From owner-svn-src-all@freebsd.org  Wed Aug 26 09:25:19 2015
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 39FE89C0DE8;
 Wed, 26 Aug 2015 09:25:19 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 26CEE147;
 Wed, 26 Aug 2015 09:25:19 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7Q9PJe2064315;
 Wed, 26 Aug 2015 09:25:19 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7Q9PHPq064309;
 Wed, 26 Aug 2015 09:25:17 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201508260925.t7Q9PHPq064309@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Wed, 26 Aug 2015 09:25:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-vendor@freebsd.org
Subject: svn commit: r287156 - in vendor-crypto/openssh/dist: . contrib/redhat
 contrib/suse openbsd-compat regress regress/unittests regress/unittests/kex
 regress/unittests/sshkey regress/unittests/sshkey/t...
X-SVN-Group: vendor-crypto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 09:25:19 -0000

Author: des
Date: Wed Aug 26 09:25:17 2015
New Revision: 287156
URL: https://svnweb.freebsd.org/changeset/base/287156

Log:
  Vendor import of OpenSSH 7.0p1

Modified:
  vendor-crypto/openssh/dist/ChangeLog
  vendor-crypto/openssh/dist/OVERVIEW
  vendor-crypto/openssh/dist/PROTOCOL
  vendor-crypto/openssh/dist/PROTOCOL.mux
  vendor-crypto/openssh/dist/README
  vendor-crypto/openssh/dist/addrmatch.c
  vendor-crypto/openssh/dist/auth-options.c
  vendor-crypto/openssh/dist/auth.c
  vendor-crypto/openssh/dist/auth2-chall.c
  vendor-crypto/openssh/dist/authfd.c
  vendor-crypto/openssh/dist/authfile.c
  vendor-crypto/openssh/dist/cipher.h
  vendor-crypto/openssh/dist/clientloop.c
  vendor-crypto/openssh/dist/compat.c
  vendor-crypto/openssh/dist/config.h.in
  vendor-crypto/openssh/dist/configure
  vendor-crypto/openssh/dist/configure.ac
  vendor-crypto/openssh/dist/contrib/redhat/openssh.spec
  vendor-crypto/openssh/dist/contrib/suse/openssh.spec
  vendor-crypto/openssh/dist/kex.c
  vendor-crypto/openssh/dist/kex.h
  vendor-crypto/openssh/dist/key.c
  vendor-crypto/openssh/dist/key.h
  vendor-crypto/openssh/dist/krl.c
  vendor-crypto/openssh/dist/log.c
  vendor-crypto/openssh/dist/moduli
  vendor-crypto/openssh/dist/moduli.0
  vendor-crypto/openssh/dist/monitor.c
  vendor-crypto/openssh/dist/monitor_wrap.c
  vendor-crypto/openssh/dist/myproposal.h
  vendor-crypto/openssh/dist/openbsd-compat/openbsd-compat.h
  vendor-crypto/openssh/dist/openbsd-compat/port-linux.c
  vendor-crypto/openssh/dist/openbsd-compat/realpath.c
  vendor-crypto/openssh/dist/packet.c
  vendor-crypto/openssh/dist/readconf.c
  vendor-crypto/openssh/dist/readconf.h
  vendor-crypto/openssh/dist/regress/cert-hostkey.sh
  vendor-crypto/openssh/dist/regress/cert-userkey.sh
  vendor-crypto/openssh/dist/regress/hostkey-agent.sh
  vendor-crypto/openssh/dist/regress/hostkey-rotate.sh
  vendor-crypto/openssh/dist/regress/keygen-knownhosts.sh
  vendor-crypto/openssh/dist/regress/keytype.sh
  vendor-crypto/openssh/dist/regress/principals-command.sh
  vendor-crypto/openssh/dist/regress/unittests/Makefile.inc
  vendor-crypto/openssh/dist/regress/unittests/kex/test_kex.c
  vendor-crypto/openssh/dist/regress/unittests/sshkey/mktestdata.sh
  vendor-crypto/openssh/dist/regress/unittests/sshkey/test_file.c
  vendor-crypto/openssh/dist/regress/unittests/sshkey/test_sshkey.c
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1-cert.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1-cert.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.param.g
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.param.priv
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.param.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_1_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_2
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_2.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_2.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_2.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/dsa_n_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1.param.priv
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1.param.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_1_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2.param.priv
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2.param.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_2.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ecdsa_n_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1-cert.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_1_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_2
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_2.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_2.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/ed25519_2.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1.param.n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_1_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_2
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_2.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_2.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_2.param.n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa1_2.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1-cert.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1-cert.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.param.n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.param.p
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.param.q
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_1_pw
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.fp
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.fp.bb
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.param.n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.param.p
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.param.q
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_2.pub
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_n
  vendor-crypto/openssh/dist/regress/unittests/sshkey/testdata/rsa_n_pw
  vendor-crypto/openssh/dist/sandbox-systrace.c
  vendor-crypto/openssh/dist/scp.0
  vendor-crypto/openssh/dist/scp.1
  vendor-crypto/openssh/dist/servconf.c
  vendor-crypto/openssh/dist/servconf.h
  vendor-crypto/openssh/dist/sftp-server.0
  vendor-crypto/openssh/dist/sftp.0
  vendor-crypto/openssh/dist/ssh-add.0
  vendor-crypto/openssh/dist/ssh-add.c
  vendor-crypto/openssh/dist/ssh-agent.0
  vendor-crypto/openssh/dist/ssh-agent.c
  vendor-crypto/openssh/dist/ssh-keygen.0
  vendor-crypto/openssh/dist/ssh-keygen.1
  vendor-crypto/openssh/dist/ssh-keygen.c
  vendor-crypto/openssh/dist/ssh-keyscan.0
  vendor-crypto/openssh/dist/ssh-keysign.0
  vendor-crypto/openssh/dist/ssh-keysign.c
  vendor-crypto/openssh/dist/ssh-pkcs11-helper.0
  vendor-crypto/openssh/dist/ssh-pkcs11.c
  vendor-crypto/openssh/dist/ssh.0
  vendor-crypto/openssh/dist/ssh.1
  vendor-crypto/openssh/dist/ssh.c
  vendor-crypto/openssh/dist/ssh.h
  vendor-crypto/openssh/dist/ssh_config.0
  vendor-crypto/openssh/dist/ssh_config.5
  vendor-crypto/openssh/dist/sshconnect2.c
  vendor-crypto/openssh/dist/sshd.0
  vendor-crypto/openssh/dist/sshd.8
  vendor-crypto/openssh/dist/sshd.c
  vendor-crypto/openssh/dist/sshd_config
  vendor-crypto/openssh/dist/sshd_config.0
  vendor-crypto/openssh/dist/sshd_config.5
  vendor-crypto/openssh/dist/sshkey.c
  vendor-crypto/openssh/dist/sshkey.h
  vendor-crypto/openssh/dist/sshpty.c
  vendor-crypto/openssh/dist/version.h

