(options);
-@@ -451,6 +454,7 @@ typedef enum {
+@@ -439,6 +442,7 @@ typedef enum {
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
- 	sAllowStreamLocalForwarding, sFingerprintHash,
+ 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 +	sExposeAuthenticationMethods,
- 	sDeprecated, sUnsupported
+ 	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
-@@ -606,6 +610,7 @@ static struct {
+@@ -595,6 +599,7 @@ static struct {
 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 +	{ "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
-@@ -994,6 +999,12 @@ static const struct multistate multistat
+@@ -984,6 +989,12 @@ static const struct multistate multistat
 	{ "local",			FORWARD_LOCAL },
 	{ NULL, -1 }
 };
@ -313,7 +313,7 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
 int
 process_server_config_line(ServerOptions *options, char *line,
-@@ -1918,6 +1929,11 @@ process_server_config_line(ServerOptions
+@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
 			options->fingerprint_hash = value;
 		break;
@ -323,9 +323,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
 +		goto parse_multistate;
 +
 	case sDeprecated:
- 		logit("%s line %d: Deprecated option %s",
+ 	case sIgnore:
- 		    filename, linenum, arg);
+ 	case sUnsupported:
-@@ -2076,6 +2092,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(enable_k5users);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
@ -333,16 +333,16 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
 	/*
 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
-@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val)
+@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash:
 		return ssh_digest_alg_name(val);
 +	case sExposeAuthenticationMethods:
 +		return fmt_multistate_int(val, multistate_exposeauthmeth);
- 	case sProtocol:
+ 	default:
 		switch (val) {
- 		case SSH_PROTO_1:
+ 		case 0:
-@@ -2374,6 +2393,7 @@ dump_config(ServerOptions *o)
+@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
 	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
@ -350,9 +350,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
+diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
--- openssh-7.2p2/servconf.h.expose-pam	2016-07-18 12:30:12.112783264 +0200
+--- openssh-7.4p1/servconf.h.expose-pam	2016-12-23 15:40:26.810447875 +0100
-+++ openssh-7.2p2/servconf.h	2016-07-18 12:30:12.125783254 +0200
+++ openssh-7.4p1/servconf.h	2016-12-23 15:40:26.821447876 +0100
@@ -48,6 +48,11 @@
 #define FORWARD_LOCAL		(1<<1)
 #define FORWARD_ALLOW		(FORWARD_REMOTE|FORWARD_LOCAL)
@ -365,7 +365,7 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX	10	/* Default for MaxSessions */
-@@ -201,6 +206,8 @@ typedef struct {
+@@ -195,6 +200,8 @@ typedef struct {
 	char   *auth_methods[MAX_AUTH_METHODS];
 	int	fingerprint_hash;
@ -374,10 +374,10 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
-diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
+diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
--- openssh-7.2p2/session.c.expose-pam	2016-07-18 12:30:12.120783258 +0200
+--- openssh-7.4p1/session.c.expose-pam	2016-12-23 15:40:26.794447872 +0100
-+++ openssh-7.2p2/session.c	2016-07-18 12:30:12.125783254 +0200
+++ openssh-7.4p1/session.c	2016-12-23 15:40:26.821447876 +0100
-@@ -1180,6 +1180,12 @@ copy_environment(char **source, char ***
+@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
 		}
 		*var_val++ = '\0';
@ -390,7 +390,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
 		debug3("Copy environment: %s=%s", var_name, var_val);
 		child_set_env(env, envsize, var_name, var_val);
-@@ -1359,6 +1365,11 @@ do_setup_env(Session *s, const char *she
+@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
 	}
 #endif /* USE_PAM */
@ -402,7 +402,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
 	if (auth_sock_name != NULL)
 		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
 		    auth_sock_name);
-@@ -2798,6 +2809,9 @@ do_cleanup(Authctxt *authctxt)
+@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
 	if (authctxt == NULL)
 		return;
@ -412,10 +412,10 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
 #ifdef USE_PAM
 	if (options.use_pam) {
 		sshpam_cleanup();
-diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1
+diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
--- openssh-7.2p2/ssh.1.expose-pam	2016-07-18 12:30:12.112783264 +0200
+--- openssh-7.4p1/ssh.1.expose-pam	2016-12-23 15:40:26.810447875 +0100
-+++ openssh-7.2p2/ssh.1	2016-07-18 12:30:12.126783253 +0200
+++ openssh-7.4p1/ssh.1	2016-12-23 15:40:26.822447877 +0100
-@@ -1396,6 +1396,10 @@ server IP address, and server port numbe
+@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
 This variable contains the original command line if a forced command
 is executed.
