the .local domain example should be in ssh_config, not in sshd_config

6.4p1-8 + 0.9.3-1
Add missing documentation link to systemd service files (RHBZ#1181593)
2015-03-11 11:43:08 +01:00 · 2015-01-15 15:27:59 +01:00 · 2015-01-15 15:27:59 +01:00 · 2015-01-15 15:27:59 +01:00 · 2015-01-15 15:27:59 +01:00 · 2015-01-15 15:27:59 +01:00
22 changed files with 2042 additions and 308 deletions
--- a/openssh-5.8p1-localdomain.patch
+++ b/openssh-5.8p1-localdomain.patch
@ -1,14 +1,11 @@
-diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
--- openssh-5.8p1/sshd_config.localdomain	2011-04-22 11:37:49.273648812 +0200
-+++ openssh-5.8p1/sshd_config	2011-04-22 11:39:31.758648401 +0200
-@@ -130,6 +130,10 @@ X11Forwarding yes
- # override default of no subsystems
- Subsystem	sftp	/usr/libexec/sftp-server
- 
+diff --git a/ssh_config b/ssh_config
+--- a/ssh_config
+++ b/ssh_config
+@@ -48,3 +48,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+#
 +# Uncomment this if you want to use .local domain
 +#Host *.local
 +#	CheckHostIP no
-+
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- #	X11Forwarding no
--- a/openssh-6.3p1-krb5-use-default_ccache_name.patch
+++ b/openssh-6.3p1-krb5-use-default_ccache_name.patch
@ -30,7 +30,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
 +	if (authctxt->krb5_ticket_file[0] == ':')
 +		authctxt->krb5_ticket_file++;
 +
-+	len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
+	len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
 	authctxt->krb5_ccname = xmalloc(len);
 -	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
 +
--- a/openssh-6.3p1-kuserok.patch
+++ b/openssh-6.3p1-kuserok.patch
@ -1,167 +0,0 @@
-diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
--- openssh-6.3p1/auth-krb5.c.kuserok	2013-10-11 21:41:42.889087613 +0200
-+++ openssh-6.3p1/auth-krb5.c	2013-10-11 21:41:42.905087537 +0200
-@@ -55,6 +55,20 @@
- 
- extern ServerOptions	 options;
- 
-+int
-+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
-+{
-+	if (options.use_kuserok)
-+		return krb5_kuserok(krb5_ctx, krb5_user, client);
-+	else {
-+		char kuser[65];
-+
-+		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
-+			return 0;
-+		return strcmp(kuser, client) == 0;
-+	}
-+}
-+
- static int
- krb5_init(void *context)
- {
-@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
- 	if (problem)
- 		goto out;
- 
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
-+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
- 		problem = -1;
- 		goto out;
- 	}
-diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.kuserok	2013-10-11 21:41:42.901087556 +0200
-+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-11 21:46:42.898673597 +0200
-@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
-     int);
- 
- static krb5_context krb_context = NULL;
-+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
- 
- /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
- 
-@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- 	/* NOTE: .k5login and .k5users must opened as root, not the user,
- 	 * because if they are on a krb5-protected filesystem, user credentials
- 	 * to access these files aren't available yet. */
-	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
-+	if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
- 		retval = 1;
- 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- 		    name, (char *)client->displayname.value);
-diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
--- openssh-6.3p1/servconf.c.kuserok	2013-10-11 21:41:42.896087580 +0200
-+++ openssh-6.3p1/servconf.c	2013-10-11 21:48:24.664194016 +0200
-@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
- 	options->ip_qos_interactive = -1;
- 	options->ip_qos_bulk = -1;
- 	options->version_addendum = NULL;
-+	options->use_kuserok = -1;
- }
- 
- void
-@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
- 		options->version_addendum = xstrdup("");
- 	if (options->show_patchlevel == -1)
- 		options->show_patchlevel = 0;
-+	if (options->use_kuserok == -1)
-+		options->use_kuserok = 1;
- 
- 	/* Turn privilege separation on by default */
- 	if (use_privsep == -1)
-@@ -336,7 +339,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
- 	sRhostsRSAAuthentication, sRSAAuthentication,
- 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken,
-+	sKerberosGetAFSToken, sKerberosUseKuserok,
- 	sKerberosTgtPassing, sChallengeResponseAuthentication,
- 	sPasswordAuthentication, sKbdInteractiveAuthentication,
- 	sListenAddress, sAddressFamily,
-@@ -409,11 +412,13 @@ static struct {
- #else
- 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
- #else
- 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
- 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
- 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
- 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
- #endif
- 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
- 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
- 		*activep = value;
- 		break;
- 
-+	case sKerberosUseKuserok:
-+		intptr = &options->use_kuserok;
-+		goto parse_flag;
-+
- 	case sPermitOpen:
- 		arg = strdelim(&cp);
- 		if (!arg || *arg == '\0')
-@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
- 	M_CP_INTOPT(max_authtries);
- 	M_CP_INTOPT(ip_qos_interactive);
- 	M_CP_INTOPT(ip_qos_bulk);
-+	M_CP_INTOPT(use_kuserok);
- 	M_CP_INTOPT(rekey_limit);
- 	M_CP_INTOPT(rekey_interval);
- 
-@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sUseDNS, o->use_dns);
- 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
- 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
- 
- 	/* string arguments */
- 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
--- openssh-6.3p1/servconf.h.kuserok	2013-10-11 21:41:42.896087580 +0200
-+++ openssh-6.3p1/servconf.h	2013-10-11 21:41:42.907087528 +0200
-@@ -174,6 +174,7 @@ typedef struct {
- 
- 	int	num_permitted_opens;
- 
-+	int	use_kuserok;
- 	char   *chroot_directory;
- 	char   *revoked_keys_file;
- 	char   *trusted_user_ca_keys;
-diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
--- openssh-6.3p1/sshd_config.5.kuserok	2013-10-11 21:41:42.898087571 +0200
-+++ openssh-6.3p1/sshd_config.5	2013-10-11 21:41:42.907087528 +0200
-@@ -675,6 +675,10 @@ Specifies whether to automatically destr
- file on logout.
- The default is
- .Dq yes .
-+.It Cm KerberosUseKuserok
-+Specifies whether to look at .k5login file for user's aliases.
-+The default is
-+.Dq yes .
- .It Cm KexAlgorithms
- Specifies the available KEX (Key Exchange) algorithms.
- Multiple algorithms must be comma-separated.
-@@ -833,6 +837,7 @@ Available keywords are
- .Cm HostbasedUsesNameFromPacketOnly ,
- .Cm KbdInteractiveAuthentication ,
- .Cm KerberosAuthentication ,
-+.Cm KerberosUseKuserok ,
- .Cm MaxAuthTries ,
- .Cm MaxSessions ,
- .Cm PasswordAuthentication ,
-diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
--- openssh-6.3p1/sshd_config.kuserok	2013-10-11 21:41:42.898087571 +0200
-+++ openssh-6.3p1/sshd_config	2013-10-11 21:41:42.907087528 +0200
-@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
- 
- # GSSAPI options
- #GSSAPIAuthentication no
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@ -761,7 +761,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +
 --- openssh-6.4p1/ldapconf.c.ldap	2013-11-26 10:31:03.513794385 +0100
 +++ openssh-6.4p1/ldapconf.c	2013-11-26 10:38:15.474635149 +0100
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,722 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@ -1078,6 +1078,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +		else
 +			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
 +		if (*intptr == -1)
+			*intptr = value;
 +		break;
 +
 +	case lSSLPath:
@ -1142,6 +1143,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +		else
 +			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
 +		if (*intptr == -1)
+			*intptr = value;
 +		break;
 +
 +	case lTLS_CaCertFile:
--- a/openssh-6.3p1-redhat.patch
+++ b/openssh-6.3p1-redhat.patch
@ -2,9 +2,9 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
 --- openssh-6.3p1/ssh_config.redhat	2013-10-11 14:51:18.345876648 +0200
 +++ openssh-6.3p1/ssh_config	2013-10-11 15:13:05.429829266 +0200
@@ -46,3 +46,14 @@
- #   VisualHostKey no
- #   ProxyCommand ssh -q -W %h:%p gateway.example.com
- #   RekeyLimit 1G 1h
+ # Uncomment this if you want to use .local domain
+ #Host *.local
+ #	CheckHostIP no
 +Host *
 +	GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
--- a/openssh-6.4p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.4p1-GSSAPIEnablek5users.patch
@ -0,0 +1,137 @@
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 0a4930e..a7c0c5f 100644
+--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
+@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ 	FILE *fp;
+ 	char file[MAXPATHLEN];
+ 	char line[BUFSIZ];
+-	char kuser[65]; /* match krb5_kuserok() */
+ 	struct stat st;
+ 	struct passwd *pw = the_authctxt->pw;
+ 	int found_principal = 0;
+@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ 
+ 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ 	/* If both .k5login and .k5users DNE, self-login is ok. */
+-	if (!k5login_exists && (access(file, F_OK) == -1)) {
+	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
+                 return ssh_krb5_kuserok(krb_context, principal, luser,
+                                         k5login_exists);
+ 	}
+diff --git a/servconf.c b/servconf.c
+index d482e79..ad5869b 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
+ 	options->ip_qos_bulk = -1;
+ 	options->version_addendum = NULL;
+ 	options->use_kuserok = -1;
+	options->enable_k5users = -1;
+ }
+ 
+ void
+@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
+ 		options->show_patchlevel = 0;
+ 	if (options->use_kuserok == -1)
+ 		options->use_kuserok = 1;
+	if (options->enable_k5users == -1)
+		options->enable_k5users = 0;
+ 
+ 	/* Turn privilege separation on by default */
+ 	if (use_privsep == -1)
+@@ -356,7 +359,7 @@ typedef enum {
+ 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sClientAliveCountMax, sAuthorizedKeysFile,
+-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
+ 	sGssKeyEx, sGssStoreRekey,
+ 	sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+@@ -430,6 +433,7 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+@@ -437,6 +441,7 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ #endif
+ 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		intptr = &options->use_kuserok;
+ 		goto parse_flag;
+ 
+	case sGssEnablek5users:
+		intptr = &options->enable_k5users;
+		goto parse_flag;
+
+ 	case sPermitOpen:
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ 	M_CP_INTOPT(ip_qos_interactive);
+ 	M_CP_INTOPT(ip_qos_bulk);
+ 	M_CP_INTOPT(use_kuserok);
+	M_CP_INTOPT(enable_k5users);
+ 	M_CP_INTOPT(rekey_limit);
+ 	M_CP_INTOPT(rekey_interval);
+ 
+@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ 
+ 	/* string arguments */
+ 	dump_cfg_string(sPidFile, o->pid_file);
+diff --git a/servconf.h b/servconf.h
+index 5117dfa..d63cb71 100644
+--- a/servconf.h
+++ b/servconf.h
+@@ -173,7 +173,8 @@ typedef struct {
+ 
+ 	int	num_permitted_opens;
+ 
+-	int	use_kuserok;
+	int		use_kuserok;
+	int		enable_k5users;
+ 	char   *chroot_directory;
+ 	char   *revoked_keys_file;
+ 	char   *trusted_user_ca_keys;
+diff --git a/sshd_config b/sshd_config
+index 43671f6..6ab00ed 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials no
+ #GSSAPIStrictAcceptorCheck yes
+ #GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing, 
+ # and session processing. If this is enabled, PAM authentication will 
+diff --git a/sshd_config.5 b/sshd_config.5
+index e0e5fff..aa9525d 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -505,6 +505,12 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in
+.Xr ksu 1 .
+The default is
+.Dq no .
+ .It Cm GSSAPIStrictAcceptorCheck
+ Determines whether to be strict about the identity of the GSSAPI acceptor 
+ a client authenticates against. If
--- a/openssh-6.4p1-NI_MAXHOST.patch
+++ b/openssh-6.4p1-NI_MAXHOST.patch
@ -0,0 +1,70 @@
+diff --git a/ChangeLog b/ChangeLog
+index 55dee98..7bcd596 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,10 @@
+20140703
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/07/03 03:34:09
+     [gss-serv.c session.c ssh-keygen.c]
+     standardise on NI_MAXHOST for gethostname() string lengths; about
+     1/2 the cases were using it already. Fixes bz#2239 en passant
+
+ 20140304
+  - OpenBSD CVS Sync
+    - djm@cvs.openbsd.org 2014/03/03 22:22:30
+diff --git a/gss-serv.c b/gss-serv.c
+index e533c3a..7e343db 100644
+--- a/gss-serv.c
+++ b/gss-serv.c
+@@ -83,14 +83,14 @@ static OM_uint32
+ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ {
+ 	OM_uint32 status;
+-	char lname[MAXHOSTNAMELEN];
+	char lname[NI_MAXHOST];
+ 	gss_OID_set oidset;
+ 
+ 	if (options.gss_strict_acceptor) {
+ 		gss_create_empty_oid_set(&status, &oidset);
+ 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ 
+-		if (gethostname(lname, MAXHOSTNAMELEN)) {
+		if (gethostname(lname, sizeof(lname))) {
+ 			gss_release_oid_set(&status, &oidset);
+ 			return (-1);
+ 		}
+diff --git a/session.c b/session.c
+index f5b6848..86da7cf 100644
+--- a/session.c
+++ b/session.c
+@@ -49,6 +49,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+#include <netdb.h>
+ #ifdef HAVE_PATHS_H
+ #include <paths.h>
+ #endif
+@@ -2697,7 +2698,7 @@ session_setup_x11fwd(Session *s)
+ {
+ 	struct stat st;
+ 	char display[512], auth_display[512];
+-	char hostname[MAXHOSTNAMELEN];
+	char hostname[NI_MAXHOST];
+ 	u_int i;
+ 
+ 	if (no_x11_forwarding_flag) {
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2569016..1bddd72 100644
+--- a/ssh-keygen.c
+++ b/ssh-keygen.c
+@@ -153,7 +153,7 @@ char *pkcs11provider = NULL;
+ /* argv0 */
+ extern char *__progname;
+ 
+-char hostname[MAXHOSTNAMELEN];
+char hostname[NI_MAXHOST];
+ 
+ /* moduli.c */
+ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
--- a/openssh-6.4p1-audit.patch
+++ b/openssh-6.4p1-audit.patch
@ -1,7 +1,8 @@
-diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in
--- openssh-6.3p1/Makefile.in.audit	2013-06-11 03:26:10.000000000 +0200
-+++ openssh-6.3p1/Makefile.in	2013-10-07 15:53:34.246717277 +0200
-@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+diff --git a/Makefile.in b/Makefile.in
+index 92c95a9..d2f41bd 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@ -10,10 +11,11 @@ diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
--- openssh-6.3p1/audit-bsm.c.audit	2012-02-24 00:40:43.000000000 +0100
-+++ openssh-6.3p1/audit-bsm.c	2013-10-07 15:53:34.246717277 +0200
-@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
+diff --git a/audit-bsm.c b/audit-bsm.c
+index 6135591..5160869 100644
+--- a/audit-bsm.c
+++ b/audit-bsm.c
+@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port)
 #endif
 }
 
