- Merged OpenBSD updates to include paths.

26 files changed, 131 insertions, 97 deletions

diff --git a/ChangeLog b/ChangeLog
index 7a591ba90..643a97f00 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 20000413
  - INSTALL doc updates
+ - Merged OpenBSD updates to include paths.
 
 20000412
  - OpenBSD CVS updates:
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 19782577b..d3d90246c 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -15,7 +15,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rh-rsa.c,v 1.8 2000/03/26 03:04:52 damien Exp $");
+RCSID("$Id: auth-rh-rsa.c,v 1.9 2000/04/13 02:26:35 damien Exp $");
 
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
diff --git a/auth-rsa.c b/auth-rsa.c
index 22ac09c45..fff524949 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.14 2000/03/26 03:04:52 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.15 2000/04/13 02:26:35 damien Exp $");
 
 #include "rsa.h"
 #include "packet.h"
diff --git a/authfd.c b/authfd.c
index cb7bbd5e7..80af9529a 100644
--- a/authfd.c
+++ b/authfd.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: authfd.c,v 1.10 1999/12/16 02:18:04 damien Exp $");
+RCSID("$Id: authfd.c,v 1.11 2000/04/13 02:26:35 damien Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
diff --git a/authfile.c b/authfile.c
index 6ce0ac61f..6113ddd87 100644
--- a/authfile.c
+++ b/authfile.c
@@ -15,7 +15,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: authfile.c,v 1.8 2000/04/06 02:32:38 damien Exp $");
+RCSID("$Id: authfile.c,v 1.9 2000/04/13 02:26:36 damien Exp $");
 
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
diff --git a/bufaux.c b/bufaux.c
index 4ab45a2f8..7ebc2aa62 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -17,7 +17,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: bufaux.c,v 1.9 2000/04/01 01:09:23 damien Exp $");
+RCSID("$Id: bufaux.c,v 1.10 2000/04/13 02:26:36 damien Exp $");
 
 #include "ssh.h"
 
diff --git a/buffer.c b/buffer.c
index b4c166d0e..48ae96a42 100644
--- a/buffer.c
+++ b/buffer.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: buffer.c,v 1.3 1999/11/25 00:54:58 damien Exp $");
+RCSID("$Id: buffer.c,v 1.4 2000/04/13 02:26:36 damien Exp $");
 
 #include "xmalloc.h"
 #include "buffer.h"
@@ -114,7 +114,7 @@ void
 buffer_get(Buffer *buffer, char *buf, unsigned int len)
 {
         if (len > buffer->end - buffer->offset)
-                fatal("buffer_get trying to get more bytes than in buffer");
+                fatal("buffer_get: trying to get more bytes than in buffer");
         memcpy(buf, buffer->buf + buffer->offset, len);
         buffer->offset += len;
 }
@@ -125,7 +125,7 @@ void
 buffer_consume(Buffer *buffer, unsigned int bytes)
 {
         if (bytes > buffer->end - buffer->offset)
-                fatal("buffer_get trying to get more bytes than in buffer");
+                fatal("buffer_consume: trying to get more bytes than in buffer");
         buffer->offset += bytes;
 }
 
@@ -135,7 +135,7 @@ void
 buffer_consume_end(Buffer *buffer, unsigned int bytes)
 {
         if (bytes > buffer->end - buffer->offset)
-                fatal("buffer_get trying to get more bytes than in buffer");
+                fatal("buffer_consume_end: trying to get more bytes than in buffer");
         buffer->end -= bytes;
 }
 
diff --git a/cipher.c b/cipher.c
index 27debf90f..1bd8f7c86 100644
--- a/cipher.c
+++ b/cipher.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: cipher.c,v 1.17 2000/04/12 10:17:39 damien Exp $");
+RCSID("$Id: cipher.c,v 1.18 2000/04/13 02:26:36 damien Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
diff --git a/cipher.h b/cipher.h
index ee0e312fb..1112bffd9 100644
--- a/cipher.h
+++ b/cipher.h
@@ -11,7 +11,7 @@
  * 
  */
 
-/* RCSID("$Id: cipher.h,v 1.9 2000/04/12 10:17:39 damien Exp $"); */
+/* RCSID("$Id: cipher.h,v 1.10 2000/04/13 02:26:36 damien Exp $"); */
 