Modified: vendor-crypto/openssh/dist/ChangeLog
==============================================================================
--- vendor-crypto/openssh/dist/ChangeLog	Wed Aug 26 03:44:48 2015	(r287155)
+++ vendor-crypto/openssh/dist/ChangeLog	Wed Aug 26 09:25:17 2015	(r287156)
@@ -1,3 +1,575 @@
+commit 1dc8d93ce69d6565747eb44446ed117187621b26
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Thu Aug 6 14:53:21 2015 +0000
+
+    upstream commit
+    
+    add prohibit-password as a synonymn for without-password,
+     since the without-password is causing too many questions.  Harden it to ban
+     all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
+     djm, ok markus
+    
+    Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
+
+commit 90a95a4745a531b62b81ce3b025e892bdc434de5
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 11 13:53:41 2015 +1000
+
+    update version in README
+
+commit 318c37743534b58124f1bab37a8a0087a3a9bd2f
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 11 13:53:09 2015 +1000
+
+    update versions in *.spec
+
+commit 5e75f5198769056089fb06c4d738ab0e5abc66f7
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 11 13:34:12 2015 +1000
+
+    set sshpam_ctxt to NULL after free
+    
+    Avoids use-after-free in monitor when privsep child is compromised.
+    Reported by Moritz Jodeit; ok dtucker@
+
+commit d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Aug 11 13:33:24 2015 +1000
+
+    Don't resend username to PAM; it already has it.
+    
+    Pointed out by Moritz Jodeit; ok dtucker@
+
+commit 88763a6c893bf3dfe951ba9271bf09715e8d91ca
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Mon Jul 27 12:14:25 2015 +1000
+
+    Import updated moduli file from OpenBSD.
+
+commit 55b263fb7cfeacb81aaf1c2036e0394c881637da
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Aug 10 11:13:44 2015 +1000
+
+    let principals-command.sh work for noexec /var/run
+
+commit 2651e34cd11b1aac3a0fe23b86d8c2ff35c07897
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Aug 6 11:43:42 2015 +1000
+
+    work around echo -n / sed behaviour in tests
+
+commit d85dad81778c1aa8106acd46930b25fdf0d15b2a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Aug 5 05:27:33 2015 +0000
+
+    upstream commit
+    
+    adjust for RSA minimum modulus switch; ok deraadt@
+    
+    Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
+
+commit 57e8e229bad5fe6056b5f1199665f5f7008192c6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Aug 4 05:23:06 2015 +0000
+
+    upstream commit
+    
+    backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
+     release; problems spotted by sthen@ ok deraadt@ markus@
+    
+    Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
+
+commit f097d0ea1e0889ca0fa2e53a00214e43ab7fa22a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sun Aug 2 09:56:42 2015 +0000
+
+    upstream commit
+    
+    openssh 7.0; ok deraadt@
+    
+    Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
+
+commit 3d5728a0f6874ce4efb16913a12963595070f3a9
+Author: chris@openbsd.org <chris@openbsd.org>
+Date:   Fri Jul 31 15:38:09 2015 +0000
+
+    upstream commit
+    
+    Allow PermitRootLogin to be overridden by config
+    
+    ok markus@ deeradt@
+    
+    Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
+
+commit 6f941396b6835ad18018845f515b0c4fe20be21a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jul 30 23:09:15 2015 +0000
+
+    upstream commit
+    
+    fix pty permissions; patch from Nikolay Edigaryev; ok
+     deraadt
+    
+    Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+
+commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date:   Thu Jul 30 19:23:02 2015 +0000
+
+    upstream commit
+    
+    change default: PermitRootLogin without-password matching
+     install script changes coming as well ok djm markus
+    
+    Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
+
+commit 0c30ba91f87fcda7e975e6ff8a057f624e87ea1c
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jul 30 12:31:39 2015 +1000
+
+    downgrade OOM adjustment logging: verbose -> debug
+
+commit f9eca249d4961f28ae4b09186d7dc91de74b5895
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jul 30 00:01:34 2015 +0000
+
+    upstream commit
+    
+    Allow ssh_config and sshd_config kex parameters options be
+     prefixed by a '+' to indicate that the specified items be appended to the
+     default rather than replacing it.
+    
+    approach suggested by dtucker@, feedback dlg@, ok markus@
+    
+    Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
+
+commit 5cefe769105a2a2e3ca7479d28d9a325d5ef0163
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 29 08:34:54 2015 +0000
+
+    upstream commit
+    
+    fix bug in previous; was printing incorrect string for
+     failed host key algorithms negotiation
+    
+    Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
+
+commit f319912b0d0e1675b8bb051ed8213792c788bcb2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 29 04:43:06 2015 +0000
+
+    upstream commit
+    
+    include the peer's offer when logging a failure to
