Merge 4.1p1 to the trunk.

author: Colin Watson <cjwatson@debian.org> 2005-05-30 22:13:03 +0000
committer: Colin Watson <cjwatson@debian.org> 2005-05-30 22:13:03 +0000
commit: 4e1e258d1f5745f3dc05ead3cb834c445e6e8818 (patch)
tree: bfbc91107d6bfe7b2a68d8701562e59856116a6a
parent: 4a20a0b23bd0e1db5e69f27c65aaa11a5a2eacd0 (diff)
parent: a55bd782aa819b7f5ae716de000f19f4f531850e (diff)
65 files changed, 722 insertions, 341 deletions
diff --git a/ChangeLog b/ChangeLog
index 046e32e8a..15ce35ce7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,178 @@
+20050524
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+         [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
+ - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
+   that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
+   idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK.  Attempting to use
+   USE_POSIX_THREADS will now generate an error so we don't silently change
+   behaviour.  ok djm@
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
+   allocation when retrieving core Windows environment.  Add CYGWIN variable
+   to propagated variables.  Patch from vinschen at redhat.com, ok djm@
+ - (djm) Release 4.1p1
+20050524
+ - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
+   terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
+   "looks ok" dtucker@
+20050512
+ - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
+   hard link section. Bug 1038.
+20050509
+ - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a
+   user-mode mounts in Cygwin installation.  Patch from vinschen at redhat.com.
+20050504
+ - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
+   unix domain socket, so catch that too; from jakob@ ok dtucker@
+20050503
+ - (dtucker) [canohost.c] normalise socket addresses returned by
+   get_remote_hostname().  This means that IPv4 addresses in log messages
+   on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
+   AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
+   addresses only for 4-in-6 mapped connections, regardless of whether
+   or not the machine is IPv6 enabled.  ok djm@
+20050425
+ - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
+   existence of a process since it's more portable.  Found by jbasney at
+   ncsa.uiuc.edu; ok tim@
+ - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
+   will clean up anyway.  From tim@
+ - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
+   "make tests" works even if you're building on a filesystem that doesn't
+   support sockets.  From deengert at anl.gov, ok djm@
+20050424
+ - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
+   1.2.1.2 or higher.  With tim@, ok djm@
+20050423
+ - (tim) [config.guess] Add support for OpenServer 6.
+20050421
+ - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
+   UseLogin is set as PAM is not used to establish credentials in that
+   case.  Found by Michael Selvesteen, ok djm@
+20050419
+ - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
+   requirements.  Pointed out by Bengt Svensson.
+ - (dtucker) [INSTALL] Put the s/key text and URL back together.
+ - (dtucker) [INSTALL] Fix s/key text too.
+20050411
+ - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME
+20050405
+ - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it.  ok djm@
+ - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
+   Tru64.  Patch from cmadams at hiwaay.net.
+ - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
+   sys_auth_passwd, pointed out by cmadams at hiwaay.net.
+20050403
+ - (djm) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
+     [scp.c]
+     copy argv[] element instead of smashing the one that ps will see; ok otto
+   - djm@cvs.openbsd.org 2005/04/02 12:41:16
+     [scp.c]
+     since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror
+     build
+ - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
+   will free as needed.  ok tim@ djm@
+20050331
+ - (dtucker) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2005/03/16 11:10:38
+     [ssh_config.5]
+     get the syntax right for {Local,Remote}Forward;
+     based on a diff from markus;
+     problem report from ponraj;
+     ok dtucker@ markus@ deraadt@
+   - markus@cvs.openbsd.org 2005/03/16 21:17:39
+     [version.h]
+     4.1
+   - jmc@cvs.openbsd.org 2005/03/18 17:05:00
+     [sshd_config.5]
+     typo;
+ - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
+   handling of password expiry messages returned by AIX's authentication
+   routines, originally reported by robvdwal at sara.nl.
+ - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
+   message on some platforms.  Patch from pete at seebeyond.com via djm.
+ - (dtucker) [monitor.c] Remaining part of fix for bug #1006.
+20050329
+ - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
+   interested in which is much faster in large (eg LDAP or NIS) environments.
+   Patch from dleonard at vintela.com.
+20050321
+ - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
+   and -Lyes to CFLAGS and LIBS.  Pointed out by peter at slagheap.net,
+   with & ok tim@
+ - (dtucker) [configure.ac] Make configure error out if the user specifies
+   --with-libedit but the required libs can't be found, rather than silently
+   ignoring and continuing.  ok tim@
+ - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
+   of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.
+20050317
+ - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
+   Make --without-opensc work.
+ - (tim) [configure.ac] portability changes on test statements. Some shells
+   have problems with -a operator.
+ - (tim) [configure.ac] make some configure options a little more error proof.
+ - (tim) [configure.ac] remove trailing white space.
+20050314
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
+     [readconf.c]
+     Check listen addresses for null, prevents xfree from dying during
+     ClearAllForwardings (bz #996).  From  Craig Leres, ok markus@
+   - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
+     [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
+     monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
+     readconf.c bufaux.c sftp.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
+     [auth-options.c]
+     spacing
+   - markus@cvs.openbsd.org 2005/03/11 14:59:06
+     [ssh-keygen.c]
+     typo, missing \n; mpech
+   - jmc@cvs.openbsd.org 2005/03/12 11:55:03
+     [ssh_config.5]
+     escape `.' at eol to avoid double spacing issues;
+   - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
+     [ssh-keygen.1]
+     Correct description of -H (bz #997);  ok markus@, punctuation jmc@
+   - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
+     [auth.c]
+     Populate host for log message for logins denied by AllowUsers and
+     DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
+   - markus@cvs.openbsd.org 2005/03/14 11:46:56
+     [buffer.c buffer.h channels.c]
+     limit input buffer size for channels; bugzilla #896; with and ok dtucker@
+ - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
+   with a rpm -F
+20050313
+ - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
+   localized name of the local administrators group more reliable.  From
+   vinschen at redhat.com.
+20050312
+ - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
+   output ends up in the client's output, causing regress failures.  Found
+   by Corinna Vinschen.
 20050309
 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
   so that regress tests behave.  From Chris Adams.
@@ -2321,4 +2496,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3707.2.1 2005/03/09 04:52:09 djm Exp $
+$Id: ChangeLog,v 1.3758.2.2 2005/05/25 12:24:56 djm Exp $
diff --git a/INSTALL b/INSTALL
index 4fc3744f3..753d2d061 100644
--- a/INSTALL
+++ b/INSTALL
@@ -3,7 +3,7 @@
 You will need working installations of Zlib and OpenSSL.
-Zlib 1.1.4 or greater:
+Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
 http://www.gzip.org/zlib/
 OpenSSL 0.9.6 or greater:
@@ -50,20 +50,20 @@ lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
 http://www.lothar.com/tech/crypto/
 S/Key Libraries:
+If you wish to use --with-skey then you will need the library below
+installed.  No other S/Key library is currently known to be supported.
 http://www.sparc.spb.su/solaris/skey/
 LibEdit:
 sftp now supports command-line editing via NetBSD's libedit.  If your
 platform has it available natively you can use that, alternatively
 you might try these multi-platform ports:
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
-If you wish to use --with-skey then you will need the above library
-installed.  No other current S/Key library is currently known to be
-supported.
 2. Building / Installation
 --------------------------
@@ -91,6 +91,10 @@ make install
 This will install the binaries in /opt/{bin,lib,sbin}, but will place the
 configuration files in /etc/ssh.
+If you are using Privilege Separation (which is enabled by default)
+then you will also need to create the user, group and directory used by
+sshd for privilege separation.  See README.privsep for details.
 If you are using PAM, you may need to manually install a PAM control
 file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
 them).  Note that the service name used to start PAM is __progname,
@@ -221,4 +225,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
-$Id: INSTALL,v 1.66 2005/01/18 01:05:18 dtucker Exp $
+$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
diff --git a/README b/README
index 0c5335ff5..93682c3cb 100644
--- a/README
+++ b/README
@@ -61,4 +61,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
-$Id: README,v 1.56.4.1 2005/03/09 03:12:09 djm Exp $
+$Id: README,v 1.57 2005/03/09 03:32:28 dtucker Exp $
diff --git a/auth-options.c b/auth-options.c
index 04d12d66e..a85e40835 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.29 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $");
 #include "xmalloc.h"
 #include "match.h"
@@ -247,7 +247,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                        host = hpdelim(&p);
                        if (host == NULL || strlen(host) >= NI_MAXHOST) {
                                debug("%.100s, line %lu: Bad permitopen "
-                                    "specification <%.100s>", file, linenum, 
+                                    "specification <%.100s>", file, linenum,
                                    patterns);
                                auth_debug_add("%.100s, line %lu: "
                                    "Bad permitopen specification", file,
@@ -255,8 +255,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                xfree(patterns);
                                goto bad_option;
                        }
-                        host = cleanhostname(host);
+                        host = cleanhostname(host);
-                        if (p == NULL || (port = a2port(p)) == 0) {
+                        if (p == NULL || (port = a2port(p)) == 0) {
                                debug("%.100s, line %lu: Bad permitopen port "
                                    "<%.100s>", file, linenum, p ? p : "");
                                auth_debug_add("%.100s, line %lu: "
diff --git a/auth-pam.c b/auth-pam.c
index 6ce8c429b..a8d372aac 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.122 2005/05/25 06:18:10 dtucker Exp $");
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -76,7 +76,17 @@ extern Buffer loginmsg;
 extern int compat20;
 extern u_int utmp_len;
+/* so we don't silently change behaviour */
 #ifdef USE_POSIX_THREADS
+# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK"
+#endif
+/*
+ * Formerly known as USE_POSIX_THREADS, using this is completely unsupported
+ * and generally a bad idea.  Use at own risk and do not expect support if
+ * this breaks.
+ */
+#ifdef UNSUPPORTED_POSIX_THREADS_HACK
 #include <pthread.h>
 /*
 * Avoid namespace clash when *not* using pthreads for systems *with*
@@ -98,7 +108,7 @@ struct pam_ctxt {
 static void sshpam_free_ctx(void *);
 static struct pam_ctxt *cleanup_ctxt;
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
 /*
 * Simulate threads with processes.
 */
@@ -255,7 +265,7 @@ import_environments(Buffer *b)
        debug3("PAM: %s entering", __func__);
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
        /* Import variables set by do_pam_account */
        sshpam_account_status = buffer_get_int(b);
        sshpam_password_change_required(buffer_get_int(b));
@@ -384,7 +394,7 @@ sshpam_thread(void *ctxtp)
        struct pam_conv sshpam_conv;
        int flags = (options.permit_empty_passwd == 0 ?
