rebase to openssh-6.1p1 (#852651)

2012-09-14 22:18:22 +02:00 · 2012-09-14 22:18:22 +02:00 · 9fe1afc163
parent 51ca3be245
commit 9fe1afc163
10 changed files with 791 additions and 847 deletions
--- a/openssh-5.9p1-null-xcrypt.patch
+++ b/openssh-5.9p1-null-xcrypt.patch
@ -1,17 +0,0 @@
 Index: auth-passwd.c
 ===================================================================
 RCS file: /cvs/openssh/auth-passwd.c,v
 retrieving revision 1.90
 retrieving revision 1.91
 diff -u -r1.90 -r1.91
 --- auth-passwd.c	8 Mar 2009 00:40:28 -0000	1.90
 +++ auth-passwd.c	25 Apr 2012 23:51:28 -0000	1.91
@@ -209,6 +209,7 @@
 	 * Authentication is accepted if the encrypted passwords
 	 * are identical.
 	 */
 -	return (strcmp(encrypted_password, pw_password) == 0);
 +	return encrypted_password != NULL &&
 +	    strcmp(encrypted_password, pw_password) == 0;
 }
 #endif
--- a/openssh-6.1p1-akc.patch
+++ b/openssh-6.1p1-akc.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
+diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc	2012-02-06 20:47:36.641814218 +0100
+--- openssh-6.1p1/auth2-pubkey.c.akc	2012-09-14 20:20:48.459445650 +0200
-+++ openssh-5.9p1/auth2-pubkey.c	2012-02-06 20:47:36.665095838 +0100
+++ openssh-6.1p1/auth2-pubkey.c	2012-09-14 20:20:48.520446072 +0200
@@ -27,6 +27,7 @@
 #include <sys/types.h>
@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 #include <fcntl.h>
 #include <pwd.h>
-@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
+@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
 /* return 1 if user allows given key */
 static int
@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
-@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
 	return ret;
 }
@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 	if (auth_key_is_revoked(key))
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
+diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
--- openssh-5.9p1/configure.ac.akc	2012-02-06 20:47:36.656046570 +0100
+--- openssh-6.1p1/configure.ac.akc	2012-07-06 03:49:29.000000000 +0200
-+++ openssh-5.9p1/configure.ac	2012-02-06 20:47:36.666095176 +0100
+++ openssh-6.1p1/configure.ac	2012-09-14 20:20:48.525446106 +0200
-@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
+@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
 	esac ]
 )
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 	arc4random \
-@@ -4239,6 +4251,7 @@ echo "                   SELinux support
+@@ -4407,6 +4419,7 @@ echo "                   SELinux support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.akc	2012-02-06 20:47:36.573033521 +0100
+--- openssh-6.1p1/servconf.c.akc	2012-09-14 20:20:48.138443423 +0200
-+++ openssh-5.9p1/servconf.c	2012-02-06 20:47:36.667106367 +0100
+++ openssh-6.1p1/servconf.c	2012-09-14 20:27:34.546107295 +0200
-@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
+@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
-@@ -329,6 +331,7 @@ typedef enum {
+@@ -334,6 +336,7 @@ typedef enum {
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- 	sKexAlgorithms, sIPQoS,
+ 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 +	sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
-@@ -455,6 +458,13 @@ static struct {
+@@ -461,6 +464,14 @@ static struct {
 	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
 	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
 +	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 +	{ "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 +	{ "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
 +	{ "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
 +#endif
 +
 	{ NULL, sBadOption, 0 }
 };
-@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
+@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
 		}
- 		break;
+ 		return 0;
 +	case sAuthorizedKeysCommand:
 +		len = strspn(cp, WHITESPACE);
@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
-@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
+@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
-@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
+@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 	dump_cfg_string(sAuthorizedPrincipalsFile,
 	    o->authorized_principals_file);
 	dump_cfg_string(sVersionAddendum, o->version_addendum);
 +	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 +	dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
+diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.akc	2012-02-06 20:47:36.574033734 +0100
+--- openssh-6.1p1/servconf.h.akc	2012-09-14 20:20:48.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-02-06 20:47:36.668096740 +0100
+++ openssh-6.1p1/servconf.h	2012-09-14 20:23:16.691844577 +0200
@@ -169,6 +169,8 @@ typedef struct {
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 	char   *authorized_principals_file;
 +	char   *authorized_keys_command;
 +	char   *authorized_keys_command_runas;
 }       ServerOptions;
- /*
+ 	char   *version_addendum;	/* Appended to SSH banner */
-diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+ }       ServerOptions;
--- openssh-5.9p1/sshd_config.akc	2011-05-29 13:39:39.000000000 +0200
+diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
-+++ openssh-5.9p1/sshd_config	2012-02-06 20:47:36.669067546 +0100
+--- openssh-6.1p1/sshd_config.akc	2012-07-31 04:21:34.000000000 +0200
 +++ openssh-6.1p1/sshd_config	2012-09-14 20:30:46.950095769 +0200
@@ -49,6 +49,9 @@
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandRunAs nobody
 +
 #AuthorizedPrincipalsFile none
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- #RhostsRSAAuthentication no
+diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
- # similar for protocol version 2
+--- openssh-6.1p1/sshd_config.0.akc	2012-08-29 02:53:04.000000000 +0200
-diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
+++ openssh-6.1p1/sshd_config.0	2012-09-14 20:32:23.539624859 +0200
 --- openssh-5.9p1/sshd_config.0.akc	2011-09-07 01:16:30.000000000 +0200
 +++ openssh-5.9p1/sshd_config.0	2012-02-06 20:47:36.669067546 +0100
@@ -71,6 +71,23 @@ DESCRIPTION
              See PATTERNS in ssh_config(5) for more information on patterns.
@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
      AuthorizedKeysFile
              Specifies the file that contains the public keys that can be used
              for user authentication.  The format is described in the
-@@ -401,7 +418,8 @@ DESCRIPTION
+@@ -402,7 +419,8 @@ DESCRIPTION
              Only a subset of keywords may be used on the lines following a
-              Match keyword.  Available keywords are AllowAgentForwarding,
+              Match keyword.  Available keywords are AcceptEnv,
-             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
+              AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
-+             AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
+-             AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
-+             AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
+             AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
-              Banner, ChrootDirectory, ForceCommand, GatewayPorts,
+             AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
-              GSSAPIAuthentication, HostbasedAuthentication,
+              ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
+diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc	2012-02-06 20:47:36.574891218 +0100
+--- openssh-6.1p1/sshd_config.5.akc	2012-09-14 20:20:48.142443448 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-02-06 20:49:58.913878595 +0100
+++ openssh-6.1p1/sshd_config.5	2012-09-14 20:29:56.003873873 +0200
@@ -151,6 +151,19 @@ See
 in
 .Xr ssh_config 5
@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
-@@ -706,6 +719,8 @@ Available keywords are
+@@ -712,6 +725,8 @@ Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
 .Cm AuthorizedKeysFile ,
 +.Cm AuthorizedKeysCommand ,
 +.Cm AuthorizedKeysCommandRunAs ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
-@@ -718,6 +733,7 @@ Available keywords are
+@@ -726,6 +741,7 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
--- a/openssh-6.1p1-askpass-ld.patch
+++ b/openssh-6.1p1-askpass-ld.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
+diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
--- openssh-5.8p2/contrib/Makefile.askpass-ld	2011-08-08 22:54:06.050546199 +0200
+--- openssh-6.1p1/contrib/Makefile.askpass-ld	2012-05-19 07:24:37.000000000 +0200
-+++ openssh-5.8p2/contrib/Makefile	2011-08-08 22:54:43.364420118 +0200
+++ openssh-6.1p1/contrib/Makefile	2012-09-14 20:35:47.565704718 +0200
-@@ -2,12 +2,12 @@ all:
+@@ -4,12 +4,12 @@ all:
 	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
 gnome-ssh-askpass1: gnome-ssh-askpass1.c
@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil
 		`gnome-config --libs gnome gnomeui`
 gnome-ssh-askpass2: gnome-ssh-askpass2.c
-	$(CC) `pkg-config --cflags gtk+-2.0` \
+-	$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
-+	$(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
+	$(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
 		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
- 		`pkg-config --libs gtk+-2.0 x11`
+ 		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
--- a/openssh-6.1p1-coverity.patch
+++ b/openssh-6.1p1-coverity.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
+diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
--- openssh-5.9p1/auth-pam.c.coverity	2009-07-12 14:07:21.000000000 +0200
+--- openssh-6.1p1/auth-pam.c.coverity	2009-07-12 14:07:21.000000000 +0200
-+++ openssh-5.9p1/auth-pam.c	2011-09-14 08:09:47.074520582 +0200
+++ openssh-6.1p1/auth-pam.c	2012-09-14 21:16:41.264906486 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
 	if (sshpam_thread_status != -1)
 		return (sshpam_thread_status);
@ -15,43 +15,10 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
 	return (status);
 }
 #endif
-diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
+diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c
--- openssh-5.9p1/channels.c.coverity	2011-06-23 00:31:57.000000000 +0200
+--- openssh-6.1p1/clientloop.c.coverity	2012-06-20 14:31:27.000000000 +0200
-+++ openssh-5.9p1/channels.c	2011-09-14 08:09:47.556582810 +0200