+     negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
+    
+    Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
+
+commit b6ea0e573042eb85d84defb19227c89eb74cf05a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jul 28 23:20:42 2015 +0000
+
+    upstream commit
+    
+    add Cisco to the list of clients that choke on the
+     hostkeys update extension. Pointed out by Howard Kash
+    
+    Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
+
+commit 3f628c7b537291c1019ce86af90756fb4e66d0fd
+Author: guenther@openbsd.org <guenther@openbsd.org>
+Date:   Mon Jul 27 16:29:23 2015 +0000
+
+    upstream commit
+    
+    Permit kbind(2) use in the sandbox now, to ease testing
+     of ld.so work using it
+    
+    reminded by miod@, ok deraadt@
+    
+    Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
+
+commit ebe27ebe520098bbc0fe58945a87ce8490121edb
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Mon Jul 20 18:44:12 2015 +0000
+
+    upstream commit
+    
+    Move .Pp before .Bl, not after to quiet mandoc -Tlint.
+     Noticed by jmc@
+    
+    Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
+
+commit d5d91d0da819611167782c66ab629159169d94d4
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Mon Jul 20 18:42:35 2015 +0000
+
+    upstream commit
+    
+    Sync usage with SYNOPSIS
+    
+    Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
+
+commit 79ec2142fbc68dd2ed9688608da355fc0b1ed743
+Author: millert@openbsd.org <millert@openbsd.org>
+Date:   Mon Jul 20 15:39:52 2015 +0000
+
+    upstream commit
+    
+    Better desciption of Unix domain socket forwarding.
+     bz#2423; ok jmc@
+    
+    Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
+
+commit d56fd1828074a4031b18b8faa0bf949669eb18a0
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Jul 20 11:19:51 2015 +1000
+
+    make realpath.c compile -Wsign-compare clean
+
+commit c63c9a691dca26bb7648827f5a13668832948929
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jul 20 00:30:01 2015 +0000
+
+    upstream commit
+    
+    mention that the default of UseDNS=no implies that
+     hostnames cannot be used for host matching in sshd_config and
+     authorized_keys; bz#2045, ok dtucker@
+    
+    Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
+
+commit 63ebcd0005e9894fcd6871b7b80aeea1fec0ff76
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jul 18 08:02:17 2015 +0000
+
+    upstream commit
+    
+    don't ignore PKCS#11 hosted keys that return empty
+     CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
+    
+    Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
+
+commit b15fd989c8c62074397160147a8d5bc34b3f3c63
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jul 18 08:00:21 2015 +0000
+
+    upstream commit
+    
+    skip uninitialised PKCS#11 slots; patch from Jakub Jelen
+     in bz#2427 ok markus@
+    
+    Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
+
+commit 5b64f85bb811246c59ebab70aed331f26ba37b18
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Jul 18 07:57:14 2015 +0000
+
+    upstream commit
+    
+    only query each keyboard-interactive device once per
+     authentication request regardless of how many times it is listed; ok markus@
+    
+    Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+
+commit cd7324d0667794eb5c236d8a4e0f236251babc2d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 17 03:34:27 2015 +0000
+
+    upstream commit
+    
+    remove -u flag to diff (only used for error output) to make
+     things easier for -portable
+    
+    Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
+
+commit deb8d99ecba70b67f4af7880b11ca8768df9ec3a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 17 03:09:19 2015 +0000
+
+    upstream commit
+    
+    direct-streamlocal@openssh.com Unix domain foward
+     messages do not contain a "reserved for future use" field and in fact,
+     serverloop.c checks that there isn't one. Remove erroneous mention from
+     PROTOCOL description. bz#2421 from Daniel Black
+    
+    Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
+
+commit 356b61f365405b5257f5b2ab446e5d7bd33a7b52
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 17 03:04:27 2015 +0000
+
+    upstream commit
+    
+    describe magic for setting up Unix domain socket fowards
+     via the mux channel; bz#2422 patch from Daniel Black
+    
+    Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
+
+commit d3e2aee41487d55b8d7d40f538b84ff1db7989bc
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Jul 17 12:52:34 2015 +1000
+
+    Check if realpath works on nonexistent files.
+    
+    On some platforms the native realpath doesn't work with non-existent
+    files (this is actually specified in some versions of POSIX), however
+    the sftp spec says its realpath with "canonicalize any given path name".
+    On those platforms, use realpath from the compat library.
+    
+    In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
+    the realpath symbol to the checked version, so redefine ours to
+    something else so we pick up the compat version we want.
+    
+    bz#2428, ok djm@
+