 It can be used to extract the original arguments.
@ -426,13 +426,13 @@ diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1
 .It Ev SSH_TTY
 This is set to the name of the tty (path to the device) associated
 with the current shell or command.
-diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
--- openssh-7.2p2/sshd_config.5.expose-pam	2016-07-18 12:30:12.113783263 +0200
+--- openssh-7.4p1/sshd_config.5.expose-pam	2016-12-23 15:40:26.822447877 +0100
-+++ openssh-7.2p2/sshd_config.5	2016-07-18 12:30:12.126783253 +0200
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:45:22.411495421 +0100
-@@ -570,6 +570,21 @@ and finally
+@@ -570,6 +570,21 @@ Disables all forwarding features, includ
- See PATTERNS in
+ TCP and StreamLocal.
- .Xr ssh_config 5
+ This option overrides all other forwarding-related options and may
- for more information on patterns.
+ simplify restricted configurations.
 +.It Cm ExposeAuthenticationMethods
 +When using SSH2, this option controls the exposure of the list of
 +successful authentication methods to PAM during the authentication
@ -440,20 +440,20 @@ diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5
 +.Cm SSH_USER_AUTH
 +variable. See the description of this variable for more details.
 +Valid options are:
-+.Dq never
+.Cm never
 +(Do not expose successful authentication methods),
-+.Dq pam-only
+.Cm pam-only
 +(Only expose them to PAM during authentication, not afterwards),
-+.Dq pam-and-env
+.Cm pam-and-env
 +(Expose them to PAM and keep them in the shell environment).
 +The default is
-+.Dq never .
+.Cm never .
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are:
-diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h
+diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
--- openssh-7.2p2/ssh-gss.h.expose-pam	2016-07-18 12:30:12.125783254 +0200
+--- openssh-7.4p1/ssh-gss.h.expose-pam	2016-12-23 15:40:26.811447875 +0100
-+++ openssh-7.2p2/ssh-gss.h	2016-07-18 12:35:01.906555328 +0200
+++ openssh-7.4p1/ssh-gss.h	2016-12-23 15:40:26.823447877 +0100
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
     const char *);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
@ -462,10 +462,10 @@ diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
-diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
+diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
--- openssh-7.2p2/sshkey.c.expose-pam	2016-07-18 12:30:12.071783296 +0200
+--- openssh-7.4p1/sshkey.c.expose-pam	2016-12-23 15:40:26.777447869 +0100
-+++ openssh-7.2p2/sshkey.c	2016-07-18 12:30:12.126783253 +0200
+++ openssh-7.4p1/sshkey.c	2016-12-23 15:40:26.823447877 +0100
-@@ -58,6 +58,7 @@
+@@ -57,6 +57,7 @@
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
 #include "match.h"
@ -473,7 +473,7 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
 /* openssh private key file format */
 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
-@@ -1190,6 +1191,30 @@ sshkey_fingerprint(const struct sshkey *
+@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
 	return retval;
 }
@ -504,9 +504,9 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
 #ifdef WITH_SSH1
 /*
  * Reads a multiple-precision integer in decimal from the buffer, and advances
-diff -up openssh-7.2p2/sshkey.h.expose-pam openssh-7.2p2/sshkey.h
+diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
--- openssh-7.2p2/sshkey.h.expose-pam	2016-07-18 12:30:12.071783296 +0200
+--- openssh-7.4p1/sshkey.h.expose-pam	2016-12-23 15:40:26.777447869 +0100
-+++ openssh-7.2p2/sshkey.h	2016-07-18 12:30:12.127783252 +0200
+++ openssh-7.4p1/sshkey.h	2016-12-23 15:40:26.823447877 +0100
@@ -124,6 +124,7 @@ char		*sshkey_fingerprint(const struct s
     int, enum sshkey_fp_rep);
 int		 sshkey_fingerprint_raw(const struct sshkey *k,
--- a/openssh-7.3p1-null-deref.patch
+++ b/openssh-7.3p1-null-deref.patch
@ -1,48 +0,0 @@
 From 28652bca29046f62c7045e933e6b931de1d16737 Mon Sep 17 00:00:00 2001
 From: "markus@openbsd.org" <markus@openbsd.org>
 Date: Mon, 19 Sep 2016 19:02:19 +0000
 Subject: upstream commit
 move inbound NEWKEYS handling to kex layer; otherwise
 early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
 with & ok djm@
 Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
 ---
 kex.c    | 4 +++-
 packet.c | 6 ++----
 2 files changed, 5 insertions(+), 5 deletions(-)
 diff --git a/kex.c b/kex.c
 index f4c130f..8800d40 100644
 --- a/kex.c
 +++ b/kex.c