@ -38,7 +40,7 @@ diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
 }
 
 void
-@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li
+@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li)
 	/* not implemented */
 }
 
@ -92,9 +94,10 @@ diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
--- openssh-6.3p1/audit-linux.c.audit	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-6.3p1/audit-linux.c	2013-10-07 15:53:34.246717277 +0200
+diff --git a/audit-linux.c b/audit-linux.c
+index b3ee2f4..946f7fa 100644
+--- a/audit-linux.c
+++ b/audit-linux.c
@@ -35,13 +35,24 @@
 
 #include "log.h"
@ -107,7 +110,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
 +#include "packet.h"
 +#include "cipher.h"
 
-+#define AUDIT_LOG_SIZE 128
+#define AUDIT_LOG_SIZE 256
 +
 +extern ServerOptions options;
 +extern Authctxt *the_authctxt;
@ -123,7 +126,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
 {
 	int audit_fd, rc, saved_errno;
 
-@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const
+@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username,
 	if (audit_fd < 0) {
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 		    errno == EAFNOSUPPORT)
@ -138,7 +141,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
 	    NULL, "login", username ? username : "(unknown)",
 	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
 	saved_errno = errno;
-@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const
+@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username,
 	if ((rc == -EPERM) && (geteuid() != 0))
 		rc = 0;
 	errno = saved_errno;
@ -481,9 +484,10 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
--- openssh-6.3p1/audit.c.audit	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-6.3p1/audit.c	2013-10-07 15:53:34.246717277 +0200
+diff --git a/audit.c b/audit.c
+index ced57fa..13c6849 100644
+--- a/audit.c
+++ b/audit.c
@@ -28,6 +28,7 @@
 
 #include <stdarg.h>
@ -502,7 +506,23 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
 
 /*
  * Care must be taken when using this since it WILL NOT be initialized when
-@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
+@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
+ const char *
+ audit_username(void)
+ {
+-	static const char unknownuser[] = "(unknown user)";
+-	static const char invaliduser[] = "(invalid user)";
+	static const char unknownuser[] = "(unknown)";
+ 
+-	if (the_authctxt == NULL || the_authctxt->user == NULL)
+	if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid)
+ 		return (unknownuser);
+-	if (!the_authctxt->valid)
+-		return (invaliduser);
+ 	return (the_authctxt->user);
+ }
+ 
+@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
 
@ -543,7 +563,7 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
-@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
+@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
 }
 
 /*
@ -561,7 +581,7 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
  * Called when a user session is started.  Argument is the tty allocated to
  * the session, or NULL if no tty was allocated.
  *
-@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li
+@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
 /*
  * This will be called when a user runs a non-interactive command.  Note that
  * it may be called multiple times for a single connection since SSH2 allows
@ -655,9 +675,10 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
 }
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h
--- openssh-6.3p1/audit.h.audit	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-6.3p1/audit.h	2013-10-07 15:53:34.246717277 +0200
+diff --git a/audit.h b/audit.h
+index 92ede5b..a2dc3ff 100644
+--- a/audit.h
+++ b/audit.h
@@ -28,6 +28,7 @@
 # define _SSH_AUDIT_H
 
@ -693,9 +714,11 @@ diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h
 +void	audit_generate_ephemeral_server_key(const char *);
 
 #endif /* _SSH_AUDIT_H */
-diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c
--- openssh-6.3p1/auditstub.c.audit	2013-10-07 15:53:34.247717272 +0200
-+++ openssh-6.3p1/auditstub.c	2013-10-07 15:53:34.247717272 +0200
+diff --git a/auditstub.c b/auditstub.c
+new file mode 100644
+index 0000000..45817e0
+--- /dev/null
+++ b/auditstub.c
@@ -0,0 +1,50 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -747,10 +770,11 @@ diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +}
-diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
--- openssh-6.3p1/auth-rsa.c.audit	2013-07-18 08:12:44.000000000 +0200
-+++ openssh-6.3p1/auth-rsa.c	2013-10-07 15:53:34.247717272 +0200
-@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
+diff --git a/auth-rsa.c b/auth-rsa.c
+index 545aa49..dee0864 100644
+--- a/auth-rsa.c
+++ b/auth-rsa.c
+@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
 {
 	u_char buf[32], mdbuf[16];
 	MD5_CTX md;
@ -762,7 +786,7 @@ diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
 
 	/* don't allow short keys */
 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
+@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
 	MD5_Final(mdbuf, &md);
 
 	/* Verify that the response is the original challenge. */
@ -786,10 +810,25 @@ diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
 }
 
 /*
-diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h
--- openssh-6.3p1/auth.h.audit	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/auth.h	2013-10-07 16:02:38.629171107 +0200
-@@ -187,6 +187,7 @@ void	abandon_challenge_response(Authctxt
+diff --git a/auth.c b/auth.c
+index 420a85b..d613f8c 100644
+--- a/auth.c
+++ b/auth.c
+@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
+ 		record_failed_login(user,
+ 		    get_canonical_hostname(options.use_dns), "ssh");
+ #endif
+-#ifdef SSH_AUDIT_EVENTS
+-		audit_event(SSH_INVALID_USER);
+-#endif /* SSH_AUDIT_EVENTS */
+ 		return (NULL);
+ 	}
+ 	if (!allowed_user(pw))
+diff --git a/auth.h b/auth.h
+index 80f0898..157c738 100644
+--- a/auth.h
+++ b/auth.h
+@@ -187,6 +187,7 @@ void	abandon_challenge_response(Authctxt *);
 
 char	*expand_authorized_keys(const char *, struct passwd *pw);
 char	*authorized_principals_file(struct passwd *);
@ -805,9 +844,10 @@ diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h
 
 /* debug messages during authentication */
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c
--- openssh-6.3p1/auth2-hostbased.c.audit	2013-10-07 15:53:34.223717384 +0200
-+++ openssh-6.3p1/auth2-hostbased.c	2013-10-07 15:53:34.247717272 +0200
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 572b12d..615e4bd 100644
+--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -123,7 +123,7 @@ userauth_hostbased(Authctxt *authctxt)
 	/* test for allowed key and correct signature */
 	authenticated = 0;
@ -836,9 +876,10 @@ diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c
 /* return 1 if given hostkey is allowed */
 int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
--- openssh-6.3p1/auth2-pubkey.c.audit	2013-10-07 15:53:34.224717379 +0200
-+++ openssh-6.3p1/auth2-pubkey.c	2013-10-08 15:11:42.282436972 +0200
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 2dfba9e..c3771a3 100644
+--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -152,7 +152,7 @@ userauth_pubkey(Authctxt *authctxt)
 		/* test for correct signature */
 		authenticated = 0;
@ -848,7 +889,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
 		    buffer_len(&b))) == 1)
 			authenticated = 1;
 		buffer_free(&b);
-@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, con
+@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 	free(extra);
 }
 
@ -867,10 +908,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
 static int
 match_principals_option(const char *principal_list, struct KeyCert *cert)
 {
-diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c
--- openssh-6.3p1/auth2.c.audit	2013-06-01 23:41:51.000000000 +0200
-+++ openssh-6.3p1/auth2.c	2013-10-07 15:53:34.248717268 +0200
-@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32
+diff --git a/auth2.c b/auth2.c
+index f0cab8c..64c03a8 100644
+--- a/auth2.c
+++ b/auth2.c
+@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		} else {
 			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
@ -880,10 +922,11 @@ diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c
 		}
 #ifdef USE_PAM
 		if (options.use_pam)
-diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c
--- openssh-6.3p1/cipher.c.audit	2013-10-07 15:53:34.248717268 +0200
-+++ openssh-6.3p1/cipher.c	2013-10-07 16:06:51.117971891 +0200
-@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
+diff --git a/cipher.c b/cipher.c
+index a2cbe2b..02dceec 100644
+--- a/cipher.c
+++ b/cipher.c
+@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
 extern const EVP_CIPHER *evp_ssh1_3des(void);
 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
 
@ -902,9 +945,10 @@ diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c
 static const struct Cipher ciphers[] = {
 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
-diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h
--- openssh-6.3p1/cipher.h.audit	2013-04-23 11:24:32.000000000 +0200
-+++ openssh-6.3p1/cipher.h	2013-10-07 15:53:34.248717268 +0200
+diff --git a/cipher.h b/cipher.h
+index b878d50..d4e801b 100644
+--- a/cipher.h
+++ b/cipher.h
@@ -61,7 +61,18 @@
 typedef struct Cipher Cipher;
 typedef struct CipherContext CipherContext;
@ -925,9 +969,10 @@ diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h
 struct CipherContext {
 	int	plaintext;
 	int	encrypt;
-diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
--- openssh-6.3p1/kex.c.audit	2013-06-01 23:31:18.000000000 +0200
-+++ openssh-6.3p1/kex.c	2013-10-07 15:53:34.249717264 +0200
+diff --git a/kex.c b/kex.c
+index 54bd1a4..1c617b9 100644
+--- a/kex.c
+++ b/kex.c
@@ -49,6 +49,7 @@
 #include "dispatch.h"
 #include "monitor.h"
@ -990,7 +1035,7 @@ diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
 	}
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, i
+@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, int len)
 	fprintf(stderr, "\n");
 }
 #endif
@ -1025,9 +1070,10 @@ diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
 +
-diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h
--- openssh-6.3p1/kex.h.audit	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/kex.h	2013-10-07 15:53:34.249717264 +0200
+diff --git a/kex.h b/kex.h
+index 9f1e1ad..7d81793 100644
+--- a/kex.h
+++ b/kex.h
@@ -162,6 +162,8 @@ void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
@ -1037,9 +1083,10 @@ diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h
 void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c
--- openssh-6.3p1/key.c.audit	2013-10-07 15:53:34.224717379 +0200
-+++ openssh-6.3p1/key.c	2013-10-07 15:53:34.249717264 +0200
+diff --git a/key.c b/key.c
+index 4b10ef4..8c0a47d 100644
+--- a/key.c
+++ b/key.c
@@ -1773,6 +1773,30 @@ key_demote(const Key *k)
 }
 
