From c469356292b2a069c62565f1a156a4f67be27b04 Mon Sep 17 00:00:00 2001
From: Xavier Beaudouin
Date: Mon, 7 Oct 2024 16:19:51 +0200
Subject: [PATCH] 9.6
---
security/openssh-portable/Makefile | 17 ++--
security/openssh-portable/distinfo | 10 +--
.../files/extra-patch-blacklistd | 16 ++--
.../openssh-portable/files/extra-patch-hpn | 83 ++++++++-----------
.../files/extra-patch-hpn-compat | 16 ++--
.../openssh-portable/files/patch-ssh-agent.c | 24 +++---
.../openssh-portable/files/patch-ssh_config | 17 ----
7 files changed, 74 insertions(+), 109 deletions(-)
delete mode 100644 security/openssh-portable/files/patch-ssh_config
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 4c0c4a9..f81f604 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openssh
-DISTVERSION= 9.2p1
-PORTREVISION= 0
+DISTVERSION= 9.6p1
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -21,9 +21,9 @@ USES= alias autoreconf compiler:c11 cpe localbase ncurses \
pkgconfig ssl
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --prefix=${PREFIX} \
+ --without-zlib-version-check \
--with-ssl-engine \
- --with-mantype=man \
- --with-Werror
+ --with-mantype=man
ETCOLD= ${PREFIX}/etc
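Review bot: `--without-zlib-version-check` switches off the configure-time test that refuses to build against zlib releases the OpenSSH configure script knows to be defective, and neither the hunk nor the commit message says which zlib made that necessary, so it reads as an unexplained weakening rather than a deliberate choice. If the check merely misreads the base-system zlib's version string, keep the flag but record the reason above it, e.g. `# zlib version check misreads the base-system zlib; confirm the linked library is newer than the rejected releases` (wording to be adjusted to the actual configure failure). Dropping `--with-Werror` in the same hunk also means new-toolchain warnings in a network-facing daemon now pass the build unnoticed; if 9.6p1 does not compile warning-free here, a comment naming the offending warning makes it possible to restore the flag once it is fixed upstream.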
@@ -108,15 +108,14 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
-GSSAPI_DEBIAN_VERSION= 9.2p1
-GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-2
+GSSAPI_DEBIAN_VERSION= 9.6p1
+GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-3
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location
-GSSAPI_UPDATE_DATE= 20220203
-#GSSAPI_DISTVERSION= 9.0p1
-PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
+GSSAPI_DISTVERSION= 9.4p1
+PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index fbd9733..72841b2 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
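Review bot: The comment `# Bump this when updating the patch location` now sits directly above `GSSAPI_DISTVERSION= 9.4p1`, but it was written for the removed `GSSAPI_UPDATE_DATE`, and `GSSAPI_DISTVERSION` only feeds the local file name in `PATCHFILES` while the fetch URL goes to the `9.6p1-3` Debian subdir; a reader cannot tell whether `9.4p1` is a naming choice or the version the Debian gsskex patch was generated against. Suggest replacing the comment with `# Version string embedded in the local file name of the Debian gsskex patch; change it (and regenerate distinfo) whenever the fetched patch content changes, since the Debian URL itself is unversioned`. Because `PATCH_SITES` relies on the unversioned gssapi.patch URL and the `?dummy=/` trick, the distinfo SHA256 is the only thing pinning which key-exchange patch is applied, so that file has to be regenerated together with any change to this block.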
@@ -1,5 +1,5 @@
-TIMESTAMP = 1676575062
-SHA256 (openssh-9.2p1.tar.gz) = 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
-SIZE (openssh-9.2p1.tar.gz) = 1852380
-SHA256 (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = acf9b12d68eeeae047d1042954473f859c10a7c2a4b5d9dc54fcbbd5e30a3a58
-SIZE (openssh-9.2p1-gsskex-all-20141021-debian-rh-20220203.patch) = 131618
+TIMESTAMP = 1706059638
+SHA256 (openssh-9.6p1.tar.gz) = 910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c
+SIZE (openssh-9.6p1.tar.gz) = 1857862
+SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 03a32678a96cfd274482378d0d2889709018c403e40207b8d5dca41b7e9941bd
+SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131920
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index 7bb88b2..5d23bf8 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -277,9 +277,9 @@
--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800
+++ auth2.c 2020-11-16 17:12:04.852943000 -0800
@@ -58,6 +58,7 @@
- #endif
#include "monitor_wrap.h"
#include "digest.h"
+ #include "kex.h"
+#include "blacklist_client.h"
/* import */
@@ -317,7 +317,7 @@
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
- if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ if (ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
@@ -372,12 +372,12 @@
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
---- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800
-+++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800
-@@ -1703,6 +1703,20 @@ for authentication using
- .Cm TrustedUserCAKeys .
- For more details on certificates, see the CERTIFICATES section in
- .Xr ssh-keygen 1 .
+--- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100
++++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100
+@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
+ is to never expire connections for having no open channels.
+ This option may be useful in conjunction with
+ .Cm ChannelTimeout .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 1f25a20..56202ba 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -309,50 +309,50 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
free(cipher_list);
return 0;
}
---- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800
-+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800
-@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh/clientloop.c.orig 2023-12-18 06:59:50.000000000 -0800
++++ work/openssh/clientloop.c 2024-01-08 16:27:47.806586000 -0800
+@@ -1813,6 +1813,15 @@ client_request_x11(struct ssh *ssh, const char *reques
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
+#ifdef HPN_ENABLED
+ /* again is this really necessary for X11? */
+ if (!options.hpn_disabled)
-+ c = channel_new(ssh, "x11",
++ c = channel_new(ssh, "x11-connection",
+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+ options.hpn_buffer_size,
+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+ else
+#endif
- c = channel_new(ssh, "x11",
+ c = channel_new(ssh, "x11-connection",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+@@ -1848,6 +1857,14 @@ client_request_agent(struct ssh *ssh, const char *requ
else
debug2_fr(r, "ssh_agent_bind_hostkey");
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
-+ c = channel_new(ssh, "authentication agent connection",
++ c = channel_new(ssh, "agent-connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
+ else
+#endif
- c = channel_new(ssh, "authentication agent connection",
+ c = channel_new(ssh, "agent-connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1876,6 +1893,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
+#ifdef HPN_ENABLED
+ if (!options.hpn_disabled)
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++ c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ else
+#endif
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700
@@ -421,9 +421,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
echo ""
---- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700
-@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh)
+--- work/openssh/kex.c.orig 2023-12-18 06:59:50.000000000 -0800
++++ work/openssh/kex.c 2024-01-08 16:24:07.547292000 -0800
+@@ -1252,6 +1252,20 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
peer[ncomp] = NULL;
goto out;
}
@@ -444,7 +444,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
-@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1462,7 +1476,7 @@ kex_exchange_identification(struct ssh *ssh, int timeo
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
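Review bot: Each of the three `channel_new()` sites in the clientloop.c hunk (x11, agent and tun) is written twice, once under `#ifdef HPN_ENABLED` with `options.hpn_buffer_size` and once with the upstream window constant, which is why this rebase had to touch six calls to carry upstream's `"x11-connection"`, `"agent-connection"` and `"tun-connection"` renames and why the two copies at each site can drift apart unnoticed. Hoisting the only argument that differs, the window size, into a local (declared with the function's other locals, in OpenSSH's style) leaves one call per site, so the next upstream edit to the call applies once. The sketch below is for the x11 site; the agent and tun sites take the same shape. The enclosing client_request_* functions begin and end outside the hunk.
```c
	u_int window = CHAN_TCP_WINDOW_DEFAULT;	/* declared with the other locals */
#ifdef HPN_ENABLED
	/* again is this really necessary for X11? */
	if (!options.hpn_disabled)
		window = options.hpn_buffer_size;
#endif
	c = channel_new(ssh, "x11-connection",
	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
	    window, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
	/* … unchanged: rest of client_request_x11 … */
```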
@@ -452,13 +452,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ const char *version_addendum, int hpn_disabled)
{
int remote_major, remote_minor, mismatch, oerrno = 0;
- size_t len, i, n;
-@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
+ size_t len, n;
+@@ -1479,8 +1493,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
sshbuf_reset(our_version);
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
-- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
+- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
++ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ hpn_disabled ? "" : SSH_HPN,
@@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
---- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700
-+++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700
-@@ -84,7 +84,13 @@
+--- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700
++++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700
+@@ -83,7 +83,13 @@ extern Options options;
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
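Review bot: The patched `kex_exchange_identification()` gains an `hpn_disabled` parameter and a fourth `%s` in the banner format for `SSH_HPN`, but the comment block that closes with the `*/` just above `int kex_exchange_identification(` is left untouched, so nothing says what the parameter does or that the identification string now advertises the HPN build to the peer before any authentication takes place. Suggest adding to that comment: `hpn_disabled suppresses the SSH_HPN suffix in our identification string; the suffix goes out pre-authentication, so any peer or scanner can see it`. Upstream's new context line shows the `%.100s` bound on `SSH_VERSION` is now a plain `%s`, so `SSH_VERSION`, `SSH_HPN` and `version_addendum` are concatenated unbounded here; a one-line note that the total must stay within the 255-byte limit the protocol puts on the identification string would help whoever next edits `SSH_HPN`. The function body continues outside the hunk.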
@@ -1135,29 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* SSH2 key exchange
*/
-@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
- return ret;
- }
-
-+static char *myproposal[PROPOSAL_MAX];
-+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
- void
- ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
- const struct ssh_conn_info *cinfo)
- {
-- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
- char *s, *all_key;
- int r, use_known_hosts_order = 0;
-
-@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
- fatal_fr(r, "kex_assemble_namelist");
- free(all_key);
-
-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
- fatal_f("kex_names_cat");
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
-@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
@@ -1169,11 +1147,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ * tty allocated.
+ */
+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
++ char *myproposal[PROPOSAL_MAX];
++ char *s = NULL;
++ const char *none_cipher = "none";
++
+ if (!tty_flag) { /* no null on tty sessions */
+ debug("Requesting none rekeying...");
-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
++ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
++ options.macs,
++ compression_alg_list(options.compression),
++ options.hostkeyalgorithms);
+ kex_prop2buf(ssh->kex->my, myproposal);
+ packet_request_rekeying();
+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
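Review bot: In the none-cipher rekey block, `char *s = NULL;` is what gets passed as the kex-algorithm list to `kex_proposal_populate_entries()`, so unless that helper treats NULL as "keep the current proposal" (its name and the explicit NULL initialisation suggest it substitutes its built-in default instead), the rekey offers a different `KexAlgorithms` set from the one the user configured and the initial exchange honoured; pass `options.kex_algorithms` in place of `s` and delete the `s` declaration. The removed `memcpy` version filled `myproposal` with string constants, whereas the helper builds its entries per call (its counterpart `kex_proposal_free_entries()` exists for that reason), and nothing here releases them once `kex_prop2buf(ssh->kex->my, myproposal);` has copied them into the buffer, so add `kex_proposal_free_entries(myproposal);` immediately after that line. Both are one-line changes to the hunk; ssh_userauth2 begins and ends outside it.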
@@ -1286,8 +1269,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
---- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
+--- work/openssh/version.h.orig 2023-12-18 06:59:50.000000000 -0800
++++ work/openssh/version.h 2024-01-08 16:22:25.632475000 -0800
@@ -4,3 +4,4 @@
#define SSH_PORTABLE "p1"
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index 6f6a0e1..b3a5e09 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
---- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800
-+++ readconf.c 2023-02-03 11:30:14.894959000 -0800
-@@ -323,6 +323,12 @@ static struct {
- { "knownhostscommand", oKnownHostsCommand },
- { "requiredrsasize", oRequiredRSASize },
+--- readconf.c.orig 2023-12-19 17:09:41.366788000 -0800
++++ readconf.c 2023-12-19 17:10:24.155247000 -0800
+@@ -329,6 +329,12 @@
{ "enableescapecommandline", oEnableEscapeCommandline },
+ { "obscurekeystroketiming", oObscureKeystrokeTiming },
+ { "channeltimeout", oChannelTimeout },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
@@ -31,9 +31,9 @@ r294563 was incomplete; re-add the client-side options as well.
{ NULL, oBadOption }
};
---- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800
-+++ servconf.c 2023-02-03 11:31:00.387624000 -0800
-@@ -695,6 +695,10 @@ static struct {
+--- servconf.c.orig 2023-12-19 17:11:52.320491000 -0800
++++ servconf.c 2023-12-19 17:12:43.950318000 -0800
+@@ -693,6 +693,10 @@
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 9fc1abc..cd85012 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800
-+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800
-@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
+--- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800
++++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800
+@@ -196,11 +196,28 @@
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
@@ -39,7 +39,7 @@ disconnected.
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
-@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
+@@ -213,6 +230,8 @@
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
@@ -48,7 +48,7 @@ disconnected.
}
static void
-@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
+@@ -1893,6 +1912,10 @@
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@@ -59,7 +59,7 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
-@@ -1990,7 +2013,7 @@
+@@ -2184,7 +2207,7 @@
usage(void)
{
fprintf(stderr,
@@ -68,15 +68,15 @@ disconnected.
" [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
-@@ -2024,6 +2047,7 @@ main(int ac, char **av)
+@@ -2218,6 +2241,7 @@
/* drop */
- setegid(getgid());
- setgid(getgid());
-+ setuid(geteuid());
+ (void)setegid(getgid());
+ (void)setgid(getgid());
++ (void)setuid(geteuid());
platform_disable_tracing(0); /* strict=no */
-@@ -2035,7 +2059,7 @@ main(int ac, char **av)
+@@ -2229,7 +2253,7 @@
__progname = ssh_get_progname(av[0]);
seed_rng();
@@ -85,7 +85,7 @@ disconnected.
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2084,6 +2108,9 @@ main(int ac, char **av)
+@@ -2280,6 +2304,9 @@
fprintf(stderr, "Invalid lifetime\n");
usage();
}
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
deleted file mode 100644
index efad15f..0000000
--- a/security/openssh-portable/files/patch-ssh_config
+++ /dev/null
@@ -1,17 +0,0 @@
---- UTC
-r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
-
-Document the FreeBSD default for CheckHostIP, which was changed in
-rev 1.2 of readconf.c.
-
---- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700
-+++ ssh_config 2010-09-14 16:14:13.000000000 -0600
-@@ -27,7 +27,7 @@
- # GSSAPIAuthentication no
- # GSSAPIDelegateCredentials no
- # BatchMode no
--# CheckHostIP yes
-+# CheckHostIP no
- # AddressFamily any
- # ConnectTimeout 0
- # StrictHostKeyChecking ask
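Review bot: `(void)setuid(geteuid());` discards the result of the one privilege transition this port adds to ssh-agent's `main()`; the cast matches the style upstream now applies to the two `set*gid()` calls directly above it, but with the return value dropped a failing `setuid()` leaves the agent running under whatever uid it started with and nothing records that it happened. Checking it is one line: `if (setuid(geteuid()) == -1) fatal("setuid: %s", strerror(errno));` (`fatal()` and `strerror(errno)` are used elsewhere in ssh-agent.c, to be confirmed against the 9.6p1 source). If the drop is meant to be best-effort, a comment on the line saying so is better than a silent cast. main() begins and ends outside the hunk.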