 #ifndef CIPHER_H
 #define CIPHER_H
diff --git a/dsa.c b/dsa.c
index a35d85bf5..935435677 100644
--- a/dsa.c
+++ b/dsa.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: dsa.c,v 1.2 2000/04/12 06:37:02 markus Exp $");
+RCSID("$Id: dsa.c,v 1.3 2000/04/12 09:39:10 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
diff --git a/hmac.c b/hmac.c
index 45037ef87..eea1a2600 100644
--- a/hmac.c
+++ b/hmac.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: hmac.c,v 1.1 2000/04/03 20:06:15 markus Exp $");
+RCSID("$Id: hmac.c,v 1.2 2000/04/12 09:39:10 markus Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
diff --git a/hostfile.c b/hostfile.c
index a6684fa2c..c594c29aa 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.14 2000/03/23 22:15:33 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.15 2000/04/12 09:39:10 markus Exp $");
 
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
diff --git a/kex.c b/kex.c
index 9ec75ee0e..c747b6c4a 100644
--- a/kex.c
+++ b/kex.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: kex.c,v 1.3 2000/04/12 10:17:39 damien Exp $");
+RCSID("$Id: kex.c,v 1.4 2000/04/13 02:26:36 damien Exp $");
 
 #include "ssh.h"
 #include "ssh2.h"
diff --git a/mpaux.c b/mpaux.c
index c105ce076..8ce89dcc4 100644
--- a/mpaux.c
+++ b/mpaux.c
@@ -15,7 +15,7 @@
 */
 
 #include "includes.h"
-RCSID("$Id: mpaux.c,v 1.9 2000/04/01 01:09:24 damien Exp $");
+RCSID("$Id: mpaux.c,v 1.10 2000/04/13 02:26:36 damien Exp $");
 
 #include "getput.h"
 #include "xmalloc.h"
diff --git a/packet.c b/packet.c
index b11519e74..b0dfe4aa7 100644
--- a/packet.c
+++ b/packet.c
@@ -17,7 +17,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: packet.c,v 1.16 2000/04/06 02:32:40 damien Exp $");
+RCSID("$Id: packet.c,v 1.17 2000/04/13 02:26:37 damien Exp $");
 
 #ifdef HAVE_OPENSSL
 # include <openssl/bn.h>
diff --git a/packet.h b/packet.h
index 61c12be94..565a9bd36 100644
--- a/packet.h
+++ b/packet.h
@@ -13,7 +13,7 @@
  * 
  */
 
-/* RCSID("$Id: packet.h,v 1.12 2000/04/06 02:32:40 damien Exp $"); */
+/* RCSID("$Id: packet.h,v 1.13 2000/04/13 02:26:37 damien Exp $"); */
 
 #ifndef PACKET_H
 #define PACKET_H
diff --git a/rsa.h b/rsa.h
index 57c00a146..bc6c7f10a 100644
--- a/rsa.h
+++ b/rsa.h
@@ -13,7 +13,7 @@
  * 
 */
 
-/* RCSID("$Id: rsa.h,v 1.6 2000/01/29 09:40:22 damien Exp $"); */
+/* RCSID("$Id: rsa.h,v 1.7 2000/04/13 02:26:37 damien Exp $"); */
 