@@ -425,6 +425,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		return r;
 +	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
 +		return r;
 	kex->done = 1;
 	sshbuf_reset(kex->peer);
 	/* sshbuf_reset(kex->my); */
 diff --git a/packet.c b/packet.c
 index 711091d..fb316ac 100644
 --- a/packet.c
 +++ b/packet.c
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 			return r;
 		return SSH_ERR_PROTOCOL_ERROR;
 	}
 -	if (*typep == SSH2_MSG_NEWKEYS)
 -		r = ssh_set_newkeys(ssh, MODE_IN);
 -	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
 +	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
 		r = ssh_packet_enable_delayed_compress(ssh);
 	else
 		r = 0;
 -- 
 cgit v0.12
 0
--- a/openssh-7.3p1-openssl-1.1.0.patch
+++ b/openssh-7.3p1-openssl-1.1.0.patch
--- a/openssh-7.3p1-x11-max-displays.patch
+++ b/openssh-7.3p1-x11-max-displays.patch
@ -1,7 +1,7 @@
-diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
+diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-6.6p1/channels.c.x11max	2016-06-27 16:28:49.803631684 +0200
+--- openssh-7.4p1/channels.c.x11max	2016-12-23 15:46:32.071506625 +0100
-+++ openssh-6.6p1/channels.c	2016-06-27 16:28:49.814631678 +0200
+++ openssh-7.4p1/channels.c	2016-12-23 15:46:32.139506636 +0100
-@@ -138,8 +138,8 @@ static int all_opens_permitted = 0;
+@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
 /* -- X11 forwarding */
@ -12,7 +12,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 /* Saved X11 local (client) display. */
 static char *x11_saved_display = NULL;
-@@ -3445,7 +3445,8 @@ channel_send_window_changes(void)
+@@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
  */
 int
 x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
@ -22,7 +22,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 {
 	Channel *nc = NULL;
 	int display_number, sock;
-@@ -3457,10 +3458,15 @@ x11_create_display_inet(int x11_display_
+@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
 	if (chanids == NULL)
 		return -1;
@ -40,7 +40,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = IPv4or6;
 		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
-@@ -3512,7 +3518,7 @@ x11_create_display_inet(int x11_display_
+@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
 		if (num_socks > 0)
 			break;
 	}
@ -49,7 +49,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 		error("Failed to allocate internet-domain X11 display socket.");
 		return -1;
 	}
-@@ -3658,7 +3664,7 @@ x11_connect_display(void)
+@@ -4441,7 +4447,7 @@ x11_connect_display(void)
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = IPv4or6;
 	hints.ai_socktype = SOCK_STREAM;
@ -58,7 +58,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
 		error("%.100s: unknown host. (%s)", buf,
 		ssh_gai_strerror(gaierr));
-@@ -3674,7 +3680,7 @@ x11_connect_display(void)
+@@ -4457,7 +4463,7 @@ x11_connect_display(void)
 		/* Connect it to the display. */
 		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 			debug2("connect %.100s port %u: %.100s", buf,
@ -67,7 +67,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 			close(sock);
 			continue;
 		}
-@@ -3683,8 +3689,8 @@ x11_connect_display(void)
+@@ -4466,8 +4472,8 @@ x11_connect_display(void)
 	}
 	freeaddrinfo(aitop);
 	if (!ai) {
@ -78,10 +78,10 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
 		return -1;
 	}
 	set_nodelay(sock);
-diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
+diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-6.6p1/channels.h.x11max	2016-06-27 16:28:49.814631678 +0200
+--- openssh-7.4p1/channels.h.x11max	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-6.6p1/channels.h	2016-06-27 16:31:18.925557840 +0200
+++ openssh-7.4p1/channels.h	2016-12-23 15:46:32.139506636 +0100
-@@ -281,7 +281,7 @@ int	 permitopen_port(const char *);
+@@ -293,7 +293,7 @@ int	 permitopen_port(const char *);
 void	 channel_set_x11_refuse_time(u_int);
 int	 x11_connect_display(void);
@ -90,10 +90,10 @@ diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
 int      x11_input_open(int, u_int32_t, void *);
 void	 x11_request_forwarding_with_spoofing(int, const char *, const char *,
 	     const char *, int);
-diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
+diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-6.6p1/servconf.c.x11max	2016-06-27 16:28:49.808631681 +0200
+--- openssh-7.4p1/servconf.c.x11max	2016-12-23 15:46:32.133506635 +0100
-+++ openssh-6.6p1/servconf.c	2016-06-27 16:30:46.941573678 +0200