+++ openssh-6.1p1/clientloop.c	2012-09-14 21:16:41.267906501 +0200
-@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
 -	if (rfd != -1)
 +	if (rfd >= 0)
 		fcntl(rfd, F_SETFD, FD_CLOEXEC);
 -	if (wfd != -1 && wfd != rfd)
 +	if (wfd >= 0 && wfd != rfd)
 		fcntl(wfd, F_SETFD, FD_CLOEXEC);
 -	if (efd != -1 && efd != rfd && efd != wfd)
 +	if (efd >= 0 && efd != rfd && efd != wfd)
 		fcntl(efd, F_SETFD, FD_CLOEXEC);
 	c->rfd = rfd;
@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
 	/* enable nonblocking mode */
 	if (nonblock) {
 -		if (rfd != -1)
 +		if (rfd >= 0)
 			set_nonblock(rfd);
 -		if (wfd != -1)
 +		if (wfd >= 0)
 			set_nonblock(wfd);
 -		if (efd != -1)
 +		if (efd >= 0)
 			set_nonblock(efd);
 	}
 }
 diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
 --- openssh-5.9p1/clientloop.c.coverity	2011-06-23 00:31:58.000000000 +0200
 +++ openssh-5.9p1/clientloop.c	2011-09-14 08:17:41.556521887 +0200
@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
 	char *rtype;
 	int want_reply;
 	int success = 0;
@ -69,10 +36,43 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
 		packet_send();
 		packet_write_wait();
 	}
-diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
+diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
--- openssh-5.9p1/key.c.coverity	2011-05-20 11:03:08.000000000 +0200
+--- openssh-6.1p1/channels.c.coverity	2012-04-23 10:21:05.000000000 +0200
-+++ openssh-5.9p1/key.c	2011-09-14 08:09:47.803458435 +0200
+++ openssh-6.1p1/channels.c	2012-09-14 21:16:41.272906528 +0200
-@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
+@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
 -	if (rfd != -1)
 +	if (rfd >= 0)
 		fcntl(rfd, F_SETFD, FD_CLOEXEC);
 -	if (wfd != -1 && wfd != rfd)
 +	if (wfd >= 0 && wfd != rfd)
 		fcntl(wfd, F_SETFD, FD_CLOEXEC);
 -	if (efd != -1 && efd != rfd && efd != wfd)
 +	if (efd >= 0 && efd != rfd && efd != wfd)
 		fcntl(efd, F_SETFD, FD_CLOEXEC);
 	c->rfd = rfd;
@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
 	/* enable nonblocking mode */
 	if (nonblock) {
 -		if (rfd != -1)
 +		if (rfd >= 0)
 			set_nonblock(rfd);
 -		if (wfd != -1)
 +		if (wfd >= 0)
 			set_nonblock(wfd);
 -		if (efd != -1)
 +		if (efd >= 0)
 			set_nonblock(efd);
 	}
 }
 diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
 --- openssh-6.1p1/key.c.coverity	2012-06-30 12:05:02.000000000 +0200
 +++ openssh-6.1p1/key.c	2012-09-14 21:16:41.274906537 +0200
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
 		success = 1;
 /*XXXX*/
 		key_free(k);
@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
 		/* advance cp: skip whitespace and data */
 		while (*cp == ' ' || *cp == '\t')
 			cp++;
-diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
+diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
-diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
+--- openssh-6.1p1/monitor.c.coverity	2012-06-30 00:33:17.000000000 +0200
--- openssh-5.9p1/monitor.c.coverity	2011-08-05 22:15:18.000000000 +0200
+++ openssh-6.1p1/monitor.c	2012-09-14 21:16:41.277906552 +0200
 +++ openssh-5.9p1/monitor.c	2011-09-14 08:09:47.914584009 +0200
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
 	}
@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
 		;
 	if (!authctxt->valid)
-@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m
 			break;
 		}
 	}
@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
 	if (key != NULL)
 		key_free(key);
-@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m
 		xfree(chost);
 	}
@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
-diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
+diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.coverity	2011-09-14 08:11:36.480500123 +0200
+--- openssh-6.1p1/monitor_wrap.c.coverity	2011-06-20 06:42:23.000000000 +0200
-+++ openssh-5.9p1/monitor_wrap.c	2011-09-14 08:14:11.279520598 +0200
+++ openssh-6.1p1/monitor_wrap.c	2012-09-14 21:16:41.280906568 +0200
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
 		return 0;
 	}
 	close(tmp1);
-diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
+diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity	2010-12-03 00:50:26.000000000 +0100
+--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity	2010-12-03 00:50:26.000000000 +0100
-+++ openssh-5.9p1/openbsd-compat/bindresvport.c	2011-09-14 08:09:48.084459344 +0200
+++ openssh-6.1p1/openbsd-compat/bindresvport.c	2012-09-14 21:16:41.281906573 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
 	int i;
 	if (sa == NULL) {
-diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
+diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
--- openssh-5.9p1/packet.c.coverity	2011-05-15 00:58:15.000000000 +0200
+--- openssh-6.1p1/packet.c.coverity	2012-03-09 00:28:07.000000000 +0100
-+++ openssh-5.9p1/packet.c	2011-09-14 08:09:48.184587842 +0200
+++ openssh-6.1p1/packet.c	2012-09-14 21:16:41.284906588 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
 		case DEATTACK_DETECTED:
 			packet_disconnect("crc32 compensation attack: "
@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
 		case DEATTACK_DOS_DETECTED:
 			packet_disconnect("deattack denial of "
 			    "service detected");
-@@ -1684,7 +1685,7 @@ void
+@@ -1678,7 +1679,7 @@ void
 packet_write_wait(void)
 {
 	fd_set *setp;
@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
 	struct timeval start, timeout, *timeoutp = NULL;
 	setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
-diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
+diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
--- openssh-5.9p1/progressmeter.c.coverity	2006-08-05 04:39:40.000000000 +0200
+--- openssh-6.1p1/progressmeter.c.coverity	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.9p1/progressmeter.c	2011-09-14 08:09:48.300586004 +0200
+++ openssh-6.1p1/progressmeter.c	2012-09-14 21:16:41.285906593 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
 static time_t start;		/* start progress */
@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
 {
 	start = last_update = time(NULL);
 	file = f;
-diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
+diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
--- openssh-5.9p1/progressmeter.h.coverity	2006-03-26 05:30:02.000000000 +0200
+--- openssh-6.1p1/progressmeter.h.coverity	2006-03-26 05:30:02.000000000 +0200
-+++ openssh-5.9p1/progressmeter.h	2011-09-14 08:09:48.420645724 +0200
+++ openssh-6.1p1/progressmeter.h	2012-09-14 21:16:41.286906598 +0200
@@ -23,5 +23,5 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
 -void	start_progress_meter(char *, off_t, off_t *);
 +void	start_progress_meter(const char *, off_t, off_t *);
 void	stop_progress_meter(void);
-diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
+diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
--- openssh-5.9p1/scp.c.coverity	2011-01-06 12:41:21.000000000 +0100
+--- openssh-6.1p1/scp.c.coverity	2011-09-22 13:38:01.000000000 +0200
-+++ openssh-5.9p1/scp.c	2011-09-14 08:09:48.531505457 +0200
+++ openssh-6.1p1/scp.c	2012-09-14 21:16:41.288906608 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
 	}
 	if (signo)
-diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
+diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.coverity	2011-06-23 00:30:03.000000000 +0200
+--- openssh-6.1p1/servconf.c.coverity	2012-07-31 04:22:38.000000000 +0200
-+++ openssh-5.9p1/servconf.c	2011-09-14 08:30:17.557468182 +0200
+++ openssh-6.1p1/servconf.c	2012-09-14 21:16:41.291906623 +0200
-@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
+@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions
 		debug3("checking syntax for 'Match %s'", cp);
 	else
 		debug3("checking match for '%s' user %s host %s addr %s", cp,
 -		    user ? user : "(null)", host ? host : "(null)",
 +		    user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
 		    address ? address : "(null)");
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
 			fatal("%s line %d: Missing subsystem name.",
 			    filename, linenum);
 		if (!*activep) {
@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
 			break;
 		}
 		for (i = 0; i < options->num_subsystems; i++)
-@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
+@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
 		}
 		break;
-diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
+diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
--- openssh-5.9p1/serverloop.c.coverity	2011-05-20 11:02:50.000000000 +0200
+--- openssh-6.1p1/serverloop.c.coverity	2012-06-20 14:31:27.000000000 +0200
-+++ openssh-5.9p1/serverloop.c	2011-09-14 08:09:48.793586380 +0200
+++ openssh-6.1p1/serverloop.c	2012-09-14 21:16:41.294906638 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
 static void
 notify_parent(void)
@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 			debug2("notify_done: reading");
 }
-@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea
+@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
 		 * If we have buffered data, try to write some of that data
 		 * to the program.
 		 */
@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 			FD_SET(fdin, *writesetp);
 	}
 	notify_prepare(*readsetp);
-@@ -470,7 +470,7 @@ process_output(fd_set *writeset)
+@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
 	int len;
 	/* Write buffered data to program stdin. */
@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		data = buffer_ptr(&stdin_buffer);
 		dlen = buffer_len(&stdin_buffer);
 		len = write(fdin, data, dlen);
-@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	set_nonblock(fdin);
 	set_nonblock(fdout);
 	/* we don't have stderr for interactive terminal sessions, see below */
@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		set_nonblock(fderr);
 	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
 	max_fd = MAX(connection_in, connection_out);
 	max_fd = MAX(max_fd, fdin);
 	max_fd = MAX(max_fd, fdout);
@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		max_fd = MAX(max_fd, fderr);
 #endif
-@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
 		 * If we have received eof, and there is no more pending
 		 * input data, cause a real eof by closing fdin.