 #ifndef RSA_H
 #define RSA_H
diff --git a/scp.1 b/scp.1
index 5604cb80b..c90943a06 100644
--- a/scp.1
+++ b/scp.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $Id: scp.1,v 1.6 2000/03/26 03:04:53 damien Exp $
+.\" $Id: scp.1,v 1.7 2000/04/13 02:26:37 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SCP 1
@@ -36,7 +36,7 @@
 .Ar host2 No :
 .Oc Ar file2
 .Sm on
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
 copies files between hosts on a network.
 It uses
@@ -74,7 +74,7 @@ Recursively copy entire directories.
 Verbose mode.
 Causes
 .Nm
-and 
+and
 .Xr ssh 1
 to print debugging messages about their progress.
 This is helpful in
diff --git a/ssh-add.1 b/ssh-add.1
index 6c35996b6..d37726e69 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 23:55:14 1995 ylo
 .\"
-.\" $Id: ssh-add.1,v 1.10 2000/03/26 03:04:53 damien Exp $
+.\" $Id: ssh-add.1,v 1.11 2000/04/13 02:26:37 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH-ADD 1
@@ -21,7 +21,7 @@
 .Nm ssh-add
 .Op Fl lLdD
 .Op Ar
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
 adds identities to the authentication agent,
 .Xr ssh-agent 1 .
@@ -30,7 +30,7 @@ When run without arguments, it adds the file
 Alternative file names can be given on the command line.
 If any file requires a passphrase,
 .Nm
-asks for the passphrase from the user. 
+asks for the passphrase from the user.
 The Passphrase it is read from the user's tty.
 .Pp
 The authentication agent must be running and must be an ancestor of
@@ -108,7 +108,7 @@ external libraries.
 .It
 has been updated to support ssh protocol 1.5.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
diff --git a/ssh-agent.1 b/ssh-agent.1
index 7029b60dc..b49d62b5a 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.10 2000/03/23 21:10:10 aaron Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.11 2000/04/12 21:47:50 aaron Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -18,14 +18,14 @@
 .Nm ssh-agent
 .Nd authentication agent
 .Sh SYNOPSIS
-.Nm ssh-agent 
+.Nm ssh-agent
 .Op Fl c Li | Fl s
 .Op Fl k
 .Oo
 .Ar command
 .Op Ar args ...
 .Oc
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
 is a program to hold authentication private keys.
 The idea is that
@@ -64,12 +64,12 @@ When the command dies, so does the agent.
 The agent initially does not have any private keys.
 Keys are added using
 .Xr ssh-add 1 .
-When executed without arguments, 
+When executed without arguments,
 .Xr ssh-add 1
-adds the 
+adds the
 .Pa $HOME/.ssh/identity
 file.
-If the identity has a passphrase, 
+If the identity has a passphrase,
 .Xr ssh-add 1
 asks for the passphrase (using a small X11 application if running
 under X11, or from the terminal if running without X).
@@ -152,7 +152,7 @@ external libraries.
 .It
 has been updated to support ssh protocol 1.5.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
diff --git a/ssh-agent.c b/ssh-agent.c
index 459fa39f3..ecb44a229 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh-agent.c,v 1.26 2000/03/16 20:56:14 markus Exp $   */
+/*      $OpenBSD: ssh-agent.c,v 1.27 2000/04/12 09:39:10 markus Exp $   */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,7 +9,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.26 2000/03/16 20:56:14 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.27 2000/04/12 09:39:10 markus Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 8474e8f9d..c8d18b03e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 23:55:14 1995 ylo
 .\"
-.\" $Id: ssh-keygen.1,v 1.10 2000/03/26 03:04:53 damien Exp $
+.\" $Id: ssh-keygen.1,v 1.11 2000/04/13 02:26:37 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH-KEYGEN 1
@@ -37,9 +37,9 @@
 .Nm ssh-keygen
 .Fl l
 .Op Fl f Ar keyfile
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
-generates and manages authentication keys for 
+generates and manages authentication keys for
 .Xr ssh 1 .
 Normally each user wishing to use SSH
 with RSA authentication runs this once to create the authentication
@@ -150,7 +150,7 @@ external libraries.
 .It
 has been updated to support ssh protocol 1.5.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
diff --git a/ssh.1 b/ssh.1
index eba0e0f93..548339e6b 100644
--- a/ssh.1
+++ b/ssh.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: ssh.1,v 1.20 2000/03/26 03:04:54 damien Exp $