            PAM_DISALLOW_NULL_AUTHTOK : 0);
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
        extern char **environ;
        char **env_from_pam;
        u_int i;
@@ -428,7 +438,7 @@ sshpam_thread(void *ctxtp)
        buffer_put_cstring(&buffer, "OK");
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
        /* Export variables set by do_pam_account */
        buffer_put_int(&buffer, sshpam_account_status);
        buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
@@ -447,7 +457,7 @@ sshpam_thread(void *ctxtp)
        buffer_put_int(&buffer, i);
        for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
                buffer_put_cstring(&buffer, env_from_pam[i]);
-#endif /* USE_POSIX_THREADS */
+#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
        /* XXX - can't do much about an error here */
        ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
diff --git a/auth-passwd.c b/auth-passwd.c
index 27ece3f72..654e0b821 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -47,7 +47,6 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
 extern Buffer loginmsg;
 extern ServerOptions options;
-int sys_auth_passwd(Authctxt *, const char *);
 #ifdef HAVE_LOGIN_CAP
 extern login_cap_t *lc;
diff --git a/auth-sia.c b/auth-sia.c
index 63f55d07f..af7182b48 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -47,7 +47,7 @@ extern int saved_argc;
 extern char **saved_argv;
 int
-sys_auth_passwd(Authctxt *authctxt, char *pass)
+sys_auth_passwd(Authctxt *authctxt, const char *pass)
 {
        int ret;
        SIAENTITY *ent = NULL;
diff --git a/auth-sia.h b/auth-sia.h
index ca55e913e..27cbb93f1 100644
--- a/auth-sia.h
+++ b/auth-sia.h
@@ -26,7 +26,6 @@
 #ifdef HAVE_OSF_SIA
-int     sys_auth_passwd(Authctxt *, char *);
 void    session_setup_sia(struct passwd *, char *);
 #endif /* HAVE_OSF_SIA */
diff --git a/auth.c b/auth.c
index 256807683..46b013137 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
+RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -145,7 +145,8 @@ allowed_user(struct passwd * pw)
                return 0;
        }
-        if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+        if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
+            options.num_deny_groups > 0 || options.num_allow_groups > 0) {
                hostname = get_canonical_hostname(options.use_dns);
                ipaddr = get_remote_ipaddr();
        }
diff --git a/auth.h b/auth.h
index 8d1f93403..471404e4e 100644
--- a/auth.h
+++ b/auth.h
@@ -30,6 +30,7 @@
 #include "key.h"
 #include "hostfile.h"
+#include "buffer.h"
 #include <openssl/rsa.h>
 #ifdef HAVE_LOGIN_CAP
@@ -68,6 +69,7 @@ struct Authctxt {
        char            *krb5_ticket_file;
        char            *krb5_ccname;
 #endif
+        Buffer          *loginmsg;
        void            *methoddata;
 };
 /*
@@ -185,6 +187,8 @@ void	 auth_debug_reset(void);
 struct passwd *fakepw(void);
+int      sys_auth_passwd(Authctxt *, const char *);
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 #define SKEY_PROMPT "\nS/Key Password: "
diff --git a/bufaux.c b/bufaux.c
index 4ea6af1b6..5dbf2b770 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.34 2004/12/06 16:00:43 markus Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.35 2005/03/10 22:01:05 deraadt Exp $");
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -179,7 +179,7 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
 {
        u_int len;
        u_char *bin;
-        
        if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
                error("buffer_get_bignum2_ret: invalid bignum");
                return (-1);
diff --git a/bufaux.h b/bufaux.h
index e30911ddc..f5efaed3e 100644
--- a/bufaux.h
+++ b/bufaux.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bufaux.h,v 1.20 2004/10/29 23:56:17 djm Exp $ */
+/*      $OpenBSD: bufaux.h,v 1.21 2005/03/10 22:01:05 deraadt Exp $     */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -40,7 +40,7 @@ void    buffer_put_string(Buffer *, const void *, u_int);
 void    buffer_put_cstring(Buffer *, const char *);
 #define buffer_skip_string(b) \
-    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while(0)
+    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
 int     buffer_put_bignum_ret(Buffer *, const BIGNUM *);
 int     buffer_get_bignum_ret(Buffer *, BIGNUM *);
diff --git a/buffer.c b/buffer.c
index 1a25004ba..487e08105 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
@@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len)
        u_int newlen;
        void *p;
-        if (len > 0x100000)
+        if (len > BUFFER_MAX_CHUNK)
                fatal("buffer_append_space: len %u not supported", len);
        /* If the buffer is empty, start using it from the beginning. */
@@ -97,7 +97,7 @@ restart:
         * If the buffer is quite empty, but all data is at the end, move the
         * data to the beginning and retry.
         */
-        if (buffer->offset > buffer->alloc / 2) {
+        if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
                memmove(buffer->buf, buffer->buf + buffer->offset,
                        buffer->end - buffer->offset);
                buffer->end -= buffer->offset;
@@ -107,7 +107,7 @@ restart:
        /* Increase the size of the buffer and retry. */
        newlen = buffer->alloc + len + 32768;
-        if (newlen > 0xa00000)
+        if (newlen > BUFFER_MAX_LEN)
                fatal("buffer_append_space: alloc %u not supported",
                    newlen);
        buffer->buf = xrealloc(buffer->buf, newlen);
diff --git a/buffer.h b/buffer.h
index 9c09d4f43..2b20eed52 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */
+/*      $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $      */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,6 +23,9 @@ typedef struct {
        u_int    end;           /* Offset of last byte containing data. */
 }       Buffer;
+#define BUFFER_MAX_CHUNK        0x100000
+#define BUFFER_MAX_LEN          0xa00000
 void     buffer_init(Buffer *);
 void     buffer_clear(Buffer *);
 void     buffer_free(Buffer *);
diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index f243e90bf..f90ae6e81 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -282,11 +282,11 @@ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SY
        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 else
        [ "$RCS_D" = yes ]  &&  \
-installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
        [ "$RC1_D" = no ]  ||  \
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 fi
 # If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
diff --git a/canohost.c b/canohost.c
index 1c22d4770..94d666432 100644
--- a/canohost.c
+++ b/canohost.c
@@ -251,6 +251,8 @@ get_socket_address(int sock, int remote, int flags)
        if (addr.ss_family == AF_INET6)
                addrlen = sizeof(struct sockaddr_in6);
+        ipv64_normalise_mapped(&addr, &addrlen);
        /* Get the address in ascii. */
        if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
            sizeof(ntop), NULL, 0, flags)) != 0) {
diff --git a/channels.c b/channels.c
index 2dea5dfd0..b8507ca13 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.212 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.212 2005/03/01 10:09:52 djm Exp $");
 /* -- channel core */
+#define CHAN_RBUF       16*1024
 /*
 * Pointer to an array containing all allocated channels.  The array is
 * dynamically extended as needed.
@@ -712,6 +714,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
        u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+        /* check buffer limits */
+        limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
        if (c->istate == CHAN_INPUT_OPEN &&
            limit > 0 &&
            buffer_len(&c->input) < limit)
@@ -1018,7 +1023,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
                debug2("channel %d: only socks5 connect supported", c->self);
                return -1;
        }
-        switch(s5_req.atyp){
+        switch (s5_req.atyp){
        case SSH_SOCKS5_IPV4:
                addrlen = 4;
                af = AF_INET;
@@ -1360,7 +1365,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
 {
-        char buf[16*1024];
+        char buf[CHAN_RBUF];
        int len;
        if (c->rfd != -1 &&
@@ -1454,7 +1459,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
 {
-        char buf[16*1024];
+        char buf[CHAN_RBUF];
        int len;
 /** XXX handle drain efd, too */
@@ -2199,11 +2204,11 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
        /*
         * Determine whether or not a port forward listens to loopback,
-         * specified address or wildcard. On the client, a specified bind 
+         * specified address or wildcard. On the client, a specified bind
-         * address will always override gateway_ports. On the server, a 
+         * address will always override gateway_ports. On the server, a
-         * gateway_ports of 1 (``yes'') will override the client's 
+         * gateway_ports of 1 (``yes'') will override the client's
-         * specification and force a wildcard bind, whereas a value of 2 
+         * specification and force a wildcard bind, whereas a value of 2
-         * (``clientspecified'') will bind to whatever address the client 
+         * (``clientspecified'') will bind to whatever address the client
         * asked for.