 		 */
@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 			if (fdin != fdout)
 				close(fdin);
 			else
-@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
 	buffer_free(&stderr_buffer);
 	/* Close the file descriptors. */
@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		close(fdin);
 	fdin = -1;
-@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int
+@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
 	debug("Window change received.");
 	packet_check_eom();
@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		pty_change_window_size(fdin, row, col, xpixel, ypixel);
 }
-@@ -990,7 +990,7 @@ server_request_tun(void)
+@@ -996,7 +996,7 @@ server_request_tun(void)
 	}
 	tun = packet_get_int();
@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
 			goto done;
 		tun = forced_tun_device;
-diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
+diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
--- openssh-5.9p1/sftp-client.c.coverity	2010-12-04 23:02:48.000000000 +0100
+--- openssh-6.1p1/sftp.c.coverity	2012-06-30 00:33:32.000000000 +0200
-+++ openssh-5.9p1/sftp-client.c	2011-09-14 08:09:48.910470343 +0200
+++ openssh-6.1p1/sftp.c	2012-09-14 21:16:41.297906653 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +		(void) waitpid(sshpid, NULL, 0);
 	}
 	_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
 /* Strip one path (usually the pwd) from the start of another */
 static char *
 -path_strip(char *path, char *strip)
 +path_strip(const char *path, const char *strip)
 {
 	size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
 }
 static char *
 -make_absolute(char *p, char *pwd)
 +make_absolute(char *p, const char *pwd)
 {
 	char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
 }
 static int
 -is_dir(char *path)
 +is_dir(const char *path)
 {
 	struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
 }
 static int
 -remote_is_dir(struct sftp_conn *conn, char *path)
 +remote_is_dir(struct sftp_conn *conn, const char *path)
 {
 	Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
 /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
 static int
 -pathname_is_dir(char *pathname)
 +pathname_is_dir(const char *pathname)
 {
 	size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
 }
 static int
 -process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
 }
 static int
 -process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
 /* sftp ls.1 replacement for directories */
 static int
 -do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 +do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
 {
 	int n;
 	u_int c = 1, colspace = 0, columns = 1;
@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char *
 /* sftp ls.1 replacement which handles path globs */
 static int
 -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
 +do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
     int lflag)
 {
 	char *fname, *lname;
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 }
 static int
 -do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
 +do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
 {
 	struct sftp_statvfs st;
 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
 --- openssh-6.1p1/sftp-client.c.coverity	2012-07-02 14:15:39.000000000 +0200
 +++ openssh-6.1p1/sftp-client.c	2012-09-14 21:18:16.891332281 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
 }
@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     SFTP_DIRENT ***dir)
 {
 	Buffer msg;
-@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
+@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
 }
 int
@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	return(do_lsreaddir(conn, path, 0, dir));
 }
-@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
+@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
 }
 int
@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int status, id;
-@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path
+@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
 }
 int
@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int status, id;
-@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p
+@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
 }
 int
@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int status, id;
-@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p
+@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
 }
 Attrib *
@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int id;
-@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa
+@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
 }
 Attrib *
@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int id;
-@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h
+@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
 #endif
 int
@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	u_int status, id;
-@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char
+@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
 }
 int
@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     Attrib *a)
 {
 	u_int status, id;
-@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char
+@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
 }
 char *
@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	Buffer msg;
 	u_int type, expected_id, count, id;
- 	char *filename, *longname;
+@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
 -	Attrib *a;
 +/*UNUSED Attrib *a; */
 	expected_id = id = conn->msg_id++;
 	send_string_request(conn, id, SSH2_FXP_REALPATH, path,
@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
 	filename = buffer_get_string(&msg, NULL);
 	longname = buffer_get_string(&msg, NULL);
 -	a = decode_attrib(&msg);
 +	/*a =*/ (void) decode_attrib(&msg);
 	debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
 }
 int
@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	Buffer msg;
 	u_int status, id;
-@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char *
+@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
 }
 int
@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	Buffer msg;
 	u_int status, id;
-@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char
+@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
 }
 int
@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	Buffer msg;
 	u_int status, id;
-@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn
+@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
 }
 int
@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     Attrib *a, int pflag)
 {
 	Attrib junk;
-@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char
+@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
 }
 static int
@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     Attrib *dirattrib, int pflag, int printflag, int depth)
 {
 	int i, ret = 0;
-@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn *
+@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
 }
 int
@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     Attrib *dirattrib, int pflag, int printflag)
 {
 	char *src_canon;
-@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha
+@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
 }
 int
@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     int pflag)
 {
 	int local_fd;
-@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *
+@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
 }
 static int
@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     int pflag, int printflag, int depth)
 {
 	int ret = 0, status;
-@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co
+@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
 }
 int
@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
     int pflag)
 {
 	char *dst_canon;
-@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char
+@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
 }
 char *
@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 {
 	char *ret;
 	size_t len = strlen(p1) + strlen(p2) + 2;
-diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
+diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
--- openssh-5.9p1/sftp-client.h.coverity	2010-12-04 23:02:48.000000000 +0100
+--- openssh-6.1p1/sftp-client.h.coverity	2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp-client.h	2011-09-14 08:09:49.021583940 +0200
+++ openssh-6.1p1/sftp-client.h	2012-09-14 21:16:41.301906674 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
 u_int sftp_proto_version(struct sftp_conn *);
@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
 +char *path_append(const char *, const char *);
 #endif
-diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
+diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
--- openssh-5.9p1/sftp.c.coverity	2010-12-04 23:02:48.000000000 +0100
+--- openssh-6.1p1/ssh-agent.c.coverity	2011-06-03 06:14:16.000000000 +0200
-+++ openssh-5.9p1/sftp.c	2011-09-14 08:09:49.468493585 +0200
+++ openssh-6.1p1/ssh-agent.c	2012-09-14 21:16:41.303906683 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +		(void) waitpid(sshpid, NULL, 0);
 	}
 	_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
 /* Strip one path (usually the pwd) from the start of another */
 static char *
 -path_strip(char *path, char *strip)
 +path_strip(const char *path, const char *strip)
 {
 	size_t len;
@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
 }
 static char *
 -make_absolute(char *p, char *pwd)
 +make_absolute(char *p, const char *pwd)
 {
 	char *abs_str;
@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
 }
 static int
 -is_dir(char *path)
 +is_dir(const char *path)
 {
 	struct stat sb;
@@ -494,7 +494,7 @@ is_dir(char *path)
 }
 static int
 -remote_is_dir(struct sftp_conn *conn, char *path)
 +remote_is_dir(struct sftp_conn *conn, const char *path)
 {
 	Attrib *a;
@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
 /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
 static int
 -pathname_is_dir(char *pathname)
 +pathname_is_dir(const char *pathname)
 {
 	size_t l = strlen(pathname);
@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
 }
 static int
 -process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *abs_src = NULL;
@@ -590,7 +590,7 @@ out:
 }
 static int
 -process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *tmp_dst = NULL;
@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
 /* sftp ls.1 replacement for directories */
 static int
 -do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 +do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
 {
 	int n;
 	u_int c = 1, colspace = 0, columns = 1;
@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
 /* sftp ls.1 replacement which handles path globs */
 static int
 -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
 +do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
     int lflag)
 {
 -	Attrib *a = NULL;
 +/*UNUSED Attrib *a = NULL;*/
 	char *fname, *lname;
 	glob_t g;
 	int err;
@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 		colspace = width / columns;
 	}
 -	for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
 +	for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
 		fname = path_strip(g.gl_pathv[i], strip_path);
 		if (lflag & LS_LONG_VIEW) {
 			if (g.gl_statv[i] == NULL) {
@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 }
 static int
 -do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
 +do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
 {
 	struct sftp_statvfs st;
 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
 --- openssh-5.9p1/ssh-agent.c.coverity	2011-06-03 06:14:16.000000000 +0200
 +++ openssh-5.9p1/ssh-agent.c	2011-09-14 08:09:49.572460295 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/* Disable ptrace on Linux without sgid bit */
-diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
+diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
--- openssh-5.9p1/sshd.c.coverity	2011-06-23 11:45:51.000000000 +0200
+--- openssh-6.1p1/sshd.c.coverity	2012-07-31 04:21:34.000000000 +0200
-+++ openssh-5.9p1/sshd.c	2011-09-14 08:09:49.687509968 +0200
+++ openssh-6.1p1/sshd.c	2012-09-14 21:16:41.307906705 +0200
-@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
+@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt)
 		if (getuid() == 0 || geteuid() == 0)
 			privsep_preauth_child();
 		setproctitle("%s", "[net]");
@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
 		return 0;
 	}
-@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so
 		if (num_listen_socks < 0)
 			break;
 	}
@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
 }
-@@ -1774,7 +1779,7 @@ main(int ac, char **av)
+@@ -1768,7 +1773,7 @@ main(int ac, char **av)
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
--- a/openssh-6.1p1-gsskex.patch
+++ b/openssh-6.1p1-gsskex.patch
@ -1,6 +1,115 @@
-diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
+diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
--- openssh-6.0p1/auth2.c.gsskex	2012-09-12 15:32:19.110689080 +0200
+--- openssh-6.1p1/auth-krb5.c.gsskex	2012-04-26 01:52:15.000000000 +0200
-+++ openssh-6.0p1/auth2.c	2012-09-12 15:32:28.309651601 +0200
+++ openssh-6.1p1/auth-krb5.c	2012-09-14 21:07:19.695203206 +0200
@@ -50,6 +50,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <string.h>
 +#include <sys/stat.h>
 #include <krb5.h>
 extern ServerOptions	 options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
 	len = strlen(authctxt->krb5_ticket_file) + 6;
 	authctxt->krb5_ccname = xmalloc(len);
 -	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
 +#ifdef USE_CCAPI
 +	snprintf(authctxt->krb5_ccname, len, "API:%s",
 	    authctxt->krb5_ticket_file);
 +#else
 +	snprintf(authctxt->krb5_ccname, len, "DIR:%s",
 +	    authctxt->krb5_ticket_file);
 +#endif
 #ifdef USE_PAM
 	if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
 void
 krb5_cleanup_proc(Authctxt *authctxt)
 {
 +	struct stat krb5_ccname_stat;
 +	char krb5_ccname[128], *krb5_ccname_dir_end;
 +
 	debug("krb5_cleanup_proc called");
 	if (authctxt->krb5_fwd_ccache) {
 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 		authctxt->krb5_fwd_ccache = NULL;
 +
 +		/* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
