path: root/crypto/openssh/ssh_config.5
author: des <des@FreeBSD.org> 2016-01-19 16:18:26 +0000
committer: des <des@FreeBSD.org> 2016-01-19 16:18:26 +0000
commit: 14172c52f89fa504003826ed2e4e2c0ac246505d (patch)
tree: bc48bd740145eea64393ed391fc1d972c83f991c /crypto/openssh/ssh_config.5
parent: 456370e53073cd38d0ddc4001283f1c131d1428e (diff)
parent: 64c731d52472fb486558425128009691392e0bef (diff)
download: FreeBSD-src-14172c52f89fa504003826ed2e4e2c0ac246505d.zip
download: FreeBSD-src-14172c52f89fa504003826ed2e4e2c0ac246505d.tar.gz
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after: 1 week
Diffstat (limited to 'crypto/openssh/ssh_config.5')
-rw-r--r-- crypto/openssh/ssh_config.5 | 126
1 files changed, 92 insertions, 34 deletions
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index bef14fa..6049e4a 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -33,9 +33,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $
.\" $FreeBSD$
-.Dd $Mdocdate: February 23 2014 $
+.Dd $Mdocdate: July 15 2014 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -343,30 +343,47 @@ in order of preference.
Multiple ciphers must be comma-separated.
The supported ciphers are:
.Pp
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq aes128-gcm@openssh.com ,
-.Dq aes256-gcm@openssh.com ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-.Dq cast128-cbc ,
-and
-.Dq chacha20-poly1305@openssh.com .
+.Bl -item -compact -offset indent
+.It
+3des-cbc
+.It
+aes128-cbc
+.It
+aes192-cbc
+.It
+aes256-cbc
+.It
+aes128-ctr
+.It
+aes192-ctr
+.It
+aes256-ctr
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
.Pp
The default is:
-.Bd -literal -offset 3n
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
+arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
+aes192-cbc,aes256-cbc,arcfour
.Ed
.Pp
The list of available ciphers may also be obtained using the
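Review bot: the change to the default block (`arcfour256,arcfour128` moved below `chacha20-poly1305@openssh.com`) alters the documented preference order introduced by "in order of preference" in this hunk's context, so it should be checked against the 6.7p1 client default in the OpenSSH source (myproposal.h) rather than edited by hand. The `.Bl -item` rewrite of the supported-cipher list is only alphabetical (`arcfour` now precedes `arcfour128`/`arcfour256`) and is harmless since that list is not a preference order, but a sentence noting that the AEAD ciphers (`aes128-gcm@openssh.com`, `aes256-gcm@openssh.com`, `chacha20-poly1305@openssh.com`) now outrank the RC4 (`arcfour*`) and CBC ciphers in the default would make the reordering visibly intentional to readers comparing against the previous page.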
@@ -483,14 +500,16 @@ specified on the command line,
.Ql %p
the destination port,
.Ql %r
-by the remote login username, and
+by the remote login username,
.Ql %u
by the username of the user running
-.Xr ssh 1 .
+.Xr ssh 1 , and
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
It is recommended that any
.Cm ControlPath
used for opportunistic connection sharing include
-at least %h, %p, and %r.
+at least %h, %p, and %r (or alternatively %C).
This ensures that shared connections are uniquely identified.
.It Cm ControlPersist
When used in conjunction with
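Review bot: the new `%C` description (`by a hash of the concatenation: %l%h%p%r.`) names neither the digest nor the output encoding, yet the following sentence recommends `%C` as an alternative to `%h`, `%p` and `%r` in ControlPath. Readers pick `%C` precisely because the control socket path is length-limited on most platforms and a fixed-width token sidesteps that, so the algorithm and the resulting length should be stated; it is also worth saying that `%C` covers the local host name `%l`, which the `%h`, `%p`, `%r` recommendation does not.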
@@ -747,6 +766,12 @@ If the hostname contains the character sequence
.Ql %h ,
then this will be replaced with the host name specified on the command line
(this is useful for manipulating unqualified names).
+The character sequence
+.Ql %%
+will be replaced by a single
+.Ql %
+character, which may be used when specifying IPv6 link-local addresses.
+.Pp
The default is the name given on the command line.
Numeric IP addresses are also permitted (both on the command line and in
.Cm HostName
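Review bot: the new `%%` paragraph gives "IPv6 link-local addresses" as the motivation without showing why a literal `%` is needed there; readers unfamiliar with scope identifiers will not connect the two. One example line, e.g. `HostName fe80::1%%em0` (interface name illustrative), would make the escaping rule and its purpose obvious.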
@@ -894,8 +919,8 @@ The default is:
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
+diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1
.Ed
.It Cm LocalCommand
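Review bot: this hunk changes the documented KexAlgorithms preference by moving `diffie-hellman-group-exchange-sha1` below `diffie-hellman-group14-sha1`; confirm it mirrors the 6.7p1 default rather than a manual reorder. Since the list still ends with `diffie-hellman-group1-sha1` (a 1024-bit group), the surrounding text could point administrators who want to drop the SHA-1 and group1 fallbacks to set `KexAlgorithms` explicitly.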
@@ -917,7 +942,9 @@ The following escape character substitutions will be performed:
.Ql %r
(remote user name) or
.Ql %u
-(local user name).
+(local user name) or
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
.Pp
The command is run synchronously and does not have access to the
session of the
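Review bot: the added `%C` entry breaks the parallel structure of this list: the preceding escapes are documented as `(remote user name)` and `(local user name)`, whereas the new line reads `by a hash of the concatenation: %l%h%p%r.`, copied from the ControlPath paragraph. Suggest `(hash of %l%h%p%r)` so the sentence still reads "... or %u (local user name) or %C (hash of %l%h%p%r)".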
@@ -975,13 +1002,14 @@ calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
The default is:
.Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
+umac-64@openssh.com,umac-128@openssh.com,
+hmac-sha2-256,hmac-sha2-512,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,
+hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96
.Ed
.It Cm NoHostAuthenticationForLocalhost
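Review bot: the new default order no longer matches the prose immediately above the hunk, which says the `-etm` variants "are considered safer and their use recommended". The reordered list ranks plain `umac-64@openssh.com`, `umac-128@openssh.com`, `hmac-sha2-256` and `hmac-sha2-512` ahead of `hmac-md5-etm@openssh.com` and `hmac-sha1-etm@openssh.com`, i.e. the underlying hash now outweighs encrypt-then-MAC. A sentence stating that the default prefers UMAC and SHA-2 first, and etm over plain only within the same algorithm family, would keep text and list consistent.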
@@ -1059,8 +1087,11 @@ The default is
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
-string extends to the end of the line, and is executed with
-the user's shell.
+string extends to the end of the line, and is executed
+using the user's shell
+.Ql exec
+directive to avoid a lingering shell process.
+.Pp
In the command string, any occurrence of
.Ql %h
will be substituted by the host name to
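Review bot: `executed using the user's shell .Ql exec directive` renders as "executed using the user's shell exec directive", which is hard to parse; suggest "executed with the user's shell, using its exec builtin so that the proxy command replaces the shell process instead of leaving it lingering". It would also help to say whether compound command strings (pipelines, `&&` chains) are still supported under this mode, since a reader who relies on them will otherwise only find out when the connection fails.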
@@ -1273,6 +1304,33 @@ channel to request a response from the server.
The default
is 0, indicating that these messages will not be sent to the server.
This option applies to protocol version 2 only.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm ssh
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
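Review bot: the StreamLocalBindMask text warns that "not all operating systems honor the file mode on Unix-domain socket files" but offers no fallback, even though the 0177 default is the only access control described for the forwarded socket; suggest adding that on such systems the socket should be placed in a directory whose mode restricts access, since directory permissions are honored everywhere. For StreamLocalBindUnlink, the paragraph should state whether the existing path is removed unconditionally or only when it is a socket, so that enabling the option does not silently clobber a socket belonging to another service, and `will be unable to forward the port` could name the concrete outcome (the bind fails and that forwarding is refused while the session proceeds).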