         *
         * Special-case listen_addrs are:
@@ -2317,7 +2322,7 @@ channel_cancel_rport_listener(const char *host, u_short port)
        u_int i;
        int found = 0;
-        for(i = 0; i < channels_alloc; i++) {
+        for (i = 0; i < channels_alloc; i++) {
                Channel *c = channels[i];
                if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
@@ -2629,7 +2634,7 @@ channel_send_window_changes(void)
        struct winsize ws;
        for (i = 0; i < channels_alloc; i++) {
-                if (channels[i] == NULL || !channels[i]->client_tty || 
+                if (channels[i] == NULL || !channels[i]->client_tty ||
                    channels[i]->type != SSH_CHANNEL_OPEN)
                        continue;
                if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
diff --git a/clientloop.c b/clientloop.c
index 90bdcbc39..d36d816de 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.135 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.136 2005/03/10 22:01:05 deraadt Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -632,7 +632,7 @@ client_process_control(fd_set * readset)
                            "to %s? ", host);
                if (allowed)
                        quit_pending = 1;
-                /* FALLTHROUGH */       
+                /* FALLTHROUGH */
        case SSHMUX_COMMAND_ALIVE_CHECK:
                /* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */
                buffer_clear(&m);
diff --git a/config.guess b/config.guess
index e8c6fc0c3..bb9d7aee4 100755
--- a/config.guess
+++ b/config.guess
@@ -1014,7 +1014,8 @@ EOF
                echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
        fi
        exit 0 ;;
-    i*86:*:5:[78]*)
+    i*86:*:5:[678]*)
+        # Unixware 7.x, OpenUNIX 8, & OpenServer 6
        case `/bin/uname -X | grep "^Machine"` in
            *486*)           UNAME_MACHINE=i486 ;;
            *Pentium)        UNAME_MACHINE=i586 ;;
diff --git a/config.h.in b/config.h.in
index 70f997323..400561d6a 100644
--- a/config.h.in
+++ b/config.h.in
@@ -525,6 +525,10 @@
   don't. */
 #undef HAVE_DECL_PASSWDEXPIRED
+/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
+   don't. */
+#undef HAVE_DECL_SETAUTHDB
 /* Define to 1 if you have the <dirent.h> header file. */
 #undef HAVE_DIRENT_H
@@ -903,6 +907,9 @@
 /* Define to 1 if you have the `socketpair' function. */
 #undef HAVE_SOCKETPAIR
+/* Have PEERCRED socket option */
+#undef HAVE_SO_PEERCRED
 /* Define to 1 if you have the <stddef.h> header file. */
 #undef HAVE_STDDEF_H
diff --git a/configure b/configure
index 1bf7b0b0b..ef3609b70 100755
--- a/configure
+++ b/configure
@@ -881,7 +881,7 @@ Optional Packages:
  --with-entropy-timeout  Specify entropy gathering command timeout (msec)
  --with-privsep-user=user Specify non-privileged user for privilege separation
  --with-sectok           Enable smartcard support using libsectok
-  --with-opensc=PFX       Enable smartcard support using OpenSC
+--with-opensc[=PFX]       Enable smartcard support using OpenSC (optionally in PATH)
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
@@ -4643,6 +4643,77 @@ _ACEOF
 fi
+echo "$as_me:$LINENO: checking whether setauthdb is declared" >&5
+echo $ECHO_N "checking whether setauthdb is declared... $ECHO_C" >&6
+if test "${ac_cv_have_decl_setauthdb+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <usersec.h>
+int
+main ()
+{
+#ifndef setauthdb
+  char *p = (char *) setauthdb;
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -z "$ac_c_werror_flag"
+                         || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_have_decl_setauthdb=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+ac_cv_have_decl_setauthdb=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_have_decl_setauthdb" >&5
+echo "${ECHO_T}$ac_cv_have_decl_setauthdb" >&6
+if test $ac_cv_have_decl_setauthdb = yes; then
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SETAUTHDB 1
+_ACEOF
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SETAUTHDB 0
+_ACEOF
+fi
                echo "$as_me:$LINENO: checking whether loginfailed is declared" >&5
@@ -6004,6 +6075,11 @@ _ACEOF
 #define BROKEN_SETREGID 1
 _ACEOF
+cat >>confdefs.h <<\_ACEOF
+#define PASSWD_NEEDS_USERNAME 1
+_ACEOF
        ;;
 # UnixWare 7.x, OpenUNIX 8
 *-*-sysv5*)
@@ -6023,6 +6099,11 @@ _ACEOF
 #define BROKEN_SETREGID 1
 _ACEOF
+cat >>confdefs.h <<\_ACEOF
+#define PASSWD_NEEDS_USERNAME 1
+_ACEOF
        ;;
 *-*-sysv*)
        ;;
@@ -6363,7 +6444,8 @@ esac
 if test "${with_cflags+set}" = set; then
  withval="$with_cflags"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        CFLAGS="$CFLAGS $withval"
                fi
@@ -6374,7 +6456,8 @@ fi;
 if test "${with_cppflags+set}" = set; then
  withval="$with_cppflags"
-                if test "x$withval" != "xno"; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        CPPFLAGS="$CPPFLAGS $withval"
                fi
@@ -6385,7 +6468,8 @@ fi;
 if test "${with_ldflags+set}" = set; then
  withval="$with_ldflags"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        LDFLAGS="$LDFLAGS $withval"
                fi
@@ -6396,7 +6480,8 @@ fi;
 if test "${with_libs+set}" = set; then
  withval="$with_libs"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        LIBS="$LIBS $withval"
                fi
@@ -8171,12 +8256,11 @@ fi
 # Check whether --with-zlib or --without-zlib was given.
 if test "${with_zlib+set}" = set; then
  withval="$with_zlib"
+   if test "x$withval" = "xno" ; then
-                if test "x$withval" = "xno" ; then
+                { { echo "$as_me:$LINENO: error: *** zlib is required ***" >&5
-                        { { echo "$as_me:$LINENO: error: *** zlib is required ***" >&5
 echo "$as_me: error: *** zlib is required ***" >&2;}
   { (exit 1); exit 1; }; }
-                fi
+          elif test "x$withval" != "xyes"; then
                if test -d "$withval/lib"; then
                        if test -n "${need_dash_r}"; then
                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -8195,7 +8279,7 @@ echo "$as_me: error: *** zlib is required ***" >&2;}
                else
                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
                fi
+        fi
 fi;
@@ -8506,8 +8590,8 @@ if test "${with_zlib_version_check+set}" = set; then
 fi;
-echo "$as_me:$LINENO: checking for zlib 1.1.4 or greater" >&5
+echo "$as_me:$LINENO: checking for possibly buggy zlib" >&5
-echo $ECHO_N "checking for zlib 1.1.4 or greater... $ECHO_C" >&6
+echo $ECHO_N "checking for possibly buggy zlib... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
        { echo "$as_me:$LINENO: WARNING: cross compiling: not checking zlib version" >&5
 echo "$as_me: WARNING: cross compiling: not checking zlib version" >&2;}
@@ -8520,15 +8604,25 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+#include <stdio.h>
 #include <zlib.h>
 int main()
 {
-        int a, b, c, v;
+        int a=0, b=0, c=0, d=0, n, v;
-        if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3)
+        n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+        if (n != 3 && n != 4)
                exit(1);
-        v = a*1000000 + b*1000 + c;
+        v = a*1000000 + b*10000 + c*100 + d;
-        if (v >= 1001004)
+        fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+        /* 1.1.4 is OK */
+        if (a == 1 && b == 1 && c >= 4)
+                exit(0);
+        /* 1.2.1.2 and up are OK */
+        if (v >= 1020102)
                exit(0);
        exit(2);
 }
@@ -8544,29 +8638,31 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
+  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}yes" >&6
+echo "${ECHO_T}no" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
- echo "$as_me:$LINENO: result: no" >&5
+ echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}no" >&6
+echo "${ECHO_T}yes" >&6
          if test -z "$zlib_check_nonfatal" ; then
                { { echo "$as_me:$LINENO: error: *** zlib too old - check config.log ***
 Your reported zlib version has known security problems.  It's possible your
 vendor has fixed these problems without changing the version number.  If you
 are sure this is the case, you can disable the check by running
 \"./configure --without-zlib-version-check\".
-If you are in doubt, upgrade zlib to version 1.1.4 or greater." >&5
+If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
+See http://www.gzip.org/zlib/ for details." >&5
 echo "$as_me: error: *** zlib too old - check config.log ***
 Your reported zlib version has known security problems.  It's possible your
 vendor has fixed these problems without changing the version number.  If you
 are sure this is the case, you can disable the check by running
 \"./configure --without-zlib-version-check\".
-If you are in doubt, upgrade zlib to version 1.1.4 or greater." >&2;}
+If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
+See http://www.gzip.org/zlib/ for details." >&2;}
   { (exit 1); exit 1; }; }
          else
                { echo "$as_me:$LINENO: WARNING: zlib version may have security problems" >&5
@@ -9753,7 +9849,8 @@ if test "${with_tcp_wrappers+set}" = set; then
                        saved_LIBS="$LIBS"
                        saved_LDFLAGS="$LDFLAGS"
                        saved_CPPFLAGS="$CPPFLAGS"
-                        if test -n "${withval}" -a "${withval}" != "yes"; then
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
                                if test -d "${withval}/lib"; then
                                        if test -n "${need_dash_r}"; then
                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -9856,13 +9953,17 @@ LIBEDIT_MSG="no"
 if test "${with_libedit+set}" = set; then
  withval="$with_libedit"
   if test "x$withval" != "xno" ; then
+                if test "x$withval" != "xyes"; then
+                        CPPFLAGS="$CPPFLAGS -I$withval/include"
+                        LDFLAGS="$LDFLAGS -L$withval/lib"
+                fi
                echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
 echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6
 if test "${ac_cv_lib_edit_el_init+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ledit -lcurses
+LIBS="-ledit  -lcurses
                 $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -9931,6 +10032,10 @@ _ACEOF
                          LIBEDIT_MSG="yes"
+else
+   { { echo "$as_me:$LINENO: error: libedit not found" >&5
+echo "$as_me: error: libedit not found" >&2;}
+   { (exit 1); exit 1; }; }
 fi
        fi
@@ -12733,8 +12838,14 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_SO_PEERCRED
+_ACEOF
 else
  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -12895,7 +13006,8 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
 fi
 fi
-if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
+    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
        echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
 echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
        if test "$cross_compiling" = yes; then
@@ -13002,7 +13114,8 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
 fi
 fi
-if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then
+if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
+    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
        echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
 echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
        if test "$cross_compiling" = yes; then
@@ -14272,7 +14385,7 @@ echo "$as_me: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&2;}
 fi;
 # Which randomness source do we use?
-if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
+if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
        # OpenSSL only
        cat >>confdefs.h <<\_ACEOF
 #define OPENSSL_PRNG_ONLY 1
@@ -14393,7 +14506,8 @@ entropy_timeout=200
 if test "${with_entropy_timeout+set}" = set; then
  withval="$with_entropy_timeout"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        entropy_timeout=$withval
                fi
@@ -14410,7 +14524,8 @@ SSH_PRIVSEP_USER=sshd
 if test "${with_privsep_user+set}" = set; then
  withval="$with_privsep_user"
-                if test -n "$withval"; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        SSH_PRIVSEP_USER=$withval
                fi
@@ -19152,9 +19267,9 @@ fi
 # We need int64_t or else certian parts of the compile will fail.
-if test "x$ac_cv_have_int64_t" = "xno" -a \
+if test "x$ac_cv_have_int64_t" = "xno" && \
-        "x$ac_cv_sizeof_long_int" != "x8" -a \
+        test "x$ac_cv_sizeof_long_int" != "x8" && \
-        "x$ac_cv_sizeof_long_long_int" = "x0" ; then
+        test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
        echo "OpenSSH requires int64_t support.  Contact your vendor or install"
        echo "an alternative compiler (I.E., GCC) before continuing."
        echo ""
@@ -21195,17 +21310,17 @@ _ACEOF
 fi;
 # Check whether user wants OpenSC support
+OPENSC_CONFIG="no"
 # Check whether --with-opensc or --without-opensc was given.
 if test "${with_opensc+set}" = set; then
  withval="$with_opensc"
-  opensc_config_prefix="$withval"
-else
+            if test "x$withval" != "xno" ; then
-  opensc_config_prefix=""
+                if test "x$withval" != "xyes" ; then
-fi;
+                        OPENSC_CONFIG=$withval/bin/opensc-config
-if test x$opensc_config_prefix != x ; then
+                else
-  OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
+                        # Extract the first word of "opensc-config", so it can be a program name with args.