 +		strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
 +
 +		krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
 +		if (krb5_ccname_dir_end != NULL) {
 +			strcpy(krb5_ccname_dir_end, "/primary");
 +
 +			if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
 +				if (unlink(krb5_ccname) == 0) {
 +					*krb5_ccname_dir_end = '\0';
 +					if (rmdir(krb5_ccname) == -1)
 +						debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
 +				}
 +				else
 +					debug("cache primary file '%s', remove failed: %s",
 +						krb5_ccname, strerror(errno)
 +					);
 +			}
 +		}
 	}
 	if (authctxt->krb5_user) {
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt)
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 -	int tmpfd, ret, oerrno;
 -	char ccname[40];
 +	int ret, oerrno;
 +	char ccname[128];
 	mode_t old_umask;
 +#ifdef USE_CCAPI
 +	char cctemplate[] = "API:krb5cc_%d";
 +#else
 +	char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
 +	char *tmpdir;
 +#endif
 	ret = snprintf(ccname, sizeof(ccname),
 -	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
 +	    cctemplate, geteuid());
 	if (ret < 0 || (size_t)ret >= sizeof(ccname))
 		return ENOMEM;
 -	old_umask = umask(0177);
 -	tmpfd = mkstemp(ccname + strlen("FILE:"));
 +#ifndef USE_CCAPI
 +	old_umask = umask(0077);
 +	tmpdir = mkdtemp(ccname + strlen("DIR:"));
 	oerrno = errno;
 	umask(old_umask);
 -	if (tmpfd == -1) {
 -		logit("mkstemp(): %.100s", strerror(oerrno));
 +	if (tmpdir == NULL) {
 +		logit("mkdtemp(): %.100s", strerror(oerrno));
 		return oerrno;
 	}
 -	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 +	if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
 		oerrno = errno;
 -		logit("fchmod(): %.100s", strerror(oerrno));
 -		close(tmpfd);
 +		logit("chmod(): %.100s", strerror(oerrno));
 		return oerrno;
 	}
 -	close(tmpfd);
 +#endif
 	return (krb5_cc_resolve(ctx, ccname, ccache));
 }
 diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
 --- openssh-6.1p1/auth2.c.gsskex	2012-09-14 20:57:55.291263269 +0200
 +++ openssh-6.1p1/auth2.c	2012-09-14 20:57:55.853266860 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
@ -17,9 +126,9 @@ diff -up openssh-6.0p1/auth2.c.gsskex openssh-6.0p1/auth2.c
 	&method_gssapi,
 #endif
 #ifdef JPAKE
-diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
+diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
--- openssh-6.0p1/auth2-gss.c.gsskex	2012-09-12 15:32:19.126689015 +0200
+--- openssh-6.1p1/auth2-gss.c.gsskex	2012-09-14 20:57:55.292263276 +0200
-+++ openssh-6.0p1/auth2-gss.c	2012-09-12 15:32:28.309651601 +0200
+++ openssh-6.1p1/auth2-gss.c	2012-09-14 20:57:55.855266873 +0200
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
@ -94,233 +203,9 @@ diff -up openssh-6.0p1/auth2-gss.c.gsskex openssh-6.0p1/auth2-gss.c
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,
-diff -up openssh-6.0p1/auth-krb5.c.gsskex openssh-6.0p1/auth-krb5.c
+diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
--- openssh-6.0p1/auth-krb5.c.gsskex	2012-09-12 15:32:19.118689046 +0200
+--- openssh-6.1p1/clientloop.c.gsskex	2012-09-14 20:57:54.862260529 +0200
-+++ openssh-6.0p1/auth-krb5.c	2012-09-12 16:03:22.216097657 +0200
+++ openssh-6.1p1/clientloop.c	2012-09-14 20:57:55.861266911 +0200
@@ -50,6 +50,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <string.h>
 +#include <sys/stat.h>
 #include <krb5.h>
 extern ServerOptions	 options;
@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
 	len = strlen(authctxt->krb5_ticket_file) + 6;
 	authctxt->krb5_ccname = xmalloc(len);
 -	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
 +#ifdef USE_CCAPI
 +	snprintf(authctxt->krb5_ccname, len, "API:%s",
 	    authctxt->krb5_ticket_file);
 +#else
 +	snprintf(authctxt->krb5_ccname, len, "DIR:%s",
 +	    authctxt->krb5_ticket_file);
 +#endif
 #ifdef USE_PAM
 	if (options.use_pam)
@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
 void
 krb5_cleanup_proc(Authctxt *authctxt)
 {
 +	struct stat krb5_ccname_stat;
 +	char krb5_ccname[128], *krb5_ccname_dir_end;
 +
 	debug("krb5_cleanup_proc called");
 	if (authctxt->krb5_fwd_ccache) {
 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 		authctxt->krb5_fwd_ccache = NULL;
 +
 +		/* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
 +		strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
 +
 +		krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
 +		if (krb5_ccname_dir_end != NULL) {
 +			strcpy(krb5_ccname_dir_end, "/primary");
 +
 +			if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
 +				if (unlink(krb5_ccname) == 0) {
 +					*krb5_ccname_dir_end = '\0';
 +					if (rmdir(krb5_ccname) == -1)
 +						debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
 +				}
 +				else
 +					debug("cache primary file '%s', remove failed: %s",
 +						krb5_ccname, strerror(errno)
 +					);
 +			}
 +		}
 	}
 	if (authctxt->krb5_user) {
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -226,29 +255,35 @@ krb5_cleanup_proc(Authctxt *authctxt)
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 -	int tmpfd, ret;
 +	int ret;
 	char ccname[40];
 	mode_t old_umask;
 +#ifdef USE_CCAPI
 +	char cctemplate[] = "API:krb5cc_%d";
 +#else
 +	char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
 +	char *tmpdir;
 +#endif
 	ret = snprintf(ccname, sizeof(ccname),
 -	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
 +	    cctemplate, geteuid());
 	if (ret < 0 || (size_t)ret >= sizeof(ccname))
 		return ENOMEM;
 -	old_umask = umask(0177);
 -	tmpfd = mkstemp(ccname + strlen("FILE:"));
 +#ifndef USE_CCAPI
 +	old_umask = umask(0077);
 +	tmpdir = mkdtemp(ccname + strlen("DIR:"));
 	umask(old_umask);
 -	if (tmpfd == -1) {
 -		logit("mkstemp(): %.100s", strerror(errno));
 +	if (tmpdir == NULL) {
 +		logit("mkdtemp(): %.100s", strerror(errno));
 		return errno;
 	}
 -
 -	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 -		logit("fchmod(): %.100s", strerror(errno));
 -		close(tmpfd);
 +	if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
 +		logit("chmod(): %.100s", strerror(errno));
 		return errno;
 	}
 -	close(tmpfd);
 +
 +#endif
 	return (krb5_cc_resolve(ctx, ccname, ccache));
 }
 diff -up openssh-6.0p1/ChangeLog.gssapi.gsskex openssh-6.0p1/ChangeLog.gssapi
 --- openssh-6.0p1/ChangeLog.gssapi.gsskex	2012-09-12 15:32:19.106689094 +0200
 +++ openssh-6.0p1/ChangeLog.gssapi	2012-09-12 15:32:28.310651598 +0200
@@ -0,0 +1,113 @@
 +20110101
 +  - Finally update for OpenSSH 5.6p1
 +  - Add GSSAPIServerIdentity option from Jim Basney
 + 
 +20100308
 +  - [ Makefile.in, key.c, key.h ]
 +    Updates for OpenSSH 5.4p1
 +  - [ servconf.c ]
 +    Include GSSAPI options in the sshd -T configuration dump, and flag
 +    some older configuration options as being unsupported. Thanks to Colin 
 +    Watson.
 +  -
 +
 +20100124
 +  - [ sshconnect2.c ]
 +    Adapt to deal with additional element in Authmethod structure. Thanks to
 +    Colin Watson
 +
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
 +      sshd.c ]
 +    Fix issues identified by Greg Hudson following a code review
 +	Check return value of gss_indicate_mechs
 +	Protect GSSAPI calls in monitor, so they can only be used if enabled
 +	Check return values of bignum functions in key exchange
 +	Use BN_clear_free to clear other side's DH value
 +	Make ssh_gssapi_id_kex more robust
 +	Only configure kex table pointers if GSSAPI is enabled
 +	Don't leak mechanism list, or gss mechanism list
 +	Cast data.length before printing
 +	If serverkey isn't provided, use an empty string, rather than NULL
 +
 +20090201
 +  - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
 +      ssh_config.5 sshconnet2.c ]
 +    Add support for the GSSAPIClientIdentity option, which allows the user
 +    to specify which GSSAPI identity to use to contact a given server
 +
 +20080404
 +  - [ gss-serv.c ]
 +    Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
 +    been omitted from a previous version of this patch. Reported by Borislav
 +    Stoichkov
 +
 +20070317
 +  - [ gss-serv-krb5.c ]
 +    Remove C99ism, where new_ccname was being declared in the middle of a 
 +    function
 +
 +20061220
 +  - [ servconf.c ]
 +    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 
 +    documented, behaviour. Reported by Dan Watson.
 +
 +20060910
 +  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
 +      ssh-gss.h ]
 +    add support for gss-group14-sha1 key exchange mechanisms
 +  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
 +    Add GSSAPIStrictAcceptorCheck option to allow the disabling of
 +    acceptor principal checking on multi-homed machines.
 +    <Bugzilla #928>
 +  - [ sshd_config ssh_config ]
 +    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
 +    configuration files
 +  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
 +    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
 +    Limit length of error messages displayed by client
 +
 +20060909
 +  - [ gss-genr.c gss-serv.c ]
 +    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
 +    only, where they belong 
 +    <Bugzilla #1225>
 +
 +20060829
 +  - [ gss-serv-krb5.c ]
 +    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 
 +    variable
 +
 +20060828
 +  - [ gss-genr.c ]
 +    Avoid Heimdal context freeing problem
 +    <Fixed upstream 20060829>
 +
 +20060818
 +  - [ gss-genr.c ssh-gss.h sshconnect2.c ]
 +    Make sure that SPENGO is disabled 
 +    <Bugzilla #1218 - Fixed upstream 20060818>
 +
 +20060421
 +  - [ gssgenr.c, sshconnect2.c ]
 +    a few type changes (signed versus unsigned, int versus size_t) to
 +    fix compiler errors/warnings 
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ kexgssc.c, sshconnect2.c ]
 +    fix uninitialized variable warnings
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ gssgenr.c ]
 +    pass oid to gss_display_status (helpful when using GSSAPI mechglue)
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <Bugzilla #1220 >
 +  - [ gss-serv-krb5.c ]
 +    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <Fixed upstream 20060304>
 +  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 
 +    add client-side GssapiKeyExchange option
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ sshconnect2.c ]
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
 --- openssh-6.0p1/clientloop.c.gsskex	2012-09-12 15:32:19.113689067 +0200
 +++ openssh-6.0p1/clientloop.c	2012-09-12 15:32:28.311651595 +0200
@@ -111,6 +111,10 @@
 #include "msg.h"
 #include "roaming.h"
@ -332,7 +217,7 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
 /* import options */
 extern Options options;
-@@ -1540,6 +1544,15 @@ client_loop(int have_pty, int escape_cha
+@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha
 		/* Do channel operations unless rekeying in progress. */
 		if (!rekeying) {
 			channel_after_select(readset, writeset);
@ -348,9 +233,9 @@ diff -up openssh-6.0p1/clientloop.c.gsskex openssh-6.0p1/clientloop.c
 			if (need_rekeying || packet_need_rekeying()) {
 				debug("need rekeying");
 				xxx_kex->done = 0;
-diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
+diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
--- openssh-6.0p1/configure.ac.gsskex	2012-09-12 15:32:19.085689183 +0200
+--- openssh-6.1p1/configure.ac.gsskex	2012-09-14 20:57:55.756266240 +0200
-+++ openssh-6.0p1/configure.ac	2012-09-12 15:32:28.312651591 +0200
+++ openssh-6.1p1/configure.ac	2012-09-14 20:57:55.865266937 +0200
@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
 	    [Use tunnel device compatibility to OpenBSD])
 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
@ -382,9 +267,9 @@ diff -up openssh-6.0p1/configure.ac.gsskex openssh-6.0p1/configure.ac
 	m4_pattern_allow([AU_IPv])
 	AC_CHECK_DECL([AU_IPv4], [], 
 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
+diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
--- openssh-6.0p1/gss-genr.c.gsskex	2012-09-12 15:32:19.097689132 +0200
+--- openssh-6.1p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-6.0p1/gss-genr.c	2012-09-12 15:32:28.313651587 +0200
+++ openssh-6.1p1/gss-genr.c	2012-09-14 20:57:55.867266949 +0200
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@ -732,9 +617,9 @@ diff -up openssh-6.0p1/gss-genr.c.gsskex openssh-6.0p1/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
+diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
--- openssh-6.0p1/gss-serv.c.gsskex	2012-09-12 15:32:19.123689027 +0200
+--- openssh-6.1p1/gss-serv.c.gsskex	2011-08-05 22:16:46.000000000 +0200
-+++ openssh-6.0p1/gss-serv.c	2012-09-12 15:53:27.719520213 +0200
+++ openssh-6.1p1/gss-serv.c	2012-09-14 20:57:55.870266969 +0200
@@ -45,15 +45,20 @@
 #include "channels.h"
 #include "session.h"
@ -1073,9 +958,9 @@ diff -up openssh-6.0p1/gss-serv.c.gsskex openssh-6.0p1/gss-serv.c
 }
 #endif
-diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
+diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
--- openssh-6.0p1/gss-serv-krb5.c.gsskex	2012-09-12 15:32:19.115689059 +0200
+--- openssh-6.1p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-6.0p1/gss-serv-krb5.c	2012-09-12 16:36:15.768054426 +0200
+++ openssh-6.1p1/gss-serv-krb5.c	2012-09-14 20:57:55.872266981 +0200
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1198,9 +1083,126 @@ diff -up openssh-6.0p1/gss-serv-krb5.c.gsskex openssh-6.0p1/gss-serv-krb5.c
 };
 #endif /* KRB5 */
-diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
+diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
--- openssh-6.0p1/kex.c.gsskex	2012-09-12 15:32:19.096689136 +0200
+--- openssh-6.1p1/ChangeLog.gssapi.gsskex	2012-09-14 20:57:55.858266892 +0200
-+++ openssh-6.0p1/kex.c	2012-09-12 15:32:28.315651579 +0200
+++ openssh-6.1p1/ChangeLog.gssapi	2012-09-14 20:57:55.859266899 +0200
@@ -0,0 +1,113 @@
 +20110101
 +  - Finally update for OpenSSH 5.6p1
 +  - Add GSSAPIServerIdentity option from Jim Basney
 + 
 +20100308
 +  - [ Makefile.in, key.c, key.h ]
 +    Updates for OpenSSH 5.4p1
 +  - [ servconf.c ]
 +    Include GSSAPI options in the sshd -T configuration dump, and flag
 +    some older configuration options as being unsupported. Thanks to Colin 
 +    Watson.
