diff --git a/Documentation/config-labels.txt b/Documentation/config-labels.txt
index 3c0f0ebdc4..ce49d317c6 100644
--- a/Documentation/config-labels.txt
+++ b/Documentation/config-labels.txt
@@ -340,6 +340,7 @@ user permissions.  Assume the configuration below.
 ====
 
 Upon clicking the Reply button:
+
 * Administrators have all scores (-3..+3) available, -3 is set as the default.
 * Project Owners have limited scores (-2..+2) available, -2 is set as the default.
 * Registered Users have limited scores (-1..+1) available, -1 is set as the default.
diff --git a/ReleaseNotes/ReleaseNotes-2.11.txt b/ReleaseNotes/ReleaseNotes-2.11.txt
index a976612e20..49b13170be 100644
--- a/ReleaseNotes/ReleaseNotes-2.11.txt
+++ b/ReleaseNotes/ReleaseNotes-2.11.txt
@@ -367,6 +367,10 @@ Allow projects to be configured to create a new change for every uploaded commit
 link:https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/config-gerrit.html#container.daemonOpt[
 options to pass to the daemon].
 
+* Allow to configure
+link:https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/config-gerrit.html#sshd.rekeyBytesLimit[
+SSHD rekey parameters].
+
 Daemon
 ~~~~~~
 
@@ -388,9 +392,12 @@ a change message on the created change.
 * Don't send 'new patch set' notification emails for trivial rebases.
 
 
-ssh
+SSH
 ~~~
 
+* link:https://code.google.com/p/gerrit/issues/detail?id=2797[Issue 2797]:
+Add support for ECDSA based public key authentication.
+
 * Add new commands
 link:https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/cmd-logging-ls-level.html[
 `logging ls-level`] and
@@ -530,6 +537,21 @@ was stuck in the draft state.
 * link:https://code.google.com/p/gerrit/issues/detail?id=3249[Issue 3249]:
 Fix server error when checking mergeability of a change.
 
+* Workaround Guice bug "getPathInfo not decoded".
++
+Due to link:https://github.com/google/guice/issues/745[Guice issue 745], cloning
+of a repository with a space in its name was impossible.
+
+* Print proper names for tasks in output of `show-queue` command.
++
+Some tasks were not displayed with the proper name.
+
+
+SSH
+~~~
+
+* Prevent double authentication for the same public key.
+
 