-  # Extract the first word of "opensc-config", so it can be a program name with args.
 set dummy opensc-config; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
@@ -21245,22 +21360,26 @@ else
 echo "${ECHO_T}no" >&6
 fi
-  if test "$OPENSC_CONFIG" != "no"; then
+                fi
-    LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+                if test "$OPENSC_CONFIG" != "no"; then
-    LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+                        LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
-    CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+                        LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
-    LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+                        CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-    cat >>confdefs.h <<\_ACEOF
+                        LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+                        cat >>confdefs.h <<\_ACEOF
 #define SMARTCARD 1
 _ACEOF
-    cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\_ACEOF
 #define USE_OPENSC 1
 _ACEOF
-    SCARD_MSG="yes, using OpenSC"
+                        SCARD_MSG="yes, using OpenSC"
-  fi
+                fi
-fi
+            fi
+fi;
 # Check libraries needed by DNS fingerprint support
 echo "$as_me:$LINENO: checking for library containing getrrsetbyname" >&5
@@ -23659,7 +23778,8 @@ PRIVSEP_PATH=/var/empty
 if test "${with_privsep_path+set}" = set; then
  withval="$with_privsep_path"
-                if test "x$withval" != "$no" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        PRIVSEP_PATH=$withval
                fi
@@ -23672,7 +23792,8 @@ fi;
 if test "${with_xauth+set}" = set; then
  withval="$with_xauth"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        xauth_path=$withval
                fi
@@ -24095,8 +24216,8 @@ _ACEOF
        fi
 fi
-if test $ac_cv_func_login_getcapbool = "yes" -a \
+if test $ac_cv_func_login_getcapbool = "yes" && \
-        $ac_cv_header_login_cap_h = "yes" ; then
+        test $ac_cv_header_login_cap_h = "yes" ; then
        external_path_file=/etc/login.conf
 fi
@@ -24240,7 +24361,8 @@ fi
 if test "${with_superuser_path+set}" = set; then
  withval="$with_superuser_path"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        cat >>confdefs.h <<_ACEOF
 #define SUPERUSER_PATH "$withval"
 _ACEOF
@@ -24324,7 +24446,8 @@ fi
 if test "${with_pid_dir+set}" = set; then
  withval="$with_pid_dir"
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        piddir=$withval
                        if test ! -d $piddir ; then
                        { echo "$as_me:$LINENO: WARNING: ** no $piddir directory on this system **" >&5
@@ -24455,7 +24578,7 @@ if test "${with_lastlog+set}" = set; then
 #define DISABLE_LASTLOG 1
 _ACEOF
-                else
+                elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
                        conf_lastlog_location=$withval
                fi
@@ -25290,9 +25413,9 @@ exec 6>&1
 exec 5>>config.log
 {
  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<BOXI_EOF
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
 ## Running $as_me. ##
-BOXI_EOF
+_ASBOX
 } >&5
 cat >&5 <<_CSEOF
diff --git a/configure.ac b/configure.ac
index e48028b7b..20c8f1587 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.250 2005/03/07 09:21:37 tim Exp $
+# $Id: configure.ac,v 1.260 2005/04/24 07:52:23 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -75,7 +75,7 @@ if test -z "$LD" ; then
        LD=$CC
 fi
 AC_SUBST(LD)
-        
 AC_C_INLINE
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
        CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized"
@@ -84,7 +84,7 @@ fi
 AC_ARG_WITH(rpath,
        [  --without-rpath         Disable auto-added -R linker paths],
        [
-                if test "x$withval" = "xno" ; then      
+                if test "x$withval" = "xno" ; then
                        need_dash_r=""
                fi
                if test "x$withval" = "xyes" ; then
@@ -123,7 +123,7 @@ case "$host" in
                ])
        dnl Check for various auth function declarations in headers.
        AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
-            passwdexpired], , , [#include <usersec.h>])
+            passwdexpired, setauthdb], , , [#include <usersec.h>])
        dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
        AC_CHECK_DECLS(loginfailed,
                 [AC_MSG_CHECKING(if loginfailed takes 4 arguments)
@@ -274,7 +274,7 @@ mips-sony-bsd|mips-sony-newsos4)
        ;;
 *-*-netbsd*)
        check_for_libcrypt_before=1
-        if test "x$withval" != "xno" ; then     
+        if test "x$withval" != "xno" ; then
                need_dash_r=1
        fi
        ;;
@@ -297,7 +297,7 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(BROKEN_SAVED_UIDS)
        ;;
 *-*-solaris*)
-        if test "x$withval" != "xno" ; then     
+        if test "x$withval" != "xno" ; then
                need_dash_r=1
        fi
        AC_DEFINE(PAM_SUN_CODEBASE)
@@ -361,6 +361,7 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(SETEUID_BREAKS_SETUID)
        AC_DEFINE(BROKEN_SETREUID)
        AC_DEFINE(BROKEN_SETREGID)
+        AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
        ;;
 # UnixWare 7.x, OpenUNIX 8
 *-*-sysv5*)
@@ -368,6 +369,7 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(SETEUID_BREAKS_SETUID)
        AC_DEFINE(BROKEN_SETREUID)
        AC_DEFINE(BROKEN_SETREGID)
+        AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
        ;;
 *-*-sysv*)
        ;;
@@ -472,15 +474,17 @@ esac
 AC_ARG_WITH(cflags,
        [  --with-cflags           Specify additional flags to pass to compiler],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        CFLAGS="$CFLAGS $withval"
                fi
-        ]       
+        ]
 )
 AC_ARG_WITH(cppflags,
        [  --with-cppflags         Specify additional flags to pass to preprocessor] ,
        [
-                if test "x$withval" != "xno"; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        CPPFLAGS="$CPPFLAGS $withval"
                fi
        ]
@@ -488,18 +492,20 @@ AC_ARG_WITH(cppflags,
 AC_ARG_WITH(ldflags,
        [  --with-ldflags          Specify additional flags to pass to linker],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        LDFLAGS="$LDFLAGS $withval"
                fi
-        ]       
+        ]
 )
 AC_ARG_WITH(libs,
        [  --with-libs             Specify additional libraries to link with],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        LIBS="$LIBS $withval"
                fi
-        ]       
+        ]
 )
 AC_MSG_CHECKING(compiler and flags for sanity)
@@ -583,10 +589,9 @@ AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 dnl zlib is required
 AC_ARG_WITH(zlib,
        [  --with-zlib=PATH        Use zlib in PATH],
-        [
+        [ if test "x$withval" = "xno" ; then
-                if test "x$withval" = "xno" ; then
+                AC_MSG_ERROR([*** zlib is required ***])
-                        AC_MSG_ERROR([*** zlib is required ***])
+          elif test "x$withval" != "xyes"; then
-                fi
                if test -d "$withval/lib"; then
                        if test -n "${need_dash_r}"; then
                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -605,7 +610,7 @@ AC_ARG_WITH(zlib,
                else
                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
                fi
-        ]
+        fi ]
 )
 AC_CHECK_LIB(z, deflate, ,
@@ -638,29 +643,40 @@ AC_ARG_WITH(zlib-version-check,
        ]
 )
-AC_MSG_CHECKING(for zlib 1.1.4 or greater)
+AC_MSG_CHECKING(for possibly buggy zlib)
 AC_RUN_IFELSE([AC_LANG_SOURCE([[
+#include <stdio.h>
 #include <zlib.h>
 int main()
 {
-        int a, b, c, v;
+        int a=0, b=0, c=0, d=0, n, v;
-        if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3)
+        n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+        if (n != 3 && n != 4)
                exit(1);
-        v = a*1000000 + b*1000 + c;
+        v = a*1000000 + b*10000 + c*100 + d;
-        if (v >= 1001004)
+        fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+        /* 1.1.4 is OK */
+        if (a == 1 && b == 1 && c >= 4)
                exit(0);
+        /* 1.2.1.2 and up are OK */
+        if (v >= 1020102)
+                exit(0);
        exit(2);
 }
        ]])],
-        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no),
-        [ AC_MSG_RESULT(no)
+        [ AC_MSG_RESULT(yes)
          if test -z "$zlib_check_nonfatal" ; then
                AC_MSG_ERROR([*** zlib too old - check config.log ***
 Your reported zlib version has known security problems.  It's possible your
 vendor has fixed these problems without changing the version number.  If you
 are sure this is the case, you can disable the check by running
 "./configure --without-zlib-version-check".
-If you are in doubt, upgrade zlib to version 1.1.4 or greater.])
+If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
+See http://www.gzip.org/zlib/ for details.])
          else
                AC_MSG_WARN([zlib version may have security problems])
          fi
@@ -730,7 +746,7 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
                AC_MSG_RESULT(no)
                AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
        ],
-        [ 
+        [
                AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
                AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
        ]
@@ -759,7 +775,7 @@ AC_ARG_WITH(skey,
                        AC_DEFINE(SKEY)
                        LIBS="-lskey $LIBS"
                        SKEY_MSG="yes"
-        
                        AC_MSG_CHECKING([for s/key support])
                        AC_TRY_RUN(
                                [
@@ -794,7 +810,8 @@ AC_ARG_WITH(tcp-wrappers,
                        saved_LIBS="$LIBS"
                        saved_LDFLAGS="$LDFLAGS"
                        saved_CPPFLAGS="$CPPFLAGS"
-                        if test -n "${withval}" -a "${withval}" != "yes"; then
+                        if test -n "${withval}" && \
+                            test "x${withval}" != "xyes"; then
                                if test -d "${withval}/lib"; then
                                        if test -n "${need_dash_r}"; then
                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -846,13 +863,18 @@ LIBEDIT_MSG="no"
 AC_ARG_WITH(libedit,
        [  --with-libedit[[=PATH]]   Enable libedit support for sftp],
        [ if test "x$withval" != "xno" ; then
+                if test "x$withval" != "xyes"; then
+                        CPPFLAGS="$CPPFLAGS -I$withval/include"
+                        LDFLAGS="$LDFLAGS -L$withval/lib"
+                fi
                AC_CHECK_LIB(edit, el_init,
                        [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp])
                          LIBEDIT="-ledit -lcurses"
                          LIBEDIT_MSG="yes"
                          AC_SUBST(LIBEDIT)
                        ],
-                        [], [-lcurses]
+                        [ AC_MSG_ERROR(libedit not found) ],
+                        [ -lcurses ]
                )
        fi ]
 )
@@ -1011,7 +1033,9 @@ if test "x$ac_cv_func_getpeereid" != "xyes" ; then
                [#include <sys/types.h>
                 #include <sys/socket.h>],
                [int i = SO_PEERCRED;],
-                [AC_MSG_RESULT(yes)],
+                [ AC_MSG_RESULT(yes)
+                  AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option])
+                ],
                [AC_MSG_RESULT(no)
                NO_PEERCHECK=1]
        )
@@ -1090,7 +1114,8 @@ main()
        )
 fi
-if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
+    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
        AC_MSG_CHECKING(if getaddrinfo seems to work)
        AC_TRY_RUN(
                [
@@ -1158,7 +1183,8 @@ main(void)
        )
 fi
-if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then
+if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
+    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
        AC_MSG_CHECKING(if getaddrinfo seems to work)
        AC_TRY_RUN(
                [
@@ -1467,7 +1493,7 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
        [
                AC_MSG_WARN([cross compiling: assuming yes])
                # This is safe, since all recent OpenSSL versions will
-                # complain at runtime if not seeded correctly. 