@ -1071,9 +1118,10 @@ diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c
 key_is_cert(const Key *k)
 {
 	if (k == NULL)
-diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h
--- openssh-6.3p1/key.h.audit	2013-10-07 15:53:34.224717379 +0200
-+++ openssh-6.3p1/key.h	2013-10-07 15:53:34.249717264 +0200
+diff --git a/key.h b/key.h
+index 9d0e7a8..7a5b8f5 100644
+--- a/key.h
+++ b/key.h
@@ -110,6 +110,7 @@ Key	*key_generate(int, u_int);
 Key	*key_from_private(const Key *);
 int	 key_type_from_name(char *);
@ -1082,9 +1130,10 @@ diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h
 int	 key_type_plain(int);
 int	 key_to_certified(Key *, int);
 int	 key_drop_cert(Key *);
-diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c
--- openssh-6.3p1/mac.c.audit	2013-06-06 00:12:37.000000000 +0200
-+++ openssh-6.3p1/mac.c	2013-10-07 15:53:34.250717259 +0200
+diff --git a/mac.c b/mac.c
+index c4dfb50..cb53860 100644
+--- a/mac.c
+++ b/mac.c
@@ -224,6 +224,20 @@ mac_clear(Mac *mac)
 	mac->umac_ctx = NULL;
 }
@ -1106,17 +1155,19 @@ diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c
 /* XXX copied from ciphers_valid */
 #define	MAC_SEP	","
 int
-diff -up openssh-6.3p1/mac.h.audit openssh-6.3p1/mac.h
--- openssh-6.3p1/mac.h.audit	2013-04-23 11:24:32.000000000 +0200
-+++ openssh-6.3p1/mac.h	2013-10-07 15:53:34.250717259 +0200
+diff --git a/mac.h b/mac.h
+index 260798a..f51508e 100644
+--- a/mac.h
+++ b/mac.h
@@ -29,3 +29,4 @@ int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
-diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
--- openssh-6.3p1/monitor.c.audit	2013-10-07 15:53:34.217717411 +0200
-+++ openssh-6.3p1/monitor.c	2013-10-08 15:10:38.270726936 +0200
+diff --git a/monitor.c b/monitor.c
+index b5414ba..e28690e 100644
+--- a/monitor.c
+++ b/monitor.c
@@ -98,6 +98,7 @@
 #include "jpake.h"
 #include "roaming.h"
@ -1134,7 +1185,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 /* State exported from the child */
 
 struct {
-@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer *
+@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer *);
 #ifdef SSH_AUDIT_EVENTS
 int mm_answer_audit_event(int, Buffer *);
 int mm_answer_audit_command(int, Buffer *);
@ -1146,7 +1197,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 #endif
 
 static int monitor_read_log(struct monitor *);
-@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[]
+@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1157,7 +1208,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20
+@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20[] = {
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1169,7 +1220,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[]
+@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1180,7 +1231,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15
+@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15[] = {
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@ -1254,7 +1305,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
-@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buff
+@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buffer *m)
 {
 	u_int len;
 	char *cmd;
@ -1299,7 +1350,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 	free(cmd);
 	return (0);
 }
-@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor)
 
 	blob = buffer_get_string(&m, &bloblen);
 	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -1313,7 +1364,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 	free(blob);
 
 	/* Now get sequence numbers for the packets */
-@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor)
 	}
 
 	buffer_free(&m);
@ -1335,7 +1386,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 }
 
 
-@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
 }
 
 #endif /* JPAKE */
@ -1422,9 +1473,10 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
 +	return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
--- openssh-6.3p1/monitor.h.audit	2012-12-02 23:53:21.000000000 +0100
-+++ openssh-6.3p1/monitor.h	2013-10-07 15:53:34.251717254 +0200
+diff --git a/monitor.h b/monitor.h
+index 2caa469..1a15066 100644
+--- a/monitor.h
+++ b/monitor.h
@@ -68,7 +68,13 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
 	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1440,10 +1492,11 @@ diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
 
 };
 
-diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
--- openssh-6.4p1/monitor_wrap.c.audit	2013-11-08 13:26:47.062595006 +0100
-+++ openssh-6.4p1/monitor_wrap.c	2013-11-08 13:26:47.089594877 +0100
-@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, cha
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 4940761..75e9cba 100644
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
  */
 
 int
@ -1452,7 +1505,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
 {
 	Buffer m;
 	u_char *blob;
-@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
+@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
 		return (0);
 
 	buffer_init(&m);
@ -1460,7 +1513,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
 	buffer_put_string(&m, blob, len);
 	buffer_put_string(&m, sig, siglen);
 	buffer_put_string(&m, data, datalen);
-@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
+@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
 	return (verified);
 }
 
@ -1480,7 +1533,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
 /* Export key state after authentication */
 Newkeys *
 mm_newkeys_from_blob(u_char *blob, int blen)
-@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor
+@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor)
 		fatal("%s: conversion of newkeys failed", __func__);
 
 	buffer_put_string(&m, blob, bloblen);
@ -1508,7 +1561,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
 
 	debug3("%s entering command %s", __func__, command);
 
-@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command
+@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command)
 	buffer_put_cstring(&m, command);
 
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@ -1608,10 +1661,11 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h
--- openssh-6.3p1/monitor_wrap.h.audit	2011-06-20 06:42:23.000000000 +0200
-+++ openssh-6.3p1/monitor_wrap.h	2013-10-07 15:53:34.252717250 +0200
-@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 0c7f2e3..f47c7df 100644
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
 int mm_user_key_allowed(struct passwd *, Key *);
 int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
 int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
@ -1635,9 +1689,10 @@ diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h
 #endif
 
 struct Session;
-diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c
--- openssh-6.3p1/packet.c.audit	2013-10-07 15:53:34.231717347 +0200
-+++ openssh-6.3p1/packet.c	2013-10-07 16:08:00.764639577 +0200
+diff --git a/packet.c b/packet.c
+index 776660e..01eb4d1 100644
+--- a/packet.c
+++ b/packet.c
@@ -61,6 +61,7 @@
 #include <time.h>
 
@ -1834,18 +1889,20 @@ diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c
 +	backup_state = NULL;
 }
 +
-diff -up openssh-6.3p1/packet.h.audit openssh-6.3p1/packet.h
--- openssh-6.3p1/packet.h.audit	2013-07-18 08:12:45.000000000 +0200
-+++ openssh-6.3p1/packet.h	2013-10-07 15:53:34.252717250 +0200
+diff --git a/packet.h b/packet.h
+index f8edf85..c36c812 100644
+--- a/packet.h
+++ b/packet.h
@@ -124,4 +124,5 @@ void	 packet_restore_state(void);
 void	*packet_get_input(void);
 void	*packet_get_output(void);
 
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
-diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
--- openssh-6.3p1/session.c.audit	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/session.c	2013-10-07 16:03:43.975861636 +0200
+diff --git a/session.c b/session.c
+index d4b57bd..4279af5 100644
+--- a/session.c
+++ b/session.c
@@ -137,7 +137,7 @@ extern int log_stderr;
 extern int debug_flag;
 extern u_int utmp_len;
@ -1855,7 +1912,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
 extern Buffer loginmsg;
 
 /* original command from peer. */
-@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *comm
+@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *command)
 	/* Parent.  Close the slave side of the pseudo tty. */
 	close(ttyfd);
 
@ -1892,7 +1949,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
 #endif
 	if (s->ttyfd != -1)
 		ret = do_exec_pty(s, command);
-@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command
+@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command)
 	int r = 0;
 
 	/* remove hostkey from the child's memory */
@ -1912,7 +1969,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
 	sessions[id].next_unused = sessions_first_unused;
 	sessions_first_unused = id;
 }
-@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int cha
+@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int chanid)
 }
 
 Session *
@ -1932,7 +1989,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
 session_by_tty(char *tty)
 {
 	int i;
-@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int sta
+@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int status)
 		chan_write_failed(c);
 }
 
@ -1997,9 +2054,10 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
 -		session_destroy_all(session_pty_cleanup2);
 +		session_destroy_all(do_cleanup_one_session);
 }
-diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h
--- openssh-6.3p1/session.h.audit	2008-05-19 07:34:50.000000000 +0200
-+++ openssh-6.3p1/session.h	2013-10-07 15:53:34.253717245 +0200
+diff --git a/session.h b/session.h
+index cbb8e3a..fc6a7d3 100644
+--- a/session.h
+++ b/session.h
@@ -60,6 +60,12 @@ struct Session {
 		char	*name;
 		char	*val;
@ -2024,9 +2082,10 @@ diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h
 Session	*session_by_tty(char *);
 void	 session_close(Session *);
 void	 do_setusercontext(struct passwd *);
-diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
--- openssh-6.3p1/sshd.c.audit	2013-10-07 15:53:34.221717393 +0200
-+++ openssh-6.3p1/sshd.c	2013-10-07 15:53:34.254717240 +0200
+diff --git a/sshd.c b/sshd.c
+index 5b8a432..c792495 100644
+--- a/sshd.c
+++ b/sshd.c
@@ -119,6 +119,7 @@
 #endif
 #include "monitor_wrap.h"
@ -2060,7 +2119,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
 static void
 close_startup_pipes(void)
 {
-@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in
+@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in, int sock_out)
 	}
 }
 
@ -2177,7 +2236,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
 		monitor_child_postauth(pmonitor);
 