+.\" $Id: ssh.1,v 1.21 2000/04/13 02:26:37 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH 1
@@ -49,7 +49,7 @@
 .Oc
 .Op Ar hostname | user@hostname
 .Op Ar command
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
 (Secure Shell) is a program for logging into a remote machine and for
 executing commands on a remote machine.
@@ -60,7 +60,7 @@ X11 connections and
 arbitrary TCP/IP ports can also be forwarded over the secure channel.
 .Pp
 .Nm
-connects and logs into the specified 
+connects and logs into the specified
 .Ar hostname .
 The user must prove
 his/her identity to the remote machine using one of several methods.
@@ -71,7 +71,7 @@ or
 .Pa /etc/shosts.equiv
 on the remote machine, and the user names are
 the same on both sides, the user is immediately permitted to log in.
-Second, if 
+Second, if
 .Pa \&.rhosts
 or
 .Pa \&.shosts
@@ -94,7 +94,7 @@ It means that if the login would be permitted by
 or
 .Pa /etc/shosts.equiv ,
 and if additionally the server can verify the client's
-host key (see 
+host key (see
 .Pa /etc/ssh_known_hosts
 and
 .Pa $HOME/.ssh/known_hosts
@@ -109,17 +109,17 @@ spoofing, DNS spoofing and routing spoofing.
 and the rlogin/rsh protocol in general, are inherently insecure and should be
 disabled if security is desired.]
 .Pp
-As a third authentication method, 
+As a third authentication method,
 .Nm
 supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
 where encryption and decryption are done using separate keys, and it
 is not possible to derive the decryption key from the encryption key.
 RSA is one such system.
-The idea is that each user creates a public/private 
+The idea is that each user creates a public/private
 key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
-The file 
+The file
 .Pa $HOME/.ssh/authorized_keys
 lists the public keys that are permitted for logging
 in.
@@ -142,18 +142,18 @@ key but without disclosing it to the server.
 implements the RSA authentication protocol automatically.
 The user creates his/her RSA key pair by running
 .Xr ssh-keygen 1 .
-This stores the private key in 
+This stores the private key in
 .Pa \&.ssh/identity
 and the public key in
 .Pa \&.ssh/identity.pub
 in the user's home directory.
 The user should then copy the
 .Pa identity.pub
-to 
+to
 .Pa \&.ssh/authorized_keys
-in his/her home directory on the remote machine (the 
+in his/her home directory on the remote machine (the
 .Pa authorized_keys
-file corresponds to the conventional 
+file corresponds to the conventional
 .Pa \&.rhosts
 file, and has one key
 per line, though the lines can be very long).
@@ -167,7 +167,7 @@ See
 .Xr ssh-agent 1
 for more information.
 .Pp
-If other authentication methods fail, 
+If other authentication methods fail,
 .Nm
 prompts the user for a password.
 The password is sent to the remote
@@ -188,7 +188,7 @@ and suspend
 with
 .Ic ~^Z .
 All forwarded connections can be listed with
-.Ic ~# 
+.Ic ~#
 and if
 the session blocks waiting for forwarded X11 or TCP/IP
 connections to terminate, it can be backgrounded with
@@ -232,7 +232,7 @@ Forwarding of X11 connections can be
 configured on the command line or in configuration files.
 .Pp
 The
-.Ev DISPLAY 
+.Ev DISPLAY
 value set by
 .Nm
 will point to the server machine, but with a display number greater
@@ -265,10 +265,10 @@ electronic purse; another is going trough firewalls.
 .Nm
 automatically maintains and checks a database containing RSA-based
 identifications for all hosts it has ever been used with.
-The database is stored in 
+The database is stored in
 .Pa \&.ssh/known_hosts
 in the user's home directory.
-Additionally, the file 
+Additionally, the file
 .Pa /etc/ssh_known_hosts
 is automatically checked for known hosts.
 Any new hosts are automatically added to the user's file.
@@ -290,10 +290,10 @@ host key is not known or has changed.
 Disables forwarding of the authentication agent connection.
 This may also be specified on a per-host basis in the configuration file.
 .It Fl c Ar blowfish|3des
-Selects the cipher to use for encrypting the session. 
+Selects the cipher to use for encrypting the session.
 .Ar 3des
 is used by default.
-It is believed to be secure. 
+It is believed to be secure.
 .Ar 3des
 (triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