+commit 25b14610dab655646a109db5ef8cb4c4bf2a48a0
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 17 02:47:45 2015 +0000
+
+    upstream commit
+    
+    fix incorrect test for SSH1 keys when compiled without SSH1
+     support
+    
+    Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
+
+commit df56a8035d429b2184ee94aaa7e580c1ff67f73a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 15 08:00:11 2015 +0000
+
+    upstream commit
+    
+    fix NULL-deref when SSH1 reenabled
+    
+    Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
+
+commit 41e38c4d49dd60908484e6703316651333f16b93
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 15 07:19:50 2015 +0000
+
+    upstream commit
+    
+    regen RSA1 test keys; the last batch was missing their
+     private parts
+    
+    Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
+
+commit 5bf0933184cb622ca3f96d224bf3299fd2285acc
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Jul 10 06:23:25 2015 +0000
+
+    upstream commit
+    
+    Adapt tests, now that DSA if off by default; use
+     PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
+    
+    Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
+
+commit 7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue Jul 7 14:54:16 2015 +0000
+
+    upstream commit
+    
+    regen test data after mktestdata.sh changes
+    
+    Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
+
+commit 7c8c174c69f681d4910fa41c37646763692b28e2
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Tue Jul 7 14:53:30 2015 +0000
+
+    upstream commit
+    
+    adapt tests to new minimum RSA size and default FP format
+    
+    Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
+
+commit 6a977a4b68747ade189e43d302f33403fd4a47ac
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 04:39:23 2015 +0000
+
+    upstream commit
+    
+    legacy v00 certificates are gone; adapt and don't try to
+     test them; "sure" markus@ dtucker@
+    
+    Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
+
+commit 0c4123ad5e93fb90fee9c6635b13a6cdabaac385
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 1 23:11:18 2015 +0000
+
+    upstream commit
+    
+    don't expect SSH v.1 in unittests
+    
+    Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
+
+commit 3c099845798a817cdde513c39074ec2063781f18
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Jun 15 06:38:50 2015 +0000
+
+    upstream commit
+    
+    turn SSH1 back on to match src/usr.bin/ssh being tested
+    
+    Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
+
+commit b1dc2b33689668c75e95f873a42d5aea1f4af1db
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Jul 13 04:57:14 2015 +0000
+
+    upstream commit
+    
+    Add "PuTTY_Local:" to the clients to which we do not
+     offer DH-GEX. This was the string that was used for development versions
+     prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
+     there are some extant products based on those versions.  bx2424 from Jay
+     Rouman, ok markus@ djm@
+    
+    Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
+
+commit 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Jul 10 06:21:53 2015 +0000
+
+    upstream commit
+    
+    Turn off DSA by default; add HostKeyAlgorithms to the
+     server and PubkeyAcceptedKeyTypes to the client side, so it still can be
+     tested or turned back on; feedback and ok djm@
+    
+    Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
+
+commit 16db0a7ee9a87945cc594d13863cfcb86038db59
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Thu Jul 9 09:49:46 2015 +0000
+
+    upstream commit
+    
+    re-enable ed25519-certs if compiled w/o openssl; ok djm
+    
+    Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
+
+commit c355bf306ac33de6545ce9dac22b84a194601e2f
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 8 20:24:02 2015 +0000
+
+    upstream commit
+    
+    no need to include the old buffer/key API
+    
+    Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
+
+commit a3cc48cdf9853f1e832d78cb29bedfab7adce1ee
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 8 19:09:25 2015 +0000
+
+    upstream commit
+    
+    typedefs for Cipher&CipherContext are unused
+    
+    Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
+
+commit a635bd06b5c427a57c3ae760d3a2730bb2c863c0
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 8 19:04:21 2015 +0000
+
+    upstream commit
+    
+    xmalloc.h is unused
+    
+    Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
+
+commit 2521cf0e36c7f3f6b19f206da0af134f535e4a31
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Wed Jul 8 19:01:15 2015 +0000
+
+    upstream commit
+    
+    compress.c is gone
+    
+    Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
+
+commit c65a7aa6c43aa7a308ee1ab8a96f216169ae9615
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 04:05:54 2015 +0000
+
+    upstream commit
+    
+    another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
+     cranking
+    
+    Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
+
+commit b1f383da5cd3cb921fc7776f17a14f44b8a31757