 +  -
 +
 +20100124
 +  - [ sshconnect2.c ]
 +    Adapt to deal with additional element in Authmethod structure. Thanks to
 +    Colin Watson
 +
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
 +      sshd.c ]
 +    Fix issues identified by Greg Hudson following a code review
 +	Check return value of gss_indicate_mechs
 +	Protect GSSAPI calls in monitor, so they can only be used if enabled
 +	Check return values of bignum functions in key exchange
 +	Use BN_clear_free to clear other side's DH value
 +	Make ssh_gssapi_id_kex more robust
 +	Only configure kex table pointers if GSSAPI is enabled
 +	Don't leak mechanism list, or gss mechanism list
 +	Cast data.length before printing
 +	If serverkey isn't provided, use an empty string, rather than NULL
 +
 +20090201
 +  - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
 +      ssh_config.5 sshconnet2.c ]
 +    Add support for the GSSAPIClientIdentity option, which allows the user
 +    to specify which GSSAPI identity to use to contact a given server
 +
 +20080404
 +  - [ gss-serv.c ]
 +    Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
 +    been omitted from a previous version of this patch. Reported by Borislav
 +    Stoichkov
 +
 +20070317
 +  - [ gss-serv-krb5.c ]
 +    Remove C99ism, where new_ccname was being declared in the middle of a 
 +    function
 +
 +20061220
 +  - [ servconf.c ]
 +    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 
 +    documented, behaviour. Reported by Dan Watson.
 +
 +20060910
 +  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
 +      ssh-gss.h ]
 +    add support for gss-group14-sha1 key exchange mechanisms
 +  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
 +    Add GSSAPIStrictAcceptorCheck option to allow the disabling of
 +    acceptor principal checking on multi-homed machines.
 +    <Bugzilla #928>
 +  - [ sshd_config ssh_config ]
 +    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
 +    configuration files
 +  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
 +    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
 +    Limit length of error messages displayed by client
 +
 +20060909
 +  - [ gss-genr.c gss-serv.c ]
 +    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
 +    only, where they belong 
 +    <Bugzilla #1225>
 +
 +20060829
 +  - [ gss-serv-krb5.c ]
 +    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 
 +    variable
 +
 +20060828
 +  - [ gss-genr.c ]
 +    Avoid Heimdal context freeing problem
 +    <Fixed upstream 20060829>
 +
 +20060818
 +  - [ gss-genr.c ssh-gss.h sshconnect2.c ]
 +    Make sure that SPENGO is disabled 
 +    <Bugzilla #1218 - Fixed upstream 20060818>
 +
 +20060421
 +  - [ gssgenr.c, sshconnect2.c ]
 +    a few type changes (signed versus unsigned, int versus size_t) to
 +    fix compiler errors/warnings 
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ kexgssc.c, sshconnect2.c ]
 +    fix uninitialized variable warnings
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ gssgenr.c ]
 +    pass oid to gss_display_status (helpful when using GSSAPI mechglue)
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <Bugzilla #1220 >
 +  - [ gss-serv-krb5.c ]
 +    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <Fixed upstream 20060304>
 +  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 
 +    add client-side GssapiKeyExchange option
 +    (from jbasney AT ncsa.uiuc.edu)
 +  - [ sshconnect2.c ]
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
 --- openssh-6.1p1/kex.c.gsskex	2012-09-14 20:57:55.139262298 +0200
 +++ openssh-6.1p1/kex.c	2012-09-14 20:57:55.874266995 +0200
@@ -51,6 +51,10 @@
 #include "roaming.h"
 #include "audit.h"
@ -1233,9 +1235,9 @@ diff -up openssh-6.0p1/kex.c.gsskex openssh-6.0p1/kex.c
 	} else
 		fatal("bad kex alg %s", k->name);
 }
-diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
+diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
--- openssh-6.0p1/kexgssc.c.gsskex	2012-09-12 15:32:19.105689098 +0200
+--- openssh-6.1p1/kexgssc.c.gsskex	2012-09-14 20:57:55.875267001 +0200
-+++ openssh-6.0p1/kexgssc.c	2012-09-12 15:32:28.315651579 +0200
+++ openssh-6.1p1/kexgssc.c	2012-09-14 20:57:55.875267001 +0200
@@ -0,0 +1,334 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1571,9 +1573,9 @@ diff -up openssh-6.0p1/kexgssc.c.gsskex openssh-6.0p1/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
+diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
--- openssh-6.0p1/kexgsss.c.gsskex	2012-09-12 15:32:19.116689055 +0200
+--- openssh-6.1p1/kexgsss.c.gsskex	2012-09-14 20:57:55.876267007 +0200
-+++ openssh-6.0p1/kexgsss.c	2012-09-12 15:32:28.316651574 +0200
+++ openssh-6.1p1/kexgsss.c	2012-09-14 20:57:55.876267007 +0200
@@ -0,0 +1,288 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1863,9 +1865,9 @@ diff -up openssh-6.0p1/kexgsss.c.gsskex openssh-6.0p1/kexgsss.c
 +		ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
+diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
--- openssh-6.0p1/kex.h.gsskex	2012-09-12 15:32:19.093689148 +0200
+--- openssh-6.1p1/kex.h.gsskex	2012-09-14 20:57:55.141262312 +0200
-+++ openssh-6.0p1/kex.h	2012-09-12 15:32:28.316651574 +0200
+++ openssh-6.1p1/kex.h	2012-09-14 20:57:55.878267019 +0200
@@ -73,6 +73,9 @@ enum kex_exchange {
 	KEX_DH_GEX_SHA1,
 	KEX_DH_GEX_SHA256,
@ -1901,10 +1903,10 @@ diff -up openssh-6.0p1/kex.h.gsskex openssh-6.0p1/kex.h
 void	newkeys_destroy(Newkeys *newkeys);
 void
-diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
+diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
--- openssh-6.0p1/key.c.gsskex	2012-09-12 15:32:19.103689108 +0200
+--- openssh-6.1p1/key.c.gsskex	2012-09-14 20:57:55.593265199 +0200
-+++ openssh-6.0p1/key.c	2012-09-12 15:32:28.317651570 +0200
+++ openssh-6.1p1/key.c	2012-09-14 20:57:55.881267039 +0200
-@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int
+@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
 		}
 		break;
 #endif /* OPENSSL_HAS_ECC */
@ -1913,7 +1915,7 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
 	}
 	return "ssh-unknown";
 }
-@@ -1311,6 +1313,8 @@ key_type_from_name(char *name)
+@@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
 	    strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
 		return KEY_ECDSA_CERT;
 #endif
@ -1922,9 +1924,9 @@ diff -up openssh-6.0p1/key.c.gsskex openssh-6.0p1/key.c
 	}
 	debug2("key_type_from_name: unknown key type '%s'", name);
-diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
+diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
--- openssh-6.0p1/key.h.gsskex	2012-09-12 15:32:19.094689144 +0200
+--- openssh-6.1p1/key.h.gsskex	2012-09-14 20:57:55.184262586 +0200
-+++ openssh-6.0p1/key.h	2012-09-12 15:32:28.318651566 +0200
+++ openssh-6.1p1/key.h	2012-09-14 20:57:55.882267045 +0200
@@ -44,6 +44,7 @@ enum types {
 	KEY_ECDSA_CERT,
 	KEY_RSA_CERT_V00,
@ -1933,9 +1935,9 @@ diff -up openssh-6.0p1/key.h.gsskex openssh-6.0p1/key.h
 	KEY_UNSPEC
 };
 enum fp_type {
-diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
+diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
--- openssh-6.0p1/Makefile.in.gsskex	2012-09-12 15:32:19.128689006 +0200
+--- openssh-6.1p1/Makefile.in.gsskex	2012-09-14 20:57:55.832266726 +0200
-+++ openssh-6.0p1/Makefile.in	2012-09-12 15:32:28.318651566 +0200
+++ openssh-6.1p1/Makefile.in	2012-09-14 20:57:55.884267058 +0200
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@ -1953,9 +1955,9 @@ diff -up openssh-6.0p1/Makefile.in.gsskex openssh-6.0p1/Makefile.in
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
-diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
+diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
--- openssh-6.0p1/monitor.c.gsskex	2012-09-12 15:32:19.112689072 +0200
+--- openssh-6.1p1/monitor.c.gsskex	2012-09-14 20:57:55.299263321 +0200
-+++ openssh-6.0p1/monitor.c	2012-09-12 15:32:28.319651562 +0200
+++ openssh-6.1p1/monitor.c	2012-09-14 20:57:55.888267083 +0200
@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@ -2008,7 +2010,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1942,6 +1959,13 @@ mm_get_kex(Buffer *m)
+@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2022,7 +2024,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);
 	kex->kex_type = buffer_get_int(m);
-@@ -2165,6 +2189,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
 	OM_uint32 major;
 	u_int len;
@ -2032,7 +2034,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	goid.elements = buffer_get_string(m, &len);
 	goid.length = len;
-@@ -2192,6 +2219,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 	OM_uint32 flags = 0; /* GSI needs this */
 	u_int len;
@ -2042,7 +2044,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	in.value = buffer_get_string(m, &len);
 	in.length = len;
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2209,6 +2239,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -2050,7 +2052,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	}
 	return (0);
 }
-@@ -2220,6 +2251,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
 	OM_uint32 ret;
 	u_int len;
@ -2060,7 +2062,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	gssbuf.value = buffer_get_string(m, &len);
 	gssbuf.length = len;
 	mic.value = buffer_get_string(m, &len);
-@@ -2246,7 +2280,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
 {
 	int authenticated;
@ -2073,7 +2075,7 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);
-@@ -2260,6 +2298,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
@ -2148,9 +2150,9 @@ diff -up openssh-6.0p1/monitor.c.gsskex openssh-6.0p1/monitor.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
+diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
--- openssh-6.0p1/monitor.h.gsskex	2012-09-12 15:32:19.119689041 +0200
+--- openssh-6.1p1/monitor.h.gsskex	2012-09-14 20:57:55.300263327 +0200
-+++ openssh-6.0p1/monitor.h	2012-09-12 15:32:28.319651562 +0200
+++ openssh-6.1p1/monitor.h	2012-09-14 20:57:55.889267090 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2160,9 +2162,9 @@ diff -up openssh-6.0p1/monitor.h.gsskex openssh-6.0p1/monitor.h
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
 	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
+diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.gsskex	2012-09-12 15:32:19.122689031 +0200
+--- openssh-6.1p1/monitor_wrap.c.gsskex	2012-09-14 20:57:55.302263340 +0200
-+++ openssh-6.0p1/monitor_wrap.c	2012-09-12 15:32:28.320651557 +0200
+++ openssh-6.1p1/monitor_wrap.c	2012-09-14 20:57:55.892267109 +0200
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 }