+                # complain at runtime if not seeded correctly.
                OPENSSL_SEEDS_ITSELF=yes
        ]
 )
@@ -1489,10 +1515,10 @@ AC_ARG_WITH(rand-helper,
                        USE_RAND_HELPER=yes
                fi
        ],
-)       
+)
 # Which randomness source do we use?
-if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
+if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
        # OpenSSL only
        AC_DEFINE(OPENSSL_PRNG_ONLY)
        RAND_MSG="OpenSSL internal ONLY"
@@ -1582,10 +1608,11 @@ entropy_timeout=200
 AC_ARG_WITH(entropy-timeout,
        [  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        entropy_timeout=$withval
                fi
-        ]       
+        ]
 )
 AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
@@ -1593,10 +1620,11 @@ SSH_PRIVSEP_USER=sshd
 AC_ARG_WITH(privsep-user,
        [  --with-privsep-user=user Specify non-privileged user for privilege separation],
        [
-                if test -n "$withval"; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        SSH_PRIVSEP_USER=$withval
                fi
-        ]       
+        ]
 )
 AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER")
 AC_SUBST(SSH_PRIVSEP_USER)
@@ -2030,9 +2058,9 @@ fi
 AC_CHECK_TYPES(struct timespec)
 # We need int64_t or else certian parts of the compile will fail.
-if test "x$ac_cv_have_int64_t" = "xno" -a \
+if test "x$ac_cv_have_int64_t" = "xno" && \
-        "x$ac_cv_sizeof_long_int" != "x8" -a \
+        test "x$ac_cv_sizeof_long_int" != "x8" && \
-        "x$ac_cv_sizeof_long_long_int" = "x0" ; then
+        test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
        echo "OpenSSH requires int64_t support.  Contact your vendor or install"
        echo "an alternative compiler (I.E., GCC) before continuing."
        echo ""
@@ -2324,23 +2352,28 @@ AC_ARG_WITH(sectok,
 )
 # Check whether user wants OpenSC support
+OPENSC_CONFIG="no"
 AC_ARG_WITH(opensc,
-        AC_HELP_STRING([--with-opensc=PFX],
+        [--with-opensc[[=PFX]]       Enable smartcard support using OpenSC (optionally in PATH)],
-                       [Enable smartcard support using OpenSC]),
+        [
-        opensc_config_prefix="$withval", opensc_config_prefix="")
+            if test "x$withval" != "xno" ; then
-if test x$opensc_config_prefix != x ; then
+                if test "x$withval" != "xyes" ; then
-  OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
+                        OPENSC_CONFIG=$withval/bin/opensc-config
-  AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+                else
-  if test "$OPENSC_CONFIG" != "no"; then
+                        AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
-    LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+                fi
-    LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+                if test "$OPENSC_CONFIG" != "no"; then
-    CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+                        LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
-    LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+                        LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
-    AC_DEFINE(SMARTCARD)
+                        CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-    AC_DEFINE(USE_OPENSC)
+                        LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
-    SCARD_MSG="yes, using OpenSC"
+                        AC_DEFINE(SMARTCARD)
-  fi
+                        AC_DEFINE(USE_OPENSC)
-fi
+                        SCARD_MSG="yes, using OpenSC"
+                fi
+            fi
+        ]
+)
 # Check libraries needed by DNS fingerprint support
 AC_SEARCH_LIBS(getrrsetbyname, resolv,
@@ -2423,7 +2456,7 @@ AC_ARG_WITH(kerberos5,
                                         AC_DEFINE(HEIMDAL)
                                         K5LIBS="-lkrb5 -ldes"
                                         K5LIBS="$K5LIBS -lcom_err -lasn1"
-                                         AC_CHECK_LIB(roken, net_write, 
+                                         AC_CHECK_LIB(roken, net_write,
                                           [K5LIBS="$K5LIBS -lroken"])
                                       ],
                                       [ AC_MSG_RESULT(no)
@@ -2442,7 +2475,7 @@ AC_ARG_WITH(kerberos5,
                                        $K5LIBS)
                                ],
                                $K5LIBS)
-                        
                        AC_CHECK_HEADER(gssapi.h, ,
                                [ unset ac_cv_header_gssapi_h
                                  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
@@ -2482,7 +2515,8 @@ PRIVSEP_PATH=/var/empty
 AC_ARG_WITH(privsep-path,
        [  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
        [
-                if test "x$withval" != "$no" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        PRIVSEP_PATH=$withval
                fi
        ]
@@ -2492,7 +2526,8 @@ AC_SUBST(PRIVSEP_PATH)
 AC_ARG_WITH(xauth,
        [  --with-xauth=PATH       Specify path to xauth program ],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        xauth_path=$withval
                fi
        ],
@@ -2610,7 +2645,7 @@ AC_ARG_WITH(md5-passwords,
 AC_ARG_WITH(shadow,
        [  --without-shadow        Disable shadow password support],
        [
-                if test "x$withval" = "xno" ; then      
+                if test "x$withval" = "xno" ; then
                        AC_DEFINE(DISABLE_SHADOW)
                        disable_shadow=yes
                fi
@@ -2645,7 +2680,7 @@ else
        AC_ARG_WITH(ipaddr-display,
                [  --with-ipaddr-display   Use ip address instead of hostname in \$DISPLAY],
                [
-                        if test "x$withval" != "xno" ; then     
+                        if test "x$withval" != "xno" ; then
                                AC_DEFINE(IPADDR_IN_DISPLAY)
                                DISPLAY_HACK_MSG="yes"
                        fi
@@ -2677,8 +2712,8 @@ if test "x$etc_default_login" != "xno"; then
 fi
 dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
-if test $ac_cv_func_login_getcapbool = "yes" -a \
+if test $ac_cv_func_login_getcapbool = "yes" && \
-        $ac_cv_header_login_cap_h = "yes" ; then
+        test $ac_cv_header_login_cap_h = "yes" ; then
        external_path_file=/etc/login.conf
 fi
@@ -2691,7 +2726,7 @@ AC_ARG_WITH(default-path,
                        AC_MSG_WARN([
 --with-default-path=PATH has no effect on this system.
 Edit /etc/login.conf instead.])
-                elif test "x$withval" != "xno" ; then   
+                elif test "x$withval" != "xno" ; then
                        if test ! -z "$external_path_file" ; then
                                AC_MSG_WARN([
 --with-default-path=PATH will only be used if PATH is not defined in
@@ -2732,11 +2767,11 @@ main()
 {
        FILE *fd;
        int rc;
-        
        fd = fopen(DATA,"w");
        if(fd == NULL)
                exit(1);
-        
        if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
                exit(1);
@@ -2773,7 +2808,8 @@ fi
 AC_ARG_WITH(superuser-path,
        [  --with-superuser-path=  Specify different path for super-user],
        [
-                if test "x$withval" != "xno" ; then
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval")
                        superuser_path=$withval
                fi
@@ -2809,7 +2845,7 @@ BSD_AUTH_MSG=no
 AC_ARG_WITH(bsd-auth,
        [  --with-bsd-auth         Enable BSD auth support],
        [
-                if test "x$withval" != "xno" ; then     
+                if test "x$withval" != "xno" ; then
                        AC_DEFINE(BSD_AUTH)
                        BSD_AUTH_MSG=yes
                fi
@@ -2819,7 +2855,7 @@ AC_ARG_WITH(bsd-auth,
 # Where to place sshd.pid
 piddir=/var/run
 # make sure the directory exists
-if test ! -d $piddir ; then     
+if test ! -d $piddir ; then
        piddir=`eval echo ${sysconfdir}`
        case $piddir in
                NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
@@ -2829,9 +2865,10 @@ fi
 AC_ARG_WITH(pid-dir,
        [  --with-pid-dir=PATH     Specify location of ssh.pid file],
        [
-                if test "x$withval" != "xno" ; then     
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
                        piddir=$withval
-                        if test ! -d $piddir ; then     
+                        if test ! -d $piddir ; then
                        AC_MSG_WARN([** no $piddir directory on this system **])
                        fi
                fi
@@ -2909,9 +2946,9 @@ AC_ARG_ENABLE(pututxline,
 AC_ARG_WITH(lastlog,
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
        [
-                if test "x$withval" = "xno" ; then      
+                if test "x$withval" = "xno" ; then
                        AC_DEFINE(DISABLE_LASTLOG)
-                else
+                elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
                        conf_lastlog_location=$withval
                fi
        ]
@@ -2978,7 +3015,7 @@ fi
 if test -n "$conf_lastlog_location"; then
        AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location")
-fi      
+fi
 dnl utmp detection
 AC_MSG_CHECKING([if your system defines UTMP_FILE])
@@ -3008,7 +3045,7 @@ if test -z "$conf_utmp_location"; then
 fi
 if test -n "$conf_utmp_location"; then
        AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location")
-fi      
+fi
 dnl wtmp detection
 AC_MSG_CHECKING([if your system defines WTMP_FILE])
@@ -3038,7 +3075,7 @@ if test -z "$conf_wtmp_location"; then
 fi
 if test -n "$conf_wtmp_location"; then
        AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location")
-fi      
+fi
 dnl utmpx detection - I don't know any system so perverse as to require
@@ -3066,7 +3103,7 @@ if test -z "$conf_utmpx_location"; then
        fi
 else
        AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
-fi      
+fi
 dnl wtmpx detection
 AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@@ -3091,7 +3128,7 @@ if test -z "$conf_wtmpx_location"; then
        fi
 else
        AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
-fi      
+fi
 if test ! -z "$blibpath" ; then
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 4a5c32b0e..09b9c118c 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $
+# $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -219,7 +219,7 @@ else
        fi
        # Create user if required
-        if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if lsuser "$SSH_PRIVSEP_USER" >/dev/null
        then
                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
        else
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 67d8e6ff4..355663ed4 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,12 +17,12 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       4.0p1
+  %define version       4.1p1
  %define cvs           %{nil}
  %define release       1
 %else
-  %define version       3.9p1
+  %define version       4.1p1
-  %define cvs           cvs20011009
+  %define cvs           cvs20050315
  %define release       0r1
 %endif
 %define xsa             x11-ssh-askpass         
@@ -297,12 +297,7 @@ fi
 %PreUn server
 [ "$1" = 0 ] || exit 0
 ! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
-: # to protect the rpm database
-%PostUn server
 if [ -x %{LSBinit}-remove ]; then
  %{LSBinit}-remove sshd
 else
@@ -310,7 +305,6 @@ else
 fi
 : # to protect the rpm database
 %Files 
 %defattr(-,root,root)
 %dir %{_sysconfdir}
@@ -363,4 +357,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
-$Id: openssh.spec,v 1.52 2005/03/09 00:02:42 djm Exp $
+$Id: openssh.spec,v 1.54 2005/05/25 04:43:48 djm Exp $
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index c7164f610..fbfb5c195 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -449,12 +449,10 @@ then
          echo "Should this script create a new local account 'sshd_server' which has"
          if request "the required privileges?"