 Secondary Index / Search
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -578,6 +600,9 @@ documented.
 Web UI
 ~~~~~~
 
+* link:http://code.google.com/p/gerrit/issues/detail?id=3044[Issue 3044]:
+Remove stripping `#` in login redirect.
+
 Change Screen
 ^^^^^^^^^^^^^
 
@@ -818,6 +843,8 @@ Upgrades
 
 * Update ASM to 5.0.3.
 
+* Update Bouncycastle to 1.51.
+
 * Update CodeMirror to 4.10.0-6-gd0a2dda.
 
 * Update Guava to 18.0.
@@ -832,10 +859,12 @@ Upgrades
 
 * Update Jetty to 9.2.9.v20150224.
 
-* Update JGit to 3.6.2.201501210735-r.40-g23ad3a3.
+* Update JGit to 3.7.0.201502260915-r.58-g65c379e.
 
 * Update Lucene to 4.10.2.
 
 * Update Parboiled to 1.1.7.
 
 * Update Pegdown to 1.4.2.
+
+* Update SSHD to 0.14.0.
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpServlet.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpServlet.java
index 97de6b555e..e73f80592c 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpServlet.java
@@ -63,6 +63,8 @@ import org.eclipse.jgit.transport.resolver.ServiceNotEnabledException;
 import org.eclipse.jgit.transport.resolver.UploadPackFactory;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -156,6 +158,13 @@ public class GitOverHttpServlet extends GitServlet {
     public Repository open(HttpServletRequest req, String projectName)
         throws RepositoryNotFoundException, ServiceNotAuthorizedException,
         ServiceNotEnabledException {
+      try {
+        // TODO: remove this code when Guice fixes its issue 745
+        projectName = URLDecoder.decode(projectName, "UTF-8");
+      } catch (UnsupportedEncodingException e) {
+        // leave it encoded
+      }
+
       while (projectName.endsWith("/")) {
         projectName = projectName.substring(0, projectName.length() - 1);
       }
diff --git a/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/LoginRedirect.html b/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/LoginRedirect.html
index d88af9a42f..0567468e8c 100644
--- a/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/LoginRedirect.html
+++ b/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/LoginRedirect.html
@@ -7,10 +7,7 @@
       var p = href.indexOf('#');
       var token;
       if (p >= 0) {
-        token = href.substring(p + 1);
-        if (token.length != 0 && token.charAt(0) == '/') {
-          token = token.substring(1);
-        }
+        token = href.substring(p);
         href = href.substring(0, p);
       } else {
         token = '';
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountState.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountState.java
index 2a961c3510..815b51940b 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountState.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountState.java
@@ -73,7 +73,7 @@ public class AccountState {
     return internalGroups;
   }
 
-  private static String getUserName(Collection<AccountExternalId> ids) {
+  public static String getUserName(Collection<AccountExternalId> ids) {
     for (AccountExternalId id : ids) {
       if (id.isScheme(SCHEME_USERNAME)) {
         return id.getSchemeRest();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/InternalAccountDirectory.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/InternalAccountDirectory.java
index 700fd76b92..4f8eacd0d3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/InternalAccountDirectory.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/InternalAccountDirectory.java
@@ -85,6 +85,10 @@ public class InternalAccountDirectory extends AccountDirectory {
     if (!missing.isEmpty()) {
       try {
         for (Account account : db.get().accounts().get(missing.keySet())) {
+          if (options.contains(FillOptions.USERNAME)) {
+            account.setUserName(AccountState.getUserName(
+                db.get().accountExternalIds().byAccount(account.getId()).toList()));
+          }
           for (AccountInfo info : missing.get(account.getId())) {
             fill(info, account, options);
           }
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/CachingPublicKeyAuthenticator.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/CachingPublicKeyAuthenticator.java
index f315cff3b8..0471af8d44 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/CachingPublicKeyAuthenticator.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/CachingPublicKeyAuthenticator.java
@@ -17,56 +17,12 @@ package com.google.gerrit.sshd;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 
-import org.apache.sshd.common.Session;
-import org.apache.sshd.common.SessionListener;
-import org.apache.sshd.server.PublickeyAuthenticator;
-import org.apache.sshd.server.session.ServerSession;
-
-import java.security.PublicKey;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
 @Singleton
-public class CachingPublicKeyAuthenticator implements PublickeyAuthenticator,
-    SessionListener {
-
-  private final PublickeyAuthenticator authenticator;
-  private final Map<ServerSession, Map<PublicKey, Boolean>> sessionCache;
+public class CachingPublicKeyAuthenticator
+    extends org.apache.sshd.server.auth.CachingPublicKeyAuthenticator {
 
   @Inject
   public CachingPublicKeyAuthenticator(DatabasePubKeyAuth authenticator) {
-    this.authenticator = authenticator;
-    this.sessionCache = new ConcurrentHashMap<>();
-  }
-
-  @Override
-  public boolean authenticate(String username, PublicKey key,
-      ServerSession session) {
-    Map<PublicKey, Boolean> m = sessionCache.get(session);
-    if (m == null) {
-      m = new HashMap<>();
-      sessionCache.put(session, m);
-      session.addListener(this);
-    }
-    if (m.containsKey(key)) {
-      return m.get(key);
-    }
-    boolean r = authenticator.authenticate(username, key, session);
-    m.put(key, r);
-    return r;
-  }
-
-  @Override
-  public void sessionCreated(Session session) {
-  }
-
-  @Override
-  public void sessionEvent(Session sesssion, Event event) {
-  }
-
-  @Override
-  public void sessionClosed(Session session) {
-    sessionCache.remove(session);
+    super(authenticator);
   }
 }
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
index 9b8147d8fa..39eb720c9b 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
@@ -439,8 +439,29 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
 
     @Override
     public int random(int n) {
-      // TODO Auto-generated method stub
-      return 0;
+      if (n > 0) {
+        if ((n & -n) == n) {
+          return (int)((n * (long) next(31)) >> 31);
+        }
+        int bits, val;
+        do {
+          bits = next(31);
+          val = bits % n;
+        } while (bits - val + (n-1) < 0);
+        return val;
+      }
+      throw new IllegalArgumentException();
+    }
+
+    final protected int next(int numBits) {
+      int bytes = (numBits+7)/8;
+      byte next[] = new byte[bytes];
+      int ret = 0;
+      random.nextBytes(next);
+      for (int i = 0; i < bytes; i++) {
+        ret = (next[i] & 0xFF) | (ret << 8);
+      }
+      return ret >>> (bytes*8 - numBits);
     }
   }