 It is presumably more secure than the
@@ -322,7 +322,7 @@ This is useful if
 .Nm
 is going to ask for passwords or passphrases, but the user
 wants it in the background.
-This implies 
+This implies
 .Fl n .
 The recommended way to start X11 programs at a remote site is with
 something like
@@ -330,9 +330,9 @@ something like
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
 .It Fl i Ar identity_file
-Selects the file from which the identity (private key) for 
+Selects the file from which the identity (private key) for
 RSA authentication is read.
-Default is 
+Default is
 .Pa \&.ssh/identity
 in the user's home directory.
 Identity files may also be specified on
@@ -548,6 +548,12 @@ and
 are supported.
 The default is
 .Dq 3des .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2
+in order of preference.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
 .It Cm Compression
 Specifies whether to use compression.
 The argument must be
@@ -577,12 +583,12 @@ followed by a letter, or
 to disable the escape
 character entirely (making the connection transparent for binary
 data).
-.It Cm FallBackToRsh 
+.It Cm FallBackToRsh
 Specifies that if connecting via
 .Nm
 fails due to a connection refused error (there is no
 .Xr sshd 8
-listening on the remote host), 
+listening on the remote host),
 .Xr rsh 1
 should automatically be used instead (after a suitable warning about
 the session being unencrypted).
@@ -599,10 +605,10 @@ or
 .Dq no .
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
-over the secure channel and 
+over the secure channel and
 .Ev DISPLAY
 set.
-The argument must be 
+The argument must be
 .Dq yes
 or
 .Dq no .
@@ -618,7 +624,7 @@ or
 The default is
 .Dq no .
 .It Cm GlobalKnownHostsFile
-Specifies a file to use instead of 
+Specifies a file to use instead of
 .Pa /etc/ssh_known_hosts .
 .It Cm HostName
 Specifies the real host name to log into.
@@ -697,6 +703,17 @@ or
 .It Cm Port
 Specifies the port number to connect on the remote host.
 Default is 22.
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support in order of preference.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -773,7 +790,7 @@ The default is
 .Dq no .
 .It Cm StrictHostKeyChecking
 If this flag is set to
-.Dq yes , 
+.Dq yes ,
 .Nm
 ssh will never automatically add host keys to the
 .Pa $HOME/.ssh/known_hosts
@@ -839,7 +856,7 @@ will normally set the following environment variables:
 The
 .Ev DISPLAY
 variable indicates the location of the X11 server.
-It is automatically set by 
+It is automatically set by
 .Nm
 to point to a value of the form
 .Dq hostname:n
@@ -885,10 +902,10 @@ on to new connections).
 Set to the name of the user logging in.
 .El
 .Pp
-Additionally, 
+Additionally,
 .Nm
-reads 
-.Pa $HOME/.ssh/environment , 
+reads
+.Pa $HOME/.ssh/environment ,
 and adds lines of the format
 .Dq VARNAME=value
 to the environment.
@@ -911,7 +928,7 @@ ignores this file if it is accessible by others.
 It is possible to specify a passphrase when
 generating the key; the passphrase will be used to encrypt the
 sensitive part of this file using 3DES.
-.It Pa $HOME/.ssh/identity.pub 
+.It Pa $HOME/.ssh/identity.pub
 Contains the public key for authentication (public part of the
 identity file in human-readable form).
 The contents of this file should be added to
@@ -1031,7 +1048,7 @@ Additionally, successful RSA host authentication is normally
 required.
 This file should only be writable by root.
 .It Pa /etc/shosts.equiv
-This file is processed exactly as 
+This file is processed exactly as
 .Pa /etc/hosts.equiv .
 This file may be useful to permit logins using
 .Nm
@@ -1048,7 +1065,7 @@ Commands in this file are executed by
 .Nm
 when the user logs in just before the user's shell (or command) is
 started.
-See the 
+See the
 .Xr sshd 8
 manual page for more information.
 .It Pa $HOME/.ssh/environment
@@ -1077,7 +1094,7 @@ external libraries.
 has been updated to support ssh protocol 1.5, making it compatible with
 all other ssh protocol 1 clients and servers.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
diff --git a/sshconnect.c b/sshconnect.c
index 167b8e63a..675de6102 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.65 2000/04/12 07:56:16 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.66 2000/04/12 09:39:10 markus Exp $");
 