          then
-            _admingroup=`awk -F: '{if ( $1 != "root" && $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
+            _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
            if [ -z "${_admingroup}" ]
            then
-              echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
+              echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
-              echo "your ${SYSCONFDIR}/group file.  Please regenerate this entry using 'mkgroup -l'"
-              echo "and restart this script."
              exit 1
            fi
            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
@@ -585,6 +583,16 @@ then
        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
+    if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
+    then
+      echo
+      echo "Warning: It appears that you have user mode mounts (\"Just me\""
+      echo "chosen during install.)  Any daemons installed as services will"
+      echo "fail to function unless system mounts are used.  To change this,"
+      echo "re-run setup.exe and choose \"All users\"."
+      echo
+      echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
+    fi
  fi
 fi
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 8fbc4c02a..430c4d323 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 4.0p1
+%define ver 4.1p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 449613db6..a574d3f2f 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 4.0p1
+Version: 4.1p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
diff --git a/hostfile.c b/hostfile.c
index 2e1c8bcd0..bf2a31c9b 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.33 2005/03/01 10:40:26 djm Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.34 2005/03/10 22:01:05 deraadt Exp $");
 #include <resolv.h>
 #include <openssl/hmac.h>
@@ -92,7 +92,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
                    salt_len, ret);
                return (-1);
        }
-        
        return (0);
 }
@@ -123,7 +123,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
        HMAC_Final(&mac_ctx, result, NULL);
        HMAC_cleanup(&mac_ctx);
-        if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 || 
+        if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
            __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
                fatal("host_hash: __b64_ntop failed");
@@ -310,7 +310,7 @@ lookup_key_in_hostfile_by_type(const char *filename, const char *host,
 */
 int
-add_host_to_hostfile(const char *filename, const char *host, const Key *key, 
+add_host_to_hostfile(const char *filename, const char *host, const Key *key,
    int store_hash)
 {
        FILE *f;
diff --git a/log.c b/log.c
index bab88feea..c09786ade 100644
--- a/log.c
+++ b/log.c
@@ -197,6 +197,7 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
        struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
        argv0 = av0;
        switch (level) {
diff --git a/misc.c b/misc.c
index 2e366f81b..7adbcea1c 100644
--- a/misc.c
+++ b/misc.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.28 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: misc.c,v 1.29 2005/03/10 22:01:05 deraadt Exp $");
 #include "misc.h"
 #include "log.h"
@@ -303,13 +303,13 @@ hpdelim(char **cp)
        case '\0':
                *cp = NULL;     /* no more fields*/
                break;
-        
        case ':':
        case '/':
                *s = '\0';      /* terminate */
                *cp = s + 1;
                break;
-        
        default:
                return NULL;
        }
@@ -391,7 +391,7 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
                        debug("%s: %s line %lu exceeds size limit", __func__,
                            filename, *lineno);
                        /* discard remainder of line */
-                        while(fgetc(f) != '\n' && !feof(f))
+                        while (fgetc(f) != '\n' && !feof(f))
                                ;       /* nothing */
                }
        }
diff --git a/monitor.c b/monitor.c
index 301e150b3..9dca9c803 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
 #include <openssl/dh.h>
@@ -310,6 +310,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
        authctxt = _authctxt;
        memset(authctxt, 0, sizeof(*authctxt));
+        authctxt->loginmsg = &loginmsg;
        if (compat20) {
                mon_dispatch = mon_dispatch_proto20;
@@ -976,7 +978,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
        debug3("%s: key_from_blob: %p", __func__, key);
        if (key != NULL && authctxt->valid) {
-                switch(type) {
+                switch (type) {
                case MM_USERKEY:
                        allowed = options.pubkey_authentication &&
                            user_key_allowed(authctxt->pw, key);
@@ -1523,7 +1525,6 @@ mm_answer_audit_event(int socket, Buffer *m)
        debug3("%s entering", __func__);
        event = buffer_get_int(m);
-        buffer_free(m);
        switch(event) {
        case SSH_AUTH_FAIL_PUBKEY:
        case SSH_AUTH_FAIL_HOSTBASED:
@@ -1552,7 +1553,6 @@ mm_answer_audit_command(int socket, Buffer *m)
        /* sanity check command, if so how? */
        audit_run_command(cmd);
        xfree(cmd);
-        buffer_free(m);
        return (0);
 }
 #endif /* SSH_AUDIT_EVENTS */
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index f53abb6e2..ff394ec17 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-cygwin_util.c,v 1.13 2004/08/30 10:42:08 dtucker Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.13.4.1 2005/05/25 09:42:40 dtucker Exp $");
 #ifdef HAVE_CYGWIN
@@ -247,6 +247,7 @@ static struct wenv {
        { NL("COMMONPROGRAMFILES=") },
        { NL("COMPUTERNAME=") },
        { NL("COMSPEC=") },
+        { NL("CYGWIN=") },
        { NL("NUMBER_OF_PROCESSORS=") },
        { NL("OS=") },
        { NL("PATH=") },
@@ -260,7 +261,7 @@ static struct wenv {
        { NL("SYSTEMROOT=") },
        { NL("TMP=") },
        { NL("TEMP=") },
-        { NL("WINDIR=") },
+        { NL("WINDIR=") }
 };
 char **
@@ -269,7 +270,7 @@ fetch_windows_environment(void)
        char **e, **p;
        int i, idx = 0;
-        p = xmalloc(WENV_SIZ * sizeof(char *));
+        p = xmalloc((WENV_SIZ + 1) * sizeof(char *));
        for (e = environ; *e != NULL; ++e) {
                for (i = 0; i < WENV_SIZ; ++i) {
                        if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index fa6a4ff7b..cf5d4b9a3 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -151,7 +151,7 @@ aix_valid_authentications(const char *user)
 * returns 0.
 */
 int
-sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
        char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
        int authsuccess = 0, expired, reenter, result;
@@ -181,7 +181,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
                 */
                expired = passwdexpired(name, &msg);
                if (msg && *msg) {
-                        buffer_append(loginmsg, msg, strlen(msg));
+                        buffer_append(ctxt->loginmsg, msg, strlen(msg));
                        aix_remove_embedded_newlines(msg);
                }
                debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index a05ce9703..9e3dce4dd 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.24 2005/02/16 11:49:31 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.25 2005/03/21 11:46:34 dtucker Exp $ */
 /*
 *
@@ -47,7 +47,9 @@
 /* These should be in the system headers but are not. */
 int usrinfo(int, char *, int);
+#if (HAVE_DECL_SETAUTHDB == 0)
 int setauthdb(const char *, char *);
+#endif
 /* these may or may not be in the headers depending on the version */
 #if (HAVE_DECL_AUTHENTICATE == 0)
 int authenticate(char *, char *, int *, char **);
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 4ee1be5de..eb060bdbf 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -137,8 +137,11 @@ restart:
                (void)write(output, "\n", 1);
        /* Restore old terminal settings and signals. */
-        if (memcmp(&term, &oterm, sizeof(term)) != 0)
+        if (memcmp(&term, &oterm, sizeof(term)) != 0) {
-                (void)tcsetattr(input, _T_FLUSH, &oterm);
+                while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
+                    errno == EINTR)
+                        continue;
+        }
        (void)sigaction(SIGALRM, &savealrm, NULL);
        (void)sigaction(SIGHUP, &savehup, NULL);
        (void)sigaction(SIGINT, &saveint, NULL);
diff --git a/readconf.c b/readconf.c
index 963b706aa..6c0511519 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.137 2005/03/04 08:48:06 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
@@ -256,12 +256,14 @@ clear_forwardings(Options *options)
        int i;
        for (i = 0; i < options->num_local_forwards; i++) {
-                xfree(options->local_forwards[i].listen_host);
+                if (options->local_forwards[i].listen_host != NULL)
+                        xfree(options->local_forwards[i].listen_host);
                xfree(options->local_forwards[i].connect_host);
        }
        options->num_local_forwards = 0;
        for (i = 0; i < options->num_remote_forwards; i++) {
-                xfree(options->remote_forwards[i].listen_host);
+                if (options->remote_forwards[i].listen_host != NULL)
+                        xfree(options->remote_forwards[i].listen_host);
                xfree(options->remote_forwards[i].connect_host);
        }
        options->num_remote_forwards = 0;
@@ -302,7 +304,7 @@ process_config_line(Options *options, const char *host,
        Forward fwd;
        /* Strip trailing whitespace */
-        for(len = strlen(line) - 1; len > 0; len--) {
+        for (len = strlen(line) - 1; len > 0; len--) {
                if (strchr(WHITESPACE, line[len]) == NULL)
                        break;
                line[len] = '\0';
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index e8cc1ac53..a172e5790 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,7 +1,7 @@