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 03:56:25 2015 +0000
+
+    upstream commit
+    
+    add an XXX reminder for getting correct key paths from
+     sshd_config
+    
+    Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
+
+commit 933935ce8d093996c34d7efa4d59113163080680
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 03:49:45 2015 +0000
+
+    upstream commit
+    
+    refuse to generate or accept RSA keys smaller than 1024
+     bits; feedback and ok dtucker@
+    
+    Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
+
+commit bdfd29f60b74f3e678297269dc6247a5699583c1
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 03:47:00 2015 +0000
+
+    upstream commit
+    
+    turn off 1024 bit diffie-hellman-group1-sha1 key
+     exchange method (already off in server, this turns it off in the client by
+     default too) ok dtucker@
+    
+    Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
+
+commit c28fc62d789d860c75e23a9fa9fb250eb2beca57
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Jul 3 03:43:18 2015 +0000
+
+    upstream commit
+    
+    delete support for legacy v00 certificates; "sure"
+     markus@ dtucker@
+    
+    Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
+
+commit 564d63e1b4a9637a209d42a9d49646781fc9caef
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 1 23:10:47 2015 +0000
+
+    upstream commit
+    
+    Compile-time disable SSH v.1 again
+    
+    Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
+
+commit 868109b650504dd9bcccdb1f51d0906f967c20ff
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Jul 1 02:39:06 2015 +0000
+
+    upstream commit
+    
+    twiddle PermitRootLogin back
+    
+    Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
+
 commit 7de4b03a6e4071d454b72927ffaf52949fa34545
 Author: djm@openbsd.org <djm@openbsd.org>
 Date:   Wed Jul 1 02:32:17 2015 +0000
@@ -8572,364 +9144,3 @@ Date:   Wed Aug 21 02:38:51 2013 +1000
          fix some whitespace at EOL
          make list of commands an enum rather than a long list of defines
          add -a to usage()
-
-commit acd2060f750c16d48b87b92a10b5a833227baf9d
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Aug 8 17:02:12 2013 +1000
-
-     - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
-       removal.  The "make clean" removes modpipe which is built by the top-level
-       directory before running the tests.  Spotted by tim@
-
-commit 9542de4547beebf707f3640082d471f1a85534c9
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Aug 8 12:50:06 2013 +1000
-
-     - (dtucker) [misc.c] Remove define added for fallback testing that was
-       mistakenly included in the previous commit.
-
-commit 94396b7f06f512a0acb230640d7f703fb802a9ee
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Aug 8 11:52:37 2013 +1000
-
-     - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
-       CLOCK_MONOTONIC...) fails.  Some older versions of RHEL have the
-       CLOCK_MONOTONIC define but don't actually support it.  Found and tested
-       by Kevin Brott, ok djm.
-
-commit a5a3cbfa0fb8ef011d3e7b38910a13f6ebbb8818
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Thu Aug 8 10:58:49 2013 +1000
-
-     - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
-       since some platforms (eg really old FreeBSD) don't have it.  Instead,
-       run "make clean" before a complete regress run.  ok djm.
-
-commit f3ab2c5f9cf4aed44971eded3ac9eeb1344b2be5
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Sun Aug 4 21:48:41 2013 +1000
-
-     - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
-       for building with older Heimdal versions.  ok djm.
-
-commit ab3575c055adfbce70fa7405345cf0f80b07c827
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 1 14:34:16 2013 +1000
-
-     - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
-
-commit c192a4c4f6da907dc0e67a3ca61d806f9a92c931
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Aug 1 14:29:20 2013 +1000
-
-     - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
-       blocking connecting socket will clear any stored errno that might
-       otherwise have been retrievable via getsockopt(). A hack to limit writes
-       to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
-       it in an #ifdef. Diagnosis and patch from Ivo Raisr.
-
-commit 81f7cf1ec5bc2fd202eda05abc2e5361c54633c5
-Author: Tim Rice <tim@multitalents.net>
-Date:   Thu Jul 25 18:41:40 2013 -0700
-
-    more correct comment for last commit
-
-commit 0553ad76ffdff35fb31b9e6df935a71a1cc6daa2
-Author: Tim Rice <tim@multitalents.net>
-Date:   Thu Jul 25 16:03:16 2013 -0700
-
-     - (tim) [regress/forwarding.sh] Fix for building outside read only source tree.
-
-commit ed899eb597a8901ff7322cba809660515ec0d601
-Author: Tim Rice <tim@multitalents.net>
-Date:   Thu Jul 25 15:40:00 2013 -0700
-
-     - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
-       Solaris and UnixWare. Feedback and OK djm@
-
-commit e9e936d33b4b1d77ffbaace9438cb2f1469c1dc7
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 12:34:00 2013 +1000
-