@ -2224,9 +2226,9 @@ diff -up openssh-6.0p1/monitor_wrap.c.gsskex openssh-6.0p1/monitor_wrap.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
+diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.gsskex	2012-09-12 15:32:19.107689091 +0200
+--- openssh-6.1p1/monitor_wrap.h.gsskex	2012-09-14 20:57:55.304263353 +0200
-+++ openssh-6.0p1/monitor_wrap.h	2012-09-12 15:32:28.321651552 +0200
+++ openssh-6.1p1/monitor_wrap.h	2012-09-14 20:57:55.893267116 +0200
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2239,9 +2241,9 @@ diff -up openssh-6.0p1/monitor_wrap.h.gsskex openssh-6.0p1/monitor_wrap.h
 #endif
 #ifdef USE_PAM
-diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
+diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
--- openssh-6.0p1/readconf.c.gsskex	2012-09-12 15:32:19.100689120 +0200
+--- openssh-6.1p1/readconf.c.gsskex	2011-10-02 09:59:03.000000000 +0200
-+++ openssh-6.0p1/readconf.c	2012-09-12 15:32:28.321651552 +0200
+++ openssh-6.1p1/readconf.c	2012-09-14 20:57:55.896267134 +0200
@@ -129,6 +129,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -2330,9 +2332,9 @@ diff -up openssh-6.0p1/readconf.c.gsskex openssh-6.0p1/readconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
+diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
--- openssh-6.0p1/readconf.h.gsskex	2012-09-12 15:32:19.125689019 +0200
+--- openssh-6.1p1/readconf.h.gsskex	2011-10-02 09:59:03.000000000 +0200
-+++ openssh-6.0p1/readconf.h	2012-09-12 15:32:28.322651548 +0200
+++ openssh-6.1p1/readconf.h	2012-09-14 20:57:55.897267141 +0200
@@ -48,7 +48,12 @@ typedef struct {
 	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
@ -2346,10 +2348,10 @@ diff -up openssh-6.0p1/readconf.h.gsskex openssh-6.0p1/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
+diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
--- openssh-6.0p1/servconf.c.gsskex	2012-09-12 15:32:19.088689170 +0200
+--- openssh-6.1p1/servconf.c.gsskex	2012-09-14 20:57:55.760266266 +0200
-+++ openssh-6.0p1/servconf.c	2012-09-12 15:32:28.323651545 +0200
+++ openssh-6.1p1/servconf.c	2012-09-14 20:57:55.900267160 +0200
-@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions
+@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
@ -2360,7 +2362,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption
+@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2375,7 +2377,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -327,7 +336,9 @@ typedef enum {
+@@ -333,7 +342,9 @@ typedef enum {
 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile,
@ -2386,7 +2388,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 	sRequiredAuthentications1, sRequiredAuthentications2,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -393,10 +404,20 @@ static struct {
+@@ -399,10 +410,20 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2407,7 +2409,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions
+@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2430,7 +2432,7 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
-@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o)
+@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2440,9 +2442,9 @@ diff -up openssh-6.0p1/servconf.c.gsskex openssh-6.0p1/servconf.c
 #endif
 #ifdef JPAKE
 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
+diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
--- openssh-6.0p1/servconf.h.gsskex	2012-09-12 15:32:19.121689034 +0200
+--- openssh-6.1p1/servconf.h.gsskex	2012-09-14 20:57:55.762266278 +0200
-+++ openssh-6.0p1/servconf.h	2012-09-12 15:32:28.323651545 +0200
+++ openssh-6.1p1/servconf.h	2012-09-14 20:57:55.902267173 +0200
@@ -103,7 +103,10 @@ typedef struct {
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
@ -2454,9 +2456,21 @@ diff -up openssh-6.0p1/servconf.h.gsskex openssh-6.0p1/servconf.h
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
+diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
--- openssh-6.0p1/ssh_config.5.gsskex	2012-09-12 15:32:19.091689156 +0200
+--- openssh-6.1p1/ssh_config.gsskex	2012-09-14 20:57:55.707265928 +0200
-+++ openssh-6.0p1/ssh_config.5	2012-09-12 15:32:28.324651542 +0200
+++ openssh-6.1p1/ssh_config	2012-09-14 20:57:55.906267198 +0200
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
 #   GSSAPIDelegateCredentials no
 +#   GSSAPIKeyExchange no
 +#   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
 diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
 --- openssh-6.1p1/ssh_config.5.gsskex	2012-07-02 10:53:38.000000000 +0200
 +++ openssh-6.1p1/ssh_config.5	2012-09-14 20:57:55.904267186 +0200
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
@ -2502,21 +2516,9 @@ diff -up openssh-6.0p1/ssh_config.5.gsskex openssh-6.0p1/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-diff -up openssh-6.0p1/ssh_config.gsskex openssh-6.0p1/ssh_config
+diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
--- openssh-6.0p1/ssh_config.gsskex	2012-09-12 15:32:19.087689174 +0200
+--- openssh-6.1p1/sshconnect2.c.gsskex	2012-09-14 20:57:55.605265275 +0200
-+++ openssh-6.0p1/ssh_config	2012-09-12 15:32:28.324651542 +0200
+++ openssh-6.1p1/sshconnect2.c	2012-09-14 20:57:55.909267218 +0200
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
 #   GSSAPIDelegateCredentials no
 +#   GSSAPIKeyExchange no
 +#   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
 diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
 --- openssh-6.0p1/sshconnect2.c.gsskex	2012-09-12 15:32:19.099689124 +0200
 +++ openssh-6.0p1/sshconnect2.c	2012-09-12 15:32:28.325651538 +0200
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
 {
 	Kex *kex;
@ -2715,9 +2717,9 @@ diff -up openssh-6.0p1/sshconnect2.c.gsskex openssh-6.0p1/sshconnect2.c
 #endif /* GSSAPI */
 int
-diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
+diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
--- openssh-6.0p1/sshd.c.gsskex	2012-09-12 15:32:19.130688998 +0200
+--- openssh-6.1p1/sshd.c.gsskex	2012-09-14 20:57:55.799266515 +0200
-+++ openssh-6.0p1/sshd.c	2012-09-12 15:32:28.326651534 +0200
+++ openssh-6.1p1/sshd.c	2012-09-14 20:57:55.912267237 +0200
@@ -124,6 +124,10 @@
 #include "ssh-sandbox.h"
 #include "version.h"
@ -2729,7 +2731,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1701,10 +1705,13 @@ main(int ac, char **av)
+@@ -1692,10 +1696,13 @@ main(int ac, char **av)
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
 	}
@ -2743,7 +2745,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 		logit("sshd: no hostkeys available -- exiting.");
 		exit(1);
-@@ -2037,6 +2044,60 @@ main(int ac, char **av)
+@@ -2027,6 +2034,60 @@ main(int ac, char **av)
 	/* Log the connection. */
 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2804,7 +2806,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2435,6 +2496,48 @@ do_ssh2_kex(void)
+@@ -2425,6 +2486,48 @@ do_ssh2_kex(void)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2853,7 +2855,7 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2442,6 +2545,13 @@ do_ssh2_kex(void)
+@@ -2432,6 +2535,13 @@ do_ssh2_kex(void)
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@ -2867,10 +2869,22 @@ diff -up openssh-6.0p1/sshd.c.gsskex openssh-6.0p1/sshd.c
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
+diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
--- openssh-6.0p1/sshd_config.5.gsskex	2012-09-12 15:32:19.109689084 +0200
+--- openssh-6.1p1/sshd_config.gsskex	2012-09-14 20:57:55.801266528 +0200
-+++ openssh-6.0p1/sshd_config.5	2012-09-12 15:32:28.327651530 +0200
+++ openssh-6.1p1/sshd_config	2012-09-14 20:57:55.916267263 +0200
-@@ -437,12 +437,40 @@ Specifies whether user authentication ba
+@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
 GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
 +#GSSAPIStrictAcceptorCheck yes
 +#GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
 diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
 --- openssh-6.1p1/sshd_config.5.gsskex	2012-09-14 20:57:55.767266310 +0200
 +++ openssh-6.1p1/sshd_config.5	2012-09-14 20:57:55.915267256 +0200
@@ -439,12 +439,40 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
@ -2911,21 +2925,9 @@ diff -up openssh-6.0p1/sshd_config.5.gsskex openssh-6.0p1/sshd_config.5
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
-diff -up openssh-6.0p1/sshd_config.gsskex openssh-6.0p1/sshd_config
+diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
--- openssh-6.0p1/sshd_config.gsskex	2012-09-12 15:32:19.102689112 +0200
+--- openssh-6.1p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
-+++ openssh-6.0p1/sshd_config	2012-09-12 15:32:28.327651530 +0200
+++ openssh-6.1p1/ssh-gss.h	2012-09-14 20:57:55.918267275 +0200
@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
 GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
 +#GSSAPIStrictAcceptorCheck yes
 +#GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
 diff -up openssh-6.0p1/ssh-gss.h.gsskex openssh-6.0p1/ssh-gss.h
 --- openssh-6.0p1/ssh-gss.h.gsskex	2012-09-12 15:32:19.090689160 +0200
 +++ openssh-6.0p1/ssh-gss.h	2012-09-12 15:32:28.328651526 +0200
@@ -1,6 +1,6 @@
 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
 /*
--- a/openssh-6.1p1-kuserok.patch
+++ b/openssh-6.1p1-kuserok.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
+diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
--- openssh-5.9p0/auth-krb5.c.kuserok	2011-08-30 16:37:32.651150128 +0200
+--- openssh-6.1p1/auth-krb5.c.kuserok	2012-09-14 21:08:16.941496194 +0200
-+++ openssh-5.9p0/auth-krb5.c	2011-08-30 16:37:37.549087368 +0200
+++ openssh-6.1p1/auth-krb5.c	2012-09-14 21:08:17.063496896 +0200
-@@ -54,6 +54,20 @@
+@@ -55,6 +55,20 @@
 extern ServerOptions	 options;
@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
 static int
 krb5_init(void *context)
 {
-@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
 		problem = -1;
 		goto out;
 	}
-diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
+diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
--- openssh-5.9p0/gss-serv-krb5.c.kuserok	2011-08-30 16:37:36.988024804 +0200
+--- openssh-6.1p1/gss-serv-krb5.c.kuserok	2012-09-14 21:08:17.019496642 +0200
-+++ openssh-5.9p0/gss-serv-krb5.c	2011-08-30 16:37:37.659088030 +0200
+++ openssh-6.1p1/gss-serv-krb5.c	2012-09-14 21:08:17.065496906 +0200
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
@ -51,27 +51,27 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 		    luser, (char *)client->displayname.value);
-diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
+diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