 #       $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $
 #       Placed in the Public Domain.
-CTL=$OBJ/ctl-sock
+CTL=/tmp/openssh.regress.ctl-sock.$$
 tid="connection multiplexing"
@@ -89,6 +89,4 @@ ${SSH} -S $CTL -Oexit otherhost || fail "send exit command failed"
 # Wait for master to exit
 sleep 2
-ps -p $MASTER_PID >/dev/null && fail "exit command failed" 
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" 
-cleanup
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4e53449be..bd0c025ba 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -197,7 +197,7 @@ cat << EOF > $OBJ/sshd_config
        #ListenAddress          ::1
        PidFile                 $PIDFILE
        AuthorizedKeysFile      $OBJ/authorized_keys_%u
-        LogLevel                DEBUG
+        LogLevel                VERBOSE
        AcceptEnv               _XXX_TEST_*
        AcceptEnv               _XXX_TEST
        Subsystem       sftp    $SFTPSERVER
diff --git a/scp.0 b/scp.0
index f9368e71b..24b9fb096 100644
--- a/scp.0
+++ b/scp.0
@@ -141,4 +141,4 @@ AUTHORS
     Timo Rinne <tri@iki.fi>
     Tatu Ylonen <ylo@cs.hut.fi>
-OpenBSD 3.6                   September 25, 1999                             3
+OpenBSD 3.7                   September 25, 1999                             3
diff --git a/scp.c b/scp.c
index f69fd05fc..1d34cc639 100644
--- a/scp.c
+++ b/scp.c
@@ -71,7 +71,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.119 2005/01/24 10:22:06 dtucker Exp $");
+RCSID("$OpenBSD: scp.c,v 1.121 2005/04/02 12:41:16 djm Exp $");
 #include "xmalloc.h"
 #include "atomicio.h"
@@ -361,20 +361,21 @@ void
 toremote(char *targ, int argc, char **argv)
 {
        int i, len;
-        char *bp, *host, *src, *suser, *thost, *tuser;
+        char *bp, *host, *src, *suser, *thost, *tuser, *arg;
        *targ++ = 0;
        if (*targ == 0)
                targ = ".";
-        if ((thost = strrchr(argv[argc - 1], '@'))) {
+        arg = xstrdup(argv[argc - 1]);
+        if ((thost = strrchr(arg, '@'))) {
                /* user@host */
                *thost++ = 0;
-                tuser = argv[argc - 1];
+                tuser = arg;
                if (*tuser == '\0')
                        tuser = NULL;
        } else {
-                thost = argv[argc - 1];
+                thost = arg;
                tuser = NULL;
        }
diff --git a/servconf.c b/servconf.c
index 2d1a0c362..96ad18084 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.139 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
 #include "ssh.h"
 #include "log.h"
@@ -1001,7 +1001,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
        obuf = cbuf = xstrdup(buffer_ptr(conf));
        linenum = 1;
-        while((cp = strsep(&cbuf, "\n")) != NULL) {
+        while ((cp = strsep(&cbuf, "\n")) != NULL) {
                if (process_server_config_line(options, cp, filename,
                    linenum++) != 0)
                        bad_options++;
diff --git a/session.c b/session.c
index b32c9e2ca..8ac476c69 100644
--- a/session.c
+++ b/session.c
@@ -1477,7 +1477,8 @@ do_child(Session *s, const char *command)
        }
 #ifdef USE_PAM
-        if (options.use_pam && !is_pam_session_open()) {
+        if (options.use_pam && !options.use_login && !is_pam_session_open()) {
+                debug3("PAM session not opened, exiting");
                display_loginmsg();
                exit(254);
        }
diff --git a/sftp-client.c b/sftp-client.c
index d894a11f2..92df42751 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -20,7 +20,7 @@
 /* XXX: copy between two remote sites */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.52 2004/11/25 22:22:14 markus Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.53 2005/03/10 22:01:05 deraadt Exp $");
 #include "openbsd-compat/sys-queue.h"
@@ -856,7 +856,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
                debug3("Received reply T:%u I:%u R:%d", type, id, max_req);
                /* Find the request in our queue */
-                for(req = TAILQ_FIRST(&requests);
+                for (req = TAILQ_FIRST(&requests);
                    req != NULL && req->id != id;
                    req = TAILQ_NEXT(req, tq))
                        ;
@@ -1109,7 +1109,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
                        debug3("SSH2_FXP_STATUS %d", status);
                        /* Find the request in our queue */
-                        for(ack = TAILQ_FIRST(&acks);
+                        for (ack = TAILQ_FIRST(&acks);
                            ack != NULL && ack->id != r_id;
                            ack = TAILQ_NEXT(ack, tq))
                                ;
diff --git a/sftp-server.0 b/sftp-server.0
index 995e48ecd..b1c89c702 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -24,4 +24,4 @@ AUTHORS
 HISTORY
     sftp-server first appeared in OpenBSD 2.8 .
-OpenBSD 3.6                     August 30, 2000                              1
+OpenBSD 3.7                     August 30, 2000                              1
diff --git a/sftp.0 b/sftp.0
index 5b1a2fc69..604b62d5a 100644
--- a/sftp.0
+++ b/sftp.0
@@ -262,4 +262,4 @@ SEE ALSO
     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 3.6                    February 4, 2001                              4
+OpenBSD 3.7                    February 4, 2001                              4
diff --git a/sftp.c b/sftp.c
index f8553ed82..16a6cf0c6 100644
--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
 #include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.62 2005/02/20 22:59:06 djm Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
 #ifdef USE_LIBEDIT
 #include <histedit.h>
@@ -357,7 +357,7 @@ parse_ls_flags(const char **cpp, int *lflag)
        /* Check for flags */
        if (cp++[0] == '-') {
-                for(; strchr(WHITESPACE, *cp) == NULL; cp++) {
+                for (; strchr(WHITESPACE, *cp) == NULL; cp++) {
                        switch (*cp) {
                        case 'l':
                                *lflag &= ~VIEW_FLAGS;
diff --git a/ssh-add.0 b/ssh-add.0
index 28a2ad222..fba38887c 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -99,4 +99,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.6                   September 25, 1999                             2
+OpenBSD 3.7                   September 25, 1999                             2
diff --git a/ssh-add.c b/ssh-add.c
index 06a52464e..a796647a7 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.70 2004/05/08 00:21:31 djm Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $");
 #include <openssl/evp.h>
@@ -389,7 +389,7 @@ main(int argc, char **argv)
                        goto done;
                }
-                for(i = 0; default_files[i]; i++) {
+                for (i = 0; default_files[i]; i++) {
                        snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
                            default_files[i]);
                        if (stat(buf, &st) < 0)
@@ -402,7 +402,7 @@ main(int argc, char **argv)
                if (count == 0)
                        ret = 1;
        } else {
-                for(i = 0; i < argc; i++) {
+                for (i = 0; i < argc; i++) {
                        if (do_file(ac, deleting, argv[i]) == -1)
                                ret = 1;
                }
diff --git a/ssh-agent.0 b/ssh-agent.0
index c2d7efa57..34da0a941 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -115,4 +115,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.6                   September 25, 1999                             2
+OpenBSD 3.7                   September 25, 1999                             2
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 998b6f1e0..dd251e4bc 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -110,13 +110,14 @@ DESCRIPTION
     -g      Use generic DNS format when printing fingerprint resource records
             using the -r command.
-     -H      Hash a known_hosts file, printing the result to standard output.
+     -H      Hash a known_hosts file.  This replaces all hostnames and ad-
-             This replaces all hostnames and addresses with hashed representa-
+             dresses with hashed representations within the specified file;
-             tions.  These hashes may be used normally by ssh and sshd, but
+             the original content is moved to a file with a .old suffix.
-             they do not reveal identifying information should the file's con-
+             These hashes may be used normally by ssh and sshd, but they do
-             tents be disclosed.  This option will not modify existing hashed
+             not reveal identifying information should the file's contents be
-             hostnames and is therefore safe to use on files that mix hashed
+             disclosed.  This option will not modify existing hashed hostnames
-             and non-hashed names.
+             and is therefore safe to use on files that mix hashed and non-
+             hashed names.
     -i      This option will read an unencrypted private (or public) key file
             in SSH2-compatible format and print an OpenSSH compatible private
@@ -281,4 +282,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.6                   September 25, 1999                             5
+OpenBSD 3.7                   September 25, 1999                             5
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 3987b1e66..c14eed14e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.66 2005/03/01 18:15:56 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.67 2005/03/14 10:09:03 dtucker Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -232,8 +232,10 @@ command.
 .It Fl H
 Hash a
 .Pa known_hosts
-file, printing the result to standard output.
+file.
-This replaces all hostnames and addresses with hashed representations.
+This replaces all hostnames and addresses with hashed representations
+within the specified file; the original content is moved to a file with
+a .old suffix.
 These hashes may be used normally by
 .Nm ssh
 and
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a9931d4d8..92885506a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.120 2005/03/02 01:27:41 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.122 2005/03/11 14:59:06 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -684,7 +684,7 @@ do_known_hosts(struct passwd *pw, const char *name)
                                if (delete_host && !c)
                                        print_host(out, cp, public, 0);
                        } else if (hash_hosts) {
-                                for(cp2 = strsep(&cp, ",");
+                                for (cp2 = strsep(&cp, ",");
                                    cp2 != NULL && *cp2 != '\0';
                                    cp2 = strsep(&cp, ",")) {
                                        if (strcspn(cp2, "*?!") != strlen(cp2))
@@ -707,7 +707,7 @@ do_known_hosts(struct passwd *pw, const char *name)
                    identity_file);
                if (inplace) {
                        fprintf(stderr, "Not replacing existing known_hosts "
-                            "file beacuse of errors");
+                            "file because of errors\n");
                        fclose(out);
                        unlink(tmp);
                }
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 4bbfd1483..eb55a017c 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -104,4 +104,4 @@ BUGS
     This is because it opens a connection to the ssh port, reads the public
     key, and drops the connection as soon as it gets the key.
-OpenBSD 3.6                     January 1, 1996                              2
+OpenBSD 3.7                     January 1, 1996                              2
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index e10b8ac45..e35b1c7f7 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -39,4 +39,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>
-OpenBSD 3.6                      May 24, 2002                                1
+OpenBSD 3.7                      May 24, 2002                                1
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 9af5fdd8f..d33bbbd51 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -46,4 +46,4 @@ AUTHORS
 SEE ALSO
     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
-OpenBSD 3.6                     April 14, 2002                               1
+OpenBSD 3.7                     April 14, 2002                               1
diff --git a/ssh.0 b/ssh.0
index 7ef493013..2397456b2 100644
--- a/ssh.0
+++ b/ssh.0
@@ -725,4 +725,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.6                   September 25, 1999                            11
+OpenBSD 3.7                   September 25, 1999                            11
diff --git a/ssh.c b/ssh.c
index 1b03543c3..d85e56fd7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.233 2005/03/01 17:22:06 jmc Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -861,8 +861,8 @@ ssh_init_forwarding(void)
        for (i = 0; i < options.num_local_forwards; i++) {
                debug("Local connections to %.200s:%d forwarded to remote "
                    "address %.200s:%d",
-                    (options.local_forwards[i].listen_host == NULL) ? 