-     - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-        [contrib/suse/openssh.spec] Update version numbers
-
-commit d1e26cf391de31128b4edde118bff5fed98a90ea
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 12:11:18 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/21 02:26:26
-         [regress/sftp-cmds.sh regress/test-exec.sh]
-         unbreak sftp-cmds for renamed test data (s/ls/data/)
-
-commit 78d47b7c5b182e44552913de2b4b7e0363c8e3cc
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 12:08:46 2013 +1000
-
-       - dtucker@cvs.openbsd.org 2013/06/10 21:56:43
-         [regress/forwarding.sh]
-         Add test for forward config parsing
-
-commit fea440639e04cea9f2605375a41d654390369402
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 12:08:07 2013 +1000
-
-       - dtucker@cvs.openbsd.org 2013/05/30 20:12:32
-         [regress/test-exec.sh]
-         use ssh and sshd as testdata since it needs to be >256k for the rekey test
-
-commit 53435b2d8773a5d7c78359e9f7bf9df2d93b9ef5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:57:15 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/25 00:57:37
-         [version.h]
-         openssh-6.3 for release
-
-commit 0d032419ee6e1968fc1cb187af63bf3b77b506ea
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:56:52 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/25 00:56:52
-         [sftp-client.c sftp-client.h sftp.1 sftp.c]
-         sftp support for resuming partial downloads; patch mostly by Loganaden
-         Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
-
-commit 98e27dcf581647b5bbe9780e8f59685d942d8ea3
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:55:52 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/25 00:29:10
-         [ssh.c]
-         daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
-         it is fully detached from its controlling terminal. based on debugging
-
-commit 94c9cd34d1590ea1d4bf76919a15b5688fa90ed1
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:55:39 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/22 12:20:02
-         [umac.h]
-         oops, forgot to commit corresponding header change;
-         spotted by jsg and jasper
-
-commit c331dbd22297ab9bf351abee659893d139c9f28a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:55:20 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/22 05:00:17
-         [umac.c]
-         make MAC key, data to be hashed and nonce for final hash const;
-         checked with -Wcast-qual
-
-commit c8669a8cd24952b3f16a44eac63d2b6ce8a6343a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 25 11:52:48 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/20 22:20:42
-         [krl.c]
-         fix verification error in (as-yet usused) KRL signature checking path
-
-commit 63ddc899d28cf60045b560891894b9fbf6f822e9
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Jul 20 13:35:45 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/20 01:55:13
-         [auth-krb5.c gss-serv-krb5.c gss-serv.c]
-         fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
-
-commit 1f0e86f23fcebb026371c0888402a981df2a61c4
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Jul 20 13:22:49 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/20 01:50:20
-         [ssh-agent.c]
-         call cleanup_handler on SIGINT when in debug mode to ensure sockets
-         are cleaned up on manual exit; bz#2120
-
-commit 3009d3cbb89316b1294fb5cedb54770b5d114d04
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Jul 20 13:22:31 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/20 01:44:37
-         [ssh-keygen.c ssh.c]
-         More useful error message on missing current user in /etc/passwd
-
-commit 32ecfa0f7920db31471ca8c1f4adc20ae38ed9d6
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Jul 20 13:22:13 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/20 01:43:46
-         [umac.c]
-         use a union to ensure correct alignment; ok deraadt
-
-commit 85b45e09188e7a7fc8f0a900a4c6a0f04a5720a7
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Jul 20 13:21:52 2013 +1000
-
-       - markus@cvs.openbsd.org 2013/07/19 07:37:48
-         [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
-         [servconf.h session.c sshd.c sshd_config.5]
-         add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
-         or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
-         ok djm@
-
-commit d93340cbb6bc0fc0dbd4427e0cec6d994a494dd9
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:14:34 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/18 01:12:26
-         [ssh.1]
-         be more exact wrt perms for ~/.ssh/config; bz#2078
-
-commit bf836e535dc3a8050c1756423539bac127ee5098
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:14:13 2013 +1000
-
-       - schwarze@cvs.openbsd.org 2013/07/16 00:07:52
-         [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
-         use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
-
-commit 649fe025a409d0ce88c60a068f3f211193c35873
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:13:55 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/12 05:48:55