--- openssh-5.9p0/servconf.c.kuserok	2011-08-30 16:37:35.093073603 +0200
+--- openssh-6.1p1/servconf.c.kuserok	2012-09-14 21:08:16.989496471 +0200
-+++ openssh-5.9p0/servconf.c	2011-08-30 16:41:13.568087145 +0200
+++ openssh-6.1p1/servconf.c	2012-09-14 21:09:30.864868698 +0200
-@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
+@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
 	options->authorized_principals_file = NULL;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
 +	options->use_kuserok = -1;
 }
 void
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
+@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
- 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ 		options->version_addendum = xstrdup("");
 	if (options->show_patchlevel == -1)
-  		options->show_patchlevel = 0;
+ 		options->show_patchlevel = 0;
 +	if (options->use_kuserok == -1)
 +		options->use_kuserok = 1;
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-@@ -317,7 +320,7 @@ typedef enum {
+@@ -327,7 +330,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -388,11 +391,13 @@ static struct {
+@@ -399,11 +402,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
+@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
-@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
+@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
+diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
--- openssh-5.9p0/servconf.h.kuserok	2011-08-30 16:37:35.201051957 +0200
+--- openssh-6.1p1/servconf.h.kuserok	2012-09-14 21:08:16.990496476 +0200
-+++ openssh-5.9p0/servconf.h	2011-08-30 16:37:37.926087431 +0200
+++ openssh-6.1p1/servconf.h	2012-09-14 21:08:17.071496942 +0200
-@@ -166,6 +166,7 @@ typedef struct {
+@@ -169,6 +169,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
+diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
--- openssh-5.9p0/sshd_config.5.kuserok	2011-08-30 16:37:35.979024607 +0200
+--- openssh-6.1p1/sshd_config.kuserok	2012-09-14 21:08:17.002496545 +0200
-+++ openssh-5.9p0/sshd_config.5	2011-08-30 16:37:38.040087843 +0200
+++ openssh-6.1p1/sshd_config	2012-09-14 21:08:17.074496957 +0200
-@@ -603,6 +603,10 @@ Specifies whether to automatically destr
+@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
 diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
 --- openssh-6.1p1/sshd_config.5.kuserok	2012-09-14 21:08:17.004496556 +0200
 +++ openssh-6.1p1/sshd_config.5	2012-09-14 21:08:17.073496952 +0200
@@ -618,6 +618,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -746,6 +750,7 @@ Available keywords are
+@@ -767,6 +771,7 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PubkeyAuthentication ,
 diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
 --- openssh-5.9p0/sshd_config.kuserok	2011-08-30 16:37:36.808026328 +0200
 +++ openssh-5.9p0/sshd_config	2011-08-30 16:37:38.148071520 +0200
@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
--- a/openssh-6.1p1-log-usepam-no.patch
+++ b/openssh-6.1p1-log-usepam-no.patch
@ -1,10 +1,9 @@
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
-index 8dcfdf2..95b63ad 100644
+--- openssh-6.1p1/sshd.c.log-usepam-no	2012-09-14 20:54:58.000000000 +0200
--- a/sshd.c
+++ openssh-6.1p1/sshd.c	2012-09-14 20:55:42.289477749 +0200
-+++ b/sshd.c
+@@ -1617,6 +1617,10 @@ main(int ac, char **av)
@@ -1592,6 +1592,10 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
- 	    &cfg, NULL, NULL, NULL);
+ 	    &cfg, NULL);
 +	/* 'UsePAM no' is not supported in Fedora */
 +	if (! options.use_pam)
@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
 	seed_rng();
 	/* Fill in default values for those options not explicitly set. */
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
-index 8c16754..9f28b04 100644
+--- openssh-6.1p1/sshd_config.log-usepam-no	2012-09-14 20:54:58.514255748 +0200
--- a/sshd_config
+++ openssh-6.1p1/sshd_config	2012-09-14 20:54:58.551255954 +0200
-+++ b/sshd_config
+@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
--- a/openssh-6.1p1-required-authentications.patch
+++ b/openssh-6.1p1-required-authentications.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication	2012-07-27 12:21:41.181601972 +0200
+--- openssh-6.1p1/auth.c.required-authentication	2012-09-14 20:17:56.730488188 +0200
-+++ openssh-5.9p1/auth.c	2012-07-27 12:21:41.203602020 +0200
+++ openssh-6.1p1/auth.c	2012-09-14 20:17:56.795488498 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
 }
@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 {
 	switch (options.permit_root_login) {
 	case PERMIT_YES:
-@@ -694,3 +696,57 @@ fakepw(void)
+@@ -696,3 +698,57 @@ fakepw(void)
 	return (&fake);
 }
@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 +	
 +	return (ret);
 +}
-diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
+diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
+--- openssh-6.1p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h	2012-07-27 12:21:41.204602022 +0200
+++ openssh-6.1p1/auth.h	2012-09-14 20:17:56.796488502 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void);
 void	do_authentication(Authctxt *);
 void	do_authentication2(Authctxt *);
@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 int	 sys_auth_passwd(Authctxt *, const char *);
-diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
+diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
+--- openssh-6.1p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c	2012-07-27 12:50:50.708706675 +0200
+++ openssh-6.1p1/auth1.c	2012-09-14 20:17:56.798488515 +0200
@@ -98,6 +98,55 @@ static const struct AuthMethod1
 	return (NULL);
 }
@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 		packet_start(SSH_SMSG_FAILURE);
 		packet_send();
-diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
+--- openssh-6.1p1/auth2.c.required-authentication	2011-12-19 00:52:51.000000000 +0100
-+++ openssh-5.9p1/auth2.c	2012-07-27 12:51:59.048241612 +0200
+++ openssh-6.1p1/auth2.c	2012-09-14 20:17:56.799488520 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
 {
 	Authctxt *authctxt = ctxt;
@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +	return (ret);
 +}
 +
-diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
+diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
+--- openssh-6.1p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c	2012-07-27 12:21:41.206602026 +0200
+++ openssh-6.1p1/auth2-gss.c	2012-09-14 20:17:56.801488528 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
 		}
 		authctxt->postponed = 0;
@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
 }
 Authmethod method_gssapi = {
-diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
+diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
+--- openssh-6.1p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c	2012-07-27 12:21:41.206602026 +0200
+++ openssh-6.1p1/auth2-chall.c	2012-09-14 20:17:56.802488532 +0200
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
 			auth2_challenge_start(authctxt);
 		}
@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
 	xfree(method);
 }
-diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
+diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
+--- openssh-6.1p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c	2012-07-27 12:21:41.207602028 +0200
+++ openssh-6.1p1/auth2-none.c	2012-09-14 20:17:56.803488537 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
 {
 	none_enabled = 0;
@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
 		return (PRIVSEP(auth_password(authctxt, "")));
 	return (0);
 }
-diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
+diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication	2012-07-27 12:21:41.161601930 +0200
+--- openssh-6.1p1/monitor.c.required-authentication	2012-09-14 20:17:56.685487974 +0200
-+++ openssh-5.9p1/monitor.c	2012-07-27 12:51:18.884927066 +0200
+++ openssh-6.1p1/monitor.c	2012-09-14 20:17:56.806488552 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	}
 	/* Drain any buffered messages from the child */
-@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
+@@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer
 		auth_method = "none";
 	else
 		auth_method = "password";
@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	/* Causes monitor loop to terminate if authenticated */
 	return (authenticated);
-@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
 	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 	auth_method = "bsdauth";
@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	return (authok != 0);
 }
-@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer *
 	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
 	auth_method = "skey";
@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	return (authok != 0);
 }
-@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 		xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
-@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *
 	buffer_clear(m);
 	buffer_put_int(m, ret);
 	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	if (ret == 0)
 		sshpam_authok = sshpam_ctxt;
 	return (0);
-@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
+@@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif
-@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			allowed = options.pubkey_authentication &&
 			    user_key_allowed(authctxt->pw, key);
 			auth_method = "publickey";
@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			if (options.pubkey_authentication && allowed != 1)
 				auth_clear_options();
 			break;
-@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
 			auth_method = "hostbased";
@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			break;
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			if (options.rhosts_rsa_authentication && allowed != 1)
 				auth_clear_options();
 			auth_method = "rsa";
@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 			break;
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m
 		hostbased_chost = chost;
 	} else {
 		/* Log failed attempt */
@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);
-@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m)
 	xfree(data);
 	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	monitor_reset_key_state();
-@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
 	debug3("%s entering", __func__);
 	auth_method = "rsa";
@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);
-@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
+@@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer
 	xfree(response);
 	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	/* reset state */