+++ openssh-7.4p1/servconf.c	2016-12-23 15:47:27.320519121 +0100
-@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
+@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
 	options->print_lastlog = -1;
 	options->x11_forwarding = -1;
 	options->x11_display_offset = -1;
@ -101,7 +101,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
 	options->x11_use_localhost = -1;
 	options->permit_tty = -1;
 	options->permit_user_rc = -1;
-@@ -219,6 +220,8 @@ fill_default_server_options(ServerOption
+@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
 		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
@ -110,16 +110,16 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
 	if (options->x11_use_localhost == -1)
 		options->x11_use_localhost = 1;
 	if (options->xauth_location == NULL)
-@@ -364,7 +367,7 @@ typedef enum {
+@@ -419,7 +422,7 @@ typedef enum {
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 -	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 +	sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
- 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
+ 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
-@@ -476,6 +479,7 @@ static struct {
+@@ -540,6 +543,7 @@ static struct {
 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
 	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
 	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
@ -127,9 +127,9 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-@@ -1202,6 +1206,10 @@ process_server_config_line(ServerOptions
+@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
- 		intptr = &options->x11_display_offset;
+ 			*intptr = value;
- 		goto parse_int;
+ 		break;
 +	case sX11MaxDisplays:
 +		intptr = &options->x11_max_displays;
@ -138,7 +138,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
 	case sX11UseLocalhost:
 		intptr = &options->x11_use_localhost;
 		goto parse_flag;
-@@ -1889,6 +1897,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
@ -146,17 +146,17 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(permit_tty);
 	M_CP_INTOPT(permit_user_rc);
-@@ -2106,6 +2115,7 @@ dump_config(ServerOptions *o)
+@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
 #endif
 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
 +	dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
 	dump_cfg_int(sMaxSessions, o->max_sessions);
 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
-diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
+diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-6.6p1/servconf.h.x11max	2016-06-27 16:28:49.809631681 +0200
+--- openssh-7.4p1/servconf.h.x11max	2016-12-23 15:46:32.133506635 +0100
-+++ openssh-6.6p1/servconf.h	2016-06-27 16:28:49.815631678 +0200
+++ openssh-7.4p1/servconf.h	2016-12-23 15:46:32.140506636 +0100
@@ -55,6 +55,7 @@
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
@ -173,10 +173,10 @@ diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
 	char   *xauth_location;	/* Location of xauth program */
 	int	permit_tty;	/* If false, deny pty allocation */
-diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
+diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-6.6p1/session.c.x11max	2016-06-27 16:28:49.809631681 +0200
+--- openssh-7.4p1/session.c.x11max	2016-12-23 15:46:32.136506636 +0100
-+++ openssh-6.6p1/session.c	2016-06-27 16:28:49.815631678 +0200
+++ openssh-7.4p1/session.c	2016-12-23 15:46:32.141506636 +0100
-@@ -2741,8 +2741,9 @@ session_setup_x11fwd(Session *s)
+@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
 		return 0;
 	}
 	if (x11_create_display_inet(options.x11_display_offset,
@ -188,10 +188,10 @@ diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
 		debug("x11_create_display_inet failed.");
 		return 0;
 	}
-diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
+diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.x11max	2016-06-27 16:28:49.809631681 +0200
+--- openssh-7.4p1/sshd_config.5.x11max	2016-12-23 15:46:32.134506635 +0100
-+++ openssh-6.6p1/sshd_config.5	2016-06-27 16:32:01.253536879 +0200
+++ openssh-7.4p1/sshd_config.5	2016-12-23 15:46:32.141506636 +0100
-@@ -930,6 +930,7 @@ Available keywords are
+@@ -1133,6 +1133,7 @@ Available keywords are
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
 .Cm X11DisplayOffset ,
@ -199,7 +199,7 @@ diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
 .Cm X11Forwarding
 and
 .Cm X11UseLocalHost .