-         [ssh.c]
-         set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
-
-commit 5bb8833e809d827496dffca0dc2c223052c93931
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:13:37 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/12 05:42:03
-         [ssh-keygen.c]
-         do_print_resource_record() can never be called with a NULL filename, so
-         don't attempt (and bungle) asking for one if it has not been specified
-         bz#2127 ok dtucker@
-
-commit 7313fc9222785d0c54a7ffcaf2067f4db02c8d72
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:13:19 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/12 00:43:50
-         [misc.c]
-         in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
-         errno == 0. Avoids confusing error message in some broken resolver
-         cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
-
-commit 746d1a6c524d2e90ebe98cc29e42573a3e1c3c1b
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:13:02 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/12 00:20:00
-         [sftp.c ssh-keygen.c ssh-pkcs11.c]
-         fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
-
-commit ce98654674648fb7d58f73edf6aa398656a2dba4
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:12:44 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/07/12 00:19:59
-         [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
-         [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
-         fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
-
-commit 0d02c3e10e1ed16d6396748375a133d348127a2a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:12:06 2013 +1000
-
-       - markus@cvs.openbsd.org 2013/07/02 12:31:43
-         [dh.c]
-         remove extra whitespace
-
-commit fecfd118d6c90df4fcd3cec7b14e4d3ce69a41d5
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:11:50 2013 +1000
-
-       - jmc@cvs.openbsd.org 2013/06/27 14:05:37
-         [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
-         do not use Sx for sections outwith the man page - ingo informs me that
-         stuff like html will render with broken links;
-    
-         issue reported by Eric S. Raymond, via djm
-
-commit bc35d92e78fd53c3f32cbdbdf89d8b1919788c50
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:11:25 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/22 06:31:57
-         [scp.c]
-         improved time_t overflow check suggested by guenther@
-
-commit 8158441d01ab84f33a7e70e27f87c02cbf67e709
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:11:07 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/21 05:43:10
-         [scp.c]
-         make this -Wsign-compare clean after time_t conversion
-
-commit bbeb1dac550bad8e6aff9bd27113c6bd5ebb7413
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:10:49 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/21 05:42:32
-         [dh.c]
-         sprinkle in some error() to explain moduli(5) parse failures
-
-commit 7f2b438ca0b7c3b9684a03d7bf3eaf379da16de9
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:10:29 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/21 00:37:49
-         [ssh_config.5]
-         explicitly mention that IdentitiesOnly can be used with IdentityFile
-         to control which keys are offered from an agent.
-
-commit 20bdcd72365e8b3d51261993928cc47c5f0d7c8a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:10:09 2013 +1000
-
-       - djm@cvs.openbsd.org 2013/06/21 00:34:49
-         [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
-         for hostbased authentication, print the client host and user on
-         the auth success/failure line; bz#2064, ok dtucker@
-
-commit 3071070b39e6d1722151c754cdc2b26640eaf45e
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:09:44 2013 +1000
-
-       - markus@cvs.openbsd.org 2013/06/20 19:15:06
-         [krl.c]
-         don't leak the rdata blob on errors; ok djm@
-
-commit 044bd2a7ddb0b6f6b716c87e57261572e2b89028
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:09:25 2013 +1000
-
-       - guenther@cvs.openbsd.org 2013/06/17 04:48:42
-         [scp.c]
-         Handle time_t values as long long's when formatting them and when
-         parsing them from remote servers.
-         Improve error checking in parsing of 'T' lines.
-    
-         ok dtucker@ deraadt@
-
-commit 9a6615542108118582f64b7161ca0e12176e3712
-Author: Damien Miller <djm@mindrot.org>
-Date:   Thu Jul 18 16:09:04 2013 +1000
-
-       - dtucker@cvs.openbsd.org 2013/06/10 19:19:44
-         [readconf.c]
-         revert 1.203 while we investigate crashes reported by okan@
-
-commit b7482cff46e7e76bfb3cda86c365a08f58d4fca0
-Author: Darren Tucker <dtucker@zip.com.au>
-Date:   Tue Jul 2 20:06:46 2013 +1000
-
-     - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
-       contrib/cygwin/ssh-user-config] Modernizes and improve readability of
-       the Cygwin README file (which hasn't been updated for ages), drop
-       unsupported OSes from the ssh-host-config help text, and drop an
-       unneeded option from ssh-user-config.  Patch from vinschen at redhat com.