+                    (options.local_forwards[i].listen_host == NULL) ?
-                    (options.gateway_ports ? "*" : "LOCALHOST") : 
+                    (options.gateway_ports ? "*" : "LOCALHOST") :
                    options.local_forwards[i].listen_host,
                    options.local_forwards[i].listen_port,
                    options.local_forwards[i].connect_host,
@@ -881,6 +881,8 @@ ssh_init_forwarding(void)
        for (i = 0; i < options.num_remote_forwards; i++) {
                debug("Remote connections from %.200s:%d forwarded to "
                    "local address %.200s:%d",
+                    (options.remote_forwards[i].listen_host == NULL) ? 
+                    (options.gateway_ports ? "*" : "LOCALHOST") : 
                    options.remote_forwards[i].listen_host,
                    options.remote_forwards[i].listen_port,
                    options.remote_forwards[i].connect_host,
@@ -1098,7 +1100,7 @@ ssh_control_listener(void)
        old_umask = umask(0177);
        if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
                control_fd = -1;
-                if (errno == EINVAL)
+                if (errno == EINVAL || errno == EADDRINUSE)
                        fatal("ControlSocket %s already exists",
                            options.control_path);
                else
@@ -1348,7 +1350,7 @@ control_client(const char *path)
        switch (mux_command) {
        case SSHMUX_COMMAND_ALIVE_CHECK:
-                fprintf(stderr, "Master running (pid=%d)\r\n", 
+                fprintf(stderr, "Master running (pid=%d)\r\n",
                    control_server_pid);
                exit(0);
        case SSHMUX_COMMAND_TERMINATE:
diff --git a/ssh_config.0 b/ssh_config.0
index 9577abc48..92be76b6d 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -286,18 +286,19 @@ DESCRIPTION
     LocalForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel to the specified host and port from the
-             remote machine.  The first argument must be a port number, and
+             remote machine.  The first argument must be [bind_address:]port
-             the second must be [bind_address:]host:port.  IPv6 addresses can
+             and the second argument must be host:hostport.  IPv6 addresses
-             be specified by enclosing addresses in square brackets or by us-
+             can be specified by enclosing addresses in square brackets or by
-             ing an alternative syntax: [bind_address/]host/port.  Multiple
+             using an alternative syntax: [bind_address/]port and
-             forwardings may be specified, and additional forwardings can be
+             host/hostport.  Multiple forwardings may be specified, and addi-
-             given on the command line.  Only the superuser can forward privi-
+             tional forwardings can be given on the command line.  Only the
-             leged ports.  By default, the local port is bound in accordance
+             superuser can forward privileged ports.  By default, the local
-             with the GatewayPorts setting.  However, an explicit bind_address
+             port is bound in accordance with the GatewayPorts setting.  How-
-             may be used to bind the connection to a specific address.  The
+             ever, an explicit bind_address may be used to bind the connection
-             bind_address of ``localhost'' indicates that the listening port
+             to a specific address.  The bind_address of ``localhost'' indi-
-             be bound for local use only, while an empty address or `*' indi-
+             cates that the listening port be bound for local use only, while
-             cates that the port should be available from all interfaces.
+             an empty address or `*' indicates that the port should be avail-
+             able from all interfaces.
     LogLevel
             Gives the verbosity level that is used when logging messages from
@@ -336,7 +337,7 @@ DESCRIPTION
     PreferredAuthentications
             Specifies the order in which the client should try protocol 2 au-
             thentication methods.  This allows a client to prefer one method
-             (e.g.  keyboard-interactive) over another method (e.g.  password)
+             (e.g. keyboard-interactive) over another method (e.g. password)
             The default for this option is: ``hostbased,publickey,keyboard-
             interactive,password''.
@@ -369,13 +370,13 @@ DESCRIPTION
     RemoteForward
             Specifies that a TCP/IP port on the remote machine be forwarded
             over the secure channel to the specified host and port from the
-             local machine.  The first argument must be a port number, and the
+             local machine.  The first argument must be [bind_address:]port
-             second must be [bind_address:]host:port.  IPv6 addresses can be
+             and the second argument must be host:hostport.  IPv6 addresses
-             specified by enclosing any addresses in square brackets or by us-
+             can be specified by enclosing addresses in square brackets or by
-             ing the alternative syntax: [bind_address/]host/port.  Multiple
+             using an alternative syntax: [bind_address/]port and
-             forwardings may be specified, and additional forwardings can be
+             host/hostport.  Multiple forwardings may be specified, and addi-
-             given on the command line.  Only the superuser can forward privi-
+             tional forwardings can be given on the command line.  Only the
-             leged ports.
+             superuser can forward privileged ports.
             If the bind_address is not specified, the default is to only bind
             to loopback addresses.  If the bind_address is `*' or an empty
@@ -524,4 +525,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 3.6                   September 25, 1999                             8
+OpenBSD 3.7                   September 25, 1999                             8
diff --git a/ssh_config.5 b/ssh_config.5
index cf3dfd138..9c277a66f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -503,21 +503,17 @@ The default is to use the server specified list.
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
-The first argument must be a port number, and the second must be
+The first argument must be
-.Xo
 .Sm off
-.Oo Ar bind_address : Oc
+.Oo Ar bind_address : Oc Ar port
-.Ar host : port
 .Sm on
-.Xc .
+and the second argument must be
+.Ar host : Ns Ar hostport .
 IPv6 addresses can be specified by enclosing addresses in square brackets or
 by using an alternative syntax:
-.Sm off
+.Oo Ar bind_address Ns / Oc Ns Ar port
-.Xo
+and
-.Op Ar bind_address No /
+.Ar host Ns / Ns Ar hostport .
-.Ar host No / Ar port
-.Xc .
-.Sm on
 Multiple forwardings may be specified, and additional forwardings can be
 given on the command line.
 Only the superuser can forward privileged ports.
@@ -579,9 +575,9 @@ Default is 22.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
 authentication methods.
-This allows a client to prefer one method (e.g.
+This allows a client to prefer one method (e.g.\&
 .Cm keyboard-interactive )
-over another method (e.g.
+over another method (e.g.\&
 .Cm password )
 The default for this option is:
 .Dq hostbased,publickey,keyboard-interactive,password .
@@ -640,21 +636,17 @@ This option applies to protocol version 2 only.
 .It Cm RemoteForward
 Specifies that a TCP/IP port on the remote machine be forwarded over
 the secure channel to the specified host and port from the local machine.
-The first argument must be a port number, and the second must be
+The first argument must be
-.Xo
 .Sm off
-.Oo Ar bind_address : Oc
+.Oo Ar bind_address : Oc Ar port
-.Ar host : port
-.Sm on
-.Xc .
-IPv6 addresses can be specified by enclosing any addresses in square brackets
-or by using the alternative syntax:
-.Sm off
-.Xo
-.Op Ar bind_address No /
-.Ar host No / Ar port
-.Xc .
 .Sm on
+and the second argument must be
+.Ar host : Ns Ar hostport .
+IPv6 addresses can be specified by enclosing addresses in square brackets
+or by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port
+and
+.Ar host Ns / Ns Ar hostport .
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
diff --git a/sshconnect.c b/sshconnect.c
index 180da43cd..10a614127 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.161 2005/03/02 01:00:06 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.162 2005/03/10 22:01:06 deraadt Exp $");
 #include <openssl/bn.h>
@@ -254,13 +254,13 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
        tv.tv_sec = timeout;
        tv.tv_usec = 0;
-        for(;;) {
+        for (;;) {
                rc = select(sockfd + 1, NULL, fdset, NULL, &tv);
                if (rc != -1 || errno != EINTR)
                        break;
        }
-        switch(rc) {
+        switch (rc) {
        case 0:
                /* Timed out */
                errno = ETIMEDOUT;
diff --git a/sshd.0 b/sshd.0
index fe4d29e54..e509a9dfa 100644
--- a/sshd.0
+++ b/sshd.0
@@ -573,4 +573,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 3.6                   September 25, 1999                             9
+OpenBSD 3.7                   September 25, 1999                             9
diff --git a/sshd.c b/sshd.c
index 416270e37..8f782d48c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1678,6 +1678,8 @@ main(int ac, char **av)
        authctxt = xmalloc(sizeof(*authctxt));
        memset(authctxt, 0, sizeof(*authctxt));
+        authctxt->loginmsg = &loginmsg;
        /* XXX global for cleanup, access from other modules */
        the_authctxt = authctxt;
diff --git a/sshd_config.0 b/sshd_config.0
index 1f8763faf..036c85946 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -383,7 +383,7 @@ DESCRIPTION
             To disable TCP keepalive messages, the value should be set to
             ``no''.
-     UseDNS  Specifies whether sshd should lookup the remote host name and
+     UseDNS  Specifies whether sshd should look up the remote host name and
             check that the resolved host name for the remote IP address maps
             back to the very same IP address.  The default is ``yes''.
@@ -498,4 +498,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 3.6                   September 25, 1999                             8
+OpenBSD 3.7                   September 25, 1999                             8
diff --git a/sshd_config.5 b/sshd_config.5
index 8d291e61d..ea79a54bf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.39 2005/03/01 10:09:52 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -630,7 +630,7 @@ To disable TCP keepalive messages, the value should be set to
 .It Cm UseDNS
 Specifies whether
 .Nm sshd
-should lookup the remote host name and check that
+should look up the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
 The default is
diff --git a/version.h b/version.h
index 4da5f8083..2ab1d442a 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.43 2005/03/08 23:49:48 djm Exp $ */
+/* $OpenBSD: version.h,v 1.44 2005/03/16 21:17:39 markus Exp $ */
-#define SSH_VERSION     "OpenSSH_4.0"
+#define SSH_VERSION     "OpenSSH_4.1"
 #define SSH_PORTABLE    "p1"
 #ifndef SSH_EXTRAVERSION
author	Colin Watson <cjwatson@debian.org>	2005-05-30 22:13:03 +0000
committer	Colin Watson <cjwatson@debian.org>	2005-05-30 22:13:03 +0000
commit	4e1e258d1f5745f3dc05ead3cb834c445e6e8818 (patch)
tree	bfbc91107d6bfe7b2a68d8701562e59856116a6a
parent	4a20a0b23bd0e1db5e69f27c65aaa11a5a2eacd0 (diff)
parent	a55bd782aa819b7f5ae716de000f19f4f531850e (diff)