-@@ -1339,6 +1340,12 @@ Specifies the first display number avail
+@@ -1566,6 +1567,12 @@ Specifies the first display number avail
 X11 forwarding.
 This prevents sshd from interfering with real X11 servers.
 The default is 10.
--- a/openssh-7.4p1-daemon.patch
+++ b/openssh-7.4p1-daemon.patch
@ -0,0 +1,12 @@
 diff -up openssh-7.4p1/sshd.c.daemon openssh-7.4p1/sshd.c
 --- openssh-7.4p1/sshd.c.daemon	2017-01-02 15:32:56.618447579 +0100
 +++ openssh-7.4p1/sshd.c	2017-01-02 15:33:07.606442751 +0100
@@ -1943,7 +1943,7 @@ main(int ac, char **av)
 	 * terminal, and fork.  The original process exits.
 	 */
 	already_daemon = daemonized();
 -	if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) {
 +	if (!(debug_flag || inetd_flag || no_daemon_flag /*|| already_daemon*/)) {
 		if (daemon(0, 0) < 0)
 			fatal("daemon() failed: %.200s", strerror(errno));
--- a/openssh.spec
+++ b/openssh.spec
@ -65,10 +65,10 @@
 %endif
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 7.3p1
+%global openssh_ver 7.4p1
-%global openssh_rel 7
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.2
-%global pam_ssh_agent_rel 4
+%global pam_ssh_agent_rel 5
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@ -223,10 +223,10 @@ Patch939: openssh-7.2p2-s390-closefrom.patch
 Patch940: openssh-7.2p2-expose-pam.patch
 # Rework SELinux context handling with chroot (#1357860)
 Patch942: openssh-7.2p2-chroot-capabilities.patch
 # Null dereference in newkeys code (#1380297)
 Patch943: openssh-7.3p1-null-deref.patch
 # Move MAX_DISPLAYS to a configuration option (#1341302)
 Patch944: openssh-7.3p1-x11-max-displays.patch
 # Temporary workaround for upstream (#2641)
 Patch945: openssh-7.4p1-daemon.patch
 License: BSD
@ -459,8 +459,8 @@ popd
 %patch939 -p1 -b .s390-dev
 %patch940 -p1 -b .expose-pam
 %patch942 -p1 -b .chroot-cap
 %patch943 -p1 -b .deref
 %patch944 -p1 -b .x11max
 %patch945 -p1 -b .daemon
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-a212baca7ce11d596bd8dcb222859ace  pam_ssh_agent_auth-0.10.2.tar.bz2
+SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
-dfadd9f035d38ce5d58a3bf130b86d08  openssh-7.3p1.tar.gz
+SHA512 (pam_ssh_agent_auth-0.10.2.tar.bz2) = b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38
`@ -1,2 +1,2 @@`
	`a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2`	`SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292`
	`dfadd9f035d38ce5d58a3bf130b86d08 openssh-7.3p1.tar.gz`	`SHA512 (pam_ssh_agent_auth-0.10.2.tar.bz2) = b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38`