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
diff --git a/sshd.8 b/sshd.8
index 0de3cef4a..a59bd22fb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: sshd.8,v 1.16 2000/04/01 01:09:27 damien Exp $
+.\" $Id: sshd.8,v 1.17 2000/04/13 02:26:38 damien Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -27,9 +27,9 @@
 .Op Fl k Ar key_gen_time
 .Op Fl p Ar port
 .Op Fl V Ar client_protocol_id
-.Sh DESCRIPTION 
+.Sh DESCRIPTION
 .Nm
-(Secure Shell Daemon) is the daemon program for 
+(Secure Shell Daemon) is the daemon program for
 .Xr ssh 1 .
 Together these programs replace rlogin and rsh programs, and
 provide secure encrypted communications between two untrusted hosts
@@ -39,7 +39,7 @@ install and use as possible.
 .Pp
 .Nm
 is the daemon that listens for connections from clients.
-It is normally started at boot from 
+It is normally started at boot from
 .Pa /etc/rc .
 It forks a new
 daemon for each incoming connection.
@@ -157,7 +157,7 @@ host file is normally not readable by anyone but root).
 .It Fl i
 Specifies that
 .Nm
-is being run from inetd. 
+is being run from inetd.
 .Nm
 is normally not run
 from inetd because it needs to generate the server key before it can
@@ -204,7 +204,7 @@ to use IPv6 addresses only.
 .El
 .Sh CONFIGURATION FILE
 .Nm
-reads configuration data from 
+reads configuration data from
 .Pa /etc/sshd_config
 (or the file specified with
 .Fl f
@@ -246,6 +246,11 @@ wildcards in the patterns.
 Only user names are valid, a numerical user ID isn't recognized.
 By default login is allowed regardless of the user name.
 .Pp
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
 .It Cm CheckMail
 Specifies whether
 .Nm
@@ -284,14 +289,14 @@ does not start if this file is group/world-accessible.
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
-and 
+and
 .Pa .shosts
 files will not be used in authentication.
 .Pa /etc/hosts.equiv
 and
-.Pa /etc/shosts.equiv 
+.Pa /etc/shosts.equiv
 are still used.
-The default is 
+The default is
 .Dq yes .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
@@ -342,7 +347,7 @@ Default is
 .Dq yes .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is 
+Default is
 .Dq no ,
 as this only works when the Kerberos KDC is actually an AFS kaserver.
 .It Cm KerberosTicketCleanup
@@ -419,7 +424,7 @@ Multiple options of this type are permitted.
 .It Cm PrintMotd
 Specifies whether
 .Nm
-should print 
+should print
 .Pa /etc/motd
 when a user logs in interactively.
 (On some systems it is also printed by the shell,
@@ -427,6 +432,17 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
 .It Cm RandomSeed
 Obsolete.
 Random number generation uses other techniques.
@@ -454,7 +470,7 @@ Defines the number of bits in the server key.
 The minimum value is 512, and the default is 768.
 .It Cm SkeyAuthentication
 Specifies whether
-.Xr skey 1 
+.Xr skey 1
 authentication is allowed.
 The default is
 .Dq yes .
@@ -504,12 +520,12 @@ does the following:
 .Bl -enum -offset indent
 .It
 If the login is on a tty, and no command has been specified,
-prints last login time and 
+prints last login time and
 .Pa /etc/motd
 (unless prevented in the configuration file or by
 .Pa $HOME/.hushlogin ;
 see the
-.Sx FILES 
+.Sx FILES
 section).
 .It
 If the login is on a tty, records login time.
@@ -543,7 +559,7 @@ authentication protocol and cookie in standard input.
 Runs user's shell or command.
 .El
 .Sh AUTHORIZED_KEYS FILE FORMAT
-The 
+The
 .Pa $HOME/.ssh/authorized_keys
 file lists the RSA keys that are
 permitted for RSA authentication.
@@ -632,9 +648,9 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
 .Pp
 command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
-The 
+The
 .Pa /etc/ssh_known_hosts
-and 
+and
 .Pa $HOME/.ssh/known_hosts
 files contain host public keys for all known hosts.
 The global file should
@@ -679,7 +695,7 @@ accepted if valid information can be found from either file.
 Note that the lines in these files are typically hundreds of characters
 long, and you definitely don't want to type in the host keys by hand.
 Rather, generate them by a script
-or by taking 
+or by taking
 .Pa /etc/ssh_host_key.pub
 and adding the host names at the front.
 .Ss Examples
@@ -734,7 +750,7 @@ should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
 can but need not be world-readable.
 .It Pa /etc/nologin
-If this file exists, 
+If this file exists,
 .Nm
 refuses to let anyone except root log in.
 The contents of the file
@@ -865,7 +881,7 @@ external libraries.
 has been updated to support ssh protocol 1.5, making it compatible with
 all other ssh protocol 1 clients and servers.
 .It
-contains added support for 
+contains added support for
 .Xr kerberos 8
 authentication and ticket passing.
 .It
diff --git a/sshd.c b/sshd.c
index 266146bf0..cd5760ecb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.103 2000/04/12 08:11:36 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.104 2000/04/12 09:39:10 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"