 		/* NEVERREACHED */
-@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *so
+@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 		if (received_sigterm) {
 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
--- a/openssh-6.4p1-cisco-dh-keys.patch
+++ b/openssh-6.4p1-cisco-dh-keys.patch
@ -0,0 +1,67 @@
+diff -up openssh-6.4p1/compat.c.cisco-dh openssh-6.4p1/compat.c
+--- openssh-6.4p1/compat.c.cisco-dh	2013-06-01 23:31:18.000000000 +0200
+++ openssh-6.4p1/compat.c	2014-12-04 13:28:03.717787655 +0100
+@@ -164,6 +164,7 @@ compat_datafellows(const char *version)
+ 					SSH_BUG_SCANNER },
+ 		{ "Probe-*",
+ 					SSH_BUG_PROBE },
+		{ "Cisco-*",		SSH_BUG_MAX4096DH },
+ 		{ NULL,			0 }
+ 	};
+ 
+diff -up openssh-6.4p1/compat.h.cisco-dh openssh-6.4p1/compat.h
+--- openssh-6.4p1/compat.h.cisco-dh	2014-12-04 13:28:03.717787655 +0100
+++ openssh-6.4p1/compat.h	2014-12-04 13:28:36.579658095 +0100
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR	0x02000000
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
+#define SSH_BUG_MAX4096DH       0x20000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+diff -up openssh-6.4p1/kexgexc.c.cisco-dh openssh-6.4p1/kexgexc.c
+--- openssh-6.4p1/kexgexc.c.cisco-dh	2014-12-04 13:28:03.717787655 +0100
+++ openssh-6.4p1/kexgexc.c	2014-12-04 13:31:03.270079756 +0100
+@@ -60,20 +60,36 @@ kexgex_client(Kex *kex)
+ 	int min, max, nbits;
+ 	DH *dh;
+ 
+	min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+	max = DH_GRP_MAX;
+
+	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
+ 	 * We need to also ensure that min < nbits < max */
+
+	if (datafellows & SSH_BUG_MAX4096DH) {
+		/* The largest min for these servers is 4096 */
+		min = MIN(min, 4096);
+	}
+
+ 	nbits = dh_estimate(kex->we_need * 8);
+	nbits = MIN(nbits, max);
+	nbits = MAX(nbits, min);
+
+	if (datafellows & SSH_BUG_MAX4096DH) {
+		/* Cannot have a nbits > 4096 for these servers */
+		nbits = MIN(nbits, 4096);
+		/* nbits has to be powers of two */
+		if (nbits == 3072)
+			nbits = 4096;
+	}
+ 
+ 	if (datafellows & SSH_OLD_DHGEX) {
+ 		/* Old GEX request */
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+ 		packet_put_int(nbits);
+-		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+-
+ 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
+ 	} else {
+ 		/* New GEX request */
+-		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
+ 		packet_put_int(min);
+ 		packet_put_int(nbits);
--- a/openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
+++ b/openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
@ -0,0 +1,28 @@
+diff --git a/ChangeLog b/ChangeLog
+index 7bcd596..3a0d993 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,9 @@
+20140823
+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
+   lastlog writing on platforms with high UIDs; bz#2263
+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
+   monitor, not preauth; bz#2263
+
+ 20140703
+  - OpenBSD CVS Sync
+    - djm@cvs.openbsd.org 2014/07/03 03:34:09
+diff --git a/monitor.c b/monitor.c
+index 453bea3..9dadb4d 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -524,6 +524,9 @@ monitor_child_postauth(struct monitor *pmonitor)
+ 	signal(SIGHUP, &monitor_child_handler);
+ 	signal(SIGTERM, &monitor_child_handler);
+ 	signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+	signal(SIGXFSZ, SIG_IGN);
+#endif
+ 
+ 	if (compat20) {
+ 		mon_dispatch = mon_dispatch_postauth20;
--- a/openssh-6.4p1-ip-port-config-parser.patch
+++ b/openssh-6.4p1-ip-port-config-parser.patch
@ -0,0 +1,24 @@
+diff --git a/misc.c b/misc.c
+index 2f11de4..36402d1 100644
+--- a/misc.c
+++ b/misc.c
+@@ -396,7 +396,7 @@ hpdelim(char **cp)
+ 			return NULL;
+ 		else
+ 			s++;
+-	} else if ((s = strpbrk(s, ":/")) == NULL)
+	} else if ((s = strpbrk(s, ":")) == NULL)
+ 		s = *cp + strlen(*cp); /* skip to end (see first case below) */
+ 
+ 	switch (*s) {
+@@ -405,7 +405,6 @@ hpdelim(char **cp)
+ 		break;
+ 
+ 	case ':':
+-	case '/':
+ 		*s = '\0';	/* terminate */
+ 		*cp = s + 1;
+ 		break;
+-- 
+2.1.0
+
--- a/openssh-6.4p1-kuserok.patch
+++ b/openssh-6.4p1-kuserok.patch
@ -0,0 +1,291 @@
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 7c83f59..966b4cb 100644
+--- a/auth-krb5.c
+++ b/auth-krb5.c
+@@ -54,6 +54,21 @@
+ 
+ extern ServerOptions	 options;
+ 
+int
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
+                 int k5login_exists)
+{
+	if (options.use_kuserok || !k5login_exists)
+		return krb5_kuserok(krb5_ctx, krb5_user, client);
+	else {
+		char kuser[65];
+
+		if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
+			return 0;
+		return strcmp(kuser, client) == 0;
+	}
+}
+
+ static int
+ krb5_init(void *context)
+ {
+@@ -157,7 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ 	if (problem)
+ 		goto out;
+ 
+-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+	/* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
+	 * depend on the existance of .k5login */
+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client, !options.use_kuserok)) {
+ 		problem = -1;
+ 		goto out;
+ 	}
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index b4d479e..a9326a7 100644
+--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
+     int);
+ 
+ static krb5_context krb_context = NULL;
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
+ 
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+ 
+@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
+  * Returns true if the user is OK to log in, otherwise returns 0
+  */
+ 
+/* The purpose of the function is to find out if a Kerberos principal is
+ * allowed to log in as the given local user. This is a general problem with
+ * Kerberized services because by design the Kerberos principals are
+ * completely independent from the local user names. This is one of the
+ * reasons why Kerberos is working well on different operating systems like
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
+ * principal and a local user name must be established because otherwise every
+ * access would be granted for every principal with a valid ticket.
+ *
+ * Since it is a general issue libkrb5 provides some functions for
+ * applications to find out about the relationship between the Kerberos
+ * principal and a local user name. They are krb5_kuserok() and
+ * krb5_aname_to_localname().
+ *
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
+ * log in as a local user" (from the MIT Kerberos documentation of this
+ * function). Which is exactly what we are looking for and should be the
+ * preferred choice. It accepts the Kerberos principal and a local user name
+ * and let libkrb5 or its plugins determine if they relate to each other or
+ * not.
+ *
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
+ * local name" (from the MIT Kerberos documentation of this function). It
+ * accepts a Kerberos principle and returns a local name and it is up to the
+ * application to do any additional checks. There are two issues using
+ * krb5_aname_to_localname(). First, since POSIX user names are case
+ * sensitive, the calling application in general has no other choice than
+ * doing a case-sensitive string comparison between the name returned by
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
+ * this might lead to login failures because the user typing the name at the
+ * login prompt might not be aware of the right case. Another issue might be
+ * caused if there are multiple alias names available for a single user. E.g.
+ * the canonical name of a user is user@group.department.example.com but there
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
+ * name, but if the short alias is used at the login prompt authentication
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
+ * given environment.
+ *
+ * The Fedora and RHEL version of openssh contain two patches which modify the
+ * access control behavior:
+ *  - openssh-6.6p1-kuserok.patch
+ *  - openssh-6.6p1-force_krb.patch
+ *
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
+ * sshd_config which controls if krb5_kuserok() is used to check if the
+ * principle is authorized or if krb5_aname_to_localname() should be used.
+ * The reason to add this patch was that krb5_kuserok() by default checks if
+ * a .k5login file exits in the users home-directory. With this the user can
+ * give access to his account for any given principal which might be
+ * in violation with company policies and it would be useful if this can be
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
+ * no only check .k5login but other sources as well and checking .k5login can
+ * be disabled for all applications in krb5.conf as well. With this new
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
+ * restrictions mentioned above.
+ *
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
+ * using GSSAPI authentication only commands configured in the .k5user can be
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
+ * does not use krb5_kuserok() which might be more useful for the given
+ * purpose. Additionally this patch is not synced with
+ * openssh-6.6p1-kuserok.patch.
+ *
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
+ * localauth plugins can be used. It does so by adding a forth parameter to
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
+ * to 'no' because the intent of the option is to not check .k5login and if it
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
+ * limitation and does not break the current behaviour.
+ *
+ * Additionally with this patch ssh_krb5_kuserok() is called in
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
+ * krb5_kuserok() as well.
+ *
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
+ * areas for improvement which, if they make sense, have to be evaluated
+ * carefully because they might change existing behaviour and cause breaks
+ * during upgrade:
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
+ *   be better disabled globally in krb5.conf
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
+ *   only disable checking .k5login and maybe .k5users
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
+ *   .k5users files directly like ksu itself does
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
+ *   the canonical name (the one returned by getpwnam()) instead of the name
+ *   given at the login prompt might be useful */
+
+ static int
+ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ {
+@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ 	/* NOTE: .k5login and .k5users must opened as root, not the user,
+ 	 * because if they are on a krb5-protected filesystem, user credentials
+ 	 * to access these files aren't available yet. */
+-	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+	if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
+			&& k5login_exists) {
+ 		retval = 1;
+ 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ 		    name, (char *)client->displayname.value);
+@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ 	/* If both .k5login and .k5users DNE, self-login is ok. */
+ 	if (!k5login_exists && (access(file, F_OK) == -1)) {
+-		return (krb5_aname_to_localname(krb_context, principal,
+-		    sizeof(kuser), kuser) == 0) &&
+-		    (strcmp(kuser, luser) == 0);
+                return ssh_krb5_kuserok(krb_context, principal, luser,
+                                        k5login_exists);
+ 	}
+ 	if ((fp = fopen(file, "r")) == NULL) {
+ 		int saved_errno = errno;
+diff --git a/servconf.c b/servconf.c
+index 277b2bd..1e88905 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
+ 	options->ip_qos_interactive = -1;
+ 	options->ip_qos_bulk = -1;
+ 	options->version_addendum = NULL;
+	options->use_kuserok = -1;
+ }
+ 
+ void
+@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
+ 		options->version_addendum = xstrdup("");
+ 	if (options->show_patchlevel == -1)
+ 		options->show_patchlevel = 0;
+	if (options->use_kuserok == -1)
+		options->use_kuserok = 1;
+ 
+ 	/* Turn privilege separation on by default */
+ 	if (use_privsep == -1)
+@@ -336,7 +339,7 @@ typedef enum {
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sRhostsRSAAuthentication, sRSAAuthentication,
+ 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+-	sKerberosGetAFSToken,
+	sKerberosGetAFSToken, sKerberosUseKuserok,
+ 	sKerberosTgtPassing, sChallengeResponseAuthentication,
+ 	sPasswordAuthentication, sKbdInteractiveAuthentication,
+ 	sListenAddress, sAddressFamily,
+@@ -409,11 +412,13 @@ static struct {
+ #else
+ 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+	{ "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
+ #else
+ 	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+	{ "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
+ #endif
+ 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
+@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		*activep = value;
+ 		break;
+ 
+	case sKerberosUseKuserok:
+		intptr = &options->use_kuserok;
+		goto parse_flag;
+
+ 	case sPermitOpen:
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ 	M_CP_INTOPT(max_authtries);
+ 	M_CP_INTOPT(ip_qos_interactive);
+ 	M_CP_INTOPT(ip_qos_bulk);
+	M_CP_INTOPT(use_kuserok);
+ 	M_CP_INTOPT(rekey_limit);
+ 	M_CP_INTOPT(rekey_interval);
+ 
+@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ 
+ 	/* string arguments */
+ 	dump_cfg_string(sPidFile, o->pid_file);
+diff --git a/servconf.h b/servconf.h
+index 57752cb..615aaba 100644
+--- a/servconf.h
+++ b/servconf.h
+@@ -174,6 +174,7 @@ typedef struct {
+ 
+ 	int	num_permitted_opens;
+ 
+	int	use_kuserok;
+ 	char   *chroot_directory;
+ 	char   *revoked_keys_file;
+ 	char   *trusted_user_ca_keys;
+diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
+--- openssh-6.3p1/sshd_config.5.kuserok	2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config.5	2013-10-11 21:41:42.907087528 +0200
+@@ -675,6 +675,10 @@ Specifies whether to automatically destr
+ file on logout.
+ The default is
+ .Dq yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Dq yes .
+ .It Cm KexAlgorithms
+ Specifies the available KEX (Key Exchange) algorithms.
+ Multiple algorithms must be comma-separated.
+@@ -833,6 +837,7 @@ Available keywords are
+ .Cm HostbasedUsesNameFromPacketOnly ,
+ .Cm KbdInteractiveAuthentication ,
+ .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
+ .Cm MaxAuthTries ,
+ .Cm MaxSessions ,
+ .Cm PasswordAuthentication ,
+diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
+--- openssh-6.3p1/sshd_config.kuserok	2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config	2013-10-11 21:41:42.907087528 +0200
+@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
+#KerberosUseKuserok yes
+ 
+ # GSSAPI options
+ #GSSAPIAuthentication no
--- a/openssh-6.4p1-partial-success.patch
+++ b/openssh-6.4p1-partial-success.patch
@ -0,0 +1,16 @@
+diff --git a/auth2.c b/auth2.c
+index 06b672c..8cb9a97 100644
+--- a/auth2.c
+++ b/auth2.c
+@@ -377,8 +377,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ 		authctxt->success = 1;
+ 	} else {
+ 
+-		/* Allow initial try of "none" auth without failure penalty */
+-		if (!authctxt->server_caused_failure &&
+		/* Allow initial try of "none" auth without failure penalty
+		 * Partial succes is not failure */
+		if (!authctxt->server_caused_failure && !partial &&
+ 		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ 			authctxt->failures++;
+ 		if (authctxt->failures >= options.max_authtries) {
--- a/openssh-6.4p1-scp-non-existing-directory.patch
+++ b/openssh-6.4p1-scp-non-existing-directory.patch
@ -0,0 +1,14 @@
+--- a/scp.c	
+++ a/scp.c	
+@@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
+ 			free(vect[0]);
+ 			continue;
+ 		}
+		if (buf[0] == 'C' && ! exists && np[strlen(np)-1] == '/') {
+			errno = ENOTDIR;
+			goto bad;
+		}
+ 		omode = mode;
+ 		mode |= S_IWUSR;
+ 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+-- 
--- a/openssh-6.4p1-servconf-parser.patch
+++ b/openssh-6.4p1-servconf-parser.patch
@ -0,0 +1,31 @@
+diff --git a/servconf.c b/servconf.c
+index 1e88905..f20504b 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -1562,7 +1562,7 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		break;
+ 
+ 	case sForceCommand:
+-		if (cp == NULL)
+		if (cp == NULL || *cp == '\0')
+ 			fatal("%.200s line %d: Missing argument.", filename,
+ 			    linenum);
+ 		len = strspn(cp, WHITESPACE);
+@@ -1607,7 +1607,7 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		break;
+ 
+ 	case sVersionAddendum:
+-		if (cp == NULL)
+		if (cp == NULL || *cp == '\0')
+ 			fatal("%.200s line %d: Missing argument.", filename,
+ 			    linenum);
+ 		len = strspn(cp, WHITESPACE);
+@@ -1642,6 +1642,8 @@ process_server_config_line(ServerOptions *options, char *line,
+ 		break;
+ 
+ 	case sAuthenticationMethods:
+		if (cp == NULL || *cp == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+ 		if (*activep && options->num_auth_methods == 0) {
+ 			while ((arg = strdelim(&cp)) && *arg != '\0') {
+ 				if (options->num_auth_methods >=
--- a/openssh-6.4p1-set_remote_ipaddr.patch
+++ b/openssh-6.4p1-set_remote_ipaddr.patch
@ -0,0 +1,87 @@
+diff --git a/canohost.c b/canohost.c
+index f5cb854..c53cc39 100644
+--- a/canohost.c
+++ b/canohost.c
+@@ -343,6 +343,21 @@ clear_cached_addr(void)
+ 	cached_port = -1;
+ }
+ 
+void set_remote_ipaddr(void) {
+	if (canonical_host_ip != NULL)
+		free(canonical_host_ip);
+
+	if (packet_connection_is_on_socket()) {
+		canonical_host_ip =
+		    get_peer_ipaddr(packet_get_connection_in());
+		if (canonical_host_ip == NULL)
+			cleanup_exit(255);
+	} else {
+		/* If not on socket, return UNKNOWN. */
+		canonical_host_ip = xstrdup("UNKNOWN");
+	}
+}
+
+ /*
+  * Returns the IP-address of the remote host as a string.  The returned
+  * string must not be freed.
+@@ -352,17 +367,9 @@ const char *
+ get_remote_ipaddr(void)
+ {
+ 	/* Check whether we have cached the ipaddr. */
+-	if (canonical_host_ip == NULL) {
+-		if (packet_connection_is_on_socket()) {
+-			canonical_host_ip =
+-			    get_peer_ipaddr(packet_get_connection_in());
+-			if (canonical_host_ip == NULL)
+-				cleanup_exit(255);
+-		} else {
+-			/* If not on socket, return UNKNOWN. */
+-			canonical_host_ip = xstrdup("UNKNOWN");
+-		}
+-	}
+	if (canonical_host_ip == NULL)
+		set_remote_ipaddr();
+
+ 	return canonical_host_ip;
+ }
+ 
+diff --git a/canohost.h b/canohost.h
+index 4c8636f..4079953 100644
+--- a/canohost.h
+++ b/canohost.h
+@@ -13,6 +13,7 @@
+  */
+ 
+ const char	*get_canonical_hostname(int);
+void		 set_remote_ipaddr(void);
+ const char	*get_remote_ipaddr(void);
+ const char	*get_remote_name_or_ip(u_int, int);
+ 
+diff --git a/sshconnect.c b/sshconnect.c
+index 4d8c718..b0b4870 100644
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -61,6 +61,7 @@
+ #include "roaming.h"
+ #include "ssh2.h"
+ #include "version.h"
+#include "canohost.h"
+ 
+ char *client_version_string = NULL;
+ char *server_version_string = NULL;
+@@ -172,6 +173,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
+ 	packet_set_connection(pout[0], pin[1]);
+ 	packet_set_timeout(options.server_alive_interval,
+ 	    options.server_alive_count_max);
+	set_remote_ipaddr();
+ 
+ 	/* Indicate OK return */
+ 	return 0;
+@@ -433,6 +435,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
+ 	packet_set_connection(sock, sock);
+ 	packet_set_timeout(options.server_alive_interval,
+ 	    options.server_alive_count_max);
+	set_remote_ipaddr();
+ 
+ 	return 0;
+ }
--- a/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
+++ b/openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
@ -0,0 +1,15 @@
+diff --git a/sftp.c b/sftp.c
+index 4e1a026..6f16f7c 100644
+--- a/sftp.c
+++ b/sftp.c
+@@ -1356,7 +1356,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
+ 	case I_SYMLINK:
+ 		sflag = 1;
+ 	case I_LINK:
+-		path1 = make_absolute(path1, *pwd);
+		if (!sflag)
+			path1 = make_absolute(path1, *pwd);
+ 		path2 = make_absolute(path2, *pwd);
+ 		err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2);
+ 		break;
+--
--- a/openssh-6.4p1-utf8-banner.patch
+++ b/openssh-6.4p1-utf8-banner.patch
@ -0,0 +1,994 @@
+diff --git a/Makefile.in b/Makefile.in
+index a82bb07..2c0ada8 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -79,7 +79,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+ 	kexgssc.o \
+ 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+-	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o utf8_stringprep.o
+ 
+ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+ 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
+diff --git a/misc.h b/misc.h
+index fceb306..379f7f3 100644
+--- a/misc.h
+++ b/misc.h
+@@ -104,4 +104,7 @@ char	*read_passphrase(const char *, int);
+ int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
+ int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+ 
+/* utf8_stringprep.c */
+int utf8_stringprep(const char *, char *, size_t);
+
+ #endif /* _MISC_H */
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 3179d82..c74644a 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -33,6 +33,8 @@
+ 
+ #include <errno.h>
+ #include <fcntl.h>
+#include <langinfo.h>
+#include <locale.h>
+ #include <netdb.h>
+ #include <pwd.h>
+ #include <signal.h>
+@@ -542,21 +544,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
+ 	    "type %d", type);
+ }
+ 
+/* Check whether we can display UTF-8 safely */
+static int
+utf8_ok(void)
+{
+	static int ret = -1;
+	char *cp;
+
+	if (ret == -1) {
+		setlocale(LC_CTYPE, "");
+		cp = nl_langinfo(CODESET);
+		ret = strcmp(cp, "UTF-8") == 0;
+	}
+	return ret;
+}
+
+ /* ARGSUSED */
+ void
+ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
+ {
+ 	char *msg, *raw, *lang;
+-	u_int len;
+	u_int done, len;
+ 
+ 	debug3("input_userauth_banner");
+
+ 	raw = packet_get_string(&len);
+ 	lang = packet_get_string(NULL);
+ 	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ 		if (len > 65536)
+ 			len = 65536;
+ 		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+-		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+		done = 0;
+		if (utf8_ok()) {
+			if (utf8_stringprep(raw, msg, len * 4 + 1) == 0)
+				done = 1;
+			else
+				debug2("%s: UTF8 stringprep failed", __func__);
+		}
+		/*
+		 * Fallback to strnvis if UTF8 display not supported or
+		 * conversion failed.
+		 */
+		if (!done) {
+			strnvis(msg, raw, len * 4 + 1,
+			    VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+		}
+ 		fprintf(stderr, "%s", msg);
+ 		free(msg);
+ 	}
+diff --git a/stringprep-tables.c b/stringprep-tables.c
+new file mode 100644
+index 0000000..49f4d9d
+--- /dev/null
+++ b/stringprep-tables.c
+@@ -0,0 +1,661 @@
+/* Public domain.  */
+
+/* $OpenBSD$ */
+
+/*
+ * Tables for RFC3454 stringprep algorithm, updated with a table of allocated
+ * characters generated from Unicode.6.2's UnicodeData.txt
+ *
+ * Intended to be included directly from utf8_stringprep.c
+ */
+
+/* Unassigned characters in Unicode 6.2 */
+static const struct u32_range unassigned[] = {
+	{ 0x0378, 0x0379 },
+	{ 0x037F, 0x0383 },
+	{ 0x038B, 0x038B },
+	{ 0x038D, 0x038D },
+	{ 0x03A2, 0x03A2 },
+	{ 0x0528, 0x0530 },
+	{ 0x0557, 0x0558 },
+	{ 0x0560, 0x0560 },
+	{ 0x0588, 0x0588 },
+	{ 0x058B, 0x058E },
+	{ 0x0590, 0x0590 },
+	{ 0x05C8, 0x05CF },
+	{ 0x05EB, 0x05EF },
+	{ 0x05F5, 0x05FF },
+	{ 0x0605, 0x0605 },
+	{ 0x061C, 0x061D },
+	{ 0x070E, 0x070E },
+	{ 0x074B, 0x074C },
+	{ 0x07B2, 0x07BF },
+	{ 0x07FB, 0x07FF },
+	{ 0x082E, 0x082F },
+	{ 0x083F, 0x083F },
+	{ 0x085C, 0x085D },
+	{ 0x085F, 0x089F },
+	{ 0x08A1, 0x08A1 },
+	{ 0x08AD, 0x08E3 },
+	{ 0x08FF, 0x08FF },
+	{ 0x0978, 0x0978 },
+	{ 0x0980, 0x0980 },
+	{ 0x0984, 0x0984 },
+	{ 0x098D, 0x098E },
+	{ 0x0991, 0x0992 },
+	{ 0x09A9, 0x09A9 },
+	{ 0x09B1, 0x09B1 },
+	{ 0x09B3, 0x09B5 },
+	{ 0x09BA, 0x09BB },
+	{ 0x09C5, 0x09C6 },
+	{ 0x09C9, 0x09CA },
+	{ 0x09CF, 0x09D6 },
+	{ 0x09D8, 0x09DB },
+	{ 0x09DE, 0x09DE },
+	{ 0x09E4, 0x09E5 },
+	{ 0x09FC, 0x0A00 },
+	{ 0x0A04, 0x0A04 },
+	{ 0x0A0B, 0x0A0E },
+	{ 0x0A11, 0x0A12 },
+	{ 0x0A29, 0x0A29 },
+	{ 0x0A31, 0x0A31 },
+	{ 0x0A34, 0x0A34 },
+	{ 0x0A37, 0x0A37 },
+	{ 0x0A3A, 0x0A3B },
+	{ 0x0A3D, 0x0A3D },
+	{ 0x0A43, 0x0A46 },
+	{ 0x0A49, 0x0A4A },
+	{ 0x0A4E, 0x0A50 },
+	{ 0x0A52, 0x0A58 },
+	{ 0x0A5D, 0x0A5D },
+	{ 0x0A5F, 0x0A65 },
+	{ 0x0A76, 0x0A80 },
+	{ 0x0A84, 0x0A84 },
+	{ 0x0A8E, 0x0A8E },
+	{ 0x0A92, 0x0A92 },
+	{ 0x0AA9, 0x0AA9 },
+	{ 0x0AB1, 0x0AB1 },
+	{ 0x0AB4, 0x0AB4 },
+	{ 0x0ABA, 0x0ABB },
+	{ 0x0AC6, 0x0AC6 },
+	{ 0x0ACA, 0x0ACA },
+	{ 0x0ACE, 0x0ACF },
+	{ 0x0AD1, 0x0ADF },
+	{ 0x0AE4, 0x0AE5 },
+	{ 0x0AF2, 0x0B00 },
+	{ 0x0B04, 0x0B04 },
+	{ 0x0B0D, 0x0B0E },
+	{ 0x0B11, 0x0B12 },
+	{ 0x0B29, 0x0B29 },
+	{ 0x0B31, 0x0B31 },
+	{ 0x0B34, 0x0B34 },
+	{ 0x0B3A, 0x0B3B },
+	{ 0x0B45, 0x0B46 },
+	{ 0x0B49, 0x0B4A },
+	{ 0x0B4E, 0x0B55 },
+	{ 0x0B58, 0x0B5B },
+	{ 0x0B5E, 0x0B5E },
+	{ 0x0B64, 0x0B65 },
+	{ 0x0B78, 0x0B81 },
+	{ 0x0B84, 0x0B84 },
+	{ 0x0B8B, 0x0B8D },
+	{ 0x0B91, 0x0B91 },
+	{ 0x0B96, 0x0B98 },
+	{ 0x0B9B, 0x0B9B },
+	{ 0x0B9D, 0x0B9D },
+	{ 0x0BA0, 0x0BA2 },
+	{ 0x0BA5, 0x0BA7 },
+	{ 0x0BAB, 0x0BAD },
+	{ 0x0BBA, 0x0BBD },
+	{ 0x0BC3, 0x0BC5 },
+	{ 0x0BC9, 0x0BC9 },
+	{ 0x0BCE, 0x0BCF },
+	{ 0x0BD1, 0x0BD6 },
+	{ 0x0BD8, 0x0BE5 },
+	{ 0x0BFB, 0x0C00 },
+	{ 0x0C04, 0x0C04 },
+	{ 0x0C0D, 0x0C0D },
+	{ 0x0C11, 0x0C11 },
+	{ 0x0C29, 0x0C29 },
+	{ 0x0C34, 0x0C34 },
+	{ 0x0C3A, 0x0C3C },
+	{ 0x0C45, 0x0C45 },
+	{ 0x0C49, 0x0C49 },
+	{ 0x0C4E, 0x0C54 },
+	{ 0x0C57, 0x0C57 },
+	{ 0x0C5A, 0x0C5F },
+	{ 0x0C64, 0x0C65 },
+	{ 0x0C70, 0x0C77 },
+	{ 0x0C80, 0x0C81 },
+	{ 0x0C84, 0x0C84 },
+	{ 0x0C8D, 0x0C8D },
+	{ 0x0C91, 0x0C91 },
+	{ 0x0CA9, 0x0CA9 },
+	{ 0x0CB4, 0x0CB4 },
+	{ 0x0CBA, 0x0CBB },
+	{ 0x0CC5, 0x0CC5 },
+	{ 0x0CC9, 0x0CC9 },
+	{ 0x0CCE, 0x0CD4 },
+	{ 0x0CD7, 0x0CDD },
+	{ 0x0CDF, 0x0CDF },
+	{ 0x0CE4, 0x0CE5 },
+	{ 0x0CF0, 0x0CF0 },
+	{ 0x0CF3, 0x0D01 },
+	{ 0x0D04, 0x0D04 },
+	{ 0x0D0D, 0x0D0D },
+	{ 0x0D11, 0x0D11 },
+	{ 0x0D3B, 0x0D3C },
+	{ 0x0D45, 0x0D45 },
+	{ 0x0D49, 0x0D49 },
+	{ 0x0D4F, 0x0D56 },
+	{ 0x0D58, 0x0D5F },
+	{ 0x0D64, 0x0D65 },
+	{ 0x0D76, 0x0D78 },
+	{ 0x0D80, 0x0D81 },
+	{ 0x0D84, 0x0D84 },
+	{ 0x0D97, 0x0D99 },
+	{ 0x0DB2, 0x0DB2 },
+	{ 0x0DBC, 0x0DBC },
+	{ 0x0DBE, 0x0DBF },
+	{ 0x0DC7, 0x0DC9 },
+	{ 0x0DCB, 0x0DCE },
+	{ 0x0DD5, 0x0DD5 },
+	{ 0x0DD7, 0x0DD7 },
+	{ 0x0DE0, 0x0DF1 },
+	{ 0x0DF5, 0x0E00 },
+	{ 0x0E3B, 0x0E3E },
+	{ 0x0E5C, 0x0E80 },
+	{ 0x0E83, 0x0E83 },
+	{ 0x0E85, 0x0E86 },
+	{ 0x0E89, 0x0E89 },
+	{ 0x0E8B, 0x0E8C },
+	{ 0x0E8E, 0x0E93 },
+	{ 0x0E98, 0x0E98 },
+	{ 0x0EA0, 0x0EA0 },
+	{ 0x0EA4, 0x0EA4 },
+	{ 0x0EA6, 0x0EA6 },
+	{ 0x0EA8, 0x0EA9 },
+	{ 0x0EAC, 0x0EAC },
+	{ 0x0EBA, 0x0EBA },
+	{ 0x0EBE, 0x0EBF },
+	{ 0x0EC5, 0x0EC5 },
+	{ 0x0EC7, 0x0EC7 },
+	{ 0x0ECE, 0x0ECF },
+	{ 0x0EDA, 0x0EDB },
+	{ 0x0EE0, 0x0EFF },
+	{ 0x0F48, 0x0F48 },
+	{ 0x0F6D, 0x0F70 },
+	{ 0x0F98, 0x0F98 },
+	{ 0x0FBD, 0x0FBD },
+	{ 0x0FCD, 0x0FCD },
+	{ 0x0FDB, 0x0FFF },
+	{ 0x10C6, 0x10C6 },
+	{ 0x10C8, 0x10CC },
+	{ 0x10CE, 0x10CF },
+	{ 0x1249, 0x1249 },
+	{ 0x124E, 0x124F },
+	{ 0x1257, 0x1257 },
+	{ 0x1259, 0x1259 },
+	{ 0x125E, 0x125F },
+	{ 0x1289, 0x1289 },
+	{ 0x128E, 0x128F },
+	{ 0x12B1, 0x12B1 },
+	{ 0x12B6, 0x12B7 },
+	{ 0x12BF, 0x12BF },
+	{ 0x12C1, 0x12C1 },
+	{ 0x12C6, 0x12C7 },
+	{ 0x12D7, 0x12D7 },
+	{ 0x1311, 0x1311 },
+	{ 0x1316, 0x1317 },
+	{ 0x135B, 0x135C },
+	{ 0x137D, 0x137F },
+	{ 0x139A, 0x139F },
+	{ 0x13F5, 0x13FF },
+	{ 0x169D, 0x169F },
+	{ 0x16F1, 0x16FF },
+	{ 0x170D, 0x170D },
+	{ 0x1715, 0x171F },
+	{ 0x1737, 0x173F },
+	{ 0x1754, 0x175F },
+	{ 0x176D, 0x176D },
+	{ 0x1771, 0x1771 },
+	{ 0x1774, 0x177F },
+	{ 0x17DE, 0x17DF },
+	{ 0x17EA, 0x17EF },
+	{ 0x17FA, 0x17FF },
+	{ 0x180F, 0x180F },
+	{ 0x181A, 0x181F },
+	{ 0x1878, 0x187F },
+	{ 0x18AB, 0x18AF },
+	{ 0x18F6, 0x18FF },
+	{ 0x191D, 0x191F },
+	{ 0x192C, 0x192F },
+	{ 0x193C, 0x193F },
+	{ 0x1941, 0x1943 },
+	{ 0x196E, 0x196F },
+	{ 0x1975, 0x197F },
+	{ 0x19AC, 0x19AF },
+	{ 0x19CA, 0x19CF },
+	{ 0x19DB, 0x19DD },
+	{ 0x1A1C, 0x1A1D },
+	{ 0x1A5F, 0x1A5F },
+	{ 0x1A7D, 0x1A7E },
+	{ 0x1A8A, 0x1A8F },
+	{ 0x1A9A, 0x1A9F },
+	{ 0x1AAE, 0x1AFF },
+	{ 0x1B4C, 0x1B4F },
+	{ 0x1B7D, 0x1B7F },
+	{ 0x1BF4, 0x1BFB },
+	{ 0x1C38, 0x1C3A },
+	{ 0x1C4A, 0x1C4C },
+	{ 0x1C80, 0x1CBF },
+	{ 0x1CC8, 0x1CCF },
+	{ 0x1CF7, 0x1CFF },
+	{ 0x1DE7, 0x1DFB },
+	{ 0x1F16, 0x1F17 },
+	{ 0x1F1E, 0x1F1F },
+	{ 0x1F46, 0x1F47 },
+	{ 0x1F4E, 0x1F4F },
+	{ 0x1F58, 0x1F58 },
+	{ 0x1F5A, 0x1F5A },
+	{ 0x1F5C, 0x1F5C },
+	{ 0x1F5E, 0x1F5E },
+	{ 0x1F7E, 0x1F7F },
+	{ 0x1FB5, 0x1FB5 },
+	{ 0x1FC5, 0x1FC5 },
+	{ 0x1FD4, 0x1FD5 },
+	{ 0x1FDC, 0x1FDC },
+	{ 0x1FF0, 0x1FF1 },
+	{ 0x1FF5, 0x1FF5 },
+	{ 0x1FFF, 0x1FFF },
+	{ 0x2065, 0x2069 },
+	{ 0x2072, 0x2073 },
+	{ 0x208F, 0x208F },
+	{ 0x209D, 0x209F },
+	{ 0x20BB, 0x20CF },
+	{ 0x20F1, 0x20FF },
+	{ 0x218A, 0x218F },
+	{ 0x23F4, 0x23FF },
+	{ 0x2427, 0x243F },
+	{ 0x244B, 0x245F },
+	{ 0x2700, 0x2700 },
+	{ 0x2B4D, 0x2B4F },
+	{ 0x2B5A, 0x2BFF },
+	{ 0x2C2F, 0x2C2F },
+	{ 0x2C5F, 0x2C5F },
+	{ 0x2CF4, 0x2CF8 },
+	{ 0x2D26, 0x2D26 },
+	{ 0x2D28, 0x2D2C },
+	{ 0x2D2E, 0x2D2F },
+	{ 0x2D68, 0x2D6E },
+	{ 0x2D71, 0x2D7E },
+	{ 0x2D97, 0x2D9F },
+	{ 0x2DA7, 0x2DA7 },
+	{ 0x2DAF, 0x2DAF },
+	{ 0x2DB7, 0x2DB7 },
+	{ 0x2DBF, 0x2DBF },
+	{ 0x2DC7, 0x2DC7 },
+	{ 0x2DCF, 0x2DCF },
+	{ 0x2DD7, 0x2DD7 },
+	{ 0x2DDF, 0x2DDF },
+	{ 0x2E3C, 0x2E7F },
+	{ 0x2E9A, 0x2E9A },
+	{ 0x2EF4, 0x2EFF },
+	{ 0x2FD6, 0x2FEF },
+	{ 0x2FFC, 0x2FFF },
+	{ 0x3040, 0x3040 },
+	{ 0x3097, 0x3098 },
+	{ 0x3100, 0x3104 },
+	{ 0x312E, 0x3130 },
+	{ 0x318F, 0x318F },
+	{ 0x31BB, 0x31BF },
+	{ 0x31E4, 0x31EF },
+	{ 0x321F, 0x321F },
+	{ 0x32FF, 0x32FF },
+	{ 0x4DB6, 0x4DBF },
+	{ 0x9FA6, 0x9FCB },
+	{ 0x9FCD, 0x9FFF },
+	{ 0xA48D, 0xA48F },
+	{ 0xA4C7, 0xA4CF },
+	{ 0xA62C, 0xA63F },
+	{ 0xA698, 0xA69E },
+	{ 0xA6F8, 0xA6FF },
+	{ 0xA78F, 0xA78F },
+	{ 0xA794, 0xA79F },
+	{ 0xA7AB, 0xA7F7 },
+	{ 0xA82C, 0xA82F },
+	{ 0xA83A, 0xA83F },
+	{ 0xA878, 0xA87F },
+	{ 0xA8C5, 0xA8CD },
+	{ 0xA8DA, 0xA8DF },
+	{ 0xA8FC, 0xA8FF },
+	{ 0xA954, 0xA95E },
+	{ 0xA97D, 0xA97F },
+	{ 0xA9CE, 0xA9CE },
+	{ 0xA9DA, 0xA9DD },
+	{ 0xA9E0, 0xA9FF },
+	{ 0xAA37, 0xAA3F },
+	{ 0xAA4E, 0xAA4F },
+	{ 0xAA5A, 0xAA5B },
+	{ 0xAA7C, 0xAA7F },
+	{ 0xAAC3, 0xAADA },
+	{ 0xAAF7, 0xAB00 },
+	{ 0xAB07, 0xAB08 },
+	{ 0xAB0F, 0xAB10 },
+	{ 0xAB17, 0xAB1F },
+	{ 0xAB27, 0xAB27 },
+	{ 0xAB2F, 0xABBF },
+	{ 0xABEE, 0xABEF },
+	{ 0xABFA, 0xABFF },
+	{ 0xD7A4, 0xD7AF },
+	{ 0xD7C7, 0xD7CA },
+	{ 0xD7FC, 0xD7FF },
+	{ 0xFA6E, 0xFA6F },
+	{ 0xFADA, 0xFAFF },
+	{ 0xFB07, 0xFB12 },
+	{ 0xFB18, 0xFB1C },
+	{ 0xFB37, 0xFB37 },
+	{ 0xFB3D, 0xFB3D },
+	{ 0xFB3F, 0xFB3F },
+	{ 0xFB42, 0xFB42 },
+	{ 0xFB45, 0xFB45 },
+	{ 0xFBC2, 0xFBD2 },
+	{ 0xFD40, 0xFD4F },
+	{ 0xFD90, 0xFD91 },
+	{ 0xFDC8, 0xFDCF },
+	{ 0xFDFE, 0xFDFF },
+	{ 0xFE1A, 0xFE1F },
+	{ 0xFE27, 0xFE2F },
+	{ 0xFE53, 0xFE53 },
+	{ 0xFE67, 0xFE67 },
+	{ 0xFE6C, 0xFE6F },
+	{ 0xFE75, 0xFE75 },
+	{ 0xFEFD, 0xFEFE },
+	{ 0xFF00, 0xFF00 },
+	{ 0xFFBF, 0xFFC1 },
+	{ 0xFFC8, 0xFFC9 },
+	{ 0xFFD0, 0xFFD1 },
+	{ 0xFFD8, 0xFFD9 },
+	{ 0xFFDD, 0xFFDF },
+	{ 0xFFE7, 0xFFE7 },
+	{ 0xFFEF, 0xFFF8 },
+	{ 0x1000C, 0x1000C },
+	{ 0x10027, 0x10027 },
+	{ 0x1003B, 0x1003B },
+	{ 0x1003E, 0x1003E },
+	{ 0x1004E, 0x1004F },
+	{ 0x1005E, 0x1007F },
+	{ 0x100FB, 0x100FF },
+	{ 0x10103, 0x10106 },
+	{ 0x10134, 0x10136 },
+	{ 0x1018B, 0x1018F },
+	{ 0x1019C, 0x101CF },
+	{ 0x101FE, 0x1027F },
+	{ 0x1029D, 0x1029F },
+	{ 0x102D1, 0x102FF },
+	{ 0x1031F, 0x1031F },
+	{ 0x10324, 0x1032F },
+	{ 0x1034B, 0x1037F },
+	{ 0x1039E, 0x1039E },
+	{ 0x103C4, 0x103C7 },
+	{ 0x103D6, 0x103FF },
+	{ 0x1049E, 0x1049F },
+	{ 0x104AA, 0x107FF },
+	{ 0x10806, 0x10807 },
+	{ 0x10809, 0x10809 },
+	{ 0x10836, 0x10836 },
+	{ 0x10839, 0x1083B },
+	{ 0x1083D, 0x1083E },
+	{ 0x10856, 0x10856 },
+	{ 0x10860, 0x108FF },
+	{ 0x1091C, 0x1091E },
+	{ 0x1093A, 0x1093E },
+	{ 0x10940, 0x1097F },
+	{ 0x109B8, 0x109BD },
+	{ 0x109C0, 0x109FF },
+	{ 0x10A04, 0x10A04 },
+	{ 0x10A07, 0x10A0B },
+	{ 0x10A14, 0x10A14 },
+	{ 0x10A18, 0x10A18 },
+	{ 0x10A34, 0x10A37 },
+	{ 0x10A3B, 0x10A3E },
+	{ 0x10A48, 0x10A4F },
+	{ 0x10A59, 0x10A5F },
+	{ 0x10A80, 0x10AFF },
+	{ 0x10B36, 0x10B38 },
+	{ 0x10B56, 0x10B57 },
+	{ 0x10B73, 0x10B77 },
+	{ 0x10B80, 0x10BFF },
+	{ 0x10C49, 0x10E5F },
+	{ 0x10E7F, 0x10FFF },
+	{ 0x1104E, 0x11051 },
+	{ 0x11070, 0x1107F },
+	{ 0x110C2, 0x110CF },
+	{ 0x110E9, 0x110EF },
+	{ 0x110FA, 0x110FF },
+	{ 0x11135, 0x11135 },
+	{ 0x11144, 0x1117F },
+	{ 0x111C9, 0x111CF },
+	{ 0x111DA, 0x1167F },
+	{ 0x116B8, 0x116BF },
+	{ 0x116CA, 0x11FFF },
+	{ 0x1236F, 0x123FF },
+	{ 0x12463, 0x1246F },
+	{ 0x12474, 0x12FFF },
+	{ 0x1342F, 0x167FF },
+	{ 0x16A39, 0x16EFF },
+	{ 0x16F45, 0x16F4F },
+	{ 0x16F7F, 0x16F8E },
+	{ 0x16FA0, 0x1AFFF },
+	{ 0x1B002, 0x1CFFF },
+	{ 0x1D0F6, 0x1D0FF },
+	{ 0x1D127, 0x1D128 },
+	{ 0x1D1DE, 0x1D1FF },
+	{ 0x1D246, 0x1D2FF },
+	{ 0x1D357, 0x1D35F },
+	{ 0x1D372, 0x1D3FF },
+	{ 0x1D455, 0x1D455 },
+	{ 0x1D49D, 0x1D49D },
+	{ 0x1D4A0, 0x1D4A1 },
+	{ 0x1D4A3, 0x1D4A4 },
+	{ 0x1D4A7, 0x1D4A8 },
+	{ 0x1D4AD, 0x1D4AD },
+	{ 0x1D4BA, 0x1D4BA },
+	{ 0x1D4BC, 0x1D4BC },
+	{ 0x1D4C4, 0x1D4C4 },
+	{ 0x1D506, 0x1D506 },
+	{ 0x1D50B, 0x1D50C },
+	{ 0x1D515, 0x1D515 },
+	{ 0x1D51D, 0x1D51D },
+	{ 0x1D53A, 0x1D53A },
+	{ 0x1D53F, 0x1D53F },
+	{ 0x1D545, 0x1D545 },
+	{ 0x1D547, 0x1D549 },
+	{ 0x1D551, 0x1D551 },
+	{ 0x1D6A6, 0x1D6A7 },
+	{ 0x1D7CC, 0x1D7CD },
+	{ 0x1D800, 0x1EDFF },
+	{ 0x1EE04, 0x1EE04 },
+	{ 0x1EE20, 0x1EE20 },
+	{ 0x1EE23, 0x1EE23 },
+	{ 0x1EE25, 0x1EE26 },
+	{ 0x1EE28, 0x1EE28 },
+	{ 0x1EE33, 0x1EE33 },
+	{ 0x1EE38, 0x1EE38 },
+	{ 0x1EE3A, 0x1EE3A },
+	{ 0x1EE3C, 0x1EE41 },
+	{ 0x1EE43, 0x1EE46 },
+	{ 0x1EE48, 0x1EE48 },
+	{ 0x1EE4A, 0x1EE4A },
+	{ 0x1EE4C, 0x1EE4C },
+	{ 0x1EE50, 0x1EE50 },
+	{ 0x1EE53, 0x1EE53 },
+	{ 0x1EE55, 0x1EE56 },
+	{ 0x1EE58, 0x1EE58 },
+	{ 0x1EE5A, 0x1EE5A },
+	{ 0x1EE5C, 0x1EE5C },
+	{ 0x1EE5E, 0x1EE5E },
+	{ 0x1EE60, 0x1EE60 },
+	{ 0x1EE63, 0x1EE63 },
+	{ 0x1EE65, 0x1EE66 },
+	{ 0x1EE6B, 0x1EE6B },
+	{ 0x1EE73, 0x1EE73 },
+	{ 0x1EE78, 0x1EE78 },
+	{ 0x1EE7D, 0x1EE7D },
+	{ 0x1EE7F, 0x1EE7F },
+	{ 0x1EE8A, 0x1EE8A },
+	{ 0x1EE9C, 0x1EEA0 },
+	{ 0x1EEA4, 0x1EEA4 },
+	{ 0x1EEAA, 0x1EEAA },
+	{ 0x1EEBC, 0x1EEEF },
+	{ 0x1EEF2, 0x1EFFF },
+	{ 0x1F02C, 0x1F02F },
+	{ 0x1F094, 0x1F09F },
+	{ 0x1F0AF, 0x1F0B0 },
+	{ 0x1F0BF, 0x1F0C0 },
+	{ 0x1F0D0, 0x1F0D0 },
+	{ 0x1F0E0, 0x1F0FF },
+	{ 0x1F10B, 0x1F10F },
+	{ 0x1F12F, 0x1F12F },
+	{ 0x1F16C, 0x1F16F },
+	{ 0x1F19B, 0x1F1E5 },
+	{ 0x1F203, 0x1F20F },
+	{ 0x1F23B, 0x1F23F },
+	{ 0x1F249, 0x1F24F },
+	{ 0x1F252, 0x1F2FF },
+	{ 0x1F321, 0x1F32F },
+	{ 0x1F336, 0x1F336 },
+	{ 0x1F37D, 0x1F37F },
+	{ 0x1F394, 0x1F39F },
+	{ 0x1F3C5, 0x1F3C5 },
+	{ 0x1F3CB, 0x1F3DF },
+	{ 0x1F3F1, 0x1F3FF },
+	{ 0x1F43F, 0x1F43F },
+	{ 0x1F441, 0x1F441 },
+	{ 0x1F4F8, 0x1F4F8 },
+	{ 0x1F4FD, 0x1F4FF },
+	{ 0x1F53E, 0x1F53F },
+	{ 0x1F544, 0x1F54F },
+	{ 0x1F568, 0x1F5FA },
+	{ 0x1F641, 0x1F644 },
+	{ 0x1F650, 0x1F67F },
+	{ 0x1F6C6, 0x1F6FF },
+	{ 0x1F774, 0x1FFFD },
+	{ 0x2A6D7, 0x2A6FF },
+	{ 0x2A701, 0x2B733 },
+	{ 0x2B735, 0x2B73F },
+	{ 0x2B741, 0x2B81C },
+	{ 0x2B81E, 0x2F7FF },
+	{ 0x2FA1E, 0x2FFFD },
+	{ 0x30000, 0x3FFFD },
+	{ 0x40000, 0x4FFFD },
+	{ 0x50000, 0x5FFFD },
+	{ 0x60000, 0x6FFFD },
+	{ 0x70000, 0x7FFFD },
+	{ 0x80000, 0x8FFFD },
+	{ 0x90000, 0x9FFFD },
+	{ 0xA0000, 0xAFFFD },
+	{ 0xB0000, 0xBFFFD },
+	{ 0xC0000, 0xCFFFD },
+	{ 0xD0000, 0xDFFFD },
+	{ 0xE0000, 0xE0000 },
+	{ 0xE0002, 0xE001F },
+	{ 0xE0080, 0xE00FF },
+	{ 0xE01F0, 0xEFFFD },
+};
+
+/* RFC3454 Table B.1 */
+static const struct u32_range map_to_nothing[] = {
+	{ 0x00AD, 0x00AD },
+	{ 0x034F, 0x034F },
+	{ 0x1806, 0x1806 },
+	{ 0x180B, 0x180D },
+	{ 0x200B, 0x200D },
+	{ 0x2060, 0x2060 },
+	{ 0xFE00, 0xFE0F },
+	{ 0xFEFF, 0xFEFF },
+};
+
+/* Local: allow tab, CR and LF */
+static const struct u32_range whitelist[] = {
+	{ 0x09, 0x09 },
+	{ 0x0a, 0x0a },
+	{ 0x0d, 0x0d },
+};
+
+/* RFC3454 Tables in appendix C */
+static const struct u32_range prohibited[] = {
+	/* C.2.1 ASCII control characters */
+	{ 0x0000, 0x001F },
+	{ 0x007F, 0x007F },
+	/* C.2.2 Non-ASCII control characters */
+	{ 0x0080, 0x009F },
+	{ 0x06DD, 0x06DD },
+	{ 0x070F, 0x070F },
+	{ 0x180E, 0x180E },
+	{ 0x200C, 0x200C },
+	{ 0x200D, 0x200D },
+	{ 0x2028, 0x2028 },
+	{ 0x2029, 0x2029 },
+	{ 0x2060, 0x2060 },
+	{ 0x2061, 0x2061 },
+	{ 0x2062, 0x2062 },
+	{ 0x2063, 0x2063 },
+	{ 0x206A, 0x206F },
+	{ 0xFEFF, 0xFEFF },
+	{ 0xFFF9, 0xFFFC },
+	{ 0x1D173, 0x1D17A },
+	/* C.3 Private use */
+	{ 0xE000, 0xF8FF },
+	{ 0xF0000, 0xFFFFD },
+	{ 0x100000, 0x10FFFD },
+	/* C.4 Non-character code points */
+	{ 0xFDD0, 0xFDEF },
+	{ 0xFFFE, 0xFFFF },
+	{ 0x1FFFE, 0x1FFFF },
+	{ 0x2FFFE, 0x2FFFF },
+	{ 0x3FFFE, 0x3FFFF },
+	{ 0x4FFFE, 0x4FFFF },
+	{ 0x5FFFE, 0x5FFFF },
+	{ 0x6FFFE, 0x6FFFF },
+	{ 0x7FFFE, 0x7FFFF },
+	{ 0x8FFFE, 0x8FFFF },
+	{ 0x9FFFE, 0x9FFFF },
+	{ 0xAFFFE, 0xAFFFF },
+	{ 0xBFFFE, 0xBFFFF },
+	{ 0xCFFFE, 0xCFFFF },
+	{ 0xDFFFE, 0xDFFFF },
+	{ 0xEFFFE, 0xEFFFF },
+	{ 0xFFFFE, 0xFFFFF },
+	{ 0x10FFFE, 0x10FFFF },
+	/* C.5 Surrogate codes */
+	{ 0xD800, 0xDFFF },
+	/* C.6 Inappropriate for plain text */
+	{ 0xFFF9, 0xFFF9 },
+	{ 0xFFFA, 0xFFFA },
+	{ 0xFFFB, 0xFFFB },
+	{ 0xFFFC, 0xFFFC },
+	{ 0xFFFD, 0xFFFD },
+	/* C.7 Inappropriate for canonical representation */
+	{ 0x2FF0, 0x2FFB },
+	/* C.8 Change display properties or are deprecated */
+	{ 0x0340, 0x0340 },
+	{ 0x0341, 0x0341 },
+	{ 0x200E, 0x200E },
+	{ 0x200F, 0x200F },
+	{ 0x202A, 0x202A },
+	{ 0x202B, 0x202B },
+	{ 0x202C, 0x202C },
+	{ 0x202D, 0x202D },
+	{ 0x202E, 0x202E },
+	{ 0x206A, 0x206A },
+	{ 0x206B, 0x206B },
+	{ 0x206C, 0x206C },
+	{ 0x206D, 0x206D },
+	{ 0x206E, 0x206E },
+	{ 0x206F, 0x206F },
+	/* C.9 Tagging characters */
+	{ 0xE0001, 0xE0001 },
+	{ 0xE0020, 0xE007F },
+};
+
+diff --git a/utf8_stringprep.c b/utf8_stringprep.c
+new file mode 100644
+index 0000000..bcafae7
+--- /dev/null
+++ b/utf8_stringprep.c
+@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is a simple RFC3454 stringprep profile to sanitise UTF-8 strings
+ * from untrusted sources.
+ *
+ * It is intended to be used prior to display of untrusted strings only.
+ * It should not be used for logging because of bi-di ambiguity. It
+ * should also not be used in any case where lack of normalisation may
+ * cause problems.
+ *
+ * This profile uses the prohibition and mapping tables from RFC3454
+ * (listed below) but the unassigned character table has been updated to
+ * Unicode 6.2. It uses a local whitelist of whitespace characters (\n,
+ * \a and \t). Unicode normalisation and bi-di testing are not used.
+ *
+ * XXX: implement bi-di handling (needed for logs)
+ * XXX: implement KC normalisation (needed for passing to libs/syscalls)
+ */
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+
+#include "misc.h"
+
+struct u32_range {
+	u_int32_t lo, hi;  /* Inclusive */
+};
+
+#include "stringprep-tables.c"
+
+/* Returns 1 if code 'c' appears in the table or 0 otherwise */
+static int
+code_in_table(u_int32_t c, const struct u32_range *table, size_t tlen)
+{
+	const struct u32_range *e, *end = (void *)(tlen + (char *)table);
+
+	for (e = table; e < end; e++) {
+		if (c >= e->lo && c <= e->hi)
+			return 1;
+	}
+	return 0;
+}
+
+/*
+ * Decode the next valid UCS character from a UTF-8 string, skipping past bad
+ * codes. Returns the decoded character or 0 for end-of-string and updates
+ * nextc to point to the start of the next character (if any).
+ * had_error is set if an invalid code was encountered.
+ */
+static u_int32_t
+decode_utf8(const char *in, const char **nextc, int *had_error)
+{
+	int state = 0;
+	size_t i;
+	u_int32_t c, e;
+
+	e = c = 0;
+	for (i = 0; in[i] != '\0'; i++) {
+		e = (u_char)in[i];
+		/* Invalid code point state */
+		if (state == -1) {
+			/*
+			 * Continue eating continuation characters until
+			 * a new start character comes along.
+			 */
+			if ((e & 0xc0) == 0x80)
+				continue;
+			state = 0;
+		}
+
+		/* New code point state */
+		if (state == 0) {
+			if ((e & 0x80) == 0) { /* 7 bit code */
+				c = e & 0x7f;
+				goto have_code;
+			} else if ((e & 0xe0) == 0xc0) { /* 11 bit code point */
+				state = 1;
+				c = (e & 0x1f) << 6;
+			} else if ((e & 0xf0) == 0xe0) { /* 16 bit code point */
+				state = 2;
+				c = (e & 0xf) << 12;
+			} else if ((e & 0xf8) == 0xf0) { /* 21 bit code point */
+				state = 3;
+				c = (e & 0x7) << 18;
+			} else {
+				/* A five or six byte header, or 0xff */
+				goto bad_encoding;
+			}
+			/*
+			 * Check that the header byte has some non-zero data
+			 * after masking off the length marker. If not it is
+			 * an invalid encoding.
+			 */
+			if (c == 0) {
+ bad_encoding:
+				c = 0;
+				state = -1;
+				if (had_error != NULL)
+					*had_error = 1;
+			}
+			continue;
+		}
+
+		/* Sanity check: should never happen */
+		if (state < 1 || state > 5) {
+			*nextc = NULL;
+			if (had_error != NULL)
+				*had_error = 1;
+			return 0;
+		}
+		/* Multibyte code point state */
+		state--;
+		c |= (e & 0x3f) << (state * 6);	
+		if (state > 0)
+			continue;
+
+		/* RFC3629 bans codepoints > U+10FFFF */
+		if (c > 0x10FFFF) {
+			if (had_error != NULL)
+				*had_error = 1;
+			continue;
+		}
+ have_code:
+		*nextc = in + i + 1;
+		return c;
+	}
+	if (state != 0 && had_error != NULL)
+		*had_error = 1;
+	*nextc = in + i;
+	return 0;
+}
+
+/*
+ * Attempt to encode a UCS character as a UTF-8 sequence. Returns the number
+ * of characters used or -1 on error (insufficient space or bad code).
+ */
+static int
+encode_utf8(u_int32_t c, char *s, size_t slen)
+{
+	size_t i, need;
+	u_char h;
+
+	if (c < 0x80) {
+		if (slen >= 1) {
+			s[0] = (char)c;
+		}
+		return 1;
+	} else if (c < 0x800) {
+		need = 2;
+		h = 0xc0;
+	} else if (c < 0x10000) {
+		need = 3;
+		h = 0xe0;
+	} else if (c < 0x200000) {
+		need = 4;
+		h = 0xf0;
+	} else {
+		/* Invalid code point > U+10FFFF */
+		return -1;
+	}
+	if (need > slen)
+		return -1;
+	for (i = 0; i < need; i++) {
+		s[i] = (i == 0 ? h : 0x80);
+		s[i] |= (c >> (need - i - 1) * 6) & 0x3f;
+	}
+	return need;
+}
+
+
+/*
+ * Normalise a UTF-8 string using the RFC3454 stringprep algorithm.
+ * Returns 0 on success or -1 on failure (prohibited code or insufficient
+ * length in the output string.
+ * Requires an output buffer at most the same length as the input.
+ */
+int
+utf8_stringprep(const char *in, char *out, size_t olen)
+{
+	int r;
+	size_t o;
+	u_int32_t c;
+
+	if (olen < 1)
+		return -1;
+
+	for (o = 0; (c = decode_utf8(in, &in, NULL)) != 0;) {
+		/* Mapping */
+		if (code_in_table(c, map_to_nothing, sizeof(map_to_nothing)))
+			continue;
+
+		/* Prohibitied output */
+		if (code_in_table(c, prohibited, sizeof(prohibited)) &&
+		    !code_in_table(c, whitelist, sizeof(whitelist)))
+			return -1;
+
+		/* Map unassigned code points to U+FFFD */
+		if (code_in_table(c, unassigned, sizeof(unassigned)))
+			c = 0xFFFD;
+
+		/* Encode the character */
+		r = encode_utf8(c, out + o, olen - o - 1);
+		if (r < 0)
+			return -1;
+		o += r;
+	}
+	out[o] = '\0';
+	return 0;
+}
+
--- a/openssh.spec
+++ b/openssh.spec
@ -64,7 +64,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.4p1
-%define openssh_rel 4
+%define openssh_rel 8
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 1

@ -175,9 +175,12 @@ Patch713: openssh-6.3p1-ctr-cavstest.patch
 Patch800: openssh-6.3p1-gsskex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
 Patch801: openssh-6.3p1-force_krb.patch
+# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
+# CVE-2014-9278
+Patch802: openssh-6.4p1-GSSAPIEnablek5users.patch
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.3p1-kuserok.patch
+Patch901: openssh-6.4p1-kuserok.patch
 # use default_ccache_name from /etc/krb5.conf (#991186)
 Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 # increase the size of the Diffie-Hellman groups (#1010607)
@ -195,7 +198,32 @@ Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
 Patch908: openssh-6.4p1-CVE-2014-2653.patch
 # ignore environment variables with embedded '=' or '\0' characters (#1077843)
 Patch909: openssh-6.4p1-ignore-bad-env-var.patch
-
+# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
+Patch910: openssh-6.4p1-NI_MAXHOST.patch
+# set a client's address right after a connection is set
+# http://bugzilla.mindrot.org/show_bug.cgi?id=2257
+Patch911: openssh-6.4p1-set_remote_ipaddr.patch
+# apply RFC3454 stringprep to banners when possible
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2058
+# slightly changed patch from comment 10
+Patch912: openssh-6.4p1-utf8-banner.patch
+# don't consider a partial success as a failure
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2270
+Patch913: openssh-6.4p1-partial-success.patch
+# fix parsing of empty options in sshd_conf
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2281
+Patch914: openssh-6.4p1-servconf-parser.patch
+# Ignore SIGXFSZ in postauth monitor
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
+Patch915: openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
+# use different values for DH for Cisco servers (#1026430)
+Patch916: openssh-6.4p1-cisco-dh-keys.patch
+# sftp: remote directory always prepended to relative symbolic links (#825538)
+Patch917: openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
+# scp file into non-existing directory (#1142223)
+Patch918: openssh-6.4p1-scp-non-existing-directory.patch
+# Config parser shouldn't accept ip/port syntax (#1130733)
+Patch919: openssh-6.4p1-ip-port-config-parser.patch

 License: BSD
 Group: Applications/Internet
@ -423,6 +451,18 @@ popd
 %patch907 -p1 -b .CLOCK_BOOTTIME
 %patch908 -p1 -b .CVE-2014-2653
 %patch909 -p1 -b .bad-env-var
+%patch910 -p1 -b .NI_MAXHOST
+%patch911 -p1 -b .set_remote_ipaddr
+%patch912 -p1 -b .utf8-banner
+%patch913 -p1 -b .partial-success
+%patch914 -p1 -b .servconf
+%patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .cisco-dh
+%patch917 -p1 -b .sftp
+%patch918 -p1 -b .scp
+%patch919 -p1 -b .config
+%patch802 -p1 -b .GSSAPIEnablek5users
+

 %if 0
 # Nothing here yet
@ -477,7 +517,7 @@ fi
 	--with-default-path=/usr/local/bin:/usr/bin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/sshd \
-	--enable-vendor-patchlevel="FC-%{version}-%{release}" \
+	--enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
 	--disable-strip \
 	--without-zlib-version-check \
 	--with-ssl-engine \
@ -737,6 +777,32 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
+* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.4p1-8 + 0.9.3-1
+- error message if scp when directory doesn't exist (#1142223)
+- parsing configuration file values (#1130733)
+- documentation in service and socket files for systemd (#1181593)
+- updated ldap patch (#981058)
+- fixed vendor-patchlevel
+- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745)
+- increase size of AUDIT_LOG_SIZE to 256
+- backport fix for sftp prepending remote directory to relative symlinks (#825538)
+
+* Thu Dec 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-7 + 0.9.3-1
+- use different values for DH for Cisco servers (#1026430)
+
+* Tue Nov 11 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-6 + 0.9.3-1
+- correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073)
+- change audit trail for unknown users (mindrot#2245)
+- fix kuserok patch which checked for the existence of .k5login
+  unconditionally and hence prevented other mechanisms to be used properly
+- ignore SIGXFSZ in postauth monitor (mindrot#2263)
+- set a client's address right after a connection is set (mindrot#2257)
+- apply RFC3454 stringprep to banners when possible (mindrot#2058)
+- don't consider a partial success as a failure (mindrot#2270)
+
+* Fri Jul 18 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-5 + 0.9.3-1
+- standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
+
 * Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1
 - use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
 - make /etc/ssh/moduli file public (#1043661)
--- a/sshd.service
+++ b/sshd.service
@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
 After=syslog.target network.target auditd.service

 [Service]
--- a/sshd.socket
+++ b/sshd.socket
@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
 Conflicts=sshd.service

 [Socket]
--- a/sshd@.service
+++ b/sshd@.service
@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
 Wants=sshd-keygen.service
 After=auditd.service sshd-keygen.service
Author	SHA1	Message	Date
Jakub Jelen	4769e25cb1	the .local domain example should be in ssh_config, not in sshd_config	2015-03-11 11:43:08 +01:00
Jakub Jelen	e3688ed6ab	6.4p1-8 + 0.9.3-1	2015-01-15 15:27:59 +01:00
Jakub Jelen	9718c78d6b	Add missing documentation link to systemd service files (RHBZ#1181593)	2015-01-15 15:27:59 +01:00
Petr Lautrbach	e83e64b469	add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745 )	2015-01-15 15:27:59 +01:00
Jakub Jelen	6d6c363361	Update vendor-patchlevel string	2015-01-15 15:27:59 +01:00
Jakub Jelen	284aebf281	Update ldap extension to resolve #981058	2015-01-15 15:27:59 +01:00
Jakub Jelen	6b64f7566c	Fix config parser for ip:port values (#1130733 )	2015-01-15 15:27:59 +01:00
Jakub Jelen	87ef7b8238	Fix confusing error message in scp (#1142223 )	2015-01-15 15:27:59 +01:00
Petr Lautrbach	11084609c9	increase size of AUDIT_LOG_SIZE to 256	2015-01-15 15:27:59 +01:00
Jakub Jelen	91cb47ec28	backport fix for sftp prepending remote directory to relative symlinks (#825538 )	2015-01-09 17:21:15 +01:00
Petr Lautrbach	2de83b1356	6.4p1-7 + 0.9.3-1	2014-12-04 14:30:46 +01:00
Petr Lautrbach	2f3cd96ab9	use different values for DH for Cisco servers (#1026430 )	2014-12-04 14:30:23 +01:00
Petr Lautrbach	b64b2cc975	6.4p1-6 + 0.9.3-1	2014-11-11 16:06:16 +01:00
Petr Lautrbach	1232a2070b	correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073 )	2014-11-11 16:02:12 +01:00
Petr Lautrbach	c53250668e	change audit trail - do not use (invalid user) - change acct for an unknown user "(unknown)" - don't send login audit event in getpwnamallow()	2014-11-11 16:01:29 +01:00
Petr Lautrbach	4a92081130	fix kuserok patch which checked for the existence of .k5login unconditionally and hence prevented other mechanisms to be used properly	2014-11-11 11:34:18 +01:00
Petr Lautrbach	3c7aefbbeb	Ignore SIGXFSZ in postauth monitor https://bugzilla.mindrot.org/show_bug.cgi?id=2263	2014-11-10 14:39:23 +01:00
Petr Lautrbach	f9f5754ffc	fix parsing of empty arguments in sshd_conf https://bugzilla.mindrot.org/show_bug.cgi?id=2281	2014-11-10 10:58:25 +01:00
Petr Lautrbach	2ab5418106	don't consider a partial success as a failure	2014-11-10 10:53:49 +01:00
Petr Lautrbach	a1fe096ff3	apply RFC3454 stringprep to banners when possible https://bugzilla.mindrot.org/show_bug.cgi?id=2058	2014-11-10 10:51:04 +01:00
Petr Lautrbach	9f170e3ec1	set a client's address right after a connection is set http://bugzilla.mindrot.org/show_bug.cgi?id=2257	2014-11-10 10:30:45 +01:00
Petr Lautrbach	81226fcc51	6.4p1-5 + 0.9.3-1	2014-07-18 08:42:26 +02:00
Petr Lautrbach	66d55f7a69	standardise on NI_MAXHOST for gethostname() string lengths (#1051490 )	2014-07-17 18:30:37 +02:00