Modified: vendor-crypto/openssh/dist/OVERVIEW
==============================================================================
--- vendor-crypto/openssh/dist/OVERVIEW	Wed Aug 26 03:44:48 2015	(r287155)
+++ vendor-crypto/openssh/dist/OVERVIEW	Wed Aug 26 09:25:17 2015	(r287156)
@@ -65,8 +65,8 @@ these programs.
       packets.  CRC code comes from crc32.c.
 
     - The code in packet.c calls the buffer manipulation routines
-      (buffer.c, bufaux.c), compression routines (compress.c, zlib),
-      and the encryption routines.
+      (buffer.c, bufaux.c), compression routines (zlib), and the
+      encryption routines.
 
   X11, TCP/IP, and Agent forwarding
 
@@ -165,4 +165,4 @@ these programs.
 	uidswap.c    uid-swapping
 	xmalloc.c    "safe" malloc routines
 
-$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $
+$OpenBSD: OVERVIEW,v 1.12 2015/07/08 19:01:15 markus Exp $

Modified: vendor-crypto/openssh/dist/PROTOCOL
==============================================================================
--- vendor-crypto/openssh/dist/PROTOCOL	Wed Aug 26 03:44:48 2015	(r287155)
+++ vendor-crypto/openssh/dist/PROTOCOL	Wed Aug 26 09:25:17 2015	(r287156)
@@ -247,7 +247,6 @@ to request that the server make a connec
 	uint32		initial window size
 	uint32		maximum packet size
 	string		socket path
-	string		reserved for future use
 
 Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
 server when the client has previously send the server a streamlocal-forward
@@ -453,4 +452,4 @@ respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
-$OpenBSD: PROTOCOL,v 1.28 2015/05/08 03:56:51 djm Exp $
+$OpenBSD: PROTOCOL,v 1.29 2015/07/17 03:09:19 djm Exp $

Modified: vendor-crypto/openssh/dist/PROTOCOL.mux
==============================================================================
--- vendor-crypto/openssh/dist/PROTOCOL.mux	Wed Aug 26 03:44:48 2015	(r287155)
+++ vendor-crypto/openssh/dist/PROTOCOL.mux	Wed Aug 26 09:25:17 2015	(r287156)
@@ -116,6 +116,12 @@ A client may request the master to estab
 
 forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC.
 
+If listen port is (unsigned int) -2, then the listen host is treated as
+a unix socket path name.
+
+If connect port is (unsigned int) -2, then the connect host is treated
+as a unix socket path name.
+
 A server may reply with a MUX_S_OK, a MUX_S_REMOTE_PORT, a
 MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE.
 
@@ -219,4 +225,4 @@ XXX inject packet (what about replies)
 XXX server->client error/warning notifications
 XXX send signals via mux
 
-$OpenBSD: PROTOCOL.mux,v 1.9 2012/06/01 00:49:35 djm Exp $
+$OpenBSD: PROTOCOL.mux,v 1.10 2015/07/17 03:04:27 djm Exp $

Modified: vendor-crypto/openssh/dist/README
==============================================================================
--- vendor-crypto/openssh/dist/README	Wed Aug 26 03:44:48 2015	(r287155)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***