 	BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m
 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 	auth_method = "gssapi-with-mic";
@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
-@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock,
 	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
 	auth_method = "jpake-01@openssh.com";
@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 	return authenticated;
 }
-diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
+diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication	2012-07-27 12:21:41.167601942 +0200
+--- openssh-6.1p1/servconf.c.required-authentication	2012-09-14 20:17:56.699488040 +0200
-+++ openssh-5.9p1/servconf.c	2012-07-27 12:21:41.209602032 +0200
+++ openssh-6.1p1/servconf.c	2012-09-14 20:19:49.179983651 +0200
-@@ -42,6 +42,8 @@
+@@ -43,6 +43,8 @@
 #include "key.h"
 #include "kex.h"
 #include "mac.h"
@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 #include "match.h"
 #include "channels.h"
 #include "groupaccess.h"
-@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
+@@ -132,6 +134,8 @@ initialize_server_options(ServerOptions
 	options->num_authkeys_files = 0;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
-@@ -319,6 +323,7 @@ typedef enum {
+@@ -324,6 +328,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -447,6 +452,8 @@ static struct {
+@@ -452,6 +457,8 @@ static struct {
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 +	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
 +	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
- };
+@@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
 			options->max_startups = options->max_startups_begin;
 		break;
@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
 	case sMaxAuthTries:
 		intptr = &options->max_authtries;
 		goto parse_int;
-diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
+diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
+--- openssh-6.1p1/servconf.h.required-authentication	2012-07-31 04:21:34.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-07-27 12:21:41.210602035 +0200
+++ openssh-6.1p1/servconf.h	2012-09-14 20:17:56.810488571 +0200
@@ -154,6 +154,9 @@ typedef struct {
 	u_int num_authkeys_files;	/* Files containing public keys */
 	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
 	char   *adm_forced_command;
 	int	use_pam;		/* Enable auth via PAM */
-diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
+diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
+--- openssh-6.1p1/sshd_config.5.required-authentication	2012-07-02 10:53:38.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-07-27 12:38:47.607222070 +0200
+++ openssh-6.1p1/sshd_config.5	2012-09-14 20:17:56.812488582 +0200
-@@ -723,6 +723,8 @@ Available keywords are
+@@ -731,6 +731,8 @@ Available keywords are
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
-@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
+@@ -931,6 +933,21 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
--- a/openssh-6.1p1-vendor.patch
+++ b/openssh-6.1p1-vendor.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
+diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
--- openssh-5.9p1/configure.ac.vendor	2012-02-06 17:35:37.439855272 +0100
+--- openssh-6.1p1/configure.ac.vendor	2012-09-14 20:36:49.153085211 +0200
-+++ openssh-5.9p1/configure.ac	2012-02-06 17:35:37.510219862 +0100
+++ openssh-6.1p1/configure.ac	2012-09-14 20:36:49.559088133 +0200
-@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
+@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog],
 		fi
 	]
 )
@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -4361,6 +4367,7 @@ echo "           Translate v4 in v6 hack
+@@ -4529,6 +4535,7 @@ echo "           Translate v4 in v6 hack
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
 echo ""
-diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
+diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
--- openssh-5.9p1/servconf.c.vendor	2012-02-06 17:35:37.432972267 +0100
+--- openssh-6.1p1/servconf.c.vendor	2012-09-14 20:36:49.124085002 +0200
-+++ openssh-5.9p1/servconf.c	2012-02-06 17:37:58.806272833 +0100
+++ openssh-6.1p1/servconf.c	2012-09-14 20:50:34.995972516 +0200
-@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions 
+@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
-@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
+@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
 +	if (options->show_patchlevel == -1)
-+ 		options->show_patchlevel = 0;
+		options->show_patchlevel = 0;
- 
+
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-@@ -321,7 +324,7 @@ typedef enum {
+ 		use_privsep = PRIVSEP_NOSANDBOX;
@@ -326,7 +330,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -436,6 +439,7 @@ static struct {
+@@ -441,6 +445,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
+@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions
 		multistate_ptr = multistate_privsep;
 		goto parse_multistate;
@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
+@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
+diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
--- openssh-5.9p1/servconf.h.vendor	2012-02-06 17:35:37.434095467 +0100
+--- openssh-6.1p1/servconf.h.vendor	2012-09-14 20:36:49.125085009 +0200
-+++ openssh-5.9p1/servconf.h	2012-02-06 17:35:37.512225786 +0100
+++ openssh-6.1p1/servconf.h	2012-09-14 20:36:49.564088168 +0200
@@ -140,6 +140,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
+diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config
--- openssh-5.9p1/sshd_config.vendor	2012-02-06 17:35:37.499226201 +0100
+--- openssh-6.1p1/sshd_config.vendor	2012-09-14 20:36:49.507087759 +0200
-+++ openssh-5.9p1/sshd_config	2012-02-06 17:35:37.515220444 +0100
+++ openssh-6.1p1/sshd_config	2012-09-14 20:36:49.565088175 +0200
-@@ -112,6 +112,7 @@ X11Forwarding yes
+@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox		# Defaul
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
-diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
+diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.vendor	2012-02-06 17:35:37.500225787 +0100
+--- openssh-6.1p1/sshd_config.0.vendor	2012-09-14 20:36:49.510087780 +0200
-+++ openssh-5.9p1/sshd_config.0	2012-02-06 17:35:37.513225808 +0100
+++ openssh-6.1p1/sshd_config.0	2012-09-14 20:36:49.567088190 +0200
-@@ -556,6 +556,11 @@ DESCRIPTION
+@@ -558,6 +558,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
-diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
+diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.vendor	2012-02-06 17:35:37.500225787 +0100
+--- openssh-6.1p1/sshd_config.5.vendor	2012-09-14 20:36:49.512087794 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-02-06 17:35:37.514220449 +0100
+++ openssh-6.1p1/sshd_config.5	2012-09-14 20:36:49.568088198 +0200
-@@ -982,6 +982,14 @@ This option applies to protocol version 
+@@ -978,6 +978,14 @@ This option applies to protocol version
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
-diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
+diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
--- openssh-5.9p1/sshd.c.vendor	2012-02-06 17:35:37.485230832 +0100
+--- openssh-6.1p1/sshd.c.vendor	2012-09-14 20:36:49.399086981 +0200
-+++ openssh-5.9p1/sshd.c	2012-02-06 17:35:37.513225808 +0100
+++ openssh-6.1p1/sshd.c	2012-09-14 20:47:30.696088744 +0200
-@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
+@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
 -	    SSH_VERSION, newline);
 +	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
 	server_version_string = xstrdup(buf);
- 	/* Send our protocol version identification. */
+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-@@ -1634,7 +1634,8 @@ main(int ac, char **av)
+-	    major, minor, SSH_VERSION,
 +	    major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
@@ -1635,7 +1635,8 @@ main(int ac, char **av)
 		exit(1);
 	}
--- a/openssh.spec
+++ b/openssh.spec
@ -108,7 +108,7 @@ Source13: sshd-keygen
 Patch0: openssh-5.9p1-wIm.patch
 #?
-Patch100: openssh-5.9p1-coverity.patch
+Patch100: openssh-6.1p1-coverity.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
 Patch101: openssh-5.8p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
@ -118,7 +118,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
 Patch103: openssh-5.8p1-packet.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=983
 #Patch104: openssh-5.9p1-2auth.patch
-Patch104: openssh-5.9p1-required-authentications.patch
+Patch104: openssh-6.1p1-required-authentications.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch200: openssh-5.8p1-audit0.patch
@ -150,7 +150,7 @@ Patch402: openssh-5.9p1-sftp-chroot.patch
 Patch404: openssh-5.9p1-privsep-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
-Patch500: openssh-5.9p1-akc.patch
+Patch500: openssh-6.1p1-akc.patch
 #?-- unwanted child :(
 Patch501: openssh-6.0p1-ldap.patch
 #?
@ -173,7 +173,7 @@ Patch606: openssh-5.9p1-ipv6man.patch
 #?
 Patch607: openssh-5.8p2-sigpipe.patch
 #?
-Patch608: openssh-5.8p2-askpass-ld.patch
+Patch608: openssh-6.1p1-askpass-ld.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
 Patch609: openssh-5.5p1-x11.patch
@ -196,29 +196,27 @@ Patch707: openssh-5.9p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
 Patch708: openssh-6.0p1-entropy.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
-Patch709: openssh-5.9p1-vendor.patch
+Patch709: openssh-6.1p1-vendor.patch
 #?
 Patch710: openssh-5.9p1-copy-id-restorecon.patch
 # warn users for unsupported UsePAM=no (#757545)
-Patch711: openssh-5.9p1-log-usepam-no.patch
+Patch711: openssh-6.1p1-log-usepam-no.patch
 # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
 Patch712: openssh-5.9p1-ctr-evp-fast.patch
 # add cavs test binary for the aes-ctr
 Patch713: openssh-5.9p1-ctr-cavstest.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=815993
 Patch714: openssh-5.9p1-null-xcrypt.patch
 #http://www.sxw.org.uk/computing/patches/openssh.html
 #changed cache storage type - #848228
-Patch800: openssh-6.0p1-gsskex.patch
+Patch800: openssh-6.1p1-gsskex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-5.8p2-force_krb.patch
 #?
 Patch900: openssh-5.8p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-5.9p1-kuserok.patch
+Patch901: openssh-6.1p1-kuserok.patch
 #---
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 # sctp
@ -459,7 +457,6 @@ popd
 %patch711 -p1 -b .log-usepam-no
 %patch712 -p1 -b .evp-ctr
 %patch713 -p1 -b .ctr-cavs
 %patch714 -p0 -b .null-xcrypt
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb