* New upstream release (closes: #395507, #397961, #420035). Important

  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be
      used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of
      post-authentication options are supported and more are expected to
      be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/known_hosts when a non-standard port has been requested
      (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
      non-zero exit code) when requested port forwardings could not be
      established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines),
      enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to
      contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
      session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too
      liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods
      on a per user, group, host and network basis via the Match directive
      in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp
      progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time
      of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
  install ChangeLog.gssapi.

287 files changed, 14093 insertions, 8260 deletions

diff --git a/.cvsignore b/.cvsignore
index 98f48ff50..4244eeb3b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,24 +1,30 @@
-ssh
+*.out
+Makefile
+autom4te.cache
+build-deb
+build-deb-stamp
+build-udeb
+build-udeb-stamp
+buildit.sh
+buildpkg.sh
+config.cache
+config.h
+config.log
+config.status
+openssh.xml
+opensshd.init
 scp
-sshd
+sftp
+sftp-server
+ssh
 ssh-add
+ssh-agent
 ssh-keygen
 ssh-keyscan
 ssh-keysign
-ssh-agent
-sftp-server
-sftp
-config.h
-config.status
-config.cache
-config.log
-stamp-h.in
-Makefile
-ssh_prng_cmds
-*.out
-buildit.sh
 ssh-rand-helper
-build-deb
-build-deb-stamp
-build-udeb
-build-udeb-stamp
+ssh_prng_cmds
+sshd
+stamp-h.in
+survey
+survey.sh
diff --git a/CREDITS b/CREDITS
index 82b9f2210..eaf105a91 100644
--- a/CREDITS
+++ b/CREDITS
@@ -25,6 +25,7 @@ Chris, the Young One <cky@pobox.com> - Password auth fixes
 Christos Zoulas <christos@zoulas.com> - Autoconf fixes
 Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
 Corinna Vinschen <vinschen@redhat.com> - Cygwin support
+Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
 Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
 Darren Hall <dhall@virage.org> - AIX patches
 Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
@@ -100,5 +101,5 @@ Apologies to anyone I have missed.
 
 Damien Miller <djm@mindrot.org>
 
-$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $
+$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
 
diff --git a/ChangeLog b/ChangeLog
index ad4bf8838..f2b96c37b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,13 +1,1969 @@
-20060211
- - (dtucker) [README] Bump release notes URL.
- - (djm) Release 4.3p2
+20070306
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2007/03/01 16:19:33
+     [sshd_config.5]
+     sort the `match' keywords;
+   - djm@cvs.openbsd.org 2007/03/06 10:13:14
+     [version.h]
+     openssh-4.6; "please" deraadt@
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] crank spec files for release
+ - (djm) [README] correct link to release notes
+ - (djm) Release 4.6p1
+
+20070304
+ - (djm) [configure.ac] add a --without-openssl-header-check option to
+   configure, as some platforms (OS X) ship OpenSSL headers whose version
+   does not match that of the shipping library. ok dtucker@
+ - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
+   bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
+   ciphers from working correctly (disconnects with "Bad packet length"
+   errors) as found by Ben Harris.  ok djm@
+
+20070303
+ - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more
+   general to cover newer gdb versions on HP-UX.
+
+20070302
+ - (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows
+   CRLF as well as LF lineendings) and write in binary mode.  Patch from
+   vinschen at redhat.com.
+ - (dtucker) [INSTALL] Update to autoconf-2.61.
+
+20070301
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
+     [auth2.c sshd_config.5 servconf.c]
+     Remove ChallengeResponseAuthentication support inside a Match
+     block as its interaction with KbdInteractive makes it difficult to
+     support.  Also, relocate the CR/kbdint option special-case code into
+     servconf.  "please commit" djm@, ok markus@ for the relocation.
+ - (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits.
+   "Looks sane" dtucker@
+
+20070228
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2007/02/28 00:55:30
+     [ssh-agent.c]
+     Remove expired keys periodically so they don't remain in memory when
+     the agent is entirely idle, as noted by David R. Piegdon.  This is the
+     simple fix, a more efficient one will be done later.  With markus,
+     deraadt, with & ok djm.
+
+20070225
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2007/02/20 10:25:14
+     [clientloop.c]
+     set maximum packet and window sizes the same for multiplexed clients
+     as normal connections; ok markus@
+   - dtucker@cvs.openbsd.org 2007/02/21 11:00:05
+     [sshd.c]
+     Clear alarm() before restarting sshd on SIGHUP.  Without this, if there's
+     a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the
+     newly exec'ed sshd will get the SIGALRM and not have a handler for it,
+     and the default action will terminate the listening sshd.  Analysis and
+     patch from andrew at gaul.org.
+   - dtucker@cvs.openbsd.org 2007/02/22 12:58:40
+     [servconf.c]
+     Check activep so Match and GatewayPorts work together; ok markus@
+   - ray@cvs.openbsd.org 2007/02/24 03:30:11
+     [moduli.c]
+     - strlen returns size_t, not int.
+     - Pass full buffer size to fgets.
+     OK djm@, millert@, and moritz@.
+
+20070219
+  - (dtucker) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2007/01/10 13:23:22
+     [ssh_config.5]
+     do not use a list for SYNOPSIS;
+     this is actually part of a larger report sent by eric s. raymond
+     and forwarded by brad, but i only read half of it. spotted by brad.
+   - jmc@cvs.openbsd.org 2007/01/12 20:20:41
+     [ssh-keygen.1 ssh-keygen.c]
+     more secsh -> rfc 4716 updates;
+     spotted by wiz@netbsd
+     ok markus
+   - dtucker@cvs.openbsd.org 2007/01/17 23:22:52
+     [readconf.c]
+     Honour activep for times (eg ServerAliveInterval) while parsing
+     ssh_config and ~/.ssh/config so they work properly with Host directives.
+     From mario.lorenz@wincor-nixdorf.com via bz #1275.  ok markus@
+   - stevesk@cvs.openbsd.org 2007/01/21 01:41:54
+     [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
+     spaces
+   - stevesk@cvs.openbsd.org 2007/01/21 01:45:35
+     [readconf.c]
+     spaces
+   - djm@cvs.openbsd.org 2007/01/22 11:32:50
+     [sftp-client.c]
+     return error from do_upload() when a write fails. fixes bz#1252: zero
+     exit status from sftp when uploading to a full device. report from
+     jirkat AT atlas.cz; ok dtucker@
+   - djm@cvs.openbsd.org 2007/01/22 13:06:21
+     [scp.c]
+     fix detection of whether we should show progress meter or not: scp
+     tested isatty(stderr) but wrote the progress meter to stdout. This patch
+     makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
+     of dtucker@
+   - stevesk@cvs.openbsd.org 2007/02/14 14:32:00
+     [bufbn.c]
+     typos in comments; ok jmc@
+   - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
+     [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
+     Teach Match how handle config directives that are used before
+     authentication.  This allows configurations such as permitting password
+     authentication from the local net only while requiring pubkey from
+     offsite.  ok djm@, man page bits ok jmc@
+ - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
+   platforms don't have it.  Patch from dleonard at vintela.com.
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
+   an array for signatures when there are none since "calloc(0, n) returns
+   NULL on some platforms (eg Tru64), which is explicitly permitted by
+   POSIX.  Diagnosis and patch by svallet genoscope.cns.fr.
+
+20070128
+ - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
+   when closing a tty session when a background process still holds tty
+   fds open. Great detective work and patch by Marc Aurele La France,
+   slightly tweaked by me; ok dtucker@
+
+20070123
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
+   library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
+   so it works properly and modify its callers so that they don't pre or
+   post decrement arguments that are conditionally evaluated. While there,
+   put SNPRINTF_CONST back as it prevents build failures in some
+   configurations.  ok djm@ (for most of it)
+
+20070122
+ - (djm) [ssh-rand-helper.8] manpage nits;
+   from dleonard AT vintela.com (bz#1529)
+
+20070117
+ - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
+   and multiple including it causes problems on old IRIXes.  (It snuck back
+   in during a sync.)  Found (again) by Georg Schwarz.
+
+20070114
+ - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
+ - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
+   value of snprintf replacement, similar to bugs in various libc
+   implementations. This overflow is not exploitable in OpenSSH. 
+   While I'm fiddling with it, make it a fair bit faster by inlining the
+   append-char routine; ok dtucker@
+
+20070105
+ - (djm) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2006/11/14 19:41:04
+     [ssh-keygen.c]
+     use argc and argv not some made up short form
+   - ray@cvs.openbsd.org 2006/11/23 01:35:11
+     [misc.c sftp.c]
+     Don't access buf[strlen(buf) - 1] for zero-length strings.
+     ``ok by me'' djm@.
+   - markus@cvs.openbsd.org 2006/12/11 21:25:46
+     [ssh-keygen.1 ssh.1]
+     add rfc 4716 (public key format); ok jmc
+   - djm@cvs.openbsd.org 2006/12/12 03:58:42
+     [channels.c compat.c compat.h]
+     bz #1019: some ssh.com versions apparently can't cope with the
+     remote port forwarding bind_address being a hostname, so send
+     them an address for cases where they are not explicitly
+     specified (wildcard or localhost bind).  reported by daveroth AT
+     acm.org; ok dtucker@ deraadt@
+   - dtucker@cvs.openbsd.org 2006/12/13 08:34:39
+     [servconf.c]
+     Make PermitOpen work with multiple values like the man pages says.
+     bz #1267 with details from peter at dmtz.com, with & ok djm@
+   - dtucker@cvs.openbsd.org 2006/12/14 10:01:14
+     [servconf.c]
+     Make "PermitOpen all" first-match within a block to match the way other
+     options work.  ok markus@ djm@
+   - jmc@cvs.openbsd.org 2007/01/02 09:57:25
+     [sshd_config.5]
+     do not use lists for SYNOPSIS;
+     from eric s. raymond via brad
+   - stevesk@cvs.openbsd.org 2007/01/03 00:53:38
+     [ssh-keygen.c]
+     remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
+   - stevesk@cvs.openbsd.org 2007/01/03 03:01:40
+     [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
+     spaces
+   - stevesk@cvs.openbsd.org 2007/01/03 04:09:15
+     [sftp.c]
+     ARGSUSED for lint
+   - stevesk@cvs.openbsd.org 2007/01/03 07:22:36
+     [sftp-server.c]
+     spaces
+
+20061205
+ - (djm) [auth.c] Fix NULL pointer dereference in fakepw().  Crash would
+   occur if the server did not have the privsep user and an invalid user
+   tried to login and both privsep and krb5 auth are disabled; ok dtucker@
+ - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
+
+20061108
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2006/11/07 13:02:07
+     [dh.c]
+     BN_hex2bn returns int; from dtucker@
+
+20061107
+ - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
+   if we absolutely need it.  Pointed out by Corinna, ok djm@
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2006/11/06 21:25:28
+     [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
+     ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
+     add missing checks for openssl return codes; with & ok djm@
+   - markus@cvs.openbsd.org 2006/11/07 10:31:31
+     [monitor.c version.h]
+     correctly check for bad signatures in the monitor, otherwise the monitor
+     and the unpriv process can get out of sync. with dtucker@, ok djm@,
+     dtucker@
+ - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
+   versions.
+ - (dtucker) Release 4.5p1.
+
+20061105
+ - (djm) OpenBSD CVS Sync
+   - otto@cvs.openbsd.org 2006/10/28 18:08:10
+     [ssh.1]
+     correct/expand example of usage of -w; ok jmc@ stevesk@
+   - markus@cvs.openbsd.org 2006/10/31 16:33:12
+     [kexdhc.c kexdhs.c kexgexc.c kexgexs.c]
+     check DH_compute_key() for -1 even if it should not happen because of
+     earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm
+
+20061101
+ - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr
+   events fatal in Solaris process contract support and tell it to signal
+   only processes in the same process group when something happens.
+   Based on information from andrew.benham at thus.net and similar to
+   a patch from Chad Mynhier.  ok djm@
+
+20061027
+- (djm) [auth.c] gc some dead code
+
+20061023
+ - (djm) OpenBSD CVS Sync
+   - ray@cvs.openbsd.org 2006/09/30 17:48:22
+     [sftp.c]
+     Clear errno before calling the strtol functions.
+     From Paul Stoeber <x0001 at x dot de1 dot cc>.
+     OK deraadt@.
+   - djm@cvs.openbsd.org 2006/10/06 02:29:19
+     [ssh-agent.c ssh-keyscan.c ssh.c]
+     sys/resource.h needs sys/time.h; prompted by brad@
+     (NB. Id sync only for portable)
+   - djm@cvs.openbsd.org 2006/10/09 23:36:11
+     [session.c]
+     xmalloc -> xcalloc that was missed previously, from portable
+     (NB. Id sync only for portable, obviously)
+   - markus@cvs.openbsd.org 2006/10/10 10:12:45
+     [sshconnect.c]
+     sleep before retrying (not after) since sleep changes errno; fixes
+     pr 5250; rad@twig.com; ok dtucker djm
+   - markus@cvs.openbsd.org 2006/10/11 12:38:03
+     [clientloop.c serverloop.c]
+     exit instead of doing a blocking tcp send if we detect a client/server
+     timeout, since the tcp sendqueue might be already full (of alive
+     requests); ok dtucker, report mpf
+   - djm@cvs.openbsd.org 2006/10/22 02:25:50
+     [sftp-client.c]
+     cancel progress meter when upload write fails; ok deraadt@
+ - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep
+   autoconf 2.60 from complaining.
+
+20061018
+ - (dtucker) OpenBSD CVS Sync
+   - ray@cvs.openbsd.org 2006/09/25 04:55:38
+     [ssh-keyscan.1 ssh.1]
+     Change "a SSH" to "an SSH".  Hurray, I'm not the only one who
+     pronounces "SSH" as "ess-ess-aich".
+     OK jmc@ and stevesk@.
+ - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings
+   on older versions of OS X.  ok djm@
+
+20061016
+ - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros
+   on older (2.0) Linuxes.  Based on patch from thmo-13 at gmx de.
+
+20061006
+ - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris.
+   Differentiate between OpenServer 5 and OpenServer 6
+ - (dtucker) [configure.ac] Set put -lselinux into $LIBS while testing for
+   SELinux functions so they're detected correctly.  Patch from pebenito at
+   gentoo.org.
+ - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer).
+   Allow setting alternate awk in openssh-config.local.
+
+20061003
+ - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific
+   section so additional platform specific CHECK_HEADER tests will work
+   correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
+   Feedback and "seems like a good idea" dtucker@
+
+20061001
+ - (dtucker) [audit-bsm.c] Include errno.h.  Pointed out by des at des.no.
+
+20060929
+ - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine
+   support.  Patch from andrew.benham at thus net.
+
+20060928
+ - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error
+   on Solaris 8 w/out /dev/random or prngd.  Patch from rl at
+   math.technion.ac.il.
+
+20060926
+ - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not
+   referenced any more.  ok djm@
+ - (dtucker) [sftp-server.8] Resync; spotted by djm@
+ - (dtucker) Release 4.4p1.
+
+20060924
+ - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
+   to rev 1.308) to work around broken gcc 2.x header file.
+
+20060923
+ - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than
+   $LDFLAGS.  Patch from vapier at gentoo org.
+
+20060922
+ - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on
+   some platforms (eg HP-UX 11.00).  From santhi.amirta at gmail com.
+
+20060921
+ - (dtucker) OpenBSD CVS Sync
+   - otto@cvs.openbsd.org 2006/09/19 05:52:23
+     [sftp.c]
+     Use S_IS* macros insted of masking with S_IF* flags. The latter may
+     have multiple bits set, which lead to surprising results. Spotted by
+     Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
+   - markus@cvs.openbsd.org 2006/09/19 21:14:08
+     [packet.c]
+     client NULL deref on protocol error; Tavis Ormandy, Google Security Team
+ - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes
+   build error on Ultrix.  From Bernhard Simon.
+
+20060918
+ - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
+   macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
+   Allows build out of the box with older VAC and XLC compilers.  Found by
+   David Bronder and Bernhard Simon.
+ - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.
+   Prevents macro redefinition warnings of "RDONLY".
+
+20060916
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/09/16 19:53:37
+     [deattack.c deattack.h packet.c]
+     limit maximum work performed by the CRC compensation attack detector,
+     problem reported by Tavis Ormandy, Google Security Team;
+     ok markus@ deraadt@
+ - (djm) Add openssh.xml to .cvsignore and sort it
+ - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth
+   process so that any logging it does is with the right timezone.  From
+   Scott Strickler, ok djm@.
+ - (dtucker) [monitor.c] Correctly handle auditing of single commands when
+   using Protocol 1.  From jhb at freebsd.
+ - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@
+ - (dtucker) [INSTALL] Add info about audit support.
+
+20060912
+ - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
+   Support SMF in Solaris Packages if enabled by configure. Patch from
+   Chad Mynhier, tested by dtucker@
+
+20060911
+ - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends.  Noted
+   by Pekka Savola.
+
+20060910
+ - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
+ - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.
+
+20060909
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
+ - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
+ - (dtucker) [buildpkg.sh.in] Always create privsep user.  ok djm@
+
+20060908
+ - (dtucker) [auth-sia.c] Add includes required for build on Tru64.  Patch
+   from Chris Adams.
+ - (dtucker) [configure.ac] The BSM header test needs time.h in some cases.
+
+20060907
+ - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
+   be used to drop privilege to; fixes Solaris GSSAPI crash reported by
+   Magnus Abrante; suggestion and feedback dtucker@
+   NB. this change will require that the privilege separation user must
+   exist on all the time, not just when UsePrivilegeSeparation=yes
+ - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
+ - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
+ - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
+   chance of winning.
+
+20060905
+ - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
+ - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
+
+20060904
+ - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
+   updwdtmp seems to generate invalid wtmp entries.  From Roger Cornelius,
+   ok djm@
+
+20060903
+ - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
+   declaration of writev(2) and declare it ourselves if necessary.  Makes
+   the atomiciov() calls build on really old systems.  ok djm@
+
+20060902
+ - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
+ - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
+   openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
+   openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
+   for hton* and ntoh* macros.  Required on (at least) HP-UX since we define
+   _XOPEN_SOURCE_EXTENDED.  Found by santhi.amirta at gmail com.
+
+20060901
+ - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
+   [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
+   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
+   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
+   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
+   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
+   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
+   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
+   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
+   [sshconnect1.c sshconnect2.c sshd.c]
+   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
+   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
+   [openbsd-compat/port-uw.c]
+   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
+   compile problems reported by rac AT tenzing.org
+ - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
+   [openbsd-compat/rresvport.c] Some more headers: netinet/in.h 
+   sys/socket.h and unistd.h in various places
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration
+   warnings for binary_open and binary_close.  Patch from Corinna Vinschen.
+ - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
+   test for GLOB_NOMATCH and use our glob functions if it's not found.
+   Stops sftp from segfaulting when attempting to get a nonexistent file on
+   Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
+   from and tested by Corinna Vinschen.
+ - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec]  Crank
+   versions.
+
+20060831
+ - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
+   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
+   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
+   [openbsd-compat/port-solaris.h] Add support for Solaris process
+   contracts, enabled with --use-solaris-contracts. Patch from Chad
+   Mynhier, tweaked by dtucker@ and myself; ok dtucker@
+ - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
+   while setting up the ssh service account.  Patch from Corinna Vinschen.
+
+20060830
+ - (djm) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
+     [sshd_config.5]
+     Document HostbasedUsesNameFromPacketOnly.  Corrections from jmc@,
+     ok jmc@ djm@
+   - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
+     [sshd.8]
+     Add more detail about what permissions are and aren't accepted for
+     authorized_keys files.  Corrections jmc@, ok djm@, "looks good" jmc@
+   - djm@cvs.openbsd.org 2006/08/29 10:40:19
+     [channels.c session.c]
+     normalise some inconsistent (but harmless) NULL pointer checks
+     spotted by the Stanford SATURN tool, via Isil Dillig;
+     ok markus@ deraadt@
+   - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
+     [gss-genr.c]
+     Work around a problem in Heimdal that occurs when KRB5CCNAME file is
+     missing, by checking whether or not kerberos allocated us a context
+     before attempting to free it.  Patch from Simon Wilkinson, tested by
+     biorn@, ok djm@
+   - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
+     [sshconnect2.c]
+     Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
+     where previously it weren't.  bz #1221, found by Dean Kopesky, ok djm@
+   - djm@cvs.openbsd.org 2006/08/30 00:14:37
+     [version.h]
+     crank to 4.4
+ - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
+ - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
+   loginsuccess on AIX immediately after authentication to clear the failed
+   login count.  Previously this would only happen when an interactive
+   session starts (ie when a pty is allocated) but this means that accounts
+   that have primarily non-interactive sessions (eg scp's) may gradually
+   accumulate enough failures to lock out an account.  This change may have
+   a side effect of creating two audit records, one with a tty of "ssh"
+   corresponding to the authentication and one with the allocated pty per
+   interactive session.
+
+20060824
+ - (dtucker) [openbsd-compat/basename.c] Include errno.h.
+ - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
+   older systems.
+ - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
+   on POSIX systems.
+ - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
+ - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
+ - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
+   unused variable warning when we have a broken or missing mmap(2).
+
+20060822
+ - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
+   Makefile.  Patch from santhi.amirta at gmail, ok djm.
+
+20060820
+ - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
+ - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
+   afterward.  Removes the need to mangle $LIBS later to remove -lpam and -ldl.
+ - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
+   fixing bug #1181.  No changes yet.
+ - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
+   (0.9.8a and presumably newer) requires -ldl to successfully link.
+ - (dtucker) [configure.ac] Remove errant "-".
+
+20060819
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/08/18 22:41:29
+     [gss-genr.c]
+     GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
+ - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
+   single rule for the test progs.
+
+20060818
+ - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
+   closefrom.c from sudo.
+ - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
+ - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
+ - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
+   test progs instead; they work better than what we have.
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
+     [compress.c monitor.c monitor_wrap.c]
+     "zlib.h" can be <zlib.h>; ok djm@ markus@
+   - miod@cvs.openbsd.org 2006/08/12 20:46:46
+     [monitor.c monitor_wrap.c]
+     Revert previous include file ordering change, for ssh to compile under
+     gcc2 (or until openssl include files are cleaned of parameter names
+     in function prototypes)
+   - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
+     [servconf.c servconf.h sshd_config.5]
+     Add ability to match groups to Match keyword in sshd_config.  Feedback
+     djm@, stevesk@, ok stevesk@.
+   - djm@cvs.openbsd.org 2006/08/16 11:47:15
+     [sshd.c]
+     factor inetd connection, TCP listen and main TCP accept loop out of
+     main() into separate functions to improve readability; ok markus@
+   - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
+     [log.c log.h sshd.c]
+     make signal handler termination path shorter; risky code pointed out by
+     mark dowd; ok djm markus
+   - markus@cvs.openbsd.org 2006/08/18 09:15:20
+     [auth.h session.c sshd.c]
+     delay authentication related cleanups until we're authenticated and
+     all alarms have been cancelled; ok deraadt
+   - djm@cvs.openbsd.org 2006/08/18 10:27:16
+     [misc.h]
+     reorder so prototypes are sorted by the files they refer to; no
+     binary change
+   - djm@cvs.openbsd.org 2006/08/18 13:54:54
+     [gss-genr.c ssh-gss.h sshconnect2.c]
+     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
+     ok markus@
+   - djm@cvs.openbsd.org 2006/08/18 14:40:34
+     [gss-genr.c ssh-gss.h]
+     constify host argument to match the rest of the GSSAPI functions and
+     unbreak compilation with -Werror
+ - (djm) Disable sigdie() for platforms that cannot safely syslog inside
+   a signal handler (basically all of them, excepting OpenBSD);
+   ok dtucker@
+
+20060817
+ - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
+   Include stdlib.h for malloc and friends.
+ - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
+   for closefrom() on AIX.  Pointed out by William Ahern.
+ - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
+   test for closefrom() in compat code.
+
+20060816
+ - (djm) [audit-bsm.c] Sprinkle in some headers
+
+20060815
+ - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
+
+20060806
+ - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
+   on Solaris 10
+
+20060806
+ - (dtucker) [defines.h] With the includes.h changes we no longer get the
+   name clash on "YES" so we can remove the workaround for it.
+ - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
+   glob.c}] Include stdlib.h for malloc and friends in compat code.
+
+20060805
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
+     [sshconnect.c]
+     disable tunnel forwarding when no strict host key checking
+     and key changed; ok djm@ markus@ dtucker@
+   - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
+     [scard.c]
+     need #include <string.h>
+   - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
+     [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
+     [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
+     move #include <sys/time.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
+     [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
+     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
+     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
+     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
+     [uidswap.c xmalloc.c]
+     move #include <sys/param.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
+     [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
+     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
+     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
+     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
+     [sshconnect1.c sshd.c xmalloc.c]
+     move #include <stdlib.h> out of includes.h
+   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
+     [ssh_config.5]
+     avoid confusing wording in HashKnownHosts:
+     originally spotted by alan amesbury;
+     ok deraadt
+   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
+     [ssh_config.5]
+     avoid confusing wording in HashKnownHosts:
+     originally spotted by alan amesbury;
+     ok deraadt
+   - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
+     [sshconnect.c]
+     Allow fallback to known_hosts entries without port qualifiers for
+     non-standard ports too, so that all existing known_hosts entries will be
+     recognised.  Requested by, feedback and ok markus@
+   - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
+     [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
+     [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
+     [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
+     [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
+     [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
+     [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
+     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
+     [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
+     [uuencode.h xmalloc.c]
+     move #include <stdio.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
+     [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
+     clean extra spaces
+   - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
+     [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
+     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
+     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
+     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
+     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
+     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
+     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
+     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
+     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
+     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
+     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
+     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
+     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
+     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
+     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
+     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
+     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
+     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
+     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
+     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
+     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
+     almost entirely get rid of the culture of ".h files that include .h files"
+     ok djm, sort of ok stevesk
+     makes the pain stop in one easy step
+     NB. portable commit contains everything *except* removing includes.h, as
+     that will take a fair bit more work as we move headers that are required
+     for portability workarounds to defines.h. (also, this step wasn't "easy")
+   - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
+     [monitor.c session.c ssh-agent.c]
+     spaces
+ - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
+ - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
+   remove last traces of bufaux.h - it was merged into buffer.h in the big
+   includes.h commit
+ - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
+ - (djm) [openbsd-compat/regress/snprintftest.c]
+   [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
+   compilation with "-Wall -Werror"
+ - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
+   [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
+   includes for Linux in
+ - (dtucker) [cleanup.c] Need defines.h for __dead.
+ - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
+ - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
+   #include stdarg.h, needed for log.h.
+ - (dtucker) [entropy.c] Needs unistd.h too.
+ - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc.
+ - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
+   otherwise it is implicitly declared as returning an int.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
+     [auth2-none.c sshd.c monitor_wrap.c]
+     Add headers required to build with KERBEROS5=no.  ok djm@
+   - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
+     [auth-skey.c]
+     Add headers required to build with -DSKEY.  ok djm@
+   - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
+     [monitor_wrap.c auth-skey.c auth2-chall.c]
+     Zap unused variables in -DSKEY code.  ok djm@
+   - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
+     [packet.c]
+     Typo in comment
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
+   on Cygwin.
+ - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
+ - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
+ - (dtucker) [audit.c audit.h] Repair headers.
+ - (dtucker) [audit-bsm.c] Add additional headers now required.
+
+20060804
+ - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
+   versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
+   rather than just compiling it.  Spotted by dlg@.
+
+20060802
+ - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
+
+20060725
+ - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.
+
+20060724
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2006/07/12 13:39:55
+     [sshd_config.5]
+      - new sentence, new line
+      - s/The the/The/
+      - kill a bad comma
+   - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
+     [auth-options.c canohost.c channels.c includes.h readconf.c]
+     [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
+     move #include <netdb.h> out of includes.h; ok djm@
+   - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
+     [includes.h ssh.c ssh-rand-helper.c]
+     move #include <stddef.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
+     [monitor_wrap.h]
+     don't need incompletely-typed 'struct passwd' now with
+     #include <pwd.h>; ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
+     [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
+     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
+     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
+     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
+     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
+     move #include <unistd.h> out of includes.h
+   - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
+     [auth-options.c]
+     Use '\0' rather than 0 to terminates strings; ok djm@
+   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
+     [channels.c channels.h servconf.c sshd_config.5]
+     Add PermitOpen directive to sshd_config which is equivalent to the
+     "permitopen" key option.  Allows server admin to allow TCP port
+     forwarding only two specific host/port pairs.  Useful when combined
+     with Match.
+     If permitopen is used in both sshd_config and a key option, both
+     must allow a given connection before it will be permitted.
+     Note that users can still use external forwarders such as netcat,
+     so to be those must be controlled too for the limits to be effective.
+     Feedback & ok djm@, man page corrections & ok jmc@.
+   - jmc@cvs.openbsd.org 2006/07/18 07:50:40
+     [sshd_config.5]
+     tweak; ok dtucker
+   - jmc@cvs.openbsd.org 2006/07/18 07:56:28
+     [scp.1]
+     replace DIAGNOSTICS with .Ex;
+   - jmc@cvs.openbsd.org 2006/07/18 08:03:09
+     [ssh-agent.1 sshd_config.5]
+     mark up angle brackets;
+   - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
+     [sshd_config.5]
+     Clarify description of Match, with minor correction from jmc@
+   - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
+     [dh.c]
+     remove unneeded includes; ok djm@
+   - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
+     [servconf.c sshd_config.5]
+     Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
+     Match.  ok djm@
+   - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
+     [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
+     Add ForceCommand keyword to sshd_config, equivalent to the "command="
+     key option, man page entry and example in sshd_config.
+     Feedback & ok djm@, man page corrections & ok jmc@
+   - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
+     [auth1.c serverloop.c session.c sshconnect2.c]
+     missed some needed #include <unistd.h> when KERBEROS5=no; issue from
+     massimo@cedoc.mo.it
+   - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
+     [channels.c channels.h servconf.c servconf.h sshd_config.5]
+     Make PermitOpen take a list of permitted ports and act more like most
+     other keywords (ie the first match is the effective setting). This
+     also makes it easier to override a previously set PermitOpen. ok djm@
+   - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
+     [channels.c]
+     more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
+   - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
+     [progressmeter.c]
+     ARGSUSED for signal handler
+   - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
+     [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
+     [sftp-server.c ssh-agent.c sshlogin.c]
+     move #include <time.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
+     [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
+     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
+     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
+     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
+     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
+     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
+     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
+     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
+     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
+     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
+     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
+     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
+     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
+     move #include <string.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
+     [auth.h dispatch.c kex.h sftp-client.c]
+     #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
+     move
+ - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
+   [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
+   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
+   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
+   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
+   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
+   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
+   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
+   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
+   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
+   make the portable tree compile again - sprinkle unistd.h and string.h 
+   back in. Don't redefine __unused, as it turned out to be used in
+   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
+ - (djm) [openbsd-compat/glob.c]
+   Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
+   on OpenBSD (or other platforms with a decent glob implementation) with
+   -Werror
+ - (djm) [uuencode.c]
+   Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on
+   some platforms
+ - (djm) [session.c]
+   fix compile error with -Werror -Wall: 'path' is only used in
+   do_setup_env() if HAVE_LOGIN_CAP is not defined
+ - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
+   [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
+   [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
+   [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
+   [openbsd-compat/rresvport.c]
+   These look to need string.h and/or unistd.h (based on a grep for function
+   names)
+ - (djm) [Makefile.in]
+   Remove generated openbsd-compat/regress/Makefile in distclean target
+ - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
+   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
+   Sync regress tests to -current; include dtucker@'s new cfgmatch and 
+   forcecommand tests. Add cipher-speed.sh test (not linked in yet)
+ - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
+   system headers before defines.h will cause conflicting definitions.
+ - (dtucker) [regress/forcecommand.sh] Portablize.
+
+20060713
+ - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
+
+20060712
+ - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
+   O_NONBLOCK if they're really needed.  Fixes build errors on HP-UX, old
+   Linuxes and probably more.
+ - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
+   for SHUT_RD.
+ - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
+   <netinet/ip.h>.
+ - (dtucker) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
+     [sftp-glob.c sftp-common.h sftp.c]
+     buffer.h only needed in sftp-common.h and remove some unneeded
+     user includes; ok djm@
+   - jmc@cvs.openbsd.org 2006/07/10 16:04:21
+     [sshd.8]
+     s/and and/and/
+   - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
+     [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
+     auth.c packet.c log.c]
+     move #include <stdarg.h> out of includes.h; ok markus@
+   - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
+     [ssh.c]
+     Only copy the part of environment variable that we actually use.  Prevents
+     ssh bailing when SendEnv is used and an environment variable with a really
+     long value exists.  ok djm@
+   - markus@cvs.openbsd.org 2006/07/11 18:50:48
+     [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
+     channels.h readconf.c]
+     add ExitOnForwardFailure: terminate the connection if ssh(1)
+     cannot set up all requested dynamic, local, and remote port
+     forwardings. ok djm, dtucker, stevesk, jmc
+   - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
+     [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
+     sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
+     includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
+     sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
+     ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
+     move #include <errno.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
+     [ssh.c]
+     cast asterisk field precision argument to int to remove warning;
+     ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
+     [authfile.c ssh.c]
+     need <errno.h> here also (it's also included in <openssl/err.h>)
+   - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
+     [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
+     Add support for conditional directives to sshd_config via a "Match"
+     keyword, which works similarly to the "Host" directive in ssh_config.
+     Lines after a Match line override the default set in the main section
+     if the condition on the Match line is true, eg
+     AllowTcpForwarding yes
+     Match User anoncvs
+             AllowTcpForwarding no
+     will allow port forwarding by all users except "anoncvs".
+     Currently only a very small subset of directives are supported.
+     ok djm@
+ - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
+   openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
+   openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
+ - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
+ - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
+ - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
+   openbsd-compat/rresvport.c] More errno.h.
+
+20060711
+ - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
+   openbsd-compat/daemon.c] Add includes needed by open(2).  Conditionally
+   include paths.h.  Fixes build error on Solaris.
+ - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
+   others).
+
+20060710
+ - (dtucker) [INSTALL] New autoconf version: 2.60.
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/06/14 10:50:42
+     [sshconnect.c]
+     limit the number of pre-banner characters we will accept; ok markus@
+   - djm@cvs.openbsd.org 2006/06/26 10:36:15
+     [clientloop.c]
+     mention optional bind_address in runtime port forwarding setup
+     command-line help. patch from santhi.amirta AT gmail.com
+   - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
+     [ssh.1 ssh.c ssh_config.5 sshd_config.5]
+     more details and clarity for tun(4) device forwarding; ok and help
+     jmc@
+   - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
+     [gss-serv-krb5.c gss-serv.c]
+     no "servconf.h" needed here
+     (gss-serv-krb5.c change not applied, portable needs the server options)
+   - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
+     [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
+     move #include <grp.h> out of includes.h
+     (portable needed uidswap.c too)
+   - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
+     [clientloop.c ssh.1]
+     use -KR[bind_address:]port here; ok djm@
+   - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
+     [includes.h ssh.c sshconnect.c sshd.c]
+     move #include "version.h" out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
+     [channels.c includes.h]
+     move #include <arpa/inet.h> out of includes.h; old ok djm@
+     (portable needed session.c too)
+   - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
+     [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
+     [serverloop.c sshconnect.c uuencode.c]
+     move #include <netinet/in.h> out of includes.h; ok deraadt@
+     (also ssh-rand-helper.c logintest.c loginrec.c)
+   - djm@cvs.openbsd.org 2006/07/06 10:47:05
+     [servconf.c servconf.h session.c sshd_config.5]
+     support arguments to Subsystem commands; ok markus@
+   - djm@cvs.openbsd.org 2006/07/06 10:47:57
+     [sftp-server.8 sftp-server.c]
+     add commandline options to enable logging of transactions; ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
+     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
+     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
+     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
+     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
+     [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
+     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
+     [uidswap.h]
+     move #include <pwd.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
+     [ssh-keygen.c]
+     move #include "dns.h" up
+   - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
+     [monitor_wrap.h]
+     typo in comment
+   - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
+     [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
+     [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
+     [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
+     move #include <sys/socket.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
+     [monitor.c session.c]
+     missed these from last commit:
+     move #include <sys/socket.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
+     [log.c]
+     move user includes after /usr/include files
+   - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
+     [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
+     [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
+     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
+     [sshlogin.c sshpty.c]
+     move #include <fcntl.h> out of includes.h
+   - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
+     [ssh-add.c]
+     use O_RDONLY vs. 0 in open(); no binary change
+   - djm@cvs.openbsd.org 2006/07/10 11:24:54
+     [sftp-server.c]
+     remove optind - it isn't used here
+   - djm@cvs.openbsd.org 2006/07/10 11:25:53
+     [sftp-server.c]
+     don't log variables that aren't yet set
+ - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
+   [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
+   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
+   [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/07/10 12:03:20
+     [scp.c]
+     duplicate argv at the start of main() because it gets modified later;
+     pointed out by deraadt@ ok markus@
+   - djm@cvs.openbsd.org 2006/07/10 12:08:08
+     [channels.c]
+     fix misparsing of SOCKS 5 packets that could result in a crash;
+     reported by mk@ ok markus@
+   - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
+     [misc.c misc.h sshd.8 sshconnect.c]
+     Add port identifier to known_hosts for non-default ports, based originally
+     on a patch from Devin Nate in bz#910.
+     For any connection using the default port or using a HostKeyAlias the
+     format is unchanged, otherwise the host name or address is enclosed
+     within square brackets in the same format as sshd's ListenAddress.
+     Tested by many, ok markus@.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
+   for struct sockaddr on platforms that use the fake-rfc stuff.
+
+20060706
+ - (dtucker) [configure.ac] Try AIX blibpath test in different order when
+   compiling with gcc.  gcc 4.1.x will accept (but ignore) -b flags so
+   configure would not select the correct libpath linker flags.
+ - (dtucker) [INSTALL] A bit more info on autoconf.
+
+20060705
+ - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
+   target already exists.
+
+20060630
+ - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
+   declaration too.  Patch from russ at sludge.net.
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
+   prevents warnings on platforms where _res is in the system headers.
+ - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
+   version.
+
+20060627
+ - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
+   with autoconf 2.60.  Patch from vapier at gentoo.org.
+
+20060625
+ - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
+   only, otherwise sshd can hang exiting non-interactive sessions.
+
+20060624
+ - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
+   Works around limitation in Solaris' passwd program for changing passwords
+   where the username is longer than 8 characters.  ok djm@
+ - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
+   #1102 workaround.
+
+20060623
+ - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
+   tunnel support for Mac OS X/Darwin via a third-party tun driver.  Patch
+   from reyk@, tested by anil@
+ - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
+   4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes
+   on the pty slave as zero-length reads on the pty master, which sshd
+   interprets as the descriptor closing.  Since most things don't do zero
+   length writes this rarely matters, but occasionally it happens, and when
+   it does the SSH pty session appears to hang, so we add a special case for
+   this condition.  ok djm@
+
+20060613
+ - (djm) [getput.h] This file has been replaced by functions in misc.c
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/05/08 10:49:48
+     [sshconnect2.c]
+     uint32_t -> u_int32_t (which we use everywhere else)
+     (Id sync only - portable already had this)
+   - markus@cvs.openbsd.org 2006/05/16 09:00:00
+     [clientloop.c]
+     missing free; from Kylene Hall
+   - markus@cvs.openbsd.org 2006/05/17 12:43:34
+     [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
+     fix leak; coverity via Kylene Jo Hall
+   - miod@cvs.openbsd.org 2006/05/18 21:27:25
+     [kexdhc.c kexgexc.c]
+     paramter -> parameter
+   - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
+     [ssh_config.5]
+     Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
+   - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
+     [ssh_config]
+     Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
+     sample ssh_config.  ok markus@
+   - jmc@cvs.openbsd.org 2006/05/29 16:10:03
+     [ssh_config.5]
+     oops - previous was too long; split the list of auths up
+   - mk@cvs.openbsd.org 2006/05/30 11:46:38
+     [ssh-add.c]
+     Sync usage() with man page and reality.
+     ok deraadt dtucker
+   - jmc@cvs.openbsd.org 2006/05/29 16:13:23
+     [ssh.1]
+     add GSSAPI to the list of authentication methods supported;
+   - mk@cvs.openbsd.org 2006/05/30 11:46:38
+     [ssh-add.c]
+     Sync usage() with man page and reality.
+     ok deraadt dtucker
+   - markus@cvs.openbsd.org 2006/06/01 09:21:48
+     [sshd.c]
+     call get_remote_ipaddr() early; fixes logging after client disconnects;
+     report mpf@; ok dtucker@
+   - markus@cvs.openbsd.org 2006/06/06 10:20:20
+     [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
+     replace remaining setuid() calls with permanently_set_uid() and
+     check seteuid() return values; report Marcus Meissner; ok dtucker djm
+   - markus@cvs.openbsd.org 2006/06/08 14:45:49
+     [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
+     do not set the gid, noted by solar; ok djm
+   - djm@cvs.openbsd.org 2006/06/13 01:18:36
+     [ssh-agent.c]
+     always use a format string, even when printing a constant
+   - djm@cvs.openbsd.org 2006/06/13 02:17:07
+     [ssh-agent.c]
+     revert; i am on drugs. spotted by alexander AT beard.se
+
+20060521
+ - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
+   and slave, we can remove the special-case handling in the audit hook in
+   auth_log.
+
+20060517
+ - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
+   pointer leak.  From kjhall at us.ibm.com, found by coverity.
+
+20060515
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
+   _res, prevents problems on some platforms that have _res as a global but
+   don't have getrrsetbyname(), eg IRIX 5.3.  Found and tested by
+   georg.schwarz at freenet.de, ok djm@.
+ - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
+   default.  Patch originally from tim@, ok djm
+ - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
+   do not allow kbdint again after the PAM account check fails.  ok djm@
+
+20060506
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
+     [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
+     Prevent ssh from trying to open private keys with bad permissions more than
+     once or prompting for their passphrases (which it subsequently ignores
+     anyway), similar to a previous change in ssh-add.  bz #1186, ok djm@
+   - djm@cvs.openbsd.org 2006/05/04 14:55:23
+     [dh.c]
+     tighter DH exponent checks here too; feedback and ok markus@
+   - djm@cvs.openbsd.org 2006/04/01 05:37:46
+     [OVERVIEW]
+     $OpenBSD$ in here too
+   - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
+     [auth-krb5.c]
+     Add $OpenBSD$ in comment here too
+
+20060504
+ - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
+   session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
+   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
+   in Portable-only code; since calloc zeros, remove now-redundant memsets.
+   Also add a couple of sanity checks.  With & ok djm@
+
+20060503
+ - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
+   and double including it on IRIX 5.3 causes problems.  From Georg Schwarz,
+   "no objections" tim@
+
+20060423
+ - (djm) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
+     [scp.c]
+     minimal lint cleanup (unused crud, and some size_t); ok djm
+   - djm@cvs.openbsd.org 2006/04/01 05:50:29
+     [scp.c]
+     xasprintification; ok deraadt@
+   - djm@cvs.openbsd.org 2006/04/01 05:51:34
+     [atomicio.c]
+     ANSIfy; requested deraadt@
+   - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
+     [ssh-keysign.c]
+     sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
+   - djm@cvs.openbsd.org 2006/04/03 07:10:38
+     [gss-genr.c]
+     GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
+     by dleonard AT vintela.com. use xasprintf() to simplify code while in
+     there; "looks right" deraadt@
+   - djm@cvs.openbsd.org 2006/04/16 00:48:52
+     [buffer.c buffer.h channels.c]
+     Fix condition where we could exit with a fatal error when an input
+     buffer became too large and the remote end had advertised a big window.
+     The problem was a mismatch in the backoff math between the channels code
+     and the buffer code, so make a buffer_check_alloc() function that the
+     channels code can use to propsectivly check whether an incremental
+     allocation will succeed.  bz #1131, debugged with the assistance of
+     cove AT wildpackets.com; ok dtucker@ deraadt@
+   - djm@cvs.openbsd.org 2006/04/16 00:52:55
+     [atomicio.c atomicio.h]
+     introduce atomiciov() function that wraps readv/writev to retry
+     interrupted transfers like atomicio() does for read/write;
+     feedback deraadt@ dtucker@ stevesk@ ok deraadt@
+   - djm@cvs.openbsd.org 2006/04/16 00:54:10
+     [sftp-client.c]
+     avoid making a tiny 4-byte write to send the packet length of sftp
+     commands, which would result in a separate tiny packet on the wire by
+     using atomiciov(writev, ...) to write the length and the command in one
+     pass; ok deraadt@
+   - djm@cvs.openbsd.org 2006/04/16 07:59:00
+     [atomicio.c]
+     reorder sanity test so that it cannot dereference past the end of the
+     iov array; well spotted canacar@!
+   - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
+     [bufaux.c bufbn.c Makefile.in]
+     Move Buffer bignum functions into their own file, bufbn.c. This means
+     that sftp and sftp-server (which use the Buffer functions in bufaux.c 
+     but not the bignum ones) no longer need to be linked with libcrypto.
+     ok markus@
+   - djm@cvs.openbsd.org 2006/04/20 09:27:09
+     [auth.h clientloop.c dispatch.c dispatch.h kex.h]
+     replace the last non-sig_atomic_t flag used in a signal handler with a
+     sig_atomic_t, unfortunately with some knock-on effects in other (non-
+     signal) contexts in which it is used; ok markus@
+   - markus@cvs.openbsd.org 2006/04/20 09:47:59
+     [sshconnect.c]
+     simplify; ok djm@
+   - djm@cvs.openbsd.org 2006/04/20 21:53:44
+     [includes.h session.c sftp.c]
+     Switch from using pipes to socketpairs for communication between
+     sftp/scp and ssh, and between sshd and its subprocesses. This saves
+     a file descriptor per session and apparently makes userland ppp over
+     ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
+     decision on a per-platform basis)
+   - djm@cvs.openbsd.org 2006/04/22 04:06:51
+     [uidswap.c]
+     use setres[ug]id() to permanently revoke privileges; ok deraadt@
+     (ID Sync only - portable already uses setres[ug]id() whenever possible)
+   - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
+     [crc32.c]
+     remove extra spaces
+ - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
+   sig_atomic_t
+
+20060421
+ - (djm) [Makefile.in configure.ac session.c sshpty.c]
+   [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
+   [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
+   [openbsd-compat/port-linux.h] Add support for SELinux, setting 
+   the execution and TTY contexts. based on patch from Daniel Walsh,
+   bz #880; ok dtucker@
+
+20060418
+ - (djm) [canohost.c] Reorder IP options check so that it isn't broken
+   by mapped addresses; bz #1179 reported by markw wtech-llc.com;
+   ok dtucker@
+
+20060331
+ - OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
+     [xmalloc.c]
+     we can do the size & nmemb check before the integer overflow check; 
+     evol
+   - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
+     [dh.c]
+     use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
+   - djm@cvs.openbsd.org 2006/03/27 23:15:46
+     [sftp.c]
+     always use a format string for addargs; spotted by mouring@
+   - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
+     [README.tun ssh.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
+     [channels.c]
+     do not accept unreasonable X ports numbers; ok djm
+   - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
+     [ssh-agent.c]
+     use strtonum() to parse the pid from the file, and range check it
+     better; ok djm
+   - djm@cvs.openbsd.org 2006/03/30 09:41:25
+     [channels.c]
+     ARGSUSED for dispatch table-driven functions
+   - djm@cvs.openbsd.org 2006/03/30 09:58:16
+     [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
+     [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
+     replace {GET,PUT}_XXBIT macros with functionally similar functions,
+     silencing a heap of lint warnings. also allows them to use
+     __bounded__ checking which can't be applied to macros; requested
+     by and feedback from deraadt@
+   - djm@cvs.openbsd.org 2006/03/30 10:41:25
+     [ssh.c ssh_config.5]
+     add percent escape chars to the IdentityFile option, bz #1159 based
+     on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
+   - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
+     [ssh-keygen.c]
+     Correctly handle truncated files while converting keys; ok djm@
+   - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
+     [auth.c monitor.c]
+     Prevent duplicate log messages when privsep=yes; ok djm@
+   - jmc@cvs.openbsd.org 2006/03/31 09:09:30
+     [ssh_config.5]
+     kill trailing whitespace;
+   - djm@cvs.openbsd.org 2006/03/31 09:13:56
+     [ssh_config.5]
+     remote user escape is %r not %h; spotted by jmc@
+
+20060326
+ - OpenBSD CVS Sync
+   - jakob@cvs.openbsd.org 2006/03/15 08:46:44
+     [ssh-keygen.c]
+     if no key file are given when printing the DNS host record, use the
+     host key file(s) as default. ok djm@
+   - biorn@cvs.openbsd.org 2006/03/16 10:31:45
+     [scp.c]
+     Try to display errormessage even if remout == -1
+     ok djm@, markus@
+   - djm@cvs.openbsd.org 2006/03/17 22:31:50
+     [authfd.c]
+     another unreachable found by lint
+   - djm@cvs.openbsd.org 2006/03/17 22:31:11
+     [authfd.c]
+     unreachanble statement, found by lint
+   - djm@cvs.openbsd.org 2006/03/19 02:22:32
+     [serverloop.c]
+     memory leaks detected by Coverity via elad AT netbsd.org;
+     ok deraadt@ dtucker@
+   - djm@cvs.openbsd.org 2006/03/19 02:22:56
+     [sftp.c]
+     more memory leaks detected by Coverity via elad AT netbsd.org;
+     deraadt@ ok
+   - djm@cvs.openbsd.org 2006/03/19 02:23:26
+     [hostfile.c]
+     FILE* leak detected by Coverity via elad AT netbsd.org;
+     ok deraadt@
+   - djm@cvs.openbsd.org 2006/03/19 02:24:05
+     [dh.c readconf.c servconf.c]
+     potential NULL pointer dereferences detected by Coverity
+     via elad AT netbsd.org; ok deraadt@
+   - djm@cvs.openbsd.org 2006/03/19 07:41:30
+     [sshconnect2.c]
+     memory leaks detected by Coverity via elad AT netbsd.org;
+     deraadt@ ok
+   - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
+     [servconf.c]
+     Correct strdelim null test; ok djm@
+   - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
+     [auth1.c authfd.c channels.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
+     [kex.c kex.h monitor.c myproposal.h session.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
+     [clientloop.c progressmeter.c serverloop.c sshd.c]
+     ARGSUSED for signal handlers
+   - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
+     [ssh-keyscan.c]
+     please lint
+   - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
+     [ssh.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
+     [authfile.c]
+     whoever thought that break after return was a good idea needs to
+     get their head examimed
+   - djm@cvs.openbsd.org 2006/03/20 04:09:44
+     [monitor.c]
+     memory leaks detected by Coverity via elad AT netbsd.org;
+     deraadt@ ok
+     that should be all of them now
+   - djm@cvs.openbsd.org 2006/03/20 11:38:46
+     [key.c]
+     (really) last of the Coverity diffs: avoid possible NULL deref in
+     key_free. via elad AT netbsd.org; markus@ ok
+   - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
+     [auth.c key.c misc.c packet.c ssh-add.c]
+     in a switch (), break after return or goto is stupid
+   - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
+     [key.c]
+     djm did a typo
+   - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
+     [ssh-rsa.c]
+     in a switch (), break after return or goto is stupid
+   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
+     [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
+     [ssh.c sshpty.c sshpty.h]
+     sprinkle u_int throughout pty subsystem, ok markus
+   - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
+     [auth1.c auth2.c sshd.c]
+     sprinkle some ARGSUSED for table driven functions (which sometimes 
+     must ignore their args)
+   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
+     [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
+     [ssh-rsa.c ssh.c sshlogin.c]
+     annoying spacing fixes getting in the way of real diffs
+   - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
+     [monitor.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
+     [channels.c]
+     x11_fake_data is only ever used as u_char *
+   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
+     [dns.c]
+     cast xstrdup to propert u_char *
+   - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
+     [canohost.c match.c ssh.c sshconnect.c]
+     be strict with tolower() casting
+   - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
+     [channels.c fatal.c kex.c packet.c serverloop.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
+     [ttymodes.c]
+     spacing
+   - djm@cvs.openbsd.org 2006/03/25 00:05:41
+     [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
+     [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
+     [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
+     [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
+     [xmalloc.c xmalloc.h]
+     introduce xcalloc() and xasprintf() failure-checked allocations 
+     functions and use them throughout openssh
+
+     xcalloc is particularly important because malloc(nmemb * size) is a
+     dangerous idiom (subject to integer overflow) and it is time for it 
+     to die
+
+     feedback and ok deraadt@
+   - djm@cvs.openbsd.org 2006/03/25 01:13:23
+     [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
+     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
+     [uidswap.c]
+     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
+     to xrealloc(p, new_nmemb, new_itemsize).
+
+     realloc is particularly prone to integer overflows because it is
+     almost always allocating "n * size" bytes, so this is a far safer 
+     API; ok deraadt@
+   - djm@cvs.openbsd.org 2006/03/25 01:30:23
+     [sftp.c]
+     "abormally" is a perfectly cromulent word, but "abnormally" is better
+   - djm@cvs.openbsd.org 2006/03/25 13:17:03
+     [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
+     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
+     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
+     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
+     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
+     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
+     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
+     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
+     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
+     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
+     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
+     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
+     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
+     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
+     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
+     [uidswap.c uuencode.c xmalloc.c]
+     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
+     Theo nuked - our scripts to sync -portable need them in the files
+   - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
+     [auth-rsa.c authfd.c packet.c]
+     needed casts (always will be needed)
+   - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
+     [clientloop.c serverloop.c]
+     spacing
+   - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
+     [sshlogin.c sshlogin.h]
+     nicer size_t and time_t types
+   - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
+     [ssh-keygen.c]
+     cast strtonum() result to right type
+   - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
+     [ssh-agent.c]
+     mark two more signal handlers ARGSUSED
+   - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
+     [channels.c]
+     use strtonum() instead of atoi() [limit X screens to 400, sorry]
+   - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
+     [bufaux.c channels.c packet.c]
+     remove (char *) casts to a function that accepts void * for the arg
+   - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
+     [channels.c]
+     delete cast not required
+   - djm@cvs.openbsd.org 2006/03/25 22:22:43
+     [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
+     [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
+     [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
+     [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
+     [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
+     [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
+     [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
+     [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
+     [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
+     [ttymodes.h uidswap.h uuencode.h xmalloc.h]
+     standardise spacing in $OpenBSD$ tags; requested by deraadt@
+   - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
+     [uuencode.c]
+     typo
+
+20060325
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2006/03/16 04:24:42
+     [ssh.1]
+     Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
+     that OpenSSH supports
+   - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
+     [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
+     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
+     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
+     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
+     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
+     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
+     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
+     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
+     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
+     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
+     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
+     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
+     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
+     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
+     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
+     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
+     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
+     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
+     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
+     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
+     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
+     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
+     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
+     RCSID() can die
+   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
+     [kex.h myproposal.h]
+     spacing
+   - djm@cvs.openbsd.org 2006/03/20 04:07:22
+     [auth2-gss.c]
+     GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
+     reviewed by simon AT sxw.org.uk; deraadt@ ok
+   - djm@cvs.openbsd.org 2006/03/20 04:07:49
+     [gss-genr.c]
+     more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
+     reviewed by simon AT sxw.org.uk; deraadt@ ok
+   - djm@cvs.openbsd.org 2006/03/20 04:08:18
+     [gss-serv.c]
+     last lot of GSSAPI related leaks detected by Coverity via
+     elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
+   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
+     [monitor_wrap.h sshpty.h]
+     sprinkle u_int throughout pty subsystem, ok markus
+   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
+     [session.h]
+     annoying spacing fixes getting in the way of real diffs
+   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
+     [dns.c]
+     cast xstrdup to propert u_char *
+   - jakob@cvs.openbsd.org 2006/03/22 21:16:24
+     [ssh.1]
+     simplify SSHFP example; ok jmc@
+   - djm@cvs.openbsd.org 2006/03/22 21:27:15
+     [deattack.c deattack.h]
+     remove IV support from the CRC attack detector, OpenSSH has never used
+     it - it only applied to IDEA-CFB, which we don't support.
+     prompted by NetBSD Coverity report via elad AT netbsd.org;
+     feedback markus@ "nuke it" deraadt@
+
+20060318
+ - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
+   elad AT NetBSD.org
+ - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
+   a LLONG rather than a long.  Fixes scp'ing of large files on platforms
+   with missing/broken snprintfs.  Patch from e.borovac at bom.gov.au.
+
+20060316
+ - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
+ - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
+   /usr/include/crypto.  Hint from djm@.
+ - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
+   Disable sha256 when openssl < 0.9.7. Patch from djm@.
+ - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
+   OpenSSL; ok tim
+
+20060315
+ - (djm) OpenBSD CVS Sync:
+   - msf@cvs.openbsd.org 2006/02/06 15:54:07
+     [ssh.1]
+     - typo fix
+     ok jmc@
+   - jmc@cvs.openbsd.org 2006/02/06 21:44:47
+     [ssh.1]
+     make this a little less ambiguous...
+   - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
+     [auth-rhosts.c includes.h]
+     move #include <netgroup.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
+     [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
+     move #include <sys/queue.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
+     [channels.c clientloop.c clientloop.h includes.h packet.h]
+     [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
+     move #include <termios.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
+     [sshtty.c]
+     "log.h" not needed
+   - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
+     [hostfile.c]
+     "packet.h" not needed
+   - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
+     [deattack.c]
+     duplicate #include
+   - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
+     [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
+     [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
+     [sshd.c sshpty.c]
+     move #include <paths.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
+     [includes.h misc.c]
+     move #include <netinet/tcp.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
+     [gss-serv.c monitor.c]
+     small KNF
+   - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
+     [sshconnect.c]
+     <openssl/bn.h> not needed
+   - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
+     [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
+     move #include <sys/resource.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
+     [includes.h packet.c]
+     move #include <netinet/in_systm.h> and <netinet/ip.h> out of
+     includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
+     [includes.h scp.c sftp-glob.c sftp-server.c]
+     move #include <dirent.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
+     [includes.h]
+     #include <sys/endian.h> not needed; ok djm@
+     NB. ID Sync only - we still need this (but it may move later)
+   - jmc@cvs.openbsd.org 2006/02/09 10:10:47
+     [sshd.8]
+     - move some text into a CAVEATS section
+     - merge the COMMAND EXECUTION... section into AUTHENTICATION
+   - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
+     [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
+     [ssh.c sshd.c sshpty.c]
+     move #include <sys/ioctl.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
+     [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
+     [sftp.c sshconnect.c sshconnect2.c sshd.c]
+     move #include <sys/wait.h> out of includes.h; ok markus@
+   - otto@cvs.openbsd.org 2006/02/11 19:31:18
+     [atomicio.c]
+     type correctness; from Ray Lai in PR 5011; ok millert@
+   - djm@cvs.openbsd.org 2006/02/12 06:45:34
+     [ssh.c ssh_config.5]
+     add a %l expansion code to the ControlPath, which is filled in with the
+     local hostname at runtime. Requested by henning@ to avoid some problems
+     with /home on NFS; ok dtucker@
+   - djm@cvs.openbsd.org 2006/02/12 10:44:18
+     [readconf.c]
+     raise error when the user specifies a RekeyLimit that is smaller than 16
+     (the smallest of our cipher's blocksize) or big enough to cause integer
+     wraparound; ok & feedback dtucker@
+   - jmc@cvs.openbsd.org 2006/02/12 10:49:44
+     [ssh_config.5]
+     slight rewording; ok djm
+   - jmc@cvs.openbsd.org 2006/02/12 10:52:41
+     [sshd.8]
+     rework the description of authorized_keys a little;
+   - jmc@cvs.openbsd.org 2006/02/12 17:57:19
+     [sshd.8]
+     sort the list of options permissable w/ authorized_keys;
+     ok djm dtucker
+   - jmc@cvs.openbsd.org 2006/02/13 10:16:39
+     [sshd.8]
+     no need to subsection the authorized_keys examples - instead, convert
+     this to look like an actual file. also use proto 2 keys, and use IETF
+     example addresses;
+   - jmc@cvs.openbsd.org 2006/02/13 10:21:25
+     [sshd.8]
+     small tweaks for the ssh_known_hosts section;
+   - jmc@cvs.openbsd.org 2006/02/13 11:02:26
+     [sshd.8]
+     turn this into an example ssh_known_hosts file; ok djm
+   - jmc@cvs.openbsd.org 2006/02/13 11:08:43
+     [sshd.8]
+     - avoid nasty line split
+     - `*' does not need to be escaped
+   - jmc@cvs.openbsd.org 2006/02/13 11:27:25
+     [sshd.8]
+     sort FILES and use a -compact list;
+   - david@cvs.openbsd.org 2006/02/15 05:08:24
+     [sftp-client.c]
+     typo in comment; ok djm@
+   - jmc@cvs.openbsd.org 2006/02/15 16:53:20
+     [ssh.1]
+     remove the IETF draft references and replace them with some updated RFCs;
+   - jmc@cvs.openbsd.org 2006/02/15 16:55:33
+     [sshd.8]
+     remove ietf draft references; RFC list now maintained in ssh.1;
+   - jmc@cvs.openbsd.org 2006/02/16 09:05:34
+     [sshd.8]
+     sync some of the FILES entries w/ ssh.1;
+   - jmc@cvs.openbsd.org 2006/02/19 19:52:10
+     [sshd.8]
+     move the sshrc stuff out of FILES, and into its own section:
+     FILES is not a good place to document how stuff works;
+   - jmc@cvs.openbsd.org 2006/02/19 20:02:17
+     [sshd.8]
+     sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
+   - jmc@cvs.openbsd.org 2006/02/19 20:05:00
+     [sshd.8]
+     grammar;
+   - jmc@cvs.openbsd.org 2006/02/19 20:12:25
+     [ssh_config.5]
+     add some vertical space;
+   - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
+     [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
+     move #include <sys/un.h> out of includes.h; ok djm@
+   - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
+     [clientloop.c includes.h monitor.c progressmeter.c scp.c]
+     [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
+     move #include <signal.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
+     [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
+     [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
+     [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
+     [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
+     [sshconnect2.c sshd.c sshpty.c]
+     move #include <sys/stat.h> out of includes.h; ok markus@
+   - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
+     [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
+     [sshconnect.c]
+     move #include <ctype.h> out of includes.h; ok djm@
+   - jmc@cvs.openbsd.org 2006/02/24 10:25:14
+     [ssh_config.5]
+     add section on patterns;
+     from dtucker + myself
+   - jmc@cvs.openbsd.org 2006/02/24 10:33:54
+     [sshd_config.5]
+     signpost to PATTERNS;
+   - jmc@cvs.openbsd.org 2006/02/24 10:37:07
+     [ssh_config.5]
+     tidy up the refs to PATTERNS;
+   - jmc@cvs.openbsd.org 2006/02/24 10:39:52
+     [sshd.8]
+     signpost to PATTERNS section;
+   - jmc@cvs.openbsd.org 2006/02/24 20:22:16
+     [ssh-keysign.8 ssh_config.5 sshd_config.5]
+     some consistency fixes;
+   - jmc@cvs.openbsd.org 2006/02/24 20:31:31
+     [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
+     more consistency fixes;
+   - jmc@cvs.openbsd.org 2006/02/24 23:20:07
+     [ssh_config.5]
+     some grammar/wording fixes;
+   - jmc@cvs.openbsd.org 2006/02/24 23:43:57
+     [sshd_config.5]
+     some grammar/wording fixes;
+   - jmc@cvs.openbsd.org 2006/02/24 23:51:17
+     [sshd_config.5]
+     oops - bits i missed;
+   - jmc@cvs.openbsd.org 2006/02/25 12:26:17
+     [ssh_config.5]
+     document the possible values for KbdInteractiveDevices;
+     help/ok dtucker
+   - jmc@cvs.openbsd.org 2006/02/25 12:28:34
+     [sshd_config.5]
+     document the order in which allow/deny directives are processed;
+     help/ok dtucker
+   - jmc@cvs.openbsd.org 2006/02/26 17:17:18
+     [ssh_config.5]
+     move PATTERNS to the end of the main body; requested by dtucker
+   - jmc@cvs.openbsd.org 2006/02/26 18:01:13
+     [sshd_config.5]
+     subsection is pointless here;
+   - jmc@cvs.openbsd.org 2006/02/26 18:03:10
+     [ssh_config.5]
+     comma;
+   - djm@cvs.openbsd.org 2006/02/28 01:10:21
+     [session.c]
+     fix logout recording when privilege separation is disabled, analysis and
+     patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
+     NB. ID sync only - patch already in portable
+   - djm@cvs.openbsd.org 2006/03/04 04:12:58
+     [serverloop.c]
+     move a debug() outside of a signal handler; ok markus@ a little while back
+   - djm@cvs.openbsd.org 2006/03/12 04:23:07
+     [ssh.c]
+     knf nit
+   - djm@cvs.openbsd.org 2006/03/13 08:16:00
+     [sshd.c]
+     don't log that we are listening on a socket before the listen() call
+     actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
+   - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
+     [packet.c]
+     Set TCP_NODELAY for all connections not just "interactive" ones.  Fixes
+     poor performance and protocol stalls under some network conditions (mindrot
+     bugs #556 and #981). Patch originally from markus@, ok djm@
+   - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
+     [ssh-keygen.c]
+     Make ssh-keygen handle CR and CRLF line termination when converting IETF
+     format keys, in adition to vanilla LF.  mindrot #1157, tested by Chris
+     Pepper, ok djm@
+   - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
+     [misc.c ssh_config.5 sshd_config.5]
+     Allow config directives to contain whitespace by surrounding them by double
+     quotes.  mindrot #482, man page help from jmc@, ok djm@
+   - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
+     [authfile.c authfile.h ssh-add.c]
+     Make ssh-add check file permissions before attempting to load private
+     key files multiple times; it will fail anyway and this prevents confusing
+     multiple prompts and warnings.  mindrot #1138, ok djm@
+   - djm@cvs.openbsd.org 2006/03/14 00:15:39
+     [canohost.c]
+     log the originating address and not just the name when a reverse
+     mapping check fails, requested by linux AT linuon.com
+   - markus@cvs.openbsd.org 2006/03/14 16:32:48
+     [ssh_config.5 sshd_config.5]
+     *AliveCountMax applies to protcol v2 only; ok dtucker, djm
+   - djm@cvs.openbsd.org 2006/03/07 09:07:40
+     [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
+     Implement the diffie-hellman-group-exchange-sha256 key exchange method
+     using the SHA256 code in libc (and wrapper to make it into an OpenSSL
+     EVP), interop tested against CVS PuTTY
+     NB. no portability bits committed yet
+ - (djm) [configure.ac defines.h kex.c md-sha256.c]
+   [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
+   [openbsd-compat/sha2.c] First stab at portability glue for SHA256
+   KEX support, should work with libc SHA256 support or OpenSSL
+   EVP_sha256 if present
+ - (djm) [includes.h] Restore accidentally dropped netinet/in.h
+ - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
+ - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
+ - (djm) [regress/.cvsignore] Ignore Makefile here
+ - (djm) [loginrec.c] Need stat.h
+ - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
+   system sha2.h
+ - (djm) [ssh-rand-helper.c] Needs a bunch of headers
+ - (djm) [ssh-agent.c] Restore dropped stat.h
+ - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out 
+   SHA384, which we don't need and doesn't compile without tweaks
+ - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
+   [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
+   [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
+   [openbsd-compat/glob.c openbsd-compat/mktemp.c]
+   [openbsd-compat/readpassphrase.c] Lots of include fixes for
+   OpenSolaris
+ - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
+ - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
+   includes removed from includes.h
+ - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
+ - (djm) [includes.h] Put back paths.h, it is needed in defines.h
+ - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
+   sys/ioctl.h for struct winsize.
+ - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
+
+20060313
+ - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
+   since not all platforms support it.  Instead, use internal equivalent while
+   computing LLONG_MIN and LLONG_MAX.  Remove special case for alpha-dec-osf*
+   as it's no longer required.  Tested by Bernhard Simon, ok djm@
+
+20060304
+ - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
+   file rather than directory, required as Cygwin will be importing lastlog(1).
+   Also tightens up permissions on the file.  Patch from vinschen@redhat.com.
+ - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
+   includes.  Patch from gentoo.riverrat at gmail.com.
+
+20060226
+ - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
+   patch from kraai at ftbfs.org.
+
+20060223
+ - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
+   reality.  Pointed out by tryponraj at gmail.com.
+
+20060222
+ - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
+   compile in compat code if required.
+
+20060221
+ - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
+   redefinition of SSLeay_add_all_algorithms.
+
+20060220
+ - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
+   Add optional enabling of OpenSSL's (hardware) Engine support, via
+   configure --with-ssl-engine.  Based in part on a diff by michal at
+   logix.cz.
+
+20060219
+ - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
+   Add first attempt at regress tests for compat library.  ok djm@
+
+20060214
+ - (tim) [buildpkg.sh.in] Make the names consistent.
+   s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
+
+20060212
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
+   to silence compiler warning, from vinschen at redhat.com.
+ - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
+ - (dtucker) [README version.h contrib/caldera/openssh.spec
+   contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
+   strings to match 4.3p2 release.
 
 20060208
  - (tim) [session.c] Logout records were not updated on systems with
    post auth privsep disabled due to bug 1086 changes. Analysis and patch
    by vinschen at redhat.com. OK tim@, dtucker@.
  - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
-   -> NEED_SETPGRP), reported by Berhard Simon.  ok tim@
+   -> NEED_SETPGRP), reported by Bernhard Simon.  ok tim@
 
 20060206
  - (tim) [configure.ac] Remove unnecessary tests for net/if.h and 
@@ -860,3019 +2816,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-20050901
- - (djm) Update RPM spec file versions
-
-20050831
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2005/08/30 22:08:05
-     [gss-serv.c sshconnect2.c]
-     destroy credentials if krb5_kuserok() call fails. Stops credentials being
-     delegated to users who are not authorised for GSSAPIAuthentication when
-     GSSAPIDeletegateCredentials=yes and another authentication mechanism 
-     succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by 
-     simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
-   - markus@cvs.openbsd.org 2005/08/31 09:28:42
-     [version.h]
-     4.2
- - (dtucker) [README] Update release note URL to 4.2
- - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
-   openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
-   libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
-   Feedback and OK dtucker@
-
-20050830
- - (tim) [configure.ac] Back out last change. It needs to be done differently.
-
-20050829
- - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
-   password support to 7.x for now.
-
-20050826
- - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
-   openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
-   openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
-   openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
-   on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
-   by tim@. Feedback and OK dtucker@
-
-20050823
- - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
-   qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
-   and "//foo" to be different.  Spotted by vinschen at redhat.com.
- - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
-   and OK dtucker@
- - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
-
-20050821
- - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
-   LynxOS, patch from Olli Savia (ops at iki.fi).  ok djm@
-
-20050816
- - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
-   from Jacob Nevins; ok dtucker@
-
-20050815
- - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
- - (tim) [configure.ac] corrections to libedit tests. Report and patches
-   by skeleten AT shillest.net
-
-20050812
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2005/07/28 17:36:22
-     [packet.c]
-     missing packet_init_compression(); from solar
-   - djm@cvs.openbsd.org 2005/07/30 01:26:16
-     [ssh.c]
-     fix -D listen_host initialisation, so it picks up gateway_ports setting
-     correctly
-   - djm@cvs.openbsd.org 2005/07/30 02:03:47
-     [readconf.c]
-     listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
-   - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
-     [servconf.c]
-     Unbreak sshd ListenAddress for bare IPv6 addresses.
-     Report from Janusz Mucka; ok djm@
-   - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
-     [sftp.c]
-     sftp prompt enhancements:
-     - in non-interactive mode, do not print an empty prompt at the end
-       before finishing
-     - print newline after EOF in editline mode
-     - call el_end() in editline mode
-     ok dtucker djm
-
-20050810
- - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
-   Report from skeleten AT shillest.net, ok djm@
- - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
-   Sync current (thread-safe) version of realpath.c from OpenBSD (which is
-   in turn based on FreeBSD's).  ok djm@
-
-20050809
- - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
-   Report by skeleten AT shillest.net
-
-20050803
- - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
-   individually and use a value less likely to collide with real values from
-   netdb.h.  Fixes compile warnings on FreeBSD 5.3.  ok djm@
- - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
-   latter is specified in the standard.
-
-20050802
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
-     [scp.c hostfile.c sftp-client.c]
-     Silence bogus -Wuninitialized warnings; ok djm@
- - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
-   with gcc.  ok djm@
- - (dtucker) [configure.ac] Add a --with-Werror option to configure for
-   adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
-
-20050726
- - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
-   tim@.
- - (djm) OpenBSD CVS Sync
-   - otto@cvs.openbsd.org 2005/07/19 15:32:26
-     [auth-passwd.c]
-     auth_usercheck(3) can return NULL, so check for that. Report from
-     mpech@. ok markus@
-   - markus@cvs.openbsd.org 2005/07/25 11:59:40
-     [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
-     [sshconnect2.c sshd.c sshd_config sshd_config.5]
-     add a new compression method that delays compression until the user
-     has been authenticated successfully and set compression to 'delayed'
-     for sshd.
-     this breaks older openssh clients (< 3.5) if they insist on
-     compression, so you have to re-enable compression in sshd_config.
-     ok djm@
-
-20050725
- - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
-
-20050717
-- OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2005/07/16 01:35:24
-     [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
-     [sshconnect.c]
-     spacing
- - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
-   [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL 
-   in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
- - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
-   - djm@cvs.openbsd.org 2005/07/17 06:49:04
-     [channels.c channels.h session.c session.h]
-     Fix a number of X11 forwarding channel leaks:
-     1. Refuse multiple X11 forwarding requests on the same session
-     2. Clean up all listeners after a single_connection X11 forward, not just
-        the one that made the single connection
-     3. Destroy X11 listeners when the session owning them goes away
-     testing and ok dtucker@
-   - djm@cvs.openbsd.org 2005/07/17 07:17:55
-     [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
-     [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
-     [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
-     [sshconnect.c sshconnect2.c]
-     knf says that a 2nd level indent is four (not three or five) spaces
- -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
-  [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
- - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
- 
-20050716
- - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
-   socketpair stays open on in both the monitor and PAM process.  Patch from
-   Joerg Sonnenberger.
-
-20050714
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
-     [ssh.1]
-     clarify meaning of ssh -b ; with & ok jmc@
-   - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
-     [misc.c]
-     Make comment match code; ok djm@
-   - markus@cvs.openbsd.org 2005/07/08 09:41:33
-     [channels.h]
-     race when efd gets closed while there is still buffered data:
-     change CHANNEL_EFD_OUTPUT_ACTIVE()
-        1) c->efd must always be valid AND
-        2a) no EOF has been seen OR
-        2b) there is buffered data
-     report, initial fix and testing Chuck Cranor
-   - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
-     [ssh_config.5]
-     change BindAddress to match recent ssh -b change; prompted by markus@
-   - jmc@cvs.openbsd.org 2005/07/08 12:53:10
-     [ssh_config.5]
-     new sentence, new line;
-   - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
-     [misc.h]
-     use __sentinel__ attribute; ok deraadt@ djm@ markus@
- - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
-   compiler doesn't understand it to prevent warnings.  If any mainstream
-   compiler versions acquire it we can test for those versions.  Based on
-   discussion with djm@.
-
-20050707
- - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
-   the MIT Kerberos code path into a common function and expand mkstemp
-   template to be consistent with the rest of OpenSSH.  From sxw at
-   inf.ed.ac.uk, ok djm@
- - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
-   in the case where the buffer is insufficient, so always return ENOMEM.
-   Also pointed out by sxw at inf.ed.ac.uk.
- - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
-   calls to krb5_init_ets, which has not been required since krb-1.1.x and
-   most Kerberos versions no longer export in their public API.  From sxw
-   at inf.ed.ac.uk, ok djm@
-
-20050706
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2005/07/01 13:19:47
-     [channels.c]
-     don't free() if getaddrinfo() fails; report mpech@
-   - djm@cvs.openbsd.org 2005/07/04 00:58:43
-     [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
-     implement support for X11 and agent forwarding over multiplex slave
-     connections. Because of protocol limitations, the slave connections inherit
-     the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
-     their own.
-     ok dtucker@ "put it in" deraadt@
-   - jmc@cvs.openbsd.org 2005/07/04 11:29:51
-     [ssh_config.5]
-     fix Xr and a little grammar;
-   - markus@cvs.openbsd.org 2005/07/04 14:04:11
-     [channels.c]
-     don't forget to set x11_saved_display
-
-20050626
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2005/06/17 22:53:47
-     [ssh.c sshconnect.c]
-     Fix ControlPath's %p expanding to "0" for a default port,
-     spotted dwmw2 AT infradead.org; ok markus@
-   - djm@cvs.openbsd.org 2005/06/18 04:30:36
-     [ssh.c ssh_config.5]
-     allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
-   - djm@cvs.openbsd.org 2005/06/25 22:47:49
-     [ssh.c]
-     do the default port filling code a few lines earlier, so it really 
-     does fix %p
-
-20050618
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2005/05/20 12:57:01;
-   [auth1.c] split protocol 1 auth methods into separate functions, makes 
-   authloop much more readable; fixes and ok markus@ (portable ok & 
-   polish dtucker@)
-   - djm@cvs.openbsd.org 2005/06/17 02:44:33
-   [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
- - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
-   tested and fixes tim@
-
-20050617
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2005/06/16 03:38:36
-     [channels.c channels.h clientloop.c clientloop.h ssh.c]
-     move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd
-     easier later; ok deraadt@
-   - markus@cvs.openbsd.org 2005/06/16 08:00:00
-     [canohost.c channels.c sshd.c]
-     don't exit if getpeername fails for forwarded ports; bugzilla #1054;
-     ok djm
-   - djm@cvs.openbsd.org 2005/06/17 02:44:33
-     [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
-     [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
-     [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
-     [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
-     [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
-     make this -Wsign-compare clean; ok avsm@ markus@
-     NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
-     NB2. more work may be needed to make portable Wsign-compare clean
- - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
-   openbsd-compat/openssl-compat.c] only include openssl compat stuff where
-   it's needed as it can cause conflicts elsewhere (eg xcrypt.c).  Found by
-   and ok tim@
-
-20050616
- - (djm) OpenBSD CVS Sync
-   - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
-     [progressmeter.c]
-     catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
-   - djm@cvs.openbsd.org 2005/06/06 11:20:36
-     [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
-     introduce a generic %foo expansion function. replace existing % expansion 
-     and add expansion to ControlPath; ok markus@
-   - djm@cvs.openbsd.org 2005/06/08 03:50:00
-     [ssh-keygen.1 ssh-keygen.c sshd.8]
-     increase default rsa/dsa key length from 1024 to 2048 bits;
-     ok markus@ deraadt@
-   - djm@cvs.openbsd.org 2005/06/08 11:25:09
-     [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
-     add ControlMaster=auto/autoask options to support opportunistic
-     multiplexing; tested avsm@ and jakob@, ok markus@
-   - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
-     [cipher.c]
-     Correctly initialize end of array sentinel; ok djm@
-     (Id sync only, change already in portable)
-
-20050609
- - (dtucker) [cipher.c openbsd-compat/Makefile.in
-   openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
-   Move compatibility code for supporting older OpenSSL versions to the
-   compat layer.  Suggested by and "no objection" djm@
-
-20050607
- - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
-   in today's episode we attempt to coax it from limits.h where it may be
-   hiding, failing that we take the DIY approach.  Tested by tim@
-
-20050603
- - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
-   defined, and check that it helps before keeping it in CFLAGS.  Some old
-   gcc's don't set an error code when encountering an unknown value in -std.
-   Found and tested by tim@.
- - (dtucker) [configure.ac] Point configure's reporting address at the
-   openssh-unix-dev list.  ok tim@ djm@
-
-20050602
- - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
-   Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
-   to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
-   must be run on all platforms) Add missing ;; to case statement. OK dtucker@
-
-20050601
- - (dtucker) [configure.ac] Look for _getshort and _getlong in
-   arpa/nameser.h.
- - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
-   Add strtoll to the compat library, from OpenBSD.
- - (dtucker) OpenBSD CVS Sync
-   - avsm@cvs.openbsd.org 2005/05/26 02:08:05
-     [scp.c]
-     If copying multiple files to a target file (which normally fails, as it
-     must be a target directory), kill the spawned ssh child before exiting.
-     This stops it trying to authenticate and spewing lots of output.
-     deraadt@ ok
-   - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
-     [ssh-keygen.c]
-     uint32_t -> u_int32_t for consistency; ok djm@
-   - djm@cvs.openbsd.org 2005/05/27 08:30:37
-     [ssh.c]
-     fix -O for cases where no ControlPath has been specified or socket at
-     ControlPath is not contactable; spotted by and ok avsm@
- - (tim) [config.guess config.sub] Update to '2005-05-27' version.
- - (tim) [configure.ac] set TEST_SHELL for OpenServer 6
-
-20050531
- - (dtucker) [contrib/aix/pam.conf] Correct comments.  From davidl at
-   vintela.com.
- - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
-
-20050530
- - (dtucker) [README] Link to new release notes.  Beter late than never...
-
-20050529
- - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
-   argument to passwdexpired to be initialized to NULL.  Suggested by tim@
-   While at it, initialize the other arguments to auth functions in case they
-   ever acquire this behaviour.
- - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
- - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
-   spotted by tim@.
-
-20050528
- - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
-   one entry per line to make it easier to merge changes.  ok djm@
- - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
-   for its presence and include it in the strsep check.
- - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
-   its presence before doing AC_FUNC_GETPGRP.
- - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
-   version-specific variations as required.
- - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
-   per the autoconf man page.  Configure should always define them but it
-   doesn't hurt to check.
-
-20050527
- - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
-   David Leach; ok dtucker@
- - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
-   openbsd-compat/bsd-misc.c] Add support for Ultrix.  No, that's not a typo.
-   Required changes from Bernhard Simon, integrated by me.  ok djm@
-
-20050525
- - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not 
-   been used for a while
- - (djm) OpenBSD CVS Sync
-   - otto@cvs.openbsd.org 2005/04/05 13:45:31
-     [ssh-keygen.c]
-   - djm@cvs.openbsd.org 2005/04/06 09:43:59
-     [sshd.c]
-     avoid harmless logspam by not performing setsockopt() on non-socket;
-     ok markus@
-   - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
-     [ssh.c]
-     Fix debug call for port forwards; patch from pete at seebeyond.com,
-     ok djm@ (ID sync only - change already in portable)
-   - djm@cvs.openbsd.org 2005/04/09 04:32:54
-     [misc.c misc.h tildexpand.c Makefile.in]
-     replace tilde_expand_filename with a simpler implementation, ahead of
-     more whacking; ok deraadt@
-   - jmc@cvs.openbsd.org 2005/04/14 12:30:30
-     [ssh.1]
-     arg to -b is an address, not if_name;
-     ok markus@
-   - jakob@cvs.openbsd.org 2005/04/20 10:05:45
-     [dns.c]
-     do not try to look up SSHFP for numerical hostname. ok djm@
-   - djm@cvs.openbsd.org 2005/04/21 06:17:50
-     [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
-     [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
-     variable, so don't say that we do (bz #623); ok deraadt@
-   - djm@cvs.openbsd.org 2005/04/21 11:47:19
-     [ssh.c]
-     don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
-     ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
-   - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
-     [readpass.c]
-     Add debug message if read_passphrase can't open /dev/tty; bz #471;
-     ok djm@
-   - jmc@cvs.openbsd.org 2005/04/26 12:59:02
-     [sftp-client.h]
-     spelling correction in comment from wiz@netbsd;
-   - jakob@cvs.openbsd.org 2005/04/26 13:08:37
-     [ssh.c ssh_config.5]
-     fallback gracefully if client cannot connect to ControlPath. ok djm@
-   - moritz@cvs.openbsd.org 2005/04/28 10:17:56
-     [progressmeter.c ssh-keyscan.c]
-     add snprintf checks. ok djm@ markus@
-   - markus@cvs.openbsd.org 2005/05/02 21:13:22
-     [readpass.c]
-     missing {}
-   - djm@cvs.openbsd.org 2005/05/10 10:28:11
-     [ssh.c]
-     print nice error message for EADDRINUSE as well (ID sync only)
-   - djm@cvs.openbsd.org 2005/05/10 10:30:43
-     [ssh.c]
-     report real errors on fallback from ControlMaster=no to normal connect
-   - markus@cvs.openbsd.org 2005/05/16 15:30:51
-     [readconf.c servconf.c]
-     check return value from strdelim() for NULL (AddressFamily); mpech
-   - djm@cvs.openbsd.org 2005/05/19 02:39:55
-     [sshd_config.5]
-     sort config options, from grunk AT pestilenz.org; ok jmc@
-   - djm@cvs.openbsd.org 2005/05/19 02:40:52
-     [sshd_config]
-     whitespace nit, from grunk AT pestilenz.org
-   - djm@cvs.openbsd.org 2005/05/19 02:42:26
-     [includes.h]
-     fix cast, from grunk AT pestilenz.org
-   - djm@cvs.openbsd.org 2005/05/20 10:50:55
-     [ssh_config.5]
-     give a ProxyCommand example using nc(1), with and ok jmc@
-   - jmc@cvs.openbsd.org 2005/05/20 11:23:32
-     [ssh_config.5]
-     oops - article and spacing;
-   - avsm@cvs.openbsd.org 2005/05/23 22:44:01
-     [moduli.c ssh-keygen.c]
-     - removes signed/unsigned comparisons in moduli generation
-     - use strtonum instead of atoi where its easier
-     - check some strlcpy overflow and fatal instead of truncate
-   - djm@cvs.openbsd.org 2005/05/23 23:32:46
-     [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
-     add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
-     ok markus@
-   - avsm@cvs.openbsd.org 2005/05/24 02:05:09
-     [ssh-keygen.c]
-     some style nits from dmiller@, and use a fatal() instead of a printf()/exit
-   - avsm@cvs.openbsd.org 2005/05/24 17:32:44
-     [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
-     [ssh-keyscan.c sshconnect.c]
-     Switch atomicio to use a simpler interface; it now returns a size_t
-     (containing number of bytes read/written), and indicates error by
-     returning 0.  EOF is signalled by errno==EPIPE.
-     Typical use now becomes:
-
-     if (atomicio(read, ..., len) != len)
-             err(1,"read");
-
-     ok deraadt@, cloder@, djm@
- - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
-   Cygwin.
- - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
-   warning: dereferencing type-punned pointer will break strict-aliasing rules
-   warning: passing arg 3 of `pam_get_item' from incompatible pointer type
-   The type-punned pointer fix is based on a patch from SuSE's rpm.  ok djm@
- - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
-   templates for _getshort and _getlong if missing to prevent compiler warnings
-   on Linux.
- - (djm) [configure.ac openbsd-compat/Makefile.in]
-         [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
-         Add strtonum(3) from OpenBSD libc, new code needs it. 
-         Unfortunately Linux forces us to do a bizarre dance with compiler
-         options to get LLONG_MIN/MAX; Spotted by and ok dtucker@ 
-
-20050524
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-         [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
- - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
-   that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
-   idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK.  Attempting to use
-   USE_POSIX_THREADS will now generate an error so we don't silently change
-   behaviour.  ok djm@
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
-   allocation when retrieving core Windows environment.  Add CYGWIN variable
-   to propagated variables.  Patch from vinschen at redhat.com, ok djm@
- - Release 4.1p1
-
-20050524
- - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
-   terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
-   "looks ok" dtucker@
-
-20050510
- - (srivasta) [selinux.c] if selinux is enabled, then provide funtions to
-    initialize the pty and execution context for ssh.
- - (srivasta) [selinux.h] if SELinux is defined, add function prototypes for
-    functions, or make them null ops.
- - (srivasta) [sshpty.c] include selinuh.h
-   pty_setowner: set up the selinux pty correcty.
- - (srivasta) [session.c] include selinuh.h
-   do_setusercontext: set up proper execution context for SELinux.
- - (srivasta) [monitor_wrap.h] Add function prototype for new function to
-    inform the privileged process about role.
- - (srivasta) [monitor_wrap.c]  (mm_inform_authrole) Inform the privileged
-    process about role.
- - (srivasta) [monitor.h] Add a new monitor request type for auth roles.
- - (srivasta) [monitor.c] (mm_answer_authrole) Add nre function to deal withe
-   the new authorization role, and add a new monitor request type.
- - (srivasta) [contrib/redhat/sshd.init]  (PID_FILE)restore the proper security
-   file context of the generated public keys.
- - (srivasta) [configure.ac]  (HAVE_HEADER_AD)Add an SELinux option
- - (srivasta) [auth2.c]  (input_userauth_request)Handle the new role member
- - (srivasta) [auth1.c]  (do_authentication)Handle the new role member
- - (srivasta) [auth.h] Added a role member in struct Authctxt
- - (srivasta) [Makefile.in (SSHDOBJS)] Add selinux.o
-
-20050512
- - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
-   hard link section. Bug 1038.
-
-20050509
- - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a
-   user-mode mounts in Cygwin installation.  Patch from vinschen at redhat.com.
-
-20050504
- - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
-   unix domain socket, so catch that too; from jakob@ ok dtucker@
-
-20050503
- - (dtucker) [canohost.c] normalise socket addresses returned by
-   get_remote_hostname().  This means that IPv4 addresses in log messages
-   on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
-   AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
-   addresses only for 4-in-6 mapped connections, regardless of whether
-   or not the machine is IPv6 enabled.  ok djm@
-
-20050425
- - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
-   existence of a process since it's more portable.  Found by jbasney at
-   ncsa.uiuc.edu; ok tim@
- - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
-   will clean up anyway.  From tim@
- - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
-   "make tests" works even if you're building on a filesystem that doesn't
-   support sockets.  From deengert at anl.gov, ok djm@
-
-20050424
- - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
-   1.2.1.2 or higher.  With tim@, ok djm@
-
-20050423
- - (tim) [config.guess] Add support for OpenServer 6.
-
-20050421
- - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
-   UseLogin is set as PAM is not used to establish credentials in that
-   case.  Found by Michael Selvesteen, ok djm@
-
-20050419
- - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
-   requirements.  Pointed out by Bengt Svensson.
- - (dtucker) [INSTALL] Put the s/key text and URL back together.
- - (dtucker) [INSTALL] Fix s/key text too.
-
-20050411
- - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME
-
-20050405
- - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it.  ok djm@
- - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
-   Tru64.  Patch from cmadams at hiwaay.net.
- - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
-   sys_auth_passwd, pointed out by cmadams at hiwaay.net.
-
-20050403
- - (djm) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
-     [scp.c]
-     copy argv[] element instead of smashing the one that ps will see; ok otto
-   - djm@cvs.openbsd.org 2005/04/02 12:41:16
-     [scp.c]
-     since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror
-     build
- - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
-   will free as needed.  ok tim@ djm@
-
-20050331
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/03/16 11:10:38
-     [ssh_config.5]
-     get the syntax right for {Local,Remote}Forward;
-     based on a diff from markus;
-     problem report from ponraj;
-     ok dtucker@ markus@ deraadt@
-   - markus@cvs.openbsd.org 2005/03/16 21:17:39
-     [version.h]
-     4.1
-   - jmc@cvs.openbsd.org 2005/03/18 17:05:00
-     [sshd_config.5]
-     typo;
- - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
-   handling of password expiry messages returned by AIX's authentication
-   routines, originally reported by robvdwal at sara.nl.
- - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
-   message on some platforms.  Patch from pete at seebeyond.com via djm.
- - (dtucker) [monitor.c] Remaining part of fix for bug #1006.
-
-20050329
- - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
-   interested in which is much faster in large (eg LDAP or NIS) environments.
-   Patch from dleonard at vintela.com.
-
-20050321
- - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
-   and -Lyes to CFLAGS and LIBS.  Pointed out by peter at slagheap.net,
-   with & ok tim@
- - (dtucker) [configure.ac] Make configure error out if the user specifies
-   --with-libedit but the required libs can't be found, rather than silently
-   ignoring and continuing.  ok tim@
- - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
-   of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.
-
-20050317
- - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
-   Make --without-opensc work.
- - (tim) [configure.ac] portability changes on test statements. Some shells
-   have problems with -a operator.
- - (tim) [configure.ac] make some configure options a little more error proof.
- - (tim) [configure.ac] remove trailing white space.
-
-20050314
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
-     [readconf.c]
-     Check listen addresses for null, prevents xfree from dying during
-     ClearAllForwardings (bz #996).  From  Craig Leres, ok markus@
-   - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
-     [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
-     monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
-     readconf.c bufaux.c sftp.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
-     [auth-options.c]
-     spacing
-   - markus@cvs.openbsd.org 2005/03/11 14:59:06
-     [ssh-keygen.c]
-     typo, missing \n; mpech
-   - jmc@cvs.openbsd.org 2005/03/12 11:55:03
-     [ssh_config.5]
-     escape `.' at eol to avoid double spacing issues;
-   - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
-     [ssh-keygen.1]
-     Correct description of -H (bz #997);  ok markus@, punctuation jmc@
-   - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
-     [auth.c]
-     Populate host for log message for logins denied by AllowUsers and
-     DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
-   - markus@cvs.openbsd.org 2005/03/14 11:46:56
-     [buffer.c buffer.h channels.c]
-     limit input buffer size for channels; bugzilla #896; with and ok dtucker@
- - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
-   with a rpm -F
-
-20050313
- - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
-   localized name of the local administrators group more reliable.  From
-   vinschen at redhat.com.
-
-20050312
- - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
-   output ends up in the client's output, causing regress failures.  Found
-   by Corinna Vinschen.
-
-20050309
- - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
-   so that regress tests behave.  From Chris Adams.
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/03/07 23:41:54
-     [ssh.1 ssh_config.5]
-     more macro simplification;
-   - djm@cvs.openbsd.org 2005/03/08 23:49:48
-     [version.h]
-     OpenSSH 4.0
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 
-   [contrib/suse/openssh.spec] Update spec file versions
- - (djm) [log.c] Fix dumb syntax error; ok dtucker@
- - (djm) Release OpenSSH 4.0p1
-
-20050307
- - (dtucker) [configure.ac] Disable gettext search when configuring with
-   BSM audit support for the time being.  ok djm@
- - (dtucker) OpenBSD CVS Sync (regress/)
-   - fgsch@cvs.openbsd.org 2004/12/10 01:31:30
-     [Makefile sftp-glob.sh]
-     some globbing regress; prompted and ok djm@
-   - david@cvs.openbsd.org 2005/01/14 04:21:18
-     [Makefile test-exec.sh]
-     pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@
-   - dtucker@cvs.openbsd.org 2005/02/27 11:33:30
-     [multiplex.sh test-exec.sh sshd-log-wrapper.sh]
-     Add optional capability to log output from regress commands; ok markus@
-     Use with: make TEST_SSH_LOGFILE=/tmp/regress.log
-   - djm@cvs.openbsd.org 2005/02/27 23:13:36
-     [login-timeout.sh]
-     avoid nameservice lookups in regress test; ok dtucker@
-   - djm@cvs.openbsd.org 2005/03/04 08:48:46
-     [Makefile envpass.sh]
-     regress test for SendEnv config parsing bug; ok dtucker@
- - (dtucker) [regress/test-exec.sh] Put SUDO in the right place.
- - (tim) [configure.ac] SCO 3.2v4.2 no longer supported.
-
-20050306
- - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor
-   when attempting to audit disconnect events.  Reported by Phil Dibowitz.
- - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit
-   events earlier, prevents mm_request_send errors reported by Matt Goebel.
-
-20050305
- - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch 
-   from vinschen at redhat.com
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/03/02 11:45:01
-     [ssh.1]
-     missing word;
-   - djm@cvs.openbsd.org 2005/03/04 08:48:06
-     [readconf.c]
-     fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@
-
-20050302
- - (djm) OpenBSD CVS sync:
-   - jmc@cvs.openbsd.org 2005/03/01 14:47:58
-     [ssh.1]
-     remove some unneccesary macros;
-     do not mark up punctuation;
-   - jmc@cvs.openbsd.org 2005/03/01 14:55:23
-     [ssh_config.5]
-     do not mark up punctuation;
-     whitespace;
-   - jmc@cvs.openbsd.org 2005/03/01 14:59:49
-     [sshd.8]
-     new sentence, new line;
-     whitespace;
-   - jmc@cvs.openbsd.org 2005/03/01 15:05:00
-     [ssh-keygen.1]
-     whitespace;
-   - jmc@cvs.openbsd.org 2005/03/01 15:47:14
-     [ssh-keyscan.1 ssh-keyscan.c]
-     sort options and sync usage();
-   - jmc@cvs.openbsd.org 2005/03/01 17:19:35
-     [scp.1 sftp.1]
-     add HashKnownHosts to -o list;
-     ok markus@
-   - jmc@cvs.openbsd.org 2005/03/01 17:22:06
-     [ssh.c]
-     sync usage() w/ man SYNOPSIS;
-     ok markus@
-   - jmc@cvs.openbsd.org 2005/03/01 17:32:19
-     [ssh-add.1]
-     sort options;
-   - jmc@cvs.openbsd.org 2005/03/01 18:15:56
-     [ssh-keygen.1]
-     sort options (no attempt made at synopsis clean up though);
-     spelling (occurance -> occurrence);
-     use prompt before examples;
-     grammar;
-   - djm@cvs.openbsd.org 2005/03/02 01:00:06
-     [sshconnect.c]
-     fix addition of new hashed hostnames when CheckHostIP=yes;
-     found and ok dtucker@
-   - djm@cvs.openbsd.org 2005/03/02 01:27:41
-     [ssh-keygen.c]
-     ignore hostnames with metachars when hashing; ok deraadt@
-   - djm@cvs.openbsd.org 2005/03/02 02:21:07
-     [ssh.1]
-     bz#987: mention ForwardX11Trusted in ssh.1,
-     reported by andrew.benham AT thus.net; ok deraadt@
- - (tim) [regress/agent-ptrace.sh] add another possible gdb error.
-
-20050301
- - (djm) OpenBSD CVS sync:
-   - otto@cvs.openbsd.org 2005/02/16 09:56:44
-     [ssh.c]
-     Better diagnostic if an identity file is not accesible. ok markus@ djm@
-   - djm@cvs.openbsd.org 2005/02/18 03:05:53
-     [canohost.c]
-     better error messages for getnameinfo failures; ok dtucker@
-   - djm@cvs.openbsd.org 2005/02/20 22:59:06
-     [sftp.c]
-     turn on ssh batch mode when in sftp batch mode, patch from 
-     jdmossh AT nand.net;
-     ok markus@
-   - jmc@cvs.openbsd.org 2005/02/25 10:55:13
-     [sshd.8]
-     add /etc/motd and $HOME/.hushlogin to FILES;
-     from michael knudsen;
-   - djm@cvs.openbsd.org 2005/02/28 00:54:10
-     [ssh_config.5]
-     bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
-     orion AT cora.nwra.com; ok markus@
-   - djm@cvs.openbsd.org 2005/03/01 10:09:52
-     [auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
-     [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
-     [sshd_config.5]
-     bz#413: allow optional specification of bind address for port forwardings.
-     Patch originally by Dan Astorian, but worked on by several people
-     Adds GatewayPorts=clientspecified option on server to allow remote 
-     forwards to bind to client-specified ports.
-   - djm@cvs.openbsd.org 2005/03/01 10:40:27
-     [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5]
-     [sshconnect.c sshd.8]
-     add support for hashing host names and addresses added to known_hosts
-     files, to improve privacy of which hosts user have been visiting; ok 
-     markus@ deraadt@
-   - djm@cvs.openbsd.org 2005/03/01 10:41:28
-     [ssh-keyscan.1 ssh-keyscan.c]
-     option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
-   - djm@cvs.openbsd.org 2005/03/01 10:42:49
-     [ssh-keygen.1 ssh-keygen.c ssh_config.5]
-     add tools for managing known_hosts files with hashed hostnames, including
-     hashing existing files and deleting hosts by name; ok markus@ deraadt@
-
-20050226
- - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
-   Remove two obsolete Cygwin #ifdefs.  Patch from vinschen at redhat.com.
- - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
-   Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
-   more.  Patch from vinschen at redhat.com.
- - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the
-   binaries without the config files.  Primarily useful for packaging.
-   Patch from phil at usc.edu.  ok djm@
-
-20050224
- - (djm) [configure.ac] in_addr_t test needs sys/types.h too
-
-20050222
- - (dtucker) [uidswap.c] Skip uid restore test on Cygwin.  Patch from
-   vinschen at redhat.com.
-
-20050220
- - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
-   defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support.  Configure
-   --with-audit=bsm to enable.  Patch originally from Sun Microsystems,
-   parts by John R. Jackson.  ok djm@
- - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
-   unrelated platforms to be configured incorrectly.
-
-20050216
- - (djm) write seed to temporary file and atomically rename into place; 
-   ok dtucker@
- - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
-   via mkstemp in some configurations.  ok djm@
- - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
-   by the system headers.
- - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
-   Unix; prevents problems relating to the location of -lresolv in the
-   link order.
- - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
-   authentication early enough to be available to PAM session modules when
-   privsep=yes.  Patch from deengert at anl.gov, ok'ed in principle by Sam
-   Hartman and similar to Debian's ssh-krb5 package.
- - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
-   compiler warnings on AIX.
-
-20050215
- - (dtucker) [config.sh.in] Collect oslevel -r too.
- - (dtucker) [README.platform auth.c configure.ac loginrec.c
-   openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
-   on AIX where possible (see README.platform for details) and work around
-   a misfeature of AIX's getnameinfo.  ok djm@
- - (dtucker) [loginrec.c] Add missing #include.
-
-20050211
- - (dtucker) [configure.ac] Tidy up configure --help output.
- - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.
-
-20050210
- - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
-   --disable-etc-default-login configure option.
-
-20050209
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
-     [ssh_config]
-     Make it clear that the example entries in ssh_config are only some of the
-     commonly-used options and refer the user to ssh_config(5) for more
-     details; ok djm@
-   - jmc@cvs.openbsd.org 2005/01/28 15:05:43
-     [ssh_config.5]
-     grammar;
-   - jmc@cvs.openbsd.org 2005/01/28 18:14:09
-     [ssh_config.5]
-     wording;
-     ok markus@
-   - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
-     [monitor.c]
-     Make code match intent; ok djm@
-   - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
-     [sshd.c]
-     Provide reason in error message if getnameinfo fails; ok markus@
- - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
-   disable_forwarding() from compat library. Prevent linker errrors trying
-   to resolve it for binaries other than sshd.  ok djm@
- - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
-   paths.  ok djm@
- - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
-   the username to be passed to the passwd command when changing expired
-   passwords.  ok djm@
-
-20050208
- - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
-   regress tests so newer versions of GNU head(1) behave themselves.  Patch
-   by djm, so ok me.
- - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
- - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
-   monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
-   defines and enums with SSH_ to prevent namespace collisions on some
-   platforms (eg AIX).
-
-20050204
- - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
- - (dtucker) [auth.c] Fix parens in audit log check.
-
-20050202
- - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
-   rev 1.11 from OpenBSD and make it use fchdir if available.  ok djm@
- - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
-   Make record_failed_login() call provide hostname rather than having the
-   implementations having to do lookups themselves.  Only affects AIX and
-   UNICOS (the latter only uses the "user" parameter anyway).  ok djm@
- - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
-   the process.  Since we also unset KRB5CCNAME at startup, if it's set after
-   authentication it must have been set by the platform's native auth system.
-   This was already done for AIX; this enables it for the general case.
- - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
-   Bug #974: Teach sshd to write failed login records to btmp for failed auth
-   attempts (currently only for password, kbdint and C/R, only on Linux and
-   HP-UX), based on code from login.c from util-linux. With ashok_kovai at
-   hotmail.com, ok djm@
- - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
-   monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
-   (first stage) Add audit instrumentation to sshd, currently disabled by
-   default.  with suggestions from and ok djm@
-
-20050201
- - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
-   platforms syslog will revert to its default values.  This may result in
-   messages from external libraries (eg libwrap) being sent to a different
-   facility.
- - (dtucker) [sshd_config.5] Bug #701: remove warning about
-   keyboard-interactive since this is no longer the case.
-
-20050124
- - (dtucker) OpenBSD CVS Sync
-   - otto@cvs.openbsd.org 2005/01/21 08:32:02
-     [auth-passwd.c sshd.c]
-     Warn in advance for password and account expiry; initialize loginmsg
-     buffer earlier and clear it after privsep fork. ok and help dtucker@
-     markus@
-   - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
-     [auth.c]
-     Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
-     DenyGroups.  bz #909, ok djm@
-   - djm@cvs.openbsd.org 2005/01/23 10:18:12
-     [cipher.c]
-     config option "Ciphers" should be case-sensitive; ok dtucker@
-   - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
-     [scp.c sftp.c]
-     Have scp and sftp wait for the spawned ssh to exit before they exit
-     themselves.  This prevents ssh from being unable to restore terminal
-     modes (not normally a problem on OpenBSD but common with -Portable
-     on POSIX platforms).  From peak at argo.troja.mff.cuni.cz (bz#950);
-     ok djm@ markus@
-   - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
-     [moduli]
-     Import new moduli; requested by deraadt@ a week ago
-   - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
-     [auth-passwd.c]
-     #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
-
-20050120
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/12/23 17:35:48
-     [session.c]
-     check for NULL; from mpech
-   - markus@cvs.openbsd.org 2004/12/23 17:38:07
-     [ssh-keygen.c]
-     leak; from mpech
-   - djm@cvs.openbsd.org 2004/12/23 23:11:00
-     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
-     bz #898: support AddressFamily in sshd_config. from
-     peak@argo.troja.mff.cuni.cz; ok deraadt@
-   - markus@cvs.openbsd.org 2005/01/05 08:51:32
-     [sshconnect.c]
-     remove dead code, log connect() failures with level error, ok djm@
-   - jmc@cvs.openbsd.org 2005/01/08 00:41:19
-     [sshd_config.5]
-     `login'(n) -> `log in'(v);
-   - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
-     [moduli.c]
-     Correct spelling: SCHNOOR->SCHNORR; ok djm@
-   - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
-     [sshd.c]
-     Make debugging output continue after reexec; ok djm@
-   - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
-     [auth-bsdauth.c auth2-chall.c]
-     Have keyboard-interactive code call the drivers even for responses for
-     invalid logins.  This allows the drivers themselves to decide how to
-     handle them and prevent leaking information where possible.  Existing
-     behaviour for bsdauth is maintained by checking authctxt->valid in the
-     bsdauth driver.  Note that any third-party kbdint drivers will now need
-     to be able to handle responses for invalid logins.  ok markus@
-   - djm@cvs.openbsd.org 2004/12/22 02:13:19
-     [cipher-ctr.c cipher.c]
-     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
-     many years now; ok deraadt@
-     (Id sync only: Portable will continue to support older OpenSSLs)
- - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
-   existence via keyboard-interactive/pam, in conjunction with previous
-   auth2-chall.c change; with Colin Watson and djm.
- - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
-   bytes to prevent errors from login_init_entry() when the username is
-   exactly 64 bytes(!) long.  From brhamon at cisco.com, ok djm@
- - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
-   the list of available kbdint devices if UsePAM=no.  ok djm@
-
-20050118
- - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
-   "make survey" and "make send-survey".  This will provide data on the
-   configure parameters, platform and platform features to the development
-   team, which will allow (among other things) better targetting of testing.
-   It's entirely voluntary and is off be default. ok djm@
- - (dtucker) [survey.sh.in] Remove any blank lines from the output of
-   ccver-v and ccver-V.
-
-20041220
- - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
-   from prngd is enabled at compile time but fails at run time, eg because
-   prngd is not running.  Note that if you have prngd running when OpenSSH is
-   built, OpenSSL will consider itself internally seeded and rand-helper won't
-   be built at all unless explicitly enabled via --with-rand-helper.  ok djm@
- - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
-   on some wacky platforms (eg old AIXes), dd will refuse to create an output
-   file if it doesn't exist.
-
-20041213
- - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
-   amarendra.godbole at ge com.
-
-20041211
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/12/06 16:00:43
-     [bufaux.c]
-     use 0x00 not \0 since buf[] is a bignum
-   - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
-     [sftp.c]
-     - fix globbed ls for paths the same lenght as the globbed path when
-       we have a unique matching.
-     - fix globbed ls in case of a directory when we have a unique matching.
-     - as a side effect, if the path does not exist error (used to silently
-       ignore).
-     - don't do extra do_lstat() if we only have one matching file.
-     djm@ ok
-   - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
-     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
-     Fix debug call in error path of authorized_keys processing and fix related
-     warnings; ok djm@
-
-20041208
- - (tim) [configure.ac] Comment some non obvious platforms in the
- target-specific case statement. Suggested and OK by dtucker@
-
-20041207
- - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.
-
-20041206
- - (dtucker) [TODO WARNING.RNG] Update to reflect current reality.  ok djm@
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/11/25 22:22:14
-     [sftp-client.c sftp.c]
-     leak; from mpech
-   - jmc@cvs.openbsd.org 2004/11/29 00:05:17
-     [sftp.1]
-     missing full stop;
-   - djm@cvs.openbsd.org 2004/11/29 07:41:24
-     [sftp-client.h sftp.c]
-     Some small fixes from moritz@jodeit.org. ok deraadt@
-   - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
-     [sftp.1]
-     - explain that patterns can be used as arguments in get/put/ls/etc
-       commands (prodded by Michael Knudsen)
-     - describe ls flags as a list
-     - other minor improvements
-     ok jmc, djm
-   - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
-     [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
-     Discard over-length authorized_keys entries rather than complaining when
-     they don't decode.  bz #884, with & ok djm@
- - (dtucker) OpenBSD CVS Sync (regress/)
-   - djm@cvs.openbsd.org 2004/06/26 06:16:07
-     [reexec.sh]
-     don't change the name of the copied sshd for the reexec fallback test,
-     makes life simpler for portable
-   - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
-     [scp.sh]
-     Regress test for bz #863 (scp double-error), requires $SUDO.  ok markus@
-   - david@cvs.openbsd.org 2004/07/09 19:45:43
-     [Makefile]
-     add a missing CLEANFILES used in the re-exec test
-   - djm@cvs.openbsd.org 2004/10/08 02:01:50
-     [reexec.sh]
-     shrink and tidy; ok dtucker@
-   - djm@cvs.openbsd.org 2004/10/29 23:59:22
-     [Makefile added brokenkeys.sh]
-     regression test for handling of corrupt keys in authorized_keys file
-   - djm@cvs.openbsd.org 2004/11/07 00:32:41
-     [multiplex.sh]
-     regression tests for new multiplex commands
-   - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
-     [test-exec.sh]
-     Remove obsolete RhostsAuthentication from test config; ok markus@
-   - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
-     [test-exec.sh]
-     Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
-
-20041203
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2004/11/07 17:42:36
-     [ssh.1]
-     options sort, and whitespace;
-   - jmc@cvs.openbsd.org 2004/11/07 17:57:30
-     [ssh.c]
-     usage():
-     - add -O
-     - sync -S w/ manpage
-     - remove -h
- - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
-   subsequently denied by the PAM auth stack, send the PAM message to the
-   user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
-   ok djm@
-
-20041107
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/11/05 12:19:56
-     [sftp.c]
-     command editing and history support via libedit; ok markus@
-     thanks to hshoexer@ and many testers on tech@ too
-   - djm@cvs.openbsd.org 2004/11/07 00:01:46
-     [clientloop.c clientloop.h ssh.1 ssh.c]
-     add basic control of a running multiplex master connection; including the
-     ability to check its status and request it to exit; ok markus@
- - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
-   option and supporting makefile bits and documentation.
-
-20041105
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/08/30 09:18:08
-     [LICENCE]
-     s/keygen/keyscan/
-   - jmc@cvs.openbsd.org 2004/08/30 21:22:49
-     [ssh-add.1 ssh.1]
-     .Xsession -> .xsession;
-     originally from a pr from f at obiit dot org, but missed by myself;
-     ok markus@ matthieu@
-   - djm@cvs.openbsd.org 2004/09/07 23:41:30
-     [clientloop.c ssh.c]
-     cleanup multiplex control socket on SIGHUP too, spotted by sturm@
-     ok markus@ deraadt@
-   - deraadt@cvs.openbsd.org 2004/09/15 00:46:01
-     [ssh.c]
-     /* fallthrough */ is something a programmer understands.  But
-     /* FALLTHROUGH */ is also understood by lint, so that is better.
-   - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
-     [sshd_config.5]
-     mention PrintLastLog only prints last login time for interactive
-     sessions, like PrintMotd mentions.
-     From Michael Knudsen, with wording changed slightly to match the
-     PrintMotd description.
-     ok djm
-   - mickey@cvs.openbsd.org 2004/09/15 18:42:27
-     [sshd.c]
-     use less doubles in daemons; markus@ ok
-   - deraadt@cvs.openbsd.org 2004/09/15 18:46:04
-     [scp.c]
-     scratch that do { } while (0) wrapper in this case
-   - djm@cvs.openbsd.org 2004/09/23 13:00:04
-     [ssh.c]
-     correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@
-   - djm@cvs.openbsd.org 2004/09/25 03:45:14
-     [sshd.c]
-     these printf args are no longer double; ok deraadt@ markus@
-   - djm@cvs.openbsd.org 2004/10/07 10:10:24
-     [scp.1 sftp.1 ssh.1 ssh_config.5]
-     document KbdInteractiveDevices; ok markus@
-   - djm@cvs.openbsd.org 2004/10/07 10:12:36
-     [ssh-agent.c]
-     don't unlink agent socket when bind() fails, spotted by rich AT
-     rich-paul.net, ok markus@
-   - markus@cvs.openbsd.org 2004/10/20 11:48:53
-     [packet.c ssh1.h]
-     disconnect for invalid (out of range) message types.
-   - djm@cvs.openbsd.org 2004/10/29 21:47:15
-     [channels.c channels.h clientloop.c]
-     fix some window size change bugs for multiplexed connections: windows sizes
-     were not being updated if they had changed after ~^Z suspends and SIGWINCH
-     was not being processed unless the first connection had requested a tty;
-     ok markus
-   - djm@cvs.openbsd.org 2004/10/29 22:53:56
-     [clientloop.c misc.h readpass.c ssh-agent.c]
-     factor out common permission-asking code to separate function; ok markus@
-   - djm@cvs.openbsd.org 2004/10/29 23:56:17
-     [bufaux.c bufaux.h buffer.c buffer.h]
-     introduce a new buffer API that returns an error rather than fatal()ing
-     when presented with bad data; ok markus@
-   - djm@cvs.openbsd.org 2004/10/29 23:57:05
-     [key.c]
-     use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
-     files; ok markus@
-
-20041102
- - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
-   10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
-   only if a conflict is detected.
-
-20041019
- - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
-   on Cygwin.  Cygwin parts from vinschen at redhat com; ok djm@
-
-20041016
- - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations;
-   ok dtucker@
-
-20041006
- - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode
-   and other PAM platforms.
- - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants
-   to void * to appease picky compilers (eg Tru64's "cc -std1").
-
-20040930
- - (dtucker) [configure.ac] Set AC_PACKAGE_NAME.  ok djm@
-
-20040923
- - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one,
-   which could have caused the justification to be wrong.  ok djm@
-
-20040921
- - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too.
-   ok djm@
- - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin
-   install process.  Patch from vinschen at redhat.com.
-
-20040912
- - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file.
-   No change in resultant binary
- - (djm) [loginrec.c] __func__ifiy
- - (djm) [loginrec.c] xmalloc
- - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol
-   banner. Suggested by deraadt@, ok mouring@, dtucker@
- - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile.
-   Partly by & ok djm@.
-
-20040911
- - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
- - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
-   failing PAM session modules to user then exit, similar to the way
-   /etc/nologin is handled.  ok djm@
- - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
- - (djm) [auth2-kbdint.c auth2-none.c  auth2-passwd.c auth2-pubkey.c] 
-   Make cygwin code more consistent with that which surrounds it
- - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
-   Bug #892: Send messages from failing PAM account modules to the client via
-   SSH2_MSG_USERAUTH_BANNER messages.  Note that this will not happen with
-   SSH2 kbdint authentication, which need to be dealt with separately.  ok djm@
- - (dtucker) [session.c] Bug #927: make .hushlogin silent again.  ok djm@
- - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure.
-   Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me.  ok djm@
- - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM.  From deengert
-   at anl.gov, ok djm@
-
-20040830
- - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
-   copy required environment variables on Cygwin.  Patch from vinschen at
-   redhat.com, ok djm@
- - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too.  Patch from
-   vinschen at redhat.com.
- - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability
-   of shell constructs.  Patch from cjwatson at debian.org.
-
-20040829
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from
-   failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL.
-   From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/08/23 11:48:09
-     [authfile.c]
-     fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
-   - djm@cvs.openbsd.org 2004/08/23 11:48:47
-     [channels.c]
-     typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
-   - dtucker@cvs.openbsd.org 2004/08/23 14:26:38
-     [ssh-keysign.c ssh.c]
-     Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
-     change in Portable; ok markus@ (CVS ID sync only)
-   - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
-     [ssh-keysign.c]
-     Remove duplicate getuid(), suggested by & ok markus@
-   - markus@cvs.openbsd.org 2004/08/26 16:00:55
-     [ssh.1 sshd.8]
-     get rid of references to rhosts authentication; with jmc@
-   - djm@cvs.openbsd.org 2004/08/28 01:01:48
-     [sshd.c]
-     don't erroneously close stdin for !reexec case, from Dave Johnson;
-     ok markus@
- - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check,
-   fixes configure warning on Solaris reported by wknox at mitre.org.
- - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not
-   support FD passing since multiplex requires it.  Noted by tim@
- - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn
-   down, needed on some platforms, should be harmless on others.  Patch from
-   jason at devrandom.org.
- - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like
-   files ending in .exe that aren't binaries; patch from vinschen at redhat.com.
- - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree
-   builds too, from vinschen at redhat.com.
- - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
-   too; patch from cmadams at hiwaay.net.
- - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
- - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
-   accounts with authentication configs that sshd can't support (ie
-   SYSTEM=NONE and AUTH1=something).
-
-20040828
- - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
-   vinschen at redhat.com.
-
-20040823
- - (djm) [ssh-rand-helper.c] Typo. Found by 
-   Martin.Kraemer AT Fujitsu-Siemens.com
- - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by 
-   Martin.Kraemer AT Fujitsu-Siemens.com
-
-20040817
- - (dtucker) [regress/README.regress] Note compatibility issues with GNU head.
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/08/16 08:17:01
-     [version.h]
-     3.9
- - (djm) Crank RPM spec version numbers
- - (djm) Release 3.9p1
-
-20040816
- - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
-   to convince Solaris PAM to honour password complexity rules.  ok djm@
-
-20040815
- - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
-   it does the right thing on all platforms.  ok djm@
- - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in 
-   openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c 
-   openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter 
-   closefrom() replacement from sudo; ok dtucker@
- - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker
- - (dtucker) [Makefile.in] Fix typo.
-
-20040814
- - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c]
-   Explicitly set umask for mkstemp; ok djm@
- - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise
-   prot.h and shadow.h provide conflicting declarations of getspnam.  ok djm@
- - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
-   Plug AIX login recording into login_write so logins will be recorded for
-   all auth types.
-
-20040813
- - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at
-   redhat.com
-- (dtucker) OpenBSD CVS Sync
-   - avsm@cvs.openbsd.org 2004/08/11 21:43:05
-     [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c]
-     some signed/unsigned int comparison cleanups; markus@ ok
-   - avsm@cvs.openbsd.org 2004/08/11 21:44:32
-     [authfd.c scp.c ssh-keyscan.c]
-     use atomicio instead of homegrown equivalents or read/write.
-     markus@ ok
-   - djm@cvs.openbsd.org 2004/08/12 09:18:24
-     [sshlogin.c]
-     typo in error message, spotted by moritz AT jodeit.org (Id sync only)
-   - jakob@cvs.openbsd.org 2004/08/12 21:41:13
-     [ssh-keygen.1 ssh.1]
-     improve SSHFP documentation; ok deraadt@
-   - jmc@cvs.openbsd.org 2004/08/13 00:01:43
-     [ssh-keygen.1]
-     kill whitespace at eol;
-   - djm@cvs.openbsd.org 2004/08/13 02:51:48
-     [monitor_fdpass.c]
-     extra check for no message case; ok markus, deraadt, hshoexer, henning
-   - dtucker@cvs.openbsd.org 2004/08/13 11:09:24
-     [servconf.c]
-     Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
-     ok markus@, djm@
-
-20040812
- - (dtucker) [sshd.c] Remove duplicate variable imported during sync.
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/07/28 08:56:22
-     [sshd.c]
-     call setsid() _before_ re-exec
-   - markus@cvs.openbsd.org 2004/07/28 09:40:29
-     [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c
-     sshconnect1.c]
-     more s/illegal/invalid/
-   - djm@cvs.openbsd.org 2004/08/04 10:37:52
-     [dh.c]
-     return group14 when no primes found - fixes hang on empty /etc/moduli;
-     ok markus@
-   - dtucker@cvs.openbsd.org 2004/08/11 11:09:54
-     [servconf.c]
-     Fix minor leak; "looks right" deraadt@
-   - dtucker@cvs.openbsd.org 2004/08/11 11:50:09
-     [sshd.c]
-     Don't try to close startup_pipe if it's not open; ok djm@
-   - djm@cvs.openbsd.org 2004/08/11 11:59:22
-     [sshlogin.c]
-     check that lseek went were we told it to; ok markus@
-     (Id sync only, but similar changes are needed in loginrec.c)
-   - djm@cvs.openbsd.org 2004/08/11 12:01:16
-     [sshlogin.c]
-     make store_lastlog_message() static to appease -Wall; ok markus
- - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling
-    messages generated before the postauth privsep split.
-
-20040720
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/07/21 08:56:12
-     [auth.c]
-     s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas,
-     miod, ...
-   - djm@cvs.openbsd.org 2004/07/21 10:33:31
-     [auth1.c auth2.c]
-     bz#899: Don't display invalid usernames in setproctitle
-     from peak AT argo.troja.mff.cuni.cz; ok markus@
-   - djm@cvs.openbsd.org 2004/07/21 10:36:23
-     [gss-serv-krb5.c]
-     fix function declaration
-   - djm@cvs.openbsd.org 2004/07/21 11:51:29
-     [canohost.c]
-     bz#902: cache remote port so we don't fatal() in auth_log when remote
-     connection goes away quickly. from peak AT argo.troja.mff.cuni.cz;
-     ok markus@
- - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid 
-   usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;
-
-20040720
- - (djm) [log.c] bz #111: Escape more control characters when sending data 
-   to syslog; from peak AT argo.troja.mff.cuni.cz
- - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from 
-   peak AT argo.troja.mff.cuni.cz
- - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now
-   that sshd is fixed to behave better; suggested by tim
-
-20040719
- - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD
-   ok dtucker@
- - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function,
-   instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@
- - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry.
-   Report by rac AT tenzing.org
-
-20040717
- - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c
-   ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c
-   openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c.  Reduces
-   diff vs OpenBSD; ok mouring@, tested by tim@ too.
- - (dtucker) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2004/07/11 17:48:47
-     [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c
-     readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c
-     session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h
-     sshd.c ttymodes.h]
-     spaces
-   - brad@cvs.openbsd.org 2004/07/12 23:34:25
-     [ssh-keyscan.1]
-     Fix incorrect macro, .I -> .Em
-     From: Eric S. Raymond <esr at thyrsus dot com>
-     ok jmc@
-   - dtucker@cvs.openbsd.org 2004/07/17 05:31:41
-     [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c]
-     Move "Last logged in at.." message generation to the monitor, right
-     before recording the new login.  Fixes missing lastlog message when
-     /var/log/lastlog is not world-readable and incorrect datestamp when
-     multiple sessions are used (bz #463);  much assistance & ok markus@
-
-20040711
- - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
-   the monitor to properly clean up the PAM thread (Debian bug #252676).
-
-20040709
- - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from
-   vinschen AT redhat.com
-
-20040708
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2004/07/03 05:11:33
-     [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable)
-     Use '\0' not 0 for string; ok djm@, deraadt@
-   - dtucker@cvs.openbsd.org 2004/07/03 11:02:25
-     [monitor_wrap.c]
-     Put s/key functions inside #ifdef SKEY same as monitor.c,
-     from des@freebsd via bz #330, ok markus@
-   - dtucker@cvs.openbsd.org 2004/07/08 12:47:21
-     [scp.c]
-     Prevent scp from skipping the file following a double-error.
-     bz #863, ok markus@
-
-20040702
- - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by
-   strube at physik3.gwdg.de a long time ago.
-
-20040701
- - (dtucker) [session.c] Call display_loginmsg again after do_pam_session.
-   Ensures messages from PAM modules are displayed when privsep=no.
- - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
-   warnings on compliant platforms.  From paul.a.bolton at bt.com.  ok djm@
- - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
-   to pam_authenticate for challenge-response auth too.  Originally from
-   fcusack at fcusack.com, ok djm@
- - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within
-   the same version. Handle the case where someone uses --with-privsep-user=
-   and the user name does not match the group name. ok dtucker@
-
-20040630
- - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
-   appdata_ptr to the conversation function.  ok djm@
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2004/06/26 09:03:21
-     [ssh.1]
-     - remove double word
-     - rearrange .Bk to keep SYNOPSIS nice
-     - -M before -m in options description
-   - jmc@cvs.openbsd.org 2004/06/26 09:11:14
-     [ssh_config.5]
-     punctuation and grammar fixes. also, keep the options in order.
-   - jmc@cvs.openbsd.org 2004/06/26 09:14:40
-     [sshd_config.5]
-     new sentence, new line;
-   - avsm@cvs.openbsd.org 2004/06/26 20:07:16
-     [sshd.c]
-     initialise some fd variables to -1, djm@ ok
-   - djm@cvs.openbsd.org 2004/06/30 08:36:59
-     [session.c]
-     unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@
-
-20040627
- - (tim) update README files.
- - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros.
- - (dtucker) [regress/README.regress] Document new variables.
- - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp
-   rename handling for Linux which returns EPERM for link() on (at least some)
-   filesystems that do not support hard links.  sftp-server will fall back to
-   stat+rename() in such cases.
- - (dtucker) [openbsd-compat/port-aix.c] Missing __func__.
-
-20040626
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/25 18:43:36
-     [sshd.c]
-     fix broken fd handling in the re-exec fallback path, particularly when
-     /dev/crypto is in use; ok deraadt@ markus@
-   - djm@cvs.openbsd.org 2004/06/25 23:21:38
-     [sftp.c]
-     bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de
-
-20040625
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/24 19:30:54
-     [servconf.c servconf.h sshd.c]
-     re-exec sshd on accept(); initial work, final debugging and ok markus@
-   - djm@cvs.openbsd.org 2004/06/25 01:16:09
-     [sshd.c]
-     only perform tcp wrappers checks when the incoming connection is on a
-     socket.  silences useless warnings from regress tests that use
-     proxycommand="sshd -i".  prompted by david@ ok markus@
-   - djm@cvs.openbsd.org 2004/06/24 19:32:00
-     [regress/Makefile regress/test-exec.sh, added regress/reexec.sh]
-     regress test for re-exec corner cases
-   - djm@cvs.openbsd.org 2004/06/25 01:25:12
-     [regress/test-exec.sh]
-     clean reexec-specific junk out of text-exec.sh and simplify; idea markus@
-   - dtucker@cvs.openbsd.org 2004/06/25 05:38:48
-     [sftp-server.c]
-     Fall back to stat+rename if filesystem doesn't doesn't support hard
-     links.  bz#823, ok djm@
- - (dtucker) [configure.ac openbsd-compat/misc.c [openbsd-compat/misc.h]
-   Add closefrom() for platforms that don't have it.
- - (dtucker) [sshd.c] add line missing from reexec sync.
-
-20040623
- - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1
-   connections with empty passwords.  Patch from davidwu at nbttech.com,
-   ok djm@
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2004/06/22 22:42:02
-     [regress/envpass.sh]
-     Add quoting for test -z; ok markus@
-   - dtucker@cvs.openbsd.org 2004/06/22 22:45:52
-     [regress/test-exec.sh]
-     Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding
-     arbitary options to sshd_config and ssh_config during tests.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/06/22 22:55:56
-     [regress/dynamic-forward.sh regress/test-exec.sh]
-     Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
-   - mouring@cvs.openbsd.org 2004/06/23 00:39:38
-     [rijndael.c]
-     -Wshadow fix up s/encrypt/do_encrypt/.  OK djm@, markus@
-   - dtucker@cvs.openbsd.org 2004/06/23 14:31:01
-     [ssh.c]
-     Fix counting in master/slave when passing environment variables; ok djm@
- - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
-   -Wshadow change.
- - (bal) [Makefile.in] Remove opensshd.init on 'make distclean'
- - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
-   Move loginrestrictions test to port-aix.c, replace with a generic hook.
- - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable.
- - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added
-   reference to "findssl.sh"
-
-20040622
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/20 17:36:59
-     [ssh.c]
-     filter passed env vars at slave in connection sharing case; ok markus@
-   - djm@cvs.openbsd.org 2004/06/20 18:53:39
-     [sftp.c]
-     make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
-     (like /bin/ls); idea & ok markus@
-   - djm@cvs.openbsd.org 2004/06/20 19:28:12
-     [sftp.1]
-     mention new -n flag
-   - avsm@cvs.openbsd.org 2004/06/21 17:36:31
-     [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c
-     cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c
-     monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c
-     ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c
-     sshpty.c]
-     make ssh -Wshadow clean, no functional changes
-     markus@ ok
-   - djm@cvs.openbsd.org 2004/06/21 17:53:03
-     [session.c]
-     fix fd leak for multiple subsystem connections; with markus@
-   - djm@cvs.openbsd.org 2004/06/21 22:02:58
-     [log.h]
-     mark fatal and cleanup exit as __dead; ok markus@
-   - djm@cvs.openbsd.org 2004/06/21 22:04:50
-     [sftp.c]
-     introduce sorting for ls, same options as /bin/ls; ok markus@
-   - djm@cvs.openbsd.org 2004/06/21 22:30:45
-     [sftp.c]
-     prefix ls option flags with LS_
-   - djm@cvs.openbsd.org 2004/06/21 22:41:31
-     [sftp.1]
-     document sort options
-   - djm@cvs.openbsd.org 2004/06/22 01:16:39
-     [sftp.c]
-     don't show .files by default in ls, add -a option to turn them back on;
-     ok markus
-   - markus@cvs.openbsd.org 2004/06/22 03:12:13
-     [regress/envpass.sh regress/multiplex.sh]
-     more portable env passing tests
-   - dtucker@cvs.openbsd.org 2004/06/22 05:05:45
-     [monitor.c monitor_wrap.c]
-     Change login->username, will prevent -Wshadow errors in Portable;
-     ok markus@
- - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket".
- - (dtucker) [defines.h] Define __dead if not already defined.
- - (bal) [auth-passwd.c auth1.c] Clean up unused variables.
-
-20040620
- - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms.
-
-20040619
- - (dtucker) [auth-pam.c] Don't use PAM namespace for
-    pam_password_change_required either.
- - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd
-   init script to top level directory.  Add opensshd.init.in.
-   Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in
-
-20040618
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/17 14:52:48
-     [clientloop.c clientloop.h ssh.c]
-     support environment passing over shared connections; ok markus@
-   - djm@cvs.openbsd.org 2004/06/17 15:10:14
-     [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
-     Add option for confirmation (ControlMaster=ask) via ssh-askpass before 
-     opening shared connections; ok markus@
-   - djm@cvs.openbsd.org 2004/06/17 14:53:27
-     [regress/multiplex.sh]
-     shared connection env passing regress test
- - (dtucker) [regress/README.regress] Add detail on how to run a single
-   test from the top-level Makefile.
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/17 23:56:57
-     [ssh.1 ssh.c]
-     sync usage() and SYNPOSIS with connection sharing changes
-   - dtucker@cvs.openbsd.org 2004/06/18 06:13:25
-     [sftp.c]
-     Use execvp instead of execv so sftp -S ssh works.  "makes sense" markus@
-   - dtucker@cvs.openbsd.org 2004/06/18 06:15:51
-     [multiplex.sh]
-     Use -S for scp/sftp to force the use of the ssh being tested.
-     ok djm@,markus@
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/06/18 10:40:19
-     [ssh.c]
-     delay signal handler setup until we have finished talking to the master.
-     allow interrupting of setup (e.g. if master is stuck); ok markus@
-   - markus@cvs.openbsd.org 2004/06/18 10:55:43
-     [ssh.1 ssh.c]
-     trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask';
-     ok djm
-   - djm@cvs.openbsd.org 2004/06/18 11:11:54
-     [channels.c clientloop.c]
-     Don't explode in clientloop when we receive a bogus channel id, but
-     also don't generate them to begin with; ok markus@
-
-20040617
- - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
-   platforms), so test if diff understands it.  Pointed out by tim@, ok djm@
- - (dtucker) OpenBSD CVS Sync regress/
-   - dtucker@cvs.openbsd.org 2004/06/17 05:51:59
-     [regress/multiplex.sh]
-     Remove datafile between and after tests, kill sshd rather than wait;
-     ok djm@
-   - dtucker@cvs.openbsd.org 2004/06/17 06:00:05
-     [regress/multiplex.sh]
-     Use DATA and COPY for test data rather than hard-coded paths; ok djm@
-   - dtucker@cvs.openbsd.org 2004/06/17 06:19:06
-     [regress/multiplex.sh]
-     Add small description of failing test to failure message; ok djm@
- - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need
-   it.
- - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not
-   enough for slow systems, especially if they don't have a kernel RNG).
-
-20040616
- - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No
-   code changes.
- - (dtucker) OpenBSD CVS Sync regress/
-   - djm@cvs.openbsd.org 2004/04/27 09:47:30
-     [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
-     regress test for environment passing, SendEnv & AcceptEnv options;
-     ok markus@
-   - dtucker@cvs.openbsd.org 2004/06/13 13:51:02
-     [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh
-     regress/scp.sh]
-     Add scp regression test; with & ok markus@
-   - djm@cvs.openbsd.org 2004/06/13 15:04:08
-     [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
-     regress test for client multiplexing; ok markus@
-   - djm@cvs.openbsd.org 2004/06/13 15:16:54
-     [regress/test-exec.sh]
-     remove duplicate setting of $SCP; spotted by markus@
-   - dtucker@cvs.openbsd.org 2004/06/16 13:15:09
-     [regress/scp.sh]
-     Make scp -r tests use diff -rN not cmp (which won't do dirs.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/06/16 13:16:40
-     [regress/multiplex.sh]
-     Silence multiplex sftp and scp tests.  ok markus@
- - (dtucker) [regress/test-exec.sh]
-   Move Portable-only StrictModes to top of list to make syncs easier.
- - (dtucker) [regress/README.regress]
-   Add $TEST_SHELL to readme.
-
-20040615
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/05/26 08:59:57
-     [sftp.c]
-     exit -> _exit in forked child on error; from andrushock AT korovino.net
-   - markus@cvs.openbsd.org 2004/05/26 23:02:39
-     [channels.c]
-     missing freeaddrinfo; Andrey Matveev
-   - dtucker@cvs.openbsd.org 2004/05/27 00:50:13
-     [readconf.c]
-     Kill dead code after fatal(); ok djm@
-   - dtucker@cvs.openbsd.org 2004/06/01 14:20:45
-     [auth2-chall.c]
-     Remove redundant #include; ok markus@
-   - pedro@cvs.openbsd.org 2004/06/03 12:22:20
-     [sftp-client.c sftp.c]
-     initialize pointers, ok markus@
-   - djm@cvs.openbsd.org 2004/06/13 12:53:24
-     [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h] 
-     [ssh-keyscan.c sshconnect2.c sshd.c]
-     implement diffie-hellman-group14-sha1 kex method (trivial extension to
-     existing diffie-hellman-group1-sha1); ok markus@
-   - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
-     [ssh.1 ssh_config.5 sshd_config.5]
-     List supported ciphers in man pages, tidy up ssh -c;
-     "looks fine" jmc@, ok markus@
-   - djm@cvs.openbsd.org 2004/06/13 15:03:02
-     [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c] 
-     [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5]
-     implement session multiplexing in the client (the server has supported 
-     this since 2.0); ok markus@
-   - djm@cvs.openbsd.org 2004/06/14 01:44:39
-     [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c]
-     [sshd.c]
-     set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
-   - djm@cvs.openbsd.org 2004/06/15 05:45:04
-     [clientloop.c]
-     missed one unset_nonblock; spotted by Tim Rice
- - (djm) Fix Makefile.in for connection sharing changes
- - (djm) [ssh.c] Use separate var for address length
-
-20040603
- - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
-   ok djm@
-
-20040601
- - (djm) [auth-pam.c] Add copyright for local changes
-
-20040530
- - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM 
-   support for PasswordAuthentication=yes.  ok djm@
- - (dtucker) [auth-pam.c] Use an invalid password for root if
-   PermitRootLogin != yes or the login is invalid, to prevent leaking
-   information.  Based on Openwall's owl-always-auth patch.  ok djm@
- - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@
- - (tim) [buildpkg.sh.in] New file. A more flexible version of
-   contrib/solaris/buildpkg.sh used for "make package".
- - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file.
-
-20040527
- - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
-   contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass
-   and Jim Knoble's email address , from Jim himself.
-
-20040524
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/05/19 12:17:33
-     [sftp-client.c sftp.c]
-     gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
-     waiting for a command; ok markus@
-   - dtucker@cvs.openbsd.org 2004/05/20 10:58:05
-     [clientloop.c]
-     Trivial type fix 0 -> '\0'; ok markus@
-   - markus@cvs.openbsd.org 2004/05/21 08:43:03
-     [kex.h moduli.c tildexpand.c]
-     add prototypes for -Wall; ok djm
-   - djm@cvs.openbsd.org 2004/05/21 11:33:11
-     [channels.c channels.h clientloop.c serverloop.c ssh.1]
-     bz #756: add support for the cancel-tcpip-forward request for the server
-     and the client (through the ~C commandline). reported by z3p AT
-     twistedmatrix.com; ok markus@
-   - djm@cvs.openbsd.org 2004/05/22 06:32:12
-     [clientloop.c ssh.1]
-     use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@
-   - jmc@cvs.openbsd.org 2004/05/22 16:01:05
-     [ssh.1]
-     kill whitespace at eol;
-   - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
-     [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config
-     sshd_config.5]
-     Add MaxAuthTries sshd config option; ok markus@
- - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread"
-   is terminated if the privsep slave exits during keyboard-interactive
-   authentication.  ok djm@
- - (dtucker) [sshd.c] Fix typo in comment.
-
-20040523
- - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in 
-   sshd_config; ok dtucker@
- - (djm) [configure.ac] Warn if the system has no known way of figuring out 
-   which user is on the other end of a Unix domain socket; ok dtucker@
- - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinary to handle
-   old/broken/incomplete <sys/queue.h>.
-
-20040513
- - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
-   libresolv, fixes problems detecting it on some platforms
-   (eg Linux/x86-64).  From Kurt Roeckx via Debian, ok mouring@
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2004/05/04 18:36:07
-     [scp.1]
-     SendEnv here too;
-   - jmc@cvs.openbsd.org 2004/05/06 11:24:23
-     [ssh_config.5]
-     typo from John Cosimano (PR 3770);
-   - deraadt@cvs.openbsd.org 2004/05/08 00:01:37
-     [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c
-     tildexpand.c], removed: sshtty.h tildexpand.h
-     make two tiny header files go away; djm ok
-   - djm@cvs.openbsd.org 2004/05/08 00:21:31
-     [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c
-     sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h
-     kill a tiny header; ok deraadt@
-   - djm@cvs.openbsd.org 2004/05/09 00:06:47
-     [moduli.c ssh-keygen.c] removed: moduli.h
-     zap another tiny header; ok deraadt@
-   - djm@cvs.openbsd.org 2004/05/09 01:19:28
-     [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c
-     sshd.c] removed: mpaux.c mpaux.h
-     kill some more tiny files; ok deraadt@
-   - djm@cvs.openbsd.org 2004/05/09 01:26:48
-     [kex.c]
-     don't overwrite what we are trying to compute
-   - deraadt@cvs.openbsd.org 2004/05/11 19:01:43
-     [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c
-     packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c]
-     improve some code lint did not like; djm millert ok
-   - dtucker@cvs.openbsd.org 2004/05/13 02:47:50
-     [ssh-agent.1]
-     Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@
- - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
-   UsePAM section.  Parts from djm@ and jmc@.
- - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses
-   readpass.h, grep says scard-opensc.c does too.  Replace with misc.h.
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR
-   is defined before using.
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR
-   -> HAVE_DECL_H_ERRNO.
-
-20040502
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/04/22 11:56:57
-     [moduli.c]
-     Bugzilla #850: Sophie Germain is the correct name of the French
-     mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr
-   - djm@cvs.openbsd.org 2004/04/27 09:46:37
-     [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
-     ssh_config.5 sshd_config.5]
-     bz #815: implement ability to pass specified environment variables from
-     the client to the server; ok markus@
-   - djm@cvs.openbsd.org 2004/04/28 05:17:10
-     [ssh_config.5 sshd_config.5]
-     manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
-   - jmc@cvs.openbsd.org 2004/04/28 07:02:56
-     [sshd_config.5]
-     remove unnecessary .Pp;
-   - jmc@cvs.openbsd.org 2004/04/28 07:13:42
-     [sftp.1 ssh.1]
-     add SendEnv to -o list;
-   - dtucker@cvs.openbsd.org 2004/05/02 11:54:31
-     [sshd.8]
-     Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk
-     via Debian; ok djm@
-   - dtucker@cvs.openbsd.org 2004/05/02 11:57:52
-     [ssh.1]
-     ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via
-     Debian.  ok djm@
-   - dtucker@cvs.openbsd.org 2004/05/02 23:02:17
-     [sftp.1]
-     ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@
-   - dtucker@cvs.openbsd.org 2004/05/02 23:17:51
-     [scp.1]
-     ConnectionTimeout -> ConnectTimeout for scp.1 too.
-
-20040423
- - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno
-   as extern int if not already declared.  Fixes compile errors on old SCO
-   platforms.  ok tim@
- - (dtucker) [README.platform] List prereqs for building on Cygwin.
-
-20040421
- - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@
-
-20040420
- - (djm) OpenBSD CVS Sync
-   - henning@cvs.openbsd.org 2004/04/08 16:08:21
-     [sshconnect2.c]
-     swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what
-     FreeBSD and NetBSD do.
-     ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
-   - djm@cvs.openbsd.org 2004/04/18 23:10:26
-     [readconf.c readconf.h ssh-keysign.c ssh.c]
-     perform strict ownership and modes checks for ~/.ssh/config files, 
-     as these can be used to execute arbitrary programs; ok markus@
-     NB. ssh will now exit when it detects a config with poor permissions
-   - djm@cvs.openbsd.org 2004/04/19 13:02:40
-     [ssh.1 ssh_config.5]
-     document strict permission checks on ~/.ssh/config; prompted by, 
-     with & ok jmc@
-   - jmc@cvs.openbsd.org 2004/04/19 16:12:14
-     [ssh_config.5]
-     kill whitespace at eol;
-   - djm@cvs.openbsd.org 2004/04/19 21:51:49
-     [ssh.c]
-     fix idiot typo that i introduced in my last commit;
-     spotted by cschneid AT cschneid.com
- - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for 
-   above change
- - (djm) [configure.ac] Check whether libroken is required when building 
-   with Heimdal
-
-20040419
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2004/02/29 22:04:45
-     [regress/login-timeout.sh]
-     Use sudo when restarting daemon during test.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/03/08 10:17:12
-     [regress/login-timeout.sh]
-     Missing OBJ, from tim@.  ok markus@ (Already fixed, ID sync only)
-   - djm@cvs.openbsd.org 2004/03/30 12:41:56
-     [sftp-client.c]
-     sync comment with reality
-   - djm@cvs.openbsd.org 2004/03/31 21:58:47
-     [canohost.c]
-     don't skip ip options check when UseDNS=no; ok markus@ (ID sync only)
-   - markus@cvs.openbsd.org 2004/04/01 12:19:57
-     [scp.c]
-     limit trust between local and remote rcp/scp process,
-     noticed by lcamtuf; ok deraadt@, djm@
-
-20040418
- - (dtucker) [auth-pam.c] Log username and source host for failed PAM
-   authentication attempts.  With & ok djm@
- - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
-   change of user context without a password, so relax auth method 
-   restrictions; from vinschen AT redhat.com; ok dtucker@
-
-20040416
- - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
-   FAT/NTFS does not permit quotes in filenames.  From vinschen at redhat.com
- - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache 
-   file using FILE: method, fixes problems on Mac OSX.
-   Patch from simon@sxw.org.uk; ok dtucker@
- - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
-   BROKEN_SETREGID for SCO OpenServer 3
-
-20040412
- - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
-   from bug #701 (text from jfh at cise.ufl.edu).
- - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
-   skeychallenge(), eg on NetBSD.  ok mouring@
- - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
-   4-arg, with compatibility for 3-arg versions.  From djm@, ok me.
- - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@
-
-20040408
- - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
-   pty name on Linux 2.6.x systems.  Patch from jpe at eisenmenger.org.
- - (bal) [monitor.c monitor_wrap.c] Second try.  Put the zlib.h headers
-   back and #undef TARGET_OS_MAC instead.  (Bug report pending with Apple)
- - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
-   simplify loginrec.c.  ok tim@
- - (bal) [monitor.c monitor_wrap.c] Ok.. Last time.  Promise.  Tim suggested
-   limiting scope and dtucker@ agreed.
-
-20040407
- - (dtucker) [session.c] Flush stdout after displaying loginmsg.  From
-   f_mohr at yahoo.de.
- - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
-   if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
-   are starting to restrict it as internal since it is not needed by
-   developers any more. (Patch based on Apple tree)
- - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since 
-   krb5 on MacOS/X conflicts.  There may be a better solution, but this will 
-   work for now.
-
-20040406
- - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
-   updwtmpx() on IRIX since it seems to clobber utmp.  ok djm@
- - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
-   broken getaddrinfo and friends on HP-UX.  ok djm@
-
-20040330
- - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
-   Linuxes, since that's what many use.  ok djm@
- - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
-   to reduce potential confusion with the one in sshd.c.  ok djm@
- - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection; 
-   with & ok dtucker@
-
-20040327
- - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
-   duplicate login messages for mutli-session logins.  ok djm@
-
-20040322
- - (djm) [sshd.c] Drop supplemental groups if started as root
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/03/09 22:11:05
-     [ssh.c]
-     increase x11 cookie lifetime to 20 minutes; ok djm
-   - markus@cvs.openbsd.org 2004/03/10 09:45:06
-     [ssh.c]
-     trim usage to match ssh(1) and look more like unix. ok djm@
-   - markus@cvs.openbsd.org 2004/03/11 08:36:26
-     [sshd.c]
-     trim usage; ok deraadt
-   - markus@cvs.openbsd.org 2004/03/11 10:21:17
-     [ssh.c sshd.c]
-     ssh, sshd: sync version output, ok djm
-   - markus@cvs.openbsd.org 2004/03/20 10:40:59
-     [version.h]
-     3.8.1
- - (djm) Crank RPM spec versions
-
-20040311
- - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker
-
-20040310
- - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
-   before redefining it, silences warnings on Tru64.
-
-20040308
- - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
-   platforms (eg SCO, HP-UX) with logging in the wrong TZ.  ok djm@
- - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
-   openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
-   inherited by the child.  ok djm@
- - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
-   monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
-   even if keyboard-interactive is not used by the client.  Prevents 
-   segfaults in some cases where the user's password is expired (note this 
-   is not considered a security exposure).  ok djm@
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/03/03 06:47:52
-     [sshd.c]
-     change proctiltle after accept(2); ok henning, deraadt, djm
-   - djm@cvs.openbsd.org 2004/03/03 09:30:42
-     [sftp-client.c]
-     Don't print duplicate messages when progressmeter is off
-     Spotted by job317 AT mailvault.com; ok markus@
-   - djm@cvs.openbsd.org 2004/03/03 09:31:20
-     [sftp.c]
-     Fix initialisation of progress meter; ok markus@
-   - markus@cvs.openbsd.org 2004/03/05 10:53:58
-     [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
-     add IdentitiesOnly; ok djm@, pb@
-   - djm@cvs.openbsd.org 2004/03/08 09:38:05
-     [ssh-keyscan.c]
-     explicitly initialise remote_major and remote_minor.
-     from cjwatson AT debian.org; ok markus@
-   - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
-     [sshd_config.5]
-     Document KerberosGetAFSToken;  ok markus@
- - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal
-
-20040307
- - (tim) [regress/login-timeout.sh] fix building outside of source tree.
-
-20040304
- - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
-   -DUSE_POSIX_THREADS.  From antoine.verheijen at ualbert ca.  ok djm@
- - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
-   prevent hanging during PAM keyboard-interactive authentications.  ok djm@
- - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
-   openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
-   configured --with-osfsia.  ok djm@
-
-20040303
- - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
-   ok dtucker  
-
-20040229
- - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
-
-20040229
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/02/25 00:22:45
-     [sshd.c]
-     typo in comment
-   - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
-     [dh.c]
-     Prevent sshd from sending DH groups with a primitive generator of zero or
-     one, even if they are listed in /etc/moduli.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
-     [dh.c]
-     Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
-     ever uses one.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
-     [dh.c]
-     Reset bit counter at the right time, fixes debug output in the case where
-     the DH group is rejected.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
-     [regress/Makefile regress/login-timeout.sh]
-     Add regression test for LoginGraceTime; ok markus@
-   - markus@cvs.openbsd.org 2004/02/24 16:56:30
-     [regress/test-exec.sh]
-     allow arguments in ${TEST_SSH_XXX}
-   - markus@cvs.openbsd.org 2004/02/24 17:06:52
-     [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
-     regress/ssh-com-sftp.sh regress/ssh-com.sh]
-     test against recent ssh.com releases
-   - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
-     [regress/dynamic-forward.sh]
-     Make dynamic-forward understand nc's new output.  ok markus@
-   - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
-     [regress/try-ciphers.sh]
-     Test acss too; ok markus@
- - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
-   built with openssl < 0.9.7)
-
-20040226
- - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
-   code due to diversity issues.
-
-20040225
- - (djm) Trim ChangeLog 
- - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora
-
-20040224
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/02/19 21:15:04
-     [sftp-server.c]
-     switch to new license.template
-   - markus@cvs.openbsd.org 2004/02/23 12:02:33
-     [sshd.c]
-     backout revision 1.279; set listen socket to non-block; ok henning.
-   - markus@cvs.openbsd.org 2004/02/23 15:12:46
-     [bufaux.c]
-     encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka
-     and drop support for negative BNs; ok otto@
-   - markus@cvs.openbsd.org 2004/02/23 15:16:46
-     [version.h]
-     enter 3.8
- - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
-   with krb5-config, hunt down gssapi.h and friends.  Based partially on patch
-   from deengert at anl.gov.  ok djm@
- - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime 
-   using sysconf() if available Based on patches from 
-   holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
- - (dtucker) [uidswap.c] Minor KNF.  ok djm@
- - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy.  ok djm@
- - (djm) Crank RPM spec versions
- - (dtucker) [README] Add pointer to release notes.  ok djm@
- - (dtucker) {README.platform] Add platform-specific notes.
- - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot
- - (djm) Release 3.8p1
-
-20040223
- - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
-   non-interactive path.  ok djm@
-
-20040222
- - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test
-   to auth-shadow.c, no functional change.  ok djm@
- - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or
-   password expiry.  ok djm@
- - (dtucker) [auth-passwd.c] Only check password expiry once.  Prevents
-   multiple warnings if a wrong password is entered.
- - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path
-   too.
-
-20040220
- - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@
-
-20040218
- - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a
-   path with a "-" in it.  From Sergio.Gelato at astro.su.se.
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/02/17 07:17:29
-     [sftp-glob.c sftp.c]
-     Remove useless headers; ok deraadt@
-   - djm@cvs.openbsd.org 2004/02/17 11:03:08
-     [sftp.c]
-     sftp.c and sftp-int.c, together at last; ok markus@
-   - jmc@cvs.openbsd.org 2004/02/17 19:35:21
-     [sshd_config.5]
-     remove cruft left over from RhostsAuthentication removal;
-     ok markus@
- - (djm) [log.c] Correct use of HAVE_OPENLOG_R
- - (djm) [log.c] Tighten openlog_r tests
-
-20040217
- - (djm) Simplify the license on code I have written. No code changes.
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/02/17 05:39:51
-     [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
-     [sftp-int.h sftp.c]
-     switch to license.template for code written by me (belated, I know...)
- - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from 
-   stadal@suse.cz and simon@sxw.org.uk
- - (dtucker) [auth-pam.c] Tidy up PAM debugging.  ok djm@
- - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for
-   display after login.  Should fix problems like pam_motd not displaying
-   anything, noticed by cjwatson at debian.org.  ok djm@
-
-20040212
- - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh]
-   Portablity fixes. Data sftp transfers needs to be world readable. Some
-   older shells hang on while loops when  doing sh -n some_script. OK dtucker@
- - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3.
-   ok mouring@
-
-20040211
- - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check
-   if HAS_SHADOW_EXPIRY is set.
- - (tim) [configure.ac] Fix comment to match code changes in ver 1.117
-
-20040210
- - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
-   openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
-   native password expiry.
- - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
-   defines.h] Bug #14: Use do_pwchange to support password expiry and force
-   change for platforms using /etc/shadow.  ok djm@
- - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
-   functions to avoid conflicts with Heimdal's libroken.  ok djm@
- - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
-   change expired PAM passwords for SSHv1 connections without privsep.
-   pam_chauthtok is still used when privsep is disabled.  ok djm@
- - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move
-   include from port-aix.h to port-aix.c and remove unnecessary function
-   definition.  Fixes build errors on AIX.
- - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms
-   that support it.  from & ok mouring@
- - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x.
-   ok djm@
-
-20040207
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
-     [cipher-ctr.c]
-     Use EVP_CIPHER_CTX_key_length for key length.  ok markus@
-     (This will fix builds with OpenSSL 0.9.5)
- - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5.
-   ok djm@, markus@
-
-20040206
- - (dtucker) [acss.c acss.h] Fix $Id tags.
- - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with
-   OpenSSL >= 0.9.7.  ok djm@
- - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root
-   user, since some modules might fail due to lack of privilege.  ok djm@
- - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO
-   for HP-UX 11.11.  If there are known-good configs where this is not
-   required, please report them.  ok djm@
- - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
-   accidentally inheriting from root's environment.  ok djm@
- - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796:
-   Restore previous authdb setting after auth calls.  Fixes problems with
-   setpcred failing on accounts that use AFS or NIS password registries.
- - (dtucker) [configure.ac includes.h] Include <sys/stream.h> if present,
-   required on Solaris 2.5.1 for queue_t, which is used by <sys/ptms.h>.
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2004/01/30 09:48:57
-     [auth-passwd.c auth.h pathnames.h session.c]
-     support for password change; ok dtucker@
-     (set password-dead=1w in login.conf to use this).
-     In -Portable, this is currently only platforms using bsdauth.
-   - dtucker@cvs.openbsd.org 2004/02/05 05:37:17
-     [monitor.c sshd.c]
-     Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
-   - markus@cvs.openbsd.org 2004/02/05 15:33:33
-     [progressmeter.c]
-     fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@
-
-20040129
- - (dtucker) OpenBSD CVS Sync regress/
-   - dtucker@cvs.openbsd.org 2003/10/11 11:49:49
-     [Makefile banner.sh]
-     Test missing banner file, suppression of banner with ssh -q, check return
-     code from ssh.  ok markus@
-   - jmc@cvs.openbsd.org 2003/11/07 10:16:44
-     [ssh-com.sh]
-     adress -> address, and a few more; all from Jonathon Gray;
-   - djm@cvs.openbsd.org 2004/01/13 09:49:06
-     [sftp-batch.sh]
- - (dtucker) [configure.ac] Add --without-zlib-version-check.  Feedback from
-   tim@, ok several
- - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h]
-   Bug #775: Cray fixes from wendy at cray.com
-
-20040128
- - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@
- - (dtucker) [moduli] Import new moduli file from OpenBSD.
-
-20040127
- - (djm) OpenBSD CVS Sync
-   - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03
-     [cipher.c]
-     enable acss for ssh
-     ok deraadt@ markus@
-   - mouring@cvs.openbsd.org 2004/01/23 17:57:48
-     [sftp-int.c]
-     Fix issue pointed out with ls not handling large directories 
-     with embeded paths correctly.  OK damien@
-   - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33
-     [cipher.c]
-     rename acss@opebsd.org to acss@openssh.org
-     ok deraadt@
-   - djm@cvs.openbsd.org 2004/01/25 03:49:09
-     [sshconnect.c]
-     reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785)
-     from jclonguet AT free.fr; ok millert@
-   - djm@cvs.openbsd.org 2004/01/27 10:08:10
-     [sftp.c]
-     reorder parsing so user:skey@host:file works (bugzilla #777)
-     patch from admorten AT umich.edu; ok markus@
- - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS 
-   if libcrypto lacks it
-
-20040126
- - (tim) Typo in regress/README.regress
- - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated.
- - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG
- - (tim) [configure.ac includes.h] add <sys/ptms.h> for grantpt() and friends.
- - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ
-   and T_SIG to getrrsetbyname.h
-
-20040124
- - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com
-
-20040123 
- - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from 
-   ralf.hack AT pipex.net; ok dtucker@
- - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect
-   Kerberos location (and thus work with Fedora Core 1);
-   from jason AT devrandom.org
- - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for
-   zlib >= 1.1.4.  Partly from jbasney at ncsa.uiuc.edu.  ok djm@
- - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options.
-   Patch from vinschen at redhat.com.
- - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
-   Change AFS symbol to USE_AFS to prevent namespace collisions, do not
-   include kafs.h unless necessary.  From deengert at anl.gov.
- - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and
-   -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \
-   CPPFLAGS="-I/usr/local/include" ./configure if needed.
-
-20040122
- - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/
-   GSSAPI detection, libs and includes.  ok djm@
- - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not
-   just HEIMDAL.
- - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of
-   /usr/local being a symbolic link. Fixes problem reported by Henry Grebler.
-
-20040121
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2004/01/13 09:25:05
-     [sftp-int.c sftp.1 sftp.c]
-     Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
-     enable use of "-b -" to accept batchfile from stdin; ok markus@
-   - jmc@cvs.openbsd.org 2004/01/13 12:17:33
-     [sftp.1]
-     remove unnecessary Ic's;
-     kill whitespace at EOL;
-     ok djm@
-   - markus@cvs.openbsd.org 2004/01/13 19:23:15
-     [compress.c session.c]
-     -Wall; ok henning
-   - markus@cvs.openbsd.org 2004/01/13 19:45:15
-     [compress.c]
-     cast for portability; millert@
-   - markus@cvs.openbsd.org 2004/01/19 09:24:21
-     [channels.c]
-     fake consumption for half closed channels since the peer is waiting for
-     window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
-     reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'
-   - markus@cvs.openbsd.org 2004/01/19 21:25:15
-     [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c]
-     fix mem leaks; some fixes from Pete Flugstad; tested dtucker@
-   - djm@cvs.openbsd.org 2004/01/21 03:07:59
-     [sftp.c]
-     initialise infile in main, rather than statically - from portable
-   - deraadt@cvs.openbsd.org 2004/01/11 21:55:06
-     [sshpty.c]
-     for pty opening, only use the openpty() path.  the other stuff only needs
-     to be in openssh-p; markus ok
- - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an
-   openpty() replacement
-
-20040114
- - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits
-   unexpectedly.  with & ok djm@
- - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add
-   test for case where cleanup has already run.
- - (dtucker) [auth-pam.c] Add minor debugging.
-
-20040113
- - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes.  No
-   functional changes.
-
-20040108
- - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and
-   only define if not already.  From des at freebsd.org.
- - (dtucker) [configure.ac] Remove extra (typo) comma.
-
-20040105
- - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails.  Patch from
-   cjwatson at debian.org.
- - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
-   Only enable KerberosGetAFSToken if Heimdal's libkafs is found.  with jakob@
-
-20040102
- - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from
-   jakob@
- - (djm) Remove useless DNS support configure summary message. from jakob@
- - (djm) OSX/Darwin put the PAM headers in a different place, detect this.
-   Report from jakob@
-
-20031231
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/12/22 09:16:58
-     [moduli.c ssh-keygen.1 ssh-keygen.c]
-     tidy up moduli generation debugging, add -v (verbose/debug) option to
-     ssh-keygen; ok markus@
-   - markus@cvs.openbsd.org 2003/12/22 20:29:55
-     [cipher-3des1.c]
-     EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
-   - jakob@cvs.openbsd.org 2003/12/23 16:12:10
-     [servconf.c servconf.h session.c sshd_config]
-     implement KerberosGetAFSToken server option. ok markus@, beck@
-   - millert@cvs.openbsd.org 2003/12/29 16:39:50
-     [sshd_config]
-     KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
-   - dtucker@cvs.openbsd.org 2003/12/31 00:24:50
-     [auth2-passwd.c]
-     Ignore password change request during password auth (which we currently
-     don't support) and discard proposed new password.  corrections/ok markus@
- - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist.
-
-20031219
- - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
-   typedef size_t ourselves.
-
-20031218
- - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban.
- - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
-   authentication.  Partially fixes bug #423.  Feedback & ok djm@
-
-20031217
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/12/09 15:28:43
-     [serverloop.c]
-     make ClientKeepAlive work for ssh -N, too (no login shell requested).
-     1) send a bogus channel request if we find a channel
-     2) send a bogus global request if we don't have a channel
-     ok + test beck@
-   - markus@cvs.openbsd.org 2003/12/09 17:29:04
-     [sshd.c]
-     fix -o and HUP; ok henning@
-   - markus@cvs.openbsd.org 2003/12/09 17:30:05
-     [ssh.c]
-     don't modify argv for ssh -o; similar to sshd.c 1.283
-   - markus@cvs.openbsd.org 2003/12/09 21:53:37
-     [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
-     [ssh_config.5 sshconnect.c sshd.c sshd_config.5]
-     rename keepalive to tcpkeepalive; the old name causes too much
-     confusion; ok djm, dtucker; with help from jmc@
-   - dtucker@cvs.openbsd.org 2003/12/09 23:45:32
-     [clientloop.c]
-     Clear exit code when ssh -N is terminated with a SIGTERM.  ok markus@
-   - markus@cvs.openbsd.org 2003/12/14 12:37:21
-     [ssh_config.5]
-     we don't support GSS KEX; from Simon Wilkinson
-   - markus@cvs.openbsd.org 2003/12/16 15:49:51
-     [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1]
-     [ssh.c ssh_config.5]
-     application layer keep alive (ServerAliveInterval ServerAliveCountMax)
-     for ssh(1), similar to the sshd(8) option; ok beck@; with help from
-     jmc and dtucker@
-   - markus@cvs.openbsd.org 2003/12/16 15:51:54
-     [dh.c]
-     use <= instead of < in dh_estimate; ok provos/hshoexer; 
-     do not return < DH_GRP_MIN
- - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for
-   setres[ug]id() present but not implemented (eg some Linux/glibc
-   combinations).
- - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are
-   using a real 'signal()' (Noticed by a NeXT Compile)
-
-20031209
- - (dtucker) OpenBSD CVS Sync
-   - matthieu@cvs.openbsd.org 2003/11/25 23:10:08
-     [ssh-add.1]
-     ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@.
-   - djm@cvs.openbsd.org 2003/11/26 21:44:29
-     [cipher-aes.c]
-     fix #ifdef before #define; ok markus@
-     (RCS ID sync only, Portable already had this)
-   - markus@cvs.openbsd.org 2003/12/02 12:15:10
-     [progressmeter.c]
-     improvments from andreas@:
-     * saner speed estimate for transfers that takes less than a second by
-       rounding the time to 1 second.
-     * when the transfer is finished calculate the actual total speed
-       rather than the current speed which is given during the transfer
-   - markus@cvs.openbsd.org 2003/12/02 17:01:15
-     [channels.c session.c ssh-agent.c ssh.h sshd.c]
-     use SSH_LISTEN_BACKLOG (=128) in listen(2).
-   - djm@cvs.openbsd.org 2003/12/07 06:34:18
-     [moduli.c]
-     remove unused debugging #define templates
-   - markus@cvs.openbsd.org 2003/12/08 11:00:47
-     [kexgexc.c]
-     print requested group size in debug; ok djm
-   - dtucker@cvs.openbsd.org 2003/12/09 13:52:55
-     [moduli.c]
-     Prevent ssh-keygen -T from outputting moduli with a generator of 0, since
-     they can't be used for Diffie-Hellman.  Assistance and ok djm@
- - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below.
-
-20031208
- - (tim) [configure.ac] Bug 770. Fix --without-rpath.
-
-20031123
- - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own
-   function and call it unconditionally
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/11/23 23:17:34
-     [ssh-keyscan.c]
-     from portable - use sysconf to detect fd limit; ok markus@
-     (tidy diff by adding SSH_SSFDMAX macro to defines.h)
-   - djm@cvs.openbsd.org 2003/11/23 23:18:45
-     [ssh-keygen.c]
-     consistency PATH_MAX -> MAXPATHLEN; ok markus@
-     (RCS ID sync only)
-   - djm@cvs.openbsd.org 2003/11/23 23:21:21
-     [scp.c]
-     from portable: rename clashing variable limit-> limit_rate; ok markus@
-     (RCS ID sync only)
-   - dtucker@cvs.openbsd.org 2003/11/24 00:16:35
-     [ssh.1 ssh.c]
-     Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@
- - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original 
-   source file path (in OpenBSD tree).
-
-20031122
- - (dtucker) [channels.c] Make AIX write limit code clearer.  Suggested by djm@
- - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
-   Move AIX specific password authentication code to port-aix.c, call
-   authenticate() until reenter flag is clear.
- - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net.
-   Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA
-   is enabled, rely on SIA to check for locked accounts if enabled.  ok djm@
- - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch
- - (djm) [sftp-int.c] Remove duplicated code from bogus sync
- - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code
-
-20031121
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/11/20 11:39:28
-     [progressmeter.c]
-     fix rounding errors; from andreas@
-   - djm@cvs.openbsd.org 2003/11/21 11:57:03
-     [everything]
-     unexpand and delete whitespace at EOL; ok markus@
-     (done locally and RCS IDs synced)
-
-20031118
- - (djm) Fix early exit for root auth success when UsePAM=yes and 
-   PermitRootLogin=no
- - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
-   and use it for do_pam_session.  Fixes problems like pam_motd not
-   displaying anything.  ok djm@
- - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2003/11/18 00:40:05
-     [serverloop.c]
-     Correct check for authctxt->valid.  ok djm@
-   - djm@cvs.openbsd.org 2003/11/18 10:53:07
-     [monitor.c]
-     unbreak fake authloop for non-existent users (my screwup). Spotted and
-     tested by dtucker@; ok markus@
-
-20031117
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/11/03 09:03:37
-     [auth-chall.c]
-     make this a little more idiot-proof; ok markus@
-     (includes portable-specific changes)
-   - jakob@cvs.openbsd.org 2003/11/03 09:09:41
-     [sshconnect.c]
-     move changed key warning into warn_changed_key(). ok markus@
-   - jakob@cvs.openbsd.org 2003/11/03 09:37:32
-     [sshconnect.c]
-     do not free static type pointer in warn_changed_key()
-   - djm@cvs.openbsd.org 2003/11/04 08:54:09
-     [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
-     [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
-     [session.c]
-     standardise arguments to auth methods - they should all take authctxt.
-     check authctxt->valid rather then pw != NULL; ok markus@
-   - jakob@cvs.openbsd.org 2003/11/08 16:02:40
-     [auth1.c]
-     remove unused variable (pw). ok djm@
-     (id sync only - still used in portable)
-   - jmc@cvs.openbsd.org 2003/11/08 19:17:29
-     [sftp-int.c]
-     typos from Jonathon Gray;
-   - jakob@cvs.openbsd.org 2003/11/10 16:23:41
-     [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c]
-     [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c]
-     [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h]
-     constify. ok markus@ & djm@
-   - dtucker@cvs.openbsd.org 2003/11/12 10:12:15
-     [scp.c]
-     When called with -q, pass -q to ssh; suppresses SSH2 banner.  ok markus@
-   - jakob@cvs.openbsd.org 2003/11/12 16:39:58
-     [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
-     update SSHFP validation. ok markus@
-   - jmc@cvs.openbsd.org 2003/11/12 20:14:51
-     [ssh_config.5]
-     make verb agree with subject, and kill some whitespace;
-   - markus@cvs.openbsd.org 2003/11/14 13:19:09
-     [sshconnect2.c]
-     cleanup and minor fixes for the client code; from Simon Wilkinson
-   - djm@cvs.openbsd.org 2003/11/17 09:45:39
-     [msg.c msg.h sshconnect2.c ssh-keysign.c]
-     return error on msg send/receive failure (rather than fatal); ok markus@
-   - markus@cvs.openbsd.org 2003/11/17 11:06:07
-     [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
-     [monitor_wrap.h sshconnect2.c ssh-gss.h]
-     replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; 
-     test + ok jakob.
- - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
-   conversation function
- - (djm) Export environment variables from authentication subprocess to 
-   parent. Part of Bug #717
-
-20031115
- - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and
-   HP-UX, skip test on AIX.
-
-20031113
- - (dtucker) [auth-pam.c] Append newlines to lines output by the
-   pam_chauthtok_conv().
- - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
-   contrib/cygwin).  Major update from vinschen at redhat.com.
-   - Makefile provides a `cygwin-postinstall' target to run right after
-     `make install'.
-   - Better support for Windows 2003 Server.
-   - Try to get permissions as correct as possible.
-   - New command line options to allow full automated host configuration.
-   - Create configs from skeletons in /etc/defaults/etc.
-   - Use /bin/bash, allows reading user input with readline support.
-   - Remove really old configs from /usr/local.
- - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and
-   PAM_ERROR_MSG messages.
-
-20031106
- - (djm) Clarify UsePAM consequences a little more
-
-20031103
- - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
-   are created correctly with CRLF line terminations.  Patch from vinschen at
-   redhat.com.
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/10/15 09:48:45
-     [monitor_wrap.c]
-     check pmonitor != NULL
-   - markus@cvs.openbsd.org 2003/10/21 09:50:06
-     [auth2-gss.c]
-     make sure the doid is larger than 2
-   - avsm@cvs.openbsd.org 2003/10/26 16:57:43
-     [sshconnect2.c]
-     rename 'supported' static var in userauth_gssapi() to 'gss_supported'
-     to avoid shadowing the global version.  markus@ ok
-   - markus@cvs.openbsd.org 2003/10/28 09:08:06
-     [misc.c]
-     error->debug for getsockopt+TCP_NODELAY; several requests
-   - markus@cvs.openbsd.org 2003/11/02 11:01:03
-     [auth2-gss.c compat.c compat.h sshconnect2.c]
-     remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
- - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.
-
-20031021
- - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
-   directly.  Noted by Darren.Moffat at sun.com.
- - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set,
-   make agent setgid during test.
-
-20031017
- - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with
-   MD5 passwords even if PAM support is enabled.  From steev at detritus.net.
-
-20031015
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2003/10/08 08:27:36
-     [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8]
-     scp and sftp: add options list and sort options. options list requested
-     by deraadt@
-     sshd: use same format as ssh
-     ssh: remove wrong option from list
-     sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)
-     ok deraadt@ markus@
-   - markus@cvs.openbsd.org 2003/10/08 15:21:24
-     [readconf.c ssh_config.5]
-     default GSS API to no in client, too; ok jakob, deraadt@
-   - markus@cvs.openbsd.org 2003/10/11 08:24:08
-     [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
-     remote x11 clients are now untrusted by default, uses xauth(8) to generate
-     untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
-     ok deraadt; feedback and ok djm/fries
-   - markus@cvs.openbsd.org 2003/10/11 08:26:43
-     [sshconnect2.c]
-     search keys in reverse order; fixes #684
-   - markus@cvs.openbsd.org 2003/10/11 11:36:23
-     [monitor_wrap.c]
-     return NULL for missing banner; ok djm@
-   - jmc@cvs.openbsd.org 2003/10/12 13:12:13
-     [ssh_config.5]
-     note that EnableSSHKeySign should be in the non-hostspecific section;
-     remove unnecessary .Pp;
-     ok markus@
-   - markus@cvs.openbsd.org 2003/10/13 08:22:25
-     [scp.1 sftp.1]
-     don't refer to options related to forwarding; ok jmc@
-   - jakob@cvs.openbsd.org 2003/10/14 19:42:10
-     [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
-     include SSHFP lookup code (not enabled by default). ok markus@
-   - jakob@cvs.openbsd.org 2003/10/14 19:43:23
-     [README.dns]
-     update
-   - markus@cvs.openbsd.org 2003/10/14 19:54:39
-     [session.c ssh-agent.c]
-     10X for mkdtemp; djm@
- - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
-   openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
-   compiled in but disabled in config.
- - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.
- - (tim) [regress/banner.sh] portability fix.
-
-20031009
- - (dtucker) [sshd_config.5] UsePAM defaults to "no".  ok djm@
-
-20031008
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2003/10/07 01:47:27
-     [sshconnect2.c]
-     Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 &
-     #707.  ok markus@
-   - djm@cvs.openbsd.org 2003/10/07 07:04:16
-     [sftp-int.c]
-     sftp quoting fix from admorten AT umich.edu; ok markus@
-   - deraadt@cvs.openbsd.org 2003/10/07 21:58:28
-     [sshconnect2.c]
-     set ptr to NULL after free
-   - dtucker@cvs.openbsd.org 2003/10/07 01:52:13
-     [regress/Makefile regress/banner.sh]
-     Test SSH2 banner.  ok markus@
-   - djm@cvs.openbsd.org 2003/10/07 07:04:52
-     [regress/sftp-cmds.sh]
-     more sftp quoting regress tests; ok markus
-
-20031007
- - (djm) Delete autom4te.cache after autoreconf
- - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static
-   cleanup functions.  With & ok djm@
- - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a
-   run-time switch, always build --with-md5-passwords.
- - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c]
-   Bug #670: add strtoul() to openbsd-compat for platforms lacking it.  ok djm@
- - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID
-   on Reliant Unix.  Patch from Robert.Dahlem at siemens.com.
- - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on
-   Reliant Unix.  Based on patch from Robert.Dahlem at siemens.com.
-
-20031003
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/10/02 10:41:59
-     [sshd.c]
-     print openssl version, too, several requests; ok henning/djm.
-   - markus@cvs.openbsd.org 2003/10/02 08:26:53
-     [ssh-gss.h]
-     missing $OpenBSD:; dtucker
- - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default
-   option.
-
-20031002
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/09/23 20:17:11
-     [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
-     cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
-     monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
-     ssh-agent.c sshd.c]
-     replace fatal_cleanup() and linked list of fatal callbacks with static
-     cleanup_exit() function.  re-refine cleanup_exit() where appropriate,
-     allocate sshd's authctxt eary to allow simpler cleanup in sshd.
-     tested by many, ok deraadt@
-   - markus@cvs.openbsd.org 2003/09/23 20:18:52
-     [progressmeter.c]
-     don't print trailing \0; bug #709; Robert.Dahlem@siemens.com
-     ok millert/deraadt@
-   - markus@cvs.openbsd.org 2003/09/23 20:41:11
-     [channels.c channels.h clientloop.c]
-     move client only agent code to clientloop.c
-   - markus@cvs.openbsd.org 2003/09/26 08:19:29
-     [sshd.c]
-     no need to set the listen sockets to non-block; ok deraadt@
-   - jmc@cvs.openbsd.org 2003/09/29 11:40:51
-     [ssh.1]
-     - add list of options to -o and .Xr ssh_config(5)
-     - some other cleanup
-     requested by deraadt@;
-     ok deraadt@ markus@
-   - markus@cvs.openbsd.org 2003/09/29 20:19:57
-     [servconf.c sshd_config]
-     GSSAPICleanupCreds -> GSSAPICleanupCredentials
- - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring
-   --with-pam.  ok djm@
- - (dtucker) [ssh-gss.h] Prototype change missed in sync.
- - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations.
-   Based on patches by Matthias Koeppe and Thomas Baden.  ok djm@
-
-20030930
- - (bal) Fix issues in openbsd-compat/realpath.c
-
-20030925
- - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove
-   DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam.  Patch from
-   michael_steffens at hp.com, ok djm@
- - (tim) [sshd_config] UsePAM defaults to no.
-
-20030924
- - (djm) Update version.h and spec files for HEAD
- - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6.
-
-20030923
- - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree
-   builds.  Portability corrections from tim@.
- - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X.
-   Patch from max at quendi.de.
- - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi.
- - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64.
- - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS.
-   Patch from david.haughton at ncr.com
- - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6.
-   Part of patch supplied by bugzilla-openssh at thewrittenword.com
- - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c
-   openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with
-   where gai_strerror is defined as "const char *".  Part of patch supplied
-   by bugzilla-openssh at thewrittenword.com
- - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update
-   ssh-host-config to match current defaults, bump README version.  Patch from
-   vinschen at redhat.com.
- - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the
-   OS does not support permanently dropping privileges.  Patch from
-   vinschen at redhat.com.
- - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h,
-   add canohost.h to stop warning.  Based on patch from openssh-unix-dev at
-   thewrittenword.com
- - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or
-   higher.
- - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/
- - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN.
-   Report by distler AT golem ph utexas edu.
- - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from
-   article by genty at austin.ibm.com, included with the author's permission.
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/09/18 07:52:54
-     [sshconnect.c]
-     missing {}; bug #656; jclonguet at free.fr
-   - markus@cvs.openbsd.org 2003/09/18 07:54:48
-     [buffer.c]
-     protect against double free; #660;  zardoz at users.sf.net
-   - markus@cvs.openbsd.org 2003/09/18 07:56:05
-     [authfile.c]
-     missing  buffer_free(&encrypted); #662; zardoz at users.sf.net
-   - markus@cvs.openbsd.org 2003/09/18 08:49:45
-     [deattack.c misc.c session.c ssh-agent.c]
-     more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
-     ok millert@
-   - miod@cvs.openbsd.org 2003/09/18 13:02:21
-     [authfd.c bufaux.c dh.c mac.c ssh-keygen.c]
-     A few signedness fixes for harmless situations; markus@ ok
-   - markus@cvs.openbsd.org 2003/09/19 09:02:02
-     [packet.c]
-     buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
-   - markus@cvs.openbsd.org 2003/09/19 09:03:00
-     [buffer.c]
-     sign fix in buffer_dump; Jedi/Sector One; pr 3473
-   - markus@cvs.openbsd.org 2003/09/19 11:29:40
-     [ssh-agent.c]
-     provide a ssh-agent specific fatal() function; ok deraadt
-   - markus@cvs.openbsd.org 2003/09/19 11:30:39
-     [ssh-keyscan.c]
-     avoid fatal_cleanup, just call exit(); ok deraadt
-   - markus@cvs.openbsd.org 2003/09/19 11:31:33
-     [channels.c]
-     do not call channel_free_all on fatal; ok deraadt
-   - markus@cvs.openbsd.org 2003/09/19 11:33:09
-     [packet.c sshd.c]
-     do not call packet_close on fatal; ok deraadt
-   - markus@cvs.openbsd.org 2003/09/19 17:40:20
-     [scp.c]
-     error handling for remote-remote copy; #638; report Harald Koenig;
-     ok millert, fgs, henning, deraadt
-   - markus@cvs.openbsd.org 2003/09/19 17:43:35
-     [clientloop.c sshtty.c sshtty.h]
-     remove fatal callbacks from client code; ok deraadt
- - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john
-        on #unixhelp@efnet
- - (tim) [configure.ac] add --disable-etc-default-login option. ok djm
- - (djm) Sync with V_3_7 branch:
-   - (djm) Fix SSH1 challenge kludge
-   - (djm) Bug #671: Fix builds on OpenBSD
-   - (djm) Bug #676: Fix PAM stack corruption
-   - (djm) Fix bad free() in PAM code
-   - (djm) Don't call pam_end before pam_init
-   - (djm) Enable build with old OpenSSL again
-   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
-   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-
-$Id: ChangeLog,v 1.4117.2.10 2006/02/11 00:00:44 djm Exp $
+$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $
diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
new file mode 100644
index 000000000..010612c4c
--- /dev/null
+++ b/ChangeLog.gssapi
@@ -0,0 +1,69 @@
+20070317
+  - [ gss-serv-krb5.c ]
+    Remove C99ism, where new_ccname was being declared in the middle of a 
+    function
+
+20061220
+  - [ servconf.c ]
+    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 
+    documented, behaviour. Reported by Dan Watson.
+
+20060910
+  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
+      ssh-gss.h ]
+    add support for gss-group14-sha1 key exchange mechanisms
+  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
+    Add GSSAPIStrictAcceptorCheck option to allow the disabling of
+    acceptor principal checking on multi-homed machines.
+    <Bugzilla #928>
+  - [ sshd_config ssh_config ]
+    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
+    configuration files
+  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
+    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
+    Limit length of error messages displayed by client
+
+20060909
+  - [ gss-genr.c gss-serv.c ]
+    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
+    only, where they belong 
+    <Bugzilla #1225>
+
+20060829
+  - [ gss-serv-krb5.c ]
+    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 
+    variable
+
+20060828
+  - [ gss-genr.c ]
+    Avoid Heimdal context freeing problem
+    <Fixed upstream 20060829>
+
+20060818
+  - [ gss-genr.c ssh-gss.h sshconnect2.c ]
+    Make sure that SPENGO is disabled 
+    <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+  - [ gssgenr.c, sshconnect2.c ]
+    a few type changes (signed versus unsigned, int versus size_t) to
+    fix compiler errors/warnings 
+    (from jbasney AT ncsa.uiuc.edu)
+  - [ kexgssc.c, sshconnect2.c ]
+    fix uninitialized variable warnings
+    (from jbasney AT ncsa.uiuc.edu)
+  - [ gssgenr.c ]
+    pass oid to gss_display_status (helpful when using GSSAPI mechglue)
+    (from jbasney AT ncsa.uiuc.edu)
+    <Bugzilla #1220 >
+  - [ gss-serv-krb5.c ]
+    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+    (from jbasney AT ncsa.uiuc.edu)
+    <Fixed upstream 20060304>
+  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 
+    add client-side GssapiKeyExchange option
+    (from jbasney AT ncsa.uiuc.edu)
+  - [ sshconnect2.c ]
+    add support for GssapiTrustDns option for gssapi-with-mic
+    (from jbasney AT ncsa.uiuc.edu)
+    <gssapi-with-mic support is Bugzilla #1008>
diff --git a/INSTALL b/INSTALL
index 753d2d061..af02c0b49 100644
--- a/INSTALL
+++ b/INSTALL
@@ -12,6 +12,8 @@ http://www.openssl.org/
 (OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
 Blowfish) do not work correctly.)
 
+The remaining items are optional.
+
 OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
 supports it. PAM is standard on Redhat and Debian Linux, Solaris and
 HP-UX 11.
@@ -57,13 +59,30 @@ installed.  No other S/Key library is currently known to be supported.
 http://www.sparc.spb.su/solaris/skey/
 
 LibEdit:
-sftp now supports command-line editing via NetBSD's libedit.  If your
-platform has it available natively you can use that, alternatively
-you might try these multi-platform ports:
+
+sftp supports command-line editing via NetBSD's libedit.  If your platform
+has it available natively you can use that, alternatively you might try
+these multi-platform ports:
 
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
 
+Autoconf:
+
+If you modify configure.ac or configure doesn't exist (eg if you checked
+the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
+the automatically generated files by running "autoreconf".  Earlier
+version may also work but this is not guaranteed.
+
+http://www.gnu.org/software/autoconf/
+
+Basic Security Module (BSM):
+
+Native BSM support is know to exist in Solaris from at least 2.5.1,
+FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
+implementation (http://www.openbsm.org).
+
+
 2. Building / Installation
 --------------------------
 
@@ -113,6 +132,10 @@ name).
 
 There are a few other options to the configure script:
 
+--with-audit=[module] enable additional auditing via the specified module.
+Currently, drivers for "debug" (additional info via syslog) and "bsm"
+(Sun's Basic Security Module) are supported.
+
 --with-pam enables PAM support. If PAM support is compiled in, it must
 also be enabled in sshd_config (refer to the UsePAM directive).
 
@@ -165,6 +188,8 @@ created.
 --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
 are installed.
 
+--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
+
 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
 
@@ -208,7 +233,8 @@ for sshd, ssh and ssh-agent.
 -------------------------
 
 $ make survey
-[check the contents and make sure there's no sensitive information]
+[check the contents of the file "survey" to ensure there's no information
+that you consider sensitive]
 $ make send-survey
 
 This will send configuration information for the currently configured
@@ -225,4 +251,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
+$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index ac3634f22..0c2ff067a 100644
--- a/LICENCE
+++ b/LICENCE
@@ -287,6 +287,8 @@ OpenSSH contains no GPL code.
 
         Internet Software Consortium.
         Todd C. Miller
+        Reyk Floeter
+        Chad Mynhier
 
         * Permission to use, copy, modify, and distribute this software for any
         * purpose with or without fee is hereby granted, provided that the above
diff --git a/Makefile.in b/Makefile.in
index ea738aac1..1e79ab913 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $
+# $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -11,6 +11,7 @@ bindir=@bindir@
 sbindir=@sbindir@
 libexecdir=@libexecdir@
 datadir=@datadir@
+datarootdir=@datarootdir@
 mandir=@mandir@
 mansubdir=@mansubdir@
 sysconfdir=@sysconfdir@
@@ -44,6 +45,7 @@ CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBSELINUX=@LIBSELINUX@
+SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -63,11 +65,11 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
 
-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \
+LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
         cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
         compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
-        log.o match.o moduli.o nchan.o packet.o \
+        log.o match.o md-sha256.o moduli.o nchan.o packet.o \
         readpass.o rsa.o ttymodes.o xmalloc.o \
         atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
         monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
@@ -78,7 +80,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
         sshconnect.o sshconnect1.o sshconnect2.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-        sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
+        sshpty.o sshlogin.o servconf.o serverloop.o \
         auth.o auth1.o auth2.o auth-options.o session.o \
         auth-chall.o auth2-chall.o groupaccess.o \
         auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
@@ -87,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         auth-krb5.o \
         auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
         loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-        audit.o audit-bsm.o
+        audit.o audit-bsm.o platform.o
 
 MANPAGES        = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
@@ -108,7 +110,7 @@ PATHSUBS	= \
         -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
         -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
         -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-        -e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \
+        -e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
         -e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
         -e 's|/var/empty|$(PRIVSEP_PATH)|g' \
         -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
@@ -137,7 +139,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
         $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
+        $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
         $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -202,8 +204,9 @@ clean:	regressclean
 
 distclean:      regressclean
         rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-        rm -f *.out core opensshd.init
-        rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds survey.sh *~
+        rm -f *.out core opensshd.init openssh.xml
+        rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds
+        rm -f survey.sh openbsd-compat/regress/Makefile *~ 
         rm -rf autom4te.cache
         (cd openbsd-compat && $(MAKE) distclean)
         (cd scard && $(MAKE) distclean)
@@ -411,6 +414,9 @@ tests:	$(TARGETS)
                 EXEEXT="$(EXEEXT)" \
                 $@
 
+compat-tests: $(LIBCOMPAT)
+        (cd openbsd-compat/regress && $(MAKE))
+
 regressclean:
         if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
                 (cd regress && $(MAKE) clean) \
diff --git a/OVERVIEW b/OVERVIEW
index d1a768c10..2e1cc0ba3 100644
--- a/OVERVIEW
+++ b/OVERVIEW
@@ -162,8 +162,7 @@ these programs.
     - There are several other files in the distribution that contain
       various auxiliary routines:
         ssh.h        the main header file for ssh (various definitions)
-        getput.h     byte-order independent storage of integers
-        includes.h   includes most system headers.  Lots of #ifdefs.
-        tildexpand.c expand tilde in file names
         uidswap.c    uid-swapping
         xmalloc.c    "safe" malloc routines
+
+$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $
diff --git a/README b/README
index c8c413195..0c732cffe 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-4.3p2 for the release notes.
+See http://www.openssh.com/txt/release-4.6 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.61.2.1 2006/02/10 23:43:34 dtucker Exp $
+$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $
diff --git a/README.platform b/README.platform
index 4c18a3278..b7dc3f91c 100644
--- a/README.platform
+++ b/README.platform
@@ -30,6 +30,18 @@ gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
 openssl-devel, zlib, minres, minires-devel.
 
 
+Darwin and MacOS X
+------------------
+Darwin does not provide a tun(4) driver required for OpenSSH-based
+virtual private networks. The BSD manpage still exists, but the driver
+has been removed in recent releases of Darwin and MacOS X.
+
+Nevertheless, tunnel support is known to work with Darwin 8 and
+MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
+using a third party driver. More information is available at:
+        http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
+
+
 Solaris
 -------
 If you enable BSM auditing on Solaris, you need to update audit_event(4)
@@ -55,4 +67,4 @@ account stacks which will prevent authentication entirely, but will still
 return the output from pam_nologin to the client.
 
 
-$Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $
+$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
diff --git a/README.tun b/README.tun
index d814f396d..5e1cb074c 100644
--- a/README.tun
+++ b/README.tun
@@ -87,12 +87,12 @@ combination with layer 2 tunneling and Ethernet bridging.
 | Client |------(  Internet  )-----| access.somewhere.net |
 +--------+       (          )      +----------------------+
     : 192.168.1.78                             |
-    :.............................         +-------+       
+    :.............................         +-------+
      Forwarded ssh connection    :         | dmzgw |
      Layer 2 tunnel              :         +-------+
                                  :             |
                                  :             |
-                                 :      +------------+  
+                                 :      +------------+
                                  :......| sshgateway |
                                       | +------------+
 --- real connection                 Bridge ->  |          +----------+
@@ -104,7 +104,7 @@ combination with layer 2 tunneling and Ethernet bridging.
 
 Finally connect to the OpenSSH server to establish the tunnel by using
 the following command:
-        
+
         ssh sshgateway
 
 It is also possible to tell the client to fork into the background after
@@ -129,4 +129,4 @@ interconnect corporate networks.
 
         Reyk Floeter
 
-$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
+$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
diff --git a/acss.c b/acss.c
index 99efde071..86e2c01a8 100644
--- a/acss.c
+++ b/acss.c
@@ -1,4 +1,4 @@
-/*      $Id: acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $ */
+/*      $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
 /*
  * Copyright (c) 2004 The OpenBSD project
  *
@@ -16,6 +16,9 @@
  */
 
 #include "includes.h"
+
+#include <string.h>
+
 #include <openssl/evp.h>
 
 #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
diff --git a/atomicio.c b/atomicio.c
index 12abbda16..f651a292c 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,6 @@
+/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
 /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
  * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
  * All rights reserved.
@@ -25,7 +27,12 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
+
+#include <sys/param.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <string.h>
 
 #include "atomicio.h"
 
@@ -33,11 +40,7 @@ RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
  * ensure all of data on socket comes through. f==read || f==vwrite
  */
 size_t
-atomicio(f, fd, _s, n)
-        ssize_t (*f) (int, void *, size_t);
-        int fd;
-        void *_s;
-        size_t n;
+atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
 {
         char *s = _s;
         size_t pos = 0;
@@ -58,8 +61,60 @@ atomicio(f, fd, _s, n)
                         errno = EPIPE;
                         return pos;
                 default:
-                        pos += (u_int)res;
+                        pos += (size_t)res;
                 }
         }
         return (pos);
 }
+
+/*
+ * ensure all of data on socket comes through. f==readv || f==writev
+ */
+size_t
+atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
+    const struct iovec *_iov, int iovcnt)
+{
+        size_t pos = 0, rem;
+        ssize_t res;
+        struct iovec iov_array[IOV_MAX], *iov = iov_array;
+
+        if (iovcnt > IOV_MAX) {
+                errno = EINVAL;
+                return 0;
+        }
+        /* Make a copy of the iov array because we may modify it below */
+        memcpy(iov, _iov, iovcnt * sizeof(*_iov));
+
+        for (; iovcnt > 0 && iov[0].iov_len > 0;) {
+                res = (f) (fd, iov, iovcnt);
+                switch (res) {
+                case -1:
+                        if (errno == EINTR || errno == EAGAIN)
+                                continue;
+                        return 0;
+                case 0:
+                        errno = EPIPE;
+                        return pos;
+                default:
+                        rem = (size_t)res;
+                        pos += rem;
+                        /* skip completed iov entries */
+                        while (iovcnt > 0 && rem >= iov[0].iov_len) {
+                                rem -= iov[0].iov_len;
+                                iov++;
+                                iovcnt--;
+                        }
+                        /* This shouldn't happen... */
+                        if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
+                                errno = EFAULT;
+                                return 0;
+                        }
+                        if (iovcnt == 0)
+                                break;
+                        /* update pointer in partially complete iov */
+                        iov[0].iov_base = ((char *)iov[0].iov_base) + rem;
+                        iov[0].iov_len -= rem;
+                }
+        }
+        return pos;
+}
diff --git a/atomicio.h b/atomicio.h
index 7eccf206b..2fcd25d43 100644
--- a/atomicio.h
+++ b/atomicio.h
@@ -1,6 +1,7 @@
-/*      $OpenBSD: atomicio.h,v 1.6 2005/05/24 17:32:43 avsm Exp $       */
+/* $OpenBSD: atomicio.h,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
+ * Copyright (c) 2006 Damien Miller.  All rights reserved.
  * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
  * All rights reserved.
  *
@@ -25,9 +26,20 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#ifndef _ATOMICIO_H
+#define _ATOMICIO_H
+
 /*
  * Ensure all of data on socket comes through. f==read || f==vwrite
  */
 size_t  atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
 
 #define vwrite (ssize_t (*)(int, void *, size_t))write
+
+/*
+ * ensure all of data on socket comes through. f==readv || f==writev
+ */
+size_t  atomiciov(ssize_t (*)(int, const struct iovec *, int),
+    int, const struct iovec *, int);
+
+#endif /* _ATOMICIO_H */
diff --git a/audit-bsm.c b/audit-bsm.c
index c2679d3da..c26b4caed 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -1,4 +1,4 @@
-/* $Id: audit-bsm.c,v 1.1 2005/02/20 10:08:00 dtucker Exp $ */
+/* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */
 
 /*
  * TODO
@@ -37,8 +37,16 @@
 #include "includes.h"
 #if defined(USE_BSM_AUDIT)
 
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <unistd.h>
+
 #include "ssh.h"
 #include "log.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "xmalloc.h"
 
diff --git a/audit.c b/audit.c
index c77d0c012..dbea34cb2 100644
--- a/audit.c
+++ b/audit.c
@@ -1,4 +1,4 @@
-/* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */
+/* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
@@ -26,10 +26,15 @@
 
 #include "includes.h"
 
+#include <stdarg.h>
+#include <string.h>
+
 #ifdef SSH_AUDIT_EVENTS
 
 #include "audit.h"
 #include "log.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 
 /*
diff --git a/audit.h b/audit.h
index 78e58966f..695f72354 100644
--- a/audit.h
+++ b/audit.h
@@ -1,4 +1,4 @@
-/* $Id: audit.h,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */
+/* $Id: audit.h,v 1.3 2006/08/05 14:05:10 dtucker Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
@@ -24,8 +24,6 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "auth.h"
-
 #ifndef _SSH_AUDIT_H
 # define _SSH_AUDIT_H
 enum ssh_audit_event_type {
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 920c977d8..37d527d11 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-bsdauth.c,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -21,13 +22,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
 
 #ifdef BSD_AUTH
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
+#include "buffer.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 static void *
@@ -69,9 +80,8 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
         *name = xstrdup("");
         *infotxt = xstrdup("");
         *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
-        (*echo_on)[0] = 0;
+        *prompts = xcalloc(*numprompts, sizeof(char *));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
         (*prompts)[0] = xstrdup(challenge);
 
         return 0;
diff --git a/auth-chall.c b/auth-chall.c
index e4f783096..919b1eaa4 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,11 +24,16 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
-#include "xmalloc.h"
 #include "servconf.h"
 
 /* limited protocol v1 interface to kbd-interactive authentication */
diff --git a/auth-krb5.c b/auth-krb5.c
index bc37675a2..38164fda8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  *    Kerberos v5 authentication and ticket-passing routines.
  *
@@ -28,18 +29,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 
+#include <sys/types.h>
+#include <pwd.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "uidswap.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 
 #ifdef KRB5
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
 #include <krb5.h>
 
 extern ServerOptions     options;
diff --git a/auth-options.c b/auth-options.c
index ad97e6129..ca5e1c931 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -10,18 +11,31 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
+
+#include <sys/types.h>
+
+#include <netdb.h>
+#include <pwd.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "match.h"
 #include "log.h"
 #include "canohost.h"
+#include "buffer.h"
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
 #include "misc.h"
-#include "monitor_wrap.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "monitor_wrap.h"
 
 /* Flags set authorized_keys flags */
 int no_port_forwarding_flag = 0;
@@ -131,7 +145,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 forced_command = NULL;
                                 goto bad_option;
                         }
-                        forced_command[i] = 0;
+                        forced_command[i] = '\0';
                         auth_debug_add("Forced command: %.900s", forced_command);
                         opts++;
                         goto next_option;
@@ -163,7 +177,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 xfree(s);
                                 goto bad_option;
                         }
-                        s[i] = 0;
+                        s[i] = '\0';
                         auth_debug_add("Adding to environment: %.900s", s);
                         debug("Adding to environment: %.900s", s);
                         opts++;
@@ -200,7 +214,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 xfree(patterns);
                                 goto bad_option;
                         }
-                        patterns[i] = 0;
+                        patterns[i] = '\0';
                         opts++;
                         if (match_host_and_ip(remote_host, remote_ip,
                             patterns) != 1) {
@@ -245,7 +259,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 xfree(patterns);
                                 goto bad_option;
                         }
-                        patterns[i] = 0;
+                        patterns[i] = '\0';
                         opts++;
                         p = patterns;
                         host = hpdelim(&p);
@@ -293,7 +307,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 forced_tun_device = -1;
                                 goto bad_option;
                         }
-                        tun[i] = 0;
+                        tun[i] = '\0';
                         forced_tun_device = a2tun(tun, NULL);
                         xfree(tun);
                         if (forced_tun_device == SSH_TUNID_ERR) {
diff --git a/auth-options.h b/auth-options.h
index 3cd02a71f..853f8b517 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $  */
+/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/auth-pam.c b/auth-pam.c
index fb9ae954a..c08d47229 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,16 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -63,20 +72,31 @@ RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
 # define sshpam_const   const   /* LinuxPAM, OpenPAM */
 #endif
 
+/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
+#ifdef PAM_SUN_CODEBASE
+# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
+#else
+# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
+#endif
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-pam.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "canohost.h"
 #include "log.h"
-#include "monitor_wrap.h"
 #include "msg.h"
 #include "packet.h"
 #include "misc.h"
 #include "servconf.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "auth-options.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "monitor_wrap.h"
 
 extern ServerOptions options;
 extern Buffer loginmsg;
@@ -146,14 +166,16 @@ sshpam_sigchld_handler(int sig)
                 fatal("PAM: authentication thread exited uncleanly");
 }
 
+/* ARGSUSED */
 static void
-pthread_exit(void *value __unused)
+pthread_exit(void *value)
 {
         _exit(0);
 }
 
+/* ARGSUSED */
 static int
-pthread_create(sp_pthread_t *thread, const void *attr __unused,
+pthread_create(sp_pthread_t *thread, const void *attr,
     void *(*thread_start)(void *), void *arg)
 {
         pid_t pid;
@@ -185,8 +207,9 @@ pthread_cancel(sp_pthread_t thread)
         return (kill(thread, SIGTERM));
 }
 
+/* ARGSUSED */
 static int
-pthread_join(sp_pthread_t thread, void **value __unused)
+pthread_join(sp_pthread_t thread, void **value)
 {
         int status;
 
@@ -284,7 +307,10 @@ import_environments(Buffer *b)
 
         /* Import environment from subprocess */
         num_env = buffer_get_int(b);
-        sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
+        if (num_env > 1024)
+                fatal("%s: received %u environment variables, expected <= 1024",
+                    __func__, num_env);
+        sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env));
         debug3("PAM: num env strings %d", num_env);
         for(i = 0; i < num_env; i++)
                 sshpam_env[i] = buffer_get_string(b, NULL);
@@ -331,9 +357,8 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
         if (n <= 0 || n > PAM_MAX_NUM_MSG)
                 return (PAM_CONV_ERR);
 
-        if ((reply = malloc(n * sizeof(*reply))) == NULL)
+        if ((reply = calloc(n, sizeof(*reply))) == NULL)
                 return (PAM_CONV_ERR);
-        memset(reply, 0, n * sizeof(*reply));
 
         buffer_init(&buffer);
         for (i = 0; i < n; ++i) {
@@ -412,10 +437,16 @@ sshpam_thread(void *ctxtp)
         u_int i;
         const char *pam_user;
         const char **ptr_pam_user = &pam_user;
+        char *tz = getenv("TZ");
 
         pam_get_item(sshpam_handle, PAM_USER,
             (sshpam_const void **)ptr_pam_user);
+
         environ[0] = NULL;
+        if (tz != NULL)
+                if (setenv("TZ", tz, 1) == -1)
+                        error("PAM: could not set TZ environment: %s",
+                            strerror(errno));
 
         if (sshpam_authctxt != NULL) {
                 setproctitle("%s [pam]",
@@ -439,8 +470,10 @@ sshpam_thread(void *ctxtp)
                 goto auth_fail;
 
         if (compat20) {
-                if (!do_pam_account())
+                if (!do_pam_account()) {
+                        sshpam_err = PAM_ACCT_EXPIRED;
                         goto auth_fail;
+                }
                 if (sshpam_authctxt->force_pwchange) {
                         sshpam_err = pam_chauthtok(sshpam_handle,
                             PAM_CHANGE_EXPIRED_AUTHTOK);
@@ -482,7 +515,10 @@ sshpam_thread(void *ctxtp)
         buffer_put_cstring(&buffer,
             pam_strerror(sshpam_handle, sshpam_err));
         /* XXX - can't do much about an error here */
-        ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+        if (sshpam_err == PAM_ACCT_EXPIRED)
+                ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+        else
+                ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
         buffer_free(&buffer);
         pthread_exit(NULL);
 
@@ -529,9 +565,8 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
         if (n <= 0 || n > PAM_MAX_NUM_MSG)
                 return (PAM_CONV_ERR);
 
-        if ((reply = malloc(n * sizeof(*reply))) == NULL)
+        if ((reply = calloc(n, sizeof(*reply))) == NULL)
                 return (PAM_CONV_ERR);
-        memset(reply, 0, n * sizeof(*reply));
 
         for (i = 0; i < n; ++i) {
                 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
@@ -638,8 +673,11 @@ sshpam_init_ctx(Authctxt *authctxt)
         int socks[2];
 
         debug3("PAM: %s entering", __func__);
-        /* Refuse to start if we don't have PAM enabled */
-        if (!options.use_pam)
+        /*
+         * Refuse to start if we don't have PAM enabled or do_pam_account
+         * has previously failed.
+         */
+        if (!options.use_pam || sshpam_account_status == 0)
                 return NULL;
 
         /* Initialize PAM */
@@ -699,7 +737,7 @@ sshpam_query(void *ctx, char **name, char **info,
                 case PAM_PROMPT_ECHO_OFF:
                         *num = 1;
                         len = plen + mlen + 1;
-                        **prompts = xrealloc(**prompts, len);
+                        **prompts = xrealloc(**prompts, 1, len);
                         strlcpy(**prompts + plen, msg, len - plen);
                         plen += mlen;
                         **echo_on = (type == PAM_PROMPT_ECHO_ON);
@@ -709,21 +747,25 @@ sshpam_query(void *ctx, char **name, char **info,
                 case PAM_TEXT_INFO:
                         /* accumulate messages */
                         len = plen + mlen + 2;
-                        **prompts = xrealloc(**prompts, len);
+                        **prompts = xrealloc(**prompts, 1, len);
                         strlcpy(**prompts + plen, msg, len - plen);
                         plen += mlen;
                         strlcat(**prompts + plen, "\n", len - plen);
                         plen++;
                         xfree(msg);
                         break;
+                case PAM_ACCT_EXPIRED:
+                        sshpam_account_status = 0;
+                        /* FALLTHROUGH */
                 case PAM_AUTH_ERR:
-                        debug3("PAM: PAM_AUTH_ERR");
+                        debug3("PAM: %s", pam_strerror(sshpam_handle, type));
                         if (**prompts != NULL && strlen(**prompts) != 0) {
                                 *info = **prompts;
                                 **prompts = NULL;
                                 *num = 0;
                                 **echo_on = 0;
                                 ctxt->pam_done = -1;
+                                xfree(msg);
                                 return 0;
                         }
                         /* FALLTHROUGH */
@@ -930,9 +972,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
         if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
                 return (PAM_CONV_ERR);
 
-        if ((reply = malloc(n * sizeof(*reply))) == NULL)
+        if ((reply = calloc(n, sizeof(*reply))) == NULL)
                 return (PAM_CONV_ERR);
-        memset(reply, 0, n * sizeof(*reply));
 
         for (i = 0; i < n; ++i) {
                 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
diff --git a/auth-passwd.c b/auth-passwd.c
index 6e6d0d76a..be6283796 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-passwd.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -36,12 +37,20 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
+
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
 
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
 #include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
 
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index c31f2b97b..eca750275 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-rh-rsa.c,v 1.42 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -13,18 +14,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
+
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <stdarg.h>
 
 #include "packet.h"
 #include "uidswap.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
 #include "pathnames.h"
 #include "auth.h"
 #include "canohost.h"
-
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 /* import */
diff --git a/auth-rhosts.c b/auth-rhosts.c
index aaba8557e..cd0a7967a 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -14,14 +15,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#ifdef HAVE_NETGROUP_H
+# include <netgroup.h>
+#endif
+#include <pwd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
 
 #include "packet.h"
+#include "buffer.h"
 #include "uidswap.h"
 #include "pathnames.h"
 #include "log.h"
 #include "servconf.h"
 #include "canohost.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 
 /* import */
diff --git a/auth-rsa.c b/auth-rsa.c
index d9c9652dc..69f9a5896 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-rsa.c,v 1.72 2006/11/06 21:25:27 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -14,23 +15,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/stat.h>
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
 
+#include <pwd.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "rsa.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "ssh1.h"
 #include "uidswap.h"
 #include "match.h"
+#include "buffer.h"
 #include "auth-options.h"
 #include "pathnames.h"
 #include "log.h"
 #include "servconf.h"
-#include "auth.h"
+#include "key.h"
 #include "hostfile.h"
+#include "auth.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "ssh.h"
 #include "misc.h"
@@ -63,10 +76,12 @@ auth_rsa_generate_challenge(Key *key)
         if ((challenge = BN_new()) == NULL)
                 fatal("auth_rsa_generate_challenge: BN_new() failed");
         /* Generate a random challenge. */
-        BN_rand(challenge, 256, 0, 0);
+        if (BN_rand(challenge, 256, 0, 0) == 0)
+                fatal("auth_rsa_generate_challenge: BN_rand failed");
         if ((ctx = BN_CTX_new()) == NULL)
-                fatal("auth_rsa_generate_challenge: BN_CTX_new() failed");
-        BN_mod(challenge, challenge, key->rsa->n, ctx);
+                fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
+        if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
+                fatal("auth_rsa_generate_challenge: BN_mod failed");
         BN_CTX_free(ctx);
 
         return challenge;
@@ -137,7 +152,7 @@ auth_rsa_challenge_dialog(Key *key)
         /* Wait for a response. */
         packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
         for (i = 0; i < 16; i++)
-                response[i] = packet_get_char();
+                response[i] = (u_char)packet_get_char();
         packet_check_eom();
 
         success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
diff --git a/auth-shadow.c b/auth-shadow.c
index 59737b93c..8b3160aee 100644
--- a/auth-shadow.c
+++ b/auth-shadow.c
@@ -23,11 +23,14 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-shadow.c,v 1.7 2005/07/17 07:04:47 djm Exp $");
 
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 #include <shadow.h>
+#include <stdarg.h>
+#include <string.h>
 
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "buffer.h"
 #include "log.h"
diff --git a/auth-sia.c b/auth-sia.c
index af7182b48..a9e1c258c 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -25,14 +25,6 @@
 #include "includes.h"
 
 #ifdef HAVE_OSF_SIA
-#include "ssh.h"
-#include "auth.h"
-#include "auth-sia.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "uidswap.h"
-
 #include <sia.h>
 #include <siad.h>
 #include <pwd.h>
@@ -40,8 +32,19 @@
 #include <setjmp.h>
 #include <sys/resource.h>
 #include <unistd.h>
+#include <stdarg.h>
 #include <string.h>
 
+#include "ssh.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+#include "uidswap.h"
+
 extern ServerOptions options;
 extern int saved_argc;
 extern char **saved_argv;
diff --git a/auth-skey.c b/auth-skey.c
index f676dbec9..cb43dba48 100644
--- a/auth-skey.c
+++ b/auth-skey.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -21,15 +22,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
 
 #ifdef SKEY
 
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <stdio.h>
+
 #include <skey.h>
 
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
+#include "ssh-gss.h"
 #include "monitor_wrap.h"
 
 static void *
@@ -43,26 +52,20 @@ skey_query(void *ctx, char **name, char **infotxt,
     u_int* numprompts, char ***prompts, u_int **echo_on)
 {
         Authctxt *authctxt = ctx;
-        char challenge[1024], *p;
-        int len;
+        char challenge[1024];
         struct skey skey;
 
         if (_compat_skeychallenge(&skey, authctxt->user, challenge,
             sizeof(challenge)) == -1)
                 return -1;
 
-        *name  = xstrdup("");
-        *infotxt  = xstrdup("");
+        *name = xstrdup("");
+        *infotxt = xstrdup("");
         *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
-        (*echo_on)[0] = 0;
-
-        len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
-        p = xmalloc(len);
-        strlcpy(p, challenge, len);
-        strlcat(p, SKEY_PROMPT, len);
-        (*prompts)[0] = p;
+        *prompts = xcalloc(*numprompts, sizeof(char *));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
+
+        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
 
         return 0;
 }
diff --git a/auth.c b/auth.c
index 2dc5c2be6..505102f8a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,39 +24,56 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <pwd.h>
 #ifdef HAVE_LOGIN_H
 #include <login.h>
 #endif
 #ifdef USE_SHADOW
 #include <shadow.h>
 #endif
-
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
 
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
 #include "canohost.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "uidswap.h"
 #include "misc.h"
-#include "bufaux.h"
 #include "packet.h"
 #include "loginrec.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
+extern int use_privsep;
 extern Buffer loginmsg;
+extern struct passwd *privsep_pw;
 
 /* Debugging messages */
 Buffer auth_debug;
@@ -231,6 +249,9 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
         void (*authlog) (const char *fmt,...) = verbose;
         char *authmsg;
 
+        if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
+                return;
+
         /* Raise logging level */
         if (authenticated == 1 ||
             !authctxt->valid ||
@@ -259,44 +280,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
             strcmp(method, "challenge-response") == 0))
                 record_failed_login(authctxt->user,
                     get_canonical_hostname(options.use_dns), "ssh");
+# ifdef WITH_AIXAUTHENTICATE
+        if (authenticated)
+                sys_auth_record_login(authctxt->user,
+                    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
-        if (authenticated == 0 && !authctxt->postponed) {
-                ssh_audit_event_t event;
-
-                debug3("audit failed auth attempt, method %s euid %d",
-                    method, (int)geteuid());
-                /*
-                 * Because the auth loop is used in both monitor and slave,
-                 * we must be careful to send each event only once and with
-                 * enough privs to write the event.
-                 */
-                event = audit_classify_auth(method);
-                switch(event) {
-                case SSH_AUTH_FAIL_NONE:
-                case SSH_AUTH_FAIL_PASSWD:
-                case SSH_AUTH_FAIL_KBDINT:
-                        if (geteuid() == 0)
-                                audit_event(event);
-                        break;
-                case SSH_AUTH_FAIL_PUBKEY:
-                case SSH_AUTH_FAIL_HOSTBASED:
-                case SSH_AUTH_FAIL_GSSAPI:
-                        /*
-                         * This is required to handle the case where privsep
-                         * is enabled but it's root logging in, since
-                         * use_privsep won't be cleared until after a
-                         * successful login.
-                         */
-                        if (geteuid() == 0)
-                                audit_event(event);
-                        else
-                                PRIVSEP(audit_event(event));
-                        break;
-                default:
-                        error("unknown authentication audit event %d", event);
-                }
-        }
+        if (authenticated == 0 && !authctxt->postponed)
+                audit_event(audit_classify_auth(method));
 #endif
 }
 
@@ -309,7 +301,6 @@ auth_root_allowed(char *method)
         switch (options.permit_root_login) {
         case PERMIT_YES:
                 return 1;
-                break;
         case PERMIT_NO_PASSWD:
                 if (strcmp(method, "password") != 0)
                         return 1;
@@ -336,7 +327,8 @@ auth_root_allowed(char *method)
 static char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
-        char *file, *ret;
+        char *file, ret[MAXPATHLEN];
+        int i;
 
         file = percent_expand(filename, "h", pw->pw_dir,
             "u", pw->pw_name, (char *)NULL);
@@ -348,14 +340,11 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
         if (*file == '/')
                 return (file);
 
-        ret = xmalloc(MAXPATHLEN);
-        if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
-            strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
-            strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
+        i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
+        if (i < 0 || (size_t)i >= sizeof(ret))
                 fatal("expand_authorized_keys: path too long");
-
         xfree(file);
-        return (ret);
+        return (xstrdup(ret));
 }
 
 char *
@@ -492,6 +481,9 @@ getpwnamallow(const char *user)
 #endif
         struct passwd *pw;
 
+        parse_server_match_config(&options, user,
+            get_canonical_hostname(options.use_dns), get_remote_ipaddr());
+
         pw = getpwnam(user);
         if (pw == NULL) {
                 logit("Invalid user %.100s from %.100s",
@@ -577,8 +569,8 @@ fakepw(void)
         fake.pw_passwd =
             "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
         fake.pw_gecos = "NOUSER";
-        fake.pw_uid = (uid_t)-1;
-        fake.pw_gid = (gid_t)-1;
+        fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
+        fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
 #ifdef HAVE_PW_CLASS_IN_PASSWD
         fake.pw_class = "";
 #endif
diff --git a/auth.h b/auth.h
index e76cf871a..6c22fabcc 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $   */
+/* $OpenBSD: auth.h,v 1.58 2006/08/18 09:15:20 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -28,9 +28,8 @@
 #ifndef AUTH_H
 #define AUTH_H
 
-#include "key.h"
-#include "hostfile.h"
-#include "buffer.h"
+#include <signal.h>
+
 #include <openssl/rsa.h>
 
 #ifdef HAVE_LOGIN_CAP
@@ -48,7 +47,7 @@ typedef struct Authmethod Authmethod;
 typedef struct KbdintDevice KbdintDevice;
 
 struct Authctxt {
-        int              success;
+        sig_atomic_t     success;
         int              authenticated; /* authenticated and alarms cancelled */
         int              postponed;     /* authentication needs another step */
         int              valid;         /* user exists and is allowed to login */
diff --git a/auth1.c b/auth1.c
index f89c3cf4f..ac8f6414b 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth1.c,v 1.70 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -10,7 +11,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -20,10 +28,15 @@ RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "channels.h"
 #include "session.h"
 #include "uidswap.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "buffer.h"
 
@@ -77,7 +90,7 @@ static const struct AuthMethod1
 {
         int i;
 
-        for(i = 0; auth1_methods[i].name != NULL; i++)
+        for (i = 0; auth1_methods[i].name != NULL; i++)
                 if (auth1_methods[i].type == type)
                         return (&(auth1_methods[i]));
 
@@ -96,6 +109,7 @@ get_authname(int type)
         return (buf);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -120,6 +134,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
         return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -137,6 +152,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
         return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -175,6 +191,7 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
         return (authenticated);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
 {
@@ -193,6 +210,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
         return (-1);
 }
 
+/*ARGSUSED*/
 static int
 auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
 {
diff --git a/auth2-chall.c b/auth2-chall.c
index b147cadf3..51059c2bd 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-chall.c,v 1.32 2007/01/03 03:01:40 stevesk Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -22,14 +23,22 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "ssh2.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "buffer.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "dispatch.h"
 #include "log.h"
 #include "servconf.h"
@@ -197,7 +206,7 @@ auth2_challenge_stop(Authctxt *authctxt)
 {
         /* unregister callback */
         dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-        if (authctxt->kbdintctxt != NULL)  {
+        if (authctxt->kbdintctxt != NULL) {
                 kbdint_free(authctxt->kbdintctxt);
                 authctxt->kbdintctxt = NULL;
         }
@@ -291,7 +300,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
         if (nresp > 100)
                 fatal("input_userauth_info_response: too many replies");
         if (nresp > 0) {
-                response = xmalloc(nresp * sizeof(char *));
+                response = xcalloc(nresp, sizeof(char *));
                 for (i = 0; i < nresp; i++)
                         response[i] = packet_get_string(NULL);
         }
diff --git a/auth2-gss.c b/auth2-gss.c
index 539654ee0..50bdc6452 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $  */
+/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -28,16 +28,22 @@
 
 #ifdef GSSAPI
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "log.h"
 #include "dispatch.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "packet.h"
-#include "monitor_wrap.h"
-
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
 
 extern ServerOptions options;
 
@@ -134,6 +140,8 @@ userauth_gssapi(Authctxt *authctxt)
         }
 
         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+                if (ctxt != NULL)
+                        ssh_gssapi_delete_ctx(&ctxt);
                 xfree(doid);
                 authctxt->server_caused_failure = 1;
                 return (0);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 1111ed67a..663dec5d9 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-hostbased.c,v 1.11 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,19 +24,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.6 2004/01/19 21:25:15 markus Exp $");
 
-#include "ssh2.h"
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <string.h>
+#include <stdarg.h>
+
 #include "xmalloc.h"
+#include "ssh2.h"
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
-#include "bufaux.h"
-#include "auth.h"
 #include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "canohost.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "pathnames.h"
 
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index fa8364975..a4fc9e6f7 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,13 +24,19 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "packet.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
-#include "xmalloc.h"
 
 /* import */
 extern ServerOptions options;
diff --git a/auth2-none.c b/auth2-none.c
index 1c30a3203..952b44824 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-none.c,v 1.13 2006/08/05 07:52:52 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,16 +24,29 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-none.c,v 1.7 2004/05/11 19:01:43 deraadt Exp $");
 
-#include "auth.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/uio.h>
+
+#include <fcntl.h>
+#include <stdarg.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "packet.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "atomicio.h"
 #include "compat.h"
 #include "ssh2.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 /* import */
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 2321ef47b..421c5c25d 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,12 +24,22 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-passwd.c,v 1.5 2003/12/31 00:24:50 dtucker Exp $");
+
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "packet.h"
 #include "log.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
+#include "buffer.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "servconf.h"
 
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index a97d0f430..9863cd9e6 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,23 +24,32 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2-pubkey.c,v 1.9 2004/12/11 01:48:56 dtucker Exp $");
 
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <pwd.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
-#include "bufaux.h"
-#include "auth.h"
 #include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "pathnames.h"
 #include "uidswap.h"
 #include "auth-options.h"
 #include "canohost.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "misc.h"
 
diff --git a/auth2.c b/auth2.c
index a67449db5..6a1653064 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,23 +24,31 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 
-#include "ssh2.h"
+#include <sys/types.h>
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "ssh2.h"
 #include "packet.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "compat.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "dispatch.h"
 #include "pathnames.h"
-#include "monitor_wrap.h"
 #include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
@@ -89,15 +98,12 @@ int user_key_allowed(struct passwd *, Key *);
 void
 do_authentication2(Authctxt *authctxt)
 {
-        /* challenge-response is implemented via keyboard interactive */
-        if (options.challenge_response_authentication)
-                options.kbd_interactive_authentication = 1;
-
         dispatch_init(&dispatch_protocol_error);
         dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
         dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
 }
 
+/*ARGSUSED*/
 static void
 input_service_request(int type, u_int32_t seq, void *ctxt)
 {
@@ -131,6 +137,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
         xfree(service);
 }
 
+/*ARGSUSED*/
 static void
 input_userauth_request(int type, u_int32_t seq, void *ctxt)
 {
diff --git a/authfd.c b/authfd.c
index 8976616b4..61faad123 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,16 +36,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/un.h>
+#include <sys/socket.h>
 
 #include <openssl/evp.h>
 
+#include <openssl/crypto.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "rsa.h"
 #include "buffer.h"
-#include "bufaux.h"
-#include "xmalloc.h"
-#include "getput.h"
 #include "key.h"
 #include "authfd.h"
 #include "cipher.h"
@@ -52,6 +62,7 @@ RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
 #include "compat.h"
 #include "log.h"
 #include "atomicio.h"
+#include "misc.h"
 
 static int agent_present = 0;
 
@@ -103,7 +114,7 @@ ssh_get_authentication_socket(void)
                 close(sock);
                 return -1;
         }
-        if (connect(sock, (struct sockaddr *) &sunaddr, sizeof sunaddr) < 0) {
+        if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
                 close(sock);
                 return -1;
         }
@@ -119,7 +130,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
 
         /* Get the length of the message, and format it in the buffer. */
         len = buffer_len(request);
-        PUT_32BIT(buf, len);
+        put_u32(buf, len);
 
         /* Send the length and then the packet to the agent. */
         if (atomicio(vwrite, auth->fd, buf, 4) != 4 ||
@@ -138,7 +149,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
         }
 
         /* Extract the length, and check it for sanity. */
-        len = GET_32BIT(buf);
+        len = get_u32(buf);
         if (len > 256 * 1024)
                 fatal("Authentication response too long: %u", len);
 
@@ -335,7 +346,6 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
                 break;
         default:
                 return NULL;
-                break;
         }
         /* Decrement the number of remaining entries. */
         auth->howmany--;
@@ -394,7 +404,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
                  * fatal error if the packet is corrupt.
                  */
                 for (i = 0; i < 16; i++)
-                        response[i] = buffer_get_char(&buffer);
+                        response[i] = (u_char)buffer_get_char(&buffer);
         }
         buffer_free(&buffer);
         return success;
@@ -517,7 +527,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
         default:
                 buffer_free(&msg);
                 return 0;
-                break;
         }
         if (constrained) {
                 if (life != 0) {
diff --git a/authfd.h b/authfd.h
index 0a6a4e3ec..3da256112 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: authfd.h,v 1.34 2003/11/21 11:57:03 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,8 +16,6 @@
 #ifndef AUTHFD_H
 #define AUTHFD_H
 
-#include "buffer.h"
-
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES       1
 #define SSH_AGENT_RSA_IDENTITIES_ANSWER         2
diff --git a/authfile.c b/authfile.c
index 420813f37..735c64780 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: authfile.c,v 1.76 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -36,16 +37,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+#include <sys/uio.h>
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 
-#include "cipher.h"
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
+#include "cipher.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "key.h"
 #include "ssh.h"
 #include "log.h"
@@ -184,7 +196,7 @@ key_save_private_pem(Key *key, const char *filename, const char *_passphrase,
                 return 0;
         }
         fp = fdopen(fd, "w");
-        if (fp == NULL ) {
+        if (fp == NULL) {
                 error("fdopen %s failed: %s.", filename, strerror(errno));
                 close(fd);
                 return 0;
@@ -211,12 +223,10 @@ key_save_private(Key *key, const char *filename, const char *passphrase,
         case KEY_RSA1:
                 return key_save_private_rsa1(key, filename, passphrase,
                     comment);
-                break;
         case KEY_DSA:
         case KEY_RSA:
                 return key_save_private_pem(key, filename, passphrase,
                     comment);
-                break;
         default:
                 break;
         }
@@ -507,7 +517,7 @@ key_load_private_pem(int fd, int type, const char *passphrase,
         return prv;
 }
 
-static int
+int
 key_perm_ok(int fd, const char *filename)
 {
         struct stat st;
@@ -537,7 +547,7 @@ key_perm_ok(int fd, const char *filename)
 
 Key *
 key_load_private_type(int type, const char *filename, const char *passphrase,
-    char **commentp)
+    char **commentp, int *perm_ok)
 {
         int fd;
 
@@ -545,22 +555,24 @@ key_load_private_type(int type, const char *filename, const char *passphrase,
         if (fd < 0)
                 return NULL;
         if (!key_perm_ok(fd, filename)) {
+                if (perm_ok != NULL)
+                        *perm_ok = 0;
                 error("bad permissions: ignore key: %s", filename);
                 close(fd);
                 return NULL;
         }
+        if (perm_ok != NULL)
+                *perm_ok = 1;
         switch (type) {
         case KEY_RSA1:
                 return key_load_private_rsa1(fd, filename, passphrase,
                     commentp);
                 /* closes fd */
-                break;
         case KEY_DSA:
         case KEY_RSA:
         case KEY_UNSPEC:
                 return key_load_private_pem(fd, type, passphrase, commentp);
                 /* closes fd */
-                break;
         default:
                 close(fd);
                 break;
diff --git a/authfile.h b/authfile.h
index 7f92701ec..a6c74934d 100644
--- a/authfile.h
+++ b/authfile.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: authfile.h,v 1.10 2002/05/23 19:24:30 markus Exp $    */
+/* $OpenBSD: authfile.h,v 1.13 2006/04/25 08:02:27 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,7 +19,8 @@ int	 key_save_private(Key *, const char *, const char *, const char *);
 Key     *key_load_public(const char *, char **);
 Key     *key_load_public_type(int, const char *, char **);
 Key     *key_load_private(const char *, const char *, char **);
-Key     *key_load_private_type(int, const char *, const char *, char **);
+Key     *key_load_private_type(int, const char *, const char *, char **, int *);
 Key     *key_load_private_pem(int, int, const char *, char **);
+int      key_perm_ok(int, const char *);
 
 #endif
diff --git a/bufaux.c b/bufaux.c
index 106a3a0c7..cbdc22c64 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: bufaux.c,v 1.44 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -37,176 +38,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.37 2005/11/05 05:01:15 djm Exp $");
 
-#include <openssl/bn.h>
-#include "bufaux.h"
-#include "xmalloc.h"
-#include "getput.h"
-#include "log.h"
-
-/*
- * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
- * by (bits+7)/8 bytes of binary data, msb first.
- */
-int
-buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
-{
-        int bits = BN_num_bits(value);
-        int bin_size = (bits + 7) / 8;
-        u_char *buf = xmalloc(bin_size);
-        int oi;
-        char msg[2];
-
-        /* Get the value of in binary */
-        oi = BN_bn2bin(value, buf);
-        if (oi != bin_size) {
-                error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
-                    oi, bin_size);
-                xfree(buf);
-                return (-1);
-        }
-
-        /* Store the number of bits in the buffer in two bytes, msb first. */
-        PUT_16BIT(msg, bits);
-        buffer_append(buffer, msg, 2);
-        /* Store the binary data. */
-        buffer_append(buffer, (char *)buf, oi);
-
-        memset(buf, 0, bin_size);
-        xfree(buf);
-
-        return (0);
-}
-
-void
-buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
-{
-        if (buffer_put_bignum_ret(buffer, value) == -1)
-                fatal("buffer_put_bignum: buffer error");
-}
+#include <sys/types.h>
 
-/*
- * Retrieves an BIGNUM from the buffer.
- */
-int
-buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
-{
-        u_int bits, bytes;
-        u_char buf[2], *bin;
-
-        /* Get the number for bits. */
-        if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
-                error("buffer_get_bignum_ret: invalid length");
-                return (-1);
-        }
-        bits = GET_16BIT(buf);
-        /* Compute the number of binary bytes that follow. */
-        bytes = (bits + 7) / 8;
-        if (bytes > 8 * 1024) {
-                error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
-                return (-1);
-        }
-        if (buffer_len(buffer) < bytes) {
-                error("buffer_get_bignum_ret: input buffer too small");
-                return (-1);
-        }
-        bin = buffer_ptr(buffer);
-        BN_bin2bn(bin, bytes, value);
-        if (buffer_consume_ret(buffer, bytes) == -1) {
-                error("buffer_get_bignum_ret: buffer_consume failed");
-                return (-1);
-        }
-        return (0);
-}
-
-void
-buffer_get_bignum(Buffer *buffer, BIGNUM *value)
-{
-        if (buffer_get_bignum_ret(buffer, value) == -1)
-                fatal("buffer_get_bignum: buffer error");
-}
-
-/*
- * Stores an BIGNUM in the buffer in SSH2 format.
- */
-int
-buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
-{
-        u_int bytes;
-        u_char *buf;
-        int oi;
-        u_int hasnohigh = 0;
-
-        if (BN_is_zero(value)) {
-                buffer_put_int(buffer, 0);
-                return 0;
-        }
-        if (value->neg) {
-                error("buffer_put_bignum2_ret: negative numbers not supported");
-                return (-1);
-        }
-        bytes = BN_num_bytes(value) + 1; /* extra padding byte */
-        if (bytes < 2) {
-                error("buffer_put_bignum2_ret: BN too small");
-                return (-1);
-        }
-        buf = xmalloc(bytes);
-        buf[0] = 0x00;
-        /* Get the value of in binary */
-        oi = BN_bn2bin(value, buf+1);
-        if (oi < 0 || (u_int)oi != bytes - 1) {
-                error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
-                    "oi %d != bin_size %d", oi, bytes);
-                xfree(buf);
-                return (-1);
-        }
-        hasnohigh = (buf[1] & 0x80) ? 0 : 1;
-        buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
-        memset(buf, 0, bytes);
-        xfree(buf);
-        return (0);
-}
-
-void
-buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
-{
-        if (buffer_put_bignum2_ret(buffer, value) == -1)
-                fatal("buffer_put_bignum2: buffer error");
-}
-
-int
-buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
-{
-        u_int len;
-        u_char *bin;
-
-        if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
-                error("buffer_get_bignum2_ret: invalid bignum");
-                return (-1);
-        }
+#include <openssl/bn.h>
 
-        if (len > 0 && (bin[0] & 0x80)) {
-                error("buffer_get_bignum2_ret: negative numbers not supported");
-                xfree(bin);
-                return (-1);
-        }
-        if (len > 8 * 1024) {
-                error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
-                xfree(bin);
-                return (-1);
-        }
-        BN_bin2bn(bin, len, value);
-        xfree(bin);
-        return (0);
-}
+#include <string.h>
+#include <stdarg.h>
 
-void
-buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
-{
-        if (buffer_get_bignum2_ret(buffer, value) == -1)
-                fatal("buffer_get_bignum2: buffer error");
-}
+#include "xmalloc.h"
+#include "buffer.h"
+#include "log.h"
+#include "misc.h"
 
 /*
  * Returns integers from the buffer (msb first).
@@ -219,7 +62,7 @@ buffer_get_short_ret(u_short *ret, Buffer *buffer)
 
         if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
                 return (-1);
-        *ret = GET_16BIT(buf);
+        *ret = get_u16(buf);
         return (0);
 }
 
@@ -241,7 +84,7 @@ buffer_get_int_ret(u_int *ret, Buffer *buffer)
 
         if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
                 return (-1);
-        *ret = GET_32BIT(buf);
+        *ret = get_u32(buf);
         return (0);
 }
 
@@ -263,7 +106,7 @@ buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
 
         if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
                 return (-1);
-        *ret = GET_64BIT(buf);
+        *ret = get_u64(buf);
         return (0);
 }
 
@@ -286,7 +129,7 @@ buffer_put_short(Buffer *buffer, u_short value)
 {
         char buf[2];
 
-        PUT_16BIT(buf, value);
+        put_u16(buf, value);
         buffer_append(buffer, buf, 2);
 }
 
@@ -295,7 +138,7 @@ buffer_put_int(Buffer *buffer, u_int value)
 {
         char buf[4];
 
-        PUT_32BIT(buf, value);
+        put_u32(buf, value);
         buffer_append(buffer, buf, 4);
 }
 
@@ -304,7 +147,7 @@ buffer_put_int64(Buffer *buffer, u_int64_t value)
 {
         char buf[8];
 
-        PUT_64BIT(buf, value);
+        put_u64(buf, value);
         buffer_append(buffer, buf, 8);
 }
 
diff --git a/bufaux.h b/bufaux.h
deleted file mode 100644
index f5efaed3e..000000000
--- a/bufaux.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*      $OpenBSD: bufaux.h,v 1.21 2005/03/10 22:01:05 deraadt Exp $     */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef BUFAUX_H
-#define BUFAUX_H
-
-#include "buffer.h"
-#include <openssl/bn.h>
-
-void    buffer_put_bignum(Buffer *, const BIGNUM *);
-void    buffer_put_bignum2(Buffer *, const BIGNUM *);
-void    buffer_get_bignum(Buffer *, BIGNUM *);
-void    buffer_get_bignum2(Buffer *, BIGNUM *);
-
-u_short buffer_get_short(Buffer *);
-void    buffer_put_short(Buffer *, u_short);
-
-u_int   buffer_get_int(Buffer *);
-void    buffer_put_int(Buffer *, u_int);
-
-u_int64_t buffer_get_int64(Buffer *);
-void    buffer_put_int64(Buffer *, u_int64_t);
-
-int     buffer_get_char(Buffer *);
-void    buffer_put_char(Buffer *, int);
-
-void   *buffer_get_string(Buffer *, u_int *);
-void    buffer_put_string(Buffer *, const void *, u_int);
-void    buffer_put_cstring(Buffer *, const char *);
-
-#define buffer_skip_string(b) \
-    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
-
-int     buffer_put_bignum_ret(Buffer *, const BIGNUM *);
-int     buffer_get_bignum_ret(Buffer *, BIGNUM *);
-int     buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
-int     buffer_get_bignum2_ret(Buffer *, BIGNUM *);
-int     buffer_get_short_ret(u_short *, Buffer *);
-int     buffer_get_int_ret(u_int *, Buffer *);
-int     buffer_get_int64_ret(u_int64_t *, Buffer *);
-void    *buffer_get_string_ret(Buffer *, u_int *);
-int     buffer_get_char_ret(char *, Buffer *);
-
-#endif                          /* BUFAUX_H */
diff --git a/bufbn.c b/bufbn.c
new file mode 100644
index 000000000..ce8fba515
--- /dev/null
+++ b/bufbn.c
@@ -0,0 +1,221 @@
+/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Auxiliary functions for storing and retrieving various data types to/from
+ * Buffers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * SSH2 packet format added by Markus Friedl
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <openssl/bn.h>
+
+#include <string.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "log.h"
+#include "misc.h"
+
+/*
+ * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
+ * by (bits+7)/8 bytes of binary data, msb first.
+ */
+int
+buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
+{
+        int bits = BN_num_bits(value);
+        int bin_size = (bits + 7) / 8;
+        u_char *buf = xmalloc(bin_size);
+        int oi;
+        char msg[2];
+
+        /* Get the value of in binary */
+        oi = BN_bn2bin(value, buf);
+        if (oi != bin_size) {
+                error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
+                    oi, bin_size);
+                xfree(buf);
+                return (-1);
+        }
+
+        /* Store the number of bits in the buffer in two bytes, msb first. */
+        put_u16(msg, bits);
+        buffer_append(buffer, msg, 2);
+        /* Store the binary data. */
+        buffer_append(buffer, buf, oi);
+
+        memset(buf, 0, bin_size);
+        xfree(buf);
+
+        return (0);
+}
+
+void
+buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
+{
+        if (buffer_put_bignum_ret(buffer, value) == -1)
+                fatal("buffer_put_bignum: buffer error");
+}
+
+/*
+ * Retrieves a BIGNUM from the buffer.
+ */
+int
+buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
+{
+        u_int bits, bytes;
+        u_char buf[2], *bin;
+
+        /* Get the number of bits. */
+        if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
+                error("buffer_get_bignum_ret: invalid length");
+                return (-1);
+        }
+        bits = get_u16(buf);
+        /* Compute the number of binary bytes that follow. */
+        bytes = (bits + 7) / 8;
+        if (bytes > 8 * 1024) {
+                error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
+                return (-1);
+        }
+        if (buffer_len(buffer) < bytes) {
+                error("buffer_get_bignum_ret: input buffer too small");
+                return (-1);
+        }
+        bin = buffer_ptr(buffer);
+        if (BN_bin2bn(bin, bytes, value) == NULL) {
+                error("buffer_get_bignum_ret: BN_bin2bn failed");
+                return (-1);
+        }
+        if (buffer_consume_ret(buffer, bytes) == -1) {
+                error("buffer_get_bignum_ret: buffer_consume failed");
+                return (-1);
+        }
+        return (0);
+}
+
+void
+buffer_get_bignum(Buffer *buffer, BIGNUM *value)
+{
+        if (buffer_get_bignum_ret(buffer, value) == -1)
+                fatal("buffer_get_bignum: buffer error");
+}
+
+/*
+ * Stores a BIGNUM in the buffer in SSH2 format.
+ */
+int
+buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
+{
+        u_int bytes;
+        u_char *buf;
+        int oi;
+        u_int hasnohigh = 0;
+
+        if (BN_is_zero(value)) {
+                buffer_put_int(buffer, 0);
+                return 0;
+        }
+        if (value->neg) {
+                error("buffer_put_bignum2_ret: negative numbers not supported");
+                return (-1);
+        }
+        bytes = BN_num_bytes(value) + 1; /* extra padding byte */
+        if (bytes < 2) {
+                error("buffer_put_bignum2_ret: BN too small");
+                return (-1);
+        }
+        buf = xmalloc(bytes);
+        buf[0] = 0x00;
+        /* Get the value of in binary */
+        oi = BN_bn2bin(value, buf+1);
+        if (oi < 0 || (u_int)oi != bytes - 1) {
+                error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
+                    "oi %d != bin_size %d", oi, bytes);
+                xfree(buf);
+                return (-1);
+        }
+        hasnohigh = (buf[1] & 0x80) ? 0 : 1;
+        buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
+        memset(buf, 0, bytes);
+        xfree(buf);
+        return (0);
+}
+
+void
+buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
+{
+        if (buffer_put_bignum2_ret(buffer, value) == -1)
+                fatal("buffer_put_bignum2: buffer error");
+}
+
+int
+buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
+{
+        u_int len;
+        u_char *bin;
+
+        if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
+                error("buffer_get_bignum2_ret: invalid bignum");
+                return (-1);
+        }
+
+        if (len > 0 && (bin[0] & 0x80)) {
+                error("buffer_get_bignum2_ret: negative numbers not supported");
+                xfree(bin);
+                return (-1);
+        }
+        if (len > 8 * 1024) {
+                error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
+                xfree(bin);
+                return (-1);
+        }
+        if (BN_bin2bn(bin, len, value) == NULL) {
+                error("buffer_get_bignum2_ret: BN_bin2bn failed");
+                return (-1);
+        }
+        xfree(bin);
+        return (0);
+}
+
+void
+buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
+{
+        if (buffer_get_bignum2_ret(buffer, value) == -1)
+                fatal("buffer_get_bignum2: buffer error");
+}
diff --git a/buffer.c b/buffer.c
index 487e08105..e02e1e35c 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: buffer.c,v 1.31 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,12 +13,21 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
+
+#include <sys/param.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
 
+#define BUFFER_MAX_CHUNK        0x100000
+#define BUFFER_MAX_LEN          0xa00000
+#define BUFFER_ALLOCSZ          0x008000
+
 /* Initializes the buffer structure. */
 
 void
@@ -66,6 +76,23 @@ buffer_append(Buffer *buffer, const void *data, u_int len)
         memcpy(p, data, len);
 }
 
+static int
+buffer_compact(Buffer *buffer)
+{
+        /*
+         * If the buffer is quite empty, but all data is at the end, move the
+         * data to the beginning.
+         */
+        if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
+                memmove(buffer->buf, buffer->buf + buffer->offset,
+                        buffer->end - buffer->offset);
+                buffer->end -= buffer->offset;
+                buffer->offset = 0;
+                return (1);
+        }
+        return (0);
+}
+
 /*
  * Appends space to the buffer, expanding the buffer if necessary. This does
  * not actually copy the data into the buffer, but instead returns a pointer
@@ -93,29 +120,43 @@ restart:
                 buffer->end += len;
                 return p;
         }
-        /*
-         * If the buffer is quite empty, but all data is at the end, move the
-         * data to the beginning and retry.
-         */
-        if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
-                memmove(buffer->buf, buffer->buf + buffer->offset,
-                        buffer->end - buffer->offset);
-                buffer->end -= buffer->offset;
-                buffer->offset = 0;
+
+        /* Compact data back to the start of the buffer if necessary */
+        if (buffer_compact(buffer))
                 goto restart;
-        }
-        /* Increase the size of the buffer and retry. */
 
-        newlen = buffer->alloc + len + 32768;
+        /* Increase the size of the buffer and retry. */
+        newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
         if (newlen > BUFFER_MAX_LEN)
                 fatal("buffer_append_space: alloc %u not supported",
                     newlen);
-        buffer->buf = xrealloc(buffer->buf, newlen);
+        buffer->buf = xrealloc(buffer->buf, 1, newlen);
         buffer->alloc = newlen;
         goto restart;
         /* NOTREACHED */
 }
 
+/*
+ * Check whether an allocation of 'len' will fit in the buffer
+ * This must follow the same math as buffer_append_space
+ */
+int
+buffer_check_alloc(Buffer *buffer, u_int len)
+{
+        if (buffer->offset == buffer->end) {
+                buffer->offset = 0;
+                buffer->end = 0;
+        }
+ restart:
+        if (buffer->end + len < buffer->alloc)
+                return (1);
+        if (buffer_compact(buffer))
+                goto restart;
+        if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
+                return (1);
+        return (0);
+}
+
 /* Returns the number of bytes of data in the buffer. */
 
 u_int
diff --git a/buffer.h b/buffer.h
index 2b20eed52..ecc4aea83 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $      */
+/* $OpenBSD: buffer.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,9 +23,6 @@ typedef struct {
         u_int    end;           /* Offset of last byte containing data. */
 }       Buffer;
 
-#define BUFFER_MAX_CHUNK        0x100000
-#define BUFFER_MAX_LEN          0xa00000
-
 void     buffer_init(Buffer *);
 void     buffer_clear(Buffer *);
 void     buffer_free(Buffer *);
@@ -36,6 +33,8 @@ void	*buffer_ptr(Buffer *);
 void     buffer_append(Buffer *, const void *, u_int);
 void    *buffer_append_space(Buffer *, u_int);
 
+int      buffer_check_alloc(Buffer *, u_int);
+
 void     buffer_get(Buffer *, void *, u_int);
 
 void     buffer_consume(Buffer *, u_int);
@@ -47,4 +46,40 @@ int	 buffer_get_ret(Buffer *, void *, u_int);
 int      buffer_consume_ret(Buffer *, u_int);
 int      buffer_consume_end_ret(Buffer *, u_int);
 
+#include <openssl/bn.h>
+
+void    buffer_put_bignum(Buffer *, const BIGNUM *);
+void    buffer_put_bignum2(Buffer *, const BIGNUM *);
+void    buffer_get_bignum(Buffer *, BIGNUM *);
+void    buffer_get_bignum2(Buffer *, BIGNUM *);
+
+u_short buffer_get_short(Buffer *);
+void    buffer_put_short(Buffer *, u_short);
+
+u_int   buffer_get_int(Buffer *);
+void    buffer_put_int(Buffer *, u_int);
+
+u_int64_t buffer_get_int64(Buffer *);
+void    buffer_put_int64(Buffer *, u_int64_t);
+
+int     buffer_get_char(Buffer *);
+void    buffer_put_char(Buffer *, int);
+
+void   *buffer_get_string(Buffer *, u_int *);
+void    buffer_put_string(Buffer *, const void *, u_int);
+void    buffer_put_cstring(Buffer *, const char *);
+
+#define buffer_skip_string(b) \
+    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
+
+int     buffer_put_bignum_ret(Buffer *, const BIGNUM *);
+int     buffer_get_bignum_ret(Buffer *, BIGNUM *);
+int     buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
+int     buffer_get_bignum2_ret(Buffer *, BIGNUM *);
+int     buffer_get_short_ret(u_short *, Buffer *);
+int     buffer_get_int_ret(u_int *, Buffer *);
+int     buffer_get_int64_ret(u_int64_t *, Buffer *);
+void    *buffer_get_string_ret(Buffer *, u_int *);
+int     buffer_get_char_ret(char *, Buffer *);
+
 #endif                          /* BUFFER_H */
diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index cb9eb3048..8a96b9050 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -24,6 +24,7 @@ PKGNAME=OpenSSH
 # revisions within the same version (REV=a)
 #REV=
 SYSVINIT_NAME=opensshd
+AWK=${AWK:="nawk"}
 MAKE=${MAKE:="make"}
 SSHDUID=67      # Default privsep uid
 SSHDGID=67      # Default privsep gid
@@ -35,7 +36,7 @@ SSHDGID=67	# Default privsep gid
 SYSVINITSTART=S98
 SYSVINITSTOPT=K30
 # We will source these if they exist
-POST_MAKE_INSTALL_FIXES=./pkg_post_make_install_fixes.sh
+POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
 POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
 # We'll be one level deeper looking for these
 PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
@@ -46,6 +47,8 @@ PKG_REQUEST_LOCAL=../pkg-request.local
 # end of sourced files
 #
 OPENSSHD=opensshd.init
+OPENSSH_MANIFEST=openssh.xml
+OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
 
 PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
 PATH_USERADD_PROG=@PATH_USERADD_PROG@
@@ -60,6 +63,10 @@ SYSTEM_DIR="/etc	\
 /etc/rc1.d              \
 /etc/rc2.d              \
 /etc/opt                \
+/lib                    \
+/lib/svc                \
+/lib/svc/method         \
+/lib/svc/method/site    \
 /opt                    \
 /opt/bin                \
 /usr                    \
@@ -82,6 +89,9 @@ SYSTEM_DIR="/etc	\
 /var                    \
 /var/opt                \
 /var/run                \
+/var/svc                \
+/var/svc/manifest       \
+/var/svc/manifest/site  \
 /var/tmp                \
 /tmp"
 
@@ -119,6 +129,12 @@ do
         eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
 done
 
+## Are we using Solaris' SMF?
+DO_SMF=0
+if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
+then
+        DO_SMF=1
+fi
 
 ## Collect value of privsep user
 for confvar in SSH_PRIVSEP_USER
@@ -139,15 +155,22 @@ ARCH=`uname -m`
 DEF_MSG="\n"
 OS_VER=`uname -v`
 SCRIPT_SHELL=/sbin/sh
+UNAME_R=`uname -r`
 UNAME_S=`uname -s`
 case ${UNAME_S} in
         SunOS)  UNAME_S=Solaris
+                OS_VER=${UNAME_R}
                 ARCH=`uname -p`
                 RCS_D=yes
                 DEF_MSG="(default: n)"
                 ;;
-        SCO_SV) UNAME_S=OpenServer
+        SCO_SV) case ${UNAME_R} in
+                        3.2)    UNAME_S=OpenServer5
                 OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
+                                ;;
+                        5)      UNAME_S=OpenServer6
+                                ;;
+                esac
                 SCRIPT_SHELL=/bin/sh
                 RC1_D=no
                 DEF_MSG="(default: n)"
@@ -168,10 +191,26 @@ then
 fi
 
 ## Setup our run level stuff while we are at it.
-mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
+if [ $DO_SMF -eq 1 ]
+then
+        # For Solaris' SMF, /lib/svc/method/site is the preferred place
+        # for start/stop scripts that aren't supplied with the OS, and
+        # similarly /var/svc/manifest/site for manifests.
+        mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
+        mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
+
+        cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
+        chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
+
+        cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
+            > $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
+        chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
+else
+        mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
 
-cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
-chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+        cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+        chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+fi
 
 [ "${PERMIT_ROOT_LOGIN}" = no ]  &&  \
         perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
@@ -221,15 +260,22 @@ touch depend
 
 ## Build space file
 echo "Building space file..."
-cat > space << _EOF
-# extra space required by start/stop links added by installf in postinstall
+if [ $DO_SMF -eq 1 ]
+then
+        # XXX Is this necessary?  If not, remove space line from mk-proto.awk.
+        touch space
+else
+        cat > space << _EOF
+# extra space required by start/stop links added by installf 
+# in postinstall
 $TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
 $TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
 _EOF
-[ "$RC1_D" = no ]  ||  \
-echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
-[ "$RCS_D" = yes ]  &&  \
-echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
+        [ "$RC1_D" = no ]  ||  \
+        echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
+        [ "$RCS_D" = yes ]  &&  \
+        echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
+fi
 
 ## Build preinstall file
 echo "Building preinstall file..."
@@ -243,7 +289,16 @@ _EOF
 
 cat >> preinstall << _EOF
 #
-[ "\${PRE_INS_STOP}" = "yes" ]  &&  ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+if [ "\${PRE_INS_STOP}" = "yes" ]
+then
+        if [ $DO_SMF -eq 1 ] 
+        then
+                svcadm disable $OPENSSH_FMRI
+        else
+                ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+        fi
+fi
+
 exit 0
 _EOF
 
@@ -265,28 +320,40 @@ cat > postinstall << _EOF
 }
 
 # make rc?.d dirs only if we are doing a test install
-[ -n "${TEST_DIR}" ]  &&  {
+[ -n "${TEST_DIR}" ]  &&  [ $DO_SMF -ne 1 ] && {
         [ "$RCS_D" = yes ]  &&  mkdir -p ${TEST_DIR}/etc/rcS.d
         mkdir -p ${TEST_DIR}/etc/rc0.d
         [ "$RC1_D" = no ]  ||  mkdir -p ${TEST_DIR}/etc/rc1.d
         mkdir -p ${TEST_DIR}/etc/rc2.d
 }
 
-if [ "\${USE_SYM_LINKS}" = yes ]
+if [ $DO_SMF -eq 1 ]
 then
-        [ "$RCS_D" = yes ]  &&  \
-installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        [ "$RC1_D" = no ]  ||  \
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+        # Delete the existing service, if it exists, then import the 
+        # new one.
+        if svcs $OPENSSH_FMRI > /dev/null 2>&1
+        then
+                svccfg delete -f $OPENSSH_FMRI
+        fi
+        # NOTE, The manifest disables sshd by default.
+        svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
 else
-        [ "$RCS_D" = yes ]  &&  \
-installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        [ "$RC1_D" = no ]  ||  \
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        if [ "\${USE_SYM_LINKS}" = yes ]
+        then
+                [ "$RCS_D" = yes ]  &&  \
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+                [ "$RC1_D" = no ]  ||  \
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+        else
+                [ "$RCS_D" = yes ]  &&  \
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+                [ "$RC1_D" = no ]  ||  \
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+                installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        fi
 fi
 
 # If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
@@ -311,14 +378,7 @@ then
         chroot=echo
 fi
 
-if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
-then
-        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
-        echo "or group."
-else
-        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
-
-        # user required?
+        echo "PrivilegeSeparation user always required."
         if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
@@ -363,9 +423,16 @@ else
                 \$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
                 \$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
         }
-fi
 
-[ "\${POST_INS_START}" = "yes" ]  &&  ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
+if [ "\${POST_INS_START}" = "yes" ]
+then
+        if [ $DO_SMF -eq 1 ]
+        then
+                svcadm enable $OPENSSH_FMRI
+        else
+                ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
+        fi
+fi
 exit 0
 _EOF
 
@@ -374,7 +441,12 @@ echo "Building preremove file..."
 cat > preremove << _EOF
 #! ${SCRIPT_SHELL}
 #
-${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+if [ $DO_SMF -eq 1 ] 
+then
+        svcadm disable $OPENSSH_FMRI
+else
+        ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+fi
 _EOF
 
 # local preremove changes here
@@ -389,6 +461,13 @@ echo "Building postremove file..."
 cat > postremove << _EOF
 #! ${SCRIPT_SHELL}
 #
+if [ $DO_SMF -eq 1 ]
+then
+        if svcs $OPENSSH_FMRI > /dev/null 2>&1
+        then
+                svccfg delete -f $OPENSSH_FMRI
+        fi
+fi
 _EOF
 
 # local postremove changes here
@@ -408,7 +487,7 @@ _EOF
 [ -x /usr/bin/ckyorn ]  ||  cat >> request << _EOF
 
 ckyorn() {
-# for some strange reason OpenServer has no ckyorn
+# for some strange reason OpenServer5 has no ckyorn
 # We build a striped down version here
 
 DEFAULT=n
@@ -454,7 +533,45 @@ done
 
 _EOF
 
-cat >> request << _EOF
+if [ $DO_SMF -eq 1 ]
+then
+        # This could get hairy, as the running sshd may not be under SMF.
+        # We'll assume an earlier version of OpenSSH started via SMF.
+        cat >> request << _EOF
+PRE_INS_STOP=no
+POST_INS_START=no
+# determine if should restart the daemon
+if [ -s ${piddir}/sshd.pid  ] && \
+    /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
+then
+        ans=\`ckyorn -d n \
+-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
+        case \$ans in
+                [y,Y]*) PRE_INS_STOP=yes
+                        POST_INS_START=yes
+                        ;;
+        esac
+
+else
+
+# determine if we should start sshd
+        ans=\`ckyorn -d n \
+-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
+        case \$ans in
+                [y,Y]*) POST_INS_START=yes ;;
+        esac
+fi
+
+# make parameters available to installation service,
+# and so to any other packaging scripts
+cat >\$1 <<!
+PRE_INS_STOP='\$PRE_INS_STOP'
+POST_INS_START='\$POST_INS_START'
+!
+
+_EOF
+else
+        cat >> request << _EOF
 USE_SYM_LINKS=no
 PRE_INS_STOP=no
 POST_INS_START=no
@@ -495,6 +612,7 @@ POST_INS_START='\$POST_INS_START'
 !
 
 _EOF
+fi
 
 # local request changes here
 [ -s "${PKG_REQUEST_LOCAL}" ]  &&  . ${PKG_REQUEST_LOCAL}
@@ -526,7 +644,7 @@ cat >mk-proto.awk << _EOF
 _EOF
 
 find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
-        pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype
+        pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
 
 # /usr/local is a symlink on some systems
 [ "${USR_LOCAL_IS_SYMLINK}" = yes ]  &&  {
diff --git a/canohost.c b/canohost.c
index 6ca60e6b4..2345cc35c 100644
--- a/canohost.c
+++ b/canohost.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: canohost.c,v 1.61 2006/08/03 03:34:41 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,10 +13,23 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $");
 
-#include "packet.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
 #include "xmalloc.h"
+#include "packet.h"
 #include "log.h"
 #include "canohost.h"
 
@@ -43,6 +57,9 @@ get_remote_hostname(int sock, int use_dns)
                 cleanup_exit(255);
         }
 
+        if (from.ss_family == AF_INET)
+                check_ip_options(sock, ntop);
+
         ipv64_normalise_mapped(&from, &fromlen);
 
         if (from.ss_family == AF_INET6)
@@ -52,9 +69,6 @@ get_remote_hostname(int sock, int use_dns)
             NULL, 0, NI_NUMERICHOST) != 0)
                 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 
-        if (from.ss_family == AF_INET)
-                check_ip_options(sock, ntop);
-
         if (!use_dns)
                 return xstrdup(ntop);
 
@@ -87,7 +101,7 @@ get_remote_hostname(int sock, int use_dns)
          */
         for (i = 0; name[i]; i++)
                 if (isupper(name[i]))
-                        name[i] = tolower(name[i]);
+                        name[i] = (char)tolower(name[i]);
         /*
          * Map it back to an IP address and check that the given
          * address actually is an address of this host.  This is
@@ -102,7 +116,7 @@ get_remote_hostname(int sock, int use_dns)
         hints.ai_socktype = SOCK_STREAM;
         if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
                 logit("reverse mapping checking getaddrinfo for %.700s "
-                    "failed - POSSIBLE BREAK-IN ATTEMPT!", name);
+                    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
                 return xstrdup(ntop);
         }
         /* Look for the address from the list of addresses. */
diff --git a/canohost.h b/canohost.h
index df1f125e5..e33e8941b 100644
--- a/canohost.h
+++ b/canohost.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: canohost.h,v 1.8 2001/06/26 17:27:23 markus Exp $     */
+/* $OpenBSD: canohost.h,v 1.9 2006/03/25 22:22:42 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/channels.c b/channels.c
index 92448da77..530c0d460 100644
--- a/channels.c
+++ b/channels.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -39,22 +40,41 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.232 2006/01/30 12:22:22 reyk Exp $");
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/un.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "log.h"
 #include "misc.h"
+#include "buffer.h"
 #include "channels.h"
 #include "compat.h"
 #include "canohost.h"
 #include "key.h"
 #include "authfd.h"
 #include "pathnames.h"
-#include "bufaux.h"
 
 /* -- channel core */
 
@@ -91,11 +111,18 @@ typedef struct {
         u_short listen_port;            /* Remote side should listen port number. */
 } ForwardPermission;
 
-/* List of all permitted host/port pairs to connect. */
+/* List of all permitted host/port pairs to connect by the user. */
 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
 
-/* Number of permitted host/port pairs in the array. */
+/* List of all permitted host/port pairs to connect by the admin. */
+static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
+
+/* Number of permitted host/port pairs in the array permitted by the user. */
 static int num_permitted_opens = 0;
+
+/* Number of permitted host/port pair in the array permitted by the admin. */
+static int num_adm_permitted_opens = 0;
+
 /*
  * If this is true, all opens are permitted.  This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -123,7 +150,7 @@ static u_int x11_saved_data_len = 0;
  * Fake X11 authentication data.  This is what the server will be sending us;
  * we should replace any occurrences of this by the real data.
  */
-static char *x11_fake_data = NULL;
+static u_char *x11_fake_data = NULL;
 static u_int x11_fake_data_len;
 
 
@@ -168,7 +195,7 @@ channel_lookup(int id)
         if ((c = channel_by_id(id)) == NULL)
                 return (NULL);
 
-        switch(c->type) {
+        switch (c->type) {
         case SSH_CHANNEL_X11_OPEN:
         case SSH_CHANNEL_LARVAL:
         case SSH_CHANNEL_CONNECTING:
@@ -178,7 +205,6 @@ channel_lookup(int id)
         case SSH_CHANNEL_INPUT_DRAINING:
         case SSH_CHANNEL_OUTPUT_DRAINING:
                 return (c);
-                break;
         }
         logit("Non-public channel %d, type %d.", id, c->type);
         return (NULL);
@@ -188,7 +214,6 @@ channel_lookup(int id)
  * Register filedescriptors for a channel, used when allocating a channel or
  * when the channel consumer/producer is ready, e.g. shell exec'd
  */
-
 static void
 channel_register_fds(Channel *c, int rfd, int wfd, int efd,
     int extusage, int nonblock)
@@ -235,7 +260,6 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
  * Allocate a new channel object and set its type and socket. This will cause
  * remote_name to be freed.
  */
-
 Channel *
 channel_new(char *ctype, int type, int rfd, int wfd, int efd,
     u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
@@ -247,7 +271,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
         /* Do initial allocation if this is the first call. */
         if (channels_alloc == 0) {
                 channels_alloc = 10;
-                channels = xmalloc(channels_alloc * sizeof(Channel *));
+                channels = xcalloc(channels_alloc, sizeof(Channel *));
                 for (i = 0; i < channels_alloc; i++)
                         channels[i] = NULL;
         }
@@ -264,16 +288,15 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
                 if (channels_alloc > 10000)
                         fatal("channel_new: internal error: channels_alloc %d "
                             "too big.", channels_alloc);
-                channels = xrealloc(channels,
-                    (channels_alloc + 10) * sizeof(Channel *));
+                channels = xrealloc(channels, channels_alloc + 10,
+                    sizeof(Channel *));
                 channels_alloc += 10;
                 debug2("channel: expanding %d", channels_alloc);
                 for (i = found; i < channels_alloc; i++)
                         channels[i] = NULL;
         }
         /* Initialize and return new channel. */
-        c = channels[found] = xmalloc(sizeof(Channel));
-        memset(c, 0, sizeof(Channel));
+        c = channels[found] = xcalloc(1, sizeof(Channel));
         buffer_init(&c->input);
         buffer_init(&c->output);
         buffer_init(&c->extended);
@@ -337,7 +360,6 @@ channel_close_fd(int *fdp)
 }
 
 /* Close all channel fd/socket. */
-
 static void
 channel_close_fds(Channel *c)
 {
@@ -352,7 +374,6 @@ channel_close_fds(Channel *c)
 }
 
 /* Free the channel and close its fd/socket. */
-
 void
 channel_free(Channel *c)
 {
@@ -399,7 +420,6 @@ channel_free_all(void)
  * Closes the sockets/fds of all channels.  This is used to close extra file
  * descriptors after a fork.
  */
-
 void
 channel_close_all(void)
 {
@@ -413,7 +433,6 @@ channel_close_all(void)
 /*
  * Stop listening to channels.
  */
-
 void
 channel_stop_listening(void)
 {
@@ -440,7 +459,6 @@ channel_stop_listening(void)
  * Returns true if no channel has too much buffered data, and false if one or
  * more channel is overfull.
  */
-
 int
 channel_not_very_much_buffered_data(void)
 {
@@ -470,7 +488,6 @@ channel_not_very_much_buffered_data(void)
 }
 
 /* Returns true if any channel is still open. */
-
 int
 channel_still_open(void)
 {
@@ -513,7 +530,6 @@ channel_still_open(void)
 }
 
 /* Returns the id of an open channel suitable for keepaliving */
-
 int
 channel_find_open(void)
 {
@@ -558,7 +574,6 @@ channel_find_open(void)
  * suitable for sending to the client.  The message contains crlf pairs for
  * newlines.
  */
-
 char *
 channel_open_message(void)
 {
@@ -643,6 +658,7 @@ channel_request_start(int id, char *service, int wantconfirm)
         packet_put_cstring(service);
         packet_put_char(wantconfirm);
 }
+
 void
 channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
 {
@@ -655,6 +671,7 @@ channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
         c->confirm = fn;
         c->confirm_ctx = ctx;
 }
+
 void
 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
 {
@@ -667,6 +684,7 @@ channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
         c->detach_user = fn;
         c->detach_close = do_close;
 }
+
 void
 channel_cancel_cleanup(int id)
 {
@@ -679,6 +697,7 @@ channel_cancel_cleanup(int id)
         c->detach_user = NULL;
         c->detach_close = 0;
 }
+
 void
 channel_register_filter(int id, channel_infilter_fn *ifn,
     channel_outfilter_fn *ofn)
@@ -718,25 +737,27 @@ channel_set_fds(int id, int rfd, int wfd, int efd,
  * 'channel_post*': perform any appropriate operations for channels which
  * have events pending.
  */
-typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
+typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset);
 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
 
+/* ARGSUSED */
 static void
-channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset)
 {
         FD_SET(c->sock, readset);
 }
 
+/* ARGSUSED */
 static void
-channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset)
 {
         debug3("channel %d: waiting for connection", c->self);
         FD_SET(c->sock, writeset);
 }
 
 static void
-channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 {
         if (buffer_len(&c->input) < packet_get_maxsize())
                 FD_SET(c->sock, readset);
@@ -745,16 +766,14 @@ channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 }
 
 static void
-channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
         u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
-        /* check buffer limits */
-        limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
-
         if (c->istate == CHAN_INPUT_OPEN &&
             limit > 0 &&
-            buffer_len(&c->input) < limit)
+            buffer_len(&c->input) < limit &&
+            buffer_check_alloc(&c->input, CHAN_RBUF))
                 FD_SET(c->rfd, readset);
         if (c->ostate == CHAN_OUTPUT_OPEN ||
             c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
@@ -784,8 +803,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
                 FD_SET(c->ctl_fd, readset);
 }
 
+/* ARGSUSED */
 static void
-channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset)
 {
         if (buffer_len(&c->input) == 0) {
                 packet_start(SSH_MSG_CHANNEL_CLOSE);
@@ -796,8 +816,9 @@ channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
         }
 }
 
+/* ARGSUSED */
 static void
-channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset)
 {
         if (buffer_len(&c->output) == 0)
                 chan_mark_dead(c);
@@ -873,7 +894,7 @@ x11_open_helper(Buffer *b)
 }
 
 static void
-channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 {
         int ret = x11_open_helper(&c->output);
 
@@ -899,7 +920,7 @@ channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 }
 
 static void
-channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
         int ret = x11_open_helper(&c->output);
 
@@ -925,8 +946,9 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
 }
 
 /* try to decode a socks4 header */
+/* ARGSUSED */
 static int
-channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
+channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
 {
         char *p, *host;
         u_int len, have, i, found;
@@ -990,7 +1012,7 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
         s4_rsp.command = 90;                    /* cd: req granted */
         s4_rsp.dest_port = 0;                   /* ignored */
         s4_rsp.dest_addr.s_addr = INADDR_ANY;   /* ignored */
-        buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp));
+        buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp));
         return 1;
 }
 
@@ -1003,8 +1025,9 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
 #define SSH_SOCKS5_CONNECT      0x01
 #define SSH_SOCKS5_SUCCESS      0x00
 
+/* ARGSUSED */
 static int
-channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
+channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
 {
         struct {
                 u_int8_t version;
@@ -1014,7 +1037,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
         } s5_req, s5_rsp;
         u_int16_t dest_port;
         u_char *p, dest_addr[255+1];
-        u_int have, i, found, nmethods, addrlen, af;
+        u_int have, need, i, found, nmethods, addrlen, af;
 
         debug2("channel %d: decode socks5", c->self);
         p = buffer_ptr(&c->input);
@@ -1029,8 +1052,8 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
                 if (have < nmethods + 2)
                         return 0;
                 /* look for method: "NO AUTHENTICATION REQUIRED" */
-                for (found = 0, i = 2 ; i < nmethods + 2; i++) {
-                        if (p[i] == SSH_SOCKS5_NOAUTH ) {
+                for (found = 0, i = 2; i < nmethods + 2; i++) {
+                        if (p[i] == SSH_SOCKS5_NOAUTH) {
                                 found = 1;
                                 break;
                         }
@@ -1051,7 +1074,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
         debug2("channel %d: socks5 post auth", c->self);
         if (have < sizeof(s5_req)+1)
                 return 0;                       /* need more */
-        memcpy((char *)&s5_req, p, sizeof(s5_req));
+        memcpy(&s5_req, p, sizeof(s5_req));
         if (s5_req.version != 0x05 ||
             s5_req.command != SSH_SOCKS5_CONNECT ||
             s5_req.reserved != 0x00) {
@@ -1075,7 +1098,10 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
                 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
                 return -1;
         }
-        if (have < 4 + addrlen + 2)
+        need = sizeof(s5_req) + addrlen + 2;
+        if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+                need++;
+        if (have < need)
                 return 0;
         buffer_consume(&c->input, sizeof(s5_req));
         if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
@@ -1099,15 +1125,15 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
         ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
         dest_port = 0;                          /* ignored */
 
-        buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp));
-        buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr));
-        buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port));
+        buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
+        buffer_append(&c->output, &dest_addr, sizeof(struct in_addr));
+        buffer_append(&c->output, &dest_port, sizeof(dest_port));
         return 1;
 }
 
 /* dynamic port forwarding */
 static void
-channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset)
 {
         u_char *p;
         u_int have;
@@ -1150,8 +1176,9 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
 }
 
 /* This is our fake X11 server socket. */
+/* ARGSUSED */
 static void
-channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
 {
         Channel *nc;
         struct sockaddr addr;
@@ -1275,8 +1302,9 @@ channel_set_reuseaddr(int fd)
 /*
  * This socket is listening for connections to a forwarded TCP/IP port.
  */
+/* ARGSUSED */
 static void
-channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
 {
         Channel *nc;
         struct sockaddr addr;
@@ -1332,8 +1360,9 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
  * This is the authentication agent socket listening for connections from
  * clients.
  */
+/* ARGSUSED */
 static void
-channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
 {
         Channel *nc;
         int newsock;
@@ -1365,8 +1394,9 @@ channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
         }
 }
 
+/* ARGSUSED */
 static void
-channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset)
 {
         int err = 0;
         socklen_t sz = sizeof(err);
@@ -1411,18 +1441,26 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
         }
 }
 
+/* ARGSUSED */
 static int
-channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
+channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
 {
         char buf[CHAN_RBUF];
         int len;
 
         if (c->rfd != -1 &&
-            FD_ISSET(c->rfd, readset)) {
+            (c->detach_close || FD_ISSET(c->rfd, readset))) {
+                errno = 0;
                 len = read(c->rfd, buf, sizeof(buf));
-                if (len < 0 && (errno == EINTR || errno == EAGAIN))
+                if (len < 0 && (errno == EINTR ||
+                    (errno == EAGAIN && !(c->isatty && c->detach_close))))
                         return 1;
+#ifndef PTY_ZEROREAD
                 if (len <= 0) {
+#else
+                if ((!c->isatty && len <= 0) ||
+                    (c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
+#endif
                         debug2("channel %d: read<=0 rfd %d len %d",
                             c->self, c->rfd, len);
                         if (c->type != SSH_CHANNEL_OPEN) {
@@ -1451,8 +1489,10 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
         }
         return 1;
 }
+
+/* ARGSUSED */
 static int
-channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
+channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
 {
         struct termios tio;
         u_char *data = NULL, *buf;
@@ -1538,8 +1578,9 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
         }
         return 1;
 }
+
 static int
-channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
+channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
 {
         char buf[CHAN_RBUF];
         int len;
@@ -1564,11 +1605,12 @@ channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
                                 c->local_consumed += len;
                         }
                 } else if (c->extended_usage == CHAN_EXTENDED_READ &&
-                    FD_ISSET(c->efd, readset)) {
+                    (c->detach_close || FD_ISSET(c->efd, readset))) {
                         len = read(c->efd, buf, sizeof(buf));
                         debug2("channel %d: read %d from efd %d",
                             c->self, len, c->efd);
-                        if (len < 0 && (errno == EINTR || errno == EAGAIN))
+                        if (len < 0 && (errno == EINTR ||
+                            (errno == EAGAIN && !c->detach_close)))
                                 return 1;
                         if (len <= 0) {
                                 debug2("channel %d: closing read-efd %d",
@@ -1581,8 +1623,10 @@ channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
         }
         return 1;
 }
+
+/* ARGSUSED */
 static int
-channel_handle_ctl(Channel *c, fd_set * readset, fd_set * writeset)
+channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset)
 {
         char buf[16];
         int len;
@@ -1608,6 +1652,7 @@ channel_handle_ctl(Channel *c, fd_set * readset, fd_set * writeset)
         }
         return 1;
 }
+
 static int
 channel_check_window(Channel *c)
 {
@@ -1629,7 +1674,7 @@ channel_check_window(Channel *c)
 }
 
 static void
-channel_post_open(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
         if (c->delayed)
                 return;
@@ -1642,8 +1687,9 @@ channel_post_open(Channel *c, fd_set * readset, fd_set * writeset)
         channel_check_window(c);
 }
 
+/* ARGSUSED */
 static void
-channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
+channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset)
 {
         int len;
 
@@ -1760,7 +1806,7 @@ channel_garbage_collect(Channel *c)
 }
 
 static void
-channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
+channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
 {
         static int did_init = 0;
         u_int i;
@@ -1788,15 +1834,20 @@ void
 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
     u_int *nallocp, int rekeying)
 {
-        u_int n, sz;
+        u_int n, sz, nfdset;
 
         n = MAX(*maxfdp, channel_max_fd);
 
-        sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
+        nfdset = howmany(n+1, NFDBITS);
+        /* Explicitly test here, because xrealloc isn't always called */
+        if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
+                fatal("channel_prepare_select: max_fd (%d) is too large", n);
+        sz = nfdset * sizeof(fd_mask);
+
         /* perhaps check sz < nalloc/2 and shrink? */
         if (*readsetp == NULL || sz > *nallocp) {
-                *readsetp = xrealloc(*readsetp, sz);
-                *writesetp = xrealloc(*writesetp, sz);
+                *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
+                *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
                 *nallocp = sz;
         }
         *maxfdp = n;
@@ -1812,14 +1863,13 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
  * events pending.
  */
 void
-channel_after_select(fd_set * readset, fd_set * writeset)
+channel_after_select(fd_set *readset, fd_set *writeset)
 {
         channel_handler(channel_post, readset, writeset);
 }
 
 
 /* If there is data to send to the connection, enqueue some of it now. */
-
 void
 channel_output_poll(void)
 {
@@ -1940,6 +1990,7 @@ channel_output_poll(void)
 
 /* -- protocol input */
 
+/* ARGSUSED */
 void
 channel_input_data(int type, u_int32_t seq, void *ctxt)
 {
@@ -1999,6 +2050,7 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
         xfree(data);
 }
 
+/* ARGSUSED */
 void
 channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
 {
@@ -2045,6 +2097,7 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
         xfree(data);
 }
 
+/* ARGSUSED */
 void
 channel_input_ieof(int type, u_int32_t seq, void *ctxt)
 {
@@ -2068,6 +2121,7 @@ channel_input_ieof(int type, u_int32_t seq, void *ctxt)
 
 }
 
+/* ARGSUSED */
 void
 channel_input_close(int type, u_int32_t seq, void *ctxt)
 {
@@ -2106,6 +2160,7 @@ channel_input_close(int type, u_int32_t seq, void *ctxt)
 }
 
 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
+/* ARGSUSED */
 void
 channel_input_oclose(int type, u_int32_t seq, void *ctxt)
 {
@@ -2118,6 +2173,7 @@ channel_input_oclose(int type, u_int32_t seq, void *ctxt)
         chan_rcvd_oclose(c);
 }
 
+/* ARGSUSED */
 void
 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
 {
@@ -2134,6 +2190,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
         channel_free(c);
 }
 
+/* ARGSUSED */
 void
 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
 {
@@ -2181,6 +2238,7 @@ reason2txt(int reason)
         return "unknown reason";
 }
 
+/* ARGSUSED */
 void
 channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
 {
@@ -2212,6 +2270,7 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
         channel_free(c);
 }
 
+/* ARGSUSED */
 void
 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
 {
@@ -2236,6 +2295,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
         c->remote_window += adjust;
 }
 
+/* ARGSUSED */
 void
 channel_input_port_open(int type, u_int32_t seq, void *ctxt)
 {
@@ -2454,7 +2514,7 @@ channel_setup_remote_fwd_listener(const char *listen_address,
  * the secure channel to host:port from local side.
  */
 
-void
+int
 channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
     const char *host_to_connect, u_short port_to_connect)
 {
@@ -2467,11 +2527,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
         /* Send the forward request to the remote side. */
         if (compat20) {
                 const char *address_to_bind;
-                if (listen_host == NULL)
-                        address_to_bind = "localhost";
-                else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
-                        address_to_bind = "";
-                else
+                if (listen_host == NULL) {
+                        if (datafellows & SSH_BUG_RFWD_ADDR)
+                                address_to_bind = "127.0.0.1";
+                        else
+                                address_to_bind = "localhost";
+                } else if (*listen_host == '\0' ||
+                           strcmp(listen_host, "*") == 0) {
+                        if (datafellows & SSH_BUG_RFWD_ADDR)
+                                address_to_bind = "0.0.0.0";
+                        else
+                                address_to_bind = "";
+                } else
                         address_to_bind = listen_host;
 
                 packet_start(SSH2_MSG_GLOBAL_REQUEST);
@@ -2498,7 +2565,6 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
                         success = 1;
                         break;
                 case SSH_SMSG_FAILURE:
-                        logit("Warning: Server denied remote port forwarding.");
                         break;
                 default:
                         /* Unknown packet */
@@ -2512,6 +2578,7 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
                 permitted_opens[num_permitted_opens].listen_port = listen_port;
                 num_permitted_opens++;
         }
+        return (success ? 0 : -1);
 }
 
 /*
@@ -2551,13 +2618,13 @@ channel_request_rforward_cancel(const char *host, u_short port)
 /*
  * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
  * listening for the port, and sends back a success reply (or disconnect
- * message if there was an error).  This never returns if there was an error.
+ * message if there was an error).
  */
-
-void
+int
 channel_input_port_forward_request(int is_root, int gateway_ports)
 {
         u_short port, host_port;
+        int success = 0;
         char *hostname;
 
         /* Get arguments from the packet. */
@@ -2579,11 +2646,13 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
 #endif
 
         /* Initiate forwarding */
-        channel_setup_local_fwd_listener(NULL, port, hostname,
+        success = channel_setup_local_fwd_listener(NULL, port, hostname,
             host_port, gateway_ports);
 
         /* Free the argument string. */
         xfree(hostname);
+
+        return (success ? 0 : -1);
 }
 
 /*
@@ -2602,7 +2671,7 @@ void
 channel_add_permitted_opens(char *host, int port)
 {
         if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
-                fatal("channel_request_remote_forwarding: too many forwards");
+                fatal("channel_add_permitted_opens: too many forwards");
         debug("allow port forwarding to host %s port %d", host, port);
 
         permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
@@ -2612,6 +2681,19 @@ channel_add_permitted_opens(char *host, int port)
         all_opens_permitted = 0;
 }
 
+int
+channel_add_adm_permitted_opens(char *host, int port)
+{
+        if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+                fatal("channel_add_adm_permitted_opens: too many forwards");
+        debug("config allows port forwarding to host %s port %d", host, port);
+
+        permitted_adm_opens[num_adm_permitted_opens].host_to_connect
+             = xstrdup(host);
+        permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
+        return ++num_adm_permitted_opens;
+}
+
 void
 channel_clear_permitted_opens(void)
 {
@@ -2621,9 +2703,18 @@ channel_clear_permitted_opens(void)
                 if (permitted_opens[i].host_to_connect != NULL)
                         xfree(permitted_opens[i].host_to_connect);
         num_permitted_opens = 0;
-
 }
 
+void
+channel_clear_adm_permitted_opens(void)
+{
+        int i;
+
+        for (i = 0; i < num_adm_permitted_opens; i++)
+                if (permitted_adm_opens[i].host_to_connect != NULL)
+                        xfree(permitted_adm_opens[i].host_to_connect);
+        num_adm_permitted_opens = 0;
+}
 
 /* return socket to remote host, port */
 static int
@@ -2701,7 +2792,7 @@ channel_connect_by_listen_address(u_short listen_port)
 int
 channel_connect_to(const char *host, u_short port)
 {
-        int i, permit;
+        int i, permit, permit_adm = 1;
 
         permit = all_opens_permitted;
         if (!permit) {
@@ -2710,9 +2801,19 @@ channel_connect_to(const char *host, u_short port)
                             permitted_opens[i].port_to_connect == port &&
                             strcmp(permitted_opens[i].host_to_connect, host) == 0)
                                 permit = 1;
+        }
 
+        if (num_adm_permitted_opens > 0) {
+                permit_adm = 0;
+                for (i = 0; i < num_adm_permitted_opens; i++)
+                        if (permitted_adm_opens[i].host_to_connect != NULL &&
+                            permitted_adm_opens[i].port_to_connect == port &&
+                            strcmp(permitted_adm_opens[i].host_to_connect, host)
+                            == 0)
+                                permit_adm = 1;
         }
-        if (!permit) {
+
+        if (!permit || !permit_adm) {
                 logit("Received request to connect to host %.100s port %d, "
                     "but the request was denied.", host, port);
                 return -1;
@@ -2733,10 +2834,10 @@ channel_send_window_changes(void)
                 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
                         continue;
                 channel_request_start(i, "window-change", 0);
-                packet_put_int(ws.ws_col);
-                packet_put_int(ws.ws_row);
-                packet_put_int(ws.ws_xpixel);
-                packet_put_int(ws.ws_ypixel);
+                packet_put_int((u_int)ws.ws_col);
+                packet_put_int((u_int)ws.ws_row);
+                packet_put_int((u_int)ws.ws_xpixel);
+                packet_put_int((u_int)ws.ws_ypixel);
                 packet_send();
         }
 }
@@ -2848,7 +2949,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
         }
 
         /* Allocate a channel for each socket. */
-        *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
+        *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
         for (n = 0; n < num_socks; n++) {
                 sock = socks[n];
                 nc = channel_new("x11 listener",
@@ -2877,7 +2978,7 @@ connect_local_xsocket(u_int dnr)
         memset(&addr, 0, sizeof(addr));
         addr.sun_family = AF_UNIX;
         snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr);
-        if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
+        if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
                 return sock;
         close(sock);
         error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
@@ -2887,12 +2988,12 @@ connect_local_xsocket(u_int dnr)
 int
 x11_connect_display(void)
 {
-        int display_number, sock = 0;
+        u_int display_number;
         const char *display;
         char buf[1024], *cp;
         struct addrinfo hints, *ai, *aitop;
         char strport[NI_MAXSERV];
-        int gaierr;
+        int gaierr, sock = 0;
 
         /* Try to open a socket for the local X server. */
         display = getenv("DISPLAY");
@@ -2912,7 +3013,7 @@ x11_connect_display(void)
         if (strncmp(display, "unix:", 5) == 0 ||
             display[0] == ':') {
                 /* Connect to the unix domain socket. */
-                if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
+                if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
                         error("Could not parse display number from DISPLAY: %.100s",
                             display);
                         return -1;
@@ -2937,7 +3038,7 @@ x11_connect_display(void)
         }
         *cp = 0;
         /* buf now contains the host name.  But first we parse the display number. */
-        if (sscanf(cp + 1, "%d", &display_number) != 1) {
+        if (sscanf(cp + 1, "%u", &display_number) != 1) {
                 error("Could not parse display number from DISPLAY: %.100s",
                     display);
                 return -1;
@@ -2947,7 +3048,7 @@ x11_connect_display(void)
         memset(&hints, 0, sizeof(hints));
         hints.ai_family = IPv4or6;
         hints.ai_socktype = SOCK_STREAM;
-        snprintf(strport, sizeof strport, "%d", 6000 + display_number);
+        snprintf(strport, sizeof strport, "%u", 6000 + display_number);
         if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
                 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
                 return -1;
@@ -2961,7 +3062,7 @@ x11_connect_display(void)
                 }
                 /* Connect it to the display. */
                 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                        debug2("connect %.100s port %d: %.100s", buf,
+                        debug2("connect %.100s port %u: %.100s", buf,
                             6000 + display_number, strerror(errno));
                         close(sock);
                         continue;
@@ -2971,7 +3072,7 @@ x11_connect_display(void)
         }
         freeaddrinfo(aitop);
         if (!ai) {
-                error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
+                error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
                     strerror(errno));
                 return -1;
         }
@@ -2985,6 +3086,7 @@ x11_connect_display(void)
  * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
  */
 
+/* ARGSUSED */
 void
 x11_input_open(int type, u_int32_t seq, void *ctxt)
 {
@@ -3028,6 +3130,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
 }
 
 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */
+/* ARGSUSED */
 void
 deny_input_open(int type, u_int32_t seq, void *ctxt)
 {
@@ -3074,13 +3177,11 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
                 return;
         }
 
-        cp = disp;
-        if (disp)
-                cp = strchr(disp, ':');
+        cp = strchr(disp, ':');
         if (cp)
                 cp = strchr(cp, '.');
         if (cp)
-                screen_number = atoi(cp + 1);
+                screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
         else
                 screen_number = 0;
 
diff --git a/channels.h b/channels.h
index a97dd9007..2674f096e 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: channels.h,v 1.83 2005/12/30 15:56:37 reyk Exp $      */
+/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -38,8 +38,6 @@
 #ifndef CHANNEL_H
 #define CHANNEL_H
 
-#include "buffer.h"
-
 /* Definitions for channel types. */
 #define SSH_CHANNEL_X11_LISTENER        1       /* Listening for inet X11 conn. */
 #define SSH_CHANNEL_PORT_LISTENER       2       /* Listening on a port. */
@@ -207,11 +205,13 @@ int	 channel_find_open(void);
 void     channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void     channel_add_permitted_opens(char *, int);
+int      channel_add_adm_permitted_opens(char *, int);
 void     channel_clear_permitted_opens(void);
-void     channel_input_port_forward_request(int, int);
+void     channel_clear_adm_permitted_opens(void);
+int      channel_input_port_forward_request(int, int);
 int      channel_connect_to(const char *, u_short);
 int      channel_connect_by_listen_address(u_short);
-void     channel_request_remote_forwarding(const char *, u_short,
+int      channel_request_remote_forwarding(const char *, u_short,
              const char *, u_short);
 int      channel_setup_local_fwd_listener(const char *, u_short,
              const char *, u_short, int);
diff --git a/cipher-3des1.c b/cipher-3des1.c
index f815e8ae5..fc16e20d7 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: cipher-3des1.c,v 1.6 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
  *
@@ -23,9 +24,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher-3des1.c,v 1.2 2003/12/22 20:29:55 markus Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/evp.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
 #include "log.h"
 
diff --git a/cipher-acss.c b/cipher-acss.c
index a95fa6747..cb0bf736c 100644
--- a/cipher-acss.c
+++ b/cipher-acss.c
@@ -15,9 +15,10 @@
  */
 
 #include "includes.h"
+
 #include <openssl/evp.h>
 
-RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $");
+#include <string.h>
 
 #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 
diff --git a/cipher-aes.c b/cipher-aes.c
index 228ddb104..3ea594969 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -28,9 +28,13 @@
 #include "openbsd-compat/openssl-compat.h"
 
 #ifdef USE_BUILTIN_RIJNDAEL
-RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
+#include <sys/types.h>
 
 #include <openssl/evp.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "rijndael.h"
 #include "xmalloc.h"
 #include "log.h"
diff --git a/cipher-bf1.c b/cipher-bf1.c
index 64578bae8..292488c5c 100644
--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: cipher-bf1.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
  *
@@ -23,11 +24,21 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher-bf1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/evp.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
 #include "log.h"
+
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+#define SSH_OLD_EVP
+#endif
+
 /*
  * SSH1 uses a variation on Blowfish, all bytes must be swapped before
  * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 8a98f3c42..b24f3a428 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: cipher-ctr.c,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -14,12 +15,16 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
 
 #include <openssl/evp.h>
 
-#include "log.h"
 #include "xmalloc.h"
+#include "log.h"
 
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
diff --git a/cipher.c b/cipher.c
index 1434d5524..b264063c4 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,14 +36,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
+
+#include <sys/types.h>
+
+#include <openssl/md5.h>
+
+#include <string.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "log.h"
 #include "cipher.h"
 
-#include <openssl/md5.h>
-
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 
diff --git a/cipher.h b/cipher.h
index 6bb5719b0..49bbc1682 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: cipher.h,v 1.35 2004/07/28 09:40:29 markus Exp $      */
+/* $OpenBSD: cipher.h,v 1.36 2006/03/25 22:22:42 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/cleanup.c b/cleanup.c
index 11d1d4d9a..238f965e6 100644
--- a/cleanup.c
+++ b/cleanup.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -13,8 +14,13 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: cleanup.c,v 1.1 2003/09/23 20:17:11 markus Exp $");
+
+#include <sys/types.h>
+
+#include <unistd.h>
+#include <stdarg.h>
 
 #include "log.h"
 
diff --git a/clientloop.c b/clientloop.c
index 5621768b5..ae93dcdf3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -59,20 +60,43 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/param.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/socket.h>
+
+#include <ctype.h>
+#include <errno.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+#include <pwd.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
 #include "compat.h"
 #include "channels.h"
 #include "dispatch.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "readconf.h"
@@ -118,7 +142,7 @@ static volatile sig_atomic_t received_signal = 0;
 static int in_non_blocking_mode = 0;
 
 /* Common data for the client loop code. */
-static int quit_pending;        /* Set to non-zero to quit the client loop. */
+static volatile sig_atomic_t quit_pending; /* Set non-zero to quit the loop. */
 static int escape_char;         /* Escape character. */
 static int escape_pending;      /* Last character was the escape character */
 static int last_was_cr;         /* Last character was a newline. */
@@ -178,7 +202,7 @@ enter_non_blocking(void)
  * Signal handler for the window change signal (SIGWINCH).  This just sets a
  * flag indicating that the window has changed.
  */
-
+/*ARGSUSED */
 static void
 window_change_handler(int sig)
 {
@@ -190,7 +214,7 @@ window_change_handler(int sig)
  * Signal handler for signals that cause the program to terminate.  These
  * signals must be trapped to restore terminal modes.
  */
-
+/*ARGSUSED */
 static void
 signal_handler(int sig)
 {
@@ -422,10 +446,10 @@ client_check_window_change(void)
                 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
                         return;
                 packet_start(SSH_CMSG_WINDOW_SIZE);
-                packet_put_int(ws.ws_row);
-                packet_put_int(ws.ws_col);
-                packet_put_int(ws.ws_xpixel);
-                packet_put_int(ws.ws_ypixel);
+                packet_put_int((u_int)ws.ws_row);
+                packet_put_int((u_int)ws.ws_col);
+                packet_put_int((u_int)ws.ws_xpixel);
+                packet_put_int((u_int)ws.ws_ypixel);
                 packet_send();
         }
 }
@@ -441,8 +465,10 @@ static void
 server_alive_check(void)
 {
         if (compat20) {
-                if (++server_alive_timeouts > options.server_alive_count_max)
-                        packet_disconnect("Timeout, server not responding.");
+                if (++server_alive_timeouts > options.server_alive_count_max) {
+                        logit("Timeout, server not responding.");
+                        cleanup_exit(255);
+                }
                 packet_start(SSH2_MSG_GLOBAL_REQUEST);
                 packet_put_cstring("keepalive@openssh.com");
                 packet_put_char(1);     /* boolean: want reply */
@@ -574,7 +600,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
 }
 
 static void
-client_process_net_input(fd_set * readset)
+client_process_net_input(fd_set *readset)
 {
         int len;
         char buf[8192];
@@ -682,11 +708,11 @@ client_extra_session2_setup(int id, void *arg)
 }
 
 static void
-client_process_control(fd_set * readset)
+client_process_control(fd_set *readset)
 {
         Buffer m;
         Channel *c;
-        int client_fd, new_fd[3], ver, allowed;
+        int client_fd, new_fd[3], ver, allowed, window, packetmax;
         socklen_t addrlen;
         struct sockaddr_storage addr;
         struct confirm_ctx *cctx;
@@ -813,8 +839,7 @@ client_process_control(fd_set * readset)
                 return;
         }
 
-        cctx = xmalloc(sizeof(*cctx));
-        memset(cctx, 0, sizeof(*cctx));
+        cctx = xcalloc(1, sizeof(*cctx));
         cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
         cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
         cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
@@ -829,7 +854,7 @@ client_process_control(fd_set * readset)
         env_len = MIN(env_len, 4096);
         debug3("%s: receiving %d env vars", __func__, env_len);
         if (env_len != 0) {
-                cctx->env = xmalloc(sizeof(*cctx->env) * (env_len + 1));
+                cctx->env = xcalloc(env_len + 1, sizeof(*cctx->env));
                 for (i = 0; i < env_len; i++)
                         cctx->env[i] = buffer_get_string(&m, &len);
                 cctx->env[i] = NULL;
@@ -837,6 +862,7 @@ client_process_control(fd_set * readset)
 
         debug2("%s: accepted tty %d, subsys %d, cmd %s", __func__,
             cctx->want_tty, cctx->want_subsys, cmd);
+        xfree(cmd);
 
         /* Gather fds from client */
         new_fd[0] = mm_receive_fd(client_fd);
@@ -879,9 +905,15 @@ client_process_control(fd_set * readset)
 
         set_nonblock(client_fd);
 
+        window = CHAN_SES_WINDOW_DEFAULT;
+        packetmax = CHAN_SES_PACKET_DEFAULT;
+        if (cctx->want_tty) {
+                window >>= 1;
+                packetmax >>= 1;
+        }
+        
         c = channel_new("session", SSH_CHANNEL_OPENING,
-            new_fd[0], new_fd[1], new_fd[2],
-            CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
+            new_fd[0], new_fd[1], new_fd[2], window, packetmax,
             CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
 
         /* XXX */
@@ -917,12 +949,16 @@ process_cmdline(void)
 
         if (*s == 'h' || *s == 'H' || *s == '?') {
                 logit("Commands:");
-                logit("      -Lport:host:hostport    Request local forward");
-                logit("      -Rport:host:hostport    Request remote forward");
-                logit("      -KRhostport             Cancel remote forward");
+                logit("      -L[bind_address:]port:host:hostport    "
+                    "Request local forward");
+                logit("      -R[bind_address:]port:host:hostport    "
+                    "Request remote forward");
+                logit("      -KR[bind_address:]port                 "
+                    "Cancel remote forward");
                 if (!options.permit_local_command)
                         goto out;
-                logit("      !args                   Execute local command");
+                logit("      !args                                  "
+                    "Execute local command");
                 goto out;
         }
 
@@ -983,9 +1019,12 @@ process_cmdline(void)
                                 goto out;
                         }
                 } else {
-                        channel_request_remote_forwarding(fwd.listen_host,
+                        if (channel_request_remote_forwarding(fwd.listen_host,
                             fwd.listen_port, fwd.connect_host,
-                            fwd.connect_port);
+                            fwd.connect_port) < 0) {
+                                logit("Port forwarding failed.");
+                                goto out;
+                        }
                 }
 
                 logit("Forwarding port.");
@@ -1177,7 +1216,7 @@ Supported escape sequences:\r\n\
 }
 
 static void
-client_process_input(fd_set * readset)
+client_process_input(fd_set *readset)
 {
         int len;
         char buf[8192];
@@ -1230,7 +1269,7 @@ client_process_input(fd_set * readset)
 }
 
 static void
-client_process_output(fd_set * writeset)
+client_process_output(fd_set *writeset)
 {
         int len;
         char buf[100];
@@ -1731,7 +1770,7 @@ client_request_agent(const char *request_type, int rchan)
                 error("Warning: this is probably a break-in attempt by a malicious server.");
                 return NULL;
         }
-        sock =  ssh_get_authentication_socket();
+        sock = ssh_get_authentication_socket();
         if (sock < 0)
                 return NULL;
         c = channel_new("authentication agent connection",
@@ -1876,10 +1915,10 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 
                 channel_request_start(id, "pty-req", 0);
                 packet_put_cstring(term != NULL ? term : "");
-                packet_put_int(ws.ws_col);
-                packet_put_int(ws.ws_row);
-                packet_put_int(ws.ws_xpixel);
-                packet_put_int(ws.ws_ypixel);
+                packet_put_int((u_int)ws.ws_col);
+                packet_put_int((u_int)ws.ws_row);
+                packet_put_int((u_int)ws.ws_xpixel);
+                packet_put_int((u_int)ws.ws_ypixel);
                 tio = get_saved_tio();
                 tty_make_modes(-1, tiop != NULL ? tiop : &tio);
                 packet_send();
diff --git a/clientloop.h b/clientloop.h
index aed2d918b..beec62f70 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $     */
+/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,8 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <termios.h>
+
 /* Client side main loop for the interactive session. */
 int      client_loop(int, int, int);
 void     client_x11_get_proto(const char *, const char *, u_int,
diff --git a/compat.c b/compat.c
index 4086e853e..bc1131581 100644
--- a/compat.c
+++ b/compat.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -23,11 +24,16 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.71 2005/03/01 10:09:52 djm Exp $");
 
+#include <sys/types.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "buffer.h"
 #include "packet.h"
-#include "xmalloc.h"
 #include "compat.h"
 #include "log.h"
 #include "match.h"
@@ -127,7 +133,8 @@ compat_datafellows(const char *version)
                 { "2.3.*",              SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
                                         SSH_BUG_FIRSTKEX },
                 { "2.4",                SSH_OLD_SESSIONID },    /* Van Dyke */
-                { "2.*",                SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
+                { "2.*",                SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
+                                        SSH_BUG_RFWD_ADDR },
                 { "3.0.*",              SSH_BUG_DEBUG },
                 { "3.0 SecureCRT*",     SSH_OLD_SESSIONID },
                 { "1.7 SecureFX*",      SSH_OLD_SESSIONID },
diff --git a/compat.h b/compat.h
index cf92dbdee..4d8ebc908 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: compat.h,v 1.39 2005/03/01 10:09:52 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -56,6 +56,7 @@
 #define SSH_BUG_PROBE           0x00400000
 #define SSH_BUG_FIRSTKEX        0x00800000
 #define SSH_OLD_FORWARD_ADDR    0x01000000
+#define SSH_BUG_RFWD_ADDR       0x02000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
diff --git a/compress.c b/compress.c
index 0d1c7e55e..c058d2224 100644
--- a/compress.c
+++ b/compress.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: compress.c,v 1.25 2006/08/06 01:13:32 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,11 +13,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: compress.c,v 1.21 2004/01/13 19:45:15 markus Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <zlib.h>
 
 #include "log.h"
 #include "buffer.h"
-#include "zlib.h"
 #include "compress.h"
 
 z_stream incoming_stream;
diff --git a/compress.h b/compress.h
index e364f4bdc..418d6fd2c 100644
--- a/compress.h
+++ b/compress.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: compress.h,v 1.11 2002/03/04 17:27:39 stevesk Exp $   */
+/* $OpenBSD: compress.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/config.h.in b/config.h.in
index b5cfdbb2c..a913487e1 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,5 +1,9 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
+   */
+#undef AIX_GETNAMEINFO_HACK
+
 /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
 #undef AIX_LOGINFAILED_4ARG
 
@@ -190,6 +194,9 @@
 /* Define if your system uses ancillary data style file descriptor passing */
 #undef HAVE_CONTROL_IN_MSGHDR
 
+/* Define to 1 if you have the <crypto/sha2.h> header file. */
+#undef HAVE_CRYPTO_SHA2_H
+
 /* Define to 1 if you have the <crypt.h> header file. */
 #undef HAVE_CRYPT_H
 
@@ -203,6 +210,10 @@
    don't. */
 #undef HAVE_DECL_AUTHENTICATE
 
+/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you
+   don't. */
+#undef HAVE_DECL_GLOB_NOMATCH
+
 /* Define to 1 if you have the declaration of `h_errno', and to 0 if you
    don't. */
 #undef HAVE_DECL_H_ERRNO
@@ -219,6 +230,10 @@
    don't. */
 #undef HAVE_DECL_LOGINSUCCESS
 
+/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
+   don't. */
+#undef HAVE_DECL_O_NONBLOCK
+
 /* Define to 1 if you have the declaration of `passwdexpired', and to 0 if you
    don't. */
 #undef HAVE_DECL_PASSWDEXPIRED
@@ -227,6 +242,14 @@
    don't. */
 #undef HAVE_DECL_SETAUTHDB
 
+/* Define to 1 if you have the declaration of `SHUT_RD', and to 0 if you
+   don't. */
+#undef HAVE_DECL_SHUT_RD
+
+/* Define to 1 if you have the declaration of `writev', and to 0 if you don't.
+   */
+#undef HAVE_DECL_WRITEV
+
 /* Define to 1 if you have the declaration of `_getlong', and to 0 if you
    don't. */
 #undef HAVE_DECL__GETLONG
@@ -262,6 +285,9 @@
 /* Define if your system has /etc/default/login */
 #undef HAVE_ETC_DEFAULT_LOGIN
 
+/* Define to 1 if you have the `EVP_sha256' function. */
+#undef HAVE_EVP_SHA256
+
 /* Define if you have ut_exit in utmp.h */
 #undef HAVE_EXIT_IN_UTMP
 
@@ -271,6 +297,12 @@
 /* Define to 1 if you have the `fchown' function. */
 #undef HAVE_FCHOWN
 
+/* Use F_CLOSEM fcntl for closefrom */
+#undef HAVE_FCNTL_CLOSEM
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
 /* Define to 1 if you have the <features.h> header file. */
 #undef HAVE_FEATURES_H
 
@@ -334,6 +366,9 @@
 /* Define to 1 if you have the `getrusage' function. */
 #undef HAVE_GETRUSAGE
 
+/* Define to 1 if you have the `getseuserbyname' function. */
+#undef HAVE_GETSEUSERBYNAME
+
 /* Define to 1 if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
 
@@ -358,6 +393,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #undef HAVE_GETUTXLINE
 
+/* Define to 1 if you have the `get_default_context_with_level' function. */
+#undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+
 /* Define to 1 if you have the `glob' function. */
 #undef HAVE_GLOB
 
@@ -532,6 +570,9 @@
 /* Define to 1 if you have the <netgroup.h> header file. */
 #undef HAVE_NETGROUP_H
 
+/* Define to 1 if you have the <net/if_tun.h> header file. */
+#undef HAVE_NET_IF_TUN_H
+
 /* Define if you are on NeXT */
 #undef HAVE_NEXT
 
@@ -635,9 +676,6 @@
 /* Define to 1 if you have the <security/pam_appl.h> header file. */
 #undef HAVE_SECURITY_PAM_APPL_H
 
-/* Define to 1 if you have the <selinux/selinux.h> header file. */
-#undef HAVE_SELINUX_SELINUX_H
-
 /* Define to 1 if you have the `sendmsg' function. */
 #undef HAVE_SENDMSG
 
@@ -698,6 +736,12 @@
 /* Define to 1 if you have the `setvbuf' function. */
 #undef HAVE_SETVBUF
 
+/* Define to 1 if you have the `SHA256_Update' function. */
+#undef HAVE_SHA256_UPDATE
+
+/* Define to 1 if you have the <sha2.h> header file. */
+#undef HAVE_SHA2_H
+
 /* Define to 1 if you have the <shadow.h> header file. */
 #undef HAVE_SHADOW_H
 
@@ -1127,6 +1171,9 @@
 /* Location of PRNGD/EGD random number socket */
 #undef PRNGD_SOCKET
 
+/* read(1) can return 0 for a non-closed fd */
+#undef PTY_ZEROREAD
+
 /* Define if your platform breaks doing a seteuid before a setuid */
 #undef SETEUID_BREAKS_SETUID
 
@@ -1197,6 +1244,9 @@
 /* Define if you want a different $PATH for the superuser */
 #undef SUPERUSER_PATH
 
+/* syslog_r function is safe to use in in a signal handler */
+#undef SYSLOG_R_SAFE_IN_SIGHAND
+
 /* Support passwords > 8 chars */
 #undef UNIXWARE_LONG_PASSWORDS
 
@@ -1221,6 +1271,9 @@
 /* Define if you want smartcard support using OpenSC */
 #undef USE_OPENSC
 
+/* Enable OpenSSL engine support */
+#undef USE_OPENSSL_ENGINE
+
 /* Define if you want to enable PAM support */
 #undef USE_PAM
 
@@ -1233,6 +1286,9 @@
 /* platform has the Security Authorization Session API */
 #undef USE_SECURITY_SESSION_API
 
+/* Define if you have Solaris process contracts */
+#undef USE_SOLARIS_PROCESS_CONTRACTS
+
 /* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
 #undef WITH_ABBREV_NO_TTY
 
diff --git a/configure b/configure
index df330316e..ce28f0d52 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.322.2.6 .
+# From configure.ac Revision: 1.372 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for OpenSSH Portable.
 #
@@ -692,6 +692,7 @@ STARTUP_SCRIPT_SHELL
 LOGIN_PROGRAM_FALLBACK
 PATH_PASSWD_PROG
 LD
+SSHDLIBS
 LIBWRAP
 LIBEDIT
 LIBPAM
@@ -1327,20 +1328,23 @@ Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
   --without-rpath         Disable auto-added -R linker paths
-  --with-osfsia           Enable Digital Unix SIA
   --with-cflags           Specify additional flags to pass to compiler
   --with-cppflags         Specify additional flags to pass to preprocessor
   --with-ldflags          Specify additional flags to pass to linker
   --with-libs             Specify additional libraries to link with
   --with-Werror           Build main code with -Werror
+  --with-solaris-contracts Enable Solaris process contracts (experimental)
+  --with-osfsia           Enable Digital Unix SIA
   --with-zlib=PATH        Use zlib in PATH
   --without-zlib-version-check Disable zlib version check
   --with-skey[=PATH]      Enable S/Key support (optionally in PATH)
   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
-  --with-pam              Enable PAM support
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
+  --without-openssl-header-check Disable OpenSSL version consistency check
+  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
+  --with-pam              Enable PAM support
   --with-rand-helper      Use subprocess to gather strong randomness
   --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
   --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
@@ -1348,7 +1352,7 @@ Optional Packages:
   --with-privsep-user=user Specify non-privileged user for privilege separation
   --with-sectok           Enable smartcard support using libsectok
   --with-opensc[=PFX]     Enable smartcard support using OpenSC (optionally in PATH)
-  --with-selinux[=LIBSELINUX-PATH]   Enable SELinux support
+  --with-selinux   Enable SELinux support
   --with-kerberos5=PATH   Enable Kerberos 5 support
   --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
   --with-xauth=PATH       Specify path to xauth program
@@ -5477,16 +5481,597 @@ if test "${with_rpath+set}" = set; then
 fi
 
 
+# Allow user to specify flags
+
+# Check whether --with-cflags was given.
+if test "${with_cflags+set}" = set; then
+  withval=$with_cflags;
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        CFLAGS="$CFLAGS $withval"
+                fi
+
+
+fi
+
+
+# Check whether --with-cppflags was given.
+if test "${with_cppflags+set}" = set; then
+  withval=$with_cppflags;
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        CPPFLAGS="$CPPFLAGS $withval"
+                fi
+
+
+fi
+
+
+# Check whether --with-ldflags was given.
+if test "${with_ldflags+set}" = set; then
+  withval=$with_ldflags;
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        LDFLAGS="$LDFLAGS $withval"
+                fi
+
+
+fi
+
+
+# Check whether --with-libs was given.
+if test "${with_libs+set}" = set; then
+  withval=$with_libs;
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        LIBS="$LIBS $withval"
+                fi
+
+
+fi
+
+
+# Check whether --with-Werror was given.
+if test "${with_Werror+set}" = set; then
+  withval=$with_Werror;
+                if test -n "$withval"  &&  test "x$withval" != "xno"; then
+                        werror_flags="-Werror"
+                        if test "x${withval}" != "xyes"; then
+                                werror_flags="$withval"
+                        fi
+                fi
+
+
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+for ac_header in \
+        bstring.h \
+        crypt.h \
+        crypto/sha2.h \
+        dirent.h \
+        endian.h \
+        features.h \
+        fcntl.h \
+        floatingpoint.h \
+        getopt.h \
+        glob.h \
+        ia.h \
+        iaf.h \
+        limits.h \
+        login.h \
+        maillock.h \
+        ndir.h \
+        net/if_tun.h \
+        netdb.h \
+        netgroup.h \
+        pam/pam_appl.h \
+        paths.h \
+        pty.h \
+        readpassphrase.h \
+        rpc/types.h \
+        security/pam_appl.h \
+        sha2.h \
+        shadow.h \
+        stddef.h \
+        stdint.h \
+        string.h \
+        strings.h \
+        sys/audit.h \
+        sys/bitypes.h \
+        sys/bsdtty.h \
+        sys/cdefs.h \
+        sys/dir.h \
+        sys/mman.h \
+        sys/ndir.h \
+        sys/prctl.h \
+        sys/pstat.h \
+        sys/select.h \
+        sys/stat.h \
+        sys/stream.h \
+        sys/stropts.h \
+        sys/strtio.h \
+        sys/sysmacros.h \
+        sys/time.h \
+        sys/timers.h \
+        sys/un.h \
+        time.h \
+        tmpdir.h \
+        ttyent.h \
+        unistd.h \
+        usersec.h \
+        util.h \
+        utime.h \
+        utmp.h \
+        utmpx.h \
+        vis.h \
+
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+         test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    ( cat <<\_ASBOX
+## ------------------------------------------- ##
+## Report this to openssh-unix-dev@mindrot.org ##
+## ------------------------------------------- ##
+_ASBOX
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+# lastlog.h requires sys/time.h to be included first on Solaris
+
+for ac_header in lastlog.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+# sys/ptms.h requires sys/stream.h to be included first on Solaris
+
+for ac_header in sys/ptms.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#ifdef HAVE_SYS_STREAM_H
+# include <sys/stream.h>
+#endif
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+# login_cap.h requires sys/types.h on NetBSD
+
+for ac_header in login_cap.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+# Messages for features tested for in target-specific section
+SIA_MSG="no"
+SPC_MSG="no"
+
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
+        # Some versions of VAC won't allow macro redefinitions at
+        # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
+        # particularly with older versions of vac or xlc.
+        # It also throws errors about null macro argments, but these are
+        # not fatal.
+        { echo "$as_me:$LINENO: checking if compiler allows macro redefinitions" >&5
+echo $ECHO_N "checking if compiler allows macro redefinitions... $ECHO_C" >&6; }
+        cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#define testmacro foo
+#define testmacro bar
+int main(void) { exit(0); }
+
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+   { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+         { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+              CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
+              LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`"
+              CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
+              CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
         { echo "$as_me:$LINENO: checking how to specify blibpath for linker ($LD)" >&5
 echo $ECHO_N "checking how to specify blibpath for linker ($LD)... $ECHO_C" >&6; }
         if (test -z "$blibpath"); then
                 blibpath="/usr/lib:/lib"
         fi
         saved_LDFLAGS="$LDFLAGS"
-        for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+        if test "$GCC" = "yes"; then
+                flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
+        else
+                flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
+        fi
+        for tryflags in $flags ;do
                 if (test -z "$blibflags"); then
                         LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
                         cat >conftest.$ac_ext <<_ACEOF
@@ -6257,6 +6842,69 @@ _ACEOF
 fi
 done
 
+        { echo "$as_me:$LINENO: checking whether F_CLOSEM is declared" >&5
+echo $ECHO_N "checking whether F_CLOSEM is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_F_CLOSEM+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+ #include <limits.h>
+              #include <fcntl.h>
+
+
+int
+main ()
+{
+#ifndef F_CLOSEM
+  (void) F_CLOSEM;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_F_CLOSEM=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_have_decl_F_CLOSEM=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_F_CLOSEM" >&5
+echo "${ECHO_T}$ac_cv_have_decl_F_CLOSEM" >&6; }
+if test $ac_cv_have_decl_F_CLOSEM = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_FCNTL_CLOSEM 1
+_ACEOF
+
+fi
+
         check_for_aix_broken_getaddrinfo=1
 
 cat >>confdefs.h <<\_ACEOF
@@ -6298,10 +6946,15 @@ cat >>confdefs.h <<\_ACEOF
 #define SSHPAM_CHAUTHTOK_NEEDS_RUID 1
 _ACEOF
 
+
+cat >>confdefs.h <<\_ACEOF
+#define PTY_ZEROREAD 1
+_ACEOF
+
         ;;
 *-*-cygwin*)
         check_for_libcrypt_later=1
-        LIBS="$LIBS /usr/lib/textmode.o"
+        LIBS="$LIBS /usr/lib/textreadmode.o"
 
 cat >>confdefs.h <<\_ACEOF
 #define HAVE_CYGWIN 1
@@ -6433,9 +7086,24 @@ cat >>confdefs.h <<_ACEOF
 #define BIND_8_COMPAT 1
 _ACEOF
 
-        { echo "$as_me:$LINENO: checking if we have the Security Authorization Session API" >&5
+
+cat >>confdefs.h <<\_ACEOF
+#define SSH_TUN_FREEBSD 1
+_ACEOF
+
+
+cat >>confdefs.h <<\_ACEOF
+#define SSH_TUN_COMPAT_AF 1
+_ACEOF
+
+
+cat >>confdefs.h <<\_ACEOF
+#define SSH_TUN_PREPEND_AF 1
+_ACEOF
+
+        { echo "$as_me:$LINENO: checking if we have the Security Authorization Session API" >&5
 echo $ECHO_N "checking if we have the Security Authorization Session API... $ECHO_C" >&6; }
-        cat >conftest.$ac_ext <<_ACEOF
+        cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -6473,22 +7141,22 @@ cat >>confdefs.h <<\_ACEOF
 #define USE_SECURITY_SESSION_API 1
 _ACEOF
 
-                 LIBS="$LIBS -framework Security"
-                 { echo "$as_me:$LINENO: result: yes" >&5
+                 LIBS="$LIBS -framework Security"
+                 { echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6; }
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
         ac_cv_use_security_session_api="no"
-                 { echo "$as_me:$LINENO: result: no" >&5
+                 { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-        { echo "$as_me:$LINENO: checking if we have an in-memory credentials cache" >&5
+        { echo "$as_me:$LINENO: checking if we have an in-memory credentials cache" >&5
 echo $ECHO_N "checking if we have an in-memory credentials cache... $ECHO_C" >&6; }
-        cat >conftest.$ac_ext <<_ACEOF
+        cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -6499,7 +7167,7 @@ int
 main ()
 {
 cc_context_t c;
-                 (void) cc_initialize (&c, 0, NULL, NULL);
+                 (void) cc_initialize (&c, 0, NULL, NULL);
   ;
   return 0;
 }
@@ -6526,14 +7194,14 @@ cat >>confdefs.h <<\_ACEOF
 #define USE_CCAPI 1
 _ACEOF
 
-                 LIBS="$LIBS -framework Security"
-                 { echo "$as_me:$LINENO: result: yes" >&5
+                 LIBS="$LIBS -framework Security"
+                 { echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6; }
-                 if test "x$ac_cv_use_security_session_api" = "xno"; then
-                        { { echo "$as_me:$LINENO: error: *** Need a security framework to use the credentials cache API ***" >&5
+                 if test "x$ac_cv_use_security_session_api" = "xno"; then
+                        { { echo "$as_me:$LINENO: error: *** Need a security framework to use the credentials cache API ***" >&5
 echo "$as_me: error: *** Need a security framework to use the credentials cache API ***" >&2;}
    { (exit 1); exit 1; }; }
-                fi
+                fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -6544,6 +7212,9 @@ echo "${ECHO_T}no" >&6; }
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+        ;;
+*-*-dragonfly*)
+        SSHDLIBS="$SSHDLIBS -lcrypt"
         ;;
 *-*-hpux*)
         # first we define all of the options common to all HP-UX releases
@@ -7464,6 +8135,11 @@ cat >>confdefs.h <<\_ACEOF
 #define SSH_TUN_OPENBSD 1
 _ACEOF
 
+
+cat >>confdefs.h <<\_ACEOF
+#define SYSLOG_R_SAFE_IN_SIGHAND 1
+_ACEOF
+
         ;;
 *-*-solaris*)
         if test "x$withval" != "xno" ; then
@@ -7501,6 +8177,11 @@ cat >>confdefs.h <<\_ACEOF
 #define SSHD_ACQUIRES_CTTY 1
 _ACEOF
 
+
+cat >>confdefs.h <<\_ACEOF
+#define PASSWD_NEEDS_USERNAME 1
+_ACEOF
+
         external_path_file=/etc/default/login
         # hardwire lastlog location (can't detect it on some versions)
         conf_lastlog_location="/var/adm/lastlog"
@@ -7523,6 +8204,85 @@ _ACEOF
                 { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
         fi
+
+# Check whether --with-solaris-contracts was given.
+if test "${with_solaris_contracts+set}" = set; then
+  withval=$with_solaris_contracts;
+                { echo "$as_me:$LINENO: checking for ct_tmpl_activate in -lcontract" >&5
+echo $ECHO_N "checking for ct_tmpl_activate in -lcontract... $ECHO_C" >&6; }
+if test "${ac_cv_lib_contract_ct_tmpl_activate+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcontract  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ct_tmpl_activate ();
+int
+main ()
+{
+return ct_tmpl_activate ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_contract_ct_tmpl_activate=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_lib_contract_ct_tmpl_activate=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_contract_ct_tmpl_activate" >&5
+echo "${ECHO_T}$ac_cv_lib_contract_ct_tmpl_activate" >&6; }
+if test $ac_cv_lib_contract_ct_tmpl_activate = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define USE_SOLARIS_PROCESS_CONTRACTS 1
+_ACEOF
+
+                          SSHDLIBS="$SSHDLIBS -lcontract"
+
+                          SPC_MSG="yes"
+fi
+
+
+fi
+
         ;;
 *-*-sunos4*)
         CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -7826,7 +8586,6 @@ _ACEOF
         ;;
 # UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
 *-*-sysv4.2*)
-        CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
         cat >>confdefs.h <<\_ACEOF
 #define USE_PIPES 1
 _ACEOF
@@ -7889,6 +8648,10 @@ cat >>confdefs.h <<\_ACEOF
 #define BROKEN_LIBIAF 1
 _ACEOF
 
+                cat >>confdefs.h <<\_ACEOF
+#define BROKEN_UPDWTMPX 1
+_ACEOF
+
                 ;;
         *)      cat >>confdefs.h <<\_ACEOF
 #define LOCKED_PASSWD_STRING "*LK*"
@@ -8173,6 +8936,7 @@ _ACEOF
 _ACEOF
 
                         LIBS="$LIBS -lsecurity -ldb -lm -laud"
+                        SIA_MSG="yes"
                 else
                         { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -8229,6 +8993,11 @@ _ACEOF
 #define DISABLE_LASTLOG 1
 _ACEOF
 
+        cat >>confdefs.h <<\_ACEOF
+#define SSHD_ACQUIRES_CTTY 1
+_ACEOF
+
+        enable_etc_default_login=no     # has incompatible /etc/default/login
         ;;
 
 *-*-ultrix*)
@@ -8267,70 +9036,6 @@ _ACEOF
         ;;
 esac
 
-# Allow user to specify flags
-
-# Check whether --with-cflags was given.
-if test "${with_cflags+set}" = set; then
-  withval=$with_cflags;
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        CFLAGS="$CFLAGS $withval"
-                fi
-
-
-fi
-
-
-# Check whether --with-cppflags was given.
-if test "${with_cppflags+set}" = set; then
-  withval=$with_cppflags;
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        CPPFLAGS="$CPPFLAGS $withval"
-                fi
-
-
-fi
-
-
-# Check whether --with-ldflags was given.
-if test "${with_ldflags+set}" = set; then
-  withval=$with_ldflags;
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        LDFLAGS="$LDFLAGS $withval"
-                fi
-
-
-fi
-
-
-# Check whether --with-libs was given.
-if test "${with_libs+set}" = set; then
-  withval=$with_libs;
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        LIBS="$LIBS $withval"
-                fi
-
-
-fi
-
-
-# Check whether --with-Werror was given.
-if test "${with_Werror+set}" = set; then
-  withval=$with_Werror;
-                if test -n "$withval"  &&  test "x$withval" != "xno"; then
-                        werror_flags="-Werror"
-                        if test "x${withval}" != "xyes"; then
-                                werror_flags="$withval"
-                        fi
-                fi
-
-
-fi
-
-
 { echo "$as_me:$LINENO: checking compiler and flags for sanity" >&5
 echo $ECHO_N "checking compiler and flags for sanity... $ECHO_C" >&6; }
 if test "$cross_compiling" = yes; then
@@ -8390,392 +9095,6 @@ fi
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-for ac_header in \
-        bstring.h \
-        crypt.h \
-        dirent.h \
-        endian.h \
-        features.h \
-        floatingpoint.h \
-        getopt.h \
-        glob.h \
-        ia.h \
-        iaf.h \
-        limits.h \
-        login.h \
-        login_cap.h \
-        maillock.h \
-        ndir.h \
-        netdb.h \
-        netgroup.h \
-        pam/pam_appl.h \
-        paths.h \
-        pty.h \
-        readpassphrase.h \
-        rpc/types.h \
-        security/pam_appl.h \
-        shadow.h \
-        stddef.h \
-        stdint.h \
-        string.h \
-        strings.h \
-        sys/audit.h \
-        sys/bitypes.h \
-        sys/bsdtty.h \
-        sys/cdefs.h \
-        sys/dir.h \
-        sys/mman.h \
-        sys/ndir.h \
-        sys/prctl.h \
-        sys/pstat.h \
-        sys/select.h \
-        sys/stat.h \
-        sys/stream.h \
-        sys/stropts.h \
-        sys/strtio.h \
-        sys/sysmacros.h \
-        sys/time.h \
-        sys/timers.h \
-        sys/un.h \
-        time.h \
-        tmpdir.h \
-        ttyent.h \
-        unistd.h \
-        usersec.h \
-        util.h \
-        utime.h \
-        utmp.h \
-        utmpx.h \
-        vis.h \
-
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-         test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------------- ##
-## Report this to openssh-unix-dev@mindrot.org ##
-## ------------------------------------------- ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-# lastlog.h requires sys/time.h to be included first on Solaris
-
-for ac_header in lastlog.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        eval "$as_ac_Header=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-# sys/ptms.h requires sys/stream.h to be included first on Solaris
-
-for ac_header in sys/ptms.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#ifdef HAVE_SYS_STREAM_H
-# include <sys/stream.h>
-#endif
-
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        eval "$as_ac_Header=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
 # Checks for libraries.
 { echo "$as_me:$LINENO: checking for yp_match" >&5
 echo $ECHO_N "checking for yp_match... $ECHO_C" >&6; }
@@ -11141,13 +11460,32 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-                #include <glob.h>
-                int main(void){glob_t g; g.gl_matchc = 1;}
-
+ #include <glob.h>
+int
+main ()
+{
+glob_t g; g.gl_matchc = 1;
+  ;
+  return 0;
+}
 _ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "FOUNDIT" >/dev/null 2>&1; then
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
 
 
 cat >>confdefs.h <<\_ACEOF
@@ -11158,13 +11496,86 @@ _ACEOF
 echo "${ECHO_T}yes" >&6; }
 
 else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
 
                 { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 
 
 fi
-rm -f conftest*
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+{ echo "$as_me:$LINENO: checking whether GLOB_NOMATCH is declared" >&5
+echo $ECHO_N "checking whether GLOB_NOMATCH is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_GLOB_NOMATCH+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <glob.h>
+
+int
+main ()
+{
+#ifndef GLOB_NOMATCH
+  (void) GLOB_NOMATCH;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_GLOB_NOMATCH=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_have_decl_GLOB_NOMATCH=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_GLOB_NOMATCH" >&5
+echo "${ECHO_T}$ac_cv_have_decl_GLOB_NOMATCH" >&6; }
+if test $ac_cv_have_decl_GLOB_NOMATCH = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_GLOB_NOMATCH 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_GLOB_NOMATCH 0
+_ACEOF
+
+
+fi
+
 
 
 { echo "$as_me:$LINENO: checking whether struct dirent allocates space for d_name" >&5
@@ -11647,26 +12058,24 @@ echo "${ECHO_T}bsm" >&6; }
 for ac_header in bsm/audit.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
 else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_includes_default
+
+#ifdef HAVE_TIME_H
+# include <time.h>
+#endif
+
+
+
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
@@ -11686,99 +12095,19 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
          test -z "$ac_c_werror_flag" ||
          test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
+  eval "$as_ac_Header=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-        ac_header_compiler=no
+        eval "$as_ac_Header=no"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-         test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## ------------------------------------------- ##
-## Report this to openssh-unix-dev@mindrot.org ##
-## ------------------------------------------- ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
 fi
 ac_res=`eval echo '${'$as_ac_Header'}'`
                { echo "$as_me:$LINENO: result: $ac_res" >&5
 echo "${ECHO_T}$ac_res" >&6; }
-
-fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -13120,6 +13449,231 @@ fi
 
 
 
+{ echo "$as_me:$LINENO: checking whether SHUT_RD is declared" >&5
+echo $ECHO_N "checking whether SHUT_RD is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_SHUT_RD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+
+int
+main ()
+{
+#ifndef SHUT_RD
+  (void) SHUT_RD;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_SHUT_RD=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_have_decl_SHUT_RD=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_SHUT_RD" >&5
+echo "${ECHO_T}$ac_cv_have_decl_SHUT_RD" >&6; }
+if test $ac_cv_have_decl_SHUT_RD = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SHUT_RD 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SHUT_RD 0
+_ACEOF
+
+
+fi
+
+
+
+{ echo "$as_me:$LINENO: checking whether O_NONBLOCK is declared" >&5
+echo $ECHO_N "checking whether O_NONBLOCK is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_O_NONBLOCK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+
+
+int
+main ()
+{
+#ifndef O_NONBLOCK
+  (void) O_NONBLOCK;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_O_NONBLOCK=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_have_decl_O_NONBLOCK=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_O_NONBLOCK" >&5
+echo "${ECHO_T}$ac_cv_have_decl_O_NONBLOCK" >&6; }
+if test $ac_cv_have_decl_O_NONBLOCK = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_O_NONBLOCK 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_O_NONBLOCK 0
+_ACEOF
+
+
+fi
+
+
+
+{ echo "$as_me:$LINENO: checking whether writev is declared" >&5
+echo $ECHO_N "checking whether writev is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_writev+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+
+int
+main ()
+{
+#ifndef writev
+  (void) writev;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_writev=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_have_decl_writev=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_writev" >&5
+echo "${ECHO_T}$ac_cv_have_decl_writev" >&6; }
+if test $ac_cv_have_decl_writev = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_WRITEV 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_WRITEV 0
+_ACEOF
+
+
+fi
+
+
+
 
 for ac_func in setresuid
 do
@@ -15000,440 +15554,6 @@ _ACEOF
 fi
 
 
-# Check for PAM libs
-PAM_MSG="no"
-
-# Check whether --with-pam was given.
-if test "${with_pam+set}" = set; then
-  withval=$with_pam;
-                if test "x$withval" != "xno" ; then
-                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
-                                { { echo "$as_me:$LINENO: error: PAM headers not found" >&5
-echo "$as_me: error: PAM headers not found" >&2;}
-   { (exit 1); exit 1; }; }
-                        fi
-
-
-{ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char dlopen ();
-int
-main ()
-{
-return dlopen ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_dl_dlopen=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        ac_cv_lib_dl_dlopen=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
-if test $ac_cv_lib_dl_dlopen = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBDL 1
-_ACEOF
-
-  LIBS="-ldl $LIBS"
-
-fi
-
-
-{ echo "$as_me:$LINENO: checking for pam_set_item in -lpam" >&5
-echo $ECHO_N "checking for pam_set_item in -lpam... $ECHO_C" >&6; }
-if test "${ac_cv_lib_pam_pam_set_item+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpam  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pam_set_item ();
-int
-main ()
-{
-return pam_set_item ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  ac_cv_lib_pam_pam_set_item=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        ac_cv_lib_pam_pam_set_item=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_pam_set_item" >&5
-echo "${ECHO_T}$ac_cv_lib_pam_pam_set_item" >&6; }
-if test $ac_cv_lib_pam_pam_set_item = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPAM 1
-_ACEOF
-
-  LIBS="-lpam $LIBS"
-
-else
-  { { echo "$as_me:$LINENO: error: *** libpam missing" >&5
-echo "$as_me: error: *** libpam missing" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-for ac_func in pam_getenvlist
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-
-for ac_func in pam_putenv
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
-int
-main ()
-{
-return $ac_func ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext &&
-       $as_test_x conftest$ac_exeext; then
-  eval "$as_ac_var=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-
-                        PAM_MSG="yes"
-
-
-cat >>confdefs.h <<\_ACEOF
-#define USE_PAM 1
-_ACEOF
-
-                        if test $ac_cv_lib_dl_dlopen = yes; then
-                                LIBPAM="-lpam -ldl"
-                        else
-                                LIBPAM="-lpam"
-                        fi
-
-                fi
-
-
-fi
-
-
-# Check for older PAM
-if test "x$PAM_MSG" = "xyes" ; then
-        # Check PAM strerror arguments (old PAM)
-        { echo "$as_me:$LINENO: checking whether pam_strerror takes only one argument" >&5
-echo $ECHO_N "checking whether pam_strerror takes only one argument... $ECHO_C" >&6; }
-        cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#include <stdlib.h>
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-
-int
-main ()
-{
-(void)pam_strerror((pam_handle_t *)NULL, -1);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  { echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6; }
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_OLD_PAM 1
-_ACEOF
-
-                        { echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; }
-                        PAM_MSG="yes (old library)"
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-
 # Search for OpenSSL
 saved_CPPFLAGS="$CPPFLAGS"
 saved_LDFLAGS="$LDFLAGS"
@@ -15752,6 +15872,17 @@ fi
 
 
 
+
+# Check whether --with-openssl-header-check was given.
+if test "${with_openssl_header_check+set}" = set; then
+  withval=$with_openssl_header_check;   if test "x$withval" = "xno" ; then
+                openssl_check_nonfatal=1
+           fi
+
+
+fi
+
+
 # Sanity check OpenSSL headers
 { echo "$as_me:$LINENO: checking whether OpenSSL's headers match the library" >&5
 echo $ECHO_N "checking whether OpenSSL's headers match the library... $ECHO_C" >&6; }
@@ -15807,13 +15938,28 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
                 { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
-                { { echo "$as_me:$LINENO: error: Your OpenSSL headers do not match your library.
-Check config.log for details.
+                if test "x$openssl_check_nonfatal" = "x"; then
+                        { { echo "$as_me:$LINENO: error: Your OpenSSL headers do not match your
+library. Check config.log for details.
+If you are sure your installation is consistent, you can disable the check
+by running \"./configure --without-openssl-header-check\".
+Also see contrib/findssl.sh for help identifying header/library mismatches.
+" >&5
+echo "$as_me: error: Your OpenSSL headers do not match your
+library. Check config.log for details.
+If you are sure your installation is consistent, you can disable the check
+by running \"./configure --without-openssl-header-check\".
+Also see contrib/findssl.sh for help identifying header/library mismatches.
+" >&2;}
+   { (exit 1); exit 1; }; }
+                else
+                        { echo "$as_me:$LINENO: WARNING: Your OpenSSL headers do not match your
+library. Check config.log for details.
 Also see contrib/findssl.sh for help identifying header/library mismatches." >&5
-echo "$as_me: error: Your OpenSSL headers do not match your library.
-Check config.log for details.
+echo "$as_me: WARNING: Your OpenSSL headers do not match your
+library. Check config.log for details.
 Also see contrib/findssl.sh for help identifying header/library mismatches." >&2;}
-   { (exit 1); exit 1; }; }
+                fi
 
 fi
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
@@ -15821,6 +15967,170 @@ fi
 
 
 
+{ echo "$as_me:$LINENO: checking if programs using OpenSSL functions will link" >&5
+echo $ECHO_N "checking if programs using OpenSSL functions will link... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <openssl/evp.h>
+int main(void) { SSLeay_add_all_algorithms(); }
+
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+                { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+                { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+                saved_LIBS="$LIBS"
+                LIBS="$LIBS -ldl"
+                { echo "$as_me:$LINENO: checking if programs using OpenSSL need -ldl" >&5
+echo $ECHO_N "checking if programs using OpenSSL need -ldl... $ECHO_C" >&6; }
+                cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <openssl/evp.h>
+int main(void) { SSLeay_add_all_algorithms(); }
+
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+                                { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+                                { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+                                LIBS="$saved_LIBS"
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+
+
+# Check whether --with-ssl-engine was given.
+if test "${with_ssl_engine+set}" = set; then
+  withval=$with_ssl_engine;  if test "x$withval" != "xno" ; then
+                { echo "$as_me:$LINENO: checking for OpenSSL ENGINE support" >&5
+echo $ECHO_N "checking for OpenSSL ENGINE support... $ECHO_C" >&6; }
+                cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+ #include <openssl/engine.h>
+int
+main ()
+{
+
+ENGINE_load_builtin_engines();ENGINE_register_all_complete();
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+   { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define USE_OPENSSL_ENGINE 1
+_ACEOF
+
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+         { { echo "$as_me:$LINENO: error: OpenSSL ENGINE support not found" >&5
+echo "$as_me: error: OpenSSL ENGINE support not found" >&2;}
+   { (exit 1); exit 1; }; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+          fi
+
+fi
+
+
 # Check for OpenSSL without EVP_aes_{192,256}_cbc
 { echo "$as_me:$LINENO: checking whether OpenSSL has crippled AES support" >&5
 echo $ECHO_N "checking whether OpenSSL has crippled AES support... $ECHO_C" >&6; }
@@ -15836,14 +16146,14 @@ cat >>conftest.$ac_ext <<_ACEOF
 int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
 
 _ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
 eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
@@ -15852,7 +16162,8 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (exit $ac_status); } && {
          test -z "$ac_c_werror_flag" ||
          test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
                 { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
@@ -15873,7 +16184,8 @@ _ACEOF
 
 fi
 
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
 
 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
 # because the system crypt() is more featureful.
@@ -16021,6 +16333,103 @@ fi
 
 fi
 
+# Search for SHA256 support in libc and/or OpenSSL
+
+
+for ac_func in SHA256_Update EVP_sha256
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
 
 { echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5
 echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; }
@@ -16164,6 +16573,448 @@ fi
 
 
 
+# Check for PAM libs
+PAM_MSG="no"
+
+# Check whether --with-pam was given.
+if test "${with_pam+set}" = set; then
+  withval=$with_pam;
+                if test "x$withval" != "xno" ; then
+                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
+                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
+                                { { echo "$as_me:$LINENO: error: PAM headers not found" >&5
+echo "$as_me: error: PAM headers not found" >&2;}
+   { (exit 1); exit 1; }; }
+                        fi
+
+                        saved_LIBS="$LIBS"
+
+{ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_lib_dl_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBDL 1
+_ACEOF
+
+  LIBS="-ldl $LIBS"
+
+fi
+
+
+{ echo "$as_me:$LINENO: checking for pam_set_item in -lpam" >&5
+echo $ECHO_N "checking for pam_set_item in -lpam... $ECHO_C" >&6; }
+if test "${ac_cv_lib_pam_pam_set_item+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpam  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pam_set_item ();
+int
+main ()
+{
+return pam_set_item ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_pam_pam_set_item=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_cv_lib_pam_pam_set_item=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pam_pam_set_item" >&5
+echo "${ECHO_T}$ac_cv_lib_pam_pam_set_item" >&6; }
+if test $ac_cv_lib_pam_pam_set_item = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPAM 1
+_ACEOF
+
+  LIBS="-lpam $LIBS"
+
+else
+  { { echo "$as_me:$LINENO: error: *** libpam missing" >&5
+echo "$as_me: error: *** libpam missing" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+
+for ac_func in pam_getenvlist
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+for ac_func in pam_putenv
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+                        LIBS="$saved_LIBS"
+
+                        PAM_MSG="yes"
+
+                        LIBPAM="-lpam"
+
+cat >>confdefs.h <<\_ACEOF
+#define USE_PAM 1
+_ACEOF
+
+
+                        if test $ac_cv_lib_dl_dlopen = yes; then
+                                case "$LIBS" in
+                                *-ldl*)
+                                        # libdl already in LIBS
+                                        ;;
+                                *)
+                                        LIBPAM="$LIBPAM -ldl"
+                                        ;;
+                                esac
+                        fi
+
+                fi
+
+
+fi
+
+
+# Check for older PAM
+if test "x$PAM_MSG" = "xyes" ; then
+        # Check PAM strerror arguments (old PAM)
+        { echo "$as_me:$LINENO: checking whether pam_strerror takes only one argument" >&5
+echo $ECHO_N "checking whether pam_strerror takes only one argument... $ECHO_C" >&6; }
+        cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdlib.h>
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+
+int
+main ()
+{
+(void)pam_strerror((pam_handle_t *)NULL, -1);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_OLD_PAM 1
+_ACEOF
+
+                        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+                        PAM_MSG="yes (old library)"
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
 
 # Do we want to force the use of the rand helper?
 
@@ -19363,6 +20214,34 @@ cat >>conftest.$ac_ext <<_ACEOF
 #define __USE_ISOC99
 #include <limits.h>
 #define DATA "conftest.llminmax"
+#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
+
+/*
+ * printf in libc on some platforms (eg old Tru64) does not understand %lld so
+ * we do this the hard way.
+ */
+static int
+fprint_ll(FILE *f, long long n)
+{
+        unsigned int i;
+        int l[sizeof(long long) * 8];
+
+        if (n < 0)
+                if (fprintf(f, "-") < 0)
+                        return -1;
+        for (i = 0; n != 0; i++) {
+                l[i] = my_abs(n % 10);
+                n /= 10;
+        }
+        do {
+                if (fprintf(f, "%d", l[--i]) < 0)
+                        return -1;
+        } while (i != 0);
+        if (fprintf(f, " ") < 0)
+                return -1;
+        return 0;
+}
+
 int main(void) {
         FILE *f;
         long long i, llmin, llmax = 0;
@@ -19384,14 +20263,18 @@ int main(void) {
 
         /* Sanity check */
         if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
-            || llmax - 1 > llmax) {
+            || llmax - 1 > llmax || llmin == llmax || llmin == 0
+            || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
                 fprintf(f, "unknown unknown\n");
                 exit(2);
         }
 
-        if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
+        if (fprint_ll(f, llmin) < 0)
                 exit(3);
-
+        if (fprint_ll(f, llmax) < 0)
+                exit(4);
+        if (fclose(f) < 0)
+                exit(5);
         exit(0);
 }
 
@@ -19420,17 +20303,6 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
                         llong_min=`$AWK '{print $1}' conftest.llminmax`
                         llong_max=`$AWK '{print $2}' conftest.llminmax`
 
-                        # snprintf on some Tru64s doesn't understand "%lld"
-                        case "$host" in
-                        alpha-dec-osf*)
-                                if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
-                                  test "x$llong_max" = "xld"; then
-                                        llong_min="-9223372036854775808"
-                                        llong_max="9223372036854775807"
-                                fi
-                                ;;
-                        esac
-
                         { echo "$as_me:$LINENO: result: $llong_max" >&5
 echo "${ECHO_T}$llong_max" >&6; }
 
@@ -23593,7 +24465,7 @@ fi
                         LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
                         LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
                         CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-                        LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+                        LIBS="$LIBS $LIBOPENSC_LIBS"
                         cat >>confdefs.h <<\_ACEOF
 #define SMARTCARD 1
 _ACEOF
@@ -24314,37 +25186,24 @@ LIBSELINUX=""
 # Check whether --with-selinux was given.
 if test "${with_selinux+set}" = set; then
   withval=$with_selinux;  if test "x$withval" != "xno" ; then
-                if test "x$withval" != "xyes"; then
-                        CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                        if test -n "${need_dash_r}"; then
-                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-                        else
-                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-                        fi
-               fi
 
 cat >>confdefs.h <<\_ACEOF
 #define WITH_SELINUX 1
 _ACEOF
 
                 SELINUX_MSG="yes"
-
-for ac_header in selinux/selinux.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+                if test "${ac_cv_header_selinux_selinux_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for selinux/selinux.h" >&5
+echo $ECHO_N "checking for selinux/selinux.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_selinux_selinux_h+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_header_selinux_selinux_h" >&5
+echo "${ECHO_T}$ac_cv_header_selinux_selinux_h" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking selinux/selinux.h usability" >&5
+echo $ECHO_N "checking selinux/selinux.h usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -24352,7 +25211,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
-#include <$ac_header>
+#include <selinux/selinux.h>
 _ACEOF
 rm -f conftest.$ac_objext
 if { (ac_try="$ac_compile"
@@ -24384,15 +25243,15 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking selinux/selinux.h presence" >&5
+echo $ECHO_N "checking selinux/selinux.h presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <$ac_header>
+#include <selinux/selinux.h>
 _ACEOF
 if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
@@ -24425,25 +25284,25 @@ echo "${ECHO_T}$ac_header_preproc" >&6; }
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: selinux/selinux.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: selinux/selinux.h: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: selinux/selinux.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: selinux/selinux.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: selinux/selinux.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: selinux/selinux.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: selinux/selinux.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: selinux/selinux.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: selinux/selinux.h: in the future, the compiler will take precedence" >&2;}
     ( cat <<\_ASBOX
 ## ------------------------------------------- ##
 ## Report this to openssh-unix-dev@mindrot.org ##
@@ -24452,28 +25311,193 @@ _ASBOX
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+{ echo "$as_me:$LINENO: checking for selinux/selinux.h" >&5
+echo $ECHO_N "checking for selinux/selinux.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_selinux_selinux_h+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  eval "$as_ac_Header=\$ac_header_preproc"
+  ac_cv_header_selinux_selinux_h=$ac_header_preproc
 fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-               { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_header_selinux_selinux_h" >&5
+echo "${ECHO_T}$ac_cv_header_selinux_selinux_h" >&6; }
 
 fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+if test $ac_cv_header_selinux_selinux_h = yes; then
+  :
+else
+  { { echo "$as_me:$LINENO: error: SELinux support requires selinux.h header" >&5
+echo "$as_me: error: SELinux support requires selinux.h header" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+
+                { echo "$as_me:$LINENO: checking for setexeccon in -lselinux" >&5
+echo $ECHO_N "checking for setexeccon in -lselinux... $ECHO_C" >&6; }
+if test "${ac_cv_lib_selinux_setexeccon+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lselinux  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char setexeccon ();
+int
+main ()
+{
+return setexeccon ();
+  ;
+  return 0;
+}
 _ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_selinux_setexeccon=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+        ac_cv_lib_selinux_setexeccon=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_setexeccon" >&5
+echo "${ECHO_T}$ac_cv_lib_selinux_setexeccon" >&6; }
+if test $ac_cv_lib_selinux_setexeccon = yes; then
+   LIBSELINUX="-lselinux"
+else
+  { { echo "$as_me:$LINENO: error: SELinux support requires libselinux library" >&5
+echo "$as_me: error: SELinux support requires libselinux library" >&2;}
+   { (exit 1); exit 1; }; }
 fi
 
+                save_LIBS="$LIBS"
+                LIBS="$LIBS $LIBSELINUX"
+
+
+for ac_func in getseuserbyname get_default_context_with_level
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+               { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
 done
 
-                LIBSELINUX="-lselinux"
+                LIBS="$save_LIBS"
         fi
 
 fi
@@ -27187,17 +28211,10 @@ if test ! -z "$blibpath" ; then
 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
 fi
 
-if test "$PAM_MSG" = yes ; then
-        LIBS=`echo $LIBS | sed 's/-lpam //'`
-fi
-if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
-        LIBS=`echo $LIBS | sed 's/-ldl //'`
-fi
-
 CFLAGS="$CFLAGS $werror_flags"
 
 
-ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile scard/Makefile ssh_prng_cmds survey.sh"
+ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile scard/Makefile ssh_prng_cmds survey.sh"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -27756,7 +28773,9 @@ do
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
     "buildpkg.sh") CONFIG_FILES="$CONFIG_FILES buildpkg.sh" ;;
     "opensshd.init") CONFIG_FILES="$CONFIG_FILES opensshd.init" ;;
+    "openssh.xml") CONFIG_FILES="$CONFIG_FILES openssh.xml" ;;
     "openbsd-compat/Makefile") CONFIG_FILES="$CONFIG_FILES openbsd-compat/Makefile" ;;
+    "openbsd-compat/regress/Makefile") CONFIG_FILES="$CONFIG_FILES openbsd-compat/regress/Makefile" ;;
     "scard/Makefile") CONFIG_FILES="$CONFIG_FILES scard/Makefile" ;;
     "ssh_prng_cmds") CONFIG_FILES="$CONFIG_FILES ssh_prng_cmds" ;;
     "survey.sh") CONFIG_FILES="$CONFIG_FILES survey.sh" ;;
@@ -27897,6 +28916,7 @@ STARTUP_SCRIPT_SHELL!$STARTUP_SCRIPT_SHELL$ac_delim
 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
 LD!$LD$ac_delim
+SSHDLIBS!$SSHDLIBS$ac_delim
 LIBWRAP!$LIBWRAP$ac_delim
 LIBEDIT!$LIBEDIT$ac_delim
 LIBPAM!$LIBPAM$ac_delim
@@ -27917,7 +28937,6 @@ PROG_DF!$PROG_DF$ac_delim
 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
 PROG_UPTIME!$PROG_UPTIME$ac_delim
 PROG_IPCS!$PROG_IPCS$ac_delim
-PROG_TAIL!$PROG_TAIL$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -27959,6 +28978,7 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+PROG_TAIL!$PROG_TAIL$ac_delim
 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
 OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim
 LIBSELINUX!$LIBSELINUX$ac_delim
@@ -27975,7 +28995,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 14; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 15; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -28443,6 +29463,7 @@ echo "          sshd superuser user PATH: $J"
 fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
+echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
@@ -28450,6 +29471,7 @@ echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
+echo "  Solaris process contract support: $SPC_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/configure.ac b/configure.ac
index 86f0f1c41..05ccc2f7e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.322.2.6 2006/02/08 11:11:06 dtucker Exp $
+# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.322.2.6 $)
+AC_REVISION($Revision: 1.372 $)
 AC_CONFIG_SRCDIR([ssh.c])
 
 AC_CONFIG_HEADER(config.h)
@@ -127,15 +127,175 @@ AC_ARG_WITH(rpath,
         ]
 )
 
+# Allow user to specify flags
+AC_ARG_WITH(cflags,
+        [  --with-cflags           Specify additional flags to pass to compiler],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        CFLAGS="$CFLAGS $withval"
+                fi
+        ]
+)
+AC_ARG_WITH(cppflags,
+        [  --with-cppflags         Specify additional flags to pass to preprocessor] ,
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        CPPFLAGS="$CPPFLAGS $withval"
+                fi
+        ]
+)
+AC_ARG_WITH(ldflags,
+        [  --with-ldflags          Specify additional flags to pass to linker],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        LDFLAGS="$LDFLAGS $withval"
+                fi
+        ]
+)
+AC_ARG_WITH(libs,
+        [  --with-libs             Specify additional libraries to link with],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+                        LIBS="$LIBS $withval"
+                fi
+        ]
+)
+AC_ARG_WITH(Werror,
+        [  --with-Werror           Build main code with -Werror],
+        [
+                if test -n "$withval"  &&  test "x$withval" != "xno"; then
+                        werror_flags="-Werror"
+                        if test "x${withval}" != "xyes"; then
+                                werror_flags="$withval"
+                        fi
+                fi
+        ]
+)
+
+AC_CHECK_HEADERS( \
+        bstring.h \
+        crypt.h \
+        crypto/sha2.h \
+        dirent.h \
+        endian.h \
+        features.h \
+        fcntl.h \
+        floatingpoint.h \
+        getopt.h \
+        glob.h \
+        ia.h \
+        iaf.h \
+        limits.h \
+        login.h \
+        maillock.h \
+        ndir.h \
+        net/if_tun.h \
+        netdb.h \
+        netgroup.h \
+        pam/pam_appl.h \
+        paths.h \
+        pty.h \
+        readpassphrase.h \
+        rpc/types.h \
+        security/pam_appl.h \
+        sha2.h \
+        shadow.h \
+        stddef.h \
+        stdint.h \
+        string.h \
+        strings.h \
+        sys/audit.h \
+        sys/bitypes.h \
+        sys/bsdtty.h \
+        sys/cdefs.h \
+        sys/dir.h \
+        sys/mman.h \
+        sys/ndir.h \
+        sys/prctl.h \
+        sys/pstat.h \
+        sys/select.h \
+        sys/stat.h \
+        sys/stream.h \
+        sys/stropts.h \
+        sys/strtio.h \
+        sys/sysmacros.h \
+        sys/time.h \
+        sys/timers.h \
+        sys/un.h \
+        time.h \
+        tmpdir.h \
+        ttyent.h \
+        unistd.h \
+        usersec.h \
+        util.h \
+        utime.h \
+        utmp.h \
+        utmpx.h \
+        vis.h \
+)
+
+# lastlog.h requires sys/time.h to be included first on Solaris
+AC_CHECK_HEADERS(lastlog.h, [], [], [
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+])
+
+# sys/ptms.h requires sys/stream.h to be included first on Solaris
+AC_CHECK_HEADERS(sys/ptms.h, [], [], [
+#ifdef HAVE_SYS_STREAM_H
+# include <sys/stream.h>
+#endif
+])
+
+# login_cap.h requires sys/types.h on NetBSD
+AC_CHECK_HEADERS(login_cap.h, [], [], [
+#include <sys/types.h>
+])
+
+# Messages for features tested for in target-specific section
+SIA_MSG="no"
+SPC_MSG="no"
+
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
+        # Some versions of VAC won't allow macro redefinitions at
+        # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
+        # particularly with older versions of vac or xlc.
+        # It also throws errors about null macro argments, but these are
+        # not fatal.
+        AC_MSG_CHECKING(if compiler allows macro redefinitions)
+        AC_COMPILE_IFELSE(
+            [AC_LANG_SOURCE([[
+#define testmacro foo
+#define testmacro bar
+int main(void) { exit(0); }
+            ]])],
+            [ AC_MSG_RESULT(yes) ],
+            [ AC_MSG_RESULT(no)
+              CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
+              LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`"
+              CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
+              CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
+            ]
+        )
+
         AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
         if (test -z "$blibpath"); then
                 blibpath="/usr/lib:/lib"
         fi
         saved_LDFLAGS="$LDFLAGS"
-        for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+        if test "$GCC" = "yes"; then
+                flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
+        else
+                flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
+        fi
+        for tryflags in $flags ;do
                 if (test -z "$blibflags"); then
                         LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
                         AC_TRY_LINK([], [], [blibflags=$tryflags])
@@ -175,6 +335,12 @@ case "$host" in
                 [#include <usersec.h>]
         )
         AC_CHECK_FUNCS(setauthdb)
+        AC_CHECK_DECL(F_CLOSEM,
+            AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
+            [],
+            [ #include <limits.h>
+              #include <fcntl.h> ]
+        )
         check_for_aix_broken_getaddrinfo=1
         AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
         AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
@@ -190,10 +356,11 @@ case "$host" in
                 supported by bsd-setproctitle.c])
         AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
             [AIX 5.2 and 5.3 (and presumably newer) require this])
+        AC_DEFINE(PTY_ZEROREAD, 1, [read(1) can return 0 for a non-closed fd])
         ;;
 *-*-cygwin*)
         check_for_libcrypt_later=1
-        LIBS="$LIBS /usr/lib/textmode.o"
+        LIBS="$LIBS /usr/lib/textreadmode.o"
         AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
         AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
         AC_DEFINE(DISABLE_SHADOW, 1,
@@ -231,30 +398,38 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
         AC_DEFINE(BROKEN_SETREGID)
         AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
                 [Define if your resolver libs need this for getrrsetbyname])
-        AC_MSG_CHECKING(if we have the Security Authorization Session API)
-        AC_TRY_COMPILE([#include <Security/AuthSession.h>],
-                [SessionCreate(0, 0);],
-                [ac_cv_use_security_session_api="yes"
-                 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 
+        AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
+        AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
+            [Use tunnel device compatibility to OpenBSD])
+        AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
+            [Prepend the address family to IP tunnel traffic])
+        AC_MSG_CHECKING(if we have the Security Authorization Session API)
+        AC_TRY_COMPILE([#include <Security/AuthSession.h>],
+                [SessionCreate(0, 0);],
+                [ac_cv_use_security_session_api="yes"
+                 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 
                         [platform has the Security Authorization Session API])
-                 LIBS="$LIBS -framework Security"
-                 AC_MSG_RESULT(yes)],
-                [ac_cv_use_security_session_api="no"
-                 AC_MSG_RESULT(no)])
-        AC_MSG_CHECKING(if we have an in-memory credentials cache)
-        AC_TRY_COMPILE(
-                [#include <Kerberos/Kerberos.h>],
-                [cc_context_t c;
-                 (void) cc_initialize (&c, 0, NULL, NULL);],
-                [AC_DEFINE(USE_CCAPI, 1, 
+                 LIBS="$LIBS -framework Security"
+                 AC_MSG_RESULT(yes)],
+                [ac_cv_use_security_session_api="no"
+                 AC_MSG_RESULT(no)])
+        AC_MSG_CHECKING(if we have an in-memory credentials cache)
+        AC_TRY_COMPILE(
+                [#include <Kerberos/Kerberos.h>],
+                [cc_context_t c;
+                 (void) cc_initialize (&c, 0, NULL, NULL);],
+                [AC_DEFINE(USE_CCAPI, 1, 
                         [platform uses an in-memory credentials cache])
-                 LIBS="$LIBS -framework Security"
-                 AC_MSG_RESULT(yes)
-                 if test "x$ac_cv_use_security_session_api" = "xno"; then
-                        AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)
-                fi],
-                [AC_MSG_RESULT(no)]
-        )
+                 LIBS="$LIBS -framework Security"
+                 AC_MSG_RESULT(yes)
+                 if test "x$ac_cv_use_security_session_api" = "xno"; then
+                        AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)
+                fi],
+                [AC_MSG_RESULT(no)]
+        )
+        ;;
+*-*-dragonfly*)
+        SSHDLIBS="$SSHDLIBS -lcrypt"
         ;;
 *-*-hpux*)
         # first we define all of the options common to all HP-UX releases
@@ -417,6 +592,8 @@ mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
         AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
         AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
+        AC_DEFINE(SYSLOG_R_SAFE_IN_SIGHAND, 1,
+            [syslog_r function is safe to use in in a signal handler])
         ;;
 *-*-solaris*)
         if test "x$withval" != "xno" ; then
@@ -436,6 +613,8 @@ mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
                 [Define if sshd somehow reacquires a controlling TTY
                 after setsid()])
+        AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd
+                in case the name is longer than 8 chars])
         external_path_file=/etc/default/login
         # hardwire lastlog location (can't detect it on some versions)
         conf_lastlog_location="/var/adm/lastlog"
@@ -449,6 +628,17 @@ mips-sony-bsd|mips-sony-newsos4)
         else
                 AC_MSG_RESULT(no)
         fi
+        AC_ARG_WITH(solaris-contracts,
+                [  --with-solaris-contracts Enable Solaris process contracts (experimental)],
+                [
+                AC_CHECK_LIB(contract, ct_tmpl_activate,
+                        [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
+                                [Define if you have Solaris process contracts])
+                          SSHDLIBS="$SSHDLIBS -lcontract"
+                          AC_SUBST(SSHDLIBS)
+                          SPC_MSG="yes" ], )
+                ],
+        )
         ;;
 *-*-sunos4*)
         CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -486,7 +676,6 @@ mips-sony-bsd|mips-sony-newsos4)
         ;;
 # UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
 *-*-sysv4.2*)
-        CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
         AC_DEFINE(USE_PIPES)
         AC_DEFINE(SETEUID_BREAKS_SETUID)
         AC_DEFINE(BROKEN_SETREUID)
@@ -508,6 +697,7 @@ mips-sony-bsd|mips-sony-newsos4)
                 TEST_SHELL=/u95/bin/sh
                 AC_DEFINE(BROKEN_LIBIAF, 1,
                         [ia_uinfo routines not supported by OS yet])
+                AC_DEFINE(BROKEN_UPDWTMPX)
                 ;;
         *)      AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
                 ;;
@@ -597,6 +787,7 @@ mips-sony-bsd|mips-sony-newsos4)
                                 system's login() call])
                         AC_DEFINE(DISABLE_FD_PASSING)
                         LIBS="$LIBS -lsecurity -ldb -lm -laud"
+                        SIA_MSG="yes"
                 else
                         AC_MSG_RESULT(no)
                         AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
@@ -616,6 +807,8 @@ mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
         AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
         AC_DEFINE(DISABLE_LASTLOG)
+        AC_DEFINE(SSHD_ACQUIRES_CTTY)
+        enable_etc_default_login=no     # has incompatible /etc/default/login
         ;;
 
 *-*-ultrix*)
@@ -632,55 +825,6 @@ mips-sony-bsd|mips-sony-newsos4)
         ;;
 esac
 
-# Allow user to specify flags
-AC_ARG_WITH(cflags,
-        [  --with-cflags           Specify additional flags to pass to compiler],
-        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        CFLAGS="$CFLAGS $withval"
-                fi
-        ]
-)
-AC_ARG_WITH(cppflags,
-        [  --with-cppflags         Specify additional flags to pass to preprocessor] ,
-        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        CPPFLAGS="$CPPFLAGS $withval"
-                fi
-        ]
-)
-AC_ARG_WITH(ldflags,
-        [  --with-ldflags          Specify additional flags to pass to linker],
-        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        LDFLAGS="$LDFLAGS $withval"
-                fi
-        ]
-)
-AC_ARG_WITH(libs,
-        [  --with-libs             Specify additional libraries to link with],
-        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-                    test "x${withval}" != "xyes"; then
-                        LIBS="$LIBS $withval"
-                fi
-        ]
-)
-AC_ARG_WITH(Werror,
-        [  --with-Werror           Build main code with -Werror],
-        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"; then
-                        werror_flags="-Werror"
-                        if test "x${withval}" != "xyes"; then
-                                werror_flags="$withval"
-                        fi
-                fi
-        ]
-)
-
 AC_MSG_CHECKING(compiler and flags for sanity)
 AC_RUN_IFELSE(
         [AC_LANG_SOURCE([
@@ -696,79 +840,6 @@ int main(){exit(0);}
 )
 
 dnl Checks for header files.
-AC_CHECK_HEADERS( \
-        bstring.h \
-        crypt.h \
-        dirent.h \
-        endian.h \
-        features.h \
-        floatingpoint.h \
-        getopt.h \
-        glob.h \
-        ia.h \
-        iaf.h \
-        limits.h \
-        login.h \
-        login_cap.h \
-        maillock.h \
-        ndir.h \
-        netdb.h \
-        netgroup.h \
-        pam/pam_appl.h \
-        paths.h \
-        pty.h \
-        readpassphrase.h \
-        rpc/types.h \
-        security/pam_appl.h \
-        shadow.h \
-        stddef.h \
-        stdint.h \
-        string.h \
-        strings.h \
-        sys/audit.h \
-        sys/bitypes.h \
-        sys/bsdtty.h \
-        sys/cdefs.h \
-        sys/dir.h \
-        sys/mman.h \
-        sys/ndir.h \
-        sys/prctl.h \
-        sys/pstat.h \
-        sys/select.h \
-        sys/stat.h \
-        sys/stream.h \
-        sys/stropts.h \
-        sys/strtio.h \
-        sys/sysmacros.h \
-        sys/time.h \
-        sys/timers.h \
-        sys/un.h \
-        time.h \
-        tmpdir.h \
-        ttyent.h \
-        unistd.h \
-        usersec.h \
-        util.h \
-        utime.h \
-        utmp.h \
-        utmpx.h \
-        vis.h \
-)
-
-# lastlog.h requires sys/time.h to be included first on Solaris
-AC_CHECK_HEADERS(lastlog.h, [], [], [
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-])
-
-# sys/ptms.h requires sys/stream.h to be included first on Solaris
-AC_CHECK_HEADERS(sys/ptms.h, [], [], [
-#ifdef HAVE_SYS_STREAM_H
-# include <sys/stream.h>
-#endif
-])
-
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
 AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
@@ -953,11 +1024,9 @@ AC_EGREP_CPP(FOUNDIT,
 
 # Check for g.gl_matchc glob() extension
 AC_MSG_CHECKING(for gl_matchc field in glob_t)
-AC_EGREP_CPP(FOUNDIT,
-        [
-                #include <glob.h>
-                int main(void){glob_t g; g.gl_matchc = 1;}
-        ],
+AC_TRY_COMPILE(
+        [ #include <glob.h> ],
+        [glob_t g; g.gl_matchc = 1;],
         [
                 AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
                         [Define if your system glob() function has
@@ -969,6 +1038,8 @@ AC_EGREP_CPP(FOUNDIT,
         ]
 )
 
+AC_CHECK_DECLS(GLOB_NOMATCH, , , [#include <glob.h>])
+
 AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
 AC_RUN_IFELSE(
         [AC_LANG_SOURCE([[
@@ -1150,7 +1221,13 @@ AC_ARG_WITH(audit,
                 AUDIT_MODULE=bsm
                 dnl    Checks for headers, libs and functions
                 AC_CHECK_HEADERS(bsm/audit.h, [],
-                    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
+                    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)],
+                    [
+#ifdef HAVE_TIME_H
+# include <time.h>
+#endif
+                    ]
+)
                 AC_CHECK_LIB(bsm, getaudit, [],
                     [AC_MSG_ERROR(BSM enabled and required library not found)])
                 AC_CHECK_FUNCS(getaudit, [],
@@ -1296,6 +1373,29 @@ AC_CHECK_DECL(tcsendbreak,
 
 AC_CHECK_DECLS(h_errno, , ,[#include <netdb.h>])
 
+AC_CHECK_DECLS(SHUT_RD, , ,
+        [
+#include <sys/types.h>
+#include <sys/socket.h>
+        ])
+
+AC_CHECK_DECLS(O_NONBLOCK, , ,
+        [
+#include <sys/types.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+        ])
+
+AC_CHECK_DECLS(writev, , , [
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+        ])
+
 AC_CHECK_FUNCS(setresuid, [
         dnl Some platorms have setresuid that isn't implemented, test for this
         AC_MSG_CHECKING(if setresuid seems to work)
@@ -1666,61 +1766,6 @@ fi
 
 AC_FUNC_GETPGRP
 
-# Check for PAM libs
-PAM_MSG="no"
-AC_ARG_WITH(pam,
-        [  --with-pam              Enable PAM support ],
-        [
-                if test "x$withval" != "xno" ; then
-                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
-                                AC_MSG_ERROR([PAM headers not found])
-                        fi
-
-                        AC_CHECK_LIB(dl, dlopen, , )
-                        AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
-                        AC_CHECK_FUNCS(pam_getenvlist)
-                        AC_CHECK_FUNCS(pam_putenv)
-
-                        PAM_MSG="yes"
-
-                        AC_DEFINE(USE_PAM, 1,
-                                [Define if you want to enable PAM support])
-                        if test $ac_cv_lib_dl_dlopen = yes; then
-                                LIBPAM="-lpam -ldl"
-                        else
-                                LIBPAM="-lpam"
-                        fi
-                        AC_SUBST(LIBPAM)
-                fi
-        ]
-)
-
-# Check for older PAM
-if test "x$PAM_MSG" = "xyes" ; then
-        # Check PAM strerror arguments (old PAM)
-        AC_MSG_CHECKING([whether pam_strerror takes only one argument])
-        AC_TRY_COMPILE(
-                [
-#include <stdlib.h>
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-                ],
-                [(void)pam_strerror((pam_handle_t *)NULL, -1);],
-                [AC_MSG_RESULT(no)],
-                [
-                        AC_DEFINE(HAVE_OLD_PAM, 1,
-                                [Define if you have an old version of PAM
-                                which takes only one argument to pam_strerror])
-                        AC_MSG_RESULT(yes)
-                        PAM_MSG="yes (old library)"
-                ]
-        )
-fi
-
 # Search for OpenSSL
 saved_CPPFLAGS="$CPPFLAGS"
 saved_LDFLAGS="$LDFLAGS"
@@ -1844,6 +1889,14 @@ int main(void) {
         ]
 )
 
+AC_ARG_WITH(openssl-header-check,
+        [  --without-openssl-header-check Disable OpenSSL version consistency check],
+        [  if test "x$withval" = "xno" ; then
+                openssl_check_nonfatal=1
+           fi
+        ]
+)
+
 # Sanity check OpenSSL headers
 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
 AC_RUN_IFELSE(
@@ -1857,18 +1910,75 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
         ],
         [
                 AC_MSG_RESULT(no)
-                AC_MSG_ERROR([Your OpenSSL headers do not match your library.
-Check config.log for details.
+                if test "x$openssl_check_nonfatal" = "x"; then
+                        AC_MSG_ERROR([Your OpenSSL headers do not match your
+library. Check config.log for details.
+If you are sure your installation is consistent, you can disable the check
+by running "./configure --without-openssl-header-check".
+Also see contrib/findssl.sh for help identifying header/library mismatches.
+])
+                else
+                        AC_MSG_WARN([Your OpenSSL headers do not match your
+library. Check config.log for details.
 Also see contrib/findssl.sh for help identifying header/library mismatches.])
+                fi
         ],
         [
                 AC_MSG_WARN([cross compiling: not checking])
         ]
 )
 
+AC_MSG_CHECKING([if programs using OpenSSL functions will link])
+AC_LINK_IFELSE(
+        [AC_LANG_SOURCE([[
+#include <openssl/evp.h>
+int main(void) { SSLeay_add_all_algorithms(); }
+        ]])],
+        [
+                AC_MSG_RESULT(yes)
+        ],
+        [
+                AC_MSG_RESULT(no)
+                saved_LIBS="$LIBS"
+                LIBS="$LIBS -ldl"
+                AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
+                AC_LINK_IFELSE(
+                        [AC_LANG_SOURCE([[
+#include <openssl/evp.h>
+int main(void) { SSLeay_add_all_algorithms(); }
+                        ]])],
+                        [
+                                AC_MSG_RESULT(yes)
+                        ],
+                        [
+                                AC_MSG_RESULT(no)
+                                LIBS="$saved_LIBS"
+                        ]
+                )
+        ]
+)
+
+AC_ARG_WITH(ssl-engine,
+        [  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
+        [ if test "x$withval" != "xno" ; then
+                AC_MSG_CHECKING(for OpenSSL ENGINE support)
+                AC_TRY_COMPILE(
+                        [ #include <openssl/engine.h>],
+                        [
+ENGINE_load_builtin_engines();ENGINE_register_all_complete();
+                        ],
+                        [ AC_MSG_RESULT(yes)
+                          AC_DEFINE(USE_OPENSSL_ENGINE, 1,
+                             [Enable OpenSSL engine support])
+                        ],
+                        [ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
+                )
+          fi ]
+)
+
 # Check for OpenSSL without EVP_aes_{192,256}_cbc
 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
-AC_COMPILE_IFELSE(
+AC_LINK_IFELSE(
         [AC_LANG_SOURCE([[
 #include <string.h>
 #include <openssl/evp.h>
@@ -1896,6 +2006,9 @@ if test "x$check_for_libcrypt_later" = "x1"; then
         AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
 fi
 
+# Search for SHA256 support in libc and/or OpenSSL
+AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
+
 AC_CHECK_LIB(iaf, ia_openinfo)
 
 ### Configure cryptographic random number support
@@ -1926,6 +2039,69 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
         ]
 )
 
+# Check for PAM libs
+PAM_MSG="no"
+AC_ARG_WITH(pam,
+        [  --with-pam              Enable PAM support ],
+        [
+                if test "x$withval" != "xno" ; then
+                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
+                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
+                                AC_MSG_ERROR([PAM headers not found])
+                        fi
+
+                        saved_LIBS="$LIBS"
+                        AC_CHECK_LIB(dl, dlopen, , )
+                        AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
+                        AC_CHECK_FUNCS(pam_getenvlist)
+                        AC_CHECK_FUNCS(pam_putenv)
+                        LIBS="$saved_LIBS"
+
+                        PAM_MSG="yes"
+
+                        LIBPAM="-lpam"
+                        AC_DEFINE(USE_PAM, 1,
+                                [Define if you want to enable PAM support])
+
+                        if test $ac_cv_lib_dl_dlopen = yes; then
+                                case "$LIBS" in
+                                *-ldl*)
+                                        # libdl already in LIBS
+                                        ;;
+                                *)
+                                        LIBPAM="$LIBPAM -ldl"
+                                        ;;
+                                esac
+                        fi
+                        AC_SUBST(LIBPAM)
+                fi
+        ]
+)
+
+# Check for older PAM
+if test "x$PAM_MSG" = "xyes" ; then
+        # Check PAM strerror arguments (old PAM)
+        AC_MSG_CHECKING([whether pam_strerror takes only one argument])
+        AC_TRY_COMPILE(
+                [
+#include <stdlib.h>
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+                ],
+                [(void)pam_strerror((pam_handle_t *)NULL, -1);],
+                [AC_MSG_RESULT(no)],
+                [
+                        AC_DEFINE(HAVE_OLD_PAM, 1,
+                                [Define if you have an old version of PAM
+                                which takes only one argument to pam_strerror])
+                        AC_MSG_RESULT(yes)
+                        PAM_MSG="yes (old library)"
+                ]
+        )
+fi
 
 # Do we want to force the use of the rand helper?
 AC_ARG_WITH(rand-helper,
@@ -2145,6 +2321,34 @@ if test -z "$have_llong_max"; then
 #define __USE_ISOC99
 #include <limits.h>
 #define DATA "conftest.llminmax"
+#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
+
+/*
+ * printf in libc on some platforms (eg old Tru64) does not understand %lld so
+ * we do this the hard way.
+ */
+static int
+fprint_ll(FILE *f, long long n)
+{
+        unsigned int i;
+        int l[sizeof(long long) * 8];
+
+        if (n < 0)
+                if (fprintf(f, "-") < 0)
+                        return -1;
+        for (i = 0; n != 0; i++) {
+                l[i] = my_abs(n % 10);
+                n /= 10;
+        }
+        do {
+                if (fprintf(f, "%d", l[--i]) < 0)
+                        return -1;
+        } while (i != 0);
+        if (fprintf(f, " ") < 0)
+                return -1;
+        return 0;
+}
+
 int main(void) {
         FILE *f;
         long long i, llmin, llmax = 0;
@@ -2166,14 +2370,18 @@ int main(void) {
 
         /* Sanity check */
         if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
-            || llmax - 1 > llmax) {
+            || llmax - 1 > llmax || llmin == llmax || llmin == 0
+            || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
                 fprintf(f, "unknown unknown\n");
                 exit(2);
         }
 
-        if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
+        if (fprint_ll(f, llmin) < 0)
                 exit(3);
-
+        if (fprint_ll(f, llmax) < 0)
+                exit(4);
+        if (fclose(f) < 0)
+                exit(5);
         exit(0);
 }
                 ]])],
@@ -2181,17 +2389,6 @@ int main(void) {
                         llong_min=`$AWK '{print $1}' conftest.llminmax`
                         llong_max=`$AWK '{print $2}' conftest.llminmax`
 
-                        # snprintf on some Tru64s doesn't understand "%lld"
-                        case "$host" in
-                        alpha-dec-osf*)
-                                if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
-                                  test "x$llong_max" = "xld"; then
-                                        llong_min="-9223372036854775808"
-                                        llong_max="9223372036854775807"
-                                fi
-                                ;;
-                        esac
-
                         AC_MSG_RESULT($llong_max)
                         AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
                             [max value of long long calculated by configure])
@@ -2937,7 +3134,7 @@ AC_ARG_WITH(opensc,
                         LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
                         LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
                         CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-                        LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+                        LIBS="$LIBS $LIBOPENSC_LIBS"
                         AC_DEFINE(SMARTCARD)
                         AC_DEFINE(USE_OPENSC, 1,
                                 [Define if you want smartcard support
@@ -2989,22 +3186,20 @@ int main()
 SELINUX_MSG="no"
 LIBSELINUX=""
 AC_ARG_WITH(selinux,
-        [  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
+        [  --with-selinux   Enable SELinux support],
         [ if test "x$withval" != "xno" ; then
-                if test "x$withval" != "xyes"; then
-                        CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                        if test -n "${need_dash_r}"; then
-                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-                        else
-                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-                        fi
-               fi 
                 AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
                 SELINUX_MSG="yes"
-                AC_CHECK_HEADERS(selinux/selinux.h)
-                LIBSELINUX="-lselinux"
-        fi
-        ])
+                AC_CHECK_HEADER([selinux/selinux.h], ,
+                    AC_MSG_ERROR(SELinux support requires selinux.h header))
+                AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
+                    AC_MSG_ERROR(SELinux support requires libselinux library))
+                save_LIBS="$LIBS"
+                LIBS="$LIBS $LIBSELINUX"
+                AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+                LIBS="$save_LIBS"
+        fi ]
+)
 AC_SUBST(LIBSELINUX)
 
 # Check whether user wants Kerberos 5 support
@@ -3769,20 +3964,13 @@ if test ! -z "$blibpath" ; then
         AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
 fi
 
-dnl remove pam and dl because they are in $LIBPAM
-if test "$PAM_MSG" = yes ; then
-        LIBS=`echo $LIBS | sed 's/-lpam //'`
-fi
-if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
-        LIBS=`echo $LIBS | sed 's/-ldl //'`
-fi
-
 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
 dnl Add now.
 CFLAGS="$CFLAGS $werror_flags"
 
 AC_EXEEXT
-AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
+AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
+        openbsd-compat/Makefile openbsd-compat/regress/Makefile \
         scard/Makefile ssh_prng_cmds survey.sh])
 AC_OUTPUT
 
@@ -3824,6 +4012,7 @@ echo "          sshd superuser user PATH: $J"
 fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       PAM support: $PAM_MSG"
+echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
@@ -3831,6 +4020,7 @@ echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
+echo "  Solaris process contract support: $SPC_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 09b9c118c..97a7cbbba 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $
+# $Id: buildbff.sh,v 1.10 2006/09/10 03:24:19 dtucker Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -23,6 +23,8 @@ umask 022
 
 startdir=`pwd`
 
+perl -v >/dev/null || (echo perl required; exit 1)
+
 # Path to inventory.sh: same place as buildbff.sh
 if  echo $0 | egrep '^/'
 then
@@ -200,33 +202,29 @@ do
 done
 echo
 
-# Create PrivSep user if PrivSep not disabled in config
-echo Creating PrivSep prereqs if required.
-if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+# Create PrivilegeSeparation user and group if not present
+echo Checking for PrivilegeSeparation user and group.
+if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
 then
-        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user,"
-        echo "group or chroot directory."
+        echo "PrivSep group $SSH_PRIVSEP_USER already exists."
 else
-        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
-
-        # create group if required
-        if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
-        then
-                echo "PrivSep group $SSH_PRIVSEP_USER already exists."
-        else
-                echo "Creating PrivSep group $SSH_PRIVSEP_USER."
-                mkgroup -A $SSH_PRIVSEP_USER
-        fi
+        echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+        mkgroup -A $SSH_PRIVSEP_USER
+fi
 
-        # Create user if required
-        if lsuser "$SSH_PRIVSEP_USER" >/dev/null
-        then
-                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
-        else
-                echo "Creating PrivSep user $SSH_PRIVSEP_USER."
-                mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
-        fi
+# Create user if required
+if lsuser "$SSH_PRIVSEP_USER" >/dev/null
+then
+        echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+else
+        echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+        mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
+fi
 
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+then
+        echo UsePrivilegeSeparation not enabled, privsep directory not required.
+else
         # create chroot directory if required
         if [ -d $PRIVSEP_PATH ]
         then
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 09c08f194..3d756eb7f 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       4.3p2
+  %define version       4.6p1
   %define cvs           %{nil}
   %define release       1
 %else
@@ -357,4 +357,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.56.2.1 2006/02/11 00:00:45 djm Exp $
+$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 0540890e6..e2ad69f19 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -153,22 +153,31 @@ fi
 
 # Create /var/log and /var/log/lastlog if not already existing
 
-if [ -f ${LOCALSTATEDIR}/log ]
+if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
 then
-  echo "Creating ${LOCALSTATEDIR}/log failed!"
-else
-  if [ ! -d ${LOCALSTATEDIR}/log ]
-  then
-    mkdir -p ${LOCALSTATEDIR}/log
-  fi
-  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
-  then
-    chmod 777 ${LOCALSTATEDIR}/log/lastlog
-  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
-  then
-    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
-    chmod 666 ${LOCALSTATEDIR}/log/lastlog
-  fi
+  echo
+  echo "${LOCALSTATEDIR}/log is existant but not a directory."
+  echo "Cannot create ssh host configuration."
+  echo
+  exit 1
+fi
+if [ ! -e ${LOCALSTATEDIR}/log ]
+then
+  mkdir -p ${LOCALSTATEDIR}/log
+fi
+
+if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
+then
+  echo 
+  echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
+  echo "Cannot create ssh host configuration."
+  echo 
+  exit 1
+fi
+if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
+then
+  cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+  chmod 644 ${LOCALSTATEDIR}/log/lastlog
 fi
 
 # Create /var/empty file used as chroot jail for privilege separation
@@ -507,6 +516,7 @@ then
             fi
             editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
             editrights -a SeCreateTokenPrivilege -u sshd_server &&
+            editrights -a SeTcbPrivilege -u sshd_server &&
             editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
             editrights -a SeDenyNetworkLogonRight -u sshd_server &&
             editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
@@ -578,6 +588,7 @@ then
       fi
       chown "${_user}" ${SYSCONFDIR}/ssh*
       chown "${_user}".544 ${LOCALSTATEDIR}/empty
+      chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
       if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
       then
         chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
index 716abced5..263fd2644 100644
--- a/contrib/findssl.sh
+++ b/contrib/findssl.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $Id: findssl.sh,v 1.3 2004/12/13 07:08:33 dtucker Exp $
+# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
 #
 # findssl.sh
 #       Search for all instances of OpenSSL headers and libraries
@@ -89,6 +89,25 @@ LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
 LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
 export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
 
+# not all platforms have a 'which' command
+if which ls >/dev/null 2>/dev/null; then
+    : which is defined
+else
+    which () {
+        saveIFS="$IFS"
+        IFS=:
+        for p in $PATH; do
+            if test -x "$p/$1" -a -f "$p/$1"; then
+                IFS="$saveIFS"
+                echo "$p/$1"
+                return 0
+            fi
+        done
+        IFS="$saveIFS"
+        return 1
+    }
+fi
+
 #
 # Search for OpenSSL headers and print versions
 #
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index cbdf7bbc7..08515d2b0 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 4.3p2
+%define ver 4.6p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index ffa66cd52..e5d837cbc 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -35,8 +35,8 @@ do_rsa1_keygen() {
                 if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                         chmod 600 $RSA1_KEY
                         chmod 644 $RSA1_KEY.pub
-                        if type restorecon >/dev/null 2>&1; then
-                                restorecon $RSA1_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $RSA1_KEY.pub
                         fi
                         success $"RSA1 key generation"
                         echo
@@ -54,8 +54,8 @@ do_rsa_keygen() {
                 if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                         chmod 600 $RSA_KEY
                         chmod 644 $RSA_KEY.pub
-                        if type restorecon >/dev/null 2>&1; then
-                                restorecon $RSA_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $RSA_KEY.pub
                         fi
                         success $"RSA key generation"
                         echo
@@ -73,8 +73,8 @@ do_dsa_keygen() {
                 if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                         chmod 600 $DSA_KEY
                         chmod 644 $DSA_KEY.pub
-                        if type restorecon >/dev/null 2>&1; then
-                                restorecon $DSA_KEY.pub
+                        if [ -x /sbin/restorecon ]; then
+                            /sbin/restorecon $DSA_KEY.pub
                         fi
                         success $"DSA key generation"
                         echo
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index b49e78c65..95b394f18 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        4.3p2
+Version:        4.6p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/crc32.c b/crc32.c
index ac627b57a..c192eb4d6 100644
--- a/crc32.c
+++ b/crc32.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crc32.c,v 1.9 2003/02/12 21:39:50 markus Exp $        */
+/* $OpenBSD: crc32.c,v 1.11 2006/04/22 18:29:33 stevesk Exp $ */
 
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
@@ -99,7 +99,7 @@ ssh_crc32(const u_char *buf, u_int32_t size)
         u_int32_t i, crc;
 
         crc = 0;
-        for (i = 0;  i < size;  i++)
+        for (i = 0; i < size; i++)
                 crc = crc32tab[(crc ^ buf[i]) & 0xff] ^ (crc >> 8);
         return crc;
 }
diff --git a/crc32.h b/crc32.h
index a2fb58493..5d7131aff 100644
--- a/crc32.h
+++ b/crc32.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crc32.h,v 1.14 2003/02/12 21:39:50 markus Exp $       */
+/* $OpenBSD: crc32.h,v 1.15 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
diff --git a/deattack.c b/deattack.c
index d174abc76..1b37e4dab 100644
--- a/deattack.c
+++ b/deattack.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */
 /*
  * Cryptographic attack detector for ssh - source code
  *
@@ -18,14 +19,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
 
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "deattack.h"
 #include "log.h"
 #include "crc32.h"
-#include "getput.h"
-#include "xmalloc.h"
-#include "deattack.h"
+#include "misc.h"
 
 /*
  * CRC attack detection has a worst-case behaviour that is O(N^3) over
@@ -61,7 +66,7 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
 
 
 /* Hash function (Input keys are cipher results) */
-#define HASH(x)         GET_32BIT(x)
+#define HASH(x)         get_u32(x)
 
 #define CMP(a, b)       (memcmp(a, b, SSH_BLOCKSIZE))
 
@@ -69,22 +74,17 @@ static void
 crc_update(u_int32_t *a, u_int32_t b)
 {
         b ^= *a;
-        *a = ssh_crc32((u_char *) &b, sizeof(b));
+        *a = ssh_crc32((u_char *)&b, sizeof(b));
 }
 
 /* detect if a block is used in a particular pattern */
 static int
-check_crc(u_char *S, u_char *buf, u_int32_t len,
-          u_char *IV)
+check_crc(u_char *S, u_char *buf, u_int32_t len)
 {
         u_int32_t crc;
         u_char *c;
 
         crc = 0;
-        if (IV && !CMP(S, IV)) {
-                crc_update(&crc, 1);
-                crc_update(&crc, 0);
-        }
         for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
                 if (!CMP(S, c)) {
                         crc_update(&crc, 1);
@@ -100,7 +100,7 @@ check_crc(u_char *S, u_char *buf, u_int32_t len,
 
 /* Detect a crc32 compensation attack on a packet */
 int
-detect_attack(u_char *buf, u_int32_t len, u_char *IV)
+detect_attack(u_char *buf, u_int32_t len)
 {
         static u_int16_t *h = (u_int16_t *) NULL;
         static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
@@ -118,26 +118,20 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
 
         if (h == NULL) {
                 debug("Installing crc compensation attack detector.");
-                h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+                h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE);
                 n = l;
         } else {
                 if (l > n) {
-                        h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+                        h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE);
                         n = l;
                 }
         }
 
         if (len <= HASH_MINBLOCKS) {
                 for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
-                        if (IV && (!CMP(c, IV))) {
-                                if ((check_crc(c, buf, len, IV)))
-                                        return (DEATTACK_DETECTED);
-                                else
-                                        break;
-                        }
                         for (d = buf; d < c; d += SSH_BLOCKSIZE) {
                                 if (!CMP(c, d)) {
-                                        if ((check_crc(c, buf, len, IV)))
+                                        if ((check_crc(c, buf, len)))
                                                 return (DEATTACK_DETECTED);
                                         else
                                                 break;
@@ -148,25 +142,13 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
         }
         memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
 
-        if (IV)
-                h[HASH(IV) & (n - 1)] = HASH_IV;
-
         for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
                 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
                     i = (i + 1) & (n - 1)) {
-                        if (h[i] == HASH_IV) {
-                                if (!CMP(c, IV)) {
-                                        if (++same > MAX_IDENTICAL)
-                                                return (DEATTACK_DOS_DETECTED);
-                                        if (check_crc(c, buf, len, IV))
-                                                return (DEATTACK_DETECTED);
-                                        else
-                                                break;
-                                }
-                        } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+                        if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
                                 if (++same > MAX_IDENTICAL)
                                         return (DEATTACK_DOS_DETECTED);
-                                if (check_crc(c, buf, len, IV))
+                                if (check_crc(c, buf, len))
                                         return (DEATTACK_DETECTED);
                                 else
                                         break;
diff --git a/deattack.h b/deattack.h
index cd3d7aa3b..0316fb285 100644
--- a/deattack.h
+++ b/deattack.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: deattack.h,v 1.7 2001/06/26 17:27:23 markus Exp $     */
+/* $OpenBSD: deattack.h,v 1.10 2006/09/16 19:53:37 djm Exp $ */
 
 /*
  * Cryptographic attack detector for ssh - Header file
@@ -27,5 +27,5 @@
 #define DEATTACK_DETECTED       1
 #define DEATTACK_DOS_DETECTED   2
 
-int      detect_attack(u_char *, u_int32_t, u_char[8]);
+int      detect_attack(u_char *, u_int32_t);
 #endif
diff --git a/debian/.cvsignore b/debian/.cvsignore
index 3604280e2..27afde263 100644
--- a/debian/.cvsignore
+++ b/debian/.cvsignore
@@ -1,12 +1,12 @@
+*.debhelper
+*.templates
+*substvars
 files
-tmp
 openssh-client
-openssh-server
-ssh
 openssh-client-udeb
+openssh-server
 openssh-server-udeb
+ssh
 ssh-askpass-gnome
 ssh-krb5
-*.debhelper
-*substvars
-*.templates
+tmp
diff --git a/debian/changelog b/debian/changelog
index 0c159c1c7..a6eb2d15b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,63 @@
+openssh (1:4.6p1-1) UNRELEASED; urgency=low
+
+  * New upstream release (closes: #395507, #397961, #420035). Important
+    changes not previously backported to 4.3p2:
+    - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+      + On portable OpenSSH, fix a GSSAPI authentication abort that could be
+        used to determine the validity of usernames on some platforms.
+      + Implemented conditional configuration in sshd_config(5) using the
+        "Match" directive. This allows some configuration options to be
+        selectively overridden if specific criteria (based on user, group,
+        hostname and/or address) are met. So far a useful subset of
+        post-authentication options are supported and more are expected to
+        be added in future releases.
+      + Add support for Diffie-Hellman group exchange key agreement with a
+        final hash of SHA256.
+      + Added a "ForceCommand" directive to sshd_config(5). Similar to the
+        command="..." option accepted in ~/.ssh/authorized_keys, this forces
+        the execution of the specified command regardless of what the user
+        requested. This is very useful in conjunction with the new "Match"
+        option.
+      + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
+        permitopen="..." authorized_keys option, allowing fine-grained
+        control over the port-forwardings that a user is allowed to
+        establish.
+      + Add optional logging of transactions to sftp-server(8).
+      + ssh(1) will now record port numbers for hosts stored in
+        ~/.ssh/known_hosts when a non-standard port has been requested
+        (closes: #50612).
+      + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
+        non-zero exit code) when requested port forwardings could not be
+        established.
+      + Extend sshd_config(5) "SubSystem" declarations to allow the
+        specification of command-line arguments.
+      + Replacement of all integer overflow susceptible invocations of
+        malloc(3) and realloc(3) with overflow-checking equivalents.
+      + Many manpage fixes and improvements.
+      + Add optional support for OpenSSL hardware accelerators (engines),
+        enabled using the --with-ssl-engine configure option.
+      + Tokens in configuration files may be double-quoted in order to
+        contain spaces (closes: #319639).
+      + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
+        session exits very quickly (closes: #307890).
+      + Fix some incorrect buffer allocation calculations (closes: #410599).
+      + ssh-add doesn't ask for a passphrase if key file permissions are too
+        liberal (closes: #103677).
+      + Likewise, ssh doesn't ask either (closes: #99675).
+    - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+      + sshd now allows the enabling and disabling of authentication methods
+        on a per user, group, host and network basis via the Match directive
+        in sshd_config.
+      + Fixed an inconsistent check for a terminal when displaying scp
+        progress meter (closes: #257524).
+      + Fix "hang on exit" when background processes are running at the time
+        of exit on a ttyful/login session (closes: #88337).
+  * Update to current GSSAPI patch from
+    http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
+    install ChangeLog.gssapi.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 12 Jun 2007 14:31:01 +0100
+
 openssh (1:4.3p2-11) unstable; urgency=low
 
   * It's been four and a half years now since I took over as "temporary"
diff --git a/debian/rules b/debian/rules
index fdef12dcf..e18c77153 100755
--- a/debian/rules
+++ b/debian/rules
@@ -186,7 +186,7 @@ binary-openssh-client: build install
         dh_installdebconf
         dh_installdocs OVERVIEW README README.dns README.tun
         cat debian/copyright.head LICENCE > debian/openssh-client/usr/share/doc/openssh-client/copyright
-        dh_installchangelogs ChangeLog
+        dh_installchangelogs ChangeLog ChangeLog.gssapi
         install -m644 debian/openssh-client.lintian debian/openssh-client/usr/share/lintian/overrides/openssh-client
         dh_strip
         dh_compress
@@ -265,7 +265,7 @@ binary-ssh-krb5: build install
         dh_testroot
         dh_installdocs
         cat debian/copyright.head LICENCE > debian/ssh-krb5/usr/share/doc/ssh-krb5/copyright
-        dh_installchangelogs ChangeLog
+        dh_installchangelogs ChangeLog ChangeLog.gssapi
         dh_link
         dh_compress
         dh_fixperms
@@ -280,7 +280,7 @@ binary-ssh-askpass-gnome: build install
         dh_testroot
         dh_installdocs
         dh_installexamples debian/ssh-askpass-gnome.desktop
-        dh_installchangelogs ChangeLog
+        dh_installchangelogs ChangeLog ChangeLog.gssapi
         dh_strip
         dh_compress
         dh_fixperms
diff --git a/defines.h b/defines.h
index f25934176..8a4e2c73e 100644
--- a/defines.h
+++ b/defines.h
@@ -25,12 +25,12 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */
+/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
 
 
 /* Constants */
 
-#ifndef SHUT_RDWR
+#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
 enum
 {
   SHUT_RD = 0,          /* No more receptions.  */
@@ -90,8 +90,8 @@ enum
 #endif
 #endif
 
-#ifndef O_NONBLOCK      /* Non Blocking Open */
-# define O_NONBLOCK      00004
+#if defined(HAVE_DECL_O_NONBLOCK) && HAVE_DECL_O_NONBLOCK == 0
+# define O_NONBLOCK      00004  /* Non Blocking Open */
 #endif
 
 #ifndef S_ISDIR
@@ -143,16 +143,11 @@ including rpc/rpc.h breaks Solaris 6
 #define INADDR_LOOPBACK ((u_long)0x7f000001)
 #endif
 
-#ifndef __unused
-#define __unused
-#endif
-
 /* Types */
 
 /* If sys/types.h does not supply intXX_t, supply them ourselves */
 /* (or die trying) */
 
-
 #ifndef HAVE_U_INT
 typedef unsigned int u_int;
 #endif
@@ -496,6 +491,22 @@ struct winsize {
 # define offsetof(type, member) ((size_t) &((type *)0)->member)
 #endif
 
+/* Set up BSD-style BYTE_ORDER definition if it isn't there already */
+/* XXX: doesn't try to cope with strange byte orders (PDP_ENDIAN) */
+#ifndef BYTE_ORDER
+# ifndef LITTLE_ENDIAN
+#  define LITTLE_ENDIAN  1234
+# endif /* LITTLE_ENDIAN */
+# ifndef BIG_ENDIAN
+#  define BIG_ENDIAN     4321
+# endif /* BIG_ENDIAN */
+# ifdef WORDS_BIGENDIAN
+#  define BYTE_ORDER BIG_ENDIAN
+# else /* WORDS_BIGENDIAN */
+#  define BYTE_ORDER LITTLE_ENDIAN
+# endif /* WORDS_BIGENDIAN */
+#endif /* BYTE_ORDER */
+
 /* Function replacement / compatibility hacks */
 
 #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
@@ -517,19 +528,6 @@ struct winsize {
 # define optarg             BSDoptarg
 #endif
 
-/* In older versions of libpam, pam_strerror takes a single argument */
-#ifdef HAVE_OLD_PAM
-# define PAM_STRERROR(a,b) pam_strerror((b))
-#else
-# define PAM_STRERROR(a,b) pam_strerror((a),(b))
-#endif
-
-#ifdef PAM_SUN_CODEBASE
-# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
-#else
-# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
-#endif
-
 #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
 # undef HAVE_GETADDRINFO
 #endif
@@ -544,6 +542,11 @@ struct winsize {
 # undef HAVE_UPDWTMPX
 #endif
 
+#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
+    defined(SYSLOG_R_SAFE_IN_SIGHAND)
+# define DO_LOG_SAFE_IN_SIGHAND
+#endif
+
 #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
 # define memmove(s1, s2, n) bcopy((s2), (s1), (n))
 #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
@@ -553,6 +556,7 @@ struct winsize {
 #endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
 
 #ifndef GETPGRP_VOID
+# include <unistd.h>
 # define getpgrp() getpgrp(0)
 #endif
 
@@ -715,12 +719,14 @@ struct winsize {
 # undef HAVE_MMAP
 #endif
 
-/* some system headers on HP-UX define YES/NO */
-#ifdef YES
-# undef YES
-#endif
-#ifdef NO
-# undef NO
+#ifndef IOV_MAX
+# if defined(_XOPEN_IOV_MAX)
+#  define       IOV_MAX         _XOPEN_IOV_MAX
+# elif defined(DEF_IOV_MAX)
+#  define       IOV_MAX         DEF_IOV_MAX
+# else
+#  define       IOV_MAX         16
+# endif
 #endif
 
 #endif /* _DEFINES_H */
diff --git a/dh.c b/dh.c
index 044d869fb..78e230b9f 100644
--- a/dh.c
+++ b/dh.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: dh.c,v 1.44 2006/11/07 13:02:07 markus Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  *
@@ -23,17 +24,17 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.31 2004/08/04 10:37:52 djm Exp $");
 
-#include "xmalloc.h"
+#include <sys/param.h>
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/evp.h>
 
-#include "buffer.h"
-#include "cipher.h"
-#include "kex.h"
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
 #include "dh.h"
 #include "pathnames.h"
 #include "log.h"
@@ -44,9 +45,11 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
 {
         char *cp, *arg;
         char *strsize, *gen, *prime;
+        const char *errstr = NULL;
 
         cp = line;
-        arg = strdelim(&cp);
+        if ((arg = strdelim(&cp)) == NULL)
+                return 0;
         /* Ignore leading whitespace */
         if (*arg == '\0')
                 arg = strdelim(&cp);
@@ -67,7 +70,8 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
                 goto fail;
         strsize = strsep(&cp, " "); /* size */
         if (cp == NULL || *strsize == '\0' ||
-            (dhg->size = atoi(strsize)) == 0)
+            (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
+            errstr)
                 goto fail;
         /* The whole group is one bit larger */
         dhg->size++;
@@ -178,19 +182,36 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
         int i;
         int n = BN_num_bits(dh_pub);
         int bits_set = 0;
+        BIGNUM *tmp;
 
         if (dh_pub->neg) {
                 logit("invalid public DH value: negativ");
                 return 0;
         }
+        if (BN_cmp(dh_pub, BN_value_one()) != 1) {      /* pub_exp <= 1 */
+                logit("invalid public DH value: <= 1");
+                return 0;
+        }
+
+        if ((tmp = BN_new()) == NULL)
+                return (-1);
+        if (!BN_sub(tmp, dh->p, BN_value_one()) ||
+            BN_cmp(dh_pub, tmp) != -1) {                /* pub_exp > p-2 */
+                BN_clear_free(tmp);
+                logit("invalid public DH value: >= p-1");
+                return 0;
+        }
+        BN_clear_free(tmp);
+
         for (i = 0; i <= n; i++)
                 if (BN_is_bit_set(dh_pub, i))
                         bits_set++;
         debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
 
         /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
-        if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
+        if (bits_set > 1)
                 return 1;
+
         logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
         return 0;
 }
diff --git a/dh.h b/dh.h
index 723dd08e4..8e580ee87 100644
--- a/dh.h
+++ b/dh.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dh.h,v 1.8 2004/06/13 12:53:24 djm Exp $      */
+/* $OpenBSD: dh.h,v 1.9 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
diff --git a/dispatch.c b/dispatch.c
index c5ff65031..d6b63be4b 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: dispatch.c,v 1.21 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -21,8 +22,13 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: dispatch.c,v 1.16 2003/04/08 20:21:28 itojun Exp $");
+
+#include <sys/types.h>
+
+#include <signal.h>
+#include <stdarg.h>
 
 #include "ssh1.h"
 #include "ssh2.h"
@@ -76,7 +82,7 @@ dispatch_set(int type, dispatch_fn *fn)
         dispatch[type] = fn;
 }
 void
-dispatch_run(int mode, int *done, void *ctxt)
+dispatch_run(int mode, volatile sig_atomic_t *done, void *ctxt)
 {
         for (;;) {
                 int type;
diff --git a/dispatch.h b/dispatch.h
index a82e2165b..3e3d1a1ad 100644
--- a/dispatch.h
+++ b/dispatch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dispatch.h,v 1.9 2002/01/11 13:39:36 markus Exp $     */
+/* $OpenBSD: dispatch.h,v 1.11 2006/04/20 09:27:09 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -23,6 +23,9 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
+#include <signal.h>
+
 enum {
         DISPATCH_BLOCK,
         DISPATCH_NONBLOCK
@@ -33,6 +36,6 @@ typedef void dispatch_fn(int, u_int32_t, void *);
 void     dispatch_init(dispatch_fn *);
 void     dispatch_set(int, dispatch_fn *);
 void     dispatch_range(u_int, u_int, dispatch_fn *);
-void     dispatch_run(int, int *, void *);
+void     dispatch_run(int, volatile sig_atomic_t *, void *);
 void     dispatch_protocol_error(int, u_int32_t, void *);
 void     dispatch_protocol_ignore(int, u_int32_t, void *);
diff --git a/dns.c b/dns.c
index a71dd9bff..a89176f88 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $        */
+/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -26,9 +26,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
+
+#include <sys/types.h>
+#include <sys/socket.h>
 
 #include <netdb.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
 
 #include "xmalloc.h"
 #include "key.h"
@@ -122,7 +127,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
                         *digest = (u_char *) xmalloc(*digest_len);
                         memcpy(*digest, rdata + 2, *digest_len);
                 } else {
-                        *digest = xstrdup("");
+                        *digest = (u_char *)xstrdup("");
                 }
 
                 success = 1;
@@ -212,7 +217,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
         if (fingerprints->rri_nrdatas)
                 *flags |= DNS_VERIFY_FOUND;
 
-        for (counter = 0; counter < fingerprints->rri_nrdatas; counter++)  {
+        for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
                 /*
                  * Extract the key from the answer. Ignore any badly
                  * formatted fingerprints.
diff --git a/dns.h b/dns.h
index 0aa1c28f2..b2633a1fe 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */
+/* $OpenBSD: dns.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -25,8 +25,6 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "includes.h"
-
 #ifndef DNS_H
 #define DNS_H
 
diff --git a/entropy.c b/entropy.c
index b9d238200..e264063e9 100644
--- a/entropy.c
+++ b/entropy.c
@@ -24,6 +24,20 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <stdarg.h>
+#include <unistd.h>
+#include <signal.h>
+
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -35,7 +49,6 @@
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
-#include "bufaux.h"
 
 /*
  * Portable OpenSSH PRNG seeding:
@@ -48,8 +61,6 @@
  * XXX: we should tell the child how many bytes we need.
  */
 
-RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $");
-
 #ifndef OPENSSL_PRNG_ONLY
 #define RANDOM_SEED_SIZE 48
 static uid_t original_uid, original_euid;
diff --git a/fatal.c b/fatal.c
index ae1aaac6e..5e5aa3fe1 100644
--- a/fatal.c
+++ b/fatal.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: fatal.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -23,7 +24,10 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: fatal.c,v 1.2 2003/09/23 20:17:11 markus Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
 
 #include "log.h"
 
@@ -33,6 +37,7 @@ void
 fatal(const char *fmt,...)
 {
         va_list args;
+
         va_start(args, fmt);
         do_log(SYSLOG_LEVEL_FATAL, fmt, args);
         va_end(args);
diff --git a/getput.h b/getput.h
deleted file mode 100644
index 20cf8f20b..000000000
--- a/getput.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*      $OpenBSD: getput.h,v 1.8 2002/03/04 17:27:39 stevesk Exp $      */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Macros for storing and retrieving data in msb first and lsb first order.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef GETPUT_H
-#define GETPUT_H
-
-/*------------ macros for storing/extracting msb first words -------------*/
-
-#define GET_64BIT(cp) (((u_int64_t)(u_char)(cp)[0] << 56) | \
-                       ((u_int64_t)(u_char)(cp)[1] << 48) | \
-                       ((u_int64_t)(u_char)(cp)[2] << 40) | \
-                       ((u_int64_t)(u_char)(cp)[3] << 32) | \
-                       ((u_int64_t)(u_char)(cp)[4] << 24) | \
-                       ((u_int64_t)(u_char)(cp)[5] << 16) | \
-                       ((u_int64_t)(u_char)(cp)[6] << 8) | \
-                       ((u_int64_t)(u_char)(cp)[7]))
-
-#define GET_32BIT(cp) (((u_long)(u_char)(cp)[0] << 24) | \
-                       ((u_long)(u_char)(cp)[1] << 16) | \
-                       ((u_long)(u_char)(cp)[2] << 8) | \
-                       ((u_long)(u_char)(cp)[3]))
-
-#define GET_16BIT(cp) (((u_long)(u_char)(cp)[0] << 8) | \
-                       ((u_long)(u_char)(cp)[1]))
-
-#define PUT_64BIT(cp, value) do { \
-  (cp)[0] = (value) >> 56; \
-  (cp)[1] = (value) >> 48; \
-  (cp)[2] = (value) >> 40; \
-  (cp)[3] = (value) >> 32; \
-  (cp)[4] = (value) >> 24; \
-  (cp)[5] = (value) >> 16; \
-  (cp)[6] = (value) >> 8; \
-  (cp)[7] = (value); } while (0)
-
-#define PUT_32BIT(cp, value) do { \
-  (cp)[0] = (value) >> 24; \
-  (cp)[1] = (value) >> 16; \
-  (cp)[2] = (value) >> 8; \
-  (cp)[3] = (value); } while (0)
-
-#define PUT_16BIT(cp, value) do { \
-  (cp)[0] = (value) >> 8; \
-  (cp)[1] = (value); } while (0)
-
-#endif                          /* GETPUT_H */
diff --git a/groupaccess.c b/groupaccess.c
index f50879f83..e73f62b22 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: groupaccess.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Kevin Steves.  All rights reserved.
  *
@@ -23,10 +24,16 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $");
 
-#include "groupaccess.h"
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <grp.h>
+#include <unistd.h>
+#include <stdarg.h>
+
 #include "xmalloc.h"
+#include "groupaccess.h"
 #include "match.h"
 #include "log.h"
 
@@ -52,8 +59,8 @@ ga_init(const char *user, gid_t base)
         ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
 #endif
 
-        groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
-        groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
+        groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
+        groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
 
         if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
                 logit("getgrouplist: groups list too small");
diff --git a/groupaccess.h b/groupaccess.h
index ede4805c2..04b449894 100644
--- a/groupaccess.h
+++ b/groupaccess.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: groupaccess.h,v 1.4 2001/06/26 17:27:23 markus Exp $  */
+/* $OpenBSD: groupaccess.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001 Kevin Steves.  All rights reserved.
@@ -27,8 +27,6 @@
 #ifndef GROUPACCESS_H
 #define GROUPACCESS_H
 
-#include <grp.h>
-
 int      ga_init(const char *, gid_t);
 int      ga_match(char * const *, int);
 void     ga_free(void);
diff --git a/gss-genr.c b/gss-genr.c
index dfaa708ea..42f942b58 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
-/*      $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $    */
+/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,10 +28,20 @@
 
 #ifdef GSSAPI
 
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
-#include "bufaux.h"
+#include "buffer.h"
 #include "log.h"
 #include "ssh2.h"
+#include "cipher.h"
+#include "key.h"
+#include "kex.h"
 #include <openssl/evp.h>
 
 #include "ssh-gss.h"
@@ -65,7 +75,6 @@ ssh_gssapi_oid_table_ok() {
  * a key exchange with a bad mechanism
  */
 
-
 char *
 ssh_gssapi_client_mechanisms(const char *host) {
         gss_OID_set gss_supported;
@@ -74,35 +83,36 @@ ssh_gssapi_client_mechanisms(const char *host) {
         gss_indicate_mechs(&min_status, &gss_supported);
 
         return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
-            (void *)host));
+            host));
 }
 
 char *
 ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
-    void *data) {
+    const char *data) {
         Buffer buf;
-        int i, oidpos, enclen;
+        size_t i;
+        int oidpos, enclen;
         char *mechs, *encoded;
-        char digest[EVP_MAX_MD_SIZE];
+        u_char digest[EVP_MAX_MD_SIZE];
         char deroid[2];
         const EVP_MD *evp_md = EVP_md5();
         EVP_MD_CTX md;
 
         if (gss_enc2oid != NULL) {
-                for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
+                for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
                         xfree(gss_enc2oid[i].encoded);
                 xfree(gss_enc2oid);
         }
 
-        gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
-            (gss_supported->count+1));
+        gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
+            (gss_supported->count + 1));
 
         buffer_init(&buf);
 
         oidpos = 0;
-        for (i = 0;i < gss_supported->count;i++) {
+        for (i = 0; i < gss_supported->count; i++) {
                 if (gss_supported->elements[i].length < 128 &&
-                    (*check)(&(gss_supported->elements[i]), data)) {
+                    (*check)(NULL, &(gss_supported->elements[i]), data)) {
 
                         deroid[0] = SSH_GSS_OIDTYPE;
                         deroid[1] = gss_supported->elements[i].length;
@@ -114,19 +124,23 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
                             gss_supported->elements[i].length);
                         EVP_DigestFinal(&md, digest, NULL);
 
-                        encoded = xmalloc(EVP_MD_size(evp_md)*2);
+                        encoded = xmalloc(EVP_MD_size(evp_md) * 2);
                         enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
-                            encoded, EVP_MD_size(evp_md)*2);
+                            encoded, EVP_MD_size(evp_md) * 2);
 
                         if (oidpos != 0)
-                            buffer_put_char(&buf, ',');
+                                buffer_put_char(&buf, ',');
 
                         buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
-                            sizeof(KEX_GSS_GEX_SHA1_ID)-1);
+                            sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
                         buffer_append(&buf, encoded, enclen);
-                        buffer_put_char(&buf,',');
+                        buffer_put_char(&buf, ',');
                         buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
-                            sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
+                            sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
+                        buffer_append(&buf, encoded, enclen);
+                        buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
+                            sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
                         buffer_append(&buf, encoded, enclen);
 
                         gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@@ -152,25 +166,26 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
 }
 
 gss_OID
-ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
         int i = 0;
-
-        if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
-            sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
-                name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
-                *gex = 0;
-        } else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
-            sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
-                name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
-                *gex = 1;
-        } else {
-                return NULL;
+        
+        switch (kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
+                break;
+        case KEX_GSS_GEX_SHA1:
+                name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
+                break;
+        default:
+                return GSS_C_NO_OID;
         }
 
         while (gss_enc2oid[i].encoded != NULL &&
-            strcmp(name, gss_enc2oid[i].encoded) != 0) {
+            strcmp(name, gss_enc2oid[i].encoded) != 0)
                 i++;
-        }
 
         if (gss_enc2oid[i].oid != NULL && ctx != NULL)
                 ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
@@ -212,7 +227,11 @@ ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
 void
 ssh_gssapi_error(Gssctxt *ctxt)
 {
-        debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
+        char *s;
+
+        s = ssh_gssapi_last_error(ctxt, NULL, NULL);
+        debug("%s", s);
+        xfree(s);
 }
 
 char *
@@ -236,7 +255,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
         /* The GSSAPI error */
         do {
                 gss_display_status(&lmin, ctxt->major,
-                    GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
+                    GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg);
 
                 buffer_append(&b, msg.value, msg.length);
                 buffer_put_char(&b, '\n');
@@ -247,7 +266,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
         /* The mechanism specific error */
         do {
                 gss_display_status(&lmin, ctxt->minor,
-                    GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
+                    GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
 
                 buffer_append(&b, msg.value, msg.length);
                 buffer_put_char(&b, '\n');
@@ -271,9 +290,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
 void
 ssh_gssapi_build_ctx(Gssctxt **ctx)
 {
-        *ctx = xmalloc(sizeof (Gssctxt));
-        (*ctx)->major = 0;
-        (*ctx)->minor = 0;
+        *ctx = xcalloc(1, sizeof (Gssctxt));
         (*ctx)->context = GSS_C_NO_CONTEXT;
         (*ctx)->name = GSS_C_NO_NAME;
         (*ctx)->oid = GSS_C_NO_OID;
@@ -343,10 +360,11 @@ OM_uint32
 ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 {
         gss_buffer_desc gssbuf;
+        char *val;
 
-        gssbuf.length = sizeof("host@") + strlen(host);
-        gssbuf.value = xmalloc(gssbuf.length);
-        snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+        xasprintf(&val, "host@%s", host);
+        gssbuf.value = val;
+        gssbuf.length = strlen(gssbuf.value);
 
         if ((ctx->major = gss_import_name(&ctx->minor,
             &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
@@ -356,35 +374,6 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
         return (ctx->major);
 }
 
-/* Acquire credentials for a server running on the current host.
- * Requires that the context structure contains a valid OID
- */
-
-/* Returns a GSSAPI error code */
-OM_uint32
-ssh_gssapi_acquire_cred(Gssctxt *ctx)
-{
-        OM_uint32 status;
-        char lname[MAXHOSTNAMELEN];
-        gss_OID_set oidset;
-
-        gss_create_empty_oid_set(&status, &oidset);
-        gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-        if (gethostname(lname, MAXHOSTNAMELEN))
-                return (-1);
-
-        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
-                return (ctx->major);
-
-        if ((ctx->major = gss_acquire_cred(&ctx->minor,
-            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-                ssh_gssapi_error(ctx);
-
-        gss_release_oid_set(&status, &oidset);
-        return (ctx->major);
-}
-
 OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
@@ -423,28 +412,37 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
         buffer_put_cstring(b, context);
 }
 
-OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
 {
-        if (*ctx)
-                ssh_gssapi_delete_ctx(ctx);
+        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+        Gssctxt *intctx = NULL;
+
+        if (ctx == NULL)
+                ctx = &intctx;
+
+        /* RFC 4462 says we MUST NOT do SPNEGO */
+        if (oid->length == spnego_oid.length && 
+            (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+                return 0; /* false */
+
         ssh_gssapi_build_ctx(ctx);
         ssh_gssapi_set_oid(*ctx, oid);
-        return (ssh_gssapi_acquire_cred(*ctx));
-}
+        major = ssh_gssapi_import_name(*ctx, host);
+        if (!GSS_ERROR(major)) {
+                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
+                    NULL);
+                gss_release_buffer(&minor, &token);
+                if ((*ctx)->context != GSS_C_NO_CONTEXT)
+                        gss_delete_sec_context(&minor, &(*ctx)->context,
+                            GSS_C_NO_BUFFER);
+        }
+
+        if (GSS_ERROR(major) || intctx != NULL) 
+                ssh_gssapi_delete_ctx(ctx);
 
-int
-ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
-        Gssctxt * ctx = NULL;
-        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
-        OM_uint32 major, minor;
-        
-        ssh_gssapi_build_ctx(&ctx);
-        ssh_gssapi_set_oid(ctx, oid);
-        ssh_gssapi_import_name(ctx, host);
-        major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
-        gss_release_buffer(&minor, &token);
-        ssh_gssapi_delete_ctx(&ctx);
         return (!GSS_ERROR(major));
 }
 
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 5a9b2cdd3..b400081f6 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $       */
+/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -29,11 +29,19 @@
 #ifdef GSSAPI
 #ifdef KRB5
 
-#include "auth.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "log.h"
 #include "servconf.h"
 
+#include "buffer.h"
 #include "ssh-gss.h"
 
 extern ServerOptions options;
@@ -112,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
         krb5_principal princ;
         OM_uint32 maj_status, min_status;
         int len;
+        const char *new_ccname;
 
         if (client->creds == NULL) {
                 debug("No credentials stored");
@@ -160,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                 return;
         }
 
-        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+        new_ccname = krb5_cc_get_name(krb_context, ccache);
+
         client->store.envvar = "KRB5CCNAME";
-        len = strlen(client->store.filename) + 6;
-        client->store.envval = xmalloc(len);
-        snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+#ifdef USE_CCAPI
+        xasprintf(&client->store.envval, "API:%s", new_ccname);
+        client->store.filename = NULL;
+#else
+        xasprintf(&client->store.envval, "FILE:%s", new_ccname);
+        client->store.filename = xstrdup(new_ccname);
+#endif
 
 #ifdef USE_PAM
         if (options.use_pam)
diff --git a/gss-serv.c b/gss-serv.c
index 190f56fc0..841d8bb2f 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
-/*      $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $   */
+/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,17 +28,27 @@
 
 #ifdef GSSAPI
 
-#include "bufaux.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
 #include "channels.h"
 #include "session.h"
+#include "misc.h"
 #include "servconf.h"
-#include "xmalloc.h"
-#include "getput.h"
-#include "monitor_wrap.h"
 
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+
+extern ServerOptions options;
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -70,8 +80,8 @@ ssh_gssapi_server_mechanisms() {
 
 /* Unprivileged */
 int
-ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
-        Gssctxt * ctx = NULL;
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+        Gssctxt *ctx = NULL;
         int res;
  
         res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
@@ -101,6 +111,58 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
                             &supported_mechs[i]->oid, oidset);
                 i++;
         }
+
+        gss_release_oid_set(&min_status, &supported);
+}
+
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+        if (*ctx)
+                ssh_gssapi_delete_ctx(ctx);
+        ssh_gssapi_build_ctx(ctx);
+        ssh_gssapi_set_oid(*ctx, oid);
+        return (ssh_gssapi_acquire_cred(*ctx));
+}
+
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+        OM_uint32 status;
+        char lname[MAXHOSTNAMELEN];
+        gss_OID_set oidset;
+
+        if (options.gss_strict_acceptor) {
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (-1);
+                }
+
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
+
+                gss_release_oid_set(&status, &oidset);
+                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
+        }
+        return GSS_S_COMPLETE;
 }
 
 
@@ -174,7 +236,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
          * second without.
          */
 
-        oidl = GET_16BIT(tok+2); /* length including next two bytes */
+        oidl = get_u16(tok+2); /* length including next two bytes */
         oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
 
         /*
@@ -191,14 +253,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
         if (ename->length < offset+4)
                 return GSS_S_FAILURE;
 
-        name->length = GET_32BIT(tok+offset);
+        name->length = get_u32(tok+offset);
         offset += 4;
 
         if (ename->length < offset+name->length)
                 return GSS_S_FAILURE;
 
         name->value = xmalloc(name->length+1);
-        memcpy(name->value, tok+offset,name->length);
+        memcpy(name->value, tok+offset, name->length);
         ((char *)name->value)[name->length] = 0;
 
         return GSS_S_COMPLETE;
@@ -257,7 +319,8 @@ ssh_gssapi_cleanup_creds(void)
 {
         if (gssapi_client.store.filename != NULL) {
                 /* Unlink probably isn't sufficient */
-                debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
+                debug("removing gssapi cred file\"%s\"",
+                    gssapi_client.store.filename);
                 unlink(gssapi_client.store.filename);
         }
 }
diff --git a/hostfile.c b/hostfile.c
index 3ed646247..2cceb352a 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: hostfile.c,v 1.45 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -36,18 +37,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.36 2005/11/22 03:36:03 dtucker Exp $");
 
-#include <resolv.h>
+#include <sys/types.h>
+
+#include <netinet/in.h>
+
 #include <openssl/hmac.h>
 #include <openssl/sha.h>
 
-#include "packet.h"
+#include <resolv.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "match.h"
 #include "key.h"
 #include "hostfile.h"
 #include "log.h"
-#include "xmalloc.h"
 
 static int
 extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
@@ -254,8 +262,10 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
 
                 if (key == NULL) {
                         /* we found a key of the requested type */
-                        if (found->type == keytype)
+                        if (found->type == keytype) {
+                                fclose(f);
                                 return HOST_FOUND;
+                        }
                         continue;
                 }
 
diff --git a/hostfile.h b/hostfile.h
index d6330752e..d1983b3e0 100644
--- a/hostfile.h
+++ b/hostfile.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hostfile.h,v 1.15 2005/03/01 10:40:26 djm Exp $       */
+/* $OpenBSD: hostfile.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/includes.h b/includes.h
index 520817400..967fcc26c 100644
--- a/includes.h
+++ b/includes.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $   */
+/* $OpenBSD: includes.h,v 1.54 2006/07/22 20:48:23 stevesk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,44 +16,24 @@
 #ifndef INCLUDES_H
 #define INCLUDES_H
 
-#define RCSID(msg) \
-static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
-
 #include "config.h"
 
 #define _GNU_SOURCE /* activate extra prototypes for glibc */
 
-#include <stdarg.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h> /* For O_NONBLOCK */
-#include <signal.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <pwd.h>
-#include <grp.h>
-#include <time.h>
-#include <dirent.h>
-#include <stddef.h>
+#include <sys/types.h>
+#include <sys/socket.h> /* For CMSG_* */
 
 #ifdef HAVE_LIMITS_H
 # include <limits.h> /* For PATH_MAX */
 #endif
-#ifdef HAVE_GETOPT_H
-# include <getopt.h>
-#endif
 #ifdef HAVE_BSTRING_H
 # include <bstring.h>
 #endif
 #if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
-    defined(GLOB_HAS_GL_MATCHC)
+    defined(GLOB_HAS_GL_MATCHC) && \
+    defined(HAVE_DECL_GLOB_NOMATCH) &&  HAVE_DECL_GLOB_NOMATCH != 0
 # include <glob.h>
 #endif
-#ifdef HAVE_NETGROUP_H
-# include <netgroup.h>
-#endif
 #ifdef HAVE_ENDIAN_H
 # include <endian.h>
 #endif
@@ -67,10 +47,11 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
 # include <maillock.h> /* For _PATH_MAILDIR */
 #endif
 #ifdef HAVE_NEXT
-#  include <libc.h>
+# include <libc.h>
+#endif
+#ifdef HAVE_PATHS
+# include <paths.h>
 #endif
-#include <unistd.h> /* For STDIN_FILENO, etc */
-#include <termios.h> /* Struct winsize */
 
 /*
  *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
@@ -86,39 +67,22 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
 #  include <utmp.h>
 #endif
 #ifdef HAVE_UTMPX_H
-#  ifdef HAVE_TV_IN_UTMPX
-#    include <sys/time.h>
-#  endif
 #  include <utmpx.h>
 #endif
 #ifdef HAVE_LASTLOG_H
 #  include <lastlog.h>
 #endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h> /* For _PATH_XXX */
-#endif
 
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/wait.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h> /* For timersub */
-#endif
-#include <sys/resource.h>
 #ifdef HAVE_SYS_SELECT_H
 # include <sys/select.h>
 #endif
 #ifdef HAVE_SYS_BSDTTY_H
 # include <sys/bsdtty.h>
 #endif
-#include <sys/param.h> /* For MAXPATHLEN and roundup() */
-#ifdef HAVE_SYS_UN_H
-# include <sys/un.h> /* For sockaddr_un */
-#endif
 #ifdef HAVE_STDINT_H
 # include <stdint.h>
 #endif
+#include <termios.h>
 #ifdef HAVE_SYS_BITYPES_H
 # include <sys/bitypes.h> /* For u_intXX_t */
 #endif
@@ -144,14 +108,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
 #include <sys/ptms.h>   /* for grantpt() and friends */
 #endif
 
+#include <netinet/in.h>
 #include <netinet/in_systm.h> /* For typedefs */
-#include <netinet/in.h> /* For IPv6 macros */
-#include <netinet/ip.h> /* For IPTOS macros */
-#include <netinet/tcp.h>
-#include <arpa/inet.h>
-#if defined(HAVE_NETDB_H)
-# include <netdb.h>
-#endif
 #ifdef HAVE_RPC_TYPES_H
 # include <rpc/types.h> /* For INADDR_LOOPBACK */
 #endif
@@ -205,7 +163,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
 
 #include "defines.h"
 
-#include "version.h"
+#include "platform.h"
 #include "openbsd-compat/openbsd-compat.h"
 #include "openbsd-compat/bsd-nextstep.h"
 
diff --git a/kex.c b/kex.c
index 47983f8d9..5f9b1dc40 100644
--- a/kex.c
+++ b/kex.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,19 +24,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/param.h>
+
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 
 #include <openssl/crypto.h>
 
-#include "ssh2.h"
 #include "xmalloc.h"
+#include "ssh2.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "packet.h"
 #include "compat.h"
 #include "cipher.h"
-#include "kex.h"
 #include "key.h"
+#include "kex.h"
 #include "log.h"
 #include "mac.h"
 #include "match.h"
@@ -48,6 +55,14 @@ RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
 
 #define KEX_COOKIE_LEN  16
 
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+# if defined(HAVE_EVP_SHA256)
+# define evp_ssh_sha256 EVP_sha256
+# else
+extern const EVP_MD *evp_ssh_sha256(void);
+# endif
+#endif
+
 /* prototype */
 static void kex_kexinit_finish(Kex *);
 static void kex_choose_conf(Kex *);
@@ -79,7 +94,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
         int i;
         char **proposal;
 
-        proposal = xmalloc(PROPOSAL_MAX * sizeof(char *));
+        proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
 
         buffer_init(&b);
         buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
@@ -214,8 +229,7 @@ kex_setup(char *proposal[PROPOSAL_MAX])
 {
         Kex *kex;
 
-        kex = xmalloc(sizeof(*kex));
-        memset(kex, 0, sizeof(*kex));
+        kex = xcalloc(1, sizeof(*kex));
         buffer_init(&kex->peer);
         buffer_init(&kex->my);
         kex_prop2buf(&kex->my, proposal);
@@ -258,6 +272,7 @@ choose_enc(Enc *enc, char *client, char *server)
         enc->key_len = cipher_keylen(enc->cipher);
         enc->block_size = cipher_blocksize(enc->cipher);
 }
+
 static void
 choose_mac(Mac *mac, char *client, char *server)
 {
@@ -273,6 +288,7 @@ choose_mac(Mac *mac, char *client, char *server)
         mac->key = NULL;
         mac->enabled = 0;
 }
+
 static void
 choose_comp(Comp *comp, char *client, char *server)
 {
@@ -290,6 +306,7 @@ choose_comp(Comp *comp, char *client, char *server)
         }
         comp->name = name;
 }
+
 static void
 choose_kex(Kex *k, char *client, char *server)
 {
@@ -305,15 +322,24 @@ choose_kex(Kex *k, char *client, char *server)
         } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
                 k->kex_type = KEX_DH_GEX_SHA1;
                 k->evp_md = EVP_sha1();
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+        } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
+                k->kex_type = KEX_DH_GEX_SHA256;
+                k->evp_md = evp_ssh_sha256();
+#endif
 #ifdef GSSAPI
         } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
-            sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
+            sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
                 k->kex_type = KEX_GSS_GEX_SHA1;
                 k->evp_md = EVP_sha1();
         } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
-            sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
+            sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
                 k->kex_type = KEX_GSS_GRP1_SHA1;
                 k->evp_md = EVP_sha1();
+        } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
+            sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
+                k->kex_type = KEX_GSS_GRP14_SHA1;
+                k->evp_md = EVP_sha1();
 #endif
         } else
                 fatal("bad kex alg %s", k->name);
@@ -378,8 +404,7 @@ kex_choose_conf(Kex *kex)
 
         /* Algorithm Negotiation */
         for (mode = 0; mode < MODE_MAX; mode++) {
-                newkeys = xmalloc(sizeof(*newkeys));
-                memset(newkeys, 0, sizeof(*newkeys));
+                newkeys = xcalloc(1, sizeof(*newkeys));
                 kex->newkeys[mode] = newkeys;
                 ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
                 nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
@@ -434,7 +459,7 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
 
         if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
                 fatal("bad kex md size %d", mdsz);
-        digest = xmalloc(roundup(need, mdsz));
+        digest = xmalloc(roundup(need, mdsz));
 
         buffer_init(&b);
         buffer_put_bignum2(&b, shared_secret);
@@ -487,7 +512,8 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
         for (mode = 0; mode < MODE_MAX; mode++) {
                 current_keys[mode] = kex->newkeys[mode];
                 kex->newkeys[mode] = NULL;
-                ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
+                ctos = (!kex->server && mode == MODE_OUT) ||
+                    (kex->server && mode == MODE_IN);
                 current_keys[mode]->enc.iv  = keys[ctos ? 0 : 1];
                 current_keys[mode]->enc.key = keys[ctos ? 2 : 3];
                 current_keys[mode]->mac.key = keys[ctos ? 4 : 5];
@@ -544,7 +570,7 @@ dump_digest(char *msg, u_char *digest, int len)
         u_int i;
 
         fprintf(stderr, "%s\n", msg);
-        for (i = 0; i< len; i++) {
+        for (i = 0; i < len; i++) {
                 fprintf(stderr, "%02x", digest[i]);
                 if (i%32 == 31)
                         fprintf(stderr, "\n");
diff --git a/kex.h b/kex.h
index 1c4d1a718..51d224c87 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $    */
+/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -26,14 +26,13 @@
 #ifndef KEX_H
 #define KEX_H
 
+#include <signal.h>
 #include <openssl/evp.h>
-#include "buffer.h"
-#include "cipher.h"
-#include "key.h"
 
 #define KEX_DH1                 "diffie-hellman-group1-sha1"
 #define KEX_DH14                "diffie-hellman-group14-sha1"
 #define KEX_DHGEX_SHA1          "diffie-hellman-group-exchange-sha1"
+#define KEX_DHGEX_SHA256        "diffie-hellman-group-exchange-sha256"
 
 #define COMP_NONE       0
 #define COMP_ZLIB       1
@@ -63,7 +62,9 @@ enum kex_exchange {
         KEX_DH_GRP1_SHA1,
         KEX_DH_GRP14_SHA1,
         KEX_DH_GEX_SHA1,
+        KEX_DH_GEX_SHA256,
         KEX_GSS_GRP1_SHA1,
+        KEX_GSS_GRP14_SHA1,
         KEX_GSS_GEX_SHA1,
         KEX_MAX
 };
@@ -114,7 +115,7 @@ struct Kex {
         int     kex_type;
         Buffer  my;
         Buffer  peer;
-        int     done;
+        sig_atomic_t done;
         int     flags;
         const EVP_MD *evp_md;
 #ifdef GSSAPI
@@ -154,7 +155,7 @@ kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 void
 kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
-    int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, 
+    int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
     BIGNUM *, BIGNUM *, u_char **, u_int *);
 
 void
diff --git a/kexdh.c b/kexdh.c
index f79d8781d..56e22f5bc 100644
--- a/kexdh.c
+++ b/kexdh.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,13 +24,17 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/types.h>
+
+#include <signal.h>
 
 #include <openssl/evp.h>
 
 #include "buffer.h"
-#include "bufaux.h"
 #include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
 
 void
diff --git a/kexdhc.c b/kexdhc.c
index d8a2fa3b7..d384c8052 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexdhc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,10 +24,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
 
 #include "xmalloc.h"
+#include "buffer.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
@@ -41,7 +50,8 @@ kexdh_client(Kex *kex)
         Key *server_host_key;
         u_char *server_host_key_blob = NULL, *signature = NULL;
         u_char *kbuf, *hash;
-        u_int klen, kout, slen, sbloblen, hashlen;
+        u_int klen, slen, sbloblen, hashlen;
+        int kout;
 
         /* generate and send 'e', client DH public key */
         switch (kex->kex_type) {
@@ -82,7 +92,7 @@ kexdh_client(Kex *kex)
         if (kex->verify_host_key(server_host_key) == -1)
                 fatal("server_host_key verification failed");
 
-        /* DH paramter f, server public DH key */
+        /* DH parameter f, server public DH key */
         if ((dh_server_pub = BN_new()) == NULL)
                 fatal("dh_server_pub == NULL");
         packet_get_bignum2(dh_server_pub);
@@ -103,13 +113,15 @@ kexdh_client(Kex *kex)
 
         klen = DH_size(dh);
         kbuf = xmalloc(klen);
-        kout = DH_compute_key(kbuf, dh_server_pub, dh);
+        if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
+                fatal("DH_compute_key: failed");
 #ifdef DEBUG_KEXDH
         dump_digest("shared secret", kbuf, kout);
 #endif
         if ((shared_secret = BN_new()) == NULL)
                 fatal("kexdh_client: BN_new failed");
-        BN_bin2bn(kbuf, kout, shared_secret);
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexdh_client: BN_bin2bn failed");
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
diff --git a/kexdhs.c b/kexdhs.c
index 26c8cdfd6..861708818 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,15 +24,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
 
 #include "xmalloc.h"
+#include "buffer.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
 #include "dh.h"
 #include "ssh2.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 void
@@ -41,8 +52,8 @@ kexdh_server(Kex *kex)
         DH *dh;
         Key *server_host_key;
         u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-        u_int sbloblen, klen, kout, hashlen;
-        u_int slen;
+        u_int sbloblen, klen, hashlen, slen;
+        int kout;
 
         /* generate server DH public key */
         switch (kex->kex_type) {
@@ -90,13 +101,15 @@ kexdh_server(Kex *kex)
 
         klen = DH_size(dh);
         kbuf = xmalloc(klen);
-        kout = DH_compute_key(kbuf, dh_client_pub, dh);
+        if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
+                fatal("DH_compute_key: failed");
 #ifdef DEBUG_KEXDH
         dump_digest("shared secret", kbuf, kout);
 #endif
         if ((shared_secret = BN_new()) == NULL)
                 fatal("kexdh_server: BN_new failed");
-        BN_bin2bn(kbuf, kout, shared_secret);
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexdh_server: BN_bin2bn failed");
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
diff --git a/kexgex.c b/kexgex.c
index 705484a47..b60ab5c53 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -24,12 +25,15 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/evp.h>
+#include <signal.h>
 
 #include "buffer.h"
-#include "bufaux.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "ssh2.h"
 
diff --git a/kexgexc.c b/kexgexc.c
index a6ff8757d..adb973d5b 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexgexc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -24,10 +25,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
 
 #include "xmalloc.h"
+#include "buffer.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
@@ -42,7 +51,8 @@ kexgex_client(Kex *kex)
         BIGNUM *p = NULL, *g = NULL;
         Key *server_host_key;
         u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-        u_int klen, kout, slen, sbloblen, hashlen;
+        u_int klen, slen, sbloblen, hashlen;
+        int kout;
         int min, max, nbits;
         DH *dh;
 
@@ -120,7 +130,7 @@ kexgex_client(Kex *kex)
         if (kex->verify_host_key(server_host_key) == -1)
                 fatal("server_host_key verification failed");
 
-        /* DH paramter f, server public DH key */
+        /* DH parameter f, server public DH key */
         if ((dh_server_pub = BN_new()) == NULL)
                 fatal("dh_server_pub == NULL");
         packet_get_bignum2(dh_server_pub);
@@ -141,13 +151,15 @@ kexgex_client(Kex *kex)
 
         klen = DH_size(dh);
         kbuf = xmalloc(klen);
-        kout = DH_compute_key(kbuf, dh_server_pub, dh);
+        if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
+                fatal("DH_compute_key: failed");
 #ifdef DEBUG_KEXDH
         dump_digest("shared secret", kbuf, kout);
 #endif
         if ((shared_secret = BN_new()) == NULL)
                 fatal("kexgex_client: BN_new failed");
-        BN_bin2bn(kbuf, kout, shared_secret);
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexgex_client: BN_bin2bn failed");
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
diff --git a/kexgexs.c b/kexgexs.c
index c48b27af9..a037f57f2 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: kexgexs.c,v 1.10 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -24,16 +25,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
+
+#include <sys/param.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
 
 #include "xmalloc.h"
+#include "buffer.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
 #include "dh.h"
 #include "ssh2.h"
 #include "compat.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 void
@@ -43,8 +55,8 @@ kexgex_server(Kex *kex)
         Key *server_host_key;
         DH *dh;
         u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-        u_int sbloblen, klen, kout, slen, hashlen;
-        int min = -1, max = -1, nbits = -1, type;
+        u_int sbloblen, klen, slen, hashlen;
+        int min = -1, max = -1, nbits = -1, type, kout;
 
         if (kex->load_host_key == NULL)
                 fatal("Cannot load hostkey");
@@ -122,13 +134,15 @@ kexgex_server(Kex *kex)
 
         klen = DH_size(dh);
         kbuf = xmalloc(klen);
-        kout = DH_compute_key(kbuf, dh_client_pub, dh);
+        if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
+                fatal("DH_compute_key: failed");
 #ifdef DEBUG_KEXDH
         dump_digest("shared secret", kbuf, kout);
 #endif
         if ((shared_secret = BN_new()) == NULL)
                 fatal("kexgex_server: BN_new failed");
-        BN_bin2bn(kbuf, kout, shared_secret);
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexgex_server: BN_bin2bn failed");
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
diff --git a/kexgssc.c b/kexgssc.c
index 9830ad384..7c4a56f45 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,24 +26,29 @@
 
 #ifdef GSSAPI
 
+#include "includes.h"
+
 #include <openssl/crypto.h>
 #include <openssl/bn.h>
 
+#include <string.h>
+
 #include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
 #include "dh.h"
-#include "canohost.h"
-#include "ssh2.h"
+
 #include "ssh-gss.h"
 
 void
 kexgss_client(Kex *kex) {
         gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-        gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
+        gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
         Gssctxt *ctxt;
         OM_uint32 maj_status, min_status, ret_flags;
         u_int klen, kout, slen = 0, hashlen, strlen;
@@ -58,22 +63,27 @@ kexgss_client(Kex *kex) {
         char *lang;
         int type = 0;
         int first = 1;
-        int gex = 0;
-        int nbits, min, max;
+        int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
 
         /* Initialise our GSSAPI world */       
         ssh_gssapi_build_ctx(&ctxt);
-        if (ssh_gssapi_id_kex(ctxt, kex->name, &gex) == NULL)
+        if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) 
+            == GSS_C_NO_OID)
                 fatal("Couldn't identify host exchange");
 
         if (ssh_gssapi_import_name(ctxt, kex->gss_host))
                 fatal("Couldn't import hostname");
         
-        if (gex) {
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                dh = dh_new_group1();
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                dh = dh_new_group14();
+                break;
+        case KEX_GSS_GEX_SHA1:
                 debug("Doing group exchange\n");
                 nbits = dh_estimate(kex->we_need * 8);
-                min = DH_GRP_MIN;
-                max = DH_GRP_MAX;
                 packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
                 packet_put_int(min);
                 packet_put_int(nbits);
@@ -96,8 +106,9 @@ kexgss_client(Kex *kex) {
                             min, BN_num_bits(p), max);
 
                 dh = dh_new_group(g, p);
-        } else {
-                dh = dh_new_group1();
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
         }
         
         /* Step 1 - e is dh->pub_key */
@@ -205,7 +216,7 @@ kexgss_client(Kex *kex) {
                                 min_status = packet_get_int();
                                 msg = packet_get_string(NULL);
                                 lang = packet_get_string(NULL);
-                                fatal("GSSAPI Error: \n%s",msg);
+                                fatal("GSSAPI Error: \n%.400s",msg);
                         default:
                                 packet_disconnect("Protocol error: didn't expect packet type %d",
                                 type);
@@ -240,7 +251,21 @@ kexgss_client(Kex *kex) {
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
-        if (gex) {
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+        case KEX_GSS_GRP14_SHA1:
+                kex_dh_hash( kex->client_version_string, 
+                    kex->server_version_string,
+                    buffer_ptr(&kex->my), buffer_len(&kex->my),
+                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+                    serverhostkey, slen, /* server host key */
+                    dh->pub_key,        /* e */
+                    dh_server_pub,      /* f */
+                    shared_secret,      /* K */
+                    &hash, &hashlen
+                );
+                break;
+        case KEX_GSS_GEX_SHA1:
                 kexgex_hash(
                     kex->evp_md,
                     kex->client_version_string,
@@ -255,24 +280,15 @@ kexgss_client(Kex *kex) {
                     shared_secret,
                     &hash, &hashlen
                 );
-        } else {
-                /* The GSS hash is identical to the DH one */
-                kex_dh_hash( kex->client_version_string, 
-                    kex->server_version_string,
-                    buffer_ptr(&kex->my), buffer_len(&kex->my),
-                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-                    serverhostkey, slen, /* server host key */
-                    dh->pub_key,        /* e */
-                    dh_server_pub,      /* f */
-                    shared_secret,      /* K */
-                    &hash, &hashlen
-                );
-        }
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+        }
 
         gssbuf.value = hash;
         gssbuf.length = hashlen;
 
-        /* Verify that the hash matches the MIC we just got. */
+        /* Verify that the hash matches the MIC we just got. */
         if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
                 packet_disconnect("Hash's MIC didn't verify");
 
diff --git a/kexgsss.c b/kexgsss.c
index 6447dc97b..3ca23bbb2 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,17 +26,20 @@
 
 #ifdef GSSAPI
 
+#include <string.h>
+
 #include <openssl/crypto.h>
 #include <openssl/bn.h>
 
 #include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "log.h"
 #include "packet.h"
 #include "dh.h"
-#include "ssh2.h"
 #include "ssh-gss.h"
 #include "monitor_wrap.h"
 
@@ -63,29 +66,35 @@ kexgss_server(Kex *kex)
         BIGNUM *shared_secret = NULL;
         BIGNUM *dh_client_pub = NULL;
         int type = 0;
-        int gex;
         gss_OID oid;
-        
+
         /* Initialise GSSAPI */
 
         /* If we're rekeying, privsep means that some of the private structures
          * in the GSSAPI code are no longer available. This kludges them back
-         * into life
+         * into life
          */
         if (!ssh_gssapi_oid_table_ok()) 
                 ssh_gssapi_server_mechanisms();
 
         debug2("%s: Identifying %s", __func__, kex->name);
-        oid = ssh_gssapi_id_kex(NULL, kex->name, &gex);
-        if (oid == NULL)
+        oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+        if (oid == GSS_C_NO_OID)
            fatal("Unknown gssapi mechanism");
 
         debug2("%s: Acquiring credentials", __func__);
 
         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
-                fatal("Unable to acquire credentials for the server");
-
-        if (gex) {
+                fatal("Unable to acquire credentials for the server");
+
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                dh = dh_new_group1();
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                dh = dh_new_group14();
+                break;
+        case KEX_GSS_GEX_SHA1:
                 debug("Doing group exchange");
                 packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
                 min = packet_get_int();
@@ -107,10 +116,11 @@ kexgss_server(Kex *kex)
                 packet_send();
 
                 packet_write_wait();
-                
-        } else {
-                dh = dh_new_group1();
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
         }
+
         dh_gen_key(dh, kex->we_need * 8);
 
         do {
@@ -187,7 +197,19 @@ kexgss_server(Kex *kex)
         memset(kbuf, 0, klen);
         xfree(kbuf);
 
-        if (gex) {
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+        case KEX_GSS_GRP14_SHA1:
+                kex_dh_hash(
+                    kex->client_version_string, kex->server_version_string,
+                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+                    buffer_ptr(&kex->my), buffer_len(&kex->my),
+                    NULL, 0, /* Change this if we start sending host keys */
+                    dh_client_pub, dh->pub_key, shared_secret,
+                    &hash, &hashlen
+                );
+                break;
+        case KEX_GSS_GEX_SHA1:
                 kexgex_hash(
                     kex->evp_md,
                     kex->client_version_string, kex->server_version_string,
@@ -201,18 +223,11 @@ kexgss_server(Kex *kex)
                     shared_secret,
                     &hash, &hashlen
                 );
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
         }
-        else {  
-                /* The GSSAPI hash is identical to the Diffie Helman one */
-                kex_dh_hash(
-                    kex->client_version_string, kex->server_version_string,
-                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-                    buffer_ptr(&kex->my), buffer_len(&kex->my),
-                    NULL, 0, /* Change this if we start sending host keys */
-                    dh_client_pub, dh->pub_key, shared_secret,
-                    &hash, &hashlen
-                );
-        }
+
         BN_free(dh_client_pub);
 
         if (kex->session_id == NULL) {
@@ -229,11 +244,11 @@ kexgss_server(Kex *kex)
 
         packet_start(SSH2_MSG_KEXGSS_COMPLETE);
         packet_put_bignum2(dh->pub_key);
-        packet_put_string((char *)msg_tok.value,msg_tok.length);
+        packet_put_string(msg_tok.value,msg_tok.length);
 
         if (send_tok.length != 0) {
                 packet_put_char(1); /* true */
-                packet_put_string((char *)send_tok.value, send_tok.length);
+                packet_put_string(send_tok.value, send_tok.length);
         } else {
                 packet_put_char(0); /* false */
         }
diff --git a/key.c b/key.c
index 239a35919..5563608ec 100644
--- a/key.c
+++ b/key.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -31,17 +32,22 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/evp.h>
 
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
 #include "xmalloc.h"
 #include "key.h"
 #include "rsa.h"
 #include "uuencode.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "log.h"
 
 Key *
@@ -50,9 +56,8 @@ key_new(int type)
         Key *k;
         RSA *rsa;
         DSA *dsa;
-        k = xmalloc(sizeof(*k));
+        k = xcalloc(1, sizeof(*k));
         k->type = type;
-        k->flags = 0;
         k->dsa = NULL;
         k->rsa = NULL;
         switch (k->type) {
@@ -123,6 +128,8 @@ key_new_private(int type)
 void
 key_free(Key *k)
 {
+        if (k == NULL)
+                fatal("key_free: key is NULL");
         switch (k->type) {
         case KEY_RSA1:
         case KEY_RSA:
@@ -155,14 +162,12 @@ key_equal(const Key *a, const Key *b)
                 return a->rsa != NULL && b->rsa != NULL &&
                     BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
                     BN_cmp(a->rsa->n, b->rsa->n) == 0;
-                break;
         case KEY_DSA:
                 return a->dsa != NULL && b->dsa != NULL &&
                     BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
                     BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
                     BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
                     BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
-                break;
         default:
                 fatal("key_equal: bad key type %d", a->type);
                 break;
@@ -209,7 +214,6 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
                 break;
         case KEY_UNSPEC:
                 return retval;
-                break;
         default:
                 fatal("key_fingerprint_raw: bad key type %d", k->type);
                 break;
@@ -233,8 +237,7 @@ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
         char *retval;
         u_int i;
 
-        retval = xmalloc(dgst_raw_len * 3 + 1);
-        retval[0] = '\0';
+        retval = xcalloc(1, dgst_raw_len * 3 + 1);
         for (i = 0; i < dgst_raw_len; i++) {
                 char hex[4];
                 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
@@ -256,7 +259,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
         char *retval;
 
         rounds = (dgst_raw_len / 2) + 1;
-        retval = xmalloc(sizeof(char) * (rounds*6));
+        retval = xcalloc((rounds * 6), sizeof(char));
         retval[j++] = 'x';
         for (i = 0; i < rounds; i++) {
                 u_int idx0, idx1, idx2, idx3, idx4;
@@ -530,13 +533,10 @@ key_type(const Key *k)
         switch (k->type) {
         case KEY_RSA1:
                 return "RSA1";
-                break;
         case KEY_RSA:
                 return "RSA";
-                break;
         case KEY_DSA:
                 return "DSA";
-                break;
         }
         return "unknown";
 }
@@ -547,10 +547,8 @@ key_ssh_name(const Key *k)
         switch (k->type) {
         case KEY_RSA:
                 return "ssh-rsa";
-                break;
         case KEY_DSA:
                 return "ssh-dss";
-                break;
         }
         return "ssh-unknown";
 }
@@ -562,10 +560,8 @@ key_size(const Key *k)
         case KEY_RSA1:
         case KEY_RSA:
                 return BN_num_bits(k->rsa->n);
-                break;
         case KEY_DSA:
                 return BN_num_bits(k->dsa->p);
-                break;
         }
         return 0;
 }
@@ -574,6 +570,7 @@ static RSA *
 rsa_generate_private_key(u_int bits)
 {
         RSA *private;
+
         private = RSA_generate_key(bits, 35, NULL, NULL);
         if (private == NULL)
                 fatal("rsa_generate_private_key: key generation failed.");
@@ -584,6 +581,7 @@ static DSA*
 dsa_generate_private_key(u_int bits)
 {
         DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
+
         if (private == NULL)
                 fatal("dsa_generate_private_key: DSA_generate_parameters failed");
         if (!DSA_generate_key(private))
@@ -619,16 +617,18 @@ key_from_private(const Key *k)
         switch (k->type) {
         case KEY_DSA:
                 n = key_new(k->type);
-                BN_copy(n->dsa->p, k->dsa->p);
-                BN_copy(n->dsa->q, k->dsa->q);
-                BN_copy(n->dsa->g, k->dsa->g);
-                BN_copy(n->dsa->pub_key, k->dsa->pub_key);
+                if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+                    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+                    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+                    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
+                        fatal("key_from_private: BN_copy failed");
                 break;
         case KEY_RSA:
         case KEY_RSA1:
                 n = key_new(k->type);
-                BN_copy(n->rsa->n, k->rsa->n);
-                BN_copy(n->rsa->e, k->rsa->e);
+                if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+                    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+                        fatal("key_from_private: BN_copy failed");
                 break;
         default:
                 fatal("key_from_private: unknown type %d", k->type);
@@ -795,14 +795,11 @@ key_sign(
         switch (key->type) {
         case KEY_DSA:
                 return ssh_dss_sign(key, sigp, lenp, data, datalen);
-                break;
         case KEY_RSA:
                 return ssh_rsa_sign(key, sigp, lenp, data, datalen);
-                break;
         default:
                 error("key_sign: invalid key type %d", key->type);
                 return -1;
-                break;
         }
 }
 
@@ -822,14 +819,11 @@ key_verify(
         switch (key->type) {
         case KEY_DSA:
                 return ssh_dss_verify(key, signature, signaturelen, data, datalen);
-                break;
         case KEY_RSA:
                 return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
-                break;
         default:
                 error("key_verify: invalid key type %d", key->type);
                 return -1;
-                break;
         }
 }
 
@@ -839,7 +833,7 @@ key_demote(const Key *k)
 {
         Key *pk;
 
-        pk = xmalloc(sizeof(*pk));
+        pk = xcalloc(1, sizeof(*pk));
         pk->type = k->type;
         pk->flags = k->flags;
         pk->dsa = NULL;
diff --git a/key.h b/key.h
index 6358e955f..40576f3d7 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: key.h,v 1.23 2003/11/10 16:23:41 jakob Exp $  */
+/* $OpenBSD: key.h,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
diff --git a/log.c b/log.c
index 07f866230..f7256d8e5 100644
--- a/log.c
+++ b/log.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,16 +35,22 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: log.c,v 1.29 2003/09/23 20:17:11 markus Exp $");
 
-#include "log.h"
-#include "xmalloc.h"
+#include <sys/types.h>
 
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <syslog.h>
+#include <unistd.h>
 #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
 # include <vis.h>
 #endif
 
+#include "xmalloc.h"
+#include "log.h"
+
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
 static int log_facility = LOG_AUTH;
@@ -134,11 +141,13 @@ error(const char *fmt,...)
 void
 sigdie(const char *fmt,...)
 {
+#ifdef DO_LOG_SAFE_IN_SIGHAND
         va_list args;
 
         va_start(args, fmt);
         do_log(SYSLOG_LEVEL_FATAL, fmt, args);
         va_end(args);
+#endif
         _exit(1);
 }
 
diff --git a/log.h b/log.h
index 76012180c..57e2ee5b4 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: log.h,v 1.11 2004/06/21 22:02:58 djm Exp $    */
+/* $OpenBSD: log.h,v 1.15 2006/08/18 09:13:25 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,8 +15,6 @@
 #ifndef SSH_LOG_H
 #define SSH_LOG_H
 
-#include <syslog.h> /* Needed for LOG_AUTHPRIV (if present) */
-
 /* Supported syslog facilities and levels. */
 typedef enum {
         SYSLOG_FACILITY_DAEMON,
diff --git a/loginrec.c b/loginrec.c
index d096346ec..e59127747 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -147,8 +147,26 @@
 
 #include "includes.h"
 
-#include "ssh.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "ssh.h"
 #include "loginrec.h"
 #include "log.h"
 #include "atomicio.h"
@@ -165,8 +183,6 @@
 # include <libutil.h>
 #endif
 
-RCSID("$Id: loginrec.c,v 1.71 2005/11/22 08:55:13 dtucker Exp $");
-
 /**
  ** prototypes for helper functions in this file
  **/
diff --git a/loginrec.h b/loginrec.h
index 8e3390178..859e1a630 100644
--- a/loginrec.h
+++ b/loginrec.h
@@ -31,12 +31,6 @@
 
 #include "includes.h"
 
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-
-/* RCSID("$Id: loginrec.h,v 1.10 2005/06/19 00:19:44 djm Exp $"); */
-
 /**
  ** you should use the login_* calls to work around platform dependencies
  **/
diff --git a/logintest.c b/logintest.c
index 95cce5a3a..7e9fbbfbb 100644
--- a/logintest.c
+++ b/logintest.c
@@ -31,6 +31,10 @@
 
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -43,8 +47,6 @@
 
 #include "loginrec.h"
 
-RCSID("$Id: logintest.c,v 1.11 2004/07/17 04:07:42 dtucker Exp $");
-
 extern char *__progname;
 
 #define PAUSE_BEFORE_LOGOUT 3
diff --git a/mac.c b/mac.c
index 2bda5a1b9..e5d5bfa88 100644
--- a/mac.c
+++ b/mac.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,16 +24,23 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: mac.c,v 1.7 2005/06/17 02:44:32 djm Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/hmac.h>
 
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
+
 #include "xmalloc.h"
-#include "getput.h"
 #include "log.h"
 #include "cipher.h"
+#include "buffer.h"
+#include "key.h"
 #include "kex.h"
 #include "mac.h"
+#include "misc.h"
 
 struct {
         char            *name;
@@ -83,7 +91,7 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
         if (mac->mac_len > sizeof(m))
                 fatal("mac_compute: mac too long");
         HMAC_Init(&c, mac->key, mac->key_len, mac->md);
-        PUT_32BIT(b, seqno);
+        put_u32(b, seqno);
         HMAC_Update(&c, b, sizeof(b));
         HMAC_Update(&c, data, datalen);
         HMAC_Final(&c, m, NULL);
diff --git a/mac.h b/mac.h
index 43b485dd9..960cc5c50 100644
--- a/mac.h
+++ b/mac.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mac.h,v 1.3 2001/06/26 17:27:24 markus Exp $   */
+/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
diff --git a/match.c b/match.c
index 29fb7dab9..e3c993073 100644
--- a/match.c
+++ b/match.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,10 +36,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.20 2005/06/17 02:44:32 djm Exp $");
 
-#include "match.h"
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "match.h"
 
 /*
  * Returns true if the given string matches the pattern (which may contain ?
@@ -136,7 +141,7 @@ match_pattern_list(const char *string, const char *pattern, u_int len,
                     i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
                     subi++, i++)
                         sub[subi] = dolower && isupper(pattern[i]) ?
-                            tolower(pattern[i]) : pattern[i];
+                            (char)tolower(pattern[i]) : pattern[i];
                 /* If subpattern too long, return failure (no match). */
                 if (subi >= sizeof(sub) - 1)
                         return 0;
diff --git a/match.h b/match.h
index a0764e001..d1d538654 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: match.h,v 1.12 2002/03/01 13:12:10 markus Exp $       */
+/* $OpenBSD: match.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/md-sha256.c b/md-sha256.c
new file mode 100644
index 000000000..8c1b3b92d
--- /dev/null
+++ b/md-sha256.c
@@ -0,0 +1,86 @@
+/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
+/*
+ * Copyright (c) 2005 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* EVP wrapper for SHA256 */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+
+#include <string.h>
+#include <openssl/evp.h>
+#ifdef HAVE_SHA256_UPDATE
+# ifdef HAVE_SHA2_H
+#  include <sha2.h>
+# elif defined(HAVE_CRYPTO_SHA2_H)
+#  include <crypto/sha2.h>
+# endif
+#endif
+
+const EVP_MD *evp_ssh_sha256(void);
+
+static int
+ssh_sha256_init(EVP_MD_CTX *ctxt)
+{
+        SHA256_Init(ctxt->md_data);
+        return (1);
+}
+
+static int
+ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
+{
+        SHA256_Update(ctxt->md_data, data, len);
+        return (1);
+}
+
+static int
+ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
+{
+        SHA256_Final(digest, ctxt->md_data);
+        return (1);
+}
+
+static int
+ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
+{
+        memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
+        return (1);
+}
+
+const EVP_MD *
+evp_ssh_sha256(void)
+{
+        static EVP_MD ssh_sha256;
+
+        memset(&ssh_sha256, 0, sizeof(ssh_sha256));
+        ssh_sha256.type = NID_undef;
+        ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
+        ssh_sha256.init = ssh_sha256_init;
+        ssh_sha256.update = ssh_sha256_update;
+        ssh_sha256.final = ssh_sha256_final;
+        ssh_sha256.cleanup = ssh_sha256_cleanup;
+        ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
+        ssh_sha256.ctx_size = sizeof(SHA256_CTX);
+
+        return (&ssh_sha256);
+}
+
+#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
+
diff --git a/md5crypt.c b/md5crypt.c
index 8f2523e62..22ef98933 100644
--- a/md5crypt.c
+++ b/md5crypt.c
@@ -11,9 +11,11 @@
 #include "includes.h"
 
 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-#include <openssl/md5.h>
+#include <sys/types.h>
+
+#include <string.h>
 
-RCSID("$Id: md5crypt.c,v 1.9 2003/11/21 12:56:47 djm Exp $");
+#include <openssl/md5.h>
 
 /* 0 ... 63 => ascii - 64 */
 static unsigned char itoa64[] =
diff --git a/misc.c b/misc.c
index 29e928886..625a34368 100644
--- a/misc.c
+++ b/misc.c
@@ -1,6 +1,7 @@
+/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- * Copyright (c) 2005 Damien Miller.  All rights reserved.
+ * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -24,15 +25,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/param.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#include <pwd.h>
+#endif
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
 
+#include "xmalloc.h"
 #include "misc.h"
 #include "log.h"
-#include "xmalloc.h"
+#include "ssh.h"
 
 /* remove newline at end of string */
 char *
@@ -123,6 +144,7 @@ set_nodelay(int fd)
 
 /* Characters considered whitespace in strsep calls. */
 #define WHITESPACE " \t\r\n"
+#define QUOTE   "\""
 
 /* return next token in configuration line */
 char *
@@ -136,15 +158,27 @@ strdelim(char **s)
 
         old = *s;
 
-        *s = strpbrk(*s, WHITESPACE "=");
+        *s = strpbrk(*s, WHITESPACE QUOTE "=");
         if (*s == NULL)
                 return (old);
 
+        if (*s[0] == '\"') {
+                memmove(*s, *s + 1, strlen(*s)); /* move nul too */
+                /* Find matching quote */
+                if ((*s = strpbrk(*s, QUOTE)) == NULL) {
+                        return (NULL);          /* no matching quote */
+                } else {
+                        *s[0] = '\0';
+                        return (old);
+                }
+        }
+
         /* Allow only one '=' to be skipped */
         if (*s[0] == '=')
                 wspace = 1;
         *s[0] = '\0';
 
+        /* Skip any extra whitespace after first token */
         *s += strspn(*s + 1, WHITESPACE) + 1;
         if (*s[0] == '=' && !wspace)
                 *s += strspn(*s + 1, WHITESPACE) + 1;
@@ -155,9 +189,8 @@ strdelim(char **s)
 struct passwd *
 pwcopy(struct passwd *pw)
 {
-        struct passwd *copy = xmalloc(sizeof(*copy));
+        struct passwd *copy = xcalloc(1, sizeof(*copy));
 
-        memset(copy, 0, sizeof(*copy));
         copy->pw_name = xstrdup(pw->pw_name);
         copy->pw_passwd = xstrdup(pw->pw_passwd);
         copy->pw_gecos = xstrdup(pw->pw_gecos);
@@ -280,6 +313,7 @@ convtime(const char *s)
                 switch (*endp++) {
                 case '\0':
                         endp--;
+                        break;
                 case 's':
                 case 'S':
                         break;
@@ -312,6 +346,23 @@ convtime(const char *s)
 }
 
 /*
+ * Returns a standardized host+port identifier string.
+ * Caller must free returned string.
+ */
+char *
+put_host_port(const char *host, u_short port)
+{
+        char *hoststr;
+
+        if (port == 0 || port == SSH_DEFAULT_PORT)
+                return(xstrdup(host));
+        if (asprintf(&hoststr, "[%s]:%d", host, (int)port) < 0)
+                fatal("put_host_port: asprintf: %s", strerror(errno));
+        debug3("put_host_port: %s", hoststr);
+        return hoststr;
+}
+
+/*
  * Search for next delimiter between hostnames/addresses and ports.
  * Argument may be modified (for termination).
  * Returns *cp if parsing succeeds.
@@ -408,7 +459,7 @@ addargs(arglist *args, char *fmt, ...)
         } else if (args->num+2 >= nalloc)
                 nalloc *= 2;
 
-        args->list = xrealloc(args->list, nalloc * sizeof(char *));
+        args->list = xrealloc(args->list, nalloc, sizeof(char *));
         args->nalloc = nalloc;
         args->list[args->num++] = cp;
         args->list[args->num] = NULL;
@@ -565,6 +616,8 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
    u_long *lineno)
 {
         while (fgets(buf, bufsz, f) != NULL) {
+                if (buf[0] == '\0')
+                        continue;
                 (*lineno)++;
                 if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
                         return 0;
@@ -673,18 +726,100 @@ sanitise_stdfd(void)
 }
 
 char *
-tohex(const u_char *d, u_int l)
+tohex(const void *vp, size_t l)
 {
+        const u_char *p = (const u_char *)vp;
         char b[3], *r;
-        u_int i, hl;
+        size_t i, hl;
+
+        if (l > 65536)
+                return xstrdup("tohex: length > 65536");
 
         hl = l * 2 + 1;
-        r = xmalloc(hl);
-        *r = '\0';
+        r = xcalloc(1, hl);
         for (i = 0; i < l; i++) {
-                snprintf(b, sizeof(b), "%02x", d[i]);
+                snprintf(b, sizeof(b), "%02x", p[i]);
                 strlcat(r, b, hl);
         }
         return (r);
 }
 
+u_int64_t
+get_u64(const void *vp)
+{
+        const u_char *p = (const u_char *)vp;
+        u_int64_t v;
+
+        v  = (u_int64_t)p[0] << 56;
+        v |= (u_int64_t)p[1] << 48;
+        v |= (u_int64_t)p[2] << 40;
+        v |= (u_int64_t)p[3] << 32;
+        v |= (u_int64_t)p[4] << 24;
+        v |= (u_int64_t)p[5] << 16;
+        v |= (u_int64_t)p[6] << 8;
+        v |= (u_int64_t)p[7];
+
+        return (v);
+}
+
+u_int32_t
+get_u32(const void *vp)
+{
+        const u_char *p = (const u_char *)vp;
+        u_int32_t v;
+
+        v  = (u_int32_t)p[0] << 24;
+        v |= (u_int32_t)p[1] << 16;
+        v |= (u_int32_t)p[2] << 8;
+        v |= (u_int32_t)p[3];
+
+        return (v);
+}
+
+u_int16_t
+get_u16(const void *vp)
+{
+        const u_char *p = (const u_char *)vp;
+        u_int16_t v;
+
+        v  = (u_int16_t)p[0] << 8;
+        v |= (u_int16_t)p[1];
+
+        return (v);
+}
+
+void
+put_u64(void *vp, u_int64_t v)
+{
+        u_char *p = (u_char *)vp;
+
+        p[0] = (u_char)(v >> 56) & 0xff;
+        p[1] = (u_char)(v >> 48) & 0xff;
+        p[2] = (u_char)(v >> 40) & 0xff;
+        p[3] = (u_char)(v >> 32) & 0xff;
+        p[4] = (u_char)(v >> 24) & 0xff;
+        p[5] = (u_char)(v >> 16) & 0xff;
+        p[6] = (u_char)(v >> 8) & 0xff;
+        p[7] = (u_char)v & 0xff;
+}
+
+void
+put_u32(void *vp, u_int32_t v)
+{
+        u_char *p = (u_char *)vp;
+
+        p[0] = (u_char)(v >> 24) & 0xff;
+        p[1] = (u_char)(v >> 16) & 0xff;
+        p[2] = (u_char)(v >> 8) & 0xff;
+        p[3] = (u_char)v & 0xff;
+}
+
+
+void
+put_u16(void *vp, u_int16_t v)
+{
+        u_char *p = (u_char *)vp;
+
+        p[0] = (u_char)(v >> 8) & 0xff;
+        p[1] = (u_char)v & 0xff;
+}
diff --git a/misc.h b/misc.h
index 0a1a09a68..f175b4426 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $   */
+/* $OpenBSD: misc.h,v 1.36 2006/08/18 10:27:16 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -12,6 +12,9 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
+#ifndef _MISC_H
+#define _MISC_H
+
 /* misc.c */
 
 char    *chop(char *);
@@ -21,13 +24,14 @@ int	 unset_nonblock(int);
 void     set_nodelay(int);
 int      a2port(const char *);
 int      a2tun(const char *, int *);
+char    *put_host_port(const char *, u_short);
 char    *hpdelim(char **);
 char    *cleanhostname(char *);
 char    *colon(char *);
 long     convtime(const char *);
 char    *tilde_expand_filename(const char *, uid_t);
 char    *percent_expand(const char *, ...) __attribute__((__sentinel__));
-char    *tohex(const u_char *, u_int);
+char    *tohex(const void *, size_t);
 void     sanitise_stdfd(void);
 
 struct passwd *pwcopy(struct passwd *);
@@ -44,17 +48,6 @@ void	 replacearg(arglist *, u_int, char *, ...)
              __attribute__((format(printf, 3, 4)));
 void     freeargs(arglist *);
 
-/* readpass.c */
-
-#define RP_ECHO                 0x0001
-#define RP_ALLOW_STDIN          0x0002
-#define RP_ALLOW_EOF            0x0004
-#define RP_USE_ASKPASS          0x0008
-
-char    *read_passphrase(const char *, int);
-int      ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
-int      read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
-
 int      tun_open(int, int);
 
 /* Common definitions for ssh tunnel device forwarding */
@@ -67,3 +60,31 @@ int	 tun_open(int, int);
 #define SSH_TUNID_ANY           0x7fffffff
 #define SSH_TUNID_ERR           (SSH_TUNID_ANY - 1)
 #define SSH_TUNID_MAX           (SSH_TUNID_ANY - 2)
+
+/* Functions to extract or store big-endian words of various sizes */
+u_int64_t       get_u64(const void *)
+    __attribute__((__bounded__( __minbytes__, 1, 8)));
+u_int32_t       get_u32(const void *)
+    __attribute__((__bounded__( __minbytes__, 1, 4)));
+u_int16_t       get_u16(const void *)
+    __attribute__((__bounded__( __minbytes__, 1, 2)));
+void            put_u64(void *, u_int64_t)
+    __attribute__((__bounded__( __minbytes__, 1, 8)));
+void            put_u32(void *, u_int32_t)
+    __attribute__((__bounded__( __minbytes__, 1, 4)));
+void            put_u16(void *, u_int16_t)
+    __attribute__((__bounded__( __minbytes__, 1, 2)));
+
+
+/* readpass.c */
+
+#define RP_ECHO                 0x0001
+#define RP_ALLOW_STDIN          0x0002
+#define RP_ALLOW_EOF            0x0004
+#define RP_USE_ASKPASS          0x0008
+
+char    *read_passphrase(const char *, int);
+int      ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
+int      read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+
+#endif /* _MISC_H */
diff --git a/moduli.c b/moduli.c
index d53806ea6..8fa545daf 100644
--- a/moduli.c
+++ b/moduli.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */
 /*
  * Copyright 1994 Phil Karn <karn@qualcomm.com>
  * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -38,11 +38,20 @@
  */
 
 #include "includes.h"
-#include "xmalloc.h"
-#include "log.h"
+
+#include <sys/types.h>
 
 #include <openssl/bn.h>
 
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <time.h>
+
+#include "xmalloc.h"
+#include "log.h"
+
 /*
  * File output defines
  */
@@ -301,21 +310,10 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
                 largewords = (largememory << SHIFT_MEGAWORD);
         }
 
-        TinySieve = calloc(tinywords, sizeof(u_int32_t));
-        if (TinySieve == NULL) {
-                error("Insufficient memory for tiny sieve: need %u bytes",
-                    tinywords << SHIFT_BYTE);
-                exit(1);
-        }
+        TinySieve = xcalloc(tinywords, sizeof(u_int32_t));
         tinybits = tinywords << SHIFT_WORD;
 
-        SmallSieve = calloc(smallwords, sizeof(u_int32_t));
-        if (SmallSieve == NULL) {
-                error("Insufficient memory for small sieve: need %u bytes",
-                    smallwords << SHIFT_BYTE);
-                xfree(TinySieve);
-                exit(1);
-        }
+        SmallSieve = xcalloc(smallwords, sizeof(u_int32_t));
         smallbits = smallwords << SHIFT_WORD;
 
         /*
@@ -329,20 +327,26 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
 
         /* validation check: count the number of primes tried */
         largetries = 0;
-        q = BN_new();
+        if ((q = BN_new()) == NULL)
+                fatal("BN_new failed");
 
         /*
          * Generate random starting point for subprime search, or use
          * specified parameter.
          */
-        largebase = BN_new();
-        if (start == NULL)
-                BN_rand(largebase, power, 1, 1);
-        else
-                BN_copy(largebase, start);
+        if ((largebase = BN_new()) == NULL)
+                fatal("BN_new failed");
+        if (start == NULL) {
+                if (BN_rand(largebase, power, 1, 1) == 0)
+                        fatal("BN_rand failed");
+        } else {
+                if (BN_copy(largebase, start) == NULL)
+                        fatal("BN_copy: failed");
+        }
 
         /* ensure odd */
-        BN_set_bit(largebase, 0);
+        if (BN_set_bit(largebase, 0) == 0)
+                fatal("BN_set_bit: failed");
 
         time(&time_start);
 
@@ -426,8 +430,10 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
                         continue; /* Definitely composite, skip */
 
                 debug2("test q = largebase+%u", 2 * j);
-                BN_set_word(q, 2 * j);
-                BN_add(q, q, largebase);
+                if (BN_set_word(q, 2 * j) == 0)
+                        fatal("BN_set_word failed");
+                if (BN_add(q, q, largebase) == 0)
+                        fatal("BN_add failed");
                 if (qfileout(out, QTYPE_SOPHIE_GERMAIN, QTEST_SIEVE,
                     largetries, (power - 1) /* MSB */, (0), q) == -1) {
                         ret = -1;
@@ -472,20 +478,21 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
 
         time(&time_start);
 
-        p = BN_new();
-        q = BN_new();
-        ctx = BN_CTX_new();
+        if ((p = BN_new()) == NULL)
+                fatal("BN_new failed");
+        if ((q = BN_new()) == NULL)
+                fatal("BN_new failed");
+        if ((ctx = BN_CTX_new()) == NULL)
+                fatal("BN_CTX_new failed");
 
         debug2("%.24s Final %u Miller-Rabin trials (%x generator)",
             ctime(&time_start), trials, generator_wanted);
 
         res = 0;
         lp = xmalloc(QLINESIZE + 1);
-        while (fgets(lp, QLINESIZE, in) != NULL) {
-                int ll = strlen(lp);
-
+        while (fgets(lp, QLINESIZE + 1, in) != NULL) {
                 count_in++;
-                if (ll < 14 || *lp == '!' || *lp == '#') {
+                if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
                         debug2("%10u: comment or short line", count_in);
                         continue;
                 }
@@ -522,10 +529,13 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
                 case QTYPE_SOPHIE_GERMAIN:
                         debug2("%10u: (%u) Sophie-Germain", count_in, in_type);
                         a = q;
-                        BN_hex2bn(&a, cp);
+                        if (BN_hex2bn(&a, cp) == 0)
+                                fatal("BN_hex2bn failed");
                         /* p = 2*q + 1 */
-                        BN_lshift(p, q, 1);
-                        BN_add_word(p, 1);
+                        if (BN_lshift(p, q, 1) == 0)
+                                fatal("BN_lshift failed");
+                        if (BN_add_word(p, 1) == 0)
+                                fatal("BN_add_word failed");
                         in_size += 1;
                         generator_known = 0;
                         break;
@@ -536,9 +546,11 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
                 case QTYPE_UNKNOWN:
                         debug2("%10u: (%u)", count_in, in_type);
                         a = p;
-                        BN_hex2bn(&a, cp);
+                        if (BN_hex2bn(&a, cp) == 0)
+                                fatal("BN_hex2bn failed");
                         /* q = (p-1) / 2 */
-                        BN_rshift(q, p, 1);
+                        if (BN_rshift(q, p, 1) == 0)
+                                fatal("BN_rshift failed");
                         break;
                 default:
                         debug2("Unknown prime type");
diff --git a/monitor.c b/monitor.c
index 867431ff1..5db4d52da 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -25,16 +26,38 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.64 2005/10/13 22:24:31 stevesk Exp $");
 
-#include <openssl/dh.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include "openbsd-compat/sys-tree.h"
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
 #ifdef SKEY
 #include <skey.h>
 #endif
 
+#include <openssl/dh.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
+#include "key.h"
+#include "buffer.h"
+#include "hostfile.h"
 #include "auth.h"
+#include "cipher.h"
 #include "kex.h"
 #include "dh.h"
 #ifdef TARGET_OS_MAC    /* XXX Broken krb5 headers on Mac */
@@ -55,17 +78,16 @@ RCSID("$OpenBSD: monitor.c,v 1.64 2005/10/13 22:24:31 stevesk Exp $");
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "xmalloc.h"
 #include "misc.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "compat.h"
 #include "ssh2.h"
 
 #ifdef GSSAPI
-#include "ssh-gss.h"
 static Gssctxt *gsscontext = NULL;
 #endif
 
@@ -173,6 +195,7 @@ struct mon_table {
 #define MON_ISAUTH      0x0004  /* Required for Authentication */
 #define MON_AUTHDECIDE  0x0008  /* Decides Authentication */
 #define MON_ONCE        0x0010  /* Disable after calling */
+#define MON_ALOG        0x0020  /* Log auth attempt without authenticating */
 
 #define MON_AUTH        (MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -199,7 +222,7 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
+    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
 #endif
 #ifdef SKEY
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
@@ -240,13 +263,13 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
+    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
 #endif
 #ifdef SKEY
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
@@ -272,7 +295,7 @@ struct mon_table mon_dispatch_postauth15[] = {
     {MONITOR_REQ_TERM, 0, mm_answer_term},
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
     {0, 0, NULL}
 };
@@ -339,6 +362,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
         /* The first few requests do not require asynchronous access */
         while (!authenticated) {
+                auth_method = "unknown";
                 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
                 if (authenticated) {
                         if (!(ent->flags & MON_AUTHDECIDE))
@@ -361,7 +385,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
                 }
 
-                if (ent->flags & MON_AUTHDECIDE) {
+                if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
                         auth_log(authctxt, authenticated, auth_method,
                             compat20 ? " ssh2" : "");
                         if (!authenticated)
@@ -371,6 +395,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
         if (!authctxt->valid)
                 fatal("%s: authenticated invalid user", __func__);
+        if (strcmp(auth_method, "unknown") == 0)
+                fatal("%s: authentication method name unknown", __func__);
 
         debug("%s: %s has been authenticated by privileged process",
             __func__, authctxt->user);
@@ -554,7 +580,11 @@ mm_answer_sign(int sock, Buffer *m)
         keyid = buffer_get_int(m);
         p = buffer_get_string(m, &datlen);
 
-        if (datlen != 20)
+        /*
+         * Supported KEX types will only return SHA1 (20 byte) or
+         * SHA256 (32 byte) hashes
+         */
+        if (datlen != 20 && datlen != 32)
                 fatal("%s: data length incorrect: %u", __func__, datlen);
 
         /* save session id, it will be passed on the first call */
@@ -629,6 +659,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 #endif
         buffer_put_cstring(m, pwent->pw_dir);
         buffer_put_cstring(m, pwent->pw_shell);
+        buffer_put_string(m, &options, sizeof(options));
+        if (options.banner != NULL)
+                buffer_put_cstring(m, options.banner);
 
  out:
         debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
@@ -648,9 +681,6 @@ mm_answer_pwnamallow(int sock, Buffer *m)
         if (options.use_pam)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
 #endif
-#ifdef SSH_AUDIT_EVENTS
-        monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
-#endif
 
         return (0);
 }
@@ -934,6 +964,7 @@ mm_answer_pam_query(int sock, Buffer *m)
                 xfree(prompts);
         if (echo_on != NULL)
                 xfree(echo_on);
+        auth_method = "keyboard-interactive/pam";
         mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
         return (0);
 }
@@ -949,7 +980,7 @@ mm_answer_pam_respond(int sock, Buffer *m)
         sshpam_authok = NULL;
         num = buffer_get_int(m);
         if (num > 0) {
-                resp = xmalloc(num * sizeof(char *));
+                resp = xcalloc(num, sizeof(char *));
                 for (i = 0; i < num; ++i)
                         resp[i] = buffer_get_string(m, NULL);
                 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
@@ -976,6 +1007,7 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
         (sshpam_device.free_ctx)(sshpam_ctxt);
         buffer_clear(m);
         mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        auth_method = "keyboard-interactive/pam";
         return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -1021,17 +1053,20 @@ mm_answer_keyallowed(int sock, Buffer *m)
                 case MM_USERKEY:
                         allowed = options.pubkey_authentication &&
                             user_key_allowed(authctxt->pw, key);
+                        auth_method = "publickey";
                         break;
                 case MM_HOSTKEY:
                         allowed = options.hostbased_authentication &&
                             hostbased_key_allowed(authctxt->pw,
                             cuser, chost, key);
+                        auth_method = "hostbased";
                         break;
                 case MM_RSAHOSTKEY:
                         key->type = KEY_RSA1; /* XXX */
                         allowed = options.rhosts_rsa_authentication &&
                             auth_rhosts_rsa_key_allowed(authctxt->pw,
                             cuser, chost, key);
+                        auth_method = "rsa";
                         break;
                 default:
                         fatal("%s: unknown key type %d", __func__, type);
@@ -1051,6 +1086,12 @@ mm_answer_keyallowed(int sock, Buffer *m)
                 key_blobtype = type;
                 hostbased_cuser = cuser;
                 hostbased_chost = chost;
+        } else {
+                /* Log failed attempt */
+                auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+                xfree(blob);
+                xfree(cuser);
+                xfree(chost);
         }
 
         debug3("%s: key %p is %s",
@@ -1252,7 +1293,7 @@ mm_record_login(Session *s, struct passwd *pw)
         fromlen = sizeof(from);
         if (packet_connection_is_on_socket()) {
                 if (getpeername(packet_get_connection_in(),
-                        (struct sockaddr *) & from, &fromlen) < 0) {
+                    (struct sockaddr *)&from, &fromlen) < 0) {
                         debug("getpeername: %.100s", strerror(errno));
                         cleanup_exit(255);
                 }
@@ -1268,7 +1309,7 @@ mm_session_close(Session *s)
 {
         debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
         if (s->ttyfd != -1) {
-                debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ptyfd);
+                debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
                 session_pty_cleanup2(s);
         }
         s->used = 0;
@@ -1328,7 +1369,7 @@ mm_answer_pty(int sock, Buffer *m)
         /* no need to dup() because nobody closes ptyfd */
         s->ptymaster = s->ptyfd;
 
-        debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ttyfd);
+        debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
 
         return (0);
 
@@ -1415,6 +1456,7 @@ mm_answer_rsa_keyallowed(int sock, Buffer *m)
 
         debug3("%s entering", __func__);
 
+        auth_method = "rsa";
         if (options.rsa_authentication && authctxt->valid) {
                 if ((client_n = BN_new()) == NULL)
                         fatal("%s: BN_new", __func__);
@@ -1651,8 +1693,7 @@ mm_get_kex(Buffer *m)
         void *blob;
         u_int bloblen;
 
-        kex = xmalloc(sizeof(*kex));
-        memset(kex, 0, sizeof(*kex));
+        kex = xcalloc(1, sizeof(*kex));
         kex->session_id = buffer_get_string(m, &kex->session_id_len);
         if ((session_id2 == NULL) ||
             (kex->session_id_len != session_id2_len) ||
@@ -1662,8 +1703,10 @@ mm_get_kex(Buffer *m)
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 #ifdef GSSAPI
         kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
         kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
 #endif
         kex->server = 1;
@@ -1825,9 +1868,8 @@ monitor_init(void)
         struct monitor *mon;
         int pair[2];
 
-        mon = xmalloc(sizeof(*mon));
+        mon = xcalloc(1, sizeof(*mon));
 
-        mon->m_pid = 0;
         monitor_socketpair(pair);
 
         mon->m_recvfd = pair[0];
diff --git a/monitor.h b/monitor.h
index 707df9216..835ff7290 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor.h,v 1.13 2003/11/17 11:06:07 markus Exp $     */
+/* $OpenBSD: monitor.h,v 1.14 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
diff --git a/monitor_fdpass.c b/monitor_fdpass.c
index f384c174c..52d133647 100644
--- a/monitor_fdpass.c
+++ b/monitor_fdpass.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor_fdpass.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -24,11 +25,19 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_fdpass.c,v 1.6 2004/08/13 02:51:48 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/socket.h>
 #include <sys/uio.h>
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
 #include <sys/utsname.h>
 
+#include <errno.h>
+#include <string.h>
+#include <stdarg.h>
+
 #include "log.h"
 #include "monitor_fdpass.h"
 
diff --git a/monitor_fdpass.h b/monitor_fdpass.h
index 31d080e21..12c67ec2d 100644
--- a/monitor_fdpass.h
+++ b/monitor_fdpass.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_fdpass.h,v 1.2 2002/03/26 03:24:01 stevesk Exp $      */
+/* $OpenBSD: monitor_fdpass.h,v 1.3 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
diff --git a/monitor_mm.c b/monitor_mm.c
index b0ec37cff..dab747532 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -24,14 +25,20 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_mm.c,v 1.9 2004/05/11 19:01:43 deraadt Exp $");
 
+#include <sys/types.h>
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
+#include <sys/param.h>
+#include "openbsd-compat/sys-tree.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
 
-#include "ssh.h"
 #include "xmalloc.h"
+#include "ssh.h"
 #include "log.h"
 #include "monitor_mm.h"
 
diff --git a/monitor_mm.h b/monitor_mm.h
index a1323b9a8..36a07a06d 100644
--- a/monitor_mm.h
+++ b/monitor_mm.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_mm.h,v 1.2 2002/03/26 03:24:01 stevesk Exp $  */
+/* $OpenBSD: monitor_mm.h,v 1.4 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -27,7 +27,6 @@
 
 #ifndef _MM_H_
 #define _MM_H_
-#include "openbsd-compat/sys-tree.h"
 
 struct mm_share {
         RB_ENTRY(mm_share) next;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 29cafc751..448324b81 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -25,18 +26,31 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
+
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+#include "xmalloc.h"
 #include "ssh.h"
 #include "dh.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
@@ -48,20 +62,18 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
 #include "zlib.h"
 #endif
 #include "monitor.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
-#include "xmalloc.h"
 #include "atomicio.h"
 #include "monitor_fdpass.h"
-#include "getput.h"
+#include "misc.h"
 #include "servconf.h"
 
-#include "auth.h"
 #include "channels.h"
 #include "session.h"
-
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
+#include "servconf.h"
 
 /* Imports */
 extern int compat20;
@@ -91,7 +103,7 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
 
         debug3("%s entering: type %d", __func__, type);
 
-        PUT_32BIT(buf, mlen + 1);
+        put_u32(buf, mlen + 1);
         buf[4] = (u_char) type;         /* 1st byte of payload is mesg-type */
         if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
                 fatal("%s: write: %s", __func__, strerror(errno));
@@ -112,7 +124,7 @@ mm_request_receive(int sock, Buffer *m)
                         cleanup_exit(255);
                 fatal("%s: read: %s", __func__, strerror(errno));
         }
-        msg_len = GET_32BIT(buf);
+        msg_len = get_u32(buf);
         if (msg_len > 256 * 1024)
                 fatal("%s: read: bad msg_len %d", __func__, msg_len);
         buffer_clear(m);
@@ -196,7 +208,8 @@ mm_getpwnamallow(const char *username)
 {
         Buffer m;
         struct passwd *pw;
-        u_int pwlen;
+        u_int len;
+        ServerOptions *newopts;
 
         debug3("%s entering", __func__);
 
@@ -212,8 +225,8 @@ mm_getpwnamallow(const char *username)
                 buffer_free(&m);
                 return (NULL);
         }
-        pw = buffer_get_string(&m, &pwlen);
-        if (pwlen != sizeof(struct passwd))
+        pw = buffer_get_string(&m, &len);
+        if (len != sizeof(struct passwd))
                 fatal("%s: struct passwd size mismatch", __func__);
         pw->pw_name = buffer_get_string(&m, NULL);
         pw->pw_passwd = buffer_get_string(&m, NULL);
@@ -223,6 +236,16 @@ mm_getpwnamallow(const char *username)
 #endif
         pw->pw_dir = buffer_get_string(&m, NULL);
         pw->pw_shell = buffer_get_string(&m, NULL);
+
+        /* copy options block as a Match directive may have changed some */
+        newopts = buffer_get_string(&m, &len);
+        if (len != sizeof(*newopts))
+                fatal("%s: option block size mismatch", __func__);
+        if (newopts->banner != NULL)
+                newopts->banner = buffer_get_string(&m, NULL);
+        copy_set_server_options(&options, newopts, 1);
+        xfree(newopts);
+
         buffer_free(&m);
 
         return (pw);
@@ -655,7 +678,7 @@ mm_send_keystate(struct monitor *monitor)
 }
 
 int
-mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
+mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 {
         Buffer m;
         char *p, *msg;
@@ -794,8 +817,11 @@ mm_sshpam_query(void *ctx, char **name, char **info,
         *name = buffer_get_string(&m, NULL);
         *info = buffer_get_string(&m, NULL);
         *num = buffer_get_int(&m);
-        *prompts = xmalloc((*num + 1) * sizeof(char *));
-        *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+        if (*num > PAM_MAX_NUM_MSG)
+                fatal("%s: recieved %u PAM messages, expected <= %u",
+                    __func__, *num, PAM_MAX_NUM_MSG);
+        *prompts = xcalloc((*num + 1), sizeof(char *));
+        *echo_on = xcalloc((*num + 1), sizeof(u_int));
         for (i = 0; i < *num; ++i) {
                 (*prompts)[i] = buffer_get_string(&m, NULL);
                 (*echo_on)[i] = buffer_get_int(&m);
@@ -878,8 +904,8 @@ mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
         *name = xstrdup("");
         *infotxt = xstrdup("");
         *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
+        *prompts = xcalloc(*numprompts, sizeof(char *));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
         (*echo_on)[0] = 0;
 }
 
@@ -946,9 +972,8 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
    u_int *numprompts, char ***prompts, u_int **echo_on)
 {
         Buffer m;
-        int len;
         u_int success;
-        char *p, *challenge;
+        char *challenge;
 
         debug3("%s: entering", __func__);
 
@@ -972,11 +997,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
 
         mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
 
-        len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
-        p = xmalloc(len);
-        strlcpy(p, challenge, len);
-        strlcat(p, SKEY_PROMPT, len);
-        (*prompts)[0] = p;
+        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
         xfree(challenge);
 
         return (0);
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 8417b61f8..5920a90b2 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_wrap.h,v 1.14 2004/06/21 17:36:31 avsm Exp $  */
+/* $OpenBSD: monitor_wrap.h,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -27,8 +27,6 @@
 
 #ifndef _MM_WRAP_H_
 #define _MM_WRAP_H_
-#include "key.h"
-#include "buffer.h"
 
 extern int use_privsep;
 #define PRIVSEP(x)      (use_privsep ? mm_##x : x)
@@ -37,7 +35,6 @@ enum mm_keytype {MM_NOKEY, MM_HOSTKEY, MM_USERKEY, MM_RSAHOSTKEY, MM_RSAUSERKEY}
 
 struct monitor;
 struct mm_master;
-struct passwd;
 struct Authctxt;
 
 int mm_is_monitor(void);
@@ -58,7 +55,6 @@ int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
 #ifdef GSSAPI
-#include "ssh-gss.h"
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -84,7 +80,7 @@ void mm_audit_run_command(const char *);
 
 struct Session;
 void mm_terminate(void);
-int mm_pty_allocate(int *, int *, char *, int);
+int mm_pty_allocate(int *, int *, char *, size_t);
 void mm_session_pty_cleanup2(struct Session *);
 
 /* SSHv1 interfaces */
@@ -113,4 +109,4 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
 void mm_zfree(struct mm_master *, void *);
 void mm_init_compression(struct mm_master *);
 
-#endif /* _MM_H_ */
+#endif /* _MM_WRAP_H_ */
diff --git a/msg.c b/msg.c
index 3e4c2882c..cd5f98c4f 100644
--- a/msg.c
+++ b/msg.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: msg.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -21,14 +22,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: msg.c,v 1.8 2005/05/24 17:32:43 avsm Exp $");
+
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
 
 #include "buffer.h"
-#include "getput.h"
 #include "log.h"
 #include "atomicio.h"
 #include "msg.h"
+#include "misc.h"
 
 int
 ssh_msg_send(int fd, u_char type, Buffer *m)
@@ -38,7 +48,7 @@ ssh_msg_send(int fd, u_char type, Buffer *m)
 
         debug3("ssh_msg_send: type %u", (unsigned int)type & 0xff);
 
-        PUT_32BIT(buf, mlen + 1);
+        put_u32(buf, mlen + 1);
         buf[4] = type;          /* 1st byte of payload is mesg-type */
         if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) {
                 error("ssh_msg_send: write");
@@ -64,7 +74,7 @@ ssh_msg_recv(int fd, Buffer *m)
                         error("ssh_msg_recv: read: header");
                 return (-1);
         }
-        msg_len = GET_32BIT(buf);
+        msg_len = get_u32(buf);
         if (msg_len > 256 * 1024) {
                 error("ssh_msg_recv: read: bad msg_len %u", msg_len);
                 return (-1);
diff --git a/msg.h b/msg.h
index 0d3ea0658..b0cb9b52b 100644
--- a/msg.h
+++ b/msg.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: msg.h,v 1.3 2003/11/17 09:45:39 djm Exp $     */
+/* $OpenBSD: msg.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
diff --git a/myproposal.h b/myproposal.h
index d8cba1caf..e246e0dd9 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $  */
+/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -23,9 +23,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#define KEX_DEFAULT_KEX         "diffie-hellman-group-exchange-sha1," \
+
+#include <openssl/opensslv.h>
+
+/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define KEX_DEFAULT_KEX                \
+        "diffie-hellman-group-exchange-sha1," \
         "diffie-hellman-group14-sha1," \
         "diffie-hellman-group1-sha1"
+#else
+# define KEX_DEFAULT_KEX                \
+        "diffie-hellman-group-exchange-sha256," \
+        "diffie-hellman-group-exchange-sha1," \
+        "diffie-hellman-group14-sha1," \
+        "diffie-hellman-group1-sha1"
+#endif
+
 #define KEX_DEFAULT_PK_ALG      "ssh-rsa,ssh-dss"
 #define KEX_DEFAULT_ENCRYPT \
         "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
diff --git a/nchan.c b/nchan.c
index aee3f37b0..ad461f4af 100644
--- a/nchan.c
+++ b/nchan.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: nchan.c,v 1.57 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -23,7 +24,13 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: nchan.c,v 1.51 2004/07/11 17:48:47 deraadt Exp $");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <string.h>
+#include <stdarg.h>
 
 #include "ssh1.h"
 #include "ssh2.h"
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 3a8703bc1..9f06605d7 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $
+# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
+PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/basename.c b/openbsd-compat/basename.c
index ad040e139..ffa5c8984 100644
--- a/openbsd-compat/basename.c
+++ b/openbsd-compat/basename.c
@@ -20,6 +20,8 @@
 
 #include "includes.h"
 #ifndef HAVE_BASENAME
+#include <errno.h>
+#include <string.h>
 
 char *
 basename(const char *path)
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 7f48fd03a..65afed1e3 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -33,8 +33,14 @@
 #include "includes.h"
 
 #ifndef HAVE_BINDRESVPORT_SA
+#include <sys/types.h>
+#include <sys/socket.h>
 
-#include "includes.h"
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <string.h>
 
 #define STARTPORT 600
 #define ENDPORT (IPPORT_RESERVED - 1)
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
index 1eeb6953b..d45fb182a 100644
--- a/openbsd-compat/bsd-arc4random.c
+++ b/openbsd-compat/bsd-arc4random.c
@@ -15,9 +15,13 @@
  */
 
 #include "includes.h"
-#include "log.h"
 
-RCSID("$Id: bsd-arc4random.c,v 1.10 2005/02/16 02:01:28 djm Exp $");
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdarg.h>
+
+#include "log.h"
 
 #ifndef HAVE_ARC4RANDOM
 
diff --git a/openbsd-compat/bsd-asprintf.c b/openbsd-compat/bsd-asprintf.c
index 5ca01f80f..00fa0dfd8 100644
--- a/openbsd-compat/bsd-asprintf.c
+++ b/openbsd-compat/bsd-asprintf.c
@@ -21,6 +21,10 @@
 
 #ifndef HAVE_VASPRINTF
 
+#include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
 #ifndef VA_COPY
 # ifdef HAVE_VA_COPY
 #  define VA_COPY(dest, src) va_copy(dest, src)
@@ -35,7 +39,8 @@
 
 #define INIT_SZ 128
 
-int vasprintf(char **str, const char *fmt, va_list ap)
+int
+vasprintf(char **str, const char *fmt, va_list ap)
 {
         int ret = -1;
         va_list ap2;
@@ -49,7 +54,7 @@ int vasprintf(char **str, const char *fmt, va_list ap)
         ret = vsnprintf(string, INIT_SZ, fmt, ap2);
         if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
                 *str = string;
-        } else if (ret == INT_MAX) { /* shouldn't happen */
+        } else if (ret == INT_MAX || ret < 0) { /* Bad length */
                 goto fail;
         } else {        /* bigger than initial, realloc allowing for nul */
                 len = (size_t)ret + 1;
diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
index 5b7b94ae4..9380b33a7 100644
--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,9 +22,14 @@
 #include <sys/param.h>
 #include <unistd.h>
 #include <stdio.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
 #include <limits.h>
 #include <stdlib.h>
 #include <stddef.h>
+#include <string.h>
+#include <unistd.h>
 #ifdef HAVE_DIRENT_H
 # include <dirent.h>
 # define NAMLEN(dirent) strlen((dirent)->d_name)
@@ -46,15 +51,20 @@
 # define OPEN_MAX       256
 #endif
 
-RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
-
-#ifndef lint
-static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
+#if 0
+__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.11 2006/08/17 15:26:54 millert Exp $";
 #endif /* lint */
 
 /*
  * Close all file descriptors greater than or equal to lowfd.
  */
+#ifdef HAVE_FCNTL_CLOSEM
+void
+closefrom(int lowfd)
+{
+    (void) fcntl(lowfd, F_CLOSEM, 0);
+}
+#else
 void
 closefrom(int lowfd)
 {
@@ -67,7 +77,7 @@ closefrom(int lowfd)
 
     /* Check for a /proc/$$/fd directory. */
     len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
-    if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+    if (len > 0 && (size_t)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
         while ((dent = readdir(dirp)) != NULL) {
             fd = strtol(dent->d_name, &endp, 10);
             if (dent->d_name != endp && *endp == '\0' &&
@@ -95,6 +105,5 @@ closefrom(int lowfd)
             (void) close((int) fd);
     }
 }
-
+#endif /* !HAVE_FCNTL_CLOSEM */
 #endif /* HAVE_CLOSEFROM */
-
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index d1f1c059c..1532c991c 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.14 2005/02/02 06:10:11 dtucker Exp $
+ * $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
  *
  * bsd-cray.c
  *
@@ -52,7 +52,10 @@
 #include <sys/secstat.h>
 #include <sys/stat.h>
 #include <sys/session.h>
+#include <stdarg.h>
 #include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 #include <pwd.h>
 #include <fcntl.h>
 #include <errno.h>
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index b5e3cc52b..dbf8176b6 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -29,15 +29,25 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
-
 #ifdef HAVE_CYGWIN
 
-#include <fcntl.h>
-#include <stdlib.h>
+#if defined(open) && open == binary_open
+# undef open
+#endif
+#if defined(pipe) && open == binary_pipe
+# undef pipe
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/utsname.h>
 #include <sys/vfs.h>
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
 #include <windows.h>
+
 #include "xmalloc.h"
 #define is_winnt       (GetVersion() < 0x80000000)
 
@@ -45,13 +55,6 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
 #define ntsec_off(c)    ((c) && strstr((c),"nontsec"))
 #define ntea_on(c)      ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 
-#if defined(open) && open == binary_open
-# undef open
-#endif
-#if defined(pipe) && open == binary_pipe
-# undef pipe
-#endif
-
 int 
 binary_open(const char *filename, int flags, ...)
 {
@@ -268,9 +271,9 @@ char **
 fetch_windows_environment(void)
 {
         char **e, **p;
-        int i, idx = 0;
+        unsigned int i, idx = 0;
 
-        p = xmalloc((WENV_SIZ + 1) * sizeof(char *));
+        p = xcalloc(WENV_SIZ + 1, sizeof(char *));
         for (e = environ; *e != NULL; ++e) {
                 for (i = 0; i < WENV_SIZ; ++i) {
                         if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c
index fe2edad71..bdae8b637 100644
--- a/openbsd-compat/bsd-getpeereid.c
+++ b/openbsd-compat/bsd-getpeereid.c
@@ -16,10 +16,13 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-getpeereid.c,v 1.3 2004/02/17 05:49:55 djm Exp $");
-
 #if !defined(HAVE_GETPEEREID)
 
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <unistd.h>
+
 #if defined(SO_PEERCRED)
 int
 getpeereid(int s, uid_t *euid, gid_t *gid)
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index d32b054d7..17d731bd2 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -16,9 +16,19 @@
  */
 
 #include "includes.h"
-#include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $");
+#ifdef HAVE_SYS_SELECT_H
+# include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#include "xmalloc.h"
 
 #ifndef HAVE___PROGNAME
 char *__progname;
diff --git a/openbsd-compat/bsd-nextstep.c b/openbsd-compat/bsd-nextstep.c
index bd35a3afc..8195af88a 100644
--- a/openbsd-compat/bsd-nextstep.c
+++ b/openbsd-compat/bsd-nextstep.c
@@ -24,8 +24,6 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-nextstep.c,v 1.6 2003/06/01 03:23:57 mouring Exp $");
-
 #ifdef HAVE_NEXT
 #include <errno.h>
 #include <sys/wait.h>
diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c
index 8eb62b7a8..9777eb556 100644
--- a/openbsd-compat/bsd-openpty.c
+++ b/openbsd-compat/bsd-openpty.c
@@ -35,6 +35,21 @@
 #include "includes.h"
 #if !defined(HAVE_OPENPTY)
 
+#include <sys/types.h>
+
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_IOCTL_H
+# include <sys/ioctl.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif /* HAVE_UTIL_H */
@@ -46,6 +61,10 @@
 # include <sys/stropts.h>
 #endif
 
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index e4ba154fd..41d2be238 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -85,12 +85,15 @@
  *
  *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
  *    if the C library has some snprintf functions already.
+ *
+ * Damien Miller (djm@mindrot.org) Jan 2007
+ *    Fix integer overflows in return value.
+ *    Make formatting quite a bit faster by inlining dopr_outch()
+ *
  **************************************************************/
 
 #include "includes.h"
 
-RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
-
 #if defined(BROKEN_SNPRINTF)            /* For those with broken snprintf() */
 # undef HAVE_SNPRINTF
 # undef HAVE_VSNPRINTF
@@ -110,6 +113,13 @@ RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
 
 #if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
 
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <errno.h>
+
 #ifdef HAVE_LONG_DOUBLE
 # define LDOUBLE long double
 #else
@@ -156,17 +166,28 @@ RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
 # define MAX(p,q) (((p) >= (q)) ? (p) : (q))
 #endif
 
-static size_t dopr(char *buffer, size_t maxlen, const char *format, 
-                   va_list args_in);
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-                    char *value, int flags, int min, int max);
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    long value, int base, int min, int max, int flags);
-static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
-                   LDOUBLE fvalue, int min, int max, int flags);
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
-
-static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
+#define DOPR_OUTCH(buf, pos, buflen, thechar) \
+        do { \
+                if (pos + 1 >= INT_MAX) { \
+                        errno = ERANGE; \
+                        return -1; \
+                } \
+                if (pos < buflen) \
+                        buf[pos] = thechar; \
+                (pos)++; \
+        } while (0)
+
+static int dopr(char *buffer, size_t maxlen, const char *format, 
+    va_list args_in);
+static int fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+    char *value, int flags, int min, int max);
+static int fmtint(char *buffer, size_t *currlen, size_t maxlen,
+    LLONG value, int base, int min, int max, int flags);
+static int fmtfp(char *buffer, size_t *currlen, size_t maxlen,
+    LDOUBLE fvalue, int min, int max, int flags);
+
+static int
+dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
 {
         char ch;
         LLONG value;
@@ -195,8 +216,8 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                 case DP_S_DEFAULT:
                         if (ch == '%') 
                                 state = DP_S_FLAGS;
-                        else 
-                                dopr_outch (buffer, &currlen, maxlen, ch);
+                        else
+                                DOPR_OUTCH(buffer, currlen, maxlen, ch);
                         ch = *format++;
                         break;
                 case DP_S_FLAGS:
@@ -295,7 +316,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = va_arg (args, LLONG);
                                 else
                                         value = va_arg (args, int);
-                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen,
+                                    value, 10, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'o':
                                 flags |= DP_F_UNSIGNED;
@@ -307,7 +330,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (long)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    8, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'u':
                                 flags |= DP_F_UNSIGNED;
@@ -319,7 +344,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (LLONG)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    10, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'X':
                                 flags |= DP_F_UP;
@@ -333,15 +360,18 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (LLONG)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    16, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'f':
                                 if (cflags == DP_C_LDOUBLE)
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                /* um, floating point? */
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'E':
                                 flags |= DP_F_UP;
@@ -350,7 +380,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'G':
                                 flags |= DP_F_UP;
@@ -359,10 +391,13 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'c':
-                                dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
+                                DOPR_OUTCH(buffer, currlen, maxlen,
+                                    va_arg (args, int));
                                 break;
                         case 's':
                                 strvalue = va_arg (args, char *);
@@ -371,11 +406,15 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         max = strlen(strvalue);
                                 }
                                 if (min > 0 && max >= 0 && min > max) max = min;
-                                fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
+                                if (fmtstr(buffer, &currlen, maxlen,
+                                    strvalue, flags, min, max) == -1)
+                                        return -1;
                                 break;
                         case 'p':
                                 strvalue = va_arg (args, void *);
-                                fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen,
+                                    (long) strvalue, 16, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'n':
                                 if (cflags == DP_C_SHORT) {
@@ -397,7 +436,7 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                 }
                                 break;
                         case '%':
-                                dopr_outch (buffer, &currlen, maxlen, ch);
+                                DOPR_OUTCH(buffer, currlen, maxlen, ch);
                                 break;
                         case 'w':
                                 /* not supported yet, treat as next char */
@@ -426,11 +465,12 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                         buffer[maxlen - 1] = '\0';
         }
         
-        return currlen;
+        return currlen < INT_MAX ? (int)currlen : -1;
 }
 
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-                    char *value, int flags, int min, int max)
+static int
+fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+    char *value, int flags, int min, int max)
 {
         int padlen, strln;     /* amount to pad */
         int cnt = 0;
@@ -450,28 +490,31 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
                 padlen = -padlen; /* Left Justify */
         
         while ((padlen > 0) && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --padlen;
                 ++cnt;
         }
         while (*value && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, *value++);
+                DOPR_OUTCH(buffer, *currlen, maxlen, *value);
+                *value++;
                 ++cnt;
         }
         while ((padlen < 0) && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++padlen;
                 ++cnt;
         }
+        return 0;
 }
 
 /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
 
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    long value, int base, int min, int max, int flags)
+static int
+fmtint(char *buffer, size_t *currlen, size_t maxlen,
+                    LLONG value, int base, int min, int max, int flags)
 {
         int signvalue = 0;
-        unsigned long uvalue;
+        unsigned LLONG uvalue;
         char convert[20];
         int place = 0;
         int spadlen = 0; /* amount to space pad */
@@ -524,31 +567,34 @@ static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
 
         /* Spaces */
         while (spadlen > 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --spadlen;
         }
 
         /* Sign */
         if (signvalue) 
-                dopr_outch (buffer, currlen, maxlen, signvalue);
+                DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
 
         /* Zeros */
         if (zpadlen > 0) {
                 while (zpadlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --zpadlen;
                 }
         }
 
         /* Digits */
-        while (place > 0) 
-                dopr_outch (buffer, currlen, maxlen, convert[--place]);
+        while (place > 0) {
+                --place;
+                DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]);
+        }
   
         /* Left Justified spaces */
         while (spadlen < 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++spadlen;
         }
+        return 0;
 }
 
 static LDOUBLE abs_val(LDOUBLE value)
@@ -561,13 +607,13 @@ static LDOUBLE abs_val(LDOUBLE value)
         return result;
 }
 
-static LDOUBLE POW10(int exp)
+static LDOUBLE POW10(int val)
 {
         LDOUBLE result = 1;
         
-        while (exp) {
+        while (val) {
                 result *= 10;
-                exp--;
+                val--;
         }
   
         return result;
@@ -601,7 +647,10 @@ static double my_modf(double x0, double *iptr)
         }
 
         if (i == 100) {
-                /* yikes! the number is beyond what we can handle. What do we do? */
+                /*
+                 * yikes! the number is beyond what we can handle.
+                 * What do we do?
+                 */
                 (*iptr) = 0;
                 return 0;
         }
@@ -620,8 +669,9 @@ static double my_modf(double x0, double *iptr)
 }
 
 
-static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
-                   LDOUBLE fvalue, int min, int max, int flags)
+static int
+fmtfp (char *buffer, size_t *currlen, size_t maxlen,
+    LDOUBLE fvalue, int min, int max, int flags)
 {
         int signvalue = 0;
         double ufvalue;
@@ -726,24 +776,26 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
         
         if ((flags & DP_F_ZERO) && (padlen > 0)) {
                 if (signvalue) {
-                        dopr_outch (buffer, currlen, maxlen, signvalue);
+                        DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
                         --padlen;
                         signvalue = 0;
                 }
                 while (padlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --padlen;
                 }
         }
         while (padlen > 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --padlen;
         }
         if (signvalue) 
-                dopr_outch (buffer, currlen, maxlen, signvalue);
+                DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
         
-        while (iplace > 0) 
-                dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
+        while (iplace > 0) {
+                --iplace;
+                DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]);
+        }
 
 #ifdef DEBUG_SNPRINTF
         printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
@@ -754,41 +806,38 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
          * char to print out.
          */
         if (max > 0) {
-                dopr_outch (buffer, currlen, maxlen, '.');
+                DOPR_OUTCH(buffer, *currlen, maxlen, '.');
                 
                 while (zpadlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --zpadlen;
                 }
 
-                while (fplace > 0) 
-                        dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
+                while (fplace > 0) {
+                        --fplace;
+                        DOPR_OUTCH(buffer, *currlen, maxlen, fconvert[fplace]);
+                }
         }
 
         while (padlen < 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++padlen;
         }
-}
-
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
-{
-        if (*currlen < maxlen) {
-                buffer[(*currlen)] = c;
-        }
-        (*currlen)++;
+        return 0;
 }
 #endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
 
 #if !defined(HAVE_VSNPRINTF)
-int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
+int
+vsnprintf (char *str, size_t count, const char *fmt, va_list args)
 {
         return dopr(str, count, fmt, args);
 }
 #endif
 
 #if !defined(HAVE_SNPRINTF)
-int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
+int
+snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
 {
         size_t ret;
         va_list ap;
@@ -799,4 +848,3 @@ int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
         return ret;
 }
 #endif
-
diff --git a/openbsd-compat/bsd-waitpid.c b/openbsd-compat/bsd-waitpid.c
index 93c9ec35e..40e6ffaa8 100644
--- a/openbsd-compat/bsd-waitpid.c
+++ b/openbsd-compat/bsd-waitpid.c
@@ -24,8 +24,6 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-waitpid.c,v 1.5 2003/06/01 03:23:57 mouring Exp $");
-
 #ifndef HAVE_WAITPID 
 #include <errno.h>
 #include <sys/wait.h>
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index f8a0680bf..e3a6886bd 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -34,6 +34,20 @@
 
 #ifndef HAVE_DAEMON
 
+#include <sys/types.h>
+
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
 int
 daemon(int nochdir, int noclose)
 {
diff --git a/openbsd-compat/fake-rfc2553.c b/openbsd-compat/fake-rfc2553.c
index 0186b5300..b6ea3d21e 100644
--- a/openbsd-compat/fake-rfc2553.c
+++ b/openbsd-compat/fake-rfc2553.c
@@ -37,7 +37,11 @@
 
 #include "includes.h"
 
-RCSID("$Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $");
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
 
 #ifndef HAVE_GETNAMEINFO
 int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, 
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index cbcf7f727..5c2ce5b1b 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
-/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.13 2006/07/24 03:51:52 djm Exp $ */
 
 /*
  * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@@ -41,7 +41,10 @@
 #define _FAKE_RFC2553_H
 
 #include "includes.h"
-#include "sys/types.h"
+#include <sys/types.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 
 /*
  * First, socket and INET6 related definitions 
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index bea6aea3b..07231d005 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -49,6 +49,12 @@
 
 #ifndef HAVE_GETRRSETBYNAME
 
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
 #include "getrrsetbyname.h"
 
 #if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
@@ -60,6 +66,13 @@ extern int h_errno;
 # undef _THREAD_PRIVATE
 #endif
 #define _THREAD_PRIVATE(a,b,c) (c)
+
+/* to avoid conflicts where a platform already has _res */
+#ifdef _res
+# undef _res
+#endif
+#define _res    _compat_res
+
 struct __res_state _res;
 
 /* Necessary functions and macros */
@@ -290,10 +303,12 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
         }
 
         /* allocate memory for signatures */
-        rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
-        if (rrset->rri_sigs == NULL) {
-                result = ERRSET_NOMEMORY;
-                goto fail;
+        if (rrset->rri_nsigs > 0) {
+                rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+                if (rrset->rri_sigs == NULL) {
+                        result = ERRSET_NOMEMORY;
+                        goto fail;
+                }
         }
 
         /* copy answers & signatures */
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index f6a04ea3f..b3dd2b171 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -34,7 +34,21 @@
 /* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
 
 #include "includes.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <dirent.h>
 #include <ctype.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
+    !defined(GLOB_HAS_GL_MATCHC) || \
+    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
 
 static long
 get_arg_max(void)
@@ -48,9 +62,6 @@ get_arg_max(void)
 #endif
 }
 
-#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC)
-
 /*
  * glob(3) -- a superset of the one defined in POSIX 1003.2.
  *
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index 4fdbfc1ea..9ba07f76e 100644
--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -38,7 +38,8 @@
 /* OPENBSD ORIGINAL: include/glob.h */
 
 #if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC)
+    !defined(GLOB_HAS_GL_MATCHC) || \
+    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
 
 #ifndef _GLOB_H_
 #define _GLOB_H_
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index 88e04c520..2285c84df 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -35,6 +35,14 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+#include <unistd.h>
+
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 
 static int _gettemp(char *, int *, int, int);
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 1a3027353..aac2e6cbc 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -31,6 +31,11 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <pwd.h>
+
+#include <sys/socket.h>
+
 /* OpenBSD function replacements */
 #include "base64.h"
 #include "sigact.h"
@@ -38,7 +43,7 @@
 #include "readpassphrase.h"
 #include "vis.h"
 #include "getrrsetbyname.h"
-
+#include "sha2.h"
 
 #ifndef HAVE_BASENAME
 char *basename(const char *path);
@@ -126,13 +131,16 @@ int getgrouplist(const char *, gid_t, gid_t *, int *);
 int BSDgetopt(int argc, char * const *argv, const char *opts);
 #endif
 
+#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
+# include <sys/types.h>
+# include <sys/uio.h>
+int writev(int, struct iovec *, int);
+#endif
 
 /* Home grown routines */
 #include "bsd-misc.h"
 #include "bsd-waitpid.h"
 
-/*#include <sys/types.h> XXX Still needed? * For uid_t, gid_t * */
-
 #ifndef HAVE_GETPEEREID
 int getpeereid(int , uid_t *, gid_t *);
 #endif 
@@ -147,13 +155,14 @@ int asprintf(char **, const char *, ...);
 #endif 
 
 #ifndef HAVE_OPENPTY
+# include <sys/ioctl.h> /* for struct winsize */
 int openpty(int *, int *, char *, struct termios *, struct winsize *);
 #endif /* HAVE_OPENPTY */
 
 /* #include <sys/types.h> XXX needed? For size_t */
 
 #ifndef HAVE_SNPRINTF
-int snprintf(char *, size_t, const char *, ...);
+int snprintf(char *, size_t, SNPRINTF_CONST char *, ...);
 #endif 
 
 #ifndef HAVE_STRTOLL
@@ -164,6 +173,10 @@ long long strtoll(const char *, char **, int);
 long long strtonum(const char *, long long, long long, const char **);
 #endif
 
+#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
+# include <stdarg.h>
+#endif
+
 #ifndef HAVE_VASPRINTF
 int vasprintf(char **, const char *, va_list);
 #endif
@@ -176,16 +189,18 @@ void *xmmap(size_t size);
 char *xcrypt(const char *password, const char *salt);
 char *shadow_pw(struct passwd *pw);
 
-
 /* rfc2553 socket API replacements */
 #include "fake-rfc2553.h"
 
 /* Routines for a single OS platform */
 #include "bsd-cray.h"
 #include "bsd-cygwin_util.h"
-#include "port-irix.h"
+
 #include "port-aix.h"
-#include "port-uw.h"
+#include "port-irix.h"
+#include "port-linux.h"
+#include "port-solaris.h"
 #include "port-tun.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index b690e8fe6..45ebd3f66 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.4 2006/02/22 11:24:47 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -18,7 +18,11 @@
 
 #include "includes.h"
 
-#define SSH_DONT_REDEF_EVP
+#ifdef USE_OPENSSL_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 
 #ifdef SSH_OLD_EVP
@@ -44,3 +48,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
         return 1;
 }
 #endif
+
+#ifdef  USE_OPENSSL_ENGINE
+void
+ssh_SSLeay_add_all_algorithms(void)
+{
+        SSLeay_add_all_algorithms();
+
+        /* Enable use of crypto hardware */
+        ENGINE_load_builtin_engines();
+        ENGINE_register_all_complete();
+}
+#endif
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 8a015ec43..9b5ccff5f 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
 # endif
 #endif
 
+/* OpenSSL 0.9.8e returns cipher key len not context key len */
+#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
+# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
+#endif
+
 /*
  * We overload some of the OpenSSL crypto functions with ssh_* equivalents
  * which cater for older and/or less featureful OpenSSL version.
@@ -54,21 +59,27 @@ extern const EVP_CIPHER *evp_acss(void);
  * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
  * implement the ssh_* equivalents.
  */
-#ifdef SSH_OLD_EVP
-
-# ifndef SSH_DONT_REDEF_EVP
+#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 
+# ifdef SSH_OLD_EVP
 #  ifdef EVP_Cipher
 #   undef EVP_Cipher
 #  endif
-
 #  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
 #  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
 #  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif
+# endif /* SSH_OLD_EVP */
+
+# ifdef USE_OPENSSL_ENGINE
+#  ifdef SSLeay_add_all_algorithms
+#   undef SSLeay_add_all_algorithms
+#  endif
+#  define SSLeay_add_all_algorithms()   ssh_SSLeay_add_all_algorithms()
+#endif
 
 int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
     unsigned char *, int);
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
 int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
-#endif
+void ssh_SSLeay_add_all_algorithms(void);
+#endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 81d8124e0..b9fabf61f 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -25,16 +25,36 @@
  *
  */
 #include "includes.h"
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "ssh.h"
 #include "log.h"
-#include "xmalloc.h"
-#include "buffer.h"
 
 #ifdef _AIX
 
+#include <errno.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 #include <uinfo.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 #include <sys/socket.h>
+
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+# include <userpw.h>
+# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
+#  include <sys/audit.h>
+# endif
+# include <usersec.h>
+#endif
+
 #include "port-aix.h"
 
 # ifdef HAVE_SETAUTHDB
@@ -256,15 +276,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
     Buffer *loginmsg)
 {
         char *msg = NULL;
+        static int msg_done = 0;
         int success = 0;
 
         aix_setauthdb(user);
         if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
                 success = 1;
-                if (msg != NULL) {
+                if (msg != NULL && loginmsg != NULL && !msg_done) {
                         debug("AIX/loginsuccess: msg %s", msg);
                         buffer_append(loginmsg, msg, strlen(msg));
                         xfree(msg);
+                        msg_done = 1;
                 }
         }
         aix_restoreauthdb();
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 37b2c12b0..5a04bedad 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.27 2006/09/18 13:54:33 dtucker Exp $ */
 
 /*
  *
@@ -31,18 +31,6 @@
 #ifdef HAVE_SYS_SOCKET_H
 # include <sys/socket.h>
 #endif
-#ifdef HAVE_UNISTD_H
-# include <unistd.h>    /* for seteuid() */
-#endif
-
-#ifdef WITH_AIXAUTHENTICATE
-# include <login.h>
-# include <userpw.h>
-# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
-#  include <sys/audit.h>
-# endif
-# include <usersec.h>
-#endif
 
 #include "buffer.h"
 
diff --git a/openbsd-compat/port-irix.c b/openbsd-compat/port-irix.c
index aa6db1cf8..ba751a538 100644
--- a/openbsd-compat/port-irix.c
+++ b/openbsd-compat/port-irix.c
@@ -29,6 +29,10 @@
     defined(WITH_IRIX_JOBS) || \
     defined(WITH_IRIX_ARRAY)
 
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
 #ifdef WITH_IRIX_PROJECT
 # include <proj.h>
 #endif /* WITH_IRIX_PROJECT */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
new file mode 100644
index 000000000..d153f8fb5
--- /dev/null
+++ b/openbsd-compat/port-linux.c
@@ -0,0 +1,178 @@
+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+
+#ifdef WITH_SELINUX
+#include "log.h"
+#include "port-linux.h"
+
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+static int
+ssh_selinux_enabled(void)
+{
+        static int enabled = -1;
+
+        if (enabled == -1) {
+                enabled = is_selinux_enabled();
+                debug("SELinux support %s", enabled ? "enabled" : "disabled");
+        }
+
+        return (enabled);
+}
+
+/* Return the default security context for the given username */
+static security_context_t
+ssh_selinux_getctxbyname(char *pwname)
+{
+        security_context_t sc;
+        char *sename = NULL, *role = NULL, *lvl = NULL;
+        int r;
+
+#ifdef HAVE_GETSEUSERBYNAME
+        if (getseuserbyname(pwname, &sename, &lvl) != 0)
+                return NULL;
+#else
+        sename = pwname;
+        lvl = NULL;
+#endif
+        if (the_authctxt)
+                role = the_authctxt->role;
+
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+        if (role != NULL && role[0])
+                r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                       &sc);
+        else
+                r = get_default_context_with_level(sename, lvl, NULL, &sc);
+#else
+        if (role != NULL && role[0])
+                r = get_default_context_with_role(sename, role, NULL, &sc);
+        else
+                r = get_default_context(sename, NULL, &sc);
+#endif
+
+        if (r != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: ssh_selinux_getctxbyname: "
+                            "security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to get default SELinux security "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to get default SELinux security "
+                            "context for %s (in enforcing mode)",
+                            __func__, pwname);
+                }
+        }
+
+#ifdef HAVE_GETSEUSERBYNAME
+        if (sename != NULL)
+                xfree(sename);
+        if (lvl != NULL)
+                xfree(lvl);
+#endif
+
+        return (sc);
+}
+
+/* Set the execution context to the default for the specified user */
+void
+ssh_selinux_setup_exec_context(char *pwname)
+{
+        security_context_t user_ctx = NULL;
+
+        if (!ssh_selinux_enabled())
+                return;
+
+        debug3("%s: setting execution context", __func__);
+
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to set SELinux execution "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to set SELinux execution context "
+                            "for %s (in enforcing mode)", __func__, pwname);
+                }
+        }
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+
+        debug3("%s: done", __func__);
+}
+
+/* Set the TTY context for the specified user */
+void
+ssh_selinux_setup_pty(char *pwname, const char *tty)
+{
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+        security_context_t old_tty_ctx = NULL;
+
+        if (!ssh_selinux_enabled())
+                return;
+
+        debug3("%s: setting TTY context on %s", __func__, tty);
+
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+
+        if (getfilecon(tty, &old_tty_ctx) == -1) {
+                error("%s: getfilecon: %s", __func__, strerror(errno));
+                goto out;
+        }
+
+        if (security_compute_relabel(user_ctx, old_tty_ctx,
+            SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+                error("%s: security_compute_relabel: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        if (setfilecon(tty, new_tty_ctx) != 0)
+                error("%s: setfilecon: %s", __func__, strerror(errno));
+ out:
+        if (new_tty_ctx != NULL)
+                freecon(new_tty_ctx);
+        if (old_tty_ctx != NULL)
+                freecon(old_tty_ctx);
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+        debug3("%s: done", __func__);
+}
+#endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
new file mode 100644
index 000000000..05e520e1c
--- /dev/null
+++ b/openbsd-compat/port-linux.h
@@ -0,0 +1,27 @@
+/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_LINUX_H
+#define _PORT_LINUX_H
+
+#ifdef WITH_SELINUX
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+#endif
+
+#endif /* ! _PORT_LINUX_H */
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
new file mode 100644
index 000000000..2ab64d487
--- /dev/null
+++ b/openbsd-compat/port-solaris.c
@@ -0,0 +1,199 @@
+/* $Id: port-solaris.c,v 1.3 2006/10/31 23:28:49 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "includes.h"
+
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <libcontract.h>
+#include <sys/contract/process.h>
+#include <sys/ctfs.h>
+
+#include "log.h"
+
+#define CT_TEMPLATE     CTFS_ROOT "/process/template"
+#define CT_LATEST       CTFS_ROOT "/process/latest"
+
+static int tmpl_fd = -1;
+
+/* Lookup the latest process contract */
+static ctid_t
+get_active_process_contract_id(void)
+{
+        int stat_fd;
+        ctid_t ctid = -1;
+        ct_stathdl_t stathdl;
+
+        if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
+                error("%s: Error opening 'latest' process "
+                    "contract: %s", __func__, strerror(errno));
+                return -1;
+        }
+        if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
+                error("%s: Error reading process contract "
+                    "status: %s", __func__, strerror(errno));
+                goto out;
+        }
+        if ((ctid = ct_status_get_id(stathdl)) < 0) {
+                error("%s: Error getting process contract id: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        ct_status_free(stathdl);
+ out:
+        close(stat_fd);
+        return ctid;
+}
+
+void
+solaris_contract_pre_fork(void)
+{
+        if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
+                error("%s: open %s: %s", __func__,
+                    CT_TEMPLATE, strerror(errno));
+                return;
+        }
+
+        debug2("%s: setting up process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* First we set the template parameters and event sets. */
+        if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
+                error("%s: Error setting process contract parameter set "
+                    "(pgrponly): %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "fatal events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
+                error("%s: Error setting process contract template "
+                    "critical events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "informative events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+
+        /* Now make this the active template for this process. */
+        if (ct_tmpl_activate(tmpl_fd) != 0) {
+                error("%s: Error activating process contract "
+                    "template: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+}
+
+void
+solaris_contract_post_fork_child()
+{
+        debug2("%s: clearing process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* Clear the active template. */
+        if (ct_tmpl_clear(tmpl_fd) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+}
+
+void
+solaris_contract_post_fork_parent(pid_t pid)
+{
+        ctid_t ctid;
+        char ctl_path[256];
+        int r, ctl_fd = -1, stat_fd = -1;
+
+        debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
+
+        if (tmpl_fd == -1)
+                return;
+
+        /* First clear the active template. */
+        if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+
+        /*
+         * If either the fork didn't succeed (pid < 0), or clearing
+         * th active contract failed (r != 0), then we have nothing
+         * more do.
+         */
+        if (r != 0 || pid <= 0)
+                return;
+
+        /* Now lookup and abandon the contract we've created. */
+        ctid = get_active_process_contract_id();
+
+        debug2("%s: abandoning contract id %ld", __func__, ctid);
+
+        snprintf(ctl_path, sizeof(ctl_path),
+            CTFS_ROOT "/process/%ld/ctl", ctid);
+        if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
+                error("%s: Error opening process contract "
+                    "ctl file: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_ctl_abandon(ctl_fd) < 0) {
+                error("%s: Error abandoning process contract: %s",
+                    __func__, strerror(errno));
+                goto fail;
+        }
+        close(ctl_fd);
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+        if (stat_fd != -1)
+                close(stat_fd);
+        if (ctl_fd != -1)
+                close(ctl_fd);
+}
+#endif
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
new file mode 100644
index 000000000..4c324871e
--- /dev/null
+++ b/openbsd-compat/port-solaris.h
@@ -0,0 +1,27 @@
+/* $Id: port-solaris.h,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_SOLARIS_H
+
+#include <sys/types.h>
+
+void solaris_contract_pre_fork(void);
+void solaris_contract_post_fork_child(void);
+void solaris_contract_post_fork_parent(pid_t pid);
+
+#endif
diff --git a/openbsd-compat/port-tun.c b/openbsd-compat/port-tun.c
index 31921615f..276474db8 100644
--- a/openbsd-compat/port-tun.c
+++ b/openbsd-compat/port-tun.c
@@ -16,9 +16,23 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netinet/ip.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "log.h"
 #include "misc.h"
-#include "bufaux.h"
+#include "buffer.h"
+#include "channels.h"
 
 /*
  * This is the portable version of the SSH tunnel forwarding, it
@@ -26,6 +40,7 @@
  * settings.
  *
  * SSH_TUN_LINUX        Use the (newer) Linux tun/tap device
+ * SSH_TUN_FREEBSD      Use the FreeBSD tun/tap device
  * SSH_TUN_COMPAT_AF    Translate the OpenBSD address family
  * SSH_TUN_PREPEND_AF   Prepend/remove the address family
  */
@@ -93,7 +108,10 @@ sys_tun_open(int tun, int mode)
 #ifdef SSH_TUN_FREEBSD
 #include <sys/socket.h>
 #include <net/if.h>
+
+#ifdef HAVE_NET_IF_TUN_H
 #include <net/if_tun.h>
+#endif
 
 int
 sys_tun_open(int tun, int mode)
diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h
index 86d9272b4..c53df01fc 100644
--- a/openbsd-compat/port-tun.h
+++ b/openbsd-compat/port-tun.h
@@ -17,7 +17,7 @@
 #ifndef _PORT_TUN_H
 #define _PORT_TUN_H
 
-#include "channels.h"
+struct Channel;
 
 #if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
 # define CUSTOM_SYS_TUN_OPEN
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index c64427121..6f3523902 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -26,15 +26,26 @@
 #include "includes.h"
 
 #ifdef HAVE_LIBIAF
+#include <sys/types.h>
 #ifdef HAVE_CRYPT_H
-#include <crypt.h>
+# include <crypt.h>
 #endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
+#include "auth-options.h"
 #include "log.h"
 #include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
-#include "auth-options.h"
+#include "ssh.h"
 
 int nischeck(char *);
 
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 919c0174a..11bd8f646 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -27,7 +27,13 @@
 #ifndef HAVE_READPASSPHRASE
 
 #include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
 #include <readpassphrase.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
 
 #ifdef TCSASOFT
 # define _T_FLUSH       (TCSAFLUSH|TCSASOFT)
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
new file mode 100644
index 000000000..bcf214bd0
--- /dev/null
+++ b/openbsd-compat/regress/Makefile.in
@@ -0,0 +1,38 @@
+# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
+
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+VPATH=@srcdir@
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+EXEEXT=@EXEEXT@
+LIBCOMPAT=../libopenbsd-compat.a
+LIBS=@LIBS@
+LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
+
+TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
+        strtonumtest$(EXEEXT)
+
+all:    t-exec ${OTHERTESTS}
+
+%$(EXEEXT):     %.c
+        $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
+
+t-exec: $(TESTPROGS)
+        @echo running compat regress tests
+        @for TEST in ""$?; do \
+                echo "run test $${TEST}" ... 1>&2; \
+                ./$${TEST}$(EXEEXT) || exit $$? ; \
+        done
+        @echo finished compat regress tests
+
+clean:
+        rm -f *.o *.a core $(TESTPROGS) valid.out
+
+distclean: clean
+        rm -f Makefile *~
diff --git a/openbsd-compat/regress/closefromtest.c b/openbsd-compat/regress/closefromtest.c
new file mode 100644
index 000000000..feb1b567d
--- /dev/null
+++ b/openbsd-compat/regress/closefromtest.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2006 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define NUM_OPENS 10
+
+void
+fail(char *msg)
+{
+        fprintf(stderr, "closefrom: %s\n", msg);
+        exit(1);
+}
+
+int
+main(void)
+{
+        int i, max, fds[NUM_OPENS];
+        char buf[512];
+
+        for (i = 0; i < NUM_OPENS; i++)
+                if ((fds[i] = open("/dev/null", "r")) == -1)
+                        exit(0);        /* can't test */
+        max = i - 1;
+
+        /* should close last fd only */
+        closefrom(fds[max]);
+        if (close(fds[max]) != -1)
+                fail("failed to close highest fd");
+
+        /* make sure we can still use remaining descriptors */
+        for (i = 0; i < max; i++)
+                if (read(fds[i], buf, sizeof(buf)) == -1)
+                        fail("closed descriptors it should not have");
+
+        /* should close all fds */
+        closefrom(fds[0]);
+        for (i = 0; i < NUM_OPENS; i++)
+                if (close(fds[i]) != -1)
+                        fail("failed to close from lowest fd");
+}
diff --git a/openbsd-compat/regress/snprintftest.c b/openbsd-compat/regress/snprintftest.c
new file mode 100644
index 000000000..4ca63e180
--- /dev/null
+++ b/openbsd-compat/regress/snprintftest.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2005 Darren Tucker
+ * Copyright (c) 2005 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define BUFSZ 2048
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+
+static int failed = 0;
+
+static void
+fail(const char *m)
+{
+        fprintf(stderr, "snprintftest: %s\n", m);
+        failed = 1;
+}
+
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
+{
+        size_t ret;
+        va_list ap;
+
+        va_start(ap, fmt);
+        ret = vsnprintf(str, count, fmt, ap);
+        va_end(ap);
+        return ret;
+}
+
+int
+main(void)
+{
+        char b[5];
+        char *src;
+
+        snprintf(b,5,"123456789");
+        if (b[4] != '\0')
+                fail("snprintf does not correctly terminate long strings");
+
+        /* check for read overrun on unterminated string */
+        if ((src = malloc(BUFSZ)) == NULL) {
+                fail("malloc failed");
+        } else {
+                memset(src, 'a', BUFSZ);
+                snprintf(b, sizeof(b), "%.*s", 1, src);
+                if (strcmp(b, "a") != 0)
+                        fail("failed with length limit '%%.s'");
+        }
+
+        /* check that snprintf and vsnprintf return sane values */
+        if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+                fail("snprintf does not return required length");
+        if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+                fail("vsnprintf does not return required length");
+
+        return failed;
+}
diff --git a/openbsd-compat/regress/strduptest.c b/openbsd-compat/regress/strduptest.c
new file mode 100644
index 000000000..7f6d779be
--- /dev/null
+++ b/openbsd-compat/regress/strduptest.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2005 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+static int fail = 0;
+
+void
+test(const char *a)
+{
+        char *b;
+
+        b = strdup(a);
+        if (b == 0) {
+                fail = 1;
+                return;
+        }
+        if (strcmp(a, b) != 0)
+                fail = 1;
+        free(b);
+}
+
+int
+main(void)
+{
+        test("");
+        test("a");
+        test("\0");
+        test("abcdefghijklmnopqrstuvwxyz");
+        return fail;
+}
diff --git a/openbsd-compat/regress/strtonumtest.c b/openbsd-compat/regress/strtonumtest.c
new file mode 100644
index 000000000..cb8585129
--- /dev/null
+++ b/openbsd-compat/regress/strtonumtest.c
@@ -0,0 +1,66 @@
+/*      $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $   */
+/*
+ * Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int fail;
+
+void
+test(const char *p, long long lb, long long ub, int ok)
+{
+        long long val;
+        const char *q;
+
+        val = strtonum(p, lb, ub, &q);
+        if (ok && q != NULL) {
+                fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
+                fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
+                fail = 1;
+        } else if (!ok && q == NULL) {
+                fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
+                fprintf(stderr, "NUMBER ACCEPTED\n");
+                fail = 1;
+        }
+}
+
+int main(int argc, char *argv[])
+{
+        test("1", 0, 10, 1);
+        test("0", -2, 5, 1);
+        test("0", 2, 5, 0);
+        test("0", 2, LLONG_MAX, 0);
+        test("-2", 0, LLONG_MAX, 0);
+        test("0", -5, LLONG_MAX, 1);
+        test("-3", -3, LLONG_MAX, 1);
+        test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
+        test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
+        test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
+        test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
+        test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+        test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+        test("-2", 10, -1, 0);
+        test("-2", -10, -1, 1);
+        test("-20", -10, -1, 0);
+        test("20", -10, -1, 0);
+
+        return (fail);
+}
+
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 71cf6e6eb..5b0275ce0 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -35,6 +35,16 @@
 
 #ifndef HAVE_RRESVPORT_AF
 
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
 #if 0
 int
 rresvport(int *alport)
diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c
index 6e2b19bb4..b511f6649 100644
--- a/openbsd-compat/setproctitle.c
+++ b/openbsd-compat/setproctitle.c
@@ -35,10 +35,13 @@
 
 #ifndef HAVE_SETPROCTITLE
 
+#include <stdarg.h>
+#include <stdlib.h>
 #include <unistd.h>
 #ifdef HAVE_SYS_PSTAT_H
 #include <sys/pstat.h>
 #endif
+#include <string.h>
 
 #define SPT_NONE        0       /* don't use it at all */
 #define SPT_PSTAT       1       /* use pstat(PSTAT_SETCMD, ...) */
@@ -80,7 +83,7 @@ compat_init_setproctitle(int argc, char *argv[])
         /* Fail if we can't allocate room for the new environment */
         for (i = 0; envp[i] != NULL; i++)
                 ;
-        if ((environ = malloc(sizeof(*environ) * (i + 1))) == NULL) {
+        if ((environ = calloc(i + 1, sizeof(*environ))) == NULL) {
                 environ = envp; /* put it back */
                 return;
         }
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
new file mode 100755
index 000000000..cf8e0ad66
--- /dev/null
+++ b/openbsd-compat/sha2.c
@@ -0,0 +1,882 @@
+/*      $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */
+
+/*
+ * FILE:        sha2.c
+ * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
+
+#include "includes.h"
+
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+#include <sys/types.h>
+#include <string.h>
+#include "sha2.h"
+
+/*
+ * UNROLLED TRANSFORM LOOP NOTE:
+ * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
+ * loop version for the hash transform rounds (defined using macros
+ * later in this file).  Either define on the command line, for example:
+ *
+ *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
+ *
+ * or define below:
+ *
+ *   #define SHA2_UNROLL_TRANSFORM
+ *
+ */
+
+/*** SHA-256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER.  If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivilent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ *   #define LITTLE_ENDIAN 1234
+ *   #define BIG_ENDIAN    4321
+ *
+ * And for little-endian machines, add:
+ *
+ *   #define BYTE_ORDER LITTLE_ENDIAN 
+ *
+ * Or for big-endian machines:
+ *
+ *   #define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define SHA256_SHORT_BLOCK_LENGTH       (SHA256_BLOCK_LENGTH - 8)
+#define SHA384_SHORT_BLOCK_LENGTH       (SHA384_BLOCK_LENGTH - 16)
+#define SHA512_SHORT_BLOCK_LENGTH       (SHA512_BLOCK_LENGTH - 16)
+
+/*** ENDIAN SPECIFIC COPY MACROS **************************************/
+#define BE_8_TO_32(dst, cp) do {                                        \
+        (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) |        \
+            ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24);    \
+} while(0)
+
+#define BE_8_TO_64(dst, cp) do {                                        \
+        (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) |        \
+            ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) |   \
+            ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) |   \
+            ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56);    \
+} while (0)
+
+#define BE_64_TO_8(cp, src) do {                                        \
+        (cp)[0] = (src) >> 56;                                          \
+        (cp)[1] = (src) >> 48;                                          \
+        (cp)[2] = (src) >> 40;                                          \
+        (cp)[3] = (src) >> 32;                                          \
+        (cp)[4] = (src) >> 24;                                          \
+        (cp)[5] = (src) >> 16;                                          \
+        (cp)[6] = (src) >> 8;                                           \
+        (cp)[7] = (src);                                                \
+} while (0)
+
+#define BE_32_TO_8(cp, src) do {                                        \
+        (cp)[0] = (src) >> 24;                                          \
+        (cp)[1] = (src) >> 16;                                          \
+        (cp)[2] = (src) >> 8;                                           \
+        (cp)[3] = (src);                                                \
+} while (0)
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n) do {                                             \
+        (w)[0] += (u_int64_t)(n);                                       \
+        if ((w)[0] < (n)) {                                             \
+                (w)[1]++;                                               \
+        }                                                               \
+} while (0)
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
+ *   S is a ROTATION) because the SHA-256/384/512 description document
+ *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ *   same "backwards" definition.
+ */
+/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
+#define R(b,x)          ((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-256): */
+#define S32(b,x)        (((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x)        (((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-256: */
+#define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
+#define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
+#define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
+#define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x)   (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x)   (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x)   (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
+#define sigma1_512(x)   (S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
+
+
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+/* Hash constant words K for SHA-256: */
+const static u_int32_t K256[64] = {
+        0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+        0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+        0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+        0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+        0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+        0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+        0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+        0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+        0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+        0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+        0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+        0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+        0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+        0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+        0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+        0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+/* Initial hash value H for SHA-256: */
+const static u_int32_t sha256_initial_hash_value[8] = {
+        0x6a09e667UL,
+        0xbb67ae85UL,
+        0x3c6ef372UL,
+        0xa54ff53aUL,
+        0x510e527fUL,
+        0x9b05688cUL,
+        0x1f83d9abUL,
+        0x5be0cd19UL
+};
+
+/* Hash constant words K for SHA-384 and SHA-512: */
+const static u_int64_t K512[80] = {
+        0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+        0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+        0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+        0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+        0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+        0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+        0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+        0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+        0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+        0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+        0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+        0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+        0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+        0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+        0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+        0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+        0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+        0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+        0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+        0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+        0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+        0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+        0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+        0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+        0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+        0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+        0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+        0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+        0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+        0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+        0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+        0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+        0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+        0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+        0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+        0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+        0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+        0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+        0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+        0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+/* Initial hash value H for SHA-384 */
+const static u_int64_t sha384_initial_hash_value[8] = {
+        0xcbbb9d5dc1059ed8ULL,
+        0x629a292a367cd507ULL,
+        0x9159015a3070dd17ULL,
+        0x152fecd8f70e5939ULL,
+        0x67332667ffc00b31ULL,
+        0x8eb44a8768581511ULL,
+        0xdb0c2e0d64f98fa7ULL,
+        0x47b5481dbefa4fa4ULL
+};
+
+/* Initial hash value H for SHA-512 */
+const static u_int64_t sha512_initial_hash_value[8] = {
+        0x6a09e667f3bcc908ULL,
+        0xbb67ae8584caa73bULL,
+        0x3c6ef372fe94f82bULL,
+        0xa54ff53a5f1d36f1ULL,
+        0x510e527fade682d1ULL,
+        0x9b05688c2b3e6c1fULL,
+        0x1f83d9abfb41bd6bULL,
+        0x5be0cd19137e2179ULL
+};
+
+
+/*** SHA-256: *********************************************************/
+void
+SHA256_Init(SHA256_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha256_initial_hash_value,
+            sizeof(sha256_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount = 0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-256 round macros: */
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
+        BE_8_TO_32(W256[j], data);                                          \
+        data += 4;                                                          \
+        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+#define ROUND256(a,b,c,d,e,f,g,h) do {                                      \
+        s0 = W256[(j+1)&0x0f];                                              \
+        s0 = sigma0_256(s0);                                                \
+        s1 = W256[(j+14)&0x0f];                                             \
+        s1 = sigma1_256(s1);                                                \
+        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +          \
+             (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);                  \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+void
+SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
+{
+        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int32_t       T1, W256[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                /* Rounds 0 to 15 (unrolled): */
+                ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
+                ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
+                ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
+                ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
+                ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
+                ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
+                ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
+                ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
+        } while (j < 16);
+
+        /* Now for the remaining rounds up to 63: */
+        do {
+                ROUND256(a,b,c,d,e,f,g,h);
+                ROUND256(h,a,b,c,d,e,f,g);
+                ROUND256(g,h,a,b,c,d,e,f);
+                ROUND256(f,g,h,a,b,c,d,e);
+                ROUND256(e,f,g,h,a,b,c,d);
+                ROUND256(d,e,f,g,h,a,b,c);
+                ROUND256(c,d,e,f,g,h,a,b);
+                ROUND256(b,c,d,e,f,g,h,a);
+        } while (j < 64);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
+{
+        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int32_t       T1, T2, W256[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                BE_8_TO_32(W256[j], data);
+                data += 4;
+                /* Apply the SHA-256 compression function to update a..h */
+                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
+                T2 = Sigma0_256(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 16);
+
+        do {
+                /* Part of the message block expansion: */
+                s0 = W256[(j+1)&0x0f];
+                s0 = sigma0_256(s0);
+                s1 = W256[(j+14)&0x0f]; 
+                s1 = sigma1_256(s1);
+
+                /* Apply the SHA-256 compression function to update a..h */
+                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
+                     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
+                T2 = Sigma0_256(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 64);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
+{
+        size_t  freespace, usedspace;
+
+        /* Calling with no data is valid (we do nothing) */
+        if (len == 0)
+                return;
+
+        usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Calculate how much free space is available in the buffer */
+                freespace = SHA256_BLOCK_LENGTH - usedspace;
+
+                if (len >= freespace) {
+                        /* Fill the buffer completely and process it */
+                        memcpy(&context->buffer[usedspace], data, freespace);
+                        context->bitcount += freespace << 3;
+                        len -= freespace;
+                        data += freespace;
+                        SHA256_Transform(context->state, context->buffer);
+                } else {
+                        /* The buffer is not yet full */
+                        memcpy(&context->buffer[usedspace], data, len);
+                        context->bitcount += len << 3;
+                        /* Clean up: */
+                        usedspace = freespace = 0;
+                        return;
+                }
+        }
+        while (len >= SHA256_BLOCK_LENGTH) {
+                /* Process as many complete blocks as we can */
+                SHA256_Transform(context->state, data);
+                context->bitcount += SHA256_BLOCK_LENGTH << 3;
+                len -= SHA256_BLOCK_LENGTH;
+                data += SHA256_BLOCK_LENGTH;
+        }
+        if (len > 0) {
+                /* There's left-overs, so save 'em */
+                memcpy(context->buffer, data, len);
+                context->bitcount += len << 3;
+        }
+        /* Clean up: */
+        usedspace = freespace = 0;
+}
+
+void
+SHA256_Pad(SHA256_CTX *context)
+{
+        unsigned int    usedspace;
+
+        usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Begin padding with a 1 bit: */
+                context->buffer[usedspace++] = 0x80;
+
+                if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
+                        /* Set-up for the last transform: */
+                        memset(&context->buffer[usedspace], 0,
+                            SHA256_SHORT_BLOCK_LENGTH - usedspace);
+                } else {
+                        if (usedspace < SHA256_BLOCK_LENGTH) {
+                                memset(&context->buffer[usedspace], 0,
+                                    SHA256_BLOCK_LENGTH - usedspace);
+                        }
+                        /* Do second-to-last transform: */
+                        SHA256_Transform(context->state, context->buffer);
+
+                        /* Prepare for last transform: */
+                        memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
+                }
+        } else {
+                /* Set-up for the last transform: */
+                memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
+
+                /* Begin padding with a 1 bit: */
+                *context->buffer = 0x80;
+        }
+        /* Store the length of input data (in bits) in big endian format: */
+        BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
+            context->bitcount);
+
+        /* Final transform: */
+        SHA256_Transform(context->state, context->buffer);
+
+        /* Clean up: */
+        usedspace = 0;
+}
+
+void
+SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
+{
+        SHA256_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 8; i++)
+                        BE_32_TO_8(digest + i * 4, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
+#endif
+                memset(context, 0, sizeof(*context));
+        }
+}
+
+
+/*** SHA-512: *********************************************************/
+void
+SHA512_Init(SHA512_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha512_initial_hash_value,
+            sizeof(sha512_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount[0] = context->bitcount[1] =  0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-512 round macros: */
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
+        BE_8_TO_64(W512[j], data);                                          \
+        data += 8;                                                          \
+        T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+
+#define ROUND512(a,b,c,d,e,f,g,h) do {                                      \
+        s0 = W512[(j+1)&0x0f];                                              \
+        s0 = sigma0_512(s0);                                                \
+        s1 = W512[(j+14)&0x0f];                                             \
+        s1 = sigma1_512(s1);                                                \
+        T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +          \
+             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);                  \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+void
+SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
+{
+        u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int64_t       T1, W512[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                /* Rounds 0 to 15 (unrolled): */
+                ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
+                ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
+                ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
+                ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
+                ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
+                ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
+                ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
+                ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
+        } while (j < 16);
+
+        /* Now for the remaining rounds up to 79: */
+        do {
+                ROUND512(a,b,c,d,e,f,g,h);
+                ROUND512(h,a,b,c,d,e,f,g);
+                ROUND512(g,h,a,b,c,d,e,f);
+                ROUND512(f,g,h,a,b,c,d,e);
+                ROUND512(e,f,g,h,a,b,c,d);
+                ROUND512(d,e,f,g,h,a,b,c);
+                ROUND512(c,d,e,f,g,h,a,b);
+                ROUND512(b,c,d,e,f,g,h,a);
+        } while (j < 80);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
+{
+        u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int64_t       T1, T2, W512[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                BE_8_TO_64(W512[j], data);
+                data += 8;
+                /* Apply the SHA-512 compression function to update a..h */
+                T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+                T2 = Sigma0_512(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 16);
+
+        do {
+                /* Part of the message block expansion: */
+                s0 = W512[(j+1)&0x0f];
+                s0 = sigma0_512(s0);
+                s1 = W512[(j+14)&0x0f];
+                s1 =  sigma1_512(s1);
+
+                /* Apply the SHA-512 compression function to update a..h */
+                T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+                     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+                T2 = Sigma0_512(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 80);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
+{
+        size_t  freespace, usedspace;
+
+        /* Calling with no data is valid (we do nothing) */
+        if (len == 0)
+                return;
+
+        usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Calculate how much free space is available in the buffer */
+                freespace = SHA512_BLOCK_LENGTH - usedspace;
+
+                if (len >= freespace) {
+                        /* Fill the buffer completely and process it */
+                        memcpy(&context->buffer[usedspace], data, freespace);
+                        ADDINC128(context->bitcount, freespace << 3);
+                        len -= freespace;
+                        data += freespace;
+                        SHA512_Transform(context->state, context->buffer);
+                } else {
+                        /* The buffer is not yet full */
+                        memcpy(&context->buffer[usedspace], data, len);
+                        ADDINC128(context->bitcount, len << 3);
+                        /* Clean up: */
+                        usedspace = freespace = 0;
+                        return;
+                }
+        }
+        while (len >= SHA512_BLOCK_LENGTH) {
+                /* Process as many complete blocks as we can */
+                SHA512_Transform(context->state, data);
+                ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
+                len -= SHA512_BLOCK_LENGTH;
+                data += SHA512_BLOCK_LENGTH;
+        }
+        if (len > 0) {
+                /* There's left-overs, so save 'em */
+                memcpy(context->buffer, data, len);
+                ADDINC128(context->bitcount, len << 3);
+        }
+        /* Clean up: */
+        usedspace = freespace = 0;
+}
+
+void
+SHA512_Pad(SHA512_CTX *context)
+{
+        unsigned int    usedspace;
+
+        usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Begin padding with a 1 bit: */
+                context->buffer[usedspace++] = 0x80;
+
+                if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
+                        /* Set-up for the last transform: */
+                        memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
+                } else {
+                        if (usedspace < SHA512_BLOCK_LENGTH) {
+                                memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
+                        }
+                        /* Do second-to-last transform: */
+                        SHA512_Transform(context->state, context->buffer);
+
+                        /* And set-up for the last transform: */
+                        memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
+                }
+        } else {
+                /* Prepare for final transform: */
+                memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
+
+                /* Begin padding with a 1 bit: */
+                *context->buffer = 0x80;
+        }
+        /* Store the length of input data (in bits) in big endian format: */
+        BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
+            context->bitcount[1]);
+        BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
+            context->bitcount[0]);
+
+        /* Final transform: */
+        SHA512_Transform(context->state, context->buffer);
+
+        /* Clean up: */
+        usedspace = 0;
+}
+
+void
+SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
+{
+        SHA512_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 8; i++)
+                        BE_64_TO_8(digest + i * 8, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
+#endif
+                memset(context, 0, sizeof(*context));
+        }
+}
+
+
+#if 0
+/*** SHA-384: *********************************************************/
+void
+SHA384_Init(SHA384_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha384_initial_hash_value,
+            sizeof(sha384_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+__weak_alias(SHA384_Transform, SHA512_Transform);
+__weak_alias(SHA384_Update, SHA512_Update);
+__weak_alias(SHA384_Pad, SHA512_Pad);
+
+void
+SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
+{
+        SHA384_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 6; i++)
+                        BE_64_TO_8(digest + i * 8, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
+#endif
+        }
+
+        /* Zero out state data */
+        memset(context, 0, sizeof(*context));
+}
+#endif
+
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h
new file mode 100755
index 000000000..821f2dd6c
--- /dev/null
+++ b/openbsd-compat/sha2.h
@@ -0,0 +1,133 @@
+/*      $OpenBSD: sha2.h,v 1.6 2004/06/22 01:57:30 jfb Exp $    */
+
+/*
+ * FILE:        sha2.h
+ * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
+ */
+
+/* OPENBSD ORIGINAL: include/sha2.h */
+
+#ifndef _SSHSHA2_H
+#define _SSHSHA2_H
+
+#include "includes.h"
+
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+#define SHA256_BLOCK_LENGTH             64
+#define SHA256_DIGEST_LENGTH            32
+#define SHA256_DIGEST_STRING_LENGTH     (SHA256_DIGEST_LENGTH * 2 + 1)
+#define SHA384_BLOCK_LENGTH             128
+#define SHA384_DIGEST_LENGTH            48
+#define SHA384_DIGEST_STRING_LENGTH     (SHA384_DIGEST_LENGTH * 2 + 1)
+#define SHA512_BLOCK_LENGTH             128
+#define SHA512_DIGEST_LENGTH            64
+#define SHA512_DIGEST_STRING_LENGTH     (SHA512_DIGEST_LENGTH * 2 + 1)
+
+
+/*** SHA-256/384/512 Context Structures *******************************/
+typedef struct _SHA256_CTX {
+        u_int32_t       state[8];
+        u_int64_t       bitcount;
+        u_int8_t        buffer[SHA256_BLOCK_LENGTH];
+} SHA256_CTX;
+typedef struct _SHA512_CTX {
+        u_int64_t       state[8];
+        u_int64_t       bitcount[2];
+        u_int8_t        buffer[SHA512_BLOCK_LENGTH];
+} SHA512_CTX;
+
+#if 0
+typedef SHA512_CTX SHA384_CTX;
+#endif
+
+void SHA256_Init(SHA256_CTX *);
+void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
+void SHA256_Update(SHA256_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA256_Pad(SHA256_CTX *);
+void SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], SHA256_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
+char *SHA256_End(SHA256_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
+
+#if 0
+void SHA384_Init(SHA384_CTX *);
+void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
+void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA384_Pad(SHA384_CTX *);
+void SHA384_Final(u_int8_t [SHA384_DIGEST_LENGTH], SHA384_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
+char *SHA384_End(SHA384_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
+#endif /* 0 */
+
+void SHA512_Init(SHA512_CTX *);
+void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
+void SHA512_Update(SHA512_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA512_Pad(SHA512_CTX *);
+void SHA512_Final(u_int8_t [SHA512_DIGEST_LENGTH], SHA512_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
+char *SHA512_End(SHA512_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
+
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
+
+#endif /* _SSHSHA2_H */
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
index 8ad0d0058..87f2f24b2 100644
--- a/openbsd-compat/strtonum.c
+++ b/openbsd-compat/strtonum.c
@@ -20,8 +20,11 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
 
 #include "includes.h"
+
 #ifndef HAVE_STRTONUM
+#include <stdlib.h>
 #include <limits.h>
+#include <errno.h>
 
 #define INVALID         1
 #define TOOSMALL        2
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 9afa0b9f2..14899321f 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -24,6 +24,10 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+
 # ifdef HAVE_CRYPT_H
 #  include <crypt.h>
 # endif
diff --git a/openbsd-compat/xmmap.c b/openbsd-compat/xmmap.c
index 74e8a8b13..0fb23269b 100644
--- a/openbsd-compat/xmmap.c
+++ b/openbsd-compat/xmmap.c
@@ -23,21 +23,31 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: xmmap.c,v 1.6 2004/10/06 13:15:44 dtucker Exp $ */
+/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
 
 #include "includes.h"
 
+#include <sys/types.h>
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
+#include <sys/stat.h>
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 
 #include "log.h"
 
 void *xmmap(size_t size)
 {
+#ifdef HAVE_MMAP
         void *address;
 
-#ifdef HAVE_MMAP
 # ifdef MAP_ANON
         address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
             -1, (off_t)0);
diff --git a/openssh.xml.in b/openssh.xml.in
new file mode 100644
index 000000000..2fcdea0a1
--- /dev/null
+++ b/openssh.xml.in
@@ -0,0 +1,90 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<!--
+    Copyright (c) 2006 Chad Mynhier.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<service_bundle type='manifest' name='OpenSSH server'>
+
+    <service
+        name='site/openssh'
+        type='service'
+        version='1'>
+
+<!--
+        We default to disabled so administrator can decide to enable or not.
+-->
+        <create_default_instance enabled='false'/>
+
+        <single_instance/>
+
+        <dependency
+            name='filesystem-local'
+            grouping='require_all'
+            restart_on='none'
+            type='service'>
+            <service_fmri value='svc:/system/filesystem/local'/>
+        </dependency>
+
+        <dependency
+            name='network'
+            grouping='require_all'
+            restart_on='none'
+            type='service'>
+            <service_fmri value='svc:/milestone/network'/>
+        </dependency>
+
+        <dependent
+            name='multi-user-server'
+            restart_on='none'
+            grouping='optional_all'>
+            <service_fmri value='svc:/milestone/multi-user-server'/>
+        </dependent>
+
+        <exec_method
+            name='start'
+            type='method'
+            exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
+            timeout_seconds='60'>
+            <method_context/>
+        </exec_method>
+
+        <exec_method
+            name='stop'
+            type='method'
+            exec=':kill'
+            timeout_seconds='60'>
+            <method_context/>
+        </exec_method>
+
+        <property_group
+            name='startd'
+            type='framework'>
+            <propval name='ignore_error' type='astring' value='core,signal'/>
+        </property_group>
+
+        <template>
+            <common_name>
+                <loctext xml:lang='C'>OpenSSH server</loctext>
+            </common_name>
+            <documentation>
+                <manpage
+                    title='sshd'
+                    section='1M'
+                    manpath='@prefix@/man'/>
+            </documentation>
+        </template>
+    </service>
+</service_bundle>
diff --git a/packet.c b/packet.c
index 827ae16b3..bc1b658ca 100644
--- a/packet.c
+++ b/packet.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -37,26 +38,39 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $");
-
+ 
+#include <sys/types.h>
 #include "openbsd-compat/sys-queue.h"
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
 
 #include "xmalloc.h"
 #include "buffer.h"
 #include "packet.h"
-#include "bufaux.h"
 #include "crc32.h"
-#include "getput.h"
-
 #include "compress.h"
 #include "deattack.h"
 #include "channels.h"
-
 #include "compat.h"
 #include "ssh1.h"
 #include "ssh2.h"
-
 #include "cipher.h"
+#include "key.h"
 #include "kex.h"
 #include "mac.h"
 #include "log.h"
@@ -261,6 +275,7 @@ packet_get_keyiv_len(int mode)
 
         return (cipher_get_keyiv_len(cc));
 }
+
 void
 packet_set_iv(int mode, u_char *dat)
 {
@@ -273,6 +288,7 @@ packet_set_iv(int mode, u_char *dat)
 
         cipher_set_keyiv(cc, dat);
 }
+
 int
 packet_get_ssh1_cipher(void)
 {
@@ -474,31 +490,37 @@ packet_put_char(int value)
 
         buffer_append(&outgoing_packet, &ch, 1);
 }
+
 void
 packet_put_int(u_int value)
 {
         buffer_put_int(&outgoing_packet, value);
 }
+
 void
 packet_put_string(const void *buf, u_int len)
 {
         buffer_put_string(&outgoing_packet, buf, len);
 }
+
 void
 packet_put_cstring(const char *str)
 {
         buffer_put_cstring(&outgoing_packet, str);
 }
+
 void
 packet_put_raw(const void *buf, u_int len)
 {
         buffer_append(&outgoing_packet, buf, len);
 }
+
 void
 packet_put_bignum(BIGNUM * value)
 {
         buffer_put_bignum(&outgoing_packet, value);
 }
+
 void
 packet_put_bignum2(BIGNUM * value)
 {
@@ -552,7 +574,7 @@ packet_send1(void)
         /* Add check bytes. */
         checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
             buffer_len(&outgoing_packet));
-        PUT_32BIT(buf, checksum);
+        put_u32(buf, checksum);
         buffer_append(&outgoing_packet, buf, 4);
 
 #ifdef PACKET_DEBUG
@@ -561,7 +583,7 @@ packet_send1(void)
 #endif
 
         /* Append to output. */
-        PUT_32BIT(buf, len);
+        put_u32(buf, len);
         buffer_append(&output, buf, 4);
         cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
         cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
@@ -657,7 +679,7 @@ set_newkeys(int mode)
 
 /*
  * Delayed compression for SSH2 is enabled after authentication:
- * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
+ * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
  * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
  */
 static void
@@ -672,6 +694,9 @@ packet_enable_delayed_compress(void)
          */
         after_authentication = 1;
         for (mode = 0; mode < MODE_MAX; mode++) {
+                /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
+                if (newkeys[mode] == NULL)
+                        continue;
                 comp = &newkeys[mode]->comp;
                 if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
                         packet_init_compression();
@@ -764,7 +789,7 @@ packet_send2_wrapped(void)
         /* packet_length includes payload, padding and padding length field */
         packet_length = buffer_len(&outgoing_packet) - 4;
         cp = buffer_ptr(&outgoing_packet);
-        PUT_32BIT(cp, packet_length);
+        put_u32(cp, packet_length);
         cp[4] = padlen;
         DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
 
@@ -781,7 +806,7 @@ packet_send2_wrapped(void)
             buffer_len(&outgoing_packet));
         /* append unencrypted MAC */
         if (mac && mac->enabled)
-                buffer_append(&output, (char *)macbuf, mac->mac_len);
+                buffer_append(&output, macbuf, mac->mac_len);
 #ifdef PACKET_DEBUG
         fprintf(stderr, "encrypted: ");
         buffer_dump(&output);
@@ -872,7 +897,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
         struct timeval tv, *tvp;
         DBG(debug("packet_read()"));
 
-        setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
+        setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
             sizeof(fd_mask));
 
         /* Since we are blocking, ensure that all written packets have been sent. */
@@ -902,11 +927,11 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                 FD_SET(connection_in, setp);
 
                 if (setup_timeout > 0) {
-                  tvp = &tv;
-                  tv.tv_sec = setup_timeout;
-                  tv.tv_usec = 0;
+                        tvp = &tv;
+                        tv.tv_sec = setup_timeout;
+                        tv.tv_usec = 0;
                 } else
-                  tvp = 0;
+                        tvp = NULL;
 
                 /* Wait for some data to arrive. */
                 while (select(connection_in + 1, setp, NULL, NULL, tvp) == -1 &&
@@ -914,7 +939,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                         ;
 
                 if (!FD_ISSET(connection_in, setp))
-                  fatal("packet_read: Setup timeout expired, giving up");
+                        fatal("packet_read: Setup timeout expired, giving up");
 
                 /* Read data from the socket. */
                 len = read(connection_in, buf, sizeof(buf));
@@ -973,7 +998,7 @@ packet_read_poll1(void)
                 return SSH_MSG_NONE;
         /* Get length of incoming packet. */
         cp = buffer_ptr(&input);
-        len = GET_32BIT(cp);
+        len = get_u32(cp);
         if (len < 1 + 2 + 2 || len > 256 * 1024)
                 packet_disconnect("Bad packet length %u.", len);
         padded_len = (len + 8) & ~7;
@@ -993,7 +1018,7 @@ packet_read_poll1(void)
          * Ariel Futoransky(futo@core-sdi.com)
          */
         if (!receive_context.plaintext) {
-                switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
+                switch (detect_attack(buffer_ptr(&input), padded_len)) {
                 case DEATTACK_DETECTED:
                         packet_disconnect("crc32 compensation attack: "
                             "network attack detected");
@@ -1028,7 +1053,7 @@ packet_read_poll1(void)
                     len, buffer_len(&incoming_packet));
 
         cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
-        stored_checksum = GET_32BIT(cp);
+        stored_checksum = get_u32(cp);
         if (checksum != stored_checksum)
                 packet_disconnect("Corrupted check bytes on input.");
         buffer_consume_end(&incoming_packet, 4);
@@ -1077,7 +1102,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
                 cipher_crypt(&receive_context, cp, buffer_ptr(&input),
                     block_size);
                 cp = buffer_ptr(&incoming_packet);
-                packet_length = GET_32BIT(cp);
+                packet_length = get_u32(cp);
                 if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
 #ifdef PACKET_DEBUG
                         buffer_dump(&incoming_packet);
@@ -1208,7 +1233,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
                                 break;
                         default:
                                 return type;
-                                break;
                         }
                 } else {
                         type = packet_read_poll1();
@@ -1231,7 +1255,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
                                 if (type)
                                         DBG(debug("received packet type %d", type));
                                 return type;
-                                break;
                         }
                 }
         }
@@ -1433,7 +1456,7 @@ packet_write_wait(void)
 {
         fd_set *setp;
 
-        setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
+        setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
             sizeof(fd_mask));
         packet_write_poll();
         while (packet_have_data_to_write()) {
@@ -1501,8 +1524,7 @@ packet_set_interactive(int interactive)
         /* Only set socket options if using a socket.  */
         if (!packet_connection_is_on_socket())
                 return;
-        if (interactive)
-                set_nodelay(connection_in);
+        set_nodelay(connection_in);
         packet_set_tos(interactive);
 }
 
@@ -1563,7 +1585,7 @@ packet_send_ignore(int nbytes)
         for (i = 0; i < nbytes; i++) {
                 if (i % 4 == 0)
                         rnd = arc4random();
-                packet_put_char(rnd & 0xff);
+                packet_put_char((u_char)rnd & 0xff);
                 rnd >>= 8;
         }
 }
diff --git a/packet.h b/packet.h
index c2367c234..3782949e8 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $      */
+/* $OpenBSD: packet.h,v 1.45 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,6 +16,8 @@
 #ifndef PACKET_H
 #define PACKET_H
 
+#include <termios.h>
+
 #include <openssl/bn.h>
 
 void     packet_set_connection(int, int, int);
diff --git a/pathnames.h b/pathnames.h
index cf42625a4..f2571e274 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: pathnames.h,v 1.15 2004/07/11 17:48:47 deraadt Exp $  */
+/* $OpenBSD: pathnames.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/platform.c b/platform.c
new file mode 100644
index 000000000..aee4b01e7
--- /dev/null
+++ b/platform.c
@@ -0,0 +1,46 @@
+/* $Id: platform.c,v 1.1 2006/08/30 17:24:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Darren Tucker.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "platform.h"
+
+#include "openbsd-compat/openbsd-compat.h"
+
+void
+platform_pre_fork(void)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_pre_fork();
+#endif
+}
+
+void
+platform_post_fork_parent(pid_t child_pid)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_post_fork_parent(child_pid);
+#endif
+}
+
+void
+platform_post_fork_child(void)
+{
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+        solaris_contract_post_fork_child();
+#endif
+}
diff --git a/platform.h b/platform.h
new file mode 100644
index 000000000..cf93bc57c
--- /dev/null
+++ b/platform.h
@@ -0,0 +1,23 @@
+/* $Id: platform.h,v 1.1 2006/08/30 17:24:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Darren Tucker.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+void platform_pre_fork(void);
+void platform_post_fork_parent(pid_t child_pid);
+void platform_post_fork_child(void);
diff --git a/progressmeter.c b/progressmeter.c
index 13c51d87e..0f95222d2 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
  *
@@ -23,7 +24,17 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: progressmeter.c,v 1.24 2005/06/07 13:25:23 jaredy Exp $");
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
 
 #include "progressmeter.h"
 #include "atomicio.h"
@@ -154,7 +165,7 @@ refresh_progress_meter(void)
                         len = 0;
                 if (len >= file_len + 1)
                         len = file_len;
-                for (i = len;  i < file_len; i++ )
+                for (i = len; i < file_len; i++)
                         buf[i] = ' ';
                 buf[file_len] = '\0';
         }
@@ -215,6 +226,7 @@ refresh_progress_meter(void)
         last_update = now;
 }
 
+/*ARGSUSED*/
 static void
 update_progress_meter(int ignore)
 {
@@ -269,6 +281,7 @@ stop_progress_meter(void)
         atomicio(vwrite, STDOUT_FILENO, "\n", 1);
 }
 
+/*ARGSUSED*/
 static void
 sig_winch(int sig)
 {
diff --git a/progressmeter.h b/progressmeter.h
index bfb9a0b77..10bab99ba 100644
--- a/progressmeter.h
+++ b/progressmeter.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: progressmeter.h,v 1.1 2003/01/10 08:19:07 fgsch Exp $ */
+/* $OpenBSD: progressmeter.h,v 1.2 2006/03/25 22:22:43 djm Exp $ */
 /*
  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
  *
diff --git a/readconf.c b/readconf.c
index b3e14b9d2..6a0ffd634 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,17 +13,33 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
 
-#include "ssh.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
+#include "ssh.h"
 #include "compat.h"
 #include "cipher.h"
 #include "pathnames.h"
 #include "log.h"
+#include "key.h"
 #include "readconf.h"
 #include "match.h"
 #include "misc.h"
+#include "buffer.h"
 #include "kex.h"
 #include "mac.h"
 
@@ -94,6 +111,7 @@ RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
 typedef enum {
         oBadOption,
         oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
+        oExitOnForwardFailure,
         oPasswordAuthentication, oRSAAuthentication,
         oChallengeResponseAuthentication, oXAuthLocation,
         oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -109,6 +127,7 @@ typedef enum {
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssKeyEx,
         oGssTrustDns,
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
@@ -126,6 +145,7 @@ static struct {
         { "forwardagent", oForwardAgent },
         { "forwardx11", oForwardX11 },
         { "forwardx11trusted", oForwardX11Trusted },
+        { "exitonforwardfailure", oExitOnForwardFailure },
         { "xauthlocation", oXAuthLocation },
         { "gatewayports", oGatewayPorts },
         { "useprivilegedport", oUsePrivilegedPort },
@@ -146,10 +166,12 @@ static struct {
         { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
         { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
         { "gssapidelegatecredentials", oGssDelegateCreds },
         { "gssapitrustdns", oGssTrustDns },
 #else
         { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
         { "gssapidelegatecredentials", oUnsupported },
         { "gssapitrustdns", oUnsupported },
 #endif
@@ -312,7 +334,8 @@ process_config_line(Options *options, const char *host,
                     int *activep)
 {
         char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-        int opcode, *intptr, value, value2;
+        int opcode, *intptr, value, value2, scale;
+        long long orig, val64;
         size_t len;
         Forward fwd;
 
@@ -325,7 +348,8 @@ process_config_line(Options *options, const char *host,
 
         s = line;
         /* Get the keyword. (Each line is supposed to begin with a keyword). */
-        keyword = strdelim(&s);
+        if ((keyword = strdelim(&s)) == NULL)
+                return 0;
         /* Ignore leading whitespace. */
         if (*keyword == '\0')
                 keyword = strdelim(&s);
@@ -349,7 +373,7 @@ parse_time:
                 if ((value = convtime(arg)) == -1)
                         fatal("%s line %d: invalid time value.",
                             filename, linenum);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -382,6 +406,10 @@ parse_flag:
                 intptr = &options->gateway_ports;
                 goto parse_flag;
 
+        case oExitOnForwardFailure:
+                intptr = &options->exit_on_forward_failure;
+                goto parse_flag;
+
         case oUsePrivilegedPort:
                 intptr = &options->use_privileged_port;
                 goto parse_flag;
@@ -422,6 +450,10 @@ parse_flag:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
 
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
+
         case oGssDelegateCreds:
                 intptr = &options->gss_deleg_creds;
                 goto parse_flag;
@@ -489,22 +521,36 @@ parse_yesnoask:
                         fatal("%.200s line %d: Missing argument.", filename, linenum);
                 if (arg[0] < '0' || arg[0] > '9')
                         fatal("%.200s line %d: Bad number.", filename, linenum);
-                value = strtol(arg, &endofnumber, 10);
+                orig = val64 = strtoll(arg, &endofnumber, 10);
                 if (arg == endofnumber)
                         fatal("%.200s line %d: Bad number.", filename, linenum);
                 switch (toupper(*endofnumber)) {
+                case '\0':
+                        scale = 1;
+                        break;
                 case 'K':
-                        value *= 1<<10;
+                        scale = 1<<10;
                         break;
                 case 'M':
-                        value *= 1<<20;
+                        scale = 1<<20;
                         break;
                 case 'G':
-                        value *= 1<<30;
+                        scale = 1<<30;
                         break;
+                default:
+                        fatal("%.200s line %d: Invalid RekeyLimit suffix",
+                            filename, linenum);
                 }
+                val64 *= scale;
+                /* detect integer wrap and too-large limits */
+                if ((val64 / scale) != orig || val64 > INT_MAX)
+                        fatal("%.200s line %d: RekeyLimit too large",
+                            filename, linenum);
+                if (val64 < 16)
+                        fatal("%.200s line %d: RekeyLimit too small",
+                            filename, linenum);
                 if (*activep && *intptr == -1)
-                        *intptr = value;
+                        *intptr = (int)val64;
                 break;
 
         case oIdentityFile:
@@ -516,7 +562,7 @@ parse_yesnoask:
                         if (*intptr >= SSH_MAX_IDENTITY_FILES)
                                 fatal("%.200s line %d: Too many identity files specified (max %d).",
                                     filename, linenum, SSH_MAX_IDENTITY_FILES);
-                        charptr =  &options->identity_files[*intptr];
+                        charptr = &options->identity_files[*intptr];
                         *charptr = xstrdup(arg);
                         *intptr = *intptr + 1;
                 }
@@ -997,6 +1043,7 @@ initialize_options(Options * options)
         options->forward_agent = -1;
         options->forward_x11 = -1;
         options->forward_x11_trusted = -1;
+        options->exit_on_forward_failure = -1;
         options->xauth_location = NULL;
         options->gateway_ports = -1;
         options->use_privileged_port = -1;
@@ -1004,6 +1051,7 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
+        options->gss_keyex = -1;
         options->gss_deleg_creds = -1;
         options->gss_trust_dns = -1;
         options->password_authentication = -1;
@@ -1079,6 +1127,8 @@ fill_default_options(Options * options)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
                 options->forward_x11_trusted = 1;
+        if (options->exit_on_forward_failure == -1)
+                options->exit_on_forward_failure = 0;
         if (options->xauth_location == NULL)
                 options->xauth_location = _PATH_XAUTH;
         if (options->gateway_ports == -1)
@@ -1093,6 +1143,8 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
         if (options->gss_deleg_creds == -1)
                 options->gss_deleg_creds = 0;
         if (options->gss_trust_dns == -1)
diff --git a/readconf.h b/readconf.h
index 4639a74a4..a7d9200b5 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $      */
+/* $OpenBSD: readconf.h,v 1.71 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,8 +16,6 @@
 #ifndef READCONF_H
 #define READCONF_H
 
-#include "key.h"
-
 /* Data structure for representing a forwarding request. */
 
 typedef struct {
@@ -34,6 +32,7 @@ typedef struct {
         int     forward_agent;  /* Forward authentication agent. */
         int     forward_x11;    /* Forward X11 display. */
         int     forward_x11_trusted;    /* Trust Forward X11 display. */
+        int     exit_on_forward_failure;        /* Exit if bind(2) fails for -L/-R */
         char   *xauth_location; /* Location for xauth program */
         int     gateway_ports;  /* Allow remote connects to forwarded ports. */
         int     use_privileged_port;    /* Don't use privileged port if false. */
@@ -45,6 +44,7 @@ typedef struct {
         int     challenge_response_authentication;
                                         /* Try S/Key or TIS, authentication. */
         int     gss_authentication;     /* Try GSS authentication */
+        int     gss_keyex;              /* Try GSS key exchange */
         int     gss_deleg_creds;        /* Delegate GSS credentials */
         int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
         int     password_authentication;        /* Try password
@@ -58,7 +58,7 @@ typedef struct {
         int     compression_level;      /* Compression level 1 (fast) to 9
                                          * (best). */
         int     tcp_keep_alive; /* Set SO_KEEPALIVE. */
-        int     setuptimeout; /* timeout in the protocol banner exchange */
+        int     setuptimeout;   /* timeout in the protocol banner exchange */
         LogLevel log_level;     /* Level for logging. */
 
         int     port;           /* Port to connect. */
diff --git a/readpass.c b/readpass.c
index 7914799a4..bd144c2e3 100644
--- a/readpass.c
+++ b/readpass.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: readpass.c,v 1.47 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -23,13 +24,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readpass.c,v 1.33 2005/05/02 21:13:22 markus Exp $");
+
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
 #include "xmalloc.h"
 #include "misc.h"
 #include "pathnames.h"
 #include "log.h"
 #include "ssh.h"
+#include "uidswap.h"
 
 static char *
 ssh_askpass(char *askpass, const char *msg)
@@ -53,8 +68,7 @@ ssh_askpass(char *askpass, const char *msg)
                 return NULL;
         }
         if (pid == 0) {
-                seteuid(getuid());
-                setuid(getuid());
+                permanently_drop_suid(getuid());
                 close(p[0]);
                 if (dup2(p[1], STDOUT_FILENO) < 0)
                         fatal("ssh_askpass: dup2: %s", strerror(errno));
diff --git a/regress/Makefile b/regress/Makefile
index 4f47bc3fd..539956398 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+#       $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= 	connect \
                 forwarding \
                 multiplex \
                 reexec \
-                brokenkeys
+                brokenkeys \
+                cfgmatch \
+                forcecommand
 
 USER!=          id -un
 CLEANFILES=     t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
                 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
                 ls.copy banner.in banner.out empty.in \
-                scp-ssh-wrapper.scp ssh_proxy_envpass \
-                remote_pid
+                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 
 #LTESTS +=      ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 6186a8d48..e5fcedda7 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+#       $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 #       Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
         echo "skipped (not supported on this platform)"
         exit 0
 fi
+if [ -z "$SUDO" ]; then
+        echo "skipped: need SUDO to switch to uid $UNPRIV"
+        exit 0
+fi
+
 
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 4de2638e4..d5892ed03 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -41,7 +41,7 @@ EOF
         if [ $? -ne 0 ]; then
                 fail "gdb failed: exit code $?"
         fi
-        egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
+        egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
         r=$?
         rm -f ${OBJ}/gdb.out
         if [ $r -ne 0 ]; then
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
new file mode 100644
index 000000000..d987dcb97
--- /dev/null
+++ b/regress/cfgmatch.sh
@@ -0,0 +1,106 @@
+#       $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+#       Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+stop_client()
+{
+        pid=`cat $pidfile`
+        if [ ! -z "$pid" ]; then
+                kill $pid
+                sleep 1
+        fi
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config.  This should be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+
+# Same but from different source.  This should not be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proxy proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny proto $p"
+        stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen w/key opt proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny w/key opt proto $p"
+        stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match override permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match override permitopen proto $p"
+        stop_client
+done
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
new file mode 100644
index 000000000..592511143
--- /dev/null
+++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+#       $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+#       Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+        sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+        arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+
+for c in $ciphers; do for m in $macs; do
+        trace "proto 2 cipher $c mac $m"
+        for x in $tries; do
+                echo -n "$c/$m:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+
+                if [ $? -ne 0 ]; then
+                        fail "ssh -2 failed with mac $m cipher $c"
+                fi
+        done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+        trace "proto 1 cipher $c"
+        for x in $tries; do
+                echo -n "$c:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -1 -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+                if [ $? -ne 0 ]; then
+                        fail "ssh -1 failed with cipher $c"
+                fi
+        done
+done
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
new file mode 100644
index 000000000..99e51a60f
--- /dev/null
+++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+#       $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#       Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echon 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+        trace "forced command in key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+
+echon 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+        trace "forced command in sshd_config overrides key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo "    ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+        trace "forced command with match proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 3b171144f..9ffbb3dd4 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+#       $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 #       Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
 done
 
 for p in 1 2; do
+for d in L R; do
+        trace "exit on -$d forward failure, proto $p"
+
+        # this one should succeed
+        ${SSH} -$p -F $OBJ/ssh_config \
+            -$d ${base}01:127.0.0.1:$PORT \
+            -$d ${base}02:127.0.0.1:$PORT \
+            -$d ${base}03:127.0.0.1:$PORT \
+            -$d ${base}04:127.0.0.1:$PORT \
+            -oExitOnForwardFailure=yes somehost true
+        if [ $? != 0 ]; then
+                fail "connection failed, should not"
+        else
+                # this one should fail
+                ${SSH} -q -$p -F $OBJ/ssh_config \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}02:127.0.0.1:$PORT \
+                    -$d ${base}03:127.0.0.1:$PORT \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}04:127.0.0.1:$PORT \
+                    -oExitOnForwardFailure=yes somehost true
+                r=$?
+                if [ $r != 255 ]; then
+                        fail "connection not termintated, but should ($r)"
+                fi
+        fi
+done
+done
+
+for p in 1 2; do
         trace "simple clear forwarding proto $p"
         ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
 
diff --git a/rsa.c b/rsa.c
index 66561a421..bec1d190b 100644
--- a/rsa.c
+++ b/rsa.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -60,11 +61,15 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: rsa.c,v 1.24 2001/12/27 18:22:16 markus Exp $");
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "rsa.h"
 #include "log.h"
-#include "xmalloc.h"
 
 void
 rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
@@ -86,7 +91,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
             RSA_PKCS1_PADDING)) <= 0)
                 fatal("rsa_public_encrypt() failed");
 
-        BN_bin2bn(outbuf, len, out);
+        if (BN_bin2bn(outbuf, len, out) == NULL)
+                fatal("rsa_public_encrypt: BN_bin2bn failed");
 
         memset(outbuf, 0, olen);
         memset(inbuf, 0, ilen);
@@ -111,7 +117,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
             RSA_PKCS1_PADDING)) <= 0) {
                 error("rsa_private_decrypt() failed");
         } else {
-                BN_bin2bn(outbuf, len, out);
+                if (BN_bin2bn(outbuf, len, out) == NULL)
+                        fatal("rsa_private_decrypt: BN_bin2bn failed");
         }
         memset(outbuf, 0, olen);
         memset(inbuf, 0, ilen);
@@ -132,11 +139,11 @@ rsa_generate_additional_parameters(RSA *rsa)
         if ((ctx = BN_CTX_new()) == NULL)
                 fatal("rsa_generate_additional_parameters: BN_CTX_new failed");
 
-        BN_sub(aux, rsa->q, BN_value_one());
-        BN_mod(rsa->dmq1, rsa->d, aux, ctx);
-
-        BN_sub(aux, rsa->p, BN_value_one());
-        BN_mod(rsa->dmp1, rsa->d, aux, ctx);
+        if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) ||
+            (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) ||
+            (BN_sub(aux, rsa->p, BN_value_one()) == 0) ||
+            (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0))
+                fatal("rsa_generate_additional_parameters: BN_sub/mod failed");
 
         BN_clear_free(aux);
         BN_CTX_free(ctx);
diff --git a/rsa.h b/rsa.h
index 957d86552..b841ea4e1 100644
--- a/rsa.h
+++ b/rsa.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rsa.h,v 1.15 2002/03/04 17:27:39 stevesk Exp $        */
+/* $OpenBSD: rsa.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/scard-opensc.c b/scard-opensc.c
index dd2c28df2..4751ea295 100644
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -26,9 +26,13 @@
 #include "includes.h"
 #if defined(SMARTCARD) && defined(USE_OPENSC)
 
+#include <sys/types.h>
+
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
+#include <stdarg.h>
+
 #include <opensc/opensc.h>
 #include <opensc/pkcs15.h>
 
@@ -455,7 +459,9 @@ sc_get_keys(const char *id, const char *pin)
                 }
                 key_count = r;
         }
-        keys = xmalloc(sizeof(Key *) * (key_count*2+1));
+        if (key_count > 1024)
+                fatal("Too many keys (%u), expected <= 1024", key_count);
+        keys = xcalloc(key_count * 2 + 1, sizeof(Key *));
         for (i = 0; i < key_count; i++) {
                 sc_pkcs15_object_t *tmp_obj = NULL;
                 cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id;
diff --git a/scard.c b/scard.c
index b3d25058a..9fd3ca1b4 100644
--- a/scard.c
+++ b/scard.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: scard.c,v 1.36 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -24,14 +25,18 @@
 
 #include "includes.h"
 #if defined(SMARTCARD) && defined(USE_SECTOK)
-RCSID("$OpenBSD: scard.c,v 1.29 2004/05/08 00:21:31 djm Exp $");
 
-#include <openssl/evp.h>
+#include <sys/types.h>
+
 #include <sectok.h>
+#include <stdarg.h>
+#include <string.h>
+
+#include <openssl/evp.h>
 
+#include "xmalloc.h"
 #include "key.h"
 #include "log.h"
-#include "xmalloc.h"
 #include "misc.h"
 #include "scard.h"
 
@@ -125,7 +130,7 @@ sc_init(void)
         if (status == SCARD_ERROR_NOCARD) {
                 return SCARD_ERROR_NOCARD;
         }
-        if (status < 0 ) {
+        if (status < 0) {
                 error("sc_open failed");
                 return status;
         }
@@ -215,7 +220,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
         olen = len = sw = 0;
         if (sc_fd < 0) {
                 status = sc_init();
-                if (status < 0 )
+                if (status < 0)
                         goto err;
         }
         if (padding != RSA_PKCS1_PADDING)
@@ -255,7 +260,7 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
         len = sw = 0;
         if (sc_fd < 0) {
                 status = sc_init();
-                if (status < 0 )
+                if (status < 0)
                         goto err;
         }
         if (padding != RSA_PKCS1_PADDING)
@@ -378,23 +383,25 @@ sc_get_keys(const char *id, const char *pin)
                 key_free(k);
                 return NULL;
         }
-        if (status < 0 ) {
+        if (status < 0) {
                 error("sc_read_pubkey failed");
                 key_free(k);
                 return NULL;
         }
-        keys = xmalloc((nkeys+1) * sizeof(Key *));
+        keys = xcalloc((nkeys+1), sizeof(Key *));
 
         n = key_new(KEY_RSA1);
-        BN_copy(n->rsa->n, k->rsa->n);
-        BN_copy(n->rsa->e, k->rsa->e);
+        if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+            (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+                fatal("sc_get_keys: BN_copy failed");
         RSA_set_method(n->rsa, sc_get_rsa());
         n->flags |= KEY_FLAG_EXT;
         keys[0] = n;
 
         n = key_new(KEY_RSA);
-        BN_copy(n->rsa->n, k->rsa->n);
-        BN_copy(n->rsa->e, k->rsa->e);
+        if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+            (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+                fatal("sc_get_keys: BN_copy failed");
         RSA_set_method(n->rsa, sc_get_rsa());
         n->flags |= KEY_FLAG_EXT;
         keys[1] = n;
diff --git a/scard.h b/scard.h
index 9ba20a361..82efe4839 100644
--- a/scard.h
+++ b/scard.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: scard.h,v 1.12 2003/06/12 19:12:03 markus Exp $       */
+/* $OpenBSD: scard.h,v 1.14 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -27,8 +27,6 @@
 #ifndef SCARD_H
 #define SCARD_H
 
-#include "key.h"
-
 #define SCARD_ERROR_FAIL        -1
 #define SCARD_ERROR_NOCARD      -2
 #define SCARD_ERROR_APPLET      -3
diff --git a/scard/Makefile.in b/scard/Makefile.in
index ab4e22043..8519e208b 100644
--- a/scard/Makefile.in
+++ b/scard/Makefile.in
@@ -1,7 +1,8 @@
-# $Id: Makefile.in,v 1.4 2002/04/26 01:25:41 djm Exp $
+# $Id: Makefile.in,v 1.5 2006/10/23 21:44:47 tim Exp $
 
 prefix=@prefix@
 datadir=@datadir@
+datarootdir=@datarootdir@
 srcdir=@srcdir@
 top_srcdir=@top_srcdir@
 
diff --git a/scp.0 b/scp.0
index 2c7f15567..6e7a196f4 100644
--- a/scp.0
+++ b/scp.0
@@ -127,8 +127,7 @@ DESCRIPTION
              about their progress.  This is helpful in debugging connection,
              authentication, and configuration problems.
 
-DIAGNOSTICS
-     scp exits with 0 on success or >0 if an error occurred.
+     The scp utility exits 0 on success, and >0 if an error occurs.
 
 SEE ALSO
      rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
@@ -142,4 +141,4 @@ AUTHORS
      Timo Rinne <tri@iki.fi>
      Tatu Ylonen <ylo@cs.hut.fi>
 
-OpenBSD 3.9                   September 25, 1999                             3
+OpenBSD 4.1                   September 25, 1999                             3
diff --git a/scp.1 b/scp.1
index d9b1f8e8f..43662abea 100644
--- a/scp.1
+++ b/scp.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $
+.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
 .\"
 .Dd September 25, 1999
 .Dt SCP 1
@@ -198,9 +198,8 @@ to print debugging messages about their progress.
 This is helpful in
 debugging connection, authentication, and configuration problems.
 .El
-.Sh DIAGNOSTICS
-.Nm
-exits with 0 on success or >0 if an error occurred.
+.Pp
+.Ex -std scp
 .Sh SEE ALSO
 .Xr rcp 1 ,
 .Xr sftp 1 ,
diff --git a/scp.c b/scp.c
index 620024ea7..a52aaeb12 100644
--- a/scp.c
+++ b/scp.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -71,7 +72,30 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/wait.h>
+#include <sys/uio.h>
+
+#include <ctype.h>
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
 
 #include "xmalloc.h"
 #include "atomicio.h"
@@ -82,6 +106,8 @@ RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");
 
 extern char *__progname;
 
+int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
+
 void bwlimit(int);
 
 /* Struct for addargs */
@@ -167,7 +193,7 @@ do_local_cmd(arglist *a)
  */
 
 int
-do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
+do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
 {
         int pin[2], pout[2], reserved[2];
 
@@ -181,7 +207,8 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
          * Reserve two descriptors so that the real pipes won't get
          * descriptors 0 and 1 because that will screw up dup2 below.
          */
-        pipe(reserved);
+        if (pipe(reserved) < 0)
+                fatal("pipe: %s", strerror(errno));
 
         /* Create a socket pair for communicating with ssh. */
         if (pipe(pin) < 0)
@@ -234,7 +261,6 @@ typedef struct {
 
 BUF *allocbuf(BUF *, int, int);
 void lostconn(int);
-void nospace(void);
 int okname(char *);
 void run_err(const char *,...);
 void verifydir(char *);
@@ -258,15 +284,21 @@ void usage(void);
 int
 main(int argc, char **argv)
 {
-        int ch, fflag, tflag, status;
+        int ch, fflag, tflag, status, n;
         double speed;
-        char *targ, *endp;
+        char *targ, *endp, **newargv;
         extern char *optarg;
         extern int optind;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
 
+        /* Copy argv, because we modify it */
+        newargv = xcalloc(MAX(argc + 1, 1), sizeof(*newargv));
+        for (n = 0; n < argc; n++)
+                newargv[n] = xstrdup(argv[n]);
+        argv = newargv;
+
         __progname = ssh_get_progname(argv[0]);
 
         memset(&args, '\0', sizeof(args));
@@ -348,7 +380,7 @@ main(int argc, char **argv)
         if ((pwd = getpwuid(userid = getuid())) == NULL)
                 fatal("unknown user %u", (u_int) userid);
 
-        if (!isatty(STDERR_FILENO))
+        if (!isatty(STDOUT_FILENO))
                 showprogress = 0;
 
         remin = STDIN_FILENO;
@@ -409,9 +441,9 @@ main(int argc, char **argv)
 void
 toremote(char *targ, int argc, char **argv)
 {
-        int i, len;
         char *bp, *host, *src, *suser, *thost, *tuser, *arg;
         arglist alist;
+        int i;
 
         memset(&alist, '\0', sizeof(alist));
         alist.list = NULL;
@@ -476,12 +508,10 @@ toremote(char *targ, int argc, char **argv)
                                 errs = 1;
                 } else {        /* local to remote */
                         if (remin == -1) {
-                                len = strlen(targ) + CMDNEEDS + 20;
-                                bp = xmalloc(len);
-                                (void) snprintf(bp, len, "%s -t %s", cmd, targ);
+                                xasprintf(&bp, "%s -t %s", cmd, targ);
                                 host = cleanhostname(thost);
                                 if (do_cmd(host, tuser, bp, &remin,
-                                    &remout, argc) < 0)
+                                    &remout) < 0)
                                         exit(1);
                                 if (response() < 0)
                                         exit(1);
@@ -490,14 +520,15 @@ toremote(char *targ, int argc, char **argv)
                         source(1, argv + i);
                 }
         }
+        xfree(arg);
 }
 
 void
 tolocal(int argc, char **argv)
 {
-        int i, len;
         char *bp, *host, *src, *suser;
         arglist alist;
+        int i;
 
         memset(&alist, '\0', sizeof(alist));
         alist.list = NULL;
@@ -529,10 +560,8 @@ tolocal(int argc, char **argv)
                                 suser = pwd->pw_name;
                 }
                 host = cleanhostname(host);
-                len = strlen(src) + CMDNEEDS + 20;
-                bp = xmalloc(len);
-                (void) snprintf(bp, len, "%s -f %s", cmd, src);
-                if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) {
+                xasprintf(&bp, "%s -f %s", cmd, src);
+                if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
                         (void) xfree(bp);
                         ++errs;
                         continue;
@@ -777,7 +806,8 @@ sink(int argc, char **argv)
         BUF *bp;
         off_t i;
         size_t j, count;
-        int amt, exists, first, mask, mode, ofd, omode;
+        int amt, exists, first, ofd;
+        mode_t mode, omode, mask;
         off_t size, statbytes;
         int setimes, targisdir, wrerrno = 0;
         char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
@@ -1097,15 +1127,15 @@ run_err(const char *fmt,...)
         va_list ap;
 
         ++errs;
-        if (fp == NULL && !(fp = fdopen(remout, "w")))
-                return;
-        (void) fprintf(fp, "%c", 0x01);
-        (void) fprintf(fp, "scp: ");
-        va_start(ap, fmt);
-        (void) vfprintf(fp, fmt, ap);
-        va_end(ap);
-        (void) fprintf(fp, "\n");
-        (void) fflush(fp);
+        if (fp != NULL || (remout != -1 && (fp = fdopen(remout, "w")))) {
+                (void) fprintf(fp, "%c", 0x01);
+                (void) fprintf(fp, "scp: ");
+                va_start(ap, fmt);
+                (void) vfprintf(fp, fmt, ap);
+                va_end(ap);
+                (void) fprintf(fp, "\n");
+                (void) fflush(fp);
+        }
 
         if (!iamremote) {
                 va_start(ap, fmt);
@@ -1181,7 +1211,7 @@ allocbuf(BUF *bp, int fd, int blksize)
         if (bp->buf == NULL)
                 bp->buf = xmalloc(size);
         else
-                bp->buf = xrealloc(bp->buf, size);
+                bp->buf = xrealloc(bp->buf, 1, size);
         memset(bp->buf, 0, size);
         bp->cnt = size;
         return (bp);
diff --git a/selinux.c b/selinux.c
deleted file mode 100644
index 2811a9b80..000000000
--- a/selinux.c
+++ /dev/null
@@ -1,95 +0,0 @@
-#include "includes.h"
-#include "auth.h"
-#include "log.h"
-
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/context.h>
-#include <selinux/get_context_list.h>
-#include <selinux/get_default_type.h>
-
-extern Authctxt *the_authctxt;
-
-static const security_context_t 
-selinux_get_user_context(const char *name)
-{
-        security_context_t user_context=NULL;
-        char *role=NULL;
-        int ret = -1;
-        char *seuser=NULL;
-        char *level=NULL;
-
-        if (the_authctxt) 
-          role=the_authctxt->role;
-        if (getseuserbyname(name, &seuser, &level)==0) {
-          if (role != NULL && role[0])
-            ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
-                                                   &user_context);
-          else
-            ret=get_default_context_with_level(seuser, level, NULL,&user_context);
-        }
-        if ( ret < 0 ) {
-          if (security_getenforce() > 0)
-            fatal("Failed to get default security context for %s.",
-                  name);
-          else
-            error("Failed to get default security context for %s."
-                  "Continuing in permissive mode",
-                  name);
-        }
-        return user_context;
-}
-
-void 
-setup_selinux_pty(const char *name, const char *tty)
-{
-  if (is_selinux_enabled() > 0) {
-    security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
-
-    user_context=selinux_get_user_context(name);
-
-    if (getfilecon(tty, &old_tty_context) < 0) {
-      error("getfilecon(%.100s) failed: %.100s",
-            tty, strerror(errno));
-    } else {
-      if (security_compute_relabel(user_context,old_tty_context,
-                                   SECCLASS_CHR_FILE, &new_tty_context) != 0) {
-        error("security_compute_relabel(%.100s) failed: "
-              "%.100s", tty, strerror(errno));
-      } else {
-        if (setfilecon (tty, new_tty_context) != 0)
-          error("setfilecon(%.100s, %s) failed: %.100s",
-                tty, new_tty_context, strerror(errno));
-        freecon(new_tty_context);
-      }
-      freecon(old_tty_context);
-    }
-    if (user_context) {
-      freecon(user_context);
-    }
-  }
-}
-
-void 
-setup_selinux_exec_context(char *name)
-{
-
-  if (is_selinux_enabled() > 0) {
-    security_context_t user_context=selinux_get_user_context(name);
-    if (setexeccon(user_context)) {
-      if (security_getenforce() > 0)
-        fatal("Failed to set exec security context %s for %s.",
-              user_context, name);
-      else
-        error("Failed to set exec security context %s for %s. "
-              "Continuing in permissive mode",
-              user_context, name);
-    }
-    if (user_context) {
-      freecon(user_context);
-    }
-  }
-}
-
-#endif /* WITH_SELINUX */
diff --git a/selinux.h b/selinux.h
deleted file mode 100644
index af1d44632..000000000
--- a/selinux.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef SELINUX_H
-#define SELINUX_H
-
-#  ifdef WITH_SELINUX
-
-extern void setup_selinux_pty(const char *, const char *);
-extern void setup_selinux_exec_context(const char *);
-
-#  else
-
-static inline void setup_selinux_pty(const char *name, const char *tty) {}
-static inline void setup_selinux_exec_context(const char *name) {} 
-
-#endif /* WITH_SELINUX */
-#endif /* SELINUX_H */
diff --git a/servconf.c b/servconf.c
index 60febff99..951bbc4bf 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -10,24 +11,41 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
 
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netdb.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
-#include "xmalloc.h"
 #include "compat.h"
 #include "pathnames.h"
 #include "misc.h"
 #include "cipher.h"
+#include "key.h"
 #include "kex.h"
 #include "mac.h"
+#include "match.h"
+#include "channels.h"
+#include "groupaccess.h"
 
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
 
 /* Use of privilege separation or not */
 extern int use_privsep;
+extern Buffer cfg;
 
 /* Initializes the server options to their default values. */
 
@@ -74,6 +92,7 @@ initialize_server_options(ServerOptions *options)
         options->gss_authentication=-1;
         options->gss_keyex = -1;
         options->gss_cleanup_creds = -1;
+        options->gss_strict_acceptor = -1;
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -103,9 +122,8 @@ initialize_server_options(ServerOptions *options)
         options->authorized_keys_file2 = NULL;
         options->num_accept_env = 0;
         options->permit_tun = -1;
-
-        /* Needs to be accessable in many places */
-        use_privsep = -1;
+        options->num_permitted_opens = -1;
+        options->adm_forced_command = NULL;
 }
 
 void
@@ -192,6 +210,8 @@ fill_default_server_options(ServerOptions *options)
                 options->gss_keyex = 0;
         if (options->gss_cleanup_creds == -1)
                 options->gss_cleanup_creds = 1;
+        if (options->gss_strict_acceptor == -1)
+                options->gss_strict_acceptor = 1;
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
@@ -276,118 +296,130 @@ typedef enum {
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-        sGssAuthentication, sGssKeyEx, sGssCleanupCreds, 
+        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+        sGssKeyEx,
         sAcceptEnv, sPermitTunnel,
+        sMatch, sPermitOpen, sForceCommand,
         sUsePrivilegeSeparation,
         sDeprecated, sUnsupported
 } ServerOpCodes;
 
+#define SSHCFG_GLOBAL   0x01    /* allowed in main section of sshd_config */
+#define SSHCFG_MATCH    0x02    /* allowed inside a Match section */
+#define SSHCFG_ALL      (SSHCFG_GLOBAL|SSHCFG_MATCH)
+
 /* Textual representation of the tokens. */
 static struct {
         const char *name;
         ServerOpCodes opcode;
+        u_int flags;
 } keywords[] = {
         /* Portable-specific options */
 #ifdef USE_PAM
-        { "usepam", sUsePAM },
+        { "usepam", sUsePAM, SSHCFG_GLOBAL },
 #else
-        { "usepam", sUnsupported },
+        { "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "pamauthenticationviakbdint", sDeprecated },
+        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
         /* Standard Options */
-        { "port", sPort },
-        { "hostkey", sHostKeyFile },
-        { "hostdsakey", sHostKeyFile },                                 /* alias */
-        { "pidfile", sPidFile },
-        { "serverkeybits", sServerKeyBits },
-        { "logingracetime", sLoginGraceTime },
-        { "keyregenerationinterval", sKeyRegenerationTime },
-        { "permitrootlogin", sPermitRootLogin },
-        { "syslogfacility", sLogFacility },
-        { "loglevel", sLogLevel },
-        { "rhostsauthentication", sDeprecated },
-        { "rhostsrsaauthentication", sRhostsRSAAuthentication },
-        { "hostbasedauthentication", sHostbasedAuthentication },
-        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
-        { "rsaauthentication", sRSAAuthentication },
-        { "pubkeyauthentication", sPubkeyAuthentication },
-        { "dsaauthentication", sPubkeyAuthentication },                 /* alias */
+        { "port", sPort, SSHCFG_GLOBAL },
+        { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
+        { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },          /* alias */
+        { "pidfile", sPidFile, SSHCFG_GLOBAL },
+        { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
+        { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
+        { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
+        { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
+        { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
+        { "loglevel", sLogLevel, SSHCFG_GLOBAL },
+        { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
+        { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
+        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
+        { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
+        { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },  /* alias */
 #ifdef KRB5
-        { "kerberosauthentication", sKerberosAuthentication },
-        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
-        { "kerberosticketcleanup", sKerberosTicketCleanup },
+        { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
+        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
+        { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
-        { "kerberosgetafstoken", sKerberosGetAFSToken },
+        { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
 #else
-        { "kerberosgetafstoken", sUnsupported },
+        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-        { "kerberosauthentication", sUnsupported },
-        { "kerberosorlocalpasswd", sUnsupported },
-        { "kerberosticketcleanup", sUnsupported },
-        { "kerberosgetafstoken", sUnsupported },
+        { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
+        { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "kerberostgtpassing", sUnsupported },
-        { "afstokenpassing", sUnsupported },
+        { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
+        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-        { "gssapiauthentication", sGssAuthentication },
-        { "gssapikeyexchange", sGssKeyEx },
-        { "gssapicleanupcredentials", sGssCleanupCreds },
-        { "gssapicleanupcreds", sGssCleanupCreds },
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 #else
-        { "gssapiauthentication", sUnsupported },
-        { "gssapikeyexchange", sUnsupported },
-        { "gssapicleanupcredentials", sUnsupported },
-        { "gssapicleanupcreds", sUnsupported },
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "gssusesessionccache", sUnsupported },
-        { "gssapiusesessioncredcache", sUnsupported },
-        { "passwordauthentication", sPasswordAuthentication },
-        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
-        { "challengeresponseauthentication", sChallengeResponseAuthentication },
-        { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
-        { "checkmail", sDeprecated },
-        { "listenaddress", sListenAddress },
-        { "addressfamily", sAddressFamily },
-        { "printmotd", sPrintMotd },
-        { "printlastlog", sPrintLastLog },
-        { "ignorerhosts", sIgnoreRhosts },
-        { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
-        { "x11forwarding", sX11Forwarding },
-        { "x11displayoffset", sX11DisplayOffset },
-        { "x11uselocalhost", sX11UseLocalhost },
-        { "xauthlocation", sXAuthLocation },
-        { "strictmodes", sStrictModes },
-        { "permitemptypasswords", sEmptyPasswd },
-        { "permituserenvironment", sPermitUserEnvironment },
-        { "uselogin", sUseLogin },
-        { "compression", sCompression },
-        { "tcpkeepalive", sTCPKeepAlive },
-        { "keepalive", sTCPKeepAlive },                         /* obsolete alias */
-        { "allowtcpforwarding", sAllowTcpForwarding },
-        { "allowusers", sAllowUsers },
-        { "denyusers", sDenyUsers },
-        { "allowgroups", sAllowGroups },
-        { "denygroups", sDenyGroups },
-        { "ciphers", sCiphers },
-        { "macs", sMacs },
-        { "protocol", sProtocol },
-        { "gatewayports", sGatewayPorts },
-        { "subsystem", sSubsystem },
-        { "maxstartups", sMaxStartups },
-        { "maxauthtries", sMaxAuthTries },
-        { "banner", sBanner },
-        { "usedns", sUseDNS },
-        { "verifyreversemapping", sDeprecated },
-        { "reversemappingcheck", sDeprecated },
-        { "clientaliveinterval", sClientAliveInterval },
-        { "clientalivecountmax", sClientAliveCountMax },
-        { "authorizedkeysfile", sAuthorizedKeysFile },
-        { "authorizedkeysfile2", sAuthorizedKeysFile2 },
-        { "useprivilegeseparation", sUsePrivilegeSeparation},
-        { "acceptenv", sAcceptEnv },
-        { "permittunnel", sPermitTunnel },
-        { NULL, sBadOption }
+        { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+        { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+        { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+        { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+        { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
+        { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+        { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+        { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
+        { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
+        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
+        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
+        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+        { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
+        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
+        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
+        { "compression", sCompression, SSHCFG_GLOBAL },
+        { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
+        { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },  /* obsolete alias */
+        { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+        { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
+        { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
+        { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
+        { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
+        { "ciphers", sCiphers, SSHCFG_GLOBAL },
+        { "macs", sMacs, SSHCFG_GLOBAL },
+        { "protocol", sProtocol, SSHCFG_GLOBAL },
+        { "gatewayports", sGatewayPorts, SSHCFG_ALL },
+        { "subsystem", sSubsystem, SSHCFG_GLOBAL },
+        { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
+        { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
+        { "banner", sBanner, SSHCFG_ALL },
+        { "usedns", sUseDNS, SSHCFG_GLOBAL },
+        { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+        { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+        { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
+        { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
+        { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
+        { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+        { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+        { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+        { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
+        { "match", sMatch, SSHCFG_ALL },
+        { "permitopen", sPermitOpen, SSHCFG_ALL },
+        { "forcecommand", sForceCommand, SSHCFG_ALL },
+        { NULL, sBadOption, 0 }
 };
 
 /*
@@ -396,13 +428,15 @@ static struct {
 
 static ServerOpCodes
 parse_token(const char *cp, const char *filename,
-            int linenum)
+            int linenum, u_int *flags)
 {
         u_int i;
 
         for (i = 0; keywords[i].name; i++)
-                if (strcasecmp(cp, keywords[i].name) == 0)
+                if (strcasecmp(cp, keywords[i].name) == 0) {
+                        *flags = keywords[i].flags;
                         return keywords[i].opcode;
+                }
 
         error("%s: line %d: Bad configuration option: %s",
             filename, linenum, cp);
@@ -447,18 +481,171 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
         options->listen_addrs = aitop;
 }
 
+/*
+ * The strategy for the Match blocks is that the config file is parsed twice.
+ *
+ * The first time is at startup.  activep is initialized to 1 and the
+ * directives in the global context are processed and acted on.  Hitting a
+ * Match directive unsets activep and the directives inside the block are
+ * checked for syntax only.
+ *
+ * The second time is after a connection has been established but before
+ * authentication.  activep is initialized to 2 and global config directives
+ * are ignored since they have already been processed.  If the criteria in a
+ * Match block is met, activep is set and the subsequent directives
+ * processed and actioned until EOF or another Match block unsets it.  Any
+ * options set are copied into the main server config.
+ *
+ * Potential additions/improvements:
+ *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
+ *
+ *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
+ *      Match Address 192.168.0.*
+ *              Tag trusted
+ *      Match Group wheel
+ *              Tag trusted
+ *      Match Tag trusted
+ *              AllowTcpForwarding yes
+ *              GatewayPorts clientspecified
+ *              [...]
+ *
+ *  - Add a PermittedChannelRequests directive
+ *      Match Group shell
+ *              PermittedChannelRequests session,forwarded-tcpip
+ */
+
+static int
+match_cfg_line_group(const char *grps, int line, const char *user)
+{
+        int result = 0;
+        u_int ngrps = 0;
+        char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
+        struct passwd *pw;
+
+        /*
+         * Even if we do not have a user yet, we still need to check for
+         * valid syntax.
+         */
+        arg = cp = xstrdup(grps);
+        while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
+                if (ngrps >= MAX_MATCH_GROUPS) {
+                        error("line %d: too many groups in Match Group", line);
+                        result = -1;
+                        goto out;
+                }
+                grplist[ngrps++] = p;
+        }
+
+        if (user == NULL)
+                goto out;
+
+        if ((pw = getpwnam(user)) == NULL) {
+                debug("Can't match group at line %d because user %.100s does "
+                    "not exist", line, user);
+        } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+                debug("Can't Match group because user %.100s not in any group "
+                    "at line %d", user, line);
+        } else if (ga_match(grplist, ngrps) != 1) {
+                debug("user %.100s does not match group %.100s at line %d",
+                    user, arg, line);
+        } else {
+                debug("user %.100s matched group %.100s at line %d", user,
+                    arg, line);
+                result = 1;
+        }
+out:
+        ga_free();
+        xfree(arg);
+        return result;
+}
+
+static int
+match_cfg_line(char **condition, int line, const char *user, const char *host,
+    const char *address)
+{
+        int result = 1;
+        char *arg, *attrib, *cp = *condition;
+        size_t len;
+
+        if (user == NULL)
+                debug3("checking syntax for 'Match %s'", cp);
+        else
+                debug3("checking match for '%s' user %s host %s addr %s", cp,
+                    user ? user : "(null)", host ? host : "(null)",
+                    address ? address : "(null)");
+
+        while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+                if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
+                        error("Missing Match criteria for %s", attrib);
+                        return -1;
+                }
+                len = strlen(arg);
+                if (strcasecmp(attrib, "user") == 0) {
+                        if (!user) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_pattern_list(user, arg, len, 0) != 1)
+                                result = 0;
+                        else
+                                debug("user %.100s matched 'User %.100s' at "
+                                    "line %d", user, arg, line);
+                } else if (strcasecmp(attrib, "group") == 0) {
+                        switch (match_cfg_line_group(arg, line, user)) {
+                        case -1:
+                                return -1;
+                        case 0:
+                                result = 0;
+                        }
+                } else if (strcasecmp(attrib, "host") == 0) {
+                        if (!host) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_hostname(host, arg, len) != 1)
+                                result = 0;
+                        else
+                                debug("connection from %.100s matched 'Host "
+                                    "%.100s' at line %d", host, arg, line);
+                } else if (strcasecmp(attrib, "address") == 0) {
+                        debug("address '%s' arg '%s'", address, arg);
+                        if (!address) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_hostname(address, arg, len) != 1)
+                                result = 0;
+                        else
+                                debug("connection from %.100s matched 'Address "
+                                    "%.100s' at line %d", address, arg, line);
+                } else {
+                        error("Unsupported Match attribute %s", attrib);
+                        return -1;
+                }
+        }
+        if (user != NULL)
+                debug3("match %sfound", result ? "" : "not ");
+        *condition = cp;
+        return result;
+}
+
+#define WHITESPACE " \t\r\n"
+
 int
 process_server_config_line(ServerOptions *options, char *line,
-    const char *filename, int linenum)
+    const char *filename, int linenum, int *activep, const char *user,
+    const char *host, const char *address)
 {
         char *cp, **charptr, *arg, *p;
-        int *intptr, value, n;
+        int cmdline = 0, *intptr, value, n;
         ServerOpCodes opcode;
         u_short port;
-        u_int i;
+        u_int i, flags = 0;
+        size_t len;
 
         cp = line;
-        arg = strdelim(&cp);
+        if ((arg = strdelim(&cp)) == NULL)
+                return 0;
         /* Ignore leading whitespace */
         if (*arg == '\0')
                 arg = strdelim(&cp);
@@ -466,7 +653,25 @@ process_server_config_line(ServerOptions *options, char *line,
                 return 0;
         intptr = NULL;
         charptr = NULL;
-        opcode = parse_token(arg, filename, linenum);
+        opcode = parse_token(arg, filename, linenum, &flags);
+
+        if (activep == NULL) { /* We are processing a command line directive */
+                cmdline = 1;
+                activep = &cmdline;
+        }
+        if (*activep && opcode != sMatch)
+                debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
+        if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
+                if (user == NULL) {
+                        fatal("%s line %d: Directive '%s' is not allowed "
+                            "within a Match block", filename, linenum, arg);
+                } else { /* this is a directive we have already processed */
+                        while (arg)
+                                arg = strdelim(&cp);
+                        return 0;
+                }
+        }
+
         switch (opcode) {
         /* Portable-specific options */
         case sUsePAM:
@@ -504,7 +709,7 @@ parse_int:
                         fatal("%s line %d: missing integer value.",
                             filename, linenum);
                 value = atoi(arg);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -584,7 +789,7 @@ parse_filename:
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: missing file name.",
                             filename, linenum);
-                if (*charptr == NULL) {
+                if (*activep && *charptr == NULL) {
                         *charptr = tilde_expand_filename(arg, getuid());
                         /* increase optional counter */
                         if (intptr != NULL)
@@ -635,7 +840,7 @@ parse_flag:
                 else
                         fatal("%s line %d: Bad yes/no argument: %s",
                                 filename, linenum, arg);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -691,6 +896,10 @@ parse_flag:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
 
+        case sGssStrictAcceptor:
+                intptr = &options->gss_strict_acceptor;
+                goto parse_flag;
+
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
@@ -783,7 +992,7 @@ parse_flag:
                 else
                         fatal("%s line %d: Bad yes/no/clientspecified "
                             "argument: %s", filename, linenum, arg);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -834,7 +1043,7 @@ parse_flag:
         case sDenyUsers:
                 while ((arg = strdelim(&cp)) && *arg != '\0') {
                         if (options->num_deny_users >= MAX_DENY_USERS)
-                                fatal( "%s line %d: too many deny users.",
+                                fatal("%s line %d: too many deny users.",
                                     filename, linenum);
                         options->deny_users[options->num_deny_users++] =
                             xstrdup(arg);
@@ -904,6 +1113,10 @@ parse_flag:
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: Missing subsystem name.",
                             filename, linenum);
+                if (!*activep) {
+                        arg = strdelim(&cp);
+                        break;
+                }
                 for (i = 0; i < options->num_subsystems; i++)
                         if (strcmp(arg, options->subsystem_name[i]) == 0)
                                 fatal("%s line %d: Subsystem '%s' already defined.",
@@ -914,6 +1127,17 @@ parse_flag:
                         fatal("%s line %d: Missing subsystem command.",
                             filename, linenum);
                 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
+
+                /* Collect arguments (separate to executable) */
+                p = xstrdup(arg);
+                len = strlen(p) + 1;
+                while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
+                        len += 1 + strlen(arg);
+                        p = xrealloc(p, 1, len);
+                        strlcat(p, " ", len);
+                        strlcat(p, arg, len);
+                }
+                options->subsystem_args[options->num_subsystems] = p;
                 options->num_subsystems++;
                 break;
 
@@ -954,7 +1178,7 @@ parse_flag:
          */
         case sAuthorizedKeysFile:
         case sAuthorizedKeysFile2:
-                charptr = (opcode == sAuthorizedKeysFile ) ?
+                charptr = (opcode == sAuthorizedKeysFile) ?
                     &options->authorized_keys_file :
                     &options->authorized_keys_file2;
                 goto parse_filename;
@@ -975,6 +1199,8 @@ parse_flag:
                         if (options->num_accept_env >= MAX_ACCEPT_ENV)
                                 fatal("%s line %d: too many allow env.",
                                     filename, linenum);
+                        if (!*activep)
+                                break;
                         options->accept_env[options->num_accept_env++] =
                             xstrdup(arg);
                 }
@@ -1002,6 +1228,56 @@ parse_flag:
                         *intptr = value;
                 break;
 
+        case sMatch:
+                if (cmdline)
+                        fatal("Match directive not supported as a command-line "
+                           "option");
+                value = match_cfg_line(&cp, linenum, user, host, address);
+                if (value < 0)
+                        fatal("%s line %d: Bad Match condition", filename,
+                            linenum);
+                *activep = value;
+                break;
+
+        case sPermitOpen:
+                arg = strdelim(&cp);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing PermitOpen specification",
+                            filename, linenum);
+                n = options->num_permitted_opens;       /* modified later */
+                if (strcmp(arg, "any") == 0) {
+                        if (*activep && n == -1) {
+                                channel_clear_adm_permitted_opens();
+                                options->num_permitted_opens = 0;
+                        }
+                        break;
+                }
+                if (*activep && n == -1)
+                        channel_clear_adm_permitted_opens();
+                for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+                        p = hpdelim(&arg);
+                        if (p == NULL)
+                                fatal("%s line %d: missing host in PermitOpen",
+                                    filename, linenum);
+                        p = cleanhostname(p);
+                        if (arg == NULL || (port = a2port(arg)) == 0)
+                                fatal("%s line %d: bad port number in "
+                                    "PermitOpen", filename, linenum);
+                        if (*activep && n == -1)
+                                options->num_permitted_opens =
+                                    channel_add_adm_permitted_opens(p, port);
+                }
+                break;
+
+        case sForceCommand:
+                if (cp == NULL)
+                        fatal("%.200s line %d: Missing argument.", filename,
+                            linenum);
+                len = strspn(cp, WHITESPACE);
+                if (*activep && options->adm_forced_command == NULL)
+                        options->adm_forced_command = xstrdup(cp + len);
+                return 0;
+
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
@@ -1058,22 +1334,85 @@ load_server_config(const char *filename, Buffer *conf)
 }
 
 void
-parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
+parse_server_match_config(ServerOptions *options, const char *user,
+    const char *host, const char *address)
 {
-        int linenum, bad_options = 0;
+        ServerOptions mo;
+
+        initialize_server_options(&mo);
+        parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
+        copy_set_server_options(options, &mo, 0);
+}
+
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+        if (src->n != -1) \
+                dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+        if (src->n != NULL) { \
+                if (dst->n != NULL) \
+                        xfree(dst->n); \
+                dst->n = src->n; \
+        } \
+} while(0)
+
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
+void
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+{
+        M_CP_INTOPT(password_authentication);
+        M_CP_INTOPT(gss_authentication);
+        M_CP_INTOPT(rsa_authentication);
+        M_CP_INTOPT(pubkey_authentication);
+        M_CP_INTOPT(kerberos_authentication);
+        M_CP_INTOPT(hostbased_authentication);
+        M_CP_INTOPT(kbd_interactive_authentication);
+
+        M_CP_INTOPT(allow_tcp_forwarding);
+        M_CP_INTOPT(gateway_ports);
+        M_CP_INTOPT(x11_display_offset);
+        M_CP_INTOPT(x11_forwarding);
+        M_CP_INTOPT(x11_use_localhost);
+
+        M_CP_STROPT(banner);
+        if (preauth)
+                return;
+        M_CP_STROPT(adm_forced_command);
+}
+
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
+
+void
+parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
+    const char *user, const char *host, const char *address)
+{
+        int active, linenum, bad_options = 0;
         char *cp, *obuf, *cbuf;
 
         debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
 
         obuf = cbuf = xstrdup(buffer_ptr(conf));
+        active = user ? 0 : 1;
         linenum = 1;
         while ((cp = strsep(&cbuf, "\n")) != NULL) {
                 if (process_server_config_line(options, cp, filename,
-                    linenum++) != 0)
+                    linenum++, &active, user, host, address) != 0)
                         bad_options++;
         }
         xfree(obuf);
         if (bad_options > 0)
                 fatal("%s: terminating, %d bad configuration options",
                     filename, bad_options);
+
+        /* challenge-response is implemented via keyboard interactive */
+        if (options->challenge_response_authentication == 1)
+                options->kbd_interactive_authentication = 1;
 }
diff --git a/servconf.h b/servconf.h
index 0ef05bcd9..257de1c8b 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $      */
+/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,8 +16,6 @@
 #ifndef SERVCONF_H
 #define SERVCONF_H
 
-#include "buffer.h"
-
 #define MAX_PORTS               256     /* Max # ports. */
 
 #define MAX_ALLOW_USERS         256     /* Max # users on allow list. */
@@ -27,6 +25,7 @@
 #define MAX_SUBSYSTEMS          256     /* Max # subsystems. */
 #define MAX_HOSTKEYS            256     /* Max # hostkeys. */
 #define MAX_ACCEPT_ENV          256     /* Max # of env vars. */
+#define MAX_MATCH_GROUPS        256     /* Max # of groups for Match. */
 
 /* permit_root_login */
 #define PERMIT_NOT_SET          -1
@@ -90,6 +89,7 @@ typedef struct {
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
         int     gss_keyex;              /* If true, permit GSSAPI key exchange */
         int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
         int     password_authentication;        /* If true, permit password
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
@@ -112,6 +112,7 @@ typedef struct {
         u_int num_subsystems;
         char   *subsystem_name[MAX_SUBSYSTEMS];
         char   *subsystem_command[MAX_SUBSYSTEMS];
+        char   *subsystem_args[MAX_SUBSYSTEMS];
 
         u_int num_accept_env;
         char   *accept_env[MAX_ACCEPT_ENV];
@@ -135,15 +136,24 @@ typedef struct {
         char   *authorized_keys_file;   /* File containing public keys */
         char   *authorized_keys_file2;
 
+        char   *adm_forced_command;
+
         int     use_pam;                /* Enable auth via PAM */
 
         int     permit_tun;
+
+        int     num_permitted_opens;
 }       ServerOptions;
 
 void     initialize_server_options(ServerOptions *);
 void     fill_default_server_options(ServerOptions *);
-int      process_server_config_line(ServerOptions *, char *, const char *, int);
+int      process_server_config_line(ServerOptions *, char *, const char *, int,
+             int *, const char *, const char *, const char *);
 void     load_server_config(const char *, Buffer *);
-void     parse_server_config(ServerOptions *, const char *, Buffer *);
+void     parse_server_config(ServerOptions *, const char *, Buffer *,
+             const char *, const char *, const char *);
+void     parse_server_match_config(ServerOptions *, const char *, const char *,
+             const char *);
+void     copy_set_server_options(ServerOptions *, ServerOptions *, int);
 
 #endif                          /* SERVCONF_H */
diff --git a/serverloop.c b/serverloop.c
index f72b73bf8..29ffcfee1 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: serverloop.c,v 1.145 2006/10/11 12:38:03 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +36,25 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/wait.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <signal.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -48,13 +67,16 @@ RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $");
 #include "compat.h"
 #include "ssh1.h"
 #include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "session.h"
 #include "dispatch.h"
 #include "auth-options.h"
 #include "serverloop.h"
 #include "misc.h"
-#include "kex.h"
 
 extern ServerOptions options;
 
@@ -142,11 +164,11 @@ notify_done(fd_set *readset)
                         debug2("notify_done: reading");
 }
 
+/*ARGSUSED*/
 static void
 sigchld_handler(int sig)
 {
         int save_errno = errno;
-        debug("Received SIGCHLD.");
         child_terminated = 1;
 #ifndef _UNICOS
         mysignal(SIGCHLD, sigchld_handler);
@@ -155,6 +177,7 @@ sigchld_handler(int sig)
         errno = save_errno;
 }
 
+/*ARGSUSED*/
 static void
 sigterm_handler(int sig)
 {
@@ -225,8 +248,10 @@ client_alive_check(void)
         int channel_id;
 
         /* timeout, check to see how many we have had */
-        if (++client_alive_timeouts > options.client_alive_count_max)
-                packet_disconnect("Timeout, your session not responding.");
+        if (++client_alive_timeouts > options.client_alive_count_max) {
+                logit("Timeout, client not responding.");
+                cleanup_exit(255);
+        }
 
         /*
          * send a bogus global/channel request with "wantreply",
@@ -255,6 +280,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
         struct timeval tv, *tvp;
         int ret;
         int client_alive_scheduled = 0;
+        int program_alive_scheduled = 0;
 
         /*
          * if using client_alive, set the max timeout accordingly,
@@ -292,6 +318,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
                  * the client, try to get some more data from the program.
                  */
                 if (packet_not_very_much_data_to_write()) {
+                        program_alive_scheduled = child_terminated;
                         if (!fdout_eof)
                                 FD_SET(fdout, *readsetp);
                         if (!fderr_eof)
@@ -337,8 +364,16 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
                 memset(*writesetp, 0, *nallocp);
                 if (errno != EINTR)
                         error("select: %.100s", strerror(errno));
-        } else if (ret == 0 && client_alive_scheduled)
-                client_alive_check();
+        } else {
+                if (ret == 0 && client_alive_scheduled)
+                        client_alive_check();
+                if (!compat20 && program_alive_scheduled && fdin_is_tty) {
+                        if (!fdout_eof)
+                                FD_SET(fdout, *readsetp);
+                        if (!fderr_eof)
+                                FD_SET(fderr, *readsetp);
+                }
+        }
 
         notify_done(*readsetp);
 }
@@ -348,7 +383,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
  * in buffers and processed later.
  */
 static void
-process_input(fd_set * readset)
+process_input(fd_set *readset)
 {
         int len;
         char buf[16384];
@@ -380,10 +415,17 @@ process_input(fd_set * readset)
 
         /* Read and buffer any available stdout data from the program. */
         if (!fdout_eof && FD_ISSET(fdout, readset)) {
+                errno = 0;
                 len = read(fdout, buf, sizeof(buf));
-                if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+                if (len < 0 && (errno == EINTR ||
+                    (errno == EAGAIN && !child_terminated))) {
                         /* do nothing */
+#ifndef PTY_ZEROREAD
                 } else if (len <= 0) {
+#else
+                } else if ((!isatty(fdout) && len <= 0) ||
+                    (isatty(fdout) && (len < 0 || (len == 0 && errno != 0)))) {
+#endif
                         fdout_eof = 1;
                 } else {
                         buffer_append(&stdout_buffer, buf, len);
@@ -392,10 +434,17 @@ process_input(fd_set * readset)
         }
         /* Read and buffer any available stderr data from the program. */
         if (!fderr_eof && FD_ISSET(fderr, readset)) {
+                errno = 0;
                 len = read(fderr, buf, sizeof(buf));
-                if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+                if (len < 0 && (errno == EINTR ||
+                    (errno == EAGAIN && !child_terminated))) {
                         /* do nothing */
+#ifndef PTY_ZEROREAD
                 } else if (len <= 0) {
+#else
+                } else if ((!isatty(fderr) && len <= 0) ||
+                    (isatty(fderr) && (len < 0 || (len == 0 && errno != 0)))) {
+#endif
                         fderr_eof = 1;
                 } else {
                         buffer_append(&stderr_buffer, buf, len);
@@ -407,7 +456,7 @@ process_input(fd_set * readset)
  * Sends data from internal buffers to client program stdin.
  */
 static void
-process_output(fd_set * writeset)
+process_output(fd_set *writeset)
 {
         struct termios tio;
         u_char *data;
@@ -749,6 +798,7 @@ collect_children(void)
         sigaddset(&nset, SIGCHLD);
         sigprocmask(SIG_BLOCK, &nset, &oset);
         if (child_terminated) {
+                debug("Received SIGCHLD.");
                 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
                     (pid < 0 && errno == EINTR))
                         if (pid > 0)
@@ -873,10 +923,10 @@ server_input_eof(int type, u_int32_t seq, void *ctxt)
 static void
 server_input_window_size(int type, u_int32_t seq, void *ctxt)
 {
-        int row = packet_get_int();
-        int col = packet_get_int();
-        int xpixel = packet_get_int();
-        int ypixel = packet_get_int();
+        u_int row = packet_get_int();
+        u_int col = packet_get_int();
+        u_int xpixel = packet_get_int();
+        u_int ypixel = packet_get_int();
 
         debug("Window change received.");
         packet_check_eom();
@@ -937,7 +987,7 @@ server_request_tun(void)
 
         tun = packet_get_int();
         if (forced_tun_device != -1) {
-                if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+                if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
                         goto done;
                 tun = forced_tun_device;
         }
@@ -1085,6 +1135,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
                 success = channel_cancel_rport_listener(cancel_address,
                     cancel_port);
+                xfree(cancel_address);
         }
         if (want_reply) {
                 packet_start(success ?
@@ -1094,6 +1145,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
         }
         xfree(rtype);
 }
+
 static void
 server_input_channel_req(int type, u_int32_t seq, void *ctxt)
 {
diff --git a/serverloop.h b/serverloop.h
index f419198d1..7311558f9 100644
--- a/serverloop.h
+++ b/serverloop.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: serverloop.h,v 1.5 2001/06/27 02:12:53 markus Exp $   */
+/* $OpenBSD: serverloop.h,v 1.6 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/session.c b/session.c
index 73fcb6453..160cb4ecc 100644
--- a/session.c
+++ b/session.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -33,12 +34,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <grp.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "sshpty.h"
 #include "packet.h"
 #include "buffer.h"
@@ -46,7 +70,12 @@ RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 #include "uidswap.h"
 #include "compat.h"
 #include "channels.h"
-#include "bufaux.h"
+#include "key.h"
+#include "cipher.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
 #include "pathnames.h"
@@ -59,16 +88,10 @@ RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 #include "kex.h"
 #include "monitor_wrap.h"
 
-#include "selinux.h"
-
 #if defined(KRB5) && defined(USE_AFS)
 #include <kafs.h>
 #endif
 
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-
 /* func */
 
 Session *session_new(void);
@@ -177,7 +200,7 @@ auth_input_request_forwarding(struct passwd * pw)
         sunaddr.sun_family = AF_UNIX;
         strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
 
-        if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
+        if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
                 packet_disconnect("bind: %.100s", strerror(errno));
 
         /* Restore the privileged uid. */
@@ -324,7 +347,11 @@ do_authenticated1(Authctxt *authctxt)
                                 break;
                         }
                         debug("Received TCP/IP port forwarding request.");
-                        channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
+                        if (channel_input_port_forward_request(s->pw->pw_uid == 0,
+                            options.gateway_ports) < 0) {
+                                debug("Port forwarding failed.");
+                                break;
+                        }
                         success = 1;
                         break;
 
@@ -634,7 +661,7 @@ do_pre_login(Session *s)
         fromlen = sizeof(from);
         if (packet_connection_is_on_socket()) {
                 if (getpeername(packet_get_connection_in(),
-                    (struct sockaddr *) & from, &fromlen) < 0) {
+                    (struct sockaddr *)&from, &fromlen) < 0) {
                         debug("getpeername: %.100s", strerror(errno));
                         cleanup_exit(255);
                 }
@@ -653,10 +680,14 @@ do_pre_login(Session *s)
 void
 do_exec(Session *s, const char *command)
 {
-        if (forced_command) {
+        if (options.adm_forced_command) {
+                original_command = command;
+                command = options.adm_forced_command;
+                debug("Forced command (config) '%.900s'", command);
+        } else if (forced_command) {
                 original_command = command;
                 command = forced_command;
-                debug("Forced command '%.900s'", command);
+                debug("Forced command (key option) '%.900s'", command);
         }
 
 #ifdef SSH_AUDIT_EVENTS
@@ -828,7 +859,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
                         if (envsize >= 1000)
                                 fatal("child_set_env: too many env vars");
                         envsize += 50;
-                        env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+                        env = (*envp) = xrealloc(env, envsize, sizeof(char *));
                         *envsizep = envsize;
                 }
                 /* Need to set the NULL pointer at end of array beyond the new slot. */
@@ -969,12 +1000,15 @@ do_setup_env(Session *s, const char *shell)
 {
         char buf[256];
         u_int i, envsize;
-        char **env, *laddr, *path = NULL;
+        char **env, *laddr;
         struct passwd *pw = s->pw;
+#ifndef HAVE_LOGIN_CAP
+        char *path = NULL;
+#endif
 
         /* Initialize the environment. */
         envsize = 100;
-        env = xmalloc(envsize * sizeof(char *));
+        env = xcalloc(envsize, sizeof(char *));
         env[0] = NULL;
 
 #ifdef HAVE_CYGWIN
@@ -1343,7 +1377,9 @@ do_setusercontext(struct passwd *pw)
         if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
                 fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 
-        setup_selinux_exec_context(pw->pw_name);
+#ifdef WITH_SELINUX
+        ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
 }
 
 static void
@@ -1563,7 +1599,7 @@ do_child(Session *s, const char *command)
                 do_rc_files(s, shell);
 
         /* restore SIGPIPE for child */
-        signal(SIGPIPE,  SIG_DFL);
+        signal(SIGPIPE, SIG_DFL);
 
         if (options.use_login) {
                 launch_login(pw, hostname);
@@ -1827,7 +1863,7 @@ session_subsystem_req(Session *s)
         struct stat st;
         u_int len;
         int success = 0;
-        char *cmd, *subsys = packet_get_string(&len);
+        char *prog, *cmd, *subsys = packet_get_string(&len);
         u_int i;
 
         packet_check_eom();
@@ -1835,9 +1871,10 @@ session_subsystem_req(Session *s)
 
         for (i = 0; i < options.num_subsystems; i++) {
                 if (strcmp(subsys, options.subsystem_name[i]) == 0) {
-                        cmd = options.subsystem_command[i];
-                        if (stat(cmd, &st) < 0) {
-                                error("subsystem: cannot stat %s: %s", cmd,
+                        prog = options.subsystem_command[i];
+                        cmd = options.subsystem_args[i];
+                        if (stat(prog, &st) < 0) {
+                                error("subsystem: cannot stat %s: %s", prog,
                                     strerror(errno));
                                 break;
                         }
@@ -1934,8 +1971,8 @@ session_env_req(Session *s)
         for (i = 0; i < options.num_accept_env; i++) {
                 if (match_pattern(name, options.accept_env[i])) {
                         debug2("Setting env %d: %s=%s", s->num_env, name, val);
-                        s->env = xrealloc(s->env, sizeof(*s->env) *
-                            (s->num_env + 1));
+                        s->env = xrealloc(s->env, s->num_env + 1,
+                            sizeof(*s->env));
                         s->env[s->num_env].name = name;
                         s->env[s->num_env].val = val;
                         s->num_env++;
@@ -1990,7 +2027,7 @@ session_input_channel_req(Channel *c, const char *rtype)
                 } else if (strcmp(rtype, "exec") == 0) {
                         success = session_exec_req(s);
                 } else if (strcmp(rtype, "pty-req") == 0) {
-                        success =  session_pty_req(s);
+                        success = session_pty_req(s);
                 } else if (strcmp(rtype, "x11-req") == 0) {
                         success = session_x11_req(s);
                 } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
@@ -2115,7 +2152,7 @@ session_close_single_x11(int id, void *arg)
 
         debug3("session_close_single_x11: channel %d", id);
         channel_cancel_cleanup(id);
-        if ((s  = session_by_x11_channel(id)) == NULL)
+        if ((s = session_by_x11_channel(id)) == NULL)
                 fatal("session_close_single_x11: no x11 channel %d", id);
         for (i = 0; s->x11_chanids[i] != -1; i++) {
                 debug("session_close_single_x11: session %d: "
@@ -2183,7 +2220,7 @@ session_exit_message(Session *s, int status)
 
         /*
          * Adjust cleanup callback attachment to send close messages when
-         * the channel gets EOF. The session will be then be closed 
+         * the channel gets EOF. The session will be then be closed
          * by session_close_by_channel when the childs close their fds.
          */
         channel_register_cleanup(c->self, session_close_by_channel, 1);
@@ -2219,12 +2256,13 @@ session_close(Session *s)
         if (s->auth_proto)
                 xfree(s->auth_proto);
         s->used = 0;
-        for (i = 0; i < s->num_env; i++) {
-                xfree(s->env[i].name);
-                xfree(s->env[i].val);
-        }
-        if (s->env != NULL)
+        if (s->env != NULL) {
+                for (i = 0; i < s->num_env; i++) {
+                        xfree(s->env[i].name);
+                        xfree(s->env[i].val);
+                }
                 xfree(s->env);
+        }
         session_proctitle(s);
 }
 
diff --git a/session.h b/session.h
index a2598a99c..ee9338e4f 100644
--- a/session.h
+++ b/session.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: session.h,v 1.25 2005/07/17 06:49:04 djm Exp $        */
+/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -34,11 +34,13 @@ struct Session {
         struct passwd *pw;
         Authctxt *authctxt;
         pid_t   pid;
+
         /* tty */
         char    *term;
         int     ptyfd, ttyfd, ptymaster;
         u_int   row, col, xpixel, ypixel;
         char    tty[TTYSZ];
+
         /* X11 */
         u_int   display_number;
         char    *display;
@@ -47,6 +49,7 @@ struct Session {
         char    *auth_proto;
         char    *auth_data;
         int     single_connection;
+
         /* proto 2 */
         int     chanid;
         int     *x11_chanids;
@@ -55,7 +58,7 @@ struct Session {
         struct {
                 char    *name;
                 char    *val;
-        }       *env;
+        } *env;
 };
 
 void     do_authenticated(Authctxt *);
diff --git a/sftp-client.c b/sftp-client.c
index 05bce3368..2746f3245 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sftp-client.c,v 1.76 2007/01/22 11:32:50 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -20,17 +21,32 @@
 /* XXX: copy between two remote sites */
 
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/param.h>
 #include "openbsd-compat/sys-queue.h"
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
 
-#include "buffer.h"
-#include "bufaux.h"
-#include "getput.h"
 #include "xmalloc.h"
+#include "buffer.h"
 #include "log.h"
 #include "atomicio.h"
 #include "progressmeter.h"
+#include "misc.h"
 
 #include "sftp.h"
 #include "sftp-common.h"
@@ -39,7 +55,7 @@ RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
 extern volatile sig_atomic_t interrupted;
 extern int showprogress;
 
-/* Minimum amount of data to read at at time */
+/* Minimum amount of data to read at a time */
 #define MIN_READ_SIZE   512
 
 struct sftp_conn {
@@ -55,16 +71,19 @@ static void
 send_msg(int fd, Buffer *m)
 {
         u_char mlen[4];
+        struct iovec iov[2];
 
         if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
                 fatal("Outbound message too long %u", buffer_len(m));
 
         /* Send length first */
-        PUT_32BIT(mlen, buffer_len(m));
-        if (atomicio(vwrite, fd, mlen, sizeof(mlen)) != sizeof(mlen))
-                fatal("Couldn't send packet: %s", strerror(errno));
+        put_u32(mlen, buffer_len(m));
+        iov[0].iov_base = mlen;
+        iov[0].iov_len = sizeof(mlen);
+        iov[1].iov_base = buffer_ptr(m);
+        iov[1].iov_len = buffer_len(m);
 
-        if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) != buffer_len(m))
+        if (atomiciov(writev, fd, iov, 2) != buffer_len(m) + sizeof(mlen))
                 fatal("Couldn't send packet: %s", strerror(errno));
 
         buffer_clear(m);
@@ -388,8 +407,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
                                 printf("%s\n", longname);
 
                         if (dir) {
-                                *dir = xrealloc(*dir, sizeof(**dir) *
-                                    (ents + 2));
+                                *dir = xrealloc(*dir, ents + 2, sizeof(**dir));
                                 (*dir)[ents] = xmalloc(sizeof(***dir));
                                 (*dir)[ents]->filename = xstrdup(filename);
                                 (*dir)[ents]->longname = xstrdup(longname);
@@ -1116,10 +1134,13 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
                         if (status != SSH2_FX_OK) {
                                 error("Couldn't write to remote file \"%s\": %s",
                                     remote_path, fx2txt(status));
+                                if (showprogress)
+                                        stop_progress_meter();
                                 do_close(conn, handle, handle_len);
                                 close(local_fd);
                                 xfree(data);
                                 xfree(ack);
+                                status = -1;
                                 goto done;
                         }
                         debug3("In write loop, ack for %u %u bytes at %llu",
diff --git a/sftp-common.c b/sftp-common.c
index 4cea3c305..7ebadcc53 100644
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sftp-common.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Damien Miller.  All rights reserved.
@@ -24,12 +25,21 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sftp-common.c,v 1.10 2003/11/10 16:23:41 jakob Exp $");
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <grp.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "log.h"
-#include "xmalloc.h"
 
 #include "sftp.h"
 #include "sftp-common.h"
diff --git a/sftp-common.h b/sftp-common.h
index 2b1995a2d..9b5848462 100644
--- a/sftp-common.h
+++ b/sftp-common.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $     */
+/* $OpenBSD: sftp-common.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
diff --git a/sftp-glob.c b/sftp-glob.c
index 16c5e206a..cdc270827 100644
--- a/sftp-glob.c
+++ b/sftp-glob.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sftp-glob.c,v 1.22 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -15,14 +16,18 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sftp-glob.c,v 1.15 2004/02/17 07:17:29 djm Exp $");
 
-#include "buffer.h"
-#include "bufaux.h"
-#include "xmalloc.h"
-#include "log.h"
+#include <sys/types.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
 
+#include <dirent.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "sftp.h"
+#include "buffer.h"
 #include "sftp-common.h"
 #include "sftp-client.h"
 
diff --git a/sftp-server.0 b/sftp-server.0
index 5367b5fdb..a5caf8229 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -4,13 +4,32 @@ NAME
      sftp-server - SFTP server subsystem
 
 SYNOPSIS
-     sftp-server
+     sftp-server [-f log_facility] [-l log_level]
 
 DESCRIPTION
      sftp-server is a program that speaks the server side of SFTP protocol to
      stdout and expects client requests from stdin.  sftp-server is not in-
      tended to be called directly, but from sshd(8) using the Subsystem op-
-     tion.  See sshd_config(5) for more information.
+     tion.
+
+     Command-line flags to sftp-server should be specified in the Subsystem
+     declaration.  See sshd_config(5) for more information.
+
+     Valid options are:
+
+     -f log_facility
+             Specifies the facility code that is used when logging messages
+             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
+             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+             The default is AUTH.
+
+     -l log_level
+             Specifies which messages will be logged by sftp-server.  The pos-
+             sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DE-
+             BUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions that
+             sftp-server performs on behalf of the client.  DEBUG and DEBUG1
+             are equivalent.  DEBUG2 and DEBUG3 each specify higher levels of
+             debugging output.  The default is ERROR.
 
 SEE ALSO
      sftp(1), ssh(1), sshd_config(5), sshd(8)
@@ -18,10 +37,10 @@ SEE ALSO
      T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
      filexfer-00.txt, January 2001, work in progress material.
 
+HISTORY
+     sftp-server first appeared in OpenBSD 2.8.
+
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-HISTORY
-     sftp-server first appeared in OpenBSD 2.8 .
-
-OpenBSD 3.9                     August 30, 2000                              1
+OpenBSD 4.1                     August 30, 2000                              1
diff --git a/sftp-server.8 b/sftp-server.8
index 42f5d437c..199c4f30e 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.10 2003/10/08 08:27:36 jmc Exp $
+.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -30,6 +30,8 @@
 .Nd SFTP server subsystem
 .Sh SYNOPSIS
 .Nm sftp-server
+.Op Fl f Ar log_facility
+.Op Fl l Ar log_level
 .Sh DESCRIPTION
 .Nm
 is a program that speaks the server side of SFTP protocol
@@ -40,9 +42,36 @@ is not intended to be called directly, but from
 using the
 .Cm Subsystem
 option.
+.Pp
+Command-line flags to
+.Nm
+should be specified in the
+.Cm Subsystem
+declaration.
 See
 .Xr sshd_config 5
 for more information.
+.Pp
+Valid options are:
+.Bl -tag -width Ds
+.It Fl f Ar log_facility
+Specifies the facility code that is used when logging messages from
+.Nm .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Fl l Ar log_level
+Specifies which messages will be logged by
+.Nm .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+INFO and VERBOSE log transactions that
+.Nm
+performs on behalf of the client.
+DEBUG and DEBUG1 are equivalent.
+DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+The default is ERROR.
+.El
 .Sh SEE ALSO
 .Xr sftp 1 ,
 .Xr ssh 1 ,
@@ -56,8 +85,9 @@ for more information.
 .%D January 2001
 .%O work in progress material
 .Re
-.Sh AUTHORS
-.An Markus Friedl Aq markus@openbsd.org
 .Sh HISTORY
 .Nm
-first appeared in OpenBSD 2.8 .
+first appeared in
+.Ox 2.8 .
+.Sh AUTHORS
+.An Markus Friedl Aq markus@openbsd.org
diff --git a/sftp-server.c b/sftp-server.c
index 7060c44ad..64777beff 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -13,15 +14,33 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
 
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include <time.h>
+#include <unistd.h>
+#include <stdarg.h>
+
+#include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
-#include "getput.h"
 #include "log.h"
-#include "xmalloc.h"
 #include "misc.h"
+#include "uidswap.h"
 
 #include "sftp.h"
 #include "sftp-common.h"
@@ -30,9 +49,13 @@ RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
 #define get_int64()                     buffer_get_int64(&iqueue);
 #define get_int()                       buffer_get_int(&iqueue);
 #define get_string(lenp)                buffer_get_string(&iqueue, lenp);
-#define TRACE                           debug
 
-extern char *__progname;
+/* Our verbosity */
+LogLevel log_level = SYSLOG_LEVEL_ERROR;
+
+/* Our client */
+struct passwd *pw = NULL;
+char *client_addr = NULL;
 
 /* input and output queue */
 Buffer iqueue;
@@ -104,6 +127,33 @@ flags_from_portable(int pflags)
         return flags;
 }
 
+static const char *
+string_from_portable(int pflags)
+{
+        static char ret[128];
+
+        *ret = '\0';
+
+#define PAPPEND(str)    {                               \
+                if (*ret != '\0')                       \
+                        strlcat(ret, ",", sizeof(ret)); \
+                strlcat(ret, str, sizeof(ret));         \
+        }
+
+        if (pflags & SSH2_FXF_READ)
+                PAPPEND("READ")
+        if (pflags & SSH2_FXF_WRITE)
+                PAPPEND("WRITE")
+        if (pflags & SSH2_FXF_CREAT)
+                PAPPEND("CREATE")
+        if (pflags & SSH2_FXF_TRUNC)
+                PAPPEND("TRUNCATE")
+        if (pflags & SSH2_FXF_EXCL)
+                PAPPEND("EXCL")
+
+        return ret;
+}
+
 static Attrib *
 get_attrib(void)
 {
@@ -118,6 +168,7 @@ struct Handle {
         DIR *dirp;
         int fd;
         char *name;
+        u_int64_t bytes_read, bytes_write;
 };
 
 enum {
@@ -148,6 +199,7 @@ handle_new(int use, const char *name, int fd, DIR *dirp)
                         handles[i].dirp = dirp;
                         handles[i].fd = fd;
                         handles[i].name = xstrdup(name);
+                        handles[i].bytes_read = handles[i].bytes_write = 0;
                         return i;
                 }
         }
@@ -167,7 +219,7 @@ handle_to_string(int handle, char **stringp, int *hlenp)
         if (stringp == NULL || hlenp == NULL)
                 return -1;
         *stringp = xmalloc(sizeof(int32_t));
-        PUT_32BIT(*stringp, handle);
+        put_u32(*stringp, handle);
         *hlenp = sizeof(int32_t);
         return 0;
 }
@@ -179,7 +231,7 @@ handle_from_string(const char *handle, u_int hlen)
 
         if (hlen != sizeof(int32_t))
                 return -1;
-        val = GET_32BIT(handle);
+        val = get_u32(handle);
         if (handle_is_ok(val, HANDLE_FILE) ||
             handle_is_ok(val, HANDLE_DIR))
                 return val;
@@ -211,6 +263,36 @@ handle_to_fd(int handle)
         return -1;
 }
 
+static void
+handle_update_read(int handle, ssize_t bytes)
+{
+        if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
+                handles[handle].bytes_read += bytes;
+}
+
+static void
+handle_update_write(int handle, ssize_t bytes)
+{
+        if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
+                handles[handle].bytes_write += bytes;
+}
+
+static u_int64_t
+handle_bytes_read(int handle)
+{
+        if (handle_is_ok(handle, HANDLE_FILE))
+                return (handles[handle].bytes_read);
+        return 0;
+}
+
+static u_int64_t
+handle_bytes_write(int handle)
+{
+        if (handle_is_ok(handle, HANDLE_FILE))
+                return (handles[handle].bytes_write);
+        return 0;
+}
+
 static int
 handle_close(int handle)
 {
@@ -230,6 +312,31 @@ handle_close(int handle)
         return ret;
 }
 
+static void
+handle_log_close(int handle, char *emsg)
+{
+        if (handle_is_ok(handle, HANDLE_FILE)) {
+                logit("%s%sclose \"%s\" bytes read %llu written %llu",
+                    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
+                    handle_to_name(handle),
+                    handle_bytes_read(handle), handle_bytes_write(handle));
+        } else {
+                logit("%s%sclosedir \"%s\"",
+                    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
+                    handle_to_name(handle));
+        }
+}
+
+static void
+handle_log_exit(void)
+{
+        u_int i;
+
+        for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
+                if (handles[i].use != HANDLE_UNUSED)
+                        handle_log_close(i, "forced");
+}
+
 static int
 get_handle(void)
 {
@@ -256,10 +363,9 @@ send_msg(Buffer *m)
         buffer_consume(m, mlen);
 }
 
-static void
-send_status(u_int32_t id, u_int32_t status)
+static const char *
+status_to_message(u_int32_t status)
 {
-        Buffer msg;
         const char *status_messages[] = {
                 "Success",                      /* SSH_FX_OK */
                 "End of file",                  /* SSH_FX_EOF */
@@ -272,15 +378,24 @@ send_status(u_int32_t id, u_int32_t status)
                 "Operation unsupported",        /* SSH_FX_OP_UNSUPPORTED */
                 "Unknown error"                 /* Others */
         };
+        return (status_messages[MIN(status,SSH2_FX_MAX)]);
+}
+
+static void
+send_status(u_int32_t id, u_int32_t status)
+{
+        Buffer msg;
 
-        TRACE("sent status id %u error %u", id, status);
+        debug3("request %u: sent status %u", id, status);
+        if (log_level > SYSLOG_LEVEL_VERBOSE ||
+            (status != SSH2_FX_OK && status != SSH2_FX_EOF))
+                logit("sent status %s", status_to_message(status));
         buffer_init(&msg);
         buffer_put_char(&msg, SSH2_FXP_STATUS);
         buffer_put_int(&msg, id);
         buffer_put_int(&msg, status);
         if (version >= 3) {
-                buffer_put_cstring(&msg,
-                    status_messages[MIN(status,SSH2_FX_MAX)]);
+                buffer_put_cstring(&msg, status_to_message(status));
                 buffer_put_cstring(&msg, "");
         }
         send_msg(&msg);
@@ -302,7 +417,7 @@ send_data_or_handle(char type, u_int32_t id, const char *data, int dlen)
 static void
 send_data(u_int32_t id, const char *data, int dlen)
 {
-        TRACE("sent data id %u len %d", id, dlen);
+        debug("request %u: sent data len %d", id, dlen);
         send_data_or_handle(SSH2_FXP_DATA, id, data, dlen);
 }
 
@@ -313,7 +428,7 @@ send_handle(u_int32_t id, int handle)
         int hlen;
 
         handle_to_string(handle, &string, &hlen);
-        TRACE("sent handle id %u handle %d", id, handle);
+        debug("request %u: sent handle handle %d", id, handle);
         send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
         xfree(string);
 }
@@ -328,7 +443,7 @@ send_names(u_int32_t id, int count, const Stat *stats)
         buffer_put_char(&msg, SSH2_FXP_NAME);
         buffer_put_int(&msg, id);
         buffer_put_int(&msg, count);
-        TRACE("sent names id %u count %d", id, count);
+        debug("request %u: sent names count %d", id, count);
         for (i = 0; i < count; i++) {
                 buffer_put_cstring(&msg, stats[i].name);
                 buffer_put_cstring(&msg, stats[i].long_name);
@@ -343,7 +458,7 @@ send_attrib(u_int32_t id, const Attrib *a)
 {
         Buffer msg;
 
-        TRACE("sent attrib id %u have 0x%x", id, a->flags);
+        debug("request %u: sent attrib have 0x%x", id, a->flags);
         buffer_init(&msg);
         buffer_put_char(&msg, SSH2_FXP_ATTRS);
         buffer_put_int(&msg, id);
@@ -360,7 +475,7 @@ process_init(void)
         Buffer msg;
 
         version = get_int();
-        TRACE("client version %d", version);
+        verbose("received client version %d", version);
         buffer_init(&msg);
         buffer_put_char(&msg, SSH2_FXP_VERSION);
         buffer_put_int(&msg, SSH2_FILEXFER_VERSION);
@@ -379,10 +494,12 @@ process_open(void)
         id = get_int();
         name = get_string(NULL);
         pflags = get_int();             /* portable flags */
+        debug3("request %u: open flags %d", id, pflags);
         a = get_attrib();
         flags = flags_from_portable(pflags);
         mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
-        TRACE("open id %u name %s flags %d mode 0%o", id, name, pflags, mode);
+        logit("open \"%s\" flags %s mode 0%o",
+            name, string_from_portable(pflags), mode);
         fd = open(name, flags, mode);
         if (fd < 0) {
                 status = errno_to_portable(errno);
@@ -408,7 +525,8 @@ process_close(void)
 
         id = get_int();
         handle = get_handle();
-        TRACE("close id %u handle %d", id, handle);
+        debug3("request %u: close handle %u", id, handle);
+        handle_log_close(handle, NULL);
         ret = handle_close(handle);
         status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
         send_status(id, status);
@@ -427,11 +545,11 @@ process_read(void)
         off = get_int64();
         len = get_int();
 
-        TRACE("read id %u handle %d off %llu len %d", id, handle,
-            (unsigned long long)off, len);
+        debug("request %u: read \"%s\" (handle %d) off %llu len %d",
+            id, handle_to_name(handle), handle, (unsigned long long)off, len);
         if (len > sizeof buf) {
                 len = sizeof buf;
-                logit("read change len %d", len);
+                debug2("read change len %d", len);
         }
         fd = handle_to_fd(handle);
         if (fd >= 0) {
@@ -447,6 +565,7 @@ process_read(void)
                         } else {
                                 send_data(id, buf, ret);
                                 status = SSH2_FX_OK;
+                                handle_update_read(handle, ret);
                         }
                 }
         }
@@ -468,8 +587,8 @@ process_write(void)
         off = get_int64();
         data = get_string(&len);
 
-        TRACE("write id %u handle %d off %llu len %d", id, handle,
-            (unsigned long long)off, len);
+        debug("request %u: write \"%s\" (handle %d) off %llu len %d",
+            id, handle_to_name(handle), handle, (unsigned long long)off, len);
         fd = handle_to_fd(handle);
         if (fd >= 0) {
                 if (lseek(fd, off, SEEK_SET) < 0) {
@@ -483,8 +602,9 @@ process_write(void)
                                 status = errno_to_portable(errno);
                         } else if ((size_t)ret == len) {
                                 status = SSH2_FX_OK;
+                                handle_update_write(handle, ret);
                         } else {
-                                logit("nothing at all written");
+                                debug2("nothing at all written");
                         }
                 }
         }
@@ -503,7 +623,8 @@ process_do_stat(int do_lstat)
 
         id = get_int();
         name = get_string(NULL);
-        TRACE("%sstat id %u name %s", do_lstat ? "l" : "", id, name);
+        debug3("request %u: %sstat", id, do_lstat ? "l" : "");
+        verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name);
         ret = do_lstat ? lstat(name, &st) : stat(name, &st);
         if (ret < 0) {
                 status = errno_to_portable(errno);
@@ -539,9 +660,10 @@ process_fstat(void)
 
         id = get_int();
         handle = get_handle();
-        TRACE("fstat id %u handle %d", id, handle);
+        debug("request %u: fstat \"%s\" (handle %u)",
+            id, handle_to_name(handle), handle);
         fd = handle_to_fd(handle);
-        if (fd  >= 0) {
+        if (fd >= 0) {
                 ret = fstat(fd, &st);
                 if (ret < 0) {
                         status = errno_to_portable(errno);
@@ -578,23 +700,33 @@ process_setstat(void)
         id = get_int();
         name = get_string(NULL);
         a = get_attrib();
-        TRACE("setstat id %u name %s", id, name);
+        debug("request %u: setstat name \"%s\"", id, name);
         if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
+                logit("set \"%s\" size %llu", name, a->size);
                 ret = truncate(name, a->size);
                 if (ret == -1)
                         status = errno_to_portable(errno);
         }
         if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+                logit("set \"%s\" mode %04o", name, a->perm);
                 ret = chmod(name, a->perm & 0777);
                 if (ret == -1)
                         status = errno_to_portable(errno);
         }
         if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+                char buf[64];
+                time_t t = a->mtime;
+
+                strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
+                    localtime(&t));
+                logit("set \"%s\" modtime %s", name, buf);
                 ret = utimes(name, attrib_to_tv(a));
                 if (ret == -1)
                         status = errno_to_portable(errno);
         }
         if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+                logit("set \"%s\" owner %lu group %lu", name,
+                    (u_long)a->uid, (u_long)a->gid);
                 ret = chown(name, a->uid, a->gid);
                 if (ret == -1)
                         status = errno_to_portable(errno);
@@ -610,23 +742,25 @@ process_fsetstat(void)
         u_int32_t id;
         int handle, fd, ret;
         int status = SSH2_FX_OK;
-        char *name;
 
         id = get_int();
         handle = get_handle();
         a = get_attrib();
-        TRACE("fsetstat id %u handle %d", id, handle);
+        debug("request %u: fsetstat handle %d", id, handle);
         fd = handle_to_fd(handle);
-        name = handle_to_name(handle);
-        if (fd < 0 || name == NULL) {
+        if (fd < 0) {
                 status = SSH2_FX_FAILURE;
         } else {
+                char *name = handle_to_name(handle);
+
                 if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
+                        logit("set \"%s\" size %llu", name, a->size);
                         ret = ftruncate(fd, a->size);
                         if (ret == -1)
                                 status = errno_to_portable(errno);
                 }
                 if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+                        logit("set \"%s\" mode %04o", name, a->perm);
 #ifdef HAVE_FCHMOD
                         ret = fchmod(fd, a->perm & 0777);
 #else
@@ -636,6 +770,12 @@ process_fsetstat(void)
                                 status = errno_to_portable(errno);
                 }
                 if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+                        char buf[64];
+                        time_t t = a->mtime;
+
+                        strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
+                            localtime(&t));
+                        logit("set \"%s\" modtime %s", name, buf);
 #ifdef HAVE_FUTIMES
                         ret = futimes(fd, attrib_to_tv(a));
 #else
@@ -645,6 +785,8 @@ process_fsetstat(void)
                                 status = errno_to_portable(errno);
                 }
                 if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+                        logit("set \"%s\" owner %lu group %lu", name,
+                            (u_long)a->uid, (u_long)a->gid);
 #ifdef HAVE_FCHOWN
                         ret = fchown(fd, a->uid, a->gid);
 #else
@@ -667,7 +809,8 @@ process_opendir(void)
 
         id = get_int();
         path = get_string(NULL);
-        TRACE("opendir id %u path %s", id, path);
+        debug3("request %u: opendir", id);
+        logit("opendir \"%s\"", path);
         dirp = opendir(path);
         if (dirp == NULL) {
                 status = errno_to_portable(errno);
@@ -697,22 +840,23 @@ process_readdir(void)
 
         id = get_int();
         handle = get_handle();
-        TRACE("readdir id %u handle %d", id, handle);
+        debug("request %u: readdir \"%s\" (handle %d)", id,
+            handle_to_name(handle), handle);
         dirp = handle_to_dir(handle);
         path = handle_to_name(handle);
         if (dirp == NULL || path == NULL) {
                 send_status(id, SSH2_FX_FAILURE);
         } else {
                 struct stat st;
-                char pathname[1024];
+                char pathname[MAXPATHLEN];
                 Stat *stats;
                 int nstats = 10, count = 0, i;
 
-                stats = xmalloc(nstats * sizeof(Stat));
+                stats = xcalloc(nstats, sizeof(Stat));
                 while ((dp = readdir(dirp)) != NULL) {
                         if (count >= nstats) {
                                 nstats *= 2;
-                                stats = xrealloc(stats, nstats * sizeof(Stat));
+                                stats = xrealloc(stats, nstats, sizeof(Stat));
                         }
 /* XXX OVERFLOW ? */
                         snprintf(pathname, sizeof pathname, "%s%s%s", path,
@@ -751,7 +895,8 @@ process_remove(void)
 
         id = get_int();
         name = get_string(NULL);
-        TRACE("remove id %u name %s", id, name);
+        debug3("request %u: remove", id);
+        logit("remove name \"%s\"", name);
         ret = unlink(name);
         status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
         send_status(id, status);
@@ -771,7 +916,8 @@ process_mkdir(void)
         a = get_attrib();
         mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
             a->perm & 0777 : 0777;
-        TRACE("mkdir id %u name %s mode 0%o", id, name, mode);
+        debug3("request %u: mkdir", id);
+        logit("mkdir name \"%s\" mode 0%o", name, mode);
         ret = mkdir(name, mode);
         status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
         send_status(id, status);
@@ -787,7 +933,8 @@ process_rmdir(void)
 
         id = get_int();
         name = get_string(NULL);
-        TRACE("rmdir id %u name %s", id, name);
+        debug3("request %u: rmdir", id);
+        logit("rmdir name \"%s\"", name);
         ret = rmdir(name);
         status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
         send_status(id, status);
@@ -807,7 +954,8 @@ process_realpath(void)
                 xfree(path);
                 path = xstrdup(".");
         }
-        TRACE("realpath id %u path %s", id, path);
+        debug3("request %u: realpath", id);
+        verbose("realpath \"%s\"", path);
         if (realpath(path, resolvedname) == NULL) {
                 send_status(id, errno_to_portable(errno));
         } else {
@@ -830,7 +978,8 @@ process_rename(void)
         id = get_int();
         oldpath = get_string(NULL);
         newpath = get_string(NULL);
-        TRACE("rename id %u old %s new %s", id, oldpath, newpath);
+        debug3("request %u: rename", id);
+        logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
         status = SSH2_FX_FAILURE;
         if (lstat(oldpath, &sb) == -1)
                 status = errno_to_portable(errno);
@@ -885,7 +1034,8 @@ process_readlink(void)
 
         id = get_int();
         path = get_string(NULL);
-        TRACE("readlink id %u path %s", id, path);
+        debug3("request %u: readlink", id);
+        verbose("readlink \"%s\"", path);
         if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
                 send_status(id, errno_to_portable(errno));
         else {
@@ -909,7 +1059,8 @@ process_symlink(void)
         id = get_int();
         oldpath = get_string(NULL);
         newpath = get_string(NULL);
-        TRACE("symlink id %u old %s new %s", id, oldpath, newpath);
+        debug3("request %u: symlink", id);
+        logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
         /* this will fail if 'newpath' exists */
         ret = symlink(oldpath, newpath);
         status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
@@ -945,10 +1096,11 @@ process(void)
         if (buf_len < 5)
                 return;         /* Incomplete message. */
         cp = buffer_ptr(&iqueue);
-        msg_len = GET_32BIT(cp);
+        msg_len = get_u32(cp);
         if (msg_len > SFTP_MAX_MSG_LENGTH) {
-                error("bad message ");
-                exit(11);
+                error("bad message from %s local user %s",
+                    client_addr, pw->pw_name);
+                cleanup_exit(11);
         }
         if (buf_len < msg_len + 4)
                 return;
@@ -1022,7 +1174,7 @@ process(void)
         }
         /* discard the remaining bytes from the current packet */
         if (buf_len < buffer_len(&iqueue))
-                fatal("iqueue grows");
+                fatal("iqueue grew unexpectedly");
         consumed = buf_len - buffer_len(&iqueue);
         if (msg_len < consumed)
                 fatal("msg_len %d < consumed %d", msg_len, consumed);
@@ -1030,24 +1182,93 @@ process(void)
                 buffer_consume(&iqueue, msg_len - consumed);
 }
 
+/* Cleanup handler that logs active handles upon normal exit */
+void
+cleanup_exit(int i)
+{
+        if (pw != NULL && client_addr != NULL) {
+                handle_log_exit();
+                logit("session closed for local user %s from [%s]",
+                    pw->pw_name, client_addr);
+        }
+        _exit(i);
+}
+
+static void
+usage(void)
+{
+        extern char *__progname;
+
+        fprintf(stderr,
+            "usage: %s [-he] [-l log_level] [-f log_facility]\n", __progname);
+        exit(1);
+}
+
 int
-main(int ac, char **av)
+main(int argc, char **argv)
 {
         fd_set *rset, *wset;
-        int in, out, max;
+        int in, out, max, ch, skipargs = 0, log_stderr = 0;
         ssize_t len, olen, set_size;
+        SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
+        char *cp;
+
+        extern char *optarg;
+        extern char *__progname;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
 
-        /* XXX should use getopt */
+        __progname = ssh_get_progname(argv[0]);
+        log_init(__progname, log_level, log_facility, log_stderr);
+
+        while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
+                switch (ch) {
+                case 'c':
+                        /*
+                         * Ignore all arguments if we are invoked as a
+                         * shell using "sftp-server -c command"
+                         */
+                        skipargs = 1;
+                        break;
+                case 'e':
+                        log_stderr = 1;
+                        break;
+                case 'l':
+                        log_level = log_level_number(optarg);
+                        if (log_level == SYSLOG_LEVEL_NOT_SET)
+                                error("Invalid log level \"%s\"", optarg);
+                        break;
+                case 'f':
+                        log_facility = log_facility_number(optarg);
+                        if (log_level == SYSLOG_FACILITY_NOT_SET)
+                                error("Invalid log facility \"%s\"", optarg);
+                        break;
+                case 'h':
+                default:
+                        usage();
+                }
+        }
 
-        __progname = ssh_get_progname(av[0]);
-        handle_init();
+        log_init(__progname, log_level, log_facility, log_stderr);
 
-#ifdef DEBUG_SFTP_SERVER
-        log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0);
-#endif
+        if ((cp = getenv("SSH_CONNECTION")) != NULL) {
+                client_addr = xstrdup(cp);
+                if ((cp = strchr(client_addr, ' ')) == NULL)
+                        fatal("Malformed SSH_CONNECTION variable: \"%s\"",
+                            getenv("SSH_CONNECTION"));
+                *cp = '\0';
+        } else
+                client_addr = xstrdup("UNKNOWN");
+
+        if ((pw = getpwuid(getuid())) == NULL)
+                fatal("No user found for uid %lu", (u_long)getuid());
+        pw = pwcopy(pw);
+
+        logit("session opened for local user %s from [%s]",
+            pw->pw_name, client_addr);
+
+        handle_init();
 
         in = dup(STDIN_FILENO);
         out = dup(STDOUT_FILENO);
@@ -1082,7 +1303,8 @@ main(int ac, char **av)
                 if (select(max+1, rset, wset, NULL, NULL) < 0) {
                         if (errno == EINTR)
                                 continue;
-                        exit(2);
+                        error("select: %s", strerror(errno));
+                        cleanup_exit(2);
                 }
 
                 /* copy stdin to iqueue */
@@ -1091,10 +1313,10 @@ main(int ac, char **av)
                         len = read(in, buf, sizeof buf);
                         if (len == 0) {
                                 debug("read eof");
-                                exit(0);
+                                cleanup_exit(0);
                         } else if (len < 0) {
-                                error("read error");
-                                exit(1);
+                                error("read: %s", strerror(errno));
+                                cleanup_exit(1);
                         } else {
                                 buffer_append(&iqueue, buf, len);
                         }
@@ -1103,8 +1325,8 @@ main(int ac, char **av)
                 if (FD_ISSET(out, wset)) {
                         len = write(out, buffer_ptr(&oqueue), olen);
                         if (len < 0) {
-                                error("write error");
-                                exit(1);
+                                error("write: %s", strerror(errno));
+                                cleanup_exit(1);
                         } else {
                                 buffer_consume(&oqueue, len);
                         }
diff --git a/sftp.0 b/sftp.0
index 77ab78d96..6b8a85658 100644
--- a/sftp.0
+++ b/sftp.0
@@ -263,4 +263,4 @@ SEE ALSO
      T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
      filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 3.9                    February 4, 2001                              4
+OpenBSD 4.1                    February 4, 2001                              4
diff --git a/sftp.c b/sftp.c
index a2e3f6aad..f0d5dd557 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -16,21 +17,39 @@
 
 #include "includes.h"
 
-RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+#include <errno.h>
 
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
 #ifdef USE_LIBEDIT
 #include <histedit.h>
 #else
 typedef void EditLine;
 #endif
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
 
-#include "buffer.h"
 #include "xmalloc.h"
 #include "log.h"
 #include "pathnames.h"
 #include "misc.h"
 
 #include "sftp.h"
+#include "buffer.h"
 #include "sftp-common.h"
 #include "sftp-client.h"
 
@@ -147,6 +166,7 @@ static const struct CMD cmds[] = {
 
 int interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
 
+/* ARGSUSED */
 static void
 killchild(int signo)
 {
@@ -158,6 +178,7 @@ killchild(int signo)
         _exit(1);
 }
 
+/* ARGSUSED */
 static void
 cmd_interrupt(int signo)
 {
@@ -235,7 +256,7 @@ local_do_shell(const char *args)
                 if (errno != EINTR)
                         fatal("Couldn't wait for child: %s", strerror(errno));
         if (!WIFEXITED(status))
-                error("Shell exited abormally");
+                error("Shell exited abnormally");
         else if (WEXITSTATUS(status))
                 error("Shell exited with status %d", WEXITSTATUS(status));
 }
@@ -279,11 +300,11 @@ static char *
 path_append(char *p1, char *p2)
 {
         char *ret;
-        int len = strlen(p1) + strlen(p2) + 2;
+        size_t len = strlen(p1) + strlen(p2) + 2;
 
         ret = xmalloc(len);
         strlcpy(ret, p1, len);
-        if (p1[strlen(p1) - 1] != '/')
+        if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
                 strlcat(ret, "/", len);
         strlcat(ret, p2, len);
 
@@ -474,7 +495,7 @@ is_dir(char *path)
         if (stat(path, &sb) == -1)
                 return(0);
 
-        return(sb.st_mode & S_IFDIR);
+        return(S_ISDIR(sb.st_mode));
 }
 
 static int
@@ -498,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, char *path)
                 return(0);
         if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS))
                 return(0);
-        return(a->perm & S_IFDIR);
+        return(S_ISDIR(a->perm));
 }
 
 static int
@@ -538,6 +559,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
 
                 if (g.gl_matchc == 1 && dst) {
                         /* If directory specified, append filename */
+                        xfree(tmp);
                         if (is_dir(dst)) {
                                 if (infer_path(g.gl_pathv[0], &tmp)) {
                                         err = 1;
@@ -562,8 +584,6 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
 
 out:
         xfree(abs_src);
-        if (abs_dst)
-                xfree(abs_dst);
         globfree(&g);
         return(err);
 }
@@ -959,6 +979,7 @@ parse_args(const char **cpp, int *pflag, int *lflag, int *iflag,
         case I_CHOWN:
         case I_CHGRP:
                 /* Get numeric arg (mandatory) */
+                errno = 0;
                 l = strtol(cp, &cp2, base);
                 if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) &&
                     errno == ERANGE) || l < 0) {
@@ -1280,6 +1301,7 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
                         if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) {
                                 xfree(dir);
                                 xfree(pwd);
+                                xfree(conn);
                                 return (-1);
                         }
                 } else {
@@ -1292,6 +1314,7 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
                         err = parse_dispatch_command(conn, cmd, &pwd, 1);
                         xfree(dir);
                         xfree(pwd);
+                        xfree(conn);
                         return (err);
                 }
                 xfree(dir);
@@ -1356,6 +1379,7 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
                         break;
         }
         xfree(pwd);
+        xfree(conn);
 
 #ifdef USE_LIBEDIT
         if (el != NULL)
@@ -1455,7 +1479,7 @@ main(int argc, char **argv)
         __progname = ssh_get_progname(argv[0]);
         memset(&args, '\0', sizeof(args));
         args.list = NULL;
-        addargs(&args, ssh_program);
+        addargs(&args, "%s", ssh_program);
         addargs(&args, "-oForwardX11 no");
         addargs(&args, "-oForwardAgent no");
         addargs(&args, "-oPermitLocalCommand no");
@@ -1544,7 +1568,7 @@ main(int argc, char **argv)
                                 fprintf(stderr, "Missing username\n");
                                 usage();
                         }
-                        addargs(&args, "-l%s",userhost);
+                        addargs(&args, "-l%s", userhost);
                 }
 
                 if ((cp = colon(host)) != NULL) {
diff --git a/sftp.h b/sftp.h
index 675c6086e..610c0b758 100644
--- a/sftp.h
+++ b/sftp.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sftp.h,v 1.4 2002/02/13 00:59:23 djm Exp $    */
+/* $OpenBSD: sftp.h,v 1.5 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
diff --git a/ssh-add.0 b/ssh-add.0
index ee05d09d6..71ce5d26b 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -99,4 +99,4 @@ AUTHORS
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 3.9                   September 25, 1999                             2
+OpenBSD 4.1                   September 25, 1999                             2
diff --git a/ssh-add.c b/ssh-add.c
index 2b01e6f13..4dc46f6db 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-add.c,v 1.89 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,15 +36,27 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.74 2005/11/12 18:37:59 deraadt Exp $");
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
 
 #include <openssl/evp.h>
 
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "rsa.h"
 #include "log.h"
-#include "xmalloc.h"
 #include "key.h"
+#include "buffer.h"
 #include "authfd.h"
 #include "authfile.h"
 #include "pathnames.h"
@@ -124,16 +137,25 @@ delete_all(AuthenticationConnection *ac)
 static int
 add_file(AuthenticationConnection *ac, const char *filename)
 {
-        struct stat st;
         Key *private;
         char *comment = NULL;
         char msg[1024];
-        int ret = -1;
+        int fd, perms_ok, ret = -1;
 
-        if (stat(filename, &st) < 0) {
+        if ((fd = open(filename, O_RDONLY)) < 0) {
                 perror(filename);
                 return -1;
         }
+
+        /*
+         * Since we'll try to load a keyfile multiple times, permission errors
+         * will occur multiple times, so check perms first and bail if wrong.
+         */
+        perms_ok = key_perm_ok(fd, filename);
+        close(fd);
+        if (!perms_ok)
+                return -1;
+
         /* At first, try empty passphrase */
         private = key_load_private(filename, "", &comment);
         if (comment == NULL)
@@ -287,7 +309,7 @@ do_file(AuthenticationConnection *ac, int deleting, char *file)
 static void
 usage(void)
 {
-        fprintf(stderr, "Usage: %s [options]\n", __progname);
+        fprintf(stderr, "Usage: %s [options] [file ...]\n", __progname);
         fprintf(stderr, "Options:\n");
         fprintf(stderr, "  -l          List fingerprints of all identities.\n");
         fprintf(stderr, "  -L          List public key parameters of all identities.\n");
@@ -335,13 +357,11 @@ main(int argc, char **argv)
                         if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
                                 ret = 1;
                         goto done;
-                        break;
                 case 'x':
                 case 'X':
                         if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
                                 ret = 1;
                         goto done;
-                        break;
                 case 'c':
                         confirm = 1;
                         break;
@@ -352,7 +372,6 @@ main(int argc, char **argv)
                         if (delete_all(ac) == -1)
                                 ret = 1;
                         goto done;
-                        break;
                 case 's':
                         sc_reader_id = optarg;
                         break;
diff --git a/ssh-agent.0 b/ssh-agent.0
index 7d64d550f..f3f52b67d 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -114,4 +114,4 @@ AUTHORS
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 3.9                   September 25, 1999                             2
+OpenBSD 4.1                   September 25, 1999                             2
diff --git a/ssh-agent.1 b/ssh-agent.1
index fd6bd3f6c..f1b877790 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -70,7 +70,7 @@ The options are as follows:
 Bind the agent to the unix-domain socket
 .Ar bind_address .
 The default is
-.Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid> .
+.Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
 .It Fl c
 Generate C-shell commands on
 .Dv stdout .
@@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid>
+.It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
 Unix-domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.
diff --git a/ssh-agent.c b/ssh-agent.c
index a69c25eec..a3a867c33 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,18 +35,40 @@
  */
 
 #include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+# include <sys/un.h>
+#endif
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.124 2005/10/30 08:52:18 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "rsa.h"
 #include "buffer.h"
-#include "bufaux.h"
-#include "xmalloc.h"
-#include "getput.h"
 #include "key.h"
 #include "authfd.h"
 #include "compat.h"
@@ -99,8 +122,8 @@ int max_fd = 0;
 pid_t parent_pid = -1;
 
 /* pathname and directory for AUTH_SOCKET */
-char socket_name[1024];
-char socket_dir[1024];
+char socket_name[MAXPATHLEN];
+char socket_dir[MAXPATHLEN];
 
 /* locking */
 int locked = 0;
@@ -305,8 +328,8 @@ process_sign_request2(SocketEntry *e)
                 Identity *id = lookup_identity(key, 2);
                 if (id != NULL && (!id->confirm || confirm_key(id) == 0))
                         ok = key_sign(id->key, &signature, &slen, data, dlen);
+                key_free(key);
         }
-        key_free(key);
         buffer_init(&msg);
         if (ok == 0) {
                 buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE);
@@ -411,6 +434,7 @@ reaper(void)
                 for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
                         nxt = TAILQ_NEXT(id, next);
                         if (id->death != 0 && now >= id->death) {
+                                debug("expiring key '%s'", id->comment);
                                 TAILQ_REMOVE(&tab->idlist, id, next);
                                 free_identity(id);
                                 tab->nentries--;
@@ -675,13 +699,10 @@ process_message(SocketEntry *e)
         u_int msg_len, type;
         u_char *cp;
 
-        /* kill dead keys */
-        reaper();
-
         if (buffer_len(&e->input) < 5)
                 return;         /* Incomplete message. */
         cp = buffer_ptr(&e->input);
-        msg_len = GET_32BIT(cp);
+        msg_len = get_u32(cp);
         if (msg_len > 256 * 1024) {
                 close_socket(e);
                 return;
@@ -793,10 +814,7 @@ new_socket(sock_type type, int fd)
                 }
         old_alloc = sockets_alloc;
         new_alloc = sockets_alloc + 10;
-        if (sockets)
-                sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
-        else
-                sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+        sockets = xrealloc(sockets, new_alloc, sizeof(sockets[0]));
         for (i = old_alloc; i < new_alloc; i++)
                 sockets[i].type = AUTH_UNUSED;
         sockets_alloc = new_alloc;
@@ -877,7 +895,7 @@ after_select(fd_set *readset, fd_set *writeset)
                         if (FD_ISSET(sockets[i].fd, readset)) {
                                 slen = sizeof(sunaddr);
                                 sock = accept(sockets[i].fd,
-                                    (struct sockaddr *) &sunaddr, &slen);
+                                    (struct sockaddr *)&sunaddr, &slen);
                                 if (sock < 0) {
                                         error("accept from AUTH_SOCKET: %s",
                                             strerror(errno));
@@ -954,6 +972,7 @@ cleanup_exit(int i)
         _exit(i);
 }
 
+/*ARGSUSED*/
 static void
 cleanup_handler(int sig)
 {
@@ -961,6 +980,7 @@ cleanup_handler(int sig)
         _exit(2);
 }
 
+/*ARGSUSED*/
 static void
 check_parent_exists(int sig)
 {
@@ -994,7 +1014,7 @@ int
 main(int ac, char **av)
 {
         int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
-        int sock, fd,  ch;
+        int sock, fd, ch, result, saved_errno;
         u_int nalloc;
         char *shell, *format, *pidstr, *agentsocket = NULL;
         fd_set *readsetp = NULL, *writesetp = NULL;
@@ -1007,6 +1027,7 @@ main(int ac, char **av)
         extern char *optarg;
         pid_t pid;
         char pidstrbuf[1 + 3 * sizeof pid];
+        struct timeval tv;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
@@ -1067,20 +1088,24 @@ main(int ac, char **av)
 
         if (ac == 0 && !c_flag && !s_flag) {
                 shell = getenv("SHELL");
-                if (shell != NULL && strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
+                if (shell != NULL &&
+                    strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
                         c_flag = 1;
         }
         if (k_flag) {
+                const char *errstr = NULL;
+
                 pidstr = getenv(SSH_AGENTPID_ENV_NAME);
                 if (pidstr == NULL) {
                         fprintf(stderr, "%s not set, cannot kill agent\n",
                             SSH_AGENTPID_ENV_NAME);
                         exit(1);
                 }
-                pid = atoi(pidstr);
-                if (pid < 1) {
-                        fprintf(stderr, "%s=\"%s\", which is not a good PID\n",
-                            SSH_AGENTPID_ENV_NAME, pidstr);
+                pid = (int)strtonum(pidstr, 2, INT_MAX, &errstr);
+                if (errstr) {
+                        fprintf(stderr,
+                            "%s=\"%s\", which is not a good PID: %s\n",
+                            SSH_AGENTPID_ENV_NAME, pidstr, errstr);
                         exit(1);
                 }
                 if (kill(pid, SIGTERM) == -1) {
@@ -1124,7 +1149,7 @@ main(int ac, char **av)
         sunaddr.sun_family = AF_UNIX;
         strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
         prev_mask = umask(0177);
-        if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) {
+        if (bind(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) {
                 perror("bind");
                 *socket_name = '\0'; /* Don't unlink any existing file */
                 umask(prev_mask);
@@ -1216,13 +1241,18 @@ skip:
         nalloc = 0;
 
         while (1) {
+                tv.tv_sec = 10;
+                tv.tv_usec = 0;
                 prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
-                if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
-                        if (errno == EINTR)
+                result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
+                saved_errno = errno;
+                reaper();       /* remove expired keys */
+                if (result < 0) {
+                        if (saved_errno == EINTR)
                                 continue;
-                        fatal("select: %s", strerror(errno));
-                }
-                after_select(readsetp, writesetp);
+                        fatal("select: %s", strerror(saved_errno));
+                } else if (result > 0)
+                        after_select(readsetp, writesetp);
         }
         /* NOTREACHED */
 }
diff --git a/ssh-dss.c b/ssh-dss.c
index 381b7dedb..51a06e98f 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-dss.c,v 1.24 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,14 +24,17 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-dss.c,v 1.19 2003/11/10 16:23:41 jakob Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "compat.h"
 #include "log.h"
 #include "key.h"
@@ -157,8 +161,9 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
                 fatal("ssh_dss_verify: BN_new failed");
         if ((sig->s = BN_new()) == NULL)
                 fatal("ssh_dss_verify: BN_new failed");
-        BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
-        BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
+        if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
+            (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
+                fatal("ssh_dss_verify: BN_bin2bn failed");
 
         /* clean up */
         memset(sigblob, 0, len);
diff --git a/ssh-gss.h b/ssh-gss.h
index 213930103..ca8da70a2 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh-gss.h,v 1.5 2004/06/21 17:36:31 avsm Exp $        */
+/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -28,8 +28,6 @@
 
 #ifdef GSSAPI
 
-#include "buffer.h"
-
 #ifdef HAVE_GSSAPI_H
 #include <gssapi.h>
 #elif defined(HAVE_GSSAPI_GSSAPI_H)
@@ -62,14 +60,15 @@
 
 #define SSH_GSS_OIDTYPE 0x06
 
-#define SSH2_MSG_KEXGSS_INIT                           30
-#define SSH2_MSG_KEXGSS_CONTINUE                       31
-#define SSH2_MSG_KEXGSS_COMPLETE                       32
-#define SSH2_MSG_KEXGSS_HOSTKEY                                33
-#define SSH2_MSG_KEXGSS_ERROR                          34
+#define SSH2_MSG_KEXGSS_INIT                            30
+#define SSH2_MSG_KEXGSS_CONTINUE                        31
+#define SSH2_MSG_KEXGSS_COMPLETE                        32
+#define SSH2_MSG_KEXGSS_HOSTKEY                         33
+#define SSH2_MSG_KEXGSS_ERROR                           34
 #define SSH2_MSG_KEXGSS_GROUPREQ                        40
 #define SSH2_MSG_KEXGSS_GROUP                           41
 #define KEX_GSS_GRP1_SHA1_ID                            "gss-group1-sha1-"
+#define KEX_GSS_GRP14_SHA1_ID                           "gss-group14-sha1-"
 #define KEX_GSS_GEX_SHA1_ID                             "gss-gex-sha1-"
 
 typedef struct {
@@ -131,20 +130,21 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 
-typedef int ssh_gssapi_check_fn(gss_OID, void *);
+/* In the server */
+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *);
 char *ssh_gssapi_client_mechanisms(const char *host);
-char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, void *);
-int ssh_gssapi_check_mechanism(gss_OID, void *);
-gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int *);
-
-int ssh_gssapi_server_check_mech(gss_OID, void *);
+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *);
+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *);
 int ssh_gssapi_userok(char *name);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
 void ssh_gssapi_storecreds(void);
-char * ssh_gssapi_server_mechanisms(void);
+
+char *ssh_gssapi_server_mechanisms(void);
 int ssh_gssapi_oid_table_ok();
 #endif /* GSSAPI */
 
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index a972607b2..fe169d81c 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -93,7 +93,7 @@ DESCRIPTION
              Download the RSA public key stored in the smartcard in reader.
 
      -e      This option will read a private or public OpenSSH key file and
-             print the key in a `SECSH Public Key File Format' to stdout.
+             print the key in RFC 4716 SSH Public Key File Format to stdout.
              This option allows exporting keys for use by several commercial
              SSH implementations.
 
@@ -124,9 +124,9 @@ DESCRIPTION
 
      -i      This option will read an unencrypted private (or public) key file
              in SSH2-compatible format and print an OpenSSH compatible private
-             (or public) key to stdout.  ssh-keygen also reads the `SECSH
-             Public Key File Format'.  This option allows importing keys from
-             several commercial SSH implementations.
+             (or public) key to stdout.  ssh-keygen also reads the RFC 4716
+             SSH Public Key File Format.  This option allows importing keys
+             from several commercial SSH implementations.
 
      -l      Show fingerprint of specified public key file.  Private RSA1 keys
              are also supported.  For RSA and DSA keys ssh-keygen tries to
@@ -275,8 +275,7 @@ FILES
 SEE ALSO
      ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
 
-     J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
-     secsh-publickeyfile-01.txt, March 2001, work in progress material.
+     The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
 
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -285,4 +284,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 3.9                   September 25, 1999                             5
+OpenBSD 4.1                   September 25, 1999                             5
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index ab16bcd77..5a8c8c471 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -205,8 +205,8 @@ Download the RSA public key stored in the smartcard in
 .Ar reader .
 .It Fl e
 This option will read a private or public OpenSSH key file and
-print the key in a
-.Sq SECSH Public Key File Format
+print the key in
+RFC 4716 SSH Public Key File Format
 to stdout.
 This option allows exporting keys for use by several commercial
 SSH implementations.
@@ -253,7 +253,7 @@ in SSH2-compatible format and print an OpenSSH compatible private
 (or public) key to stdout.
 .Nm
 also reads the
-.Sq SECSH Public Key File Format .
+RFC 4716 SSH Public Key File Format.
 This option allows importing keys from several commercial
 SSH implementations.
 .It Fl l
@@ -450,12 +450,9 @@ The file format is described in
 .Xr moduli 5 ,
 .Xr sshd 8
 .Rs
-.%A J. Galbraith
-.%A R. Thayer
-.%T "SECSH Public Key File Format"
-.%N draft-ietf-secsh-publickeyfile-01.txt
-.%D March 2001
-.%O work in progress material
+.%R RFC 4716
+.%T "The Secure Shell (SSH) Public Key File Format"
+.%D 2006
 .Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 64fadc7a1..04a9b939a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,28 +13,44 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/param.h>
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
 #include "key.h"
 #include "rsa.h"
 #include "authfile.h"
 #include "uuencode.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "pathnames.h"
 #include "log.h"
 #include "misc.h"
 #include "match.h"
 #include "hostfile.h"
+#include "dns.h"
 
 #ifdef SMARTCARD
 #include "scard.h"
 #endif
-#include "dns.h"
 
 /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
 #define DEFAULT_BITS            2048
@@ -103,7 +120,7 @@ ask_filename(struct passwd *pw, const char *prompt)
 
         if (key_type_name == NULL)
                 name = _PATH_SSH_CLIENT_ID_RSA;
-        else
+        else {
                 switch (key_type_from_name(key_type_name)) {
                 case KEY_RSA1:
                         name = _PATH_SSH_CLIENT_IDENTITY;
@@ -119,7 +136,7 @@ ask_filename(struct passwd *pw, const char *prompt)
                         exit(1);
                         break;
                 }
-
+        }
         snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
         fprintf(stderr, "%s (%s): ", prompt, identity_file);
         if (fgets(buf, sizeof(buf), stdin) == NULL)
@@ -205,7 +222,8 @@ buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
         if (buffer_len(b) < bytes)
                 fatal("buffer_get_bignum_bits: input buffer too small: "
                     "need %d have %d", bytes, buffer_len(b));
-        BN_bin2bn(buffer_ptr(b), bytes, value);
+        if (BN_bin2bn(buffer_ptr(b), bytes, value) == NULL)
+                fatal("buffer_get_bignum_bits: BN_bin2bn failed");
         buffer_consume(b, bytes);
 }
 
@@ -223,7 +241,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
         buffer_init(&b);
         buffer_append(&b, blob, blen);
 
-        magic  = buffer_get_int(&b);
+        magic = buffer_get_int(&b);
         if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
                 error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
                 buffer_free(&b);
@@ -235,7 +253,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
         i2 = buffer_get_int(&b);
         i3 = buffer_get_int(&b);
         i4 = buffer_get_int(&b);
-        debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
+        debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
         if (strcmp(cipher, "none") != 0) {
                 error("unsupported cipher %s", cipher);
                 xfree(cipher);
@@ -266,7 +284,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
                 buffer_get_bignum_bits(&b, key->dsa->priv_key);
                 break;
         case KEY_RSA:
-                e  = buffer_get_char(&b);
+                e = buffer_get_char(&b);
                 debug("e %lx", e);
                 if (e < 30) {
                         e <<= 8;
@@ -302,13 +320,43 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
         return key;
 }
 
+static int
+get_line(FILE *fp, char *line, size_t len)
+{
+        int c;
+        size_t pos = 0;
+
+        line[0] = '\0';
+        while ((c = fgetc(fp)) != EOF) {
+                if (pos >= len - 1) {
+                        fprintf(stderr, "input line too long.\n");
+                        exit(1);
+                }
+                switch (c) {
+                case '\r':
+                        c = fgetc(fp);
+                        if (c != EOF && c != '\n' && ungetc(c, fp) == EOF) {
+                                fprintf(stderr, "unget: %s\n", strerror(errno));
+                                exit(1);
+                        }
+                        return pos;
+                case '\n':
+                        return pos;
+                }
+                line[pos++] = c;
+                line[pos] = '\0';
+        }
+        /* We reached EOF */
+        return -1;
+}
+
 static void
 do_convert_from_ssh2(struct passwd *pw)
 {
         Key *k;
         int blen;
         u_int len;
-        char line[1024], *p;
+        char line[1024];
         u_char blob[8096];
         char encoded[8096];
         struct stat st;
@@ -327,12 +375,8 @@ do_convert_from_ssh2(struct passwd *pw)
                 exit(1);
         }
         encoded[0] = '\0';
-        while (fgets(line, sizeof(line), fp)) {
-                if (!(p = strchr(line, '\n'))) {
-                        fprintf(stderr, "input line too long.\n");
-                        exit(1);
-                }
-                if (p > line && p[-1] == '\\')
+        while ((blen = get_line(fp, line, sizeof(line))) != -1) {
+                if (line[blen - 1] == '\\')
                         escaped++;
                 if (strncmp(line, "----", 4) == 0 ||
                     strstr(line, ": ") != NULL) {
@@ -349,7 +393,6 @@ do_convert_from_ssh2(struct passwd *pw)
                         /* fprintf(stderr, "escaped: %s", line); */
                         continue;
                 }
-                *p = '\0';
                 strlcat(encoded, line, sizeof(encoded));
         }
         len = strlen(encoded);
@@ -485,8 +528,10 @@ do_fingerprint(struct passwd *pw)
                 xfree(fp);
                 exit(0);
         }
-        if (comment)
+        if (comment) {
                 xfree(comment);
+                comment = NULL;
+        }
 
         f = fopen(identity_file, "r");
         if (f != NULL) {
@@ -508,7 +553,7 @@ do_fingerprint(struct passwd *pw)
                         for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
                                 ;
                         if (!*cp || *cp == '\n' || *cp == '#')
-                                continue ;
+                                continue;
                         i = strtol(cp, &ep, 10);
                         if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
                                 int quoted = 0;
@@ -832,30 +877,32 @@ do_change_passphrase(struct passwd *pw)
 /*
  * Print the SSHFP RR.
  */
-static void
-do_print_resource_record(struct passwd *pw, char *hname)
+static int
+do_print_resource_record(struct passwd *pw, char *fname, char *hname)
 {
         Key *public;
         char *comment = NULL;
         struct stat st;
 
-        if (!have_identity)
+        if (fname == NULL)
                 ask_filename(pw, "Enter file in which the key is");
-        if (stat(identity_file, &st) < 0) {
-                perror(identity_file);
+        if (stat(fname, &st) < 0) {
+                if (errno == ENOENT)
+                        return 0;
+                perror(fname);
                 exit(1);
         }
-        public = key_load_public(identity_file, &comment);
+        public = key_load_public(fname, &comment);
         if (public != NULL) {
                 export_dns_rr(hname, public, stdout, print_generic);
                 key_free(public);
                 xfree(comment);
-                exit(0);
+                return 1;
         }
         if (comment)
                 xfree(comment);
 
-        printf("failed to read v2 public key from %s.\n", identity_file);
+        printf("failed to read v2 public key from %s.\n", fname);
         exit(1);
 }
 
@@ -969,13 +1016,13 @@ usage(void)
 #ifdef SMARTCARD
         fprintf(stderr, "  -D reader   Download public key from smartcard.\n");
 #endif /* SMARTCARD */
-        fprintf(stderr, "  -e          Convert OpenSSH to IETF SECSH key file.\n");
+        fprintf(stderr, "  -e          Convert OpenSSH to RFC 4716 key file.\n");
         fprintf(stderr, "  -F hostname Find hostname in known hosts file.\n");
         fprintf(stderr, "  -f filename Filename of the key file.\n");
         fprintf(stderr, "  -G file     Generate candidates for DH-GEX moduli.\n");
         fprintf(stderr, "  -g          Use generic DNS resource record format.\n");
         fprintf(stderr, "  -H          Hash names in known_hosts file.\n");
-        fprintf(stderr, "  -i          Convert IETF SECSH to OpenSSH key file.\n");
+        fprintf(stderr, "  -i          Convert RFC 4716 to OpenSSH key file.\n");
         fprintf(stderr, "  -l          Show fingerprint of key file.\n");
         fprintf(stderr, "  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.\n");
         fprintf(stderr, "  -N phrase   Provide new passphrase.\n");
@@ -1001,7 +1048,7 @@ usage(void)
  * Main program for key management.
  */
 int
-main(int ac, char **av)
+main(int argc, char **argv)
 {
         char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
         char out_file[MAXPATHLEN], *reader_id = NULL;
@@ -1023,10 +1070,10 @@ main(int ac, char **av)
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
 
-        __progname = ssh_get_progname(av[0]);
+        __progname = ssh_get_progname(argv[0]);
 
         SSLeay_add_all_algorithms();
-        log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+        log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 
         init_rng();
         seed_rng();
@@ -1042,11 +1089,11 @@ main(int ac, char **av)
                 exit(1);
         }
 
-        while ((opt = getopt(ac, av,
+        while ((opt = getopt(argc, argv,
             "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
                 switch (opt) {
                 case 'b':
-                        bits = strtonum(optarg, 768, 32768, &errstr);
+                        bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
                         if (errstr)
                                 fatal("Bits has bad value %s (%s)",
                                         optarg, errstr);
@@ -1116,6 +1163,7 @@ main(int ac, char **av)
                         break;
                 case 'D':
                         download = 1;
+                        /*FALLTHROUGH*/
                 case 'U':
                         reader_id = optarg;
                         break;
@@ -1132,19 +1180,20 @@ main(int ac, char **av)
                         rr_hostname = optarg;
                         break;
                 case 'W':
-                        generator_wanted = strtonum(optarg, 1, UINT_MAX, &errstr);
+                        generator_wanted = (u_int32_t)strtonum(optarg, 1,
+                            UINT_MAX, &errstr);
                         if (errstr)
                                 fatal("Desired generator has bad value: %s (%s)",
                                         optarg, errstr);
                         break;
                 case 'a':
-                        trials = strtonum(optarg, 1, UINT_MAX, &errstr);
+                        trials = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
                         if (errstr)
                                 fatal("Invalid number of trials: %s (%s)",
                                         optarg, errstr);
                         break;
                 case 'M':
-                        memory = strtonum(optarg, 1, UINT_MAX, &errstr);
+                        memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
                         if (errstr) {
                                 fatal("Memory limit is %s: %s", errstr, optarg);
                         }
@@ -1173,9 +1222,9 @@ main(int ac, char **av)
         }
 
         /* reinit */
-        log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
+        log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1);
 
-        if (optind < ac) {
+        if (optind < argc) {
                 printf("Too many arguments.\n");
                 usage();
         }
@@ -1198,7 +1247,27 @@ main(int ac, char **av)
         if (print_public)
                 do_print_public(pw);
         if (rr_hostname != NULL) {
-                do_print_resource_record(pw, rr_hostname);
+                unsigned int n = 0;
+
+                if (have_identity) {
+                        n = do_print_resource_record(pw,
+                            identity_file, rr_hostname);
+                        if (n == 0) {
+                                perror(identity_file);
+                                exit(1);
+                        }
+                        exit(0);
+                } else {
+
+                        n += do_print_resource_record(pw,
+                            _PATH_HOST_RSA_KEY_FILE, rr_hostname);
+                        n += do_print_resource_record(pw,
+                            _PATH_HOST_DSA_KEY_FILE, rr_hostname);
+
+                        if (n == 0)
+                                fatal("no keys found.");
+                        exit(0);
+                }
         }
         if (reader_id != NULL) {
 #ifdef SMARTCARD
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 0206c04fb..f655abd47 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -56,7 +56,7 @@ DESCRIPTION
              about its progress.
 
 SECURITY
-     If a ssh_known_hosts file is constructed using ssh-keyscan without veri-
+     If an ssh_known_hosts file is constructed using ssh-keyscan without veri-
      fying the keys, users will be vulnerable to man in the middle attacks.
      On the other hand, if the security model allows such a risk, ssh-keyscan
      can help in the detection of tampered keyfiles or man in the middle at-
@@ -104,4 +104,4 @@ BUGS
      This is because it opens a connection to the ssh port, reads the public
      key, and drops the connection as soon as it gets the key.
 
-OpenBSD 3.9                     January 1, 1996                              2
+OpenBSD 4.1                     January 1, 1996                              2
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 80fc8cd96..a3656fc77 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -102,7 +102,7 @@ Causes
 to print debugging messages about its progress.
 .El
 .Sh SECURITY
-If a ssh_known_hosts file is constructed using
+If an ssh_known_hosts file is constructed using
 .Nm
 without verifying the keys, users will be vulnerable to
 .Em man in the middle
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index f429c2c02..7ffbda421 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-keyscan.c,v 1.74 2006/10/06 02:29:19 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -7,24 +8,39 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.57 2005/10/30 04:01:03 djm Exp $");
-
+ 
 #include "openbsd-compat/sys-queue.h"
+#include <sys/resource.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
 
 #include <openssl/bn.h>
 
+#include <netdb.h>
+#include <errno.h>
 #include <setjmp.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
+#include "buffer.h"
 #include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "compat.h"
 #include "myproposal.h"
 #include "packet.h"
 #include "dispatch.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "log.h"
 #include "atomicio.h"
 #include "misc.h"
@@ -54,7 +70,7 @@ int maxfd;
 
 extern char *__progname;
 fd_set *read_wait;
-size_t read_wait_size;
+size_t read_wait_nfdset;
 int ncon;
 int nonfatal_fatal = 0;
 jmp_buf kexjmp;
@@ -128,7 +144,7 @@ Linebuf_alloc(const char *filename, void (*errfun) (const char *,...))
                 lb->stream = stdin;
         }
 
-        if (!(lb->buf = malloc(lb->size = LINEBUF_SIZE))) {
+        if (!(lb->buf = malloc((lb->size = LINEBUF_SIZE)))) {
                 if (errfun)
                         (*errfun) ("linebuf (%s): malloc failed\n", lb->filename);
                 xfree(lb);
@@ -350,6 +366,7 @@ keygrab_ssh2(con *c)
         c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
         c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
         c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+        c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
         c->c_kex->verify_host_key = hostjump;
 
         if (!(j = setjmp(kexjmp))) {
@@ -602,7 +619,6 @@ conread(int s)
                         keyprint(c, keygrab_ssh1(c));
                         confree(s);
                         return;
-                        break;
                 default:
                         fatal("conread: invalid status %d", c->c_status);
                         break;
@@ -634,10 +650,10 @@ conloop(void)
         } else
                 seltime.tv_sec = seltime.tv_usec = 0;
 
-        r = xmalloc(read_wait_size);
-        memcpy(r, read_wait, read_wait_size);
-        e = xmalloc(read_wait_size);
-        memcpy(e, read_wait, read_wait_size);
+        r = xcalloc(read_wait_nfdset, sizeof(fd_mask));
+        e = xcalloc(read_wait_nfdset, sizeof(fd_mask));
+        memcpy(r, read_wait, read_wait_nfdset * sizeof(fd_mask));
+        memcpy(e, read_wait, read_wait_nfdset * sizeof(fd_mask));
 
         while (select(maxfd, r, NULL, e, &seltime) == -1 &&
             (errno == EAGAIN || errno == EINTR))
@@ -804,12 +820,10 @@ main(int argc, char **argv)
                 fatal("%s: not enough file descriptors", __progname);
         if (maxfd > fdlim_get(0))
                 fdlim_set(maxfd);
-        fdcon = xmalloc(maxfd * sizeof(con));
-        memset(fdcon, 0, maxfd * sizeof(con));
+        fdcon = xcalloc(maxfd, sizeof(con));
 
-        read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
-        read_wait = xmalloc(read_wait_size);
-        memset(read_wait, 0, read_wait_size);
+        read_wait_nfdset = howmany(maxfd, NFDBITS);
+        read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
 
         if (fopt_count) {
                 Linebuf *lb;
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index c32c42fb2..d509f5ef0 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -1,14 +1,14 @@
 SSH-KEYSIGN(8)          OpenBSD System Manager's Manual         SSH-KEYSIGN(8)
 
 NAME
-     ssh-keysign - ssh helper program for hostbased authentication
+     ssh-keysign - ssh helper program for host-based authentication
 
 SYNOPSIS
      ssh-keysign
 
 DESCRIPTION
      ssh-keysign is used by ssh(1) to access the local host keys and generate
-     the digital signature required during hostbased authentication with SSH
+     the digital signature required during host-based authentication with SSH
      protocol version 2.
 
      ssh-keysign is disabled by default and can only be enabled in the global
@@ -16,7 +16,7 @@ DESCRIPTION
      to ``yes''.
 
      ssh-keysign is not intended to be invoked by the user, but from ssh(1).
-     See ssh(1) and sshd(8) for more information about hostbased authentica-
+     See ssh(1) and sshd(8) for more information about host-based authentica-
      tion.
 
 FILES
@@ -28,7 +28,7 @@ FILES
              generate the digital signature.  They should be owned by root,
              readable only by root, and not accessible to others.  Since they
              are readable only by root, ssh-keysign must be set-uid root if
-             hostbased authentication is used.
+             host-based authentication is used.
 
 SEE ALSO
      ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
@@ -39,4 +39,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 3.9                      May 24, 2002                                1
+OpenBSD 4.1                      May 24, 2002                                1
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index a17e8d5cf..4cdcb7a43 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -27,7 +27,7 @@
 .Os
 .Sh NAME
 .Nm ssh-keysign
-.Nd ssh helper program for hostbased authentication
+.Nd ssh helper program for host-based authentication
 .Sh SYNOPSIS
 .Nm
 .Sh DESCRIPTION
@@ -35,7 +35,7 @@
 is used by
 .Xr ssh 1
 to access the local host keys and generate the digital signature
-required during hostbased authentication with SSH protocol version 2.
+required during host-based authentication with SSH protocol version 2.
 .Pp
 .Nm
 is disabled by default and can only be enabled in the
@@ -53,7 +53,7 @@ See
 .Xr ssh 1
 and
 .Xr sshd 8
-for more information about hostbased authentication.
+for more information about host-based authentication.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/ssh_config
@@ -67,7 +67,7 @@ They should be owned by root, readable only by root, and not
 accessible to others.
 Since they are readable only by root,
 .Nm
-must be set-uid root if hostbased authentication is used.
+must be set-uid root if host-based authentication is used.
 .El
 .Sh SEE ALSO
 .Xr ssh 1 ,
diff --git a/ssh-keysign.c b/ssh-keysign.c
index dae3a2e8c..c4bc7e56e 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-keysign.c,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -21,21 +22,30 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $");
+
+#include <fcntl.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 
+#include "xmalloc.h"
 #include "log.h"
 #include "key.h"
 #include "ssh.h"
 #include "ssh2.h"
 #include "misc.h"
-#include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "authfile.h"
 #include "msg.h"
 #include "canohost.h"
@@ -64,9 +74,9 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
         buffer_init(&b);
         buffer_append(&b, data, datalen);
 
-        /* session id, currently limited to SHA1 (20 bytes) */
+        /* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
         p = buffer_get_string(&b, &len);
-        if (len != 20)
+        if (len != 20 && len != 32)
                 fail++;
         xfree(p);
 
@@ -140,7 +150,7 @@ main(int argc, char **argv)
 {
         Buffer b;
         Options options;
-        Key *keys[2], *key;
+        Key *keys[2], *key = NULL;
         struct passwd *pw;
         int key_fd[2], i, found, version = 2, fd;
         u_char *signature, *data;
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 75ad52fa4..429582b78 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -1,7 +1,7 @@
 SSH-RAND-HELPER(8)      OpenBSD System Manager's Manual     SSH-RAND-HELPER(8)
 
 NAME
-     ssh-rand-helper - Random number gatherer for OpenSSH
+     ssh-rand-helper - random number gatherer for OpenSSH
 
 SYNOPSIS
      ssh-rand-hlper [-vxXh] [-b bytes]
@@ -38,7 +38,9 @@ DESCRIPTION
      -X      Force output of a binary seed, even if standard output is a tty
 
      -v      Turn on debugging message. Multiple -v options will increase the
-             debugging level.  -h Display a summary of options.
+             debugging level.
+
+     -h      Display a summary of options.
 
 AUTHORS
      Damien Miller <djm@mindrot.org>
@@ -46,4 +48,4 @@ AUTHORS
 SEE ALSO
      ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 
-OpenBSD 3.9                     April 14, 2002                               1
+OpenBSD 4.1                     April 14, 2002                               1
diff --git a/ssh-rand-helper.8 b/ssh-rand-helper.8
index df559d332..af5a72fcb 100644
--- a/ssh-rand-helper.8
+++ b/ssh-rand-helper.8
@@ -1,4 +1,4 @@
-.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $
+.\" $Id: ssh-rand-helper.8,v 1.3 2007/01/22 01:44:53 djm Exp $
 .\"
 .\" Copyright (c) 2002 Damien Miller.  All rights reserved.
 .\"
@@ -27,7 +27,7 @@
 .Os
 .Sh NAME
 .Nm ssh-rand-helper
-.Nd Random number gatherer for OpenSSH
+.Nd random number gatherer for OpenSSH
 .Sh SYNOPSIS
 .Nm ssh-rand-hlper
 .Op Fl vxXh
@@ -82,7 +82,7 @@ Force output of a binary seed, even if standard output is a tty
 Turn on debugging message. Multiple
 .Fl v
 options will increase the debugging level.
-.Fl h
+.It Fl h
 Display a summary of options.
 .El
 .Sh AUTHORS
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index 87e52cf75..8520c3a62 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -24,6 +24,29 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/socket.h>
+
+#include <stdarg.h>
+#include <stddef.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#ifdef HAVE_SYS_UN_H
+# include <sys/un.h>
+#endif
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <signal.h>
+#include <time.h>
+#include <unistd.h>
+
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 #include <openssl/crypto.h>
@@ -39,8 +62,6 @@
 #include "pathnames.h"
 #include "log.h"
 
-RCSID("$Id: ssh-rand-helper.c,v 1.26 2005/07/17 07:26:44 djm Exp $");
-
 /* Number of bytes we write out */
 #define OUTPUT_SEED_SIZE        48
 
@@ -564,7 +585,8 @@ prng_write_seedfile(void)
         /* Try to ensure that the parent directory is there */
         snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
             _PATH_SSH_USER_DIR);
-        mkdir(filename, 0700);
+        if (mkdir(filename, 0700) < 0 && errno != EEXIST)
+                fatal("mkdir %.200s: %s", filename, strerror(errno));
 
         snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
             SSH_PRNG_SEED_FILE);
@@ -665,8 +687,7 @@ prng_read_commands(char *cmdfilename)
         }
 
         num_cmds = 64;
-        entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t));
-        memset(entcmd, '\0', num_cmds * sizeof(entropy_cmd_t));
+        entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
 
         /* Read in file */
         cur_cmd = linenum = 0;
@@ -759,7 +780,7 @@ prng_read_commands(char *cmdfilename)
                  */
                 if (cur_cmd == num_cmds) {
                         num_cmds *= 2;
-                        entcmd = xrealloc(entcmd, num_cmds *
+                        entcmd = xrealloc(entcmd, num_cmds,
                             sizeof(entropy_cmd_t));
                 }
         }
@@ -768,12 +789,13 @@ prng_read_commands(char *cmdfilename)
         memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t));
 
         /* trim to size */
-        entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) *
+        entropy_cmds = xrealloc(entcmd, (cur_cmd + 1),
             sizeof(entropy_cmd_t));
 
         debug("Loaded %d entropy commands from %.100s", cur_cmd,
             cmdfilename);
 
+        fclose(f);
         return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0;
 }
 
diff --git a/ssh-rsa.c b/ssh-rsa.c
index eb422d07e..0e16ff85f 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh-rsa.c,v 1.39 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -13,16 +14,20 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
 #include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.32 2005/06/17 02:44:33 djm Exp $");
+
+#include <sys/types.h>
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
 
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
 #include "log.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "key.h"
 #include "compat.h"
 #include "ssh.h"
@@ -62,6 +67,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
 
         if (ok != 1) {
                 int ecode = ERR_get_error();
+
                 error("ssh_rsa_sign: RSA_sign failed: %s",
                     ERR_error_string(ecode, NULL));
                 xfree(sig);
@@ -144,7 +150,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
                 u_int diff = modlen - len;
                 debug("ssh_rsa_verify: add padding: modlen %u > len %u",
                     modlen, len);
-                sigblob = xrealloc(sigblob, modlen);
+                sigblob = xrealloc(sigblob, 1, modlen);
                 memmove(sigblob + diff, sigblob, len);
                 memset(sigblob, 0, diff);
                 len = modlen;
@@ -220,7 +226,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
                 break;
         default:
                 goto done;
-                break;
         }
         if (hashlen != hlen) {
                 error("bad hashlen");
diff --git a/ssh.0 b/ssh.0
index 83c4b94eb..c31e17eaf 100644
--- a/ssh.0
+++ b/ssh.0
@@ -9,7 +9,7 @@ SYNOPSIS
          [-i identity_file] [-L [bind_address:]port:host:hostport]
          [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
          [-R [bind_address:]port:host:hostport] [-S ctl_path]
-         [-w tunnel:tunnel] [user@]hostname [command]
+         [-w local_tun[:remote_tun]] [user@]hostname [command]
 
 DESCRIPTION
      ssh (SSH client) is a program for logging into a remote machine and for
@@ -225,6 +225,7 @@ DESCRIPTION
                    ControlPath
                    DynamicForward
                    EscapeChar
+                   ExitOnForwardFailure
                    ForwardAgent
                    ForwardX11
                    ForwardX11Trusted
@@ -315,7 +316,7 @@ DESCRIPTION
 
      -t      Force pseudo-tty allocation.  This can be used to execute arbi-
              trary screen-based programs on a remote machine, which can be
-             very useful, e.g., when implementing menu services.  Multiple -t
+             very useful, e.g. when implementing menu services.  Multiple -t
              options force tty allocation, even if ssh has no local tty.
 
      -V      Display the version number and exit.
@@ -325,11 +326,16 @@ DESCRIPTION
              tion, and configuration problems.  Multiple -v options increase
              the verbosity.  The maximum is 3.
 
-     -w tunnel:tunnel
-             Requests a tun(4) device on the client (first tunnel arg) and
-             server (second tunnel arg).  The devices may be specified by nu-
-             merical ID or the keyword ``any'', which uses the next available
-             tunnel device.  See also the Tunnel directive in ssh_config(5).
+     -w local_tun[:remote_tun]
+             Requests tunnel device forwarding with the specified tun(4) de-
+             vices between the client (local_tun) and the server (remote_tun).
+
+             The devices may be specified by numerical ID or the keyword
+             ``any'', which uses the next available tunnel device.  If
+             remote_tun is not specified, it defaults to ``any''.  See also
+             the Tunnel and TunnelDevice directives in ssh_config(5).  If the
+             Tunnel directive is unset, it is set to the default tunnel mode,
+             which is ``point-to-point''.
 
      -X      Enables X11 forwarding.  This can also be specified on a per-host
              basis in a configuration file.
@@ -368,11 +374,11 @@ AUTHENTICATION
      integrity (hmac-md5, hmac-sha1, hmac-ripemd160).  Protocol 1 lacks a
      strong mechanism for ensuring the integrity of the connection.
 
-     The methods available for authentication are: host-based authentication,
-     public key authentication, challenge-response authentication, and pass-
-     word authentication.  Authentication methods are tried in the order spec-
-     ified above, though protocol 2 has a configuration option to change the
-     default order: PreferredAuthentications.
+     The methods available for authentication are: GSSAPI-based authentica-
+     tion, host-based authentication, public key authentication, challenge-re-
+     sponse authentication, and password authentication.  Authentication meth-
+     ods are tried in the order specified above, though protocol 2 has a con-
+     figuration option to change the default order: PreferredAuthentications.
 
      Host-based authentication works as follows: If the machine the user logs
      in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
@@ -487,8 +493,8 @@ ESCAPE CHARACTERS
      ~C      Open command line.  Currently this allows the addition of port
              forwardings using the -L and -R options (see above).  It also al-
              lows the cancellation of existing remote port-forwardings using
-             -KR hostport.  !command allows the user to execute a local com-
-             mand if the PermitLocalCommand option is enabled in
+             -KR[bind_address:]port.  !command allows the user to execute a
+             local command if the PermitLocalCommand option is enabled in
              ssh_config(5).  Basic help is available, using the -h option.
 
      ~R      Request rekeying of the connection (only useful for SSH protocol
@@ -573,8 +579,7 @@ VERIFYING HOST KEYS
      ``host.example.com''.  The SSHFP resource records should first be added
      to the zonefile for host.example.com:
 
-           $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
-           $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
+           $ ssh-keygen -r host.example.com.
 
      The output lines will have to be added to the zonefile.  To check that
      the zone is answering fingerprint queries:
@@ -598,24 +603,34 @@ SSH-BASED VIRTUAL PRIVATE NETWORKS
      fic).
 
      The following example would connect client network 10.0.50.0/24 with re-
-     mote network 10.0.99.0/24, provided that the SSH server running on the
-     gateway to the remote network, at 192.168.1.15, allows it:
+     mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
+     to 10.1.1.2, provided that the SSH server running on the gateway to the
+     remote network, at 192.168.1.15, allows it.
+
+     On the client:
 
            # ssh -f -w 0:1 192.168.1.15 true
-           # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+           # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
+           # route add 10.0.99.0/24 10.1.1.2
+
+     On the server:
+
+           # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
+           # route add 10.0.50.0/24 10.1.1.1
 
      Client access may be more finely tuned via the /root/.ssh/authorized_keys
      file (see below) and the PermitRootLogin server option.  The following
-     entry would permit connections on the first tun(4) device from user
-     ``jane'' and on the second device from user ``john'', if PermitRootLogin
-     is set to ``forced-commands-only'':
+     entry would permit connections on tun(4) device 1 from user ``jane'' and
+     on tun device 2 from user ``john'', if PermitRootLogin is set to
+     ``forced-commands-only'':
 
        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-       tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
 
-     Since a SSH-based setup entails a fair amount of overhead, it may be more
-     suited to temporary setups, such as for wireless VPNs.  More permanent
-     VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).
+     Since an SSH-based setup entails a fair amount of overhead, it may be
+     more suited to temporary setups, such as for wireless VPNs.  More perma-
+     nent VPNs are better provided by tools such as ipsecctl(8) and
+     isakmpd(8).
 
 ENVIRONMENT
      ssh will normally set the following environment variables:
@@ -671,8 +686,8 @@ ENVIRONMENT
 
      TZ                    This variable is set to indicate the present time
                            zone if it was set when the daemon was started
-                           (i.e., the daemon passes the value on to new con-
-                           nections).
+                           (i.e. the daemon passes the value on to new connec-
+                           tions).
 
      USER                  Set to the name of the user logging in.
 
@@ -779,9 +794,33 @@ SEE ALSO
      scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
      tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
 
-     T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
-     Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
-     2002, work in progress material.
+     The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
+
+     The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
+
+     The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
+
+     The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
+
+     The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
+
+     Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
+     4255, 2006.
+
+     Generic Message Exchange Authentication for the Secure Shell Protocol
+     (SSH), RFC 4256, 2006.
+
+     The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
+
+     The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
+
+     Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
+     Protocol, RFC 4345, 2006.
+
+     Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
+     Protocol, RFC 4419, 2006.
+
+     The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
 
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -790,4 +829,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 3.9                   September 25, 1999                            12
+OpenBSD 4.1                   September 25, 1999                            13
diff --git a/ssh.1 b/ssh.1
index b1662d7ac..04326e654 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -78,7 +78,8 @@
 .Oc
 .Op Fl S Ar ctl_path
 .Bk -words
-.Op Fl w Ar tunnel : Ns Ar tunnel
+.Oo Fl w Ar local_tun Ns
+.Op : Ns Ar remote_tun Oc
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
 .Ek
@@ -450,6 +451,7 @@ For full details of the options listed below, and their possible values, see
 .It ControlPath
 .It DynamicForward
 .It EscapeChar
+.It ExitOnForwardFailure
 .It ForwardAgent
 .It ForwardX11
 .It ForwardX11Trusted
@@ -575,7 +577,7 @@ Disable pseudo-tty allocation.
 Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
-e.g., when implementing menu services.
+e.g. when implementing menu services.
 Multiple
 .Fl t
 options force tty allocation, even if
@@ -594,24 +596,35 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
-.It Fl w Ar tunnel : Ns Ar tunnel
-Requests a
+.It Fl w Xo
+.Ar local_tun Ns Op : Ns Ar remote_tun
+.Xc
+Requests
+tunnel
+device forwarding with the specified
 .Xr tun 4
-device on the client
-(first
-.Ar tunnel
-arg)
-and server
-(second
-.Ar tunnel
-arg).
+devices between the client
+.Pq Ar local_tun
+and the server
+.Pq Ar remote_tun .
+.Pp
 The devices may be specified by numerical ID or the keyword
 .Dq any ,
 which uses the next available tunnel device.
+If
+.Ar remote_tun
+is not specified, it defaults to
+.Dq any .
 See also the
 .Cm Tunnel
-directive in
+and
+.Cm TunnelDevice
+directives in
 .Xr ssh_config 5 .
+If the
+.Cm Tunnel
+directive is unset, it is set to the default tunnel mode, which is
+.Dq point-to-point .
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
@@ -672,6 +685,7 @@ Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
 The methods available for authentication are:
+GSSAPI-based authentication,
 host-based authentication,
 public key authentication,
 challenge-response authentication,
@@ -878,7 +892,9 @@ and
 options (see above).
 It also allows the cancellation of existing remote port-forwardings
 using
-.Fl KR Ar hostport .
+.Sm off
+.Fl KR Oo Ar bind_address : Oc Ar port .
+.Sm on
 .Ic !\& Ns Ar command
 allows the user to execute a local command if the
 .Ic PermitLocalCommand
@@ -1031,8 +1047,7 @@ In this example, we are connecting a client to a server,
 The SSHFP resource records should first be added to the zonefile for
 host.example.com:
 .Bd -literal -offset indent
-$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
-$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
+$ ssh-keygen -r host.example.com.
 .Ed
 .Pp
 The output lines will have to be added to the zonefile.
@@ -1068,12 +1083,22 @@ controls whether the server supports this,
 and at what level (layer 2 or 3 traffic).
 .Pp
 The following example would connect client network 10.0.50.0/24
-with remote network 10.0.99.0/24, provided that the SSH server
-running on the gateway to the remote network,
-at 192.168.1.15, allows it:
+with remote network 10.0.99.0/24 using a point-to-point connection
+from 10.1.1.1 to 10.1.1.2,
+provided that the SSH server running on the gateway to the remote network,
+at 192.168.1.15, allows it.
+.Pp
+On the client:
 .Bd -literal -offset indent
 # ssh -f -w 0:1 192.168.1.15 true
-# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
+# route add 10.0.99.0/24 10.1.1.2
+.Ed
+.Pp
+On the server:
+.Bd -literal -offset indent
+# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
+# route add 10.0.50.0/24 10.1.1.1
 .Ed
 .Pp
 Client access may be more finely tuned via the
@@ -1081,11 +1106,11 @@ Client access may be more finely tuned via the
 file (see below) and the
 .Cm PermitRootLogin
 server option.
-The following entry would permit connections on the first
+The following entry would permit connections on
 .Xr tun 4
-device from user
+device 1 from user
 .Dq jane
-and on the second device from user
+and on tun device 2 from user
 .Dq john ,
 if
 .Cm PermitRootLogin
@@ -1093,10 +1118,10 @@ is set to
 .Dq forced-commands-only :
 .Bd -literal -offset 2n
 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
 .Ed
 .Pp
-Since a SSH-based setup entails a fair amount of overhead,
+Since an SSH-based setup entails a fair amount of overhead,
 it may be more suited to temporary setups,
 such as for wireless VPNs.
 More permanent VPNs are better provided by tools such as
@@ -1184,7 +1209,7 @@ If the current session has no tty,
 this variable is not set.
 .It Ev TZ
 This variable is set to indicate the present time zone if it
-was set when the daemon was started (i.e., the daemon passes the value
+was set when the daemon was started (i.e. the daemon passes the value
 on to new connections).
 .It Ev USER
 Set to the name of the user logging in.
@@ -1348,15 +1373,64 @@ manual page for more information.
 .Xr ssh-keysign 8 ,
 .Xr sshd 8
 .Rs
-.%A T. Ylonen
-.%A T. Kivinen
-.%A M. Saarinen
-.%A T. Rinne
-.%A S. Lehtinen
-.%T "SSH Protocol Architecture"
-.%N draft-ietf-secsh-architecture-12.txt
-.%D January 2002
-.%O work in progress material
+.%R RFC 4250
+.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4251
+.%T "The Secure Shell (SSH) Protocol Architecture"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4252
+.%T "The Secure Shell (SSH) Authentication Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4253
+.%T "The Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4254
+.%T "The Secure Shell (SSH) Connection Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4256
+.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4335
+.%T "The Secure Shell (SSH) Session Channel Break Extension"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4344
+.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4345
+.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4419
+.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
+.%D 2006
+.Re
+.Rs
+.%R RFC 4716
+.%T "The Secure Shell (SSH) Public Key File Format"
+.%D 2006
 .Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
diff --git a/ssh.c b/ssh.c
index a86d0e17b..c75decc1b 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -40,20 +41,46 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $");
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#include <sys/resource.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
 
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
 #include "compat.h"
 #include "cipher.h"
-#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
-#include "bufaux.h"
 #include "channels.h"
 #include "key.h"
 #include "authfd.h"
@@ -72,6 +99,7 @@ RCSID("$OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $");
 #include "msg.h"
 #include "monitor_fdpass.h"
 #include "uidswap.h"
+#include "version.h"
 
 #ifdef SMARTCARD
 #include "scard.h"
@@ -162,7 +190,7 @@ usage(void)
 "           [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
 "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 "           [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-"           [-w tunnel:tunnel] [user@]hostname [command]\n"
+"           [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
         );
         exit(255);
 }
@@ -242,7 +270,7 @@ main(int ac, char **av)
         /* Parse command-line arguments. */
         host = NULL;
 
-again:
+ again:
         while ((opt = getopt(ac, av,
             "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
                 switch (opt) {
@@ -594,7 +622,7 @@ again:
                 if (!read_config_file(config, host, &options, 0))
                         fatal("Can't open user config file %.100s: "
                             "%.100s", config, strerror(errno));
-        } else  {
+        } else {
                 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
                     _PATH_SSH_USER_CONFFILE);
                 (void)read_config_file(buf, host, &options, 1);
@@ -624,7 +652,7 @@ again:
         if (options.host_key_alias != NULL) {
                 for (p = options.host_key_alias; *p; p++)
                         if (isupper(*p))
-                                *p = tolower(*p);
+                                *p = (char)tolower(*p);
         }
 
         /* Get default port if port has not been set. */
@@ -641,11 +669,15 @@ again:
                 options.control_path = NULL;
 
         if (options.control_path != NULL) {
+                char thishost[NI_MAXHOST];
+
+                if (gethostname(thishost, sizeof(thishost)) == -1)
+                        fatal("gethostname: %s", strerror(errno));
                 snprintf(buf, sizeof(buf), "%d", options.port);
                 cp = tilde_expand_filename(options.control_path,
                     original_real_uid);
                 options.control_path = percent_expand(cp, "p", buf, "h", host,
-                    "r", options.user, (char *)NULL);
+                    "r", options.user, "l", thishost, (char *)NULL);
                 xfree(cp);
         }
         if (mux_command != 0 && options.control_path == NULL)
@@ -678,16 +710,16 @@ again:
         if (options.rhosts_rsa_authentication ||
             options.hostbased_authentication) {
                 sensitive_data.nkeys = 3;
-                sensitive_data.keys = xmalloc(sensitive_data.nkeys *
+                sensitive_data.keys = xcalloc(sensitive_data.nkeys,
                     sizeof(Key));
 
                 PRIV_START;
                 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
-                    _PATH_HOST_KEY_FILE, "", NULL);
+                    _PATH_HOST_KEY_FILE, "", NULL, NULL);
                 sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
-                    _PATH_HOST_DSA_KEY_FILE, "", NULL);
+                    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
                 sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
-                    _PATH_HOST_RSA_KEY_FILE, "", NULL);
+                    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
                 PRIV_END;
 
                 if (options.hostbased_authentication == 1 &&
@@ -803,6 +835,8 @@ ssh_init_forwarding(void)
                     options.local_forwards[i].connect_port,
                     options.gateway_ports);
         }
+        if (i > 0 && success != i && options.exit_on_forward_failure)
+                fatal("Could not request local forwarding.");
         if (i > 0 && success == 0)
                 error("Could not request local forwarding.");
 
@@ -815,11 +849,17 @@ ssh_init_forwarding(void)
                     options.remote_forwards[i].listen_port,
                     options.remote_forwards[i].connect_host,
                     options.remote_forwards[i].connect_port);
-                channel_request_remote_forwarding(
+                if (channel_request_remote_forwarding(
                     options.remote_forwards[i].listen_host,
                     options.remote_forwards[i].listen_port,
                     options.remote_forwards[i].connect_host,
-                    options.remote_forwards[i].connect_port);
+                    options.remote_forwards[i].connect_port) < 0) {
+                        if (options.exit_on_forward_failure)
+                                fatal("Could not request remote forwarding.");
+                        else
+                                logit("Warning: Could not request remote "
+                                    "forwarding.");
+                }
         }
 }
 
@@ -880,10 +920,10 @@ ssh_session(void)
                 /* Store window size in the packet. */
                 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
                         memset(&ws, 0, sizeof(ws));
-                packet_put_int(ws.ws_row);
-                packet_put_int(ws.ws_col);
-                packet_put_int(ws.ws_xpixel);
-                packet_put_int(ws.ws_ypixel);
+                packet_put_int((u_int)ws.ws_row);
+                packet_put_int((u_int)ws.ws_col);
+                packet_put_int((u_int)ws.ws_xpixel);
+                packet_put_int((u_int)ws.ws_ypixel);
 
                 /* Store tty modes in the packet. */
                 tty_make_modes(fileno(stdin), NULL);
@@ -1001,9 +1041,16 @@ client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)
             options.remote_forwards[i].listen_port,
             options.remote_forwards[i].connect_host,
             options.remote_forwards[i].connect_port);
-        if (type == SSH2_MSG_REQUEST_FAILURE)
-                logit("Warning: remote port forwarding failed for listen "
-                    "port %d", options.remote_forwards[i].listen_port);
+        if (type == SSH2_MSG_REQUEST_FAILURE) {
+                if (options.exit_on_forward_failure)
+                        fatal("Error: remote port forwarding failed for "
+                            "listen port %d",
+                            options.remote_forwards[i].listen_port);
+                else
+                        logit("Warning: remote port forwarding failed for "
+                            "listen port %d",
+                            options.remote_forwards[i].listen_port);
+        }
 }
 
 static void
@@ -1032,7 +1079,7 @@ ssh_control_listener(void)
                 fatal("%s socket(): %s", __func__, strerror(errno));
 
         old_umask = umask(0177);
-        if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
+        if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
                 control_fd = -1;
                 if (errno == EINVAL || errno == EADDRINUSE)
                         fatal("ControlSocket %s already exists",
@@ -1184,15 +1231,16 @@ ssh_session2(void)
 static void
 load_public_identity_files(void)
 {
-        char *filename;
+        char *filename, *cp, thishost[NI_MAXHOST];
         int i = 0;
         Key *public;
+        struct passwd *pw;
 #ifdef SMARTCARD
         Key **keys;
 
         if (options.smartcard_device != NULL &&
             options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
-            (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
+            (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
                 int count = 0;
                 for (i = 0; keys[i] != NULL; i++) {
                         count++;
@@ -1210,9 +1258,18 @@ load_public_identity_files(void)
                 xfree(keys);
         }
 #endif /* SMARTCARD */
+        if ((pw = getpwuid(original_real_uid)) == NULL)
+                fatal("load_public_identity_files: getpwuid failed");
+        if (gethostname(thishost, sizeof(thishost)) == -1)
+                fatal("load_public_identity_files: gethostname: %s",
+                    strerror(errno));
         for (; i < options.num_identity_files; i++) {
-                filename = tilde_expand_filename(options.identity_files[i],
+                cp = tilde_expand_filename(options.identity_files[i],
                     original_real_uid);
+                filename = percent_expand(cp, "d", pw->pw_dir,
+                    "u", pw->pw_name, "l", thishost, "h", host,
+                    "r", options.user, (char *)NULL);
+                xfree(cp);
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
@@ -1238,14 +1295,14 @@ control_client_sigrelay(int signo)
 static int
 env_permitted(char *env)
 {
-        int i;
+        int i, ret;
         char name[1024], *cp;
 
-        strlcpy(name, env, sizeof(name));
-        if ((cp = strchr(name, '=')) == NULL)
+        if ((cp = strchr(env, '=')) == NULL || cp == env)
                 return (0);
-
-        *cp = '\0';
+        ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
+        if (ret <= 0 || (size_t)ret >= sizeof(name))
+                fatal("env_permitted: name '%.100s...' too long", env);
 
         for (i = 0; i < options.num_send_env; i++)
                 if (match_pattern(name, options.send_env[i]))
@@ -1290,29 +1347,29 @@ control_client(const char *path)
         if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
                 fatal("%s socket(): %s", __func__, strerror(errno));
 
-        if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) {
+        if (connect(sock, (struct sockaddr *)&addr, addr_len) == -1) {
                 if (mux_command != SSHMUX_COMMAND_OPEN) {
                         fatal("Control socket connect(%.100s): %s", path,
                             strerror(errno));
                 }
                 if (errno == ENOENT)
-                        debug("Control socket \"%.100s\" does not exist", path);
+                        debug("Control socket \"%.100s\" does not exist", path);
                 else {
-                        error("Control socket connect(%.100s): %s", path,
+                        error("Control socket connect(%.100s): %s", path,
                             strerror(errno));
                 }
-                close(sock);
-                return;
-        }
-
-        if (stdin_null_flag) {
-                if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
-                        fatal("open(/dev/null): %s", strerror(errno));
-                if (dup2(fd, STDIN_FILENO) == -1)
-                        fatal("dup2: %s", strerror(errno));
-                if (fd > STDERR_FILENO)
-                        close(fd);
-        }
+                close(sock);
+                return;
+        }
+
+        if (stdin_null_flag) {
+                if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
+                        fatal("open(/dev/null): %s", strerror(errno));
+                if (dup2(fd, STDIN_FILENO) == -1)
+                        fatal("dup2: %s", strerror(errno));
+                if (fd > STDERR_FILENO)
+                        close(fd);
+        }
 
         term = getenv("TERM");
 
diff --git a/ssh.h b/ssh.h
index 07592415b..186cfff96 100644
--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh.h,v 1.76 2004/12/06 11:41:03 dtucker Exp $        */
+/* $OpenBSD: ssh.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -12,18 +12,6 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-#ifndef SSH_H
-#define SSH_H
-
-#include <netinet/in.h> /* For struct sockaddr_in */
-#include <pwd.h> /* For struct pw */
-#include <stdarg.h> /* For va_list */
-#include <syslog.h> /* For LOG_AUTH and friends */
-#include <sys/socket.h> /* For struct sockaddr_storage */
-#ifdef HAVE_SYS_SELECT_H
-# include <sys/select.h>
-#endif
-
 /* Cipher used for encrypting authentication files. */
 #define SSH_AUTHFILE_CIPHER     SSH_CIPHER_3DES
 
@@ -112,5 +100,3 @@
 
 /* Listen backlog for sshd, ssh-agent and forwarding sockets */
 #define SSH_LISTEN_BACKLOG              128
-
-#endif                          /* SSH_H */
diff --git a/ssh1.h b/ssh1.h
index 1741c229a..353d93041 100644
--- a/ssh1.h
+++ b/ssh1.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh1.h,v 1.5 2004/10/20 11:48:53 markus Exp $ */
+/* $OpenBSD: ssh1.h,v 1.6 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/ssh2.h b/ssh2.h
index fb491c918..cf56bc4ee 100644
--- a/ssh2.h
+++ b/ssh2.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh2.h,v 1.9 2003/05/14 00:52:59 markus Exp $ */
+/* $OpenBSD: ssh2.h,v 1.10 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
diff --git a/ssh_config b/ssh_config
index 9a6614398..12bdb2b22 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
+#       $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -25,6 +25,10 @@ Host *
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
diff --git a/ssh_config.0 b/ssh_config.0
index 46a0543c3..2ca4ee31b 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -8,8 +8,9 @@ SYNOPSIS
      /etc/ssh/ssh_config
 
 DESCRIPTION
-     ssh obtains configuration data from the following sources in the follow-
-     ing order:
+     ssh(1) obtains configuration data from the following sources in the fol-
+     lowing order:
+
            1.   command-line options
            2.   user's configuration file (~/.ssh/config)
            3.   system-wide configuration file (/etc/ssh/ssh_config)
@@ -26,28 +27,29 @@ DESCRIPTION
 
      The configuration file has the following format:
 
-     Empty lines and lines starting with `#' are comments.
-
-     Otherwise a line is of the format ``keyword arguments''.  Configuration
-     options may be separated by whitespace or optional whitespace and exactly
-     one `='; the latter format is useful to avoid the need to quote whites-
-     pace when specifying configuration options using the ssh, scp and sftp -o
-     option.
+     Empty lines and lines starting with `#' are comments.  Otherwise a line
+     is of the format ``keyword arguments''.  Configuration options may be
+     separated by whitespace or optional whitespace and exactly one `='; the
+     latter format is useful to avoid the need to quote whitespace when speci-
+     fying configuration options using the ssh, scp, and sftp -o option.  Ar-
+     guments may optionally be enclosed in double quotes (") in order to rep-
+     resent arguments containing spaces.
 
      The possible keywords and their meanings are as follows (note that key-
      words are case-insensitive and arguments are case-sensitive):
 
      Host    Restricts the following declarations (up to the next Host key-
              word) to be only for those hosts that match one of the patterns
-             given after the keyword.  `*' and `?' can be used as wildcards in
-             the patterns.  A single `*' as a pattern can be used to provide
-             global defaults for all hosts.  The host is the hostname argument
-             given on the command line (i.e., the name is not converted to a
-             canonicalized host name before matching).
+             given after the keyword.  A single `*' as a pattern can be used
+             to provide global defaults for all hosts.  The host is the
+             hostname argument given on the command line (i.e. the name is not
+             converted to a canonicalized host name before matching).
+
+             See PATTERNS for more information on patterns.
 
      AddressFamily
              Specifies which address family to use when connecting.  Valid ar-
-             guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use
+             guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
              IPv6 only).
 
      BatchMode
@@ -63,23 +65,23 @@ DESCRIPTION
              UsePrivilegedPort is set to ``yes''.
 
      ChallengeResponseAuthentication
-             Specifies whether to use challenge response authentication.  The
+             Specifies whether to use challenge-response authentication.  The
              argument to this keyword must be ``yes'' or ``no''.  The default
              is ``yes''.
 
      CheckHostIP
-             If this flag is set to ``yes'', ssh will additionally check the
-             host IP address in the known_hosts file.  This allows ssh to de-
-             tect if a host key changed due to DNS spoofing.  If the option is
-             set to ``no'', the check will not be executed.  The default is
+             If this flag is set to ``yes'', ssh(1) will additionally check
+             the host IP address in the known_hosts file.  This allows ssh to
+             detect if a host key changed due to DNS spoofing.  If the option
+             is set to ``no'', the check will not be executed.  The default is
              ``yes''.
 
      Cipher  Specifies the cipher to use for encrypting the session in proto-
              col version 1.  Currently, ``blowfish'', ``3des'', and ``des''
-             are supported.  des is only supported in the ssh client for in-
-             teroperability with legacy protocol 1 implementations that do not
-             support the 3des cipher.  Its use is strongly discouraged due to
-             cryptographic weaknesses.  The default is ``3des''.
+             are supported.  des is only supported in the ssh(1) client for
+             interoperability with legacy protocol 1 implementations that do
+             not support the 3des cipher.  Its use is strongly discouraged due
+             to cryptographic weaknesses.  The default is ``3des''.
 
      Ciphers
              Specifies the ciphers allowed for protocol version 2 in order of
@@ -87,19 +89,19 @@ DESCRIPTION
              ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
              ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
              ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
-             and ``cast128-cbc''.  The default is
+             and ``cast128-cbc''.  The default is:
 
-               ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-                 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-                 aes192-ctr,aes256-ctr''
+                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+                arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+                aes192-ctr,aes256-ctr
 
      ClearAllForwardings
-             Specifies that all local, remote and dynamic port forwardings
+             Specifies that all local, remote, and dynamic port forwardings
              specified in the configuration files or on the command line be
-             cleared.  This option is primarily useful when used from the ssh
-             command line to clear port forwardings set in configuration
-             files, and is automatically set by scp(1) and sftp(1).  The argu-
-             ment must be ``yes'' or ``no''.  The default is ``no''.
+             cleared.  This option is primarily useful when used from the
+             ssh(1) command line to clear port forwardings set in configura-
+             tion files, and is automatically set by scp(1) and sftp(1).  The
+             argument must be ``yes'' or ``no''.  The default is ``no''.
 
      Compression
              Specifies whether to use compression.  The argument must be
@@ -119,16 +121,16 @@ DESCRIPTION
 
      ConnectTimeout
              Specifies the timeout (in seconds) used when connecting to the
-             ssh server, instead of using the default system TCP timeout.
+             SSH server, instead of using the default system TCP timeout.
              This value is used only when the target is down or really un-
              reachable, not when it refuses the connection.
 
      ControlMaster
              Enables the sharing of multiple sessions over a single network
-             connection.  When set to ``yes'' ssh will listen for connections
-             on a control socket specified using the ControlPath argument.
-             Additional sessions can connect to this socket using the same
-             ControlPath with ControlMaster set to ``no'' (the default).
+             connection.  When set to ``yes'', ssh(1) will listen for connec-
+             tions on a control socket specified using the ControlPath argu-
+             ment.  Additional sessions can connect to this socket using the
+             same ControlPath with ControlMaster set to ``no'' (the default).
              These sessions will try to reuse the master instance's network
              connection rather than initiating new ones, but will fall back to
              connecting normally if the control socket does not exist, or is
@@ -137,7 +139,7 @@ DESCRIPTION
              Setting this to ``ask'' will cause ssh to listen for control con-
              nections, but require confirmation using the SSH_ASKPASS program
              before they are accepted (see ssh-add(1) for details).  If the
-             ControlPath can not be opened, ssh will continue without connect-
+             ControlPath cannot be opened, ssh will continue without connect-
              ing to a master instance.
 
              X11 and ssh-agent(1) forwarding is supported over these multi-
@@ -154,12 +156,12 @@ DESCRIPTION
      ControlPath
              Specify the path to the control socket used for connection shar-
              ing as described in the ControlMaster section above or the string
-             ``none'' to disable connection sharing.  In the path, `%h' will
-             be substituted by the target host name, `%p' the port and `%r' by
-             the remote login username.  It is recommended that any
-             ControlPath used for opportunistic connection sharing include all
-             three of these escape sequences.  This ensures that shared con-
-             nections are uniquely identified.
+             ``none'' to disable connection sharing.  In the path, `%l' will
+             be substituted by the local host name, `%h' will be substituted
+             by the target host name, `%p' the port, and `%r' by the remote
+             login username.  It is recommended that any ControlPath used for
+             opportunistic connection sharing include at least %h, %p, and %r.
+             This ensures that shared connections are uniquely identified.
 
      DynamicForward
              Specifies that a TCP port on the local machine be forwarded over
@@ -176,9 +178,9 @@ DESCRIPTION
              while an empty address or `*' indicates that the port should be
              available from all interfaces.
 
-             Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh
-             will act as a SOCKS server.  Multiple forwardings may be speci-
-             fied, and additional forwardings can be given on the command
+             Currently the SOCKS4 and SOCKS5 protocols are supported, and
+             ssh(1) will act as a SOCKS server.  Multiple forwardings may be
+             specified, and additional forwardings can be given on the command
              line.  Only the superuser can forward privileged ports.
 
      EnableSSHKeysign
@@ -196,6 +198,12 @@ DESCRIPTION
              able the escape character entirely (making the connection trans-
              parent for binary data).
 
+     ExitOnForwardFailure
+             Specifies whether ssh(1) should terminate the connection if it
+             cannot set up all requested dynamic, local, and remote port for-
+             wardings.  The argument must be ``yes'' or ``no''.  The default
+             is ``no''.
+
      ForwardAgent
              Specifies whether the connection to the authentication agent (if
              any) will be forwarded to the remote machine.  The argument must
@@ -222,15 +230,14 @@ DESCRIPTION
              ForwardX11Trusted option is also enabled.
 
      ForwardX11Trusted
-             If this option is set to ``yes'' then remote X11 clients will
-             have full access to the original X11 display.
+             If this option is set to ``yes'', remote X11 clients will have
+             full access to the original X11 display.
 
-             If this option is set to ``no'' then remote X11 clients will be
-             considered untrusted and prevented from stealing or tampering
-             with data belonging to trusted X11 clients.  Furthermore, the
-             xauth(1) token used for the session will be set to expire after
-             20 minutes.  Remote clients will be refused access after this
-             time.
+             If this option is set to ``no'', remote X11 clients will be con-
+             sidered untrusted and prevented from stealing or tampering with
+             data belonging to trusted X11 clients.  Furthermore, the xauth(1)
+             token used for the session will be set to expire after 20 min-
+             utes.  Remote clients will be refused access after this time.
 
              The default is ``no''.
 
@@ -239,12 +246,13 @@ DESCRIPTION
 
      GatewayPorts
              Specifies whether remote hosts are allowed to connect to local
-             forwarded ports.  By default, ssh binds local port forwardings to
-             the loopback address.  This prevents other remote hosts from con-
-             necting to forwarded ports.  GatewayPorts can be used to specify
-             that ssh should bind local port forwardings to the wildcard ad-
-             dress, thus allowing remote hosts to connect to forwarded ports.
-             The argument must be ``yes'' or ``no''.  The default is ``no''.
+             forwarded ports.  By default, ssh(1) binds local port forwardings
+             to the loopback address.  This prevents other remote hosts from
+             connecting to forwarded ports.  GatewayPorts can be used to spec-
+             ify that ssh should bind local port forwardings to the wildcard
+             address, thus allowing remote hosts to connect to forwarded
+             ports.  The argument must be ``yes'' or ``no''.  The default is
+             ``no''.
 
      GlobalKnownHostsFile
              Specifies a file to use for the global host key database instead
@@ -261,13 +269,13 @@ DESCRIPTION
              ly.
 
      HashKnownHosts
-             Indicates that ssh should hash host names and addresses when they
-             are added to ~/.ssh/known_hosts.  These hashed names may be used
-             normally by ssh and sshd, but they do not reveal identifying in-
-             formation should the file's contents be disclosed.  The default
-             is ``no''.  Note that hashing of names and addresses will not be
-             retrospectively applied to existing known hosts files, but these
-             may be manually hashed using ssh-keygen(1).
+             Indicates that ssh(1) should hash host names and addresses when
+             they are added to ~/.ssh/known_hosts.  These hashed names may be
+             used normally by ssh(1) and sshd(8), but they do not reveal iden-
+             tifying information should the file's contents be disclosed.  The
+             default is ``no''.  Note that existing names and addresses in
+             known hosts files will not be converted automatically, but may be
+             manually hashed using ssh-keygen(1).
 
      HostbasedAuthentication
              Specifies whether to try rhosts based authentication with public
@@ -283,19 +291,19 @@ DESCRIPTION
      HostKeyAlias
              Specifies an alias that should be used instead of the real host
              name when looking up or saving the host key in the host key
-             database files.  This option is useful for tunneling ssh connec-
+             database files.  This option is useful for tunneling SSH connec-
              tions or for multiple servers running on a single host.
 
      HostName
              Specifies the real host name to log into.  This can be used to
-             specify nicknames or abbreviations for hosts.  Default is the
+             specify nicknames or abbreviations for hosts.  The default is the
              name given on the command line.  Numeric IP addresses are also
              permitted (both on the command line and in HostName specifica-
              tions).
 
      IdentitiesOnly
-             Specifies that ssh should only use the authentication identity
-             files configured in the ssh_config files, even if the ssh-agent
+             Specifies that ssh(1) should only use the authentication identity
+             files configured in the ssh_config files, even if ssh-agent(1)
              offers more identities.  The argument to this keyword must be
              ``yes'' or ``no''.  This option is intended for situations where
              ssh-agent offers many different identities.  The default is
@@ -306,15 +314,23 @@ DESCRIPTION
              identity is read.  The default is ~/.ssh/identity for protocol
              version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
              sion 2.  Additionally, any identities represented by the authen-
-             tication agent will be used for authentication.  The file name
-             may use the tilde syntax to refer to a user's home directory.  It
-             is possible to have multiple identity files specified in configu-
-             ration files; all these identities will be tried in sequence.
+             tication agent will be used for authentication.
+
+             The file name may use the tilde syntax to refer to a user's home
+             directory or one of the following escape characters: `%d' (local
+             user's home directory), `%u' (local user name), `%l' (local host
+             name), `%h' (remote host name) or `%r' (remote user name).
+
+             It is possible to have multiple identity files specified in con-
+             figuration files; all these identities will be tried in sequence.
 
      KbdInteractiveDevices
              Specifies the list of methods to use in keyboard-interactive au-
              thentication.  Multiple method names must be comma-separated.
-             The default is to use the server specified list.
+             The default is to use the server specified list.  The methods
+             available vary depending on what the server supports.  For an
+             OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
+             and ``skey''.
 
      LocalCommand
              Specifies a command to execute on the local machine after suc-
@@ -341,15 +357,15 @@ DESCRIPTION
 
      LogLevel
              Gives the verbosity level that is used when logging messages from
-             ssh.  The possible values are: QUIET, FATAL, ERROR, INFO, VER-
-             BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
+             ssh(1).  The possible values are: QUIET, FATAL, ERROR, INFO, VER-
+             BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
              DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
              higher levels of verbose output.
 
      MACs    Specifies the MAC (message authentication code) algorithms in or-
              der of preference.  The MAC algorithm is used in protocol version
              2 for data integrity protection.  Multiple algorithms must be
-             comma-separated.  The default is ``hmac-md5,hmac-sha1,hmac-
+             comma-separated.  The default is: ``hmac-md5,hmac-sha1,hmac-
              ripemd160,hmac-sha1-96,hmac-md5-96''.
 
      NoHostAuthenticationForLocalhost
@@ -363,7 +379,7 @@ DESCRIPTION
 
      NumberOfPasswordPrompts
              Specifies the number of password prompts before giving up.  The
-             argument to this keyword must be an integer.  Default is 3.
+             argument to this keyword must be an integer.  The default is 3.
 
      PasswordAuthentication
              Specifies whether to use password authentication.  The argument
@@ -375,20 +391,20 @@ DESCRIPTION
              ing the !command escape sequence in ssh(1).  The argument must be
              ``yes'' or ``no''.  The default is ``no''.
 
-     Port    Specifies the port number to connect on the remote host.  Default
-             is 22.
+     Port    Specifies the port number to connect on the remote host.  The de-
+             fault is 22.
 
      PreferredAuthentications
              Specifies the order in which the client should try protocol 2 au-
              thentication methods.  This allows a client to prefer one method
              (e.g. keyboard-interactive) over another method (e.g. password)
-             The default for this option is: ``hostbased,publickey,keyboard-
-             interactive,password''.
+             The default for this option is: ``gssapi-with-mic,hostbased,
+             publickey, keyboard-interactive, password''.
 
      Protocol
-             Specifies the protocol versions ssh should support in order of
-             preference.  The possible values are ``1'' and ``2''.  Multiple
-             versions must be comma-separated.  The default is ``2,1''.  This
+             Specifies the protocol versions ssh(1) should support in order of
+             preference.  The possible values are `1' and `2'.  Multiple ver-
+             sions must be comma-separated.  The default is ``2,1''.  This
              means that ssh tries version 2 and falls back to version 1 if
              version 2 is not available.
 
@@ -422,8 +438,8 @@ DESCRIPTION
              fore the session key is renegotiated.  The argument is the number
              of bytes, with an optional suffix of `K', `M', or `G' to indicate
              Kilobytes, Megabytes, or Gigabytes, respectively.  The default is
-             between ``1G'' and ``4G'', depending on the cipher.  This option
-             applies to protocol version 2 only.
+             between `1G' and `4G', depending on the cipher.  This option ap-
+             plies to protocol version 2 only.
 
      RemoteForward
              Specifies that a TCP port on the remote machine be forwarded over
@@ -446,7 +462,7 @@ DESCRIPTION
              Specifies whether to try rhosts based authentication with RSA
              host authentication.  The argument must be ``yes'' or ``no''.
              The default is ``no''.  This option applies to protocol version 1
-             only and requires ssh to be setuid root.
+             only and requires ssh(1) to be setuid root.
 
      RSAAuthentication
              Specifies whether to try RSA authentication.  The argument to
@@ -458,21 +474,23 @@ DESCRIPTION
      SendEnv
              Specifies what variables from the local environ(7) should be sent
              to the server.  Note that environment passing is only supported
-             for protocol 2, the server must also support it, and the server
+             for protocol 2.  The server must also support it, and the server
              must be configured to accept these environment variables.  Refer
              to AcceptEnv in sshd_config(5) for how to configure the server.
-             Variables are specified by name, which may contain the wildcard
-             characters `*' and `?'.  Multiple environment variables may be
-             separated by whitespace or spread across multiple SendEnv direc-
-             tives.  The default is not to send any environment variables.
+             Variables are specified by name, which may contain wildcard char-
+             acters.  Multiple environment variables may be separated by
+             whitespace or spread across multiple SendEnv directives.  The de-
+             fault is not to send any environment variables.
+
+             See PATTERNS for more information on patterns.
 
      ServerAliveCountMax
              Sets the number of server alive messages (see below) which may be
-             sent without ssh receiving any messages back from the server.  If
-             this threshold is reached while server alive messages are being
-             sent, ssh will disconnect from the server, terminating the ses-
-             sion.  It is important to note that the use of server alive mes-
-             sages is very different from TCPKeepAlive (below).  The server
+             sent without ssh(1) receiving any messages back from the server.
+             If this threshold is reached while server alive messages are be-
+             ing sent, ssh will disconnect from the server, terminating the
+             session.  It is important to note that the use of server alive
+             messages is very different from TCPKeepAlive (below).  The server
              alive messages are sent through the encrypted channel and there-
              fore will not be spoofable.  The TCP keepalive option enabled by
              TCPKeepAlive is spoofable.  The server alive mechanism is valu-
@@ -480,39 +498,41 @@ DESCRIPTION
              tion has become inactive.
 
              The default value is 3.  If, for example, ServerAliveInterval
-             (see below) is set to 15, and ServerAliveCountMax is left at the
-             default, if the server becomes unresponsive ssh will disconnect
-             after approximately 45 seconds.
+             (see below) is set to 15 and ServerAliveCountMax is left at the
+             default, if the server becomes unresponsive, ssh will disconnect
+             after approximately 45 seconds.  This option applies to protocol
+             version 2 only.
 
      ServerAliveInterval
              Sets a timeout interval in seconds after which if no data has
-             been received from the server, ssh will send a message through
+             been received from the server, ssh(1) will send a message through
              the encrypted channel to request a response from the server.  The
              default is 0, indicating that these messages will not be sent to
              the server.  This option applies to protocol version 2 only.
 
      SmartcardDevice
              Specifies which smartcard device to use.  The argument to this
-             keyword is the device ssh should use to communicate with a smart-
-             card used for storing the user's private RSA key.  By default, no
-             device is specified and smartcard support is not activated.
+             keyword is the device ssh(1) should use to communicate with a
+             smartcard used for storing the user's private RSA key.  By de-
+             fault, no device is specified and smartcard support is not acti-
+             vated.
 
      StrictHostKeyChecking
-             If this flag is set to ``yes'', ssh will never automatically add
-             host keys to the ~/.ssh/known_hosts file, and refuses to connect
-             to hosts whose host key has changed.  This provides maximum pro-
-             tection against trojan horse attacks, however, can be annoying
-             when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
-             connections to new hosts are frequently made.  This option forces
-             the user to manually add all new hosts.  If this flag is set to
-             ``no'', ssh will automatically add new host keys to the user
-             known hosts files.  If this flag is set to ``ask'', new host keys
-             will be added to the user known host files only after the user
-             has confirmed that is what they really want to do, and ssh will
-             refuse to connect to hosts whose host key has changed.  The host
-             keys of known hosts will be verified automatically in all cases.
-             The argument must be ``yes'', ``no'' or ``ask''.  The default is
-             ``ask''.
+             If this flag is set to ``yes'', ssh(1) will never automatically
+             add host keys to the ~/.ssh/known_hosts file, and refuses to con-
+             nect to hosts whose host key has changed.  This provides maximum
+             protection against trojan horse attacks, though it can be annoy-
+             ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
+             or when connections to new hosts are frequently made.  This op-
+             tion forces the user to manually add all new hosts.  If this flag
+             is set to ``no'', ssh will automatically add new host keys to the
+             user known hosts files.  If this flag is set to ``ask'', new host
+             keys will be added to the user known host files only after the
+             user has confirmed that is what they really want to do, and ssh
+             will refuse to connect to hosts whose host key has changed.  The
+             host keys of known hosts will be verified automatically in all
+             cases.  The argument must be ``yes'', ``no'', or ``ask''.  The
+             default is ``ask''.
 
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
@@ -528,22 +548,27 @@ DESCRIPTION
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
-     Tunnel  Request starting tun(4) device forwarding between the client and
-             the server.  This option also allows requesting layer 2 (ether-
-             net) instead of layer 3 (point-to-point) tunneling from the serv-
-             er.  The argument must be ``yes'', ``point-to-point'',
-             ``ethernet'' or ``no''.  The default is ``no''.
+     Tunnel  Request tun(4) device forwarding between the client and the serv-
+             er.  The argument must be ``yes'', ``point-to-point'' (layer 3),
+             ``ethernet'' (layer 2), or ``no''.  Specifying ``yes'' requests
+             the default tunnel mode, which is ``point-to-point''.  The de-
+             fault is ``no''.
 
      TunnelDevice
-             Force a specified tun(4) device on the client.  Without this op-
-             tion, the next available device will be used.
+             Specifies the tun(4) devices to open on the client (local_tun)
+             and the server (remote_tun).
+
+             The argument must be local_tun[:remote_tun].  The devices may be
+             specified by numerical ID or the keyword ``any'', which uses the
+             next available tunnel device.  If remote_tun is not specified, it
+             defaults to ``any''.  The default is ``any:any''.
 
      UsePrivilegedPort
              Specifies whether to use a privileged port for outgoing connec-
              tions.  The argument must be ``yes'' or ``no''.  The default is
-             ``no''.  If set to ``yes'' ssh must be setuid root.  Note that
-             this option must be set to ``yes'' for RhostsRSAAuthentication
-             with older servers.
+             ``no''.  If set to ``yes'', ssh(1) must be setuid root.  Note
+             that this option must be set to ``yes'' for
+             RhostsRSAAuthentication with older servers.
 
      User    Specifies the user to log in as.  This can be useful when a dif-
              ferent user name is used on different machines.  This saves the
@@ -562,18 +587,42 @@ DESCRIPTION
              set to ``ask''.  If this option is set to ``ask'', information on
              fingerprint match will be displayed, but the user will still need
              to confirm new host keys according to the StrictHostKeyChecking
-             option.  The argument must be ``yes'', ``no'' or ``ask''.  The
+             option.  The argument must be ``yes'', ``no'', or ``ask''.  The
              default is ``no''.  Note that this option applies to protocol
              version 2 only.
 
+             See also VERIFYING HOST KEYS in ssh(1).
+
      XAuthLocation
              Specifies the full pathname of the xauth(1) program.  The default
              is /usr/X11R6/bin/xauth.
 
+PATTERNS
+     A pattern consists of zero or more non-whitespace characters, `*' (a
+     wildcard that matches zero or more characters), or `?' (a wildcard that
+     matches exactly one character).  For example, to specify a set of decla-
+     rations for any host in the ``.co.uk'' set of domains, the following pat-
+     tern could be used:
+
+           Host *.co.uk
+
+     The following pattern would match any host in the 192.168.0.[0-9] network
+     range:
+
+           Host 192.168.0.?
+
+     A pattern-list is a comma-separated list of patterns.  Patterns within
+     pattern-lists may be negated by preceding them with an exclamation mark
+     (`!').  For example, to allow a key to be used from anywhere within an
+     organisation except from the ``dialup'' pool, the following entry (in au-
+     thorized_keys) could be used:
+
+           from="!*.dialup.example.com,*.example.com"
+
 FILES
      ~/.ssh/config
              This is the per-user configuration file.  The format of this file
-             is described above.  This file is used by the ssh client.  Be-
+             is described above.  This file is used by the SSH client.  Be-
              cause of the potential for abuse, this file must have strict per-
              missions: read/write for the user, and not accessible by others.
 
@@ -593,4 +642,4 @@ AUTHORS
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 3.9                   September 25, 1999                             9
+OpenBSD 4.1                   September 25, 1999                            10
diff --git a/ssh_config.5 b/ssh_config.5
index 979f9282f..4c46c62cb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -42,14 +42,13 @@
 .Nm ssh_config
 .Nd OpenSSH SSH client configuration files
 .Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/config
-.It Pa /etc/ssh/ssh_config
-.El
+.Nm ~/.ssh/config
+.Nm /etc/ssh/ssh_config
 .Sh DESCRIPTION
-.Nm ssh
+.Xr ssh 1
 obtains configuration data from the following sources in
 the following order:
+.Pp
 .Bl -enum -offset indent -compact
 .It
 command-line options
@@ -78,7 +77,6 @@ The configuration file has the following format:
 Empty lines and lines starting with
 .Ql #
 are comments.
-.Pp
 Otherwise a line is of the format
 .Dq keyword arguments .
 Configuration options may be separated by whitespace or
@@ -87,11 +85,14 @@ optional whitespace and exactly one
 the latter format is useful to avoid the need to quote whitespace
 when specifying configuration options using the
 .Nm ssh ,
-.Nm scp
+.Nm scp ,
 and
 .Nm sftp
 .Fl o
 option.
+Arguments may optionally be enclosed in double quotes
+.Pq \&"
+in order to represent arguments containing spaces.
 .Pp
 The possible
 keywords and their meanings are as follows (note that
@@ -102,25 +103,24 @@ Restricts the following declarations (up to the next
 .Cm Host
 keyword) to be only for those hosts that match one of the patterns
 given after the keyword.
-.Ql \&*
-and
-.Ql \&?
-can be used as wildcards in the
-patterns.
 A single
-.Ql \&*
+.Ql *
 as a pattern can be used to provide global
 defaults for all hosts.
 The host is the
 .Ar hostname
-argument given on the command line (i.e., the name is not converted to
+argument given on the command line (i.e. the name is not converted to
 a canonicalized host name before matching).
+.Pp
+See
+.Sx PATTERNS
+for more information on patterns.
 .It Cm AddressFamily
 Specifies which address family to use when connecting.
 Valid arguments are
 .Dq any ,
 .Dq inet
-(use IPv4 only) or
+(use IPv4 only), or
 .Dq inet6
 (use IPv6 only).
 .It Cm BatchMode
@@ -134,8 +134,7 @@ and
 options will both be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
 is present to supply the password,
-and where it is desirable to detect a
-broken network swiftly.
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -151,7 +150,7 @@ Note that this option does not work if
 is set to
 .Dq yes .
 .It Cm ChallengeResponseAuthentication
-Specifies whether to use challenge response authentication.
+Specifies whether to use challenge-response authentication.
 The argument to this keyword must be
 .Dq yes
 or
@@ -161,7 +160,8 @@ The default is
 .It Cm CheckHostIP
 If this flag is set to
 .Dq yes ,
-ssh will additionally check the host IP address in the
+.Xr ssh 1
+will additionally check the host IP address in the
 .Pa known_hosts
 file.
 This allows ssh to detect if a host key changed due to DNS spoofing.
@@ -181,7 +181,7 @@ and
 are supported.
 .Ar des
 is only supported in the
-.Nm ssh
+.Xr ssh 1
 client for interoperability with legacy protocol 1 implementations
 that do not support the
 .Ar 3des
@@ -207,18 +207,18 @@ The supported ciphers are
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
-The default is
-.Bd -literal
-  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-    aes192-ctr,aes256-ctr''
+The default is:
+.Bd -literal -offset 3n
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes192-ctr,aes256-ctr
 .Ed
 .It Cm ClearAllForwardings
-Specifies that all local, remote and dynamic port forwardings
+Specifies that all local, remote, and dynamic port forwardings
 specified in the configuration files or on the command line be
 cleared.
 This option is primarily useful when used from the
-.Nm ssh
+.Xr ssh 1
 command line to clear port forwardings set in
 configuration files, and is automatically set by
 .Xr scp 1
@@ -251,15 +251,15 @@ The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
 The default is 1.
 .It Cm ConnectTimeout
-Specifies the timeout (in seconds) used when connecting to the ssh
-server, instead of using the default system TCP timeout.
+Specifies the timeout (in seconds) used when connecting to the
+SSH server, instead of using the default system TCP timeout.
 This value is used only when the target is down or really unreachable,
 not when it refuses the connection.
 .It Cm ControlMaster
 Enables the sharing of multiple sessions over a single network connection.
 When set to
-.Dq yes
-.Nm ssh
+.Dq yes ,
+.Xr ssh 1
 will listen for connections on a control socket specified using the
 .Cm ControlPath
 argument.
@@ -276,8 +276,7 @@ if the control socket does not exist, or is not listening.
 .Pp
 Setting this to
 .Dq ask
-will cause
-.Nm ssh
+will cause ssh
 to listen for control connections, but require confirmation using the
 .Ev SSH_ASKPASS
 program before they are accepted (see
@@ -285,9 +284,8 @@ program before they are accepted (see
 for details).
 If the
 .Cm ControlPath
-can not be opened,
-.Nm ssh
-will continue without connecting to a master instance.
+cannot be opened,
+ssh will continue without connecting to a master instance.
 .Pp
 X11 and
 .Xr ssh-agent 1
@@ -313,16 +311,18 @@ section above or the string
 .Dq none
 to disable connection sharing.
 In the path,
+.Ql %l
+will be substituted by the local host name,
 .Ql %h
 will be substituted by the target host name,
 .Ql %p
-the port and
+the port, and
 .Ql %r
 by the remote login username.
 It is recommended that any
 .Cm ControlPath
 used for opportunistic connection sharing include
-all three of these escape sequences.
+at least %h, %p, and %r.
 This ensures that shared connections are uniquely identified.
 .It Cm DynamicForward
 Specifies that a TCP port on the local machine be forwarded
@@ -353,7 +353,7 @@ empty address or
 indicates that the port should be available from all interfaces.
 .Pp
 Currently the SOCKS4 and SOCKS5 protocols are supported, and
-.Nm ssh
+.Xr ssh 1
 will act as a SOCKS server.
 Multiple forwardings may be specified, and
 additional forwardings can be given on the command line.
@@ -389,6 +389,17 @@ followed by a letter, or
 to disable the escape
 character entirely (making the connection transparent for binary
 data).
+.It Cm ExitOnForwardFailure
+Specifies whether
+.Xr ssh 1
+should terminate the connection if it cannot set up all requested
+dynamic, local, and remote port forwardings.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
@@ -428,12 +439,12 @@ if the
 option is also enabled.
 .It Cm ForwardX11Trusted
 If this option is set to
-.Dq yes
-then remote X11 clients will have full access to the original X11 display.
+.Dq yes ,
+remote X11 clients will have full access to the original X11 display.
 .Pp
 If this option is set to
-.Dq no
-then remote X11 clients will be considered untrusted and prevented
+.Dq no ,
+remote X11 clients will be considered untrusted and prevented
 from stealing or tampering with data belonging to trusted X11
 clients.
 Furthermore, the
@@ -451,12 +462,11 @@ the restrictions imposed on untrusted clients.
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
 By default,
-.Nm ssh
+.Xr ssh 1
 binds local port forwardings to the loopback address.
 This prevents other remote hosts from connecting to forwarded ports.
 .Cm GatewayPorts
-can be used to specify that
-.Nm ssh
+can be used to specify that ssh
 should bind local port forwardings to the wildcard address,
 thus allowing remote hosts to connect to forwarded ports.
 The argument must be
@@ -474,6 +484,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
@@ -481,29 +497,31 @@ The default is
 Note that this option applies to protocol version 2 only.
 .It Cm GSSAPITrustDns
 Set to 
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
+.Dq yes 
+to indicate that the DNS is trusted to securely canonicalize
 the name of the host being connected to. If 
-.Dq no, the hostname entered on the
+.Dq no , 
+the hostname entered on the
 command line will be passed untouched to the GSSAPI library.
 The default is
 .Dq no .
-This option only applies to protocol version 2 connections using GSSAPI 
-key exchange.
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
-.Nm ssh
+.Xr ssh 1
 should hash host names and addresses when they are added to
 .Pa ~/.ssh/known_hosts .
 These hashed names may be used normally by
-.Nm ssh
+.Xr ssh 1
 and
-.Nm sshd ,
+.Xr sshd 8 ,
 but they do not reveal identifying information should the file's contents
 be disclosed.
 The default is
 .Dq no .
-Note that hashing of names and addresses will not be retrospectively applied
-to existing known hosts files, but these may be manually hashed using
+Note that existing names and addresses in known hosts files
+will not be converted automatically,
+but may be manually hashed using
 .Xr ssh-keygen 1 .
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
@@ -526,30 +544,29 @@ The default for this option is:
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
 in the host key database files.
-This option is useful for tunneling ssh connections
+This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
-Default is the name given on the command line.
+The default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
 specifications).
 .It Cm IdentitiesOnly
 Specifies that
-.Nm ssh
+.Xr ssh 1
 should only use the authentication identity files configured in the
 .Nm
 files,
-even if the
-.Nm ssh-agent
+even if
+.Xr ssh-agent 1
 offers more identities.
 The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
-This option is intended for situations where
-.Nm ssh-agent
+This option is intended for situations where ssh-agent
 offers many different identities.
 The default is
 .Dq no .
@@ -565,8 +582,21 @@ and
 for protocol version 2.
 Additionally, any identities represented by the authentication agent
 will be used for authentication.
+.Pp
 The file name may use the tilde
-syntax to refer to a user's home directory.
+syntax to refer to a user's home directory or one of the following
+escape characters:
+.Ql %d
+(local user's home directory),
+.Ql %u
+(local user name),
+.Ql %l
+(local host name),
+.Ql %h
+(remote host name) or
+.Ql %r
+(remote user name).
+.Pp
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
@@ -574,6 +604,13 @@ identities will be tried in sequence.
 Specifies the list of methods to use in keyboard-interactive authentication.
 Multiple method names must be comma-separated.
 The default is to use the server specified list.
+The methods available vary depending on what the server supports.
+For an OpenSSH server,
+it may be zero or more of:
+.Dq bsdauth ,
+.Dq pam ,
+and
+.Dq skey .
 .It Cm LocalCommand
 Specifies a command to execute on the local machine after successfully
 connecting to the server.
@@ -615,9 +652,9 @@ empty address or
 indicates that the port should be available from all interfaces.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
-.Nm ssh .
+.Xr ssh 1 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
@@ -627,7 +664,7 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
-The default is
+The default is:
 .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
 .It Cm NoHostAuthenticationForLocalhost
 This option can be used if the home directory is shared across machines.
@@ -642,7 +679,7 @@ The default is to check the host key for localhost.
 .It Cm NumberOfPasswordPrompts
 Specifies the number of password prompts before giving up.
 The argument to this keyword must be an integer.
-Default is 3.
+The default is 3.
 .It Cm PasswordAuthentication
 Specifies whether to use password authentication.
 The argument to this keyword must be
@@ -666,7 +703,7 @@ The default is
 .Dq no .
 .It Cm Port
 Specifies the port number to connect on the remote host.
-Default is 22.
+The default is 22.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
 authentication methods.
@@ -675,20 +712,24 @@ This allows a client to prefer one method (e.g.\&
 over another method (e.g.\&
 .Cm password )
 The default for this option is:
-.Dq hostbased,publickey,keyboard-interactive,password .
+.Do gssapi-with-mic ,
+hostbased,
+publickey,
+keyboard-interactive,
+password
+.Dc .
 .It Cm Protocol
 Specifies the protocol versions
-.Nm ssh
+.Xr ssh 1
 should support in order of preference.
 The possible values are
-.Dq 1
+.Sq 1
 and
-.Dq 2 .
+.Sq 2 .
 Multiple versions must be comma-separated.
 The default is
 .Dq 2,1 .
-This means that
-.Nm ssh
+This means that ssh
 tries version 2 and falls back to version 1
 if version 2 is not available.
 .It Cm ProxyCommand
@@ -746,9 +787,9 @@ or
 .Sq G
 to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
 The default is between
-.Dq 1G
+.Sq 1G
 and
-.Dq 4G ,
+.Sq 4G ,
 depending on the cipher.
 This option applies to protocol version 2 only.
 .It Cm RemoteForward
@@ -794,7 +835,7 @@ or
 The default is
 .Dq no .
 This option applies to protocol version 1 only and requires
-.Nm ssh
+.Xr ssh 1
 to be setuid root.
 .It Cm RSAAuthentication
 Specifies whether to try RSA authentication.
@@ -812,31 +853,31 @@ Note that this option applies to protocol version 1 only.
 Specifies what variables from the local
 .Xr environ 7
 should be sent to the server.
-Note that environment passing is only supported for protocol 2, the
-server must also support it, and the server must be configured to
+Note that environment passing is only supported for protocol 2.
+The server must also support it, and the server must be configured to
 accept these environment variables.
 Refer to
 .Cm AcceptEnv
 in
 .Xr sshd_config 5
 for how to configure the server.
-Variables are specified by name, which may contain the wildcard characters
-.Ql \&*
-and
-.Ql \&? .
+Variables are specified by name, which may contain wildcard characters.
 Multiple environment variables may be separated by whitespace or spread
 across multiple
 .Cm SendEnv
 directives.
 The default is not to send any environment variables.
+.Pp
+See
+.Sx PATTERNS
+for more information on patterns.
 .It Cm ServerAliveCountMax
 Sets the number of server alive messages (see below) which may be
 sent without
-.Nm ssh
+.Xr ssh 1
 receiving any messages back from the server.
 If this threshold is reached while server alive messages are being sent,
-.Nm ssh
-will disconnect from the server, terminating the session.
+ssh will disconnect from the server, terminating the session.
 It is important to note that the use of server alive messages is very
 different from
 .Cm TCPKeepAlive
@@ -852,18 +893,18 @@ server depend on knowing when a connection has become inactive.
 The default value is 3.
 If, for example,
 .Cm ServerAliveInterval
-(see below) is set to 15, and
+(see below) is set to 15 and
 .Cm ServerAliveCountMax
-is left at the default, if the server becomes unresponsive ssh
-will disconnect after approximately 45 seconds.
-This option works when using protocol version 2 only; in protocol version
+is left at the default, if the server becomes unresponsive,
+ssh will disconnect after approximately 45 seconds.
+This option applies to protocol version 2 only; in protocol version
 1 there is no mechanism to request a response from the server to the
 server alive messages, so disconnection is the responsibility of the TCP
 stack.
 .It Cm ServerAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the server,
-.Nm ssh
+.Xr ssh 1
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -894,41 +935,39 @@ This is a Debian-specific option.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use.
 The argument to this keyword is the device
-.Nm ssh
+.Xr ssh 1
 should use to communicate with a smartcard used for storing the user's
 private RSA key.
 By default, no device is specified and smartcard support is not activated.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-.Nm ssh
+.Xr ssh 1
 will never automatically add host keys to the
 .Pa ~/.ssh/known_hosts
 file, and refuses to connect to hosts whose host key has changed.
 This provides maximum protection against trojan horse attacks,
-however, can be annoying when the
+though it can be annoying when the
 .Pa /etc/ssh/ssh_known_hosts
-file is poorly maintained, or connections to new hosts are
+file is poorly maintained or when connections to new hosts are
 frequently made.
 This option forces the user to manually
 add all new hosts.
 If this flag is set to
 .Dq no ,
-.Nm ssh
-will automatically add new host keys to the
+ssh will automatically add new host keys to the
 user known hosts files.
 If this flag is set to
 .Dq ask ,
 new host keys
 will be added to the user known host files only after the user
 has confirmed that is what they really want to do, and
-.Nm ssh
-will refuse to connect to hosts whose host key has changed.
+ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
 The argument must be
 .Dq yes ,
-.Dq no
+.Dq no ,
 or
 .Dq ask .
 The default is
@@ -957,24 +996,44 @@ This is important in scripts, and many users want it too.
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
 .It Cm Tunnel
-Request starting
+Request
 .Xr tun 4
 device forwarding between the client and the server.
-This option also allows requesting layer 2 (ethernet)
-instead of layer 3 (point-to-point) tunneling from the server.
 The argument must be
 .Dq yes ,
-.Dq point-to-point ,
+.Dq point-to-point
+(layer 3),
 .Dq ethernet
+(layer 2),
 or
 .Dq no .
+Specifying
+.Dq yes
+requests the default tunnel mode, which is
+.Dq point-to-point .
 The default is
 .Dq no .
 .It Cm TunnelDevice
-Force a specified
+Specifies the
 .Xr tun 4
-device on the client.
-Without this option, the next available device will be used.
+devices to open on the client
+.Pq Ar local_tun
+and the server
+.Pq Ar remote_tun .
+.Pp
+The argument must be
+.Sm off
+.Ar local_tun Op : Ar remote_tun .
+.Sm on
+The devices may be specified by numerical ID or the keyword
+.Dq any ,
+which uses the next available tunnel device.
+If
+.Ar remote_tun
+is not specified, it defaults to
+.Dq any .
+The default is
+.Dq any:any .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
@@ -984,8 +1043,8 @@ or
 The default is
 .Dq no .
 If set to
-.Dq yes
-.Nm ssh
+.Dq yes ,
+.Xr ssh 1
 must be setuid root.
 Note that this option must be set to
 .Dq yes
@@ -1018,12 +1077,17 @@ need to confirm new host keys according to the
 option.
 The argument must be
 .Dq yes ,
-.Dq no
+.Dq no ,
 or
 .Dq ask .
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.Pp
+See also
+.Sx VERIFYING HOST KEYS
+in
+.Xr ssh 1 .
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1
@@ -1031,14 +1095,47 @@ program.
 The default is
 .Pa /usr/X11R6/bin/xauth .
 .El
+.Sh PATTERNS
+A
+.Em pattern
+consists of zero or more non-whitespace characters,
+.Sq *
+(a wildcard that matches zero or more characters),
+or
+.Sq ?\&
+(a wildcard that matches exactly one character).
+For example, to specify a set of declarations for any host in the
+.Dq .co.uk
+set of domains,
+the following pattern could be used:
+.Pp
+.Dl Host *.co.uk
+.Pp
+The following pattern
+would match any host in the 192.168.0.[0-9] network range:
+.Pp
+.Dl Host 192.168.0.?
+.Pp
+A
+.Em pattern-list
+is a comma-separated list of patterns.
+Patterns within pattern-lists may be negated
+by preceding them with an exclamation mark
+.Pq Sq !\& .
+For example,
+to allow a key to be used from anywhere within an organisation
+except from the
+.Dq dialup
+pool,
+the following entry (in authorized_keys) could be used:
+.Pp
+.Dl from=\&"!*.dialup.example.com,*.example.com\&"
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config
 This is the per-user configuration file.
 The format of this file is described above.
-This file is used by the
-.Nm ssh
-client.
+This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
 It may be group-writable provided that the group in question contains only
diff --git a/sshconnect.c b/sshconnect.c
index 8a63ef22b..3c888e36a 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshconnect.c,v 1.200 2006/10/10 10:12:45 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -13,12 +14,35 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $");
 
-#include <openssl/bn.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
-#include "ssh.h"
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "ssh.h"
 #include "rsa.h"
 #include "buffer.h"
 #include "packet.h"
@@ -32,6 +56,7 @@ RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $");
 #include "atomicio.h"
 #include "misc.h"
 #include "dns.h"
+#include "version.h"
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
@@ -69,7 +94,6 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
         int pin[2], pout[2];
         pid_t pid;
         char strport[NI_MAXSERV];
-        size_t len;
 
         /* Convert the port number into a string. */
         snprintf(strport, sizeof strport, "%hu", port);
@@ -81,10 +105,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
          * Use "exec" to avoid "sh -c" processes on some platforms
          * (e.g. Solaris)
          */
-        len = strlen(proxy_command) + 6;
-        tmp = xmalloc(len);
-        strlcpy(tmp, "exec ", len);
-        strlcat(tmp, proxy_command, len);
+        xasprintf(&tmp, "exec %s", proxy_command);
         command_string = percent_expand(tmp, "h", host,
             "p", strport, (char *)NULL);
         xfree(tmp);
@@ -101,8 +122,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
                 char *argv[10];
 
                 /* Child.  Permanently give up superuser privileges. */
-                seteuid(original_real_uid);
-                setuid(original_real_uid);
+                permanently_drop_suid(original_real_uid);
 
                 /* Redirect stdin and stdout. */
                 close(pin[1]);
@@ -212,7 +232,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
         fd_set *fdset;
         struct timeval tv;
         socklen_t optlen;
-        int fdsetsz, optval, rc, result = -1;
+        int optval, rc, result = -1;
 
         if (timeout <= 0)
                 return (connect(sockfd, serv_addr, addrlen));
@@ -226,10 +246,8 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
         if (errno != EINPROGRESS)
                 return (-1);
 
-        fdsetsz = howmany(sockfd + 1, NFDBITS) * sizeof(fd_mask);
-        fdset = (fd_set *)xmalloc(fdsetsz);
-
-        memset(fdset, 0, fdsetsz);
+        fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS),
+            sizeof(fd_mask));
         FD_SET(sockfd, fdset);
         tv.tv_sec = timeout;
         tv.tv_usec = 0;
@@ -312,17 +330,16 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                 fatal("%s: %.100s: %s", __progname, host,
                     gai_strerror(gaierr));
 
-        /*
-         * Try to connect several times.  On some machines, the first time
-         * will sometimes fail.  In general socket code appears to behave
-         * quite magically on many machines.
-                 */
-        for (attempt = 0; ;) {
-                if (attempt > 0)
+        for (attempt = 0; attempt < connection_attempts; attempt++) {
+                if (attempt > 0) {
+                        /* Sleep a moment before retrying. */
+                        sleep(1);
                         debug("Trying again...");
-
-                /* Loop through addresses for this host, and try each one in
-                   sequence until the connection succeeds. */
+                }
+                /*
+                 * Loop through addresses for this host, and try each one in
+                 * sequence until the connection succeeds.
+                 */
                 for (ai = aitop; ai; ai = ai->ai_next) {
                         if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
                                 continue;
@@ -349,29 +366,18 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                         } else {
                                 debug("connect to address %s port %s: %s",
                                     ntop, strport, strerror(errno));
-                                /*
-                                 * Close the failed socket; there appear to
-                                 * be some problems when reusing a socket for
-                                 * which connect() has already returned an
-                                 * error.
-                                 */
                                 close(sock);
+                                sock = -1;
                         }
                 }
-                if (ai)
+                if (sock != -1)
                         break;  /* Successful connection. */
-
-                attempt++;
-                if (attempt >= connection_attempts)
-                        break;
-                /* Sleep a moment before retrying. */
-                sleep(1);
         }
 
         freeaddrinfo(aitop);
 
         /* Return failure if we didn't get a successful connection. */
-        if (attempt >= connection_attempts) {
+        if (sock == -1) {
                 error("ssh: connect to host %s port %s: %s",
                     host, strport, strerror(errno));
                 return (-1);
@@ -403,22 +409,23 @@ ssh_exchange_identification(void)
         int connection_in = packet_get_connection_in();
         int connection_out = packet_get_connection_out();
         int minor1 = PROTOCOL_MINOR_1;
-        u_int i;
+        u_int i, n;
         struct sigaction sa, osa;
 
         /* Read other side's version identification.
-         * If SetupTimeOut has been set, give up after
-         * the specified amount of time
+         * If SetupTimeOut has been set, give up after the specified amount
+         * of time.
          */
-        if(options.setuptimeout > 0){
+        if (options.setuptimeout > 0) {
                 memset(&sa, 0, sizeof(sa));
                 sa.sa_handler = banner_alarm_catch;
-                /*throw away any pending alarms, since we'd block otherwise*/
+                /* throw away any pending alarms, since we'd block otherwise */
                 alarm(0);
                 sigaction(SIGALRM, &sa, &osa);
                 alarm(options.setuptimeout);
         }
-        for (;;) {
+        /* Read other side's version identification. */
+        for (n = 0;;) {
                 for (i = 0; i < sizeof(buf) - 1; ) {
                         ssize_t len = read(connection_in, &buf[i], 1);
                         if (banner_timedout)
@@ -450,6 +457,8 @@ ssh_exchange_identification(void)
                                 buf[i] = '\n';
                                 buf[i + 1] = 0;         /**XXX wait for \n */
                         }
+                        if (++n > 65536)
+                                fatal("ssh_exchange_identification: No banner received");
                         i++;
                 }
                 buf[sizeof(buf) - 1] = 0;
@@ -464,7 +473,7 @@ ssh_exchange_identification(void)
          */
         if (options.setuptimeout > 0) {
                 alarm(0);
-                sigaction(SIGALRM,&osa,NULL);
+                sigaction(SIGALRM, &osa, NULL);
         }
 
         /*
@@ -560,13 +569,17 @@ confirm(const char *prompt)
  * check whether the supplied host key is valid, return -1 if the key
  * is not valid. the user_hostfile will not be updated if 'readonly' is true.
  */
+#define RDRW    0
+#define RDONLY  1
+#define ROQUIET 2
 static int
-check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
-    int readonly, const char *user_hostfile, const char *system_hostfile)
+check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+    Key *host_key, int readonly, const char *user_hostfile,
+    const char *system_hostfile)
 {
         Key *file_key;
         const char *type = key_type(host_key);
-        char *ip = NULL;
+        char *ip = NULL, *host = NULL;
         char hostline[1000], *hostp, *fp;
         HostStatus host_status;
         HostStatus ip_status;
@@ -617,7 +630,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
                     NULL, 0, NI_NUMERICHOST) != 0)
                         fatal("check_host_key: getnameinfo failed");
-                ip = xstrdup(ntop);
+                ip = put_host_port(ntop, port);
         } else {
                 ip = xstrdup("<no hostip for proxy command>");
         }
@@ -625,18 +638,21 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
          * Turn off check_host_ip if the connection is to localhost, via proxy
          * command or if we don't have a hostname to compare with
          */
-        if (options.check_host_ip &&
-            (local || strcmp(host, ip) == 0 || options.proxy_command != NULL))
+        if (options.check_host_ip && (local ||
+            strcmp(hostname, ip) == 0 || options.proxy_command != NULL))
                 options.check_host_ip = 0;
 
         /*
-         * Allow the user to record the key under a different name. This is
-         * useful for ssh tunneling over forwarded connections or if you run
-         * multiple sshd's on different ports on the same machine.
+         * Allow the user to record the key under a different name or
+         * differentiate a non-standard port.  This is useful for ssh
+         * tunneling over forwarded connections or if you run multiple
+         * sshd's on different ports on the same machine.
          */
         if (options.host_key_alias != NULL) {
-                host = options.host_key_alias;
+                host = xstrdup(options.host_key_alias);
                 debug("using hostkeyalias: %s", host);
+        } else {
+                host = put_host_port(hostname, port);
         }
 
         /*
@@ -705,6 +721,15 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 }
                 break;
         case HOST_NEW:
+                if (options.host_key_alias == NULL && port != 0 &&
+                    port != SSH_DEFAULT_PORT) {
+                        debug("checking without port identifier");
+                        if (check_host_key(hostname, hostaddr, 0, host_key, 2,
+                            user_hostfile, system_hostfile) == 0) {
+                                debug("found matching key w/out port");
+                                break;
+                        }
+                }
                 if (readonly)
                         goto fail;
                 /* The host is new. */
@@ -784,6 +809,8 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                             "list of known hosts.", hostp, type);
                 break;
         case HOST_CHANGED:
+                if (readonly == ROQUIET)
+                        goto fail;
                 if (options.check_host_ip && host_ip_differ) {
                         char *key_msg;
                         if (ip_status == HOST_NEW)
@@ -822,7 +849,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 /*
                  * If strict host key checking has not been requested, allow
                  * the connection but without MITM-able authentication or
-                 * agent forwarding.
+                 * forwarding.
                  */
                 if (options.password_authentication) {
                         error("Password authentication is disabled to avoid "
@@ -857,6 +884,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                         options.num_local_forwards =
                             options.num_remote_forwards = 0;
                 }
+                if (options.tun_open != SSH_TUNMODE_NO) {
+                        error("Tunnel forwarding is disabled to avoid "
+                            "man-in-the-middle attacks.");
+                        options.tun_open = SSH_TUNMODE_NO;
+                }
                 /*
                  * XXX Should permit the user to change to use the new id.
                  * This could be done by converting the host key to an
@@ -898,10 +930,12 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
         }
 
         xfree(ip);
+        xfree(host);
         return 0;
 
 fail:
         xfree(ip);
+        xfree(host);
         return -1;
 }
 
@@ -935,12 +969,13 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
         /* return ok if the key can be found in an old keyfile */
         if (stat(options.system_hostfile2, &st) == 0 ||
             stat(options.user_hostfile2, &st) == 0) {
-                if (check_host_key(host, hostaddr, host_key, /*readonly*/ 1,
-                    options.user_hostfile2, options.system_hostfile2) == 0)
+                if (check_host_key(host, hostaddr, options.port, host_key,
+                    RDONLY, options.user_hostfile2,
+                    options.system_hostfile2) == 0)
                         return 0;
         }
-        return check_host_key(host, hostaddr, host_key, /*readonly*/ 0,
-            options.user_hostfile, options.system_hostfile);
+        return check_host_key(host, hostaddr, options.port, host_key,
+            RDRW, options.user_hostfile, options.system_hostfile);
 }
 
 /*
@@ -964,7 +999,7 @@ ssh_login(Sensitive *sensitive, const char *orighost,
         host = xstrdup(orighost);
         for (cp = host; *cp; cp++)
                 if (isupper(*cp))
-                        *cp = tolower(*cp);
+                        *cp = (char)tolower(*cp);
 
         /* Exchange protocol version identification strings with the server. */
         ssh_exchange_identification();
@@ -981,6 +1016,7 @@ ssh_login(Sensitive *sensitive, const char *orighost,
                 ssh_kex(host, hostaddr);
                 ssh_userauth1(local_user, server_user, host, sensitive);
         }
+        xfree(local_user);
 }
 
 void
@@ -994,8 +1030,7 @@ ssh_put_password(char *password)
                 return;
         }
         size = roundup(strlen(password) + 1, 32);
-        padded = xmalloc(size);
-        memset(padded, 0, size);
+        padded = xcalloc(1, size);
         strlcpy(padded, password, size);
         packet_put_string(padded, size);
         memset(padded, 0, size);
diff --git a/sshconnect.h b/sshconnect.h
index e7c7a2b34..4e66bbffc 100644
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $    */
+/* $OpenBSD: sshconnect.h,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -23,8 +23,6 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#ifndef SSHCONNECT_H
-#define SSHCONNECT_H
 
 typedef struct Sensitive Sensitive;
 struct Sensitive {
@@ -54,16 +52,18 @@ int	 ssh_local_cmd(const char *);
 /*
  * Macros to raise/lower permissions.
  */
-#define PRIV_START do {                         \
-        int save_errno = errno;                 \
-        (void)seteuid(original_effective_uid);  \
-        errno = save_errno;                     \
+#define PRIV_START do {                                 \
+        int save_errno = errno;                         \
+        if (seteuid(original_effective_uid) != 0)       \
+                fatal("PRIV_START: seteuid: %s",        \
+                    strerror(errno));                   \
+        errno = save_errno;                             \
 } while (0)
 
-#define PRIV_END do {                           \
-        int save_errno = errno;                 \
-        (void)seteuid(original_real_uid);       \
-        errno = save_errno;                     \
+#define PRIV_END do {                                   \
+        int save_errno = errno;                         \
+        if (seteuid(original_real_uid) != 0)            \
+                fatal("PRIV_END: seteuid: %s",          \
+                    strerror(errno));                   \
+        errno = save_errno;                             \
 } while (0)
-
-#endif
diff --git a/sshconnect1.c b/sshconnect1.c
index 440d7c5bd..fd07bbf74 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -13,28 +14,38 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.62 2005/10/30 08:52:18 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/socket.h>
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <pwd.h>
+
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
-#include "xmalloc.h"
 #include "rsa.h"
 #include "buffer.h"
 #include "packet.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
 #include "uidswap.h"
 #include "log.h"
 #include "readconf.h"
-#include "key.h"
 #include "authfd.h"
 #include "sshconnect.h"
 #include "authfile.h"
 #include "misc.h"
-#include "cipher.h"
 #include "canohost.h"
+#include "hostfile.h"
 #include "auth.h"
 
 /* Session id for the current session. */
@@ -197,7 +208,7 @@ try_rsa_authentication(int idx)
         BIGNUM *challenge;
         Key *public, *private;
         char buf[300], *passphrase, *comment, *authfile;
-        int i, type, quit;
+        int i, perm_ok = 1, type, quit;
 
         public = options.identity_keys[idx];
         authfile = options.identity_files[idx];
@@ -243,15 +254,16 @@ try_rsa_authentication(int idx)
         if (public->flags & KEY_FLAG_EXT)
                 private = public;
         else
-                private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
-        if (private == NULL && !options.batch_mode) {
+                private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
+                    &perm_ok);
+        if (private == NULL && !options.batch_mode && perm_ok) {
                 snprintf(buf, sizeof(buf),
                     "Enter passphrase for RSA key '%.100s': ", comment);
                 for (i = 0; i < options.number_of_password_prompts; i++) {
                         passphrase = read_passphrase(buf, 0);
                         if (strcmp(passphrase, "") != 0) {
                                 private = key_load_private_type(KEY_RSA1,
-                                    authfile, passphrase, NULL);
+                                    authfile, passphrase, NULL, NULL);
                                 quit = 0;
                         } else {
                                 debug2("no passphrase given, try next key");
@@ -268,7 +280,7 @@ try_rsa_authentication(int idx)
         xfree(comment);
 
         if (private == NULL) {
-                if (!options.batch_mode)
+                if (!options.batch_mode && perm_ok)
                         error("Bad passphrase.");
 
                 /* Send a dummy response packet to avoid protocol error. */
@@ -551,14 +563,20 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
          * the first 16 bytes of the session id.
          */
         if ((key = BN_new()) == NULL)
-                fatal("respond_to_rsa_challenge: BN_new failed");
-        BN_set_word(key, 0);
+                fatal("ssh_kex: BN_new failed");
+        if (BN_set_word(key, 0) == 0)
+                fatal("ssh_kex: BN_set_word failed");
         for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-                BN_lshift(key, key, 8);
-                if (i < 16)
-                        BN_add_word(key, session_key[i] ^ session_id[i]);
-                else
-                        BN_add_word(key, session_key[i]);
+                if (BN_lshift(key, key, 8) == 0)
+                        fatal("ssh_kex: BN_lshift failed");
+                if (i < 16) {
+                        if (BN_add_word(key, session_key[i] ^ session_id[i])
+                            == 0)
+                                fatal("ssh_kex: BN_add_word failed");
+                } else {
+                        if (BN_add_word(key, session_key[i]) == 0)
+                                fatal("ssh_kex: BN_add_word failed");
+                }
         }
 
         /*
diff --git a/sshconnect2.c b/sshconnect2.c
index 566571ae9..63e9369b1 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,18 +24,30 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
 
 #include "openbsd-compat/sys-queue.h"
 
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "buffer.h"
 #include "packet.h"
 #include "compat.h"
-#include "bufaux.h"
 #include "cipher.h"
+#include "key.h"
 #include "kex.h"
 #include "myproposal.h"
 #include "sshconnect.h"
@@ -49,6 +62,7 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $");
 #include "canohost.h"
 #include "msg.h"
 #include "pathnames.h"
+#include "uidswap.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -85,19 +99,19 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
         Kex *kex;
 
 #ifdef GSSAPI
-        char *orig, *gss = NULL;
-        int len;
-        char *gss_host = NULL;
+        char *orig = NULL, *gss = NULL;
+        char *gss_host = NULL;
 #endif
 
         xxx_host = host;
         xxx_hostaddr = hostaddr;
 
 #ifdef GSSAPI
-        if (options.gss_authentication) {
-                /* Add the GSSAPI mechanisms currently supported on this
+        if (options.gss_keyex) {
+                /* Add the GSSAPI mechanisms currently supported on this 
                  * client to the key exchange algorithm proposal */
                 orig = myproposal[PROPOSAL_KEX_ALGS];
+
                 if (options.gss_trust_dns)
                         gss_host = (char *)get_canonical_hostname(1);
                 else
@@ -106,10 +120,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 gss = ssh_gssapi_client_mechanisms(gss_host);
                 if (gss) {
                         debug("Offering GSSAPI proposal: %s", gss);
-                        len = strlen(orig) + strlen(gss) + 2;
-                        myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
-                        snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s",
-                            gss, orig);
+                        xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+                            "%s,%s", gss, orig);
                 }
         }
 #endif
@@ -144,11 +156,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 #ifdef GSSAPI
         /* If we've got GSSAPI algorithms, then we also support the
          * 'null' hostkey, as a last resort */
-        if (gss) {
+        if (options.gss_keyex && gss) {
                 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
-                len = strlen(orig) + sizeof(",null");
-                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xmalloc(len);
-                snprintf(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], len, 
+                xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
                     "%s,null", orig);
         }
 #endif
@@ -161,9 +171,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+        kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 #ifdef GSSAPI
-        if (options.gss_authentication) {
+        if (options.gss_keyex) {
                 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
                 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
         }
 #endif
@@ -423,7 +435,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
         debug3("input_userauth_banner");
         msg = packet_get_string(NULL);
         lang = packet_get_string(NULL);
-        if (options.log_level > SYSLOG_LEVEL_QUIET)
+        if (options.log_level >= SYSLOG_LEVEL_INFO)
                 fprintf(stderr, "%s", msg);
         xfree(msg);
         xfree(lang);
@@ -545,8 +557,14 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
+        char *gss_host = NULL;
         int old_gssapi_method;
 
+        if (options.gss_trust_dns)
+                gss_host = (char *)get_canonical_hostname(1);
+        else
+                gss_host = (char *)authctxt->host;
+
         /* Try one GSSAPI method at a time, rather than sending them all at
          * once. */
 
@@ -555,15 +573,10 @@ userauth_gssapi(Authctxt *authctxt)
 
         /* Check to see if the mechanism is usable before we offer it */
         while (mech < gss_supported->count && !ok) {
-                if (gssctxt)
-                        ssh_gssapi_delete_ctx(&gssctxt);
-                ssh_gssapi_build_ctx(&gssctxt);
-                ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
                 /* My DER encoding requires length<128 */
                 if (gss_supported->elements[mech].length < 128 &&
-                    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
-                    authctxt->host))) {
+                    ssh_gssapi_check_mechanism(&gssctxt, 
+                    &gss_supported->elements[mech], gss_host)) {
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
@@ -587,7 +600,7 @@ userauth_gssapi(Authctxt *authctxt)
          * for the old gssapi method.
          * We only include tagged oids for the new gssapi-with-mic method.
          */
-        packet_put_int(old_gssapi_method?2:1);
+        packet_put_int(old_gssapi_method ? 2 : 1);
 
         packet_put_int((gss_supported->elements[mech].length) + 2);
         packet_put_char(SSH_GSS_OIDTYPE);
@@ -595,7 +608,7 @@ userauth_gssapi(Authctxt *authctxt)
         packet_put_raw(gss_supported->elements[mech].elements,
             gss_supported->elements[mech].length);
         if (old_gssapi_method) {
-                packet_put_int((gss_supported->elements[mech].length));
+                packet_put_int(gss_supported->elements[mech].length);
                 packet_put_raw(gss_supported->elements[mech].elements,
                                gss_supported->elements[mech].length);
         }
@@ -673,8 +686,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
-        int oidlen;
-        char *oidv, *oidv_free;
+        u_int oidlen;
+        u_char *oidv, *oidv_free;
 
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
@@ -1086,14 +1099,16 @@ load_identity_file(char *filename)
 {
         Key *private;
         char prompt[300], *passphrase;
-        int quit, i;
+        int perm_ok, quit, i;
         struct stat st;
 
         if (stat(filename, &st) < 0) {
                 debug3("no such identity: %s", filename);
                 return NULL;
         }
-        private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
+        private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
+        if (!perm_ok)
+                return NULL;
         if (private == NULL) {
                 if (options.batch_mode)
                         return NULL;
@@ -1102,8 +1117,8 @@ load_identity_file(char *filename)
                 for (i = 0; i < options.number_of_password_prompts; i++) {
                         passphrase = read_passphrase(prompt, 0);
                         if (strcmp(passphrase, "") != 0) {
-                                private = key_load_private_type(KEY_UNSPEC, filename,
-                                    passphrase, NULL);
+                                private = key_load_private_type(KEY_UNSPEC,
+                                    filename, passphrase, NULL, NULL);
                                 quit = 0;
                         } else {
                                 debug2("no passphrase given, try next key");
@@ -1146,8 +1161,7 @@ pubkey_prepare(Authctxt *authctxt)
                 if (key && key->type == KEY_RSA1)
                         continue;
                 options.identity_keys[i] = NULL;
-                id = xmalloc(sizeof(*id));
-                memset(id, 0, sizeof(*id));
+                id = xcalloc(1, sizeof(*id));
                 id->key = key;
                 id->filename = xstrdup(options.identity_files[i]);
                 TAILQ_INSERT_TAIL(&files, id, next);
@@ -1171,8 +1185,7 @@ pubkey_prepare(Authctxt *authctxt)
                                 }
                         }
                         if (!found && !options.identities_only) {
-                                id = xmalloc(sizeof(*id));
-                                memset(id, 0, sizeof(*id));
+                                id = xcalloc(1, sizeof(*id));
                                 id->key = key;
                                 id->filename = comment;
                                 id->ac = ac;
@@ -1368,8 +1381,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
                 return -1;
         }
         if (pid == 0) {
-                seteuid(getuid());
-                setuid(getuid());
+                permanently_drop_suid(getuid());
                 close(from[0]);
                 if (dup2(from[1], STDOUT_FILENO) < 0)
                         fatal("ssh_keysign: dup2: %s", strerror(errno));
@@ -1449,12 +1461,11 @@ userauth_hostbased(Authctxt *authctxt)
         if (p == NULL) {
                 error("userauth_hostbased: cannot get local ipaddr/name");
                 key_free(private);
+                xfree(blob);
                 return 0;
         }
         len = strlen(p) + 2;
-        chost = xmalloc(len);
-        strlcpy(chost, p, len);
-        strlcat(chost, ".", len);
+        xasprintf(&chost, "%s.", p);
         debug2("userauth_hostbased: chost %s", chost);
         xfree(p);
 
@@ -1487,6 +1498,7 @@ userauth_hostbased(Authctxt *authctxt)
                 error("key_sign failed");
                 xfree(chost);
                 xfree(pkalg);
+                xfree(blob);
                 return 0;
         }
         packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -1502,6 +1514,7 @@ userauth_hostbased(Authctxt *authctxt)
         xfree(signature);
         xfree(chost);
         xfree(pkalg);
+        xfree(blob);
 
         packet_send();
         return 1;
diff --git a/sshd.0 b/sshd.0
index 040be6cad..5e21db125 100644
--- a/sshd.0
+++ b/sshd.0
@@ -21,7 +21,7 @@ DESCRIPTION
      (by default sshd_config(5)); command-line options override values speci-
      fied in the configuration file.  sshd rereads its configuration file when
      it receives a hangup signal, SIGHUP, by executing itself with the name
-     and options it was started with, e.g., /usr/sbin/sshd.
+     and options it was started with, e.g. /usr/sbin/sshd.
 
      The options are as follows:
 
@@ -69,7 +69,7 @@ DESCRIPTION
              not run from inetd because it needs to generate the server key
              before it can respond to the client, and this may take tens of
              seconds.  Clients would have to wait too long if the key was re-
-             generated every time.  However, with small key sizes (e.g., 512)
+             generated every time.  However, with small key sizes (e.g. 512)
              using sshd from inetd may be feasible.
 
      -k key_gen_time
@@ -161,17 +161,13 @@ AUTHENTICATION
      allowing still public-key, then the passwd field should be set to some-
      thing other than these values (eg `NP' or `*NP*' ).
 
-     System security is not improved unless rshd, rlogind, and rexecd are dis-
-     abled (thus completely disabling rlogin and rsh into the machine).
-
-COMMAND EXECUTION AND DATA FORWARDING
      If the client successfully authenticates itself, a dialog for preparing
      the session is entered.  At this time the client may request things like
      allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
      nections, or forwarding the authentication agent connection over the se-
      cure channel.
 
-     Finally, the client either requests a shell or execution of a command.
+     After this, the client either requests a shell or execution of a command.
      The sides then enter session mode.  In this mode, either side may send
      data at any time, and such data is forwarded to/from the shell or command
      on the server side, and the user terminal in the client side.
@@ -204,33 +200,60 @@ LOGIN PROCESS
 
            8.   If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
                 runs it; otherwise runs xauth.  The ``rc'' files are given the
-                X11 authentication protocol and cookie in standard input.
+                X11 authentication protocol and cookie in standard input.  See
+                SSHRC, below.
 
            9.   Runs user's shell or command.
 
+SSHRC
+     If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
+     files but before starting the user's shell or command.  It must not pro-
+     duce any output on stdout; stderr must be used instead.  If X11 forward-
+     ing is in use, it will receive the "proto cookie" pair in its standard
+     input (and DISPLAY in its environment).  The script must call xauth(1)
+     because sshd will not run xauth automatically to add X11 cookies.
+
+     The primary purpose of this file is to run any initialization routines
+     which may be needed before the user's home directory becomes accessible;
+     AFS is a particular example of such an environment.
+
+     This file will probably contain some initialization code followed by
+     something similar to:
+
+        if read proto cookie && [ -n "$DISPLAY" ]; then
+                if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
+                        # X11UseLocalhost=yes
+                        echo add unix:`echo $DISPLAY |
+                            cut -c11-` $proto $cookie
+                else
+                        # X11UseLocalhost=no
+                        echo add $DISPLAY $proto $cookie
+                fi | xauth -q -
+        fi
+
+     If this file does not exist, /etc/ssh/sshrc is run, and if that does not
+     exist either, xauth is used to add the cookie.
+
 AUTHORIZED_KEYS FILE FORMAT
-     ~/.ssh/authorized_keys is the default file that lists the public keys
-     that are permitted for RSA authentication in protocol version 1 and for
-     public key authentication (PubkeyAuthentication) in protocol version 2.
-     AuthorizedKeysFile may be used to specify an alternative file.
-
-     Each line of the file contains one key (empty lines and lines starting
-     with a `#' are ignored as comments).  Each RSA public key consists of the
-     following fields, separated by spaces: options, bits, exponent, modulus,
-     comment.  Each protocol version 2 public key consists of: options, key-
-     type, base64 encoded key, comment.  The options field is optional; its
-     presence is determined by whether the line starts with a number or not
-     (the options field never starts with a number).  The bits, exponent, mod-
-     ulus and comment fields give the RSA key for protocol version 1; the com-
-     ment field is not used for anything (but may be convenient for the user
-     to identify the key).  For protocol version 2 the keytype is ``ssh-dss''
-     or ``ssh-rsa''.
+     AuthorizedKeysFile specifies the file containing public keys for public
+     key authentication; if none is specified, the default is
+     ~/.ssh/authorized_keys.  Each line of the file contains one key (empty
+     lines and lines starting with a `#' are ignored as comments).  Protocol 1
+     public keys consist of the following space-separated fields: options,
+     bits, exponent, modulus, comment.  Protocol 2 public key consist of: op-
+     tions, keytype, base64-encoded key, comment.  The options field is op-
+     tional; its presence is determined by whether the line starts with a num-
+     ber or not (the options field never starts with a number).  The bits, ex-
+     ponent, modulus, and comment fields give the RSA key for protocol version
+     1; the comment field is not used for anything (but may be convenient for
+     the user to identify the key).  For protocol version 2 the keytype is
+     ``ssh-dss'' or ``ssh-rsa''.
 
      Note that lines in this file are usually several hundred bytes long (be-
      cause of the size of the public key encoding) up to a limit of 8 kilo-
      bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
      kilobits.  You don't want to type them in; instead, copy the
-     identity.pub, id_dsa.pub or the id_rsa.pub file and edit it.
+     identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.
 
      sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
      2 keys of 768 bits.
@@ -240,21 +263,6 @@ AUTHORIZED_KEYS FILE FORMAT
      lowing option specifications are supported (note that option keywords are
      case-insensitive):
 
-     from="pattern-list"
-             Specifies that in addition to public key authentication, the
-             canonical name of the remote host must be present in the comma-
-             separated list of patterns (`*' and `?' serve as wildcards).  The
-             list may also contain patterns negated by prefixing them with
-             `!'; if the canonical host name matches a negated pattern, the
-             key is not accepted.  The purpose of this option is to optionally
-             increase security: public key authentication by itself does not
-             trust the network or name servers or anything (but the key); how-
-             ever, if somebody somehow steals the key, the key permits an in-
-             truder to log in from anywhere in the world.  This additional op-
-             tion makes using a stolen key more difficult (name servers and/or
-             routers would have to be compromised in addition to just the
-             key).
-
      command="command"
              Specifies that the command is executed whenever this key is used
              for authentication.  The command supplied by the user (if any) is
@@ -266,8 +274,10 @@ AUTHORIZED_KEYS FILE FORMAT
              lic keys to perform just a specific operation.  An example might
              be a key that permits remote backups but nothing else.  Note that
              the client may specify TCP and/or X11 forwarding unless they are
-             explicitly prohibited.  Note that this option applies to shell,
-             command or subsystem execution.
+             explicitly prohibited.  The command originally supplied by the
+             client is available in the SSH_ORIGINAL_COMMAND environment vari-
+             able.  Note that this option applies to shell, command or subsys-
+             tem execution.
 
      environment="NAME=value"
              Specifies that the string is to be added to the environment when
@@ -277,21 +287,35 @@ AUTHORIZED_KEYS FILE FORMAT
              default and is controlled via the PermitUserEnvironment option.
              This option is automatically disabled if UseLogin is enabled.
 
-     no-port-forwarding
-             Forbids TCP forwarding when this key is used for authentication.
-             Any port forward requests by the client will return an error.
-             This might be used, e.g., in connection with the command option.
+     from="pattern-list"
+             Specifies that in addition to public key authentication, the
+             canonical name of the remote host must be present in the comma-
+             separated list of patterns.  The purpose of this option is to op-
+             tionally increase security: public key authentication by itself
+             does not trust the network or name servers or anything (but the
+             key); however, if somebody somehow steals the key, the key per-
+             mits an intruder to log in from anywhere in the world.  This ad-
+             ditional option makes using a stolen key more difficult (name
+             servers and/or routers would have to be compromised in addition
+             to just the key).
 
-     no-X11-forwarding
-             Forbids X11 forwarding when this key is used for authentication.
-             Any X11 forward requests by the client will return an error.
+             See PATTERNS in ssh_config(5) for more information on patterns.
 
      no-agent-forwarding
              Forbids authentication agent forwarding when this key is used for
              authentication.
 
+     no-port-forwarding
+             Forbids TCP forwarding when this key is used for authentication.
+             Any port forward requests by the client will return an error.
+             This might be used, e.g. in connection with the command option.
+
      no-pty  Prevents tty allocation (a request to allocate a pty will fail).
 
+     no-X11-forwarding
+             Forbids X11 forwarding when this key is used for authentication.
+             Any X11 forward requests by the client will return an error.
+
      permitopen="host:port"
              Limit local ``ssh -L'' port forwarding such that it may only con-
              nect to the specified host and port.  IPv6 addresses can be spec-
@@ -305,24 +329,24 @@ AUTHORIZED_KEYS FILE FORMAT
              next available device will be used if the client requests a tun-
              nel.
 
-   Examples
-     1024 33 12121...312314325 ylo@foo.bar
+     An example authorized_keys file:
 
-     from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
-
-     command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back-
-     up.hut.fi
-
-     permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
-
-     tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openb-
-     sd.org
+        # Comments allowed at start of line
+        ssh-rsa AAAAB3Nza...LiPk== user@example.net
+        from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
+        AAAAB2...19Q== john@example.net
+        command="dump /home",no-pty,no-port-forwarding ssh-dss
+        AAAAC3...51R== example.net
+        permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
+        AAAAB5...21S==
+        tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
+        jane@example.net
 
 SSH_KNOWN_HOSTS FILE FORMAT
      The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
      public keys for all known hosts.  The global file should be prepared by
      the administrator (optional), and the per-user file is maintained auto-
-     matically: whenever the user connects from an unknown host its key is
+     matically: whenever the user connects from an unknown host, its key is
      added to the per-user file.
 
      Each line in these files contains the following fields: hostnames, bits,
@@ -333,7 +357,9 @@ SSH_KNOWN_HOSTS FILE FORMAT
      (when authenticating a client) or against the user-supplied name (when
      authenticating a server).  A pattern may also be preceded by `!' to indi-
      cate negation: if the host name matches a negated pattern, it is not ac-
-     cepted (by that line) even if it matched another pattern on the line.
+     cepted (by that line) even if it matched another pattern on the line.  A
+     hostname or address may optionally be enclosed within `[' and `]' brack-
+     ets then followed by `:' and a non-standard port number.
 
      Alternately, hostnames may be stored in a hashed form which hides host
      names and addresses should the file's contents be disclosed.  Hashed
@@ -342,8 +368,8 @@ SSH_KNOWN_HOSTS FILE FORMAT
      tors may be applied.
 
      Bits, exponent, and modulus are taken directly from the RSA host key;
-     they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub.  The optional
-     comment field continues to the end of the line, and is not used.
+     they can be obtained, for example, from /etc/ssh/ssh_host_key.pub.  The
+     optional comment field continues to the end of the line, and is not used.
 
      Lines starting with `#' and empty lines are ignored as comments.
 
@@ -360,29 +386,115 @@ SSH_KNOWN_HOSTS FILE FORMAT
      Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub
      and adding the host names at the front.
 
-   Examples
-
-     closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
-     cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
+     An example ssh_known_hosts file:
 
-     # A hashed hostname
-     |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
-     AAAA1234.....=
+        # Comments allowed at start of line
+        closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
+        cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
+        # A hashed hostname
+        |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
+        AAAA1234.....=
 
 FILES
-     /etc/ssh/sshd_config
-             Contains configuration data for sshd.  The file format and con-
-             figuration options are described in sshd_config(5).
+     ~/.hushlogin
+             This file is used to suppress printing the last login time and
+             /etc/motd, if PrintLastLog and PrintMotd, respectively, are en-
+             abled.  It does not suppress printing of the banner specified by
+             Banner.
+
+     ~/.rhosts
+             This file is used for host-based authentication (see ssh(1) for
+             more information).  On some machines this file may need to be
+             world-readable if the user's home directory is on an NFS parti-
+             tion, because sshd reads it as root.  Additionally, this file
+             must be owned by the user, and must not have write permissions
+             for anyone else.  The recommended permission for most machines is
+             read/write for the user, and not accessible by others.
+
+     ~/.shosts
+             This file is used in exactly the same way as .rhosts, but allows
+             host-based authentication without permitting login with
+             rlogin/rsh.
+
+     ~/.ssh/authorized_keys
+             Lists the public keys (RSA/DSA) that can be used for logging in
+             as this user.  The format of this file is described above.  The
+             content of the file is not highly sensitive, but the recommended
+             permissions are read/write for the user, and not accessible by
+             others.
+
+             If this file, the ~/.ssh directory, or the user's home directory
+             are writable by other users, then the file could be modified or
+             replaced by unauthorized users.  In this case, sshd will not al-
+             low it to be used unless the StrictModes option has been set to
+             ``no''.  The recommended permissions can be set by executing
+             ``chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys''.
+
+     ~/.ssh/environment
+             This file is read into the environment at login (if it exists).
+             It can only contain empty lines, comment lines (that start with
+             `#'), and assignment lines of the form name=value.  The file
+             should be writable only by the user; it need not be readable by
+             anyone else.  Environment processing is disabled by default and
+             is controlled via the PermitUserEnvironment option.
+
+     ~/.ssh/known_hosts
+             Contains a list of host keys for all hosts the user has logged
+             into that are not already in the systemwide list of known host
+             keys.  The format of this file is described above.  This file
+             should be writable only by root/the owner and can, but need not
+             be, world-readable.
+
+     ~/.ssh/rc
+             Contains initialization routines to be run before the user's home
+             directory becomes accessible.  This file should be writable only
+             by the user, and need not be readable by anyone else.
+
+     /etc/hosts.allow
+     /etc/hosts.deny
+             Access controls that should be enforced by tcp-wrappers are de-
+             fined here.  Further details are described in hosts_access(5).
+
+     /etc/hosts.equiv
+             This file is for host-based authentication (see ssh(1)).  It
+             should only be writable by root.
+
+     /etc/moduli
+             Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
+             Exchange".  The file format is described in moduli(5).
 
-     /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key,
-             /etc/ssh/ssh_host_rsa_key
+     /etc/motd
+             See motd(5).
+
+     /etc/nologin
+             If this file exists, sshd refuses to let anyone except root log
+             in.  The contents of the file are displayed to anyone trying to
+             log in, and non-root connections are refused.  The file should be
+             world-readable.
+
+     /etc/shosts.equiv
+             This file is used in exactly the same way as hosts.equiv, but al-
+             lows host-based authentication without permitting login with
+             rlogin/rsh.
+
+     /etc/ssh/ssh_known_hosts
+             Systemwide list of known host keys.  This file should be prepared
+             by the system administrator to contain the public host keys of
+             all machines in the organization.  The format of this file is de-
+             scribed above.  This file should be writable only by root/the
+             owner and should be world-readable.
+
+     /etc/ssh/ssh_host_key
+     /etc/ssh/ssh_host_dsa_key
+     /etc/ssh/ssh_host_rsa_key
              These three files contain the private parts of the host keys.
              These files should only be owned by root, readable only by root,
              and not accessible to others.  Note that sshd does not start if
-             this file is group/world-accessible.
+             these files are group/world-accessible.
 
-     /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub,
-             /etc/ssh/ssh_host_rsa_key.pub
+     /etc/ssh/ssh_host_key.pub
+     /etc/ssh/ssh_host_dsa_key.pub
+     /etc/ssh/ssh_host_rsa_key.pub
              These three files contain the public parts of the host keys.
              These files should be world-readable but writable only by root.
              Their contents should match the respective private parts.  These
@@ -390,9 +502,14 @@ FILES
              convenience of the user so their contents can be copied to known
              hosts files.  These files are created using ssh-keygen(1).
 
-     /etc/moduli
-             Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
-             Exchange".  The file format is described in moduli(5).
+     /etc/ssh/sshd_config
+             Contains configuration data for sshd.  The file format and con-
+             figuration options are described in sshd_config(5).
+
+     /etc/ssh/sshrc
+             Similar to ~/.ssh/rc, it can be used to specify machine-specific
+             login-time initializations globally.  This file should be
+             writable only by root, and should be world-readable.
 
      /var/empty
              chroot(2) directory used by sshd during privilege separation in
@@ -407,160 +524,21 @@ FILES
              The content of this file is not sensitive; it can be world-read-
              able.
 
-     ~/.ssh/authorized_keys
-             Lists the public keys (RSA or DSA) that can be used to log into
-             the user's account.  This file must be readable by root (which
-             may on some machines imply it being world-readable if the user's
-             home directory resides on an NFS volume).  It is recommended that
-             it not be accessible by others.  The format of this file is de-
-             scribed above.  Users will place the contents of their
-             identity.pub, id_dsa.pub and/or id_rsa.pub files into this file,
-             as described in ssh-keygen(1).
-
-     /etc/ssh/ssh_known_hosts, ~/.ssh/known_hosts
-             These files are consulted when using rhosts with RSA host authen-
-             tication or protocol version 2 hostbased authentication to check
-             the public key of the host.  The key must be listed in one of
-             these files to be accepted.  The client uses the same files to
-             verify that it is connecting to the correct remote host.  These
-             files should be writable only by root/the owner.
-             /etc/ssh/ssh_known_hosts should be world-readable, and
-             ~/.ssh/known_hosts can, but need not be, world-readable.
-
-     /etc/motd
-             See motd(5).
-
-     ~/.hushlogin
-             This file is used to suppress printing the last login time and
-             /etc/motd, if PrintLastLog and PrintMotd, respectively, are en-
-             abled.  It does not suppress printing of the banner specified by
-             Banner.
-
-     /etc/nologin
-             If this file exists, sshd refuses to let anyone except root log
-             in.  The contents of the file are displayed to anyone trying to
-             log in, and non-root connections are refused.  The file should be
-             world-readable.
-
-     /etc/hosts.allow, /etc/hosts.deny
-             Access controls that should be enforced by tcp-wrappers are de-
-             fined here.  Further details are described in hosts_access(5).
-
-     ~/.rhosts
-             This file is used during RhostsRSAAuthentication and
-             HostbasedAuthentication and contains host-username pairs, sepa-
-             rated by a space, one per line.  The given user on the corre-
-             sponding host is permitted to log in without a password.  The
-             same file is used by rlogind and rshd.  The file must be writable
-             only by the user; it is recommended that it not be accessible by
-             others.
-
-             It is also possible to use netgroups in the file.  Either host or
-             user name may be of the form +@groupname to specify all hosts or
-             all users in the group.
-
-     ~/.shosts
-             For ssh, this file is exactly the same as for .rhosts.  However,
-             this file is not used by rlogin and rshd, so using this permits
-             access using SSH only.
-
-     /etc/hosts.equiv
-             This file is used during RhostsRSAAuthentication and
-             HostbasedAuthentication authentication.  In the simplest form,
-             this file contains host names, one per line.  Users on those
-             hosts are permitted to log in without a password, provided they
-             have the same user name on both machines.  The host name may also
-             be followed by a user name; such users are permitted to log in as
-             any user on this machine (except root).  Additionally, the syntax
-             ``+@group'' can be used to specify netgroups.  Negated entries
-             start with `-'.
-
-             If the client host/user is successfully matched in this file, lo-
-             gin is automatically permitted provided the client and server us-
-             er names are the same.  Additionally, successful client host key
-             authentication is required.  This file must be writable only by
-             root; it is recommended that it be world-readable.
-
-             Warning: It is almost never a good idea to use user names in
-             hosts.equiv.  Beware that it really means that the named user(s)
-             can log in as anybody, which includes bin, daemon, adm, and other
-             accounts that own critical binaries and directories.  Using a us-
-             er name practically grants the user root access.  The only valid
-             use for user names that I can think of is in negative entries.
-
-             Note that this warning also applies to rsh/rlogin.
-
-     /etc/shosts.equiv
-             This is processed exactly as /etc/hosts.equiv.  However, this
-             file may be useful in environments that want to run both
-             rsh/rlogin and ssh.
-
-     ~/.ssh/environment
-             This file is read into the environment at login (if it exists).
-             It can only contain empty lines, comment lines (that start with
-             `#'), and assignment lines of the form name=value.  The file
-             should be writable only by the user; it need not be readable by
-             anyone else.  Environment processing is disabled by default and
-             is controlled via the PermitUserEnvironment option.
-
-     ~/.ssh/rc
-             If this file exists, it is run with /bin/sh after reading the en-
-             vironment files but before starting the user's shell or command.
-             It must not produce any output on stdout; stderr must be used in-
-             stead.  If X11 forwarding is in use, it will receive the "proto
-             cookie" pair in its standard input (and DISPLAY in its environ-
-             ment).  The script must call xauth(1) because sshd will not run
-             xauth automatically to add X11 cookies.
-
-             The primary purpose of this file is to run any initialization
-             routines which may be needed before the user's home directory be-
-             comes accessible; AFS is a particular example of such an environ-
-             ment.
-
-             This file will probably contain some initialization code followed
-             by something similar to:
-
-             if read proto cookie && [ -n "$DISPLAY" ]; then
-                     if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
-                             # X11UseLocalhost=yes
-                             echo add unix:`echo $DISPLAY |
-                                 cut -c11-` $proto $cookie
-                     else
-                             # X11UseLocalhost=no
-                             echo add $DISPLAY $proto $cookie
-                     fi | xauth -q -
-             fi
-
-             If this file does not exist, /etc/ssh/sshrc is run, and if that
-             does not exist either, xauth is used to add the cookie.
-
-             This file should be writable only by the user, and need not be
-             readable by anyone else.
-
-     /etc/ssh/sshrc
-             Like ~/.ssh/rc.  This can be used to specify machine-specific lo-
-             gin-time initializations globally.  This file should be writable
-             only by root, and should be world-readable.
-
 SEE ALSO
      scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
      chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
      inetd(8), sftp-server(8)
 
-     T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
-     Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
-     2002, work in progress material.
-
-     M. Friedl, N. Provos, and W. A. Simpson, Diffie-Hellman Group Exchange
-     for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group-
-     exchange-02.txt, January 2002, work in progress material.
-
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
      Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
-     de Raadt and Dug Song removed many bugs, re-added newer features and
-     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
+     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
+     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 3.9                   September 25, 1999                             9
+CAVEATS
+     System security is not improved unless rshd, rlogind, and rexecd are dis-
+     abled (thus completely disabling rlogin and rsh into the machine).
+
+OpenBSD 4.1                   September 25, 1999                             9
diff --git a/sshd.8 b/sshd.8
index fec3c3582..74ea77182 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -81,7 +81,7 @@ configuration file.
 .Nm
 rereads its configuration file when it receives a hangup signal,
 .Dv SIGHUP ,
-by executing itself with the name and options it was started with, e.g.,
+by executing itself with the name and options it was started with, e.g.\&
 .Pa /usr/sbin/sshd .
 .Pp
 The options are as follows:
@@ -154,7 +154,7 @@ is normally not run
 from inetd because it needs to generate the server key before it can
 respond to the client, and this may take tens of seconds.
 Clients would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g., 512) using
+However, with small key sizes (e.g. 512) using
 .Nm
 from inetd may
 be feasible.
@@ -311,17 +311,6 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
-System security is not improved unless
-.Nm rshd ,
-.Nm rlogind ,
-and
-.Nm rexecd
-are disabled (thus completely disabling
-.Xr rlogin
-and
-.Xr rsh
-into the machine).
-.Sh COMMAND EXECUTION AND DATA FORWARDING
 If the client successfully authenticates itself, a dialog for
 preparing the session is entered.
 At this time the client may request
@@ -329,7 +318,7 @@ things like allocating a pseudo-tty, forwarding X11 connections,
 forwarding TCP connections, or forwarding the authentication agent
 connection over the secure channel.
 .Pp
-Finally, the client either requests a shell or execution of a command.
+After this, the client either requests a shell or execution of a command.
 The sides then enter session mode.
 In this mode, either side may send
 data at any time, and such data is forwarded to/from the shell or
@@ -384,31 +373,73 @@ The
 .Dq rc
 files are given the X11
 authentication protocol and cookie in standard input.
+See
+.Sx SSHRC ,
+below.
 .It
 Runs user's shell or command.
 .El
+.Sh SSHRC
+If the file
+.Pa ~/.ssh/rc
+exists,
+.Xr sh 1
+runs it after reading the
+environment files but before starting the user's shell or command.
+It must not produce any output on stdout; stderr must be used
+instead.
+If X11 forwarding is in use, it will receive the "proto cookie" pair in
+its standard input (and
+.Ev DISPLAY
+in its environment).
+The script must call
+.Xr xauth 1
+because
+.Nm
+will not run xauth automatically to add X11 cookies.
+.Pp
+The primary purpose of this file is to run any initialization routines
+which may be needed before the user's home directory becomes
+accessible; AFS is a particular example of such an environment.
+.Pp
+This file will probably contain some initialization code followed by
+something similar to:
+.Bd -literal -offset 3n
+if read proto cookie && [ -n "$DISPLAY" ]; then
+        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
+                # X11UseLocalhost=yes
+                echo add unix:`echo $DISPLAY |
+                    cut -c11-` $proto $cookie
+        else
+                # X11UseLocalhost=no
+                echo add $DISPLAY $proto $cookie
+        fi | xauth -q -
+fi
+.Ed
+.Pp
+If this file does not exist,
+.Pa /etc/ssh/sshrc
+is run, and if that
+does not exist either, xauth is used to add the cookie.
 .Sh AUTHORIZED_KEYS FILE FORMAT
-.Pa ~/.ssh/authorized_keys
-is the default file that lists the public keys that are
-permitted for RSA authentication in protocol version 1
-and for public key authentication (PubkeyAuthentication)
-in protocol version 2.
 .Cm AuthorizedKeysFile
-may be used to specify an alternative file.
-.Pp
+specifies the file containing public keys for
+public key authentication;
+if none is specified, the default is
+.Pa ~/.ssh/authorized_keys .
 Each line of the file contains one
 key (empty lines and lines starting with a
 .Ql #
 are ignored as
 comments).
-Each RSA public key consists of the following fields, separated by
-spaces: options, bits, exponent, modulus, comment.
-Each protocol version 2 public key consists of:
-options, keytype, base64 encoded key, comment.
-The options field
-is optional; its presence is determined by whether the line starts
+Protocol 1 public keys consist of the following space-separated fields:
+options, bits, exponent, modulus, comment.
+Protocol 2 public key consist of:
+options, keytype, base64-encoded key, comment.
+The options field is optional;
+its presence is determined by whether the line starts
 with a number or not (the options field never starts with a number).
-The bits, exponent, modulus and comment fields give the RSA key for
+The bits, exponent, modulus, and comment fields give the RSA key for
 protocol version 1; the
 comment field is not used for anything (but may be convenient for the
 user to identify the key).
@@ -423,7 +454,7 @@ Note that lines in this file are usually several hundred bytes long
 keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
-.Pa id_dsa.pub
+.Pa id_dsa.pub ,
 or the
 .Pa id_rsa.pub
 file and edit it.
@@ -438,26 +469,6 @@ No spaces are permitted, except within double quotes.
 The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
-.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns
-.Pf ( Ql \&*
-and
-.Ql \&?
-serve as wildcards).
-The list may also contain
-patterns negated by prefixing them with
-.Ql \&! ;
-if the canonical host name matches a negated pattern, the key is not accepted.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
 .It Cm command="command"
 Specifies that the command is executed whenever this key is used for
 authentication.
@@ -473,6 +484,9 @@ to restrict certain public keys to perform just a specific operation.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP and/or X11
 forwarding unless they are explicitly prohibited.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
 Note that this option applies to shell, command or subsystem execution.
 .It Cm environment="NAME=value"
 Specifies that the string is to be added to the environment when
@@ -487,20 +501,38 @@ option.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
+.It Cm from="pattern-list"
+Specifies that in addition to public key authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns.
+The purpose
+of this option is to optionally increase security: public key authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.Pp
+See
+.Sx PATTERNS
+in
+.Xr ssh_config 5
+for more information on patterns.
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
 .It Cm no-port-forwarding
 Forbids TCP forwarding when this key is used for authentication.
 Any port forward requests by the client will return an error.
-This might be used, e.g., in connection with the
+This might be used, e.g. in connection with the
 .Cm command
 option.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
 .It Cm permitopen="host:port"
 Limit local
 .Li ``ssh -L''
@@ -520,16 +552,20 @@ device on the server.
 Without this option, the next available device will be used if
 the client requests a tunnel.
 .El
-.Ss Examples
-1024 33 12121...312314325 ylo@foo.bar
 .Pp
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
-.Pp
-command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
-.Pp
-permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
-.Pp
-tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org
+An example authorized_keys file:
+.Bd -literal -offset 3n
+# Comments allowed at start of line
+ssh-rsa AAAAB3Nza...LiPk== user@example.net
+from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
+AAAAB2...19Q== john@example.net
+command="dump /home",no-pty,no-port-forwarding ssh-dss
+AAAAC3...51R== example.net
+permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
+AAAAB5...21S==
+tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
+jane@example.net
+.Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
 .Pa /etc/ssh/ssh_known_hosts
@@ -538,7 +574,7 @@ and
 files contain host public keys for all known hosts.
 The global file should
 be prepared by the administrator (optional), and the per-user file is
-maintained automatically: whenever the user connects from an unknown host
+maintained automatically: whenever the user connects from an unknown host,
 its key is added to the per-user file.
 .Pp
 Each line in these files contains the following fields: hostnames,
@@ -546,7 +582,7 @@ bits, exponent, modulus, comment.
 The fields are separated by spaces.
 .Pp
 Hostnames is a comma-separated list of patterns
-.Pf ( Ql \&*
+.Pf ( Ql *
 and
 .Ql \&?
 act as
@@ -558,6 +594,13 @@ A pattern may also be preceded by
 to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
+A hostname or address may optionally be enclosed within
+.Ql \&[
+and
+.Ql \&]
+brackets then followed by
+.Ql \&:
+and a non-standard port number.
 .Pp
 Alternately, hostnames may be stored in a hashed form which hides host names
 and addresses should the file's contents be disclosed.
@@ -568,7 +611,7 @@ Only one hashed hostname may appear on a single line and none of the above
 negation or wildcard operators may be applied.
 .Pp
 Bits, exponent, and modulus are taken directly from the RSA host key; they
-can be obtained, e.g., from
+can be obtained, for example, from
 .Pa /etc/ssh/ssh_host_key.pub .
 The optional comment field continues to the end of the line, and is not used.
 .Pp
@@ -593,88 +636,19 @@ Rather, generate them by a script
 or by taking
 .Pa /etc/ssh/ssh_host_key.pub
 and adding the host names at the front.
-.Ss Examples
-.Bd -literal
-closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
-cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
-.Ed
-.Bd -literal
+.Pp
+An example ssh_known_hosts file:
+.Bd -literal -offset 3n
+# Comments allowed at start of line
+closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
+cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
 # A hashed hostname
 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
 AAAA1234.....=
 .Ed
 .Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/ssh/sshd_config
-Contains configuration data for
-.Nm sshd .
-The file format and configuration options are described in
-.Xr sshd_config 5 .
-.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys.
-These files should only be owned by root, readable only by root, and not
-accessible to others.
-Note that
-.Nm
-does not start if this file is group/world-accessible.
-.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
-These three files contain the public parts of the host keys.
-These files should be world-readable but writable only by
-root.
-Their contents should match the respective private parts.
-These files are not
-really used for anything; they are provided for the convenience of
-the user so their contents can be copied to known hosts files.
-These files are created using
-.Xr ssh-keygen 1 .
-.It Pa /etc/ssh/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
-The file format is described in
-.Xr moduli 5 .
-.It Pa /var/empty
-.Xr chroot 2
-directory used by
-.Nm
-during privilege separation in the pre-authentication phase.
-The directory should not contain any files and must be owned by root
-and not group or world-writable.
-.It Pa /var/run/sshd.pid
-Contains the process ID of the
-.Nm
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the process ID of the one
-started last).
-The content of this file is not sensitive; it can be world-readable.
-.It Pa ~/.ssh/authorized_keys
-Lists the public keys (RSA or DSA) that can be used to log into the user's account.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).
-It is recommended that it not be accessible by others.
-The format of this file is described above.
-Users will place the contents of their
-.Pa identity.pub ,
-.Pa id_dsa.pub
-and/or
-.Pa id_rsa.pub
-files into this file, as described in
-.Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
-These files are consulted when using rhosts with RSA host
-authentication or protocol version 2 hostbased authentication
-to check the public key of the host.
-The key must be listed in one of these files to be accepted.
-The client uses the same files
-to verify that it is connecting to the correct remote host.
-These files should be writable only by root/the owner.
-.Pa /etc/ssh/ssh_known_hosts
-should be world-readable, and
-.Pa ~/.ssh/known_hosts
-can, but need not be, world-readable.
-.It Pa /etc/motd
-See
-.Xr motd 5 .
-.It Pa ~/.hushlogin
+.Bl -tag -width Ds -compact
+.It ~/.hushlogin
 This file is used to suppress printing the last login time and
 .Pa /etc/motd ,
 if
@@ -685,86 +659,49 @@ respectively,
 are enabled.
 It does not suppress printing of the banner specified by
 .Cm Banner .
-.It Pa /etc/nologin
-If this file exists,
+.Pp
+.It ~/.rhosts
+This file is used for host-based authentication (see
+.Xr ssh 1
+for more information).
+On some machines this file may need to be
+world-readable if the user's home directory is on an NFS partition,
+because
 .Nm
-refuses to let anyone except root log in.
-The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.
-The file should be world-readable.
-.It Pa /etc/hosts.allow, /etc/hosts.deny
-Access controls that should be enforced by tcp-wrappers are defined here.
-Further details are described in
-.Xr hosts_access 5 .
-.It Pa ~/.rhosts
-This file is used during
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-and contains host-username pairs, separated by a space, one per
-line.
-The given user on the corresponding host is permitted to log in
-without a password.
-The same file is used by rlogind and rshd.
-The file must
-be writable only by the user; it is recommended that it not be
+reads it as root.
+Additionally, this file must be owned by the user,
+and must not have write permissions for anyone else.
+The recommended
+permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-It is also possible to use netgroups in the file.
-Either host or user
-name may be of the form +@groupname to specify all hosts or all users
-in the group.
-.It Pa ~/.shosts
-For ssh,
-this file is exactly the same as for
-.Pa .rhosts .
-However, this file is
-not used by rlogin and rshd, so using this permits access using SSH only.
-.It Pa /etc/hosts.equiv
-This file is used during
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication.
-In the simplest form, this file contains host names, one per line.
-Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.
-The host name may also be
-followed by a user name; such users are permitted to log in as
-.Em any
-user on this machine (except root).
-Additionally, the syntax
-.Dq +@group
-can be used to specify netgroups.
-Negated entries start with
-.Ql \&- .
-.Pp
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.
-Additionally, successful client host key authentication is required.
-This file must be writable only by root; it is recommended
-that it be world-readable.
-.Pp
-.Sy "Warning: It is almost never a good idea to use user names in"
-.Pa hosts.equiv .
-Beware that it really means that the named user(s) can log in as
-.Em anybody ,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.
-Using a user name practically grants the user root access.
-The only valid use for user names that I can think
-of is in negative entries.
-.Pp
-Note that this warning also applies to rsh/rlogin.
-.It Pa /etc/shosts.equiv
-This is processed exactly as
-.Pa /etc/hosts.equiv .
-However, this file may be useful in environments that want to run both
-rsh/rlogin and ssh.
-.It Pa ~/.ssh/environment
+.It ~/.shosts
+This file is used in exactly the same way as
+.Pa .rhosts ,
+but allows host-based authentication without permitting login with
+rlogin/rsh.
+.Pp
+.It ~/.ssh/authorized_keys
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+The format of this file is described above.
+The content of the file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.Pp
+If this file, the
+.Pa ~/.ssh
+directory, or the user's home directory are writable
+by other users, then the file could be modified or replaced by unauthorized
+users.
+In this case,
+.Nm
+will not allow it to be used unless the
+.Cm StrictModes
+option has been set to
+.Dq no .
+The recommended permissions can be set by executing
+.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys .
+.Pp
+.It ~/.ssh/environment
 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
 .Ql # ) ,
@@ -775,55 +712,115 @@ Environment processing is disabled by default and is
 controlled via the
 .Cm PermitUserEnvironment
 option.
-.It Pa ~/.ssh/rc
-If this file exists, it is run with
-.Pa /bin/sh
-after reading the
-environment files but before starting the user's shell or command.
-It must not produce any output on stdout; stderr must be used
-instead.
-If X11 forwarding is in use, it will receive the "proto cookie" pair in
-its standard input (and
-.Ev DISPLAY
-in its environment).
-The script must call
-.Xr xauth 1
-because
+.Pp
+.It ~/.ssh/known_hosts
+Contains a list of host keys for all hosts the user has logged into
+that are not already in the systemwide list of known host keys.
+The format of this file is described above.
+This file should be writable only by root/the owner and
+can, but need not be, world-readable.
+.Pp
+.It ~/.ssh/rc
+Contains initialization routines to be run before
+the user's home directory becomes accessible.
+This file should be writable only by the user, and need not be
+readable by anyone else.
+.Pp
+.It /etc/hosts.allow
+.It /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
+.It /etc/hosts.equiv
+This file is for host-based authentication (see
+.Xr ssh 1 ) .
+It should only be writable by root.
+.Pp
+.It /etc/ssh/moduli
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+The file format is described in
+.Xr moduli 5 .
+.Pp
+.It /etc/motd
+See
+.Xr motd 5 .
+.Pp
+.It /etc/nologin
+If this file exists,
 .Nm
-will not run xauth automatically to add X11 cookies.
+refuses to let anyone except root log in.
+The contents of the file
+are displayed to anyone trying to log in, and non-root connections are
+refused.
+The file should be world-readable.
 .Pp
-The primary purpose of this file is to run any initialization routines
-which may be needed before the user's home directory becomes
-accessible; AFS is a particular example of such an environment.
+.It /etc/shosts.equiv
+This file is used in exactly the same way as
+.Pa hosts.equiv ,
+but allows host-based authentication without permitting login with
+rlogin/rsh.
+.Pp
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+The format of this file is described above.
+This file should be writable only by root/the owner and
+should be world-readable.
 .Pp
-This file will probably contain some initialization code followed by
-something similar to:
-.Bd -literal
-if read proto cookie && [ -n "$DISPLAY" ]; then
-        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
-                # X11UseLocalhost=yes
-                echo add unix:`echo $DISPLAY |
-                    cut -c11-` $proto $cookie
-        else
-                # X11UseLocalhost=no
-                echo add $DISPLAY $proto $cookie
-        fi | xauth -q -
-fi
-.Ed
+.It /etc/ssh/ssh_host_key
+.It /etc/ssh/ssh_host_dsa_key
+.It /etc/ssh/ssh_host_rsa_key
+These three files contain the private parts of the host keys.
+These files should only be owned by root, readable only by root, and not
+accessible to others.
+Note that
+.Nm
+does not start if these files are group/world-accessible.
 .Pp
-If this file does not exist,
-.Pa /etc/ssh/sshrc
-is run, and if that
-does not exist either, xauth is used to add the cookie.
+.It /etc/ssh/ssh_host_key.pub
+.It /etc/ssh/ssh_host_dsa_key.pub
+.It /etc/ssh/ssh_host_rsa_key.pub
+These three files contain the public parts of the host keys.
+These files should be world-readable but writable only by
+root.
+Their contents should match the respective private parts.
+These files are not
+really used for anything; they are provided for the convenience of
+the user so their contents can be copied to known hosts files.
+These files are created using
+.Xr ssh-keygen 1 .
 .Pp
-This file should be writable only by the user, and need not be
-readable by anyone else.
-.It Pa /etc/ssh/sshrc
-Like
-.Pa ~/.ssh/rc .
-This can be used to specify
+.It /etc/ssh/sshd_config
+Contains configuration data for
+.Nm sshd .
+The file format and configuration options are described in
+.Xr sshd_config 5 .
+.Pp
+.It /etc/ssh/sshrc
+Similar to
+.Pa ~/.ssh/rc ,
+it can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
+.Pp
+.It /var/empty
+.Xr chroot 2
+directory used by
+.Nm
+during privilege separation in the pre-authentication phase.
+The directory should not contain any files and must be owned by root
+and not group or world-writable.
+.Pp
+.It /var/run/sshd.pid
+Contains the process ID of the
+.Nm
+listening for connections (if there are several daemons running
+concurrently for different ports, this contains the process ID of the one
+started last).
+The content of this file is not sensitive; it can be world-readable.
 .El
 .Sh SEE ALSO
 .Xr scp 1 ,
@@ -839,26 +836,6 @@ This file should be writable only by root, and should be world-readable.
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 .Xr sftp-server 8
-.Rs
-.%A T. Ylonen
-.%A T. Kivinen
-.%A M. Saarinen
-.%A T. Rinne
-.%A S. Lehtinen
-.%T "SSH Protocol Architecture"
-.%N draft-ietf-secsh-architecture-12.txt
-.%D January 2002
-.%O work in progress material
-.Re
-.Rs
-.%A M. Friedl
-.%A N. Provos
-.%A W. A. Simpson
-.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol"
-.%N draft-ietf-secsh-dh-group-exchange-02.txt
-.%D January 2002
-.%O work in progress material
-.Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -870,3 +847,14 @@ Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
 Niels Provos and Markus Friedl contributed support
 for privilege separation.
+.Sh CAVEATS
+System security is not improved unless
+.Nm rshd ,
+.Nm rlogind ,
+and
+.Nm rexecd
+are disabled (thus completely disabling
+.Xr rlogin
+and
+.Xr rsh
+into the machine).
diff --git a/sshd.c b/sshd.c
index b1776ef45..dd873ef72 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,7 +43,33 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include "openbsd-compat/sys-tree.h"
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <grp.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -53,28 +80,28 @@ RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
 #include <prot.h>
 #endif
 
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "rsa.h"
 #include "sshpty.h"
 #include "packet.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "cipher.h"
-#include "kex.h"
 #include "key.h"
+#include "kex.h"
 #include "dh.h"
 #include "myproposal.h"
 #include "authfile.h"
 #include "pathnames.h"
 #include "atomicio.h"
 #include "canohost.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "misc.h"
 #include "msg.h"
@@ -83,8 +110,12 @@ RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
 #include "session.h"
 #include "monitor_mm.h"
 #include "monitor.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
+#include "version.h"
 
 #ifdef USE_SECURITY_SESSION_API
 #include <Security/AuthSession.h>
@@ -205,15 +236,21 @@ int *startup_pipes = NULL;
 int startup_pipe;               /* in child */
 
 /* variables used for privilege separation */
-int use_privsep;
+int use_privsep = -1;
 struct monitor *pmonitor = NULL;
 
 /* global authentication context */
 Authctxt *the_authctxt = NULL;
 
+/* sshd_config buffer */
+Buffer cfg;
+
 /* message to be displayed after login */
 Buffer loginmsg;
 
+/* Unprivileged user */
+struct passwd *privsep_pw = NULL;
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -250,6 +287,8 @@ close_startup_pipes(void)
  * the effect is to reread the configuration file (and to regenerate
  * the server key).
  */
+
+/*ARGSUSED*/
 static void
 sighup_handler(int sig)
 {
@@ -270,6 +309,7 @@ sighup_restart(void)
         logit("Received SIGHUP; restarting.");
         close_listen_socks();
         close_startup_pipes();
+        alarm(0);  /* alarm timer persists across exec */
         execv(saved_argv[0], saved_argv);
         logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
             strerror(errno));
@@ -279,6 +319,7 @@ sighup_restart(void)
 /*
  * Generic signal handler for terminating signals in the master daemon.
  */
+/*ARGSUSED*/
 static void
 sigterm_handler(int sig)
 {
@@ -289,6 +330,7 @@ sigterm_handler(int sig)
  * SIGCHLD handler.  This is called whenever a child dies.  This will then
  * reap any zombies left by exited children.
  */
+/*ARGSUSED*/
 static void
 main_sigchld_handler(int sig)
 {
@@ -307,6 +349,7 @@ main_sigchld_handler(int sig)
 /*
  * Signal handler for the alarm after the login grace period has expired.
  */
+/*ARGSUSED*/
 static void
 grace_alarm_handler(int sig)
 {
@@ -347,6 +390,7 @@ generate_ephemeral_server_key(void)
         arc4random_stir();
 }
 
+/*ARGSUSED*/
 static void
 key_regeneration_alarm(int sig)
 {
@@ -543,7 +587,6 @@ privsep_preauth_child(void)
 {
         u_int32_t rnd[256];
         gid_t gidset[1];
-        struct passwd *pw;
         int i;
 
         /* Enable challenge-response authentication for privilege separation */
@@ -556,12 +599,6 @@ privsep_preauth_child(void)
         /* Demote the private keys to public keys. */
         demote_sensitive_data();
 
-        if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
-                fatal("Privilege separation user %s does not exist",
-                    SSH_PRIVSEP_USER);
-        memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
-        endpwent();
-
         /* Change our root directory */
         if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
                 fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -570,16 +607,16 @@ privsep_preauth_child(void)
                 fatal("chdir(\"/\"): %s", strerror(errno));
 
         /* Drop our privileges */
-        debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
-            (u_int)pw->pw_gid);
+        debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+            (u_int)privsep_pw->pw_gid);
 #if 0
         /* XXX not ready, too heavy after chroot */
-        do_setusercontext(pw);
+        do_setusercontext(privsep_pw);
 #else
-        gidset[0] = pw->pw_gid;
+        gidset[0] = privsep_pw->pw_gid;
         if (setgroups(1, gidset) < 0)
                 fatal("setgroups: %.100s", strerror(errno));
-        permanently_set_uid(pw);
+        permanently_set_uid(privsep_pw);
 #endif
 }
 
@@ -868,6 +905,325 @@ recv_rexec_state(int fd, Buffer *conf)
         debug3("%s: done", __func__);
 }
 
+/* Accept a connection from inetd */
+static void
+server_accept_inetd(int *sock_in, int *sock_out)
+{
+        int fd;
+
+        startup_pipe = -1;
+        if (rexeced_flag) {
+                close(REEXEC_CONFIG_PASS_FD);
+                *sock_in = *sock_out = dup(STDIN_FILENO);
+                if (!debug_flag) {
+                        startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
+                        close(REEXEC_STARTUP_PIPE_FD);
+                }
+        } else {
+                *sock_in = dup(STDIN_FILENO);
+                *sock_out = dup(STDOUT_FILENO);
+        }
+        /*
+         * We intentionally do not close the descriptors 0, 1, and 2
+         * as our code for setting the descriptors won't work if
+         * ttyfd happens to be one of those.
+         */
+        if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+                dup2(fd, STDIN_FILENO);
+                dup2(fd, STDOUT_FILENO);
+                if (fd > STDOUT_FILENO)
+                        close(fd);
+        }
+        debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
+}
+
+/*
+ * Listen for TCP connections
+ */
+static void
+server_listen(void)
+{
+        int ret, listen_sock, on = 1;
+        struct addrinfo *ai;
+        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+        for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+                if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+                        continue;
+                if (num_listen_socks >= MAX_LISTEN_SOCKS)
+                        fatal("Too many listen sockets. "
+                            "Enlarge MAX_LISTEN_SOCKS");
+                if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
+                    ntop, sizeof(ntop), strport, sizeof(strport),
+                    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+                        error("getnameinfo failed: %.100s",
+                            (ret != EAI_SYSTEM) ? gai_strerror(ret) :
+                            strerror(errno));
+                        continue;
+                }
+                /* Create socket for listening. */
+                listen_sock = socket(ai->ai_family, ai->ai_socktype,
+                    ai->ai_protocol);
+                if (listen_sock < 0) {
+                        /* kernel may not support ipv6 */
+                        verbose("socket: %.100s", strerror(errno));
+                        continue;
+                }
+                if (set_nonblock(listen_sock) == -1) {
+                        close(listen_sock);
+                        continue;
+                }
+                /*
+                 * Set socket options.
+                 * Allow local port reuse in TIME_WAIT.
+                 */
+                if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+                    &on, sizeof(on)) == -1)
+                        error("setsockopt SO_REUSEADDR: %s", strerror(errno));
+
+                debug("Bind to port %s on %s.", strport, ntop);
+
+                /* Bind the socket to the desired port. */
+                if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+                        error("Bind to port %s on %s failed: %.200s.",
+                            strport, ntop, strerror(errno));
+                        close(listen_sock);
+                        continue;
+                }
+                listen_socks[num_listen_socks] = listen_sock;
+                num_listen_socks++;
+
+                /* Start listening on the port. */
+                if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
+                        fatal("listen on [%s]:%s: %.100s",
+                            ntop, strport, strerror(errno));
+                logit("Server listening on %s port %s.", ntop, strport);
+        }
+        freeaddrinfo(options.listen_addrs);
+
+        if (!num_listen_socks)
+                fatal("Cannot bind any address.");
+}
+
+/*
+ * The main TCP accept loop. Note that, for the non-debug case, returns
+ * from this function are in a forked subprocess.
+ */
+static void
+server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+{
+        fd_set *fdset;
+        int i, j, ret, maxfd;
+        int key_used = 0, startups = 0;
+        int startup_p[2] = { -1 , -1 };
+        struct sockaddr_storage from;
+        socklen_t fromlen;
+        pid_t pid;
+
+        /* setup fd set for accept */
+        fdset = NULL;
+        maxfd = 0;
+        for (i = 0; i < num_listen_socks; i++)
+                if (listen_socks[i] > maxfd)
+                        maxfd = listen_socks[i];
+        /* pipes connected to unauthenticated childs */
+        startup_pipes = xcalloc(options.max_startups, sizeof(int));
+        for (i = 0; i < options.max_startups; i++)
+                startup_pipes[i] = -1;
+
+        /*
+         * Stay listening for connections until the system crashes or
+         * the daemon is killed with a signal.
+         */
+        for (;;) {
+                if (received_sighup)
+                        sighup_restart();
+                if (fdset != NULL)
+                        xfree(fdset);
+                fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
+                    sizeof(fd_mask));
+
+                for (i = 0; i < num_listen_socks; i++)
+                        FD_SET(listen_socks[i], fdset);
+                for (i = 0; i < options.max_startups; i++)
+                        if (startup_pipes[i] != -1)
+                                FD_SET(startup_pipes[i], fdset);
+
+                /* Wait in select until there is a connection. */
+                ret = select(maxfd+1, fdset, NULL, NULL, NULL);
+                if (ret < 0 && errno != EINTR)
+                        error("select: %.100s", strerror(errno));
+                if (received_sigterm) {
+                        logit("Received signal %d; terminating.",
+                            (int) received_sigterm);
+                        close_listen_socks();
+                        unlink(options.pid_file);
+                        exit(255);
+                }
+                if (key_used && key_do_regen) {
+                        generate_ephemeral_server_key();
+                        key_used = 0;
+                        key_do_regen = 0;
+                }
+                if (ret < 0)
+                        continue;
+
+                for (i = 0; i < options.max_startups; i++)
+                        if (startup_pipes[i] != -1 &&
+                            FD_ISSET(startup_pipes[i], fdset)) {
+                                /*
+                                 * the read end of the pipe is ready
+                                 * if the child has closed the pipe
+                                 * after successful authentication
+                                 * or if the child has died
+                                 */
+                                close(startup_pipes[i]);
+                                startup_pipes[i] = -1;
+                                startups--;
+                        }
+                for (i = 0; i < num_listen_socks; i++) {
+                        if (!FD_ISSET(listen_socks[i], fdset))
+                                continue;
+                        fromlen = sizeof(from);
+                        *newsock = accept(listen_socks[i],
+                            (struct sockaddr *)&from, &fromlen);
+                        if (*newsock < 0) {
+                                if (errno != EINTR && errno != EWOULDBLOCK)
+                                        error("accept: %.100s", strerror(errno));
+                                continue;
+                        }
+                        if (unset_nonblock(*newsock) == -1) {
+                                close(*newsock);
+                                continue;
+                        }
+                        if (drop_connection(startups) == 1) {
+                                debug("drop connection #%d", startups);
+                                close(*newsock);
+                                continue;
+                        }
+                        if (pipe(startup_p) == -1) {
+                                close(*newsock);
+                                continue;
+                        }
+
+                        if (rexec_flag && socketpair(AF_UNIX,
+                            SOCK_STREAM, 0, config_s) == -1) {
+                                error("reexec socketpair: %s",
+                                    strerror(errno));
+                                close(*newsock);
+                                close(startup_p[0]);
+                                close(startup_p[1]);
+                                continue;
+                        }
+
+                        for (j = 0; j < options.max_startups; j++)
+                                if (startup_pipes[j] == -1) {
+                                        startup_pipes[j] = startup_p[0];
+                                        if (maxfd < startup_p[0])
+                                                maxfd = startup_p[0];
+                                        startups++;
+                                        break;
+                                }
+
+                        /*
+                         * Got connection.  Fork a child to handle it, unless
+                         * we are in debugging mode.
+                         */
+                        if (debug_flag) {
+                                /*
+                                 * In debugging mode.  Close the listening
+                                 * socket, and start processing the
+                                 * connection without forking.
+                                 */
+                                debug("Server will not fork when running in debugging mode.");
+                                close_listen_socks();
+                                *sock_in = *newsock;
+                                *sock_out = *newsock;
+                                close(startup_p[0]);
+                                close(startup_p[1]);
+                                startup_pipe = -1;
+                                pid = getpid();
+                                if (rexec_flag) {
+                                        send_rexec_state(config_s[0],
+                                            &cfg);
+                                        close(config_s[0]);
+                                }
+                                break;
+                        }
+
+                        /*
+                         * Normal production daemon.  Fork, and have
+                         * the child process the connection. The
+                         * parent continues listening.
+                         */
+                        platform_pre_fork();
+                        if ((pid = fork()) == 0) {
+                                /*
+                                 * Child.  Close the listening and
+                                 * max_startup sockets.  Start using
+                                 * the accepted socket. Reinitialize
+                                 * logging (since our pid has changed).
+                                 * We break out of the loop to handle
+                                 * the connection.
+                                 */
+                                platform_post_fork_child();
+                                startup_pipe = startup_p[1];
+                                close_startup_pipes();
+                                close_listen_socks();
+                                *sock_in = *newsock;
+                                *sock_out = *newsock;
+                                log_init(__progname,
+                                    options.log_level,
+                                    options.log_facility,
+                                    log_stderr);
+                                if (rexec_flag)
+                                        close(config_s[0]);
+                                break;
+                        }
+
+                        /* Parent.  Stay in the loop. */
+                        platform_post_fork_parent(pid);
+                        if (pid < 0)
+                                error("fork: %.100s", strerror(errno));
+                        else
+                                debug("Forked child %ld.", (long)pid);
+
+                        close(startup_p[1]);
+
+                        if (rexec_flag) {
+                                send_rexec_state(config_s[0], &cfg);
+                                close(config_s[0]);
+                                close(config_s[1]);
+                        }
+
+                        /*
+                         * Mark that the key has been used (it
+                         * was "given" to the child).
+                         */
+                        if ((options.protocol & SSH_PROTO_1) &&
+                            key_used == 0) {
+                                /* Schedule server key regeneration alarm. */
+                                signal(SIGALRM, key_regeneration_alarm);
+                                alarm(options.key_regeneration_time);
+                                key_used = 1;
+                        }
+
+                        close(*newsock);
+
+                        /*
+                         * Ensure that our random state differs
+                         * from that of the child
+                         */
+                        arc4random_stir();
+                }
+
+                /* child process check (or debug mode) */
+                if (num_listen_socks < 0)
+                        break;
+        }
+}
+
+
 /*
  * Main program for the daemon.
  */
@@ -876,25 +1232,14 @@ main(int ac, char **av)
 {
         extern char *optarg;
         extern int optind;
-        int opt, j, i, fdsetsz, on = 1;
+        int opt, i, on = 1;
         int sock_in = -1, sock_out = -1, newsock = -1;
-        pid_t pid;
-        socklen_t fromlen;
-        fd_set *fdset;
-        struct sockaddr_storage from;
         const char *remote_ip;
         int remote_port;
-        FILE *f;
-        struct addrinfo *ai;
-        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
         char *line;
-        int listen_sock, maxfd;
-        int startup_p[2] = { -1 , -1 }, config_s[2] = { -1 , -1 };
-        int startups = 0;
+        int config_s[2] = { -1 , -1 };
         Key *key;
         Authctxt *authctxt;
-        int ret, key_used = 0;
-        Buffer cfg;
 
 #ifdef HAVE_SECUREWARE
         (void)set_auth_parameters(ac, av);
@@ -905,7 +1250,7 @@ main(int ac, char **av)
         /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
         saved_argc = ac;
         rexec_argc = ac;
-        saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1));
+        saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
         for (i = 0; i < ac; i++)
                 saved_argv[i] = xstrdup(av[i]);
         saved_argv[i] = NULL;
@@ -972,7 +1317,8 @@ main(int ac, char **av)
                         } 
                         break;
                 case 'b':
-                        options.server_key_bits = atoi(optarg);
+                        options.server_key_bits = (int)strtonum(optarg, 256,
+                            32768, NULL);
                         break;
                 case 'p':
                         options.ports_from_cmdline = 1;
@@ -1009,7 +1355,7 @@ main(int ac, char **av)
                         test_flag = 1;
                         break;
                 case 'u':
-                        utmp_len = atoi(optarg);
+                        utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL);
                         if (utmp_len > MAXHOSTNAMELEN) {
                                 fprintf(stderr, "Invalid utmp length.\n");
                                 exit(1);
@@ -1018,7 +1364,7 @@ main(int ac, char **av)
                 case 'o':
                         line = xstrdup(optarg);
                         if (process_server_config_line(&options, line,
-                            "command-line", 0) != 0)
+                            "command-line", 0, NULL, NULL, NULL, NULL) != 0)
                                 exit(1);
                         xfree(line);
                         break;
@@ -1076,11 +1422,8 @@ main(int ac, char **av)
         else
                 load_server_config(config_file_name, &cfg);
 
-        parse_server_config(&options,
-            rexeced_flag ? "rexec" : config_file_name, &cfg);
-
-        if (!rexec_flag)
-                buffer_free(&cfg);
+        parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+            &cfg, NULL, NULL, NULL);
 
         seed_rng();
 
@@ -1098,8 +1441,21 @@ main(int ac, char **av)
 
         debug("sshd version %.100s", SSH_RELEASE);
 
+        /* Store privilege separation user for later use if required. */
+        if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+                if (use_privsep || options.kerberos_authentication)
+                        fatal("Privilege separation user %s does not exist",
+                            SSH_PRIVSEP_USER);
+        } else {
+                memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
+                privsep_pw = pwcopy(privsep_pw);
+                xfree(privsep_pw->pw_passwd);
+                privsep_pw->pw_passwd = xstrdup("*");
+        }
+        endpwent();
+
         /* load private host keys */
-        sensitive_data.host_keys = xmalloc(options.num_host_key_files *
+        sensitive_data.host_keys = xcalloc(options.num_host_key_files,
             sizeof(Key *));
         for (i = 0; i < options.num_host_key_files; i++)
                 sensitive_data.host_keys[i] = NULL;
@@ -1168,12 +1524,8 @@ main(int ac, char **av)
         }
 
         if (use_privsep) {
-                struct passwd *pw;
                 struct stat st;
 
-                if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
-                        fatal("Privilege separation user %s does not exist",
-                            SSH_PRIVSEP_USER);
                 if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
                     (S_ISDIR(st.st_mode) == 0))
                         fatal("Missing privilege separation directory: %s",
@@ -1205,7 +1557,7 @@ main(int ac, char **av)
                 debug("setgroups() failed: %.200s", strerror(errno));
 
         if (rexec_flag) {
-                rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2));
+                rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
                 for (i = 0; i < rexec_argc; i++) {
                         debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
                         rexec_argv[i] = saved_argv[i];
@@ -1253,121 +1605,31 @@ main(int ac, char **av)
         /* ignore SIGPIPE */
         signal(SIGPIPE, SIG_IGN);
 
-        /* Start listening for a socket, unless started from inetd. */
+        /* Get a connection, either from inetd or a listening TCP socket */
         if (inetd_flag) {
-                int fd;
+                server_accept_inetd(&sock_in, &sock_out);
 
-                startup_pipe = -1;
-                if (rexeced_flag) {
-                        close(REEXEC_CONFIG_PASS_FD);
-                        sock_in = sock_out = dup(STDIN_FILENO);
-                        if (!debug_flag) {
-                                startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
-                                close(REEXEC_STARTUP_PIPE_FD);
-                        }
-                } else {
-                        sock_in = dup(STDIN_FILENO);
-                        sock_out = dup(STDOUT_FILENO);
-                }
-                /*
-                 * We intentionally do not close the descriptors 0, 1, and 2
-                 * as our code for setting the descriptors won't work if
-                 * ttyfd happens to be one of those.
-                 */
-                if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-                        dup2(fd, STDIN_FILENO);
-                        dup2(fd, STDOUT_FILENO);
-                        if (fd > STDOUT_FILENO)
-                                close(fd);
-                }
-                debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
                 if ((options.protocol & SSH_PROTO_1) &&
                     sensitive_data.server_key == NULL)
                         generate_ephemeral_server_key();
         } else {
-                for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
-                        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-                                continue;
-                        if (num_listen_socks >= MAX_LISTEN_SOCKS)
-                                fatal("Too many listen sockets. "
-                                    "Enlarge MAX_LISTEN_SOCKS");
-                        if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
-                            ntop, sizeof(ntop), strport, sizeof(strport),
-                            NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
-                                error("getnameinfo failed: %.100s",
-                                    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
-                                    strerror(errno));
-                                continue;
-                        }
-                        /* Create socket for listening. */
-                        listen_sock = socket(ai->ai_family, ai->ai_socktype,
-                            ai->ai_protocol);
-                        if (listen_sock < 0) {
-                                /* kernel may not support ipv6 */
-                                verbose("socket: %.100s", strerror(errno));
-                                continue;
-                        }
-                        if (set_nonblock(listen_sock) == -1) {
-                                close(listen_sock);
-                                continue;
-                        }
-                        /*
-                         * Set socket options.
-                         * Allow local port reuse in TIME_WAIT.
-                         */
-                        if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
-                            &on, sizeof(on)) == -1)
-                                error("setsockopt SO_REUSEADDR: %s", strerror(errno));
-
-                        debug("Bind to port %s on %s.", strport, ntop);
-
-                        /* Bind the socket to the desired port. */
-                        if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                                if (!num_listen_socks && !ai->ai_next)
-                                    error("Bind to port %s on %s failed: %.200s.",
-                                            strport, ntop, strerror(errno));
-                                close(listen_sock);
-                                continue;
-                        }
-                        listen_socks[num_listen_socks] = listen_sock;
-                        num_listen_socks++;
-
-                        /* Start listening on the port. */
-                        logit("Server listening on %s port %s.", ntop, strport);
-                        if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
-                                fatal("listen: %.100s", strerror(errno));
-
-                }
-                freeaddrinfo(options.listen_addrs);
-
-                if (!num_listen_socks)
-                        fatal("Cannot bind any address.");
+                server_listen();
 
                 if (options.protocol & SSH_PROTO_1)
                         generate_ephemeral_server_key();
 
-                /*
-                 * Arrange to restart on SIGHUP.  The handler needs
-                 * listen_sock.
-                 */
                 signal(SIGHUP, sighup_handler);
-
+                signal(SIGCHLD, main_sigchld_handler);
                 signal(SIGTERM, sigterm_handler);
                 signal(SIGQUIT, sigterm_handler);
 
-                /* Arrange SIGCHLD to be caught. */
-                signal(SIGCHLD, main_sigchld_handler);
-
-                /* Write out the pid file after the sigterm handler is setup */
+                /*
+                 * Write out the pid file after the sigterm handler
+                 * is setup and the listen sockets are bound
+                 */
                 if (!debug_flag) {
-                        /*
-                         * Record our pid in /var/run/sshd.pid to make it
-                         * easier to kill the correct sshd.  We don't want to
-                         * do this before the bind above because the bind will
-                         * fail if there already is a daemon, and this will
-                         * overwrite any old pid in the file.
-                         */
-                        f = fopen(options.pid_file, "wb");
+                        FILE *f = fopen(options.pid_file, "w");
+
                         if (f == NULL) {
                                 error("Couldn't create pid file \"%s\": %s",
                                     options.pid_file, strerror(errno));
@@ -1377,194 +1639,9 @@ main(int ac, char **av)
                         }
                 }
 
-                /* setup fd set for listen */
-                fdset = NULL;
-                maxfd = 0;
-                for (i = 0; i < num_listen_socks; i++)
-                        if (listen_socks[i] > maxfd)
-                                maxfd = listen_socks[i];
-                /* pipes connected to unauthenticated childs */
-                startup_pipes = xmalloc(options.max_startups * sizeof(int));
-                for (i = 0; i < options.max_startups; i++)
-                        startup_pipes[i] = -1;
-
-                /*
-                 * Stay listening for connections until the system crashes or
-                 * the daemon is killed with a signal.
-                 */
-                for (;;) {
-                        if (received_sighup)
-                                sighup_restart();
-                        if (fdset != NULL)
-                                xfree(fdset);
-                        fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
-                        fdset = (fd_set *)xmalloc(fdsetsz);
-                        memset(fdset, 0, fdsetsz);
-
-                        for (i = 0; i < num_listen_socks; i++)
-                                FD_SET(listen_socks[i], fdset);
-                        for (i = 0; i < options.max_startups; i++)
-                                if (startup_pipes[i] != -1)
-                                        FD_SET(startup_pipes[i], fdset);
-
-                        /* Wait in select until there is a connection. */
-                        ret = select(maxfd+1, fdset, NULL, NULL, NULL);
-                        if (ret < 0 && errno != EINTR)
-                                error("select: %.100s", strerror(errno));
-                        if (received_sigterm) {
-                                logit("Received signal %d; terminating.",
-                                    (int) received_sigterm);
-                                close_listen_socks();
-                                unlink(options.pid_file);
-                                exit(255);
-                        }
-                        if (key_used && key_do_regen) {
-                                generate_ephemeral_server_key();
-                                key_used = 0;
-                                key_do_regen = 0;
-                        }
-                        if (ret < 0)
-                                continue;
-
-                        for (i = 0; i < options.max_startups; i++)
-                                if (startup_pipes[i] != -1 &&
-                                    FD_ISSET(startup_pipes[i], fdset)) {
-                                        /*
-                                         * the read end of the pipe is ready
-                                         * if the child has closed the pipe
-                                         * after successful authentication
-                                         * or if the child has died
-                                         */
-                                        close(startup_pipes[i]);
-                                        startup_pipes[i] = -1;
-                                        startups--;
-                                }
-                        for (i = 0; i < num_listen_socks; i++) {
-                                if (!FD_ISSET(listen_socks[i], fdset))
-                                        continue;
-                                fromlen = sizeof(from);
-                                newsock = accept(listen_socks[i], (struct sockaddr *)&from,
-                                    &fromlen);
-                                if (newsock < 0) {
-                                        if (errno != EINTR && errno != EWOULDBLOCK)
-                                                error("accept: %.100s", strerror(errno));
-                                        continue;
-                                }
-                                if (unset_nonblock(newsock) == -1) {
-                                        close(newsock);
-                                        continue;
-                                }
-                                if (drop_connection(startups) == 1) {
-                                        debug("drop connection #%d", startups);
-                                        close(newsock);
-                                        continue;
-                                }
-                                if (pipe(startup_p) == -1) {
-                                        close(newsock);
-                                        continue;
-                                }
-
-                                if (rexec_flag && socketpair(AF_UNIX,
-                                    SOCK_STREAM, 0, config_s) == -1) {
-                                        error("reexec socketpair: %s",
-                                            strerror(errno));
-                                        close(newsock);
-                                        close(startup_p[0]);
-                                        close(startup_p[1]);
-                                        continue;
-                                }
-
-                                for (j = 0; j < options.max_startups; j++)
-                                        if (startup_pipes[j] == -1) {
-                                                startup_pipes[j] = startup_p[0];
-                                                if (maxfd < startup_p[0])
-                                                        maxfd = startup_p[0];
-                                                startups++;
-                                                break;
-                                        }
-
-                                /*
-                                 * Got connection.  Fork a child to handle it, unless
-                                 * we are in debugging mode.
-                                 */
-                                if (debug_flag) {
-                                        /*
-                                         * In debugging mode.  Close the listening
-                                         * socket, and start processing the
-                                         * connection without forking.
-                                         */
-                                        debug("Server will not fork when running in debugging mode.");
-                                        close_listen_socks();
-                                        sock_in = newsock;
-                                        sock_out = newsock;
-                                        close(startup_p[0]);
-                                        close(startup_p[1]);
-                                        startup_pipe = -1;
-                                        pid = getpid();
-                                        if (rexec_flag) {
-                                                send_rexec_state(config_s[0],
-                                                    &cfg);
-                                                close(config_s[0]);
-                                        }
-                                        break;
-                                } else {
-                                        /*
-                                         * Normal production daemon.  Fork, and have
-                                         * the child process the connection. The
-                                         * parent continues listening.
-                                         */
-                                        if ((pid = fork()) == 0) {
-                                                /*
-                                                 * Child.  Close the listening and max_startup
-                                                 * sockets.  Start using the accepted socket.
-                                                 * Reinitialize logging (since our pid has
-                                                 * changed).  We break out of the loop to handle
-                                                 * the connection.
-                                                 */
-                                                startup_pipe = startup_p[1];
-                                                close_startup_pipes();
-                                                close_listen_socks();
-                                                sock_in = newsock;
-                                                sock_out = newsock;
-                                                log_init(__progname, options.log_level, options.log_facility, log_stderr);
-                                                if (rexec_flag)
-                                                        close(config_s[0]);
-                                                break;
-                                        }
-                                }
-
-                                /* Parent.  Stay in the loop. */
-                                if (pid < 0)
-                                        error("fork: %.100s", strerror(errno));
-                                else
-                                        debug("Forked child %ld.", (long)pid);
-
-                                close(startup_p[1]);
-
-                                if (rexec_flag) {
-                                        send_rexec_state(config_s[0], &cfg);
-                                        close(config_s[0]);
-                                        close(config_s[1]);
-                                }
-
-                                /* Mark that the key has been used (it was "given" to the child). */
-                                if ((options.protocol & SSH_PROTO_1) &&
-                                    key_used == 0) {
-                                        /* Schedule server key regeneration alarm. */
-                                        signal(SIGALRM, key_regeneration_alarm);
-                                        alarm(options.key_regeneration_time);
-                                        key_used = 1;
-                                }
-
-                                arc4random_stir();
-
-                                /* Close the new socket (the child is now taking care of it). */
-                                close(newsock);
-                        }
-                        /* child process check (or debug mode) */
-                        if (num_listen_socks < 0)
-                                break;
-                }
+                /* Accept a connection and return in a forked child */
+                server_accept_loop(&sock_in, &sock_out,
+                    &newsock, config_s);
         }
 
         /* This is the child processing a new connection. */
@@ -1659,7 +1736,13 @@ main(int ac, char **av)
          * We use get_canonical_hostname with usedns = 0 instead of
          * get_remote_ipaddr here so IP options will be checked.
          */
-        remote_ip = get_canonical_hostname(0);
+        (void) get_canonical_hostname(0);
+        /*
+         * The rest of the code depends on the fact that
+         * get_remote_ipaddr() caches the remote ip, even if
+         * the socket goes away.
+         */
+        remote_ip = get_remote_ipaddr();
 
 #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
@@ -1755,8 +1838,7 @@ main(int ac, char **av)
         packet_set_nonblocking();
 
         /* allocate authentication context */
-        authctxt = xmalloc(sizeof(*authctxt));
-        memset(authctxt, 0, sizeof(*authctxt));
+        authctxt = xcalloc(1, sizeof(*authctxt));
 
         authctxt->loginmsg = &loginmsg;
 
@@ -1848,11 +1930,14 @@ ssh1_session_key(BIGNUM *session_key_int)
 {
         int rsafail = 0;
 
-        if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
+        if (BN_cmp(sensitive_data.server_key->rsa->n,
+            sensitive_data.ssh1_host_key->rsa->n) > 0) {
                 /* Server key has bigger modulus. */
                 if (BN_num_bits(sensitive_data.server_key->rsa->n) <
-                    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
-                        fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
+                    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
+                    SSH_KEY_BITS_RESERVED) {
+                        fatal("do_connection: %s: "
+                            "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
                             get_remote_ipaddr(),
                             BN_num_bits(sensitive_data.server_key->rsa->n),
                             BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
@@ -1867,8 +1952,10 @@ ssh1_session_key(BIGNUM *session_key_int)
         } else {
                 /* Host key has bigger modulus (or they are equal). */
                 if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
-                    BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
-                        fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
+                    BN_num_bits(sensitive_data.server_key->rsa->n) +
+                    SSH_KEY_BITS_RESERVED) {
+                        fatal("do_connection: %s: "
+                            "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
                             get_remote_ipaddr(),
                             BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
                             BN_num_bits(sensitive_data.server_key->rsa->n),
@@ -1993,10 +2080,10 @@ do_ssh1_kex(void)
          * key is in the highest bits.
          */
         if (!rsafail) {
-                BN_mask_bits(session_key_int, sizeof(session_key) * 8);
+                (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
                 len = BN_num_bytes(session_key_int);
                 if (len < 0 || (u_int)len > sizeof(session_key)) {
-                        error("do_connection: bad session key len from %s: "
+                        error("do_ssh1_kex: bad session key len from %s: "
                             "session_key_int %d > sizeof(session_key) %lu",
                             get_remote_ipaddr(), len, (u_long)sizeof(session_key));
                         rsafail++;
@@ -2089,11 +2176,9 @@ do_ssh2_kex(void)
                 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
                 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
         }
-        
+
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
-        /* start key exchange */
-  
 #ifdef GSSAPI
         {
         char *orig;
@@ -2102,8 +2187,8 @@ do_ssh2_kex(void)
         orig = myproposal[PROPOSAL_KEX_ALGS];
 
         /* 
-         * If we don't have a host key, then there's no point advertising
-         * the other key exchange algorithms
+         * If we don't have a host key, then there's no point advertising
+         * the other key exchange algorithms
          */
 
         if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
@@ -2114,15 +2199,13 @@ do_ssh2_kex(void)
         else
                 gss = NULL;
 
-        if (gss && orig) {
-                int len = strlen(orig) + strlen(gss) + 2;
-                newstr = xmalloc(len);
-                snprintf(newstr, len, "%s,%s", gss, orig);
-        } else if (gss) {
+        if (gss && orig)
+                xasprintf(&newstr, "%s,%s", gss, orig);
+        else if (gss)
                 newstr = gss;
-        } else if (orig) {
+        else if (orig)
                 newstr = orig;
-        }
+
         /* 
          * If we've got GSSAPI mechanisms, then we've got the 'null' host
          * key alg, but we can't tell people about it unless its the only
@@ -2138,18 +2221,20 @@ do_ssh2_kex(void)
         }
 #endif
 
-        /* start key exchange */
-        kex = kex_setup(myproposal);
-        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+        /* start key exchange */
+        kex = kex_setup(myproposal);
+        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 #ifdef GSSAPI
         kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
         kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
 #endif
-        kex->server = 1;
-        kex->client_version_string=client_version_string;
-        kex->server_version_string=server_version_string;
+        kex->server = 1;
+        kex->client_version_string=client_version_string;
+        kex->server_version_string=server_version_string;
         kex->load_host_key=&get_hostkey_by_type;
         kex->host_key_index=&get_hostkey_index;
 
diff --git a/sshd_config b/sshd_config
index 4957dd1a6..68c8752c0 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+#       $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -68,15 +68,18 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-# be allowed through the ChallengeResponseAuthentication mechanism. 
-# Depending on your PAM configuration, this may bypass the setting of 
-# PasswordAuthentication, PermitEmptyPasswords, and 
-# "PermitRootLogin without-password". If you just want the PAM account and 
-# session checks to run without PAM authentication, then enable this but set 
-# ChallengeResponseAuthentication=no
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
 #AllowTcpForwarding yes
@@ -103,3 +106,9 @@
 
 # override default of no subsystems
 Subsystem       sftp    /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       ForceCommand cvs server
diff --git a/sshd_config.0 b/sshd_config.0
index d2c5454e1..c9a09a4ff 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -7,10 +7,11 @@ SYNOPSIS
      /etc/ssh/sshd_config
 
 DESCRIPTION
-     sshd reads configuration data from /etc/ssh/sshd_config (or the file
+     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
      specified with -f on the command line).  The file contains keyword-argu-
      ment pairs, one per line.  Lines starting with `#' and empty lines are
-     interpreted as comments.
+     interpreted as comments.  Arguments may optionally be enclosed in double
+     quotes (") in order to represent arguments containing spaces.
 
      The possible keywords and their meanings are as follows (note that key-
      words are case-insensitive and arguments are case-sensitive):
@@ -29,17 +30,21 @@ DESCRIPTION
              any environment variables.
 
      AddressFamily
-             Specifies which address family should be used by sshd.  Valid ar-
-             guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use
-             IPv6 only).  The default is ``any''.
+             Specifies which address family should be used by sshd(8).  Valid
+             arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
+             (use IPv6 only).  The default is ``any''.
 
      AllowGroups
              This keyword can be followed by a list of group name patterns,
              separated by spaces.  If specified, login is allowed only for
              users whose primary group or supplementary group list matches one
-             of the patterns.  `*' and `?' can be used as wildcards in the
-             patterns.  Only group names are valid; a numerical group ID is
-             not recognized.  By default, login is allowed for all groups.
+             of the patterns.  Only group names are valid; a numerical group
+             ID is not recognized.  By default, login is allowed for all
+             groups.  The allow/deny directives are processed in the following
+             order: DenyUsers, AllowUsers, DenyGroups, and finally
+             AllowGroups.
+
+             See PATTERNS in ssh_config(5) for more information on patterns.
 
      AllowTcpForwarding
              Specifies whether TCP forwarding is permitted.  The default is
@@ -50,23 +55,26 @@ DESCRIPTION
      AllowUsers
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  If specified, login is allowed only for us-
-             er names that match one of the patterns.  `*' and `?' can be used
-             as wildcards in the patterns.  Only user names are valid; a nu-
-             merical user ID is not recognized.  By default, login is allowed
-             for all users.  If the pattern takes the form USER@HOST then USER
-             and HOST are separately checked, restricting logins to particular
-             users from particular hosts.
+             er names that match one of the patterns.  Only user names are
+             valid; a numerical user ID is not recognized.  By default, login
+             is allowed for all users.  If the pattern takes the form US-
+             ER@HOST then USER and HOST are separately checked, restricting
+             logins to particular users from particular hosts.  The allow/deny
+             directives are processed in the following order: DenyUsers,
+             AllowUsers, DenyGroups, and finally AllowGroups.
+
+             See PATTERNS in ssh_config(5) for more information on patterns.
 
      AuthorizedKeysFile
              Specifies the file that contains the public keys that can be used
              for user authentication.  AuthorizedKeysFile may contain tokens
-             of the form %T which are substituted during connection set-up.
+             of the form %T which are substituted during connection setup.
              The following tokens are defined: %% is replaced by a literal
              '%', %h is replaced by the home directory of the user being au-
-             thenticated and %u is replaced by the username of that user.  Af-
-             ter expansion, AuthorizedKeysFile is taken to be an absolute path
-             or one relative to the user's home directory.  The default is
-             ``.ssh/authorized_keys''.
+             thenticated, and %u is replaced by the username of that user.
+             After expansion, AuthorizedKeysFile is taken to be an absolute
+             path or one relative to the user's home directory.  The default
+             is ``.ssh/authorized_keys''.
 
      Banner  In some jurisdictions, sending a warning message before authenti-
              cation may be relevant for getting legal protection.  The con-
@@ -75,7 +83,7 @@ DESCRIPTION
              protocol version 2.  By default, no banner is displayed.
 
      ChallengeResponseAuthentication
-             Specifies whether challenge response authentication is allowed.
+             Specifies whether challenge-response authentication is allowed.
              All authentication styles from login.conf(5) are supported.  The
              default is ``yes''.
 
@@ -85,15 +93,15 @@ DESCRIPTION
              ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
              ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
              ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
-             ``cast128-cbc''.  The default is
+             ``cast128-cbc''.  The default is:
 
-               ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-                 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-                 aes192-ctr,aes256-ctr''
+                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+                arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+                aes192-ctr,aes256-ctr
 
      ClientAliveCountMax
              Sets the number of client alive messages (see below) which may be
-             sent without sshd receiving any messages back from the client.
+             sent without sshd(8) receiving any messages back from the client.
              If this threshold is reached while client alive messages are be-
              ing sent, sshd will disconnect the client, terminating the ses-
              sion.  It is important to note that the use of client alive mes-
@@ -106,15 +114,16 @@ DESCRIPTION
 
              The default value is 3.  If ClientAliveInterval (see below) is
              set to 15, and ClientAliveCountMax is left at the default, unre-
-             sponsive ssh clients will be disconnected after approximately 45
-             seconds.
+             sponsive SSH clients will be disconnected after approximately 45
+             seconds.  This option applies to protocol version 2 only.
 
      ClientAliveInterval
              Sets a timeout interval in seconds after which if no data has
-             been received from the client, sshd will send a message through
-             the encrypted channel to request a response from the client.  The
-             default is 0, indicating that these messages will not be sent to
-             the client.  This option applies to protocol version 2 only.
+             been received from the client, sshd(8) will send a message
+             through the encrypted channel to request a response from the
+             client.  The default is 0, indicating that these messages will
+             not be sent to the client.  This option applies to protocol ver-
+             sion 2 only.
 
      Compression
              Specifies whether compression is allowed, or delayed until the
@@ -125,23 +134,38 @@ DESCRIPTION
              This keyword can be followed by a list of group name patterns,
              separated by spaces.  Login is disallowed for users whose primary
              group or supplementary group list matches one of the patterns.
-             `*' and `?' can be used as wildcards in the patterns.  Only group
-             names are valid; a numerical group ID is not recognized.  By de-
-             fault, login is allowed for all groups.
+             Only group names are valid; a numerical group ID is not recog-
+             nized.  By default, login is allowed for all groups.  The al-
+             low/deny directives are processed in the following order:
+             DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
+
+             See PATTERNS in ssh_config(5) for more information on patterns.
 
      DenyUsers
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  Login is disallowed for user names that
-             match one of the patterns.  `*' and `?' can be used as wildcards
-             in the patterns.  Only user names are valid; a numerical user ID
-             is not recognized.  By default, login is allowed for all users.
-             If the pattern takes the form USER@HOST then USER and HOST are
-             separately checked, restricting logins to particular users from
-             particular hosts.
+             match one of the patterns.  Only user names are valid; a numeri-
+             cal user ID is not recognized.  By default, login is allowed for
+             all users.  If the pattern takes the form USER@HOST then USER and
+             HOST are separately checked, restricting logins to particular
+             users from particular hosts.  The allow/deny directives are pro-
+             cessed in the following order: DenyUsers, AllowUsers, DenyGroups,
+             and finally AllowGroups.
+
+             See PATTERNS in ssh_config(5) for more information on patterns.
+
+     ForceCommand
+             Forces the execution of the command specified by ForceCommand,
+             ignoring any command supplied by the client.  The command is in-
+             voked by using the user's login shell with the -c option.  This
+             applies to shell, command, or subsystem execution.  It is most
+             useful inside a Match block.  The command originally supplied by
+             the client is available in the SSH_ORIGINAL_COMMAND environment
+             variable.
 
      GatewayPorts
              Specifies whether remote hosts are allowed to connect to ports
-             forwarded for the client.  By default, sshd binds remote port
+             forwarded for the client.  By default, sshd(8) binds remote port
              forwardings to the loopback address.  This prevents other remote
              hosts from connecting to forwarded ports.  GatewayPorts can be
              used to specify that sshd should allow remote port forwardings to
@@ -165,18 +189,27 @@ DESCRIPTION
      HostbasedAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful public key client host authentication is
-             allowed (hostbased authentication).  This option is similar to
+             allowed (host-based authentication).  This option is similar to
              RhostsRSAAuthentication and applies to protocol version 2 only.
              The default is ``no''.
 
+     HostbasedUsesNameFromPacketOnly
+             Specifies whether or not the server will attempt to perform a re-
+             verse name lookup when matching the name in the ~/.shosts,
+             ~/.rhosts, and /etc/hosts.equiv files during
+             HostbasedAuthentication.  A setting of ``yes'' means that sshd(8)
+             uses the name supplied by the client rather than attempting to
+             resolve the name from the TCP connection itself.  The default is
+             ``no''.
+
      HostKey
              Specifies a file containing a private host key used by SSH.  The
              default is /etc/ssh/ssh_host_key for protocol version 1, and
              /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
-             tocol version 2.  Note that sshd will refuse to use a file if it
-             is group/world-accessible.  It is possible to have multiple host
-             key files.  ``rsa1'' keys are used for version 1 and ``dsa'' or
-             ``rsa'' are used for version 2 of the SSH protocol.
+             tocol version 2.  Note that sshd(8) will refuse to use a file if
+             it is group/world-accessible.  It is possible to have multiple
+             host key files.  ``rsa1'' keys are used for version 1 and ``dsa''
+             or ``rsa'' are used for version 2 of the SSH protocol.
 
      IgnoreRhosts
              Specifies that .rhosts and .shosts files will not be used in
@@ -186,7 +219,7 @@ DESCRIPTION
              fault is ``yes''.
 
      IgnoreUserKnownHosts
-             Specifies whether sshd should ignore the user's
+             Specifies whether sshd(8) should ignore the user's
              ~/.ssh/known_hosts during RhostsRSAAuthentication or
              HostbasedAuthentication.  The default is ``no''.
 
@@ -194,22 +227,22 @@ DESCRIPTION
              Specifies whether the password provided by the user for
              PasswordAuthentication will be validated through the Kerberos
              KDC.  To use this option, the server needs a Kerberos servtab
-             which allows the verification of the KDC's identity.  Default is
-             ``no''.
+             which allows the verification of the KDC's identity.  The default
+             is ``no''.
 
      KerberosGetAFSToken
              If AFS is active and the user has a Kerberos 5 TGT, attempt to
              acquire an AFS token before accessing the user's home directory.
-             Default is ``no''.
+             The default is ``no''.
 
      KerberosOrLocalPasswd
-             If set then if password authentication through Kerberos fails
-             then the password will be validated via any additional local
-             mechanism such as /etc/passwd.  Default is ``yes''.
+             If password authentication through Kerberos fails then the pass-
+             word will be validated via any additional local mechanism such as
+             /etc/passwd.  The default is ``yes''.
 
      KerberosTicketCleanup
              Specifies whether to automatically destroy the user's ticket
-             cache file on logout.  Default is ``yes''.
+             cache file on logout.  The default is ``yes''.
 
      KeyRegenerationInterval
              In protocol version 1, the ephemeral server key is automatically
@@ -220,8 +253,8 @@ DESCRIPTION
              never regenerated.  The default is 3600 (seconds).
 
      ListenAddress
-             Specifies the local addresses sshd should listen on.  The follow-
-             ing forms may be used:
+             Specifies the local addresses sshd(8) should listen on.  The fol-
+             lowing forms may be used:
 
                    ListenAddress host|IPv4_addr|IPv6_addr
                    ListenAddress host|IPv4_addr:port
@@ -230,7 +263,7 @@ DESCRIPTION
              If port is not specified, sshd will listen on the address and all
              prior Port options specified.  The default is to listen on all
              local addresses.  Multiple ListenAddress options are permitted.
-             Additionally, any Port options must precede this option for non
+             Additionally, any Port options must precede this option for non-
              port qualified addresses.
 
      LoginGraceTime
@@ -240,8 +273,8 @@ DESCRIPTION
 
      LogLevel
              Gives the verbosity level that is used when logging messages from
-             sshd.  The possible values are: QUIET, FATAL, ERROR, INFO, VER-
-             BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
+             sshd(8).  The possible values are: QUIET, FATAL, ERROR, INFO,
+             VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
              DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
              higher levels of debugging output.  Logging with a DEBUG level
              violates the privacy of users and is not recommended.
@@ -249,9 +282,23 @@ DESCRIPTION
      MACs    Specifies the available MAC (message authentication code) algo-
              rithms.  The MAC algorithm is used in protocol version 2 for data
              integrity protection.  Multiple algorithms must be comma-separat-
-             ed.  The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
+             ed.  The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
              sha1-96,hmac-md5-96''.
 
+     Match   Introduces a conditional block.  If all of the criteria on the
+             Match line are satisfied, the keywords on the following lines
+             override those set in the global section of the config file, un-
+             til either another Match line or the end of the file.  The argu-
+             ments to Match are one or more criteria-pattern pairs.  The
+             available criteria are User, Group, Host, and Address.  Only a
+             subset of keywords may be used on the lines following a Match
+             keyword.  Available keywords are AllowTcpForwarding, Banner,
+             ForceCommand, GatewayPorts, GSSApiAuthentication,
+             KbdInteractiveAuthentication, KerberosAuthentication,
+             PasswordAuthentication, PermitOpen, RhostsRSAAuthentication,
+             RSAAuthentication, X11DisplayOffset, X11Forwarding, and
+             X11UseLocalHost.
+
      MaxAuthTries
              Specifies the maximum number of authentication attempts permitted
              per connection.  Once the number of failures reaches half this
@@ -259,17 +306,17 @@ DESCRIPTION
 
      MaxStartups
              Specifies the maximum number of concurrent unauthenticated con-
-             nections to the sshd daemon.  Additional connections will be
+             nections to the SSH daemon.  Additional connections will be
              dropped until authentication succeeds or the LoginGraceTime ex-
              pires for a connection.  The default is 10.
 
              Alternatively, random early drop can be enabled by specifying the
-             three colon separated values ``start:rate:full'' (e.g.,
-             "10:30:60").  sshd will refuse connection attempts with a proba-
-             bility of ``rate/100'' (30%) if there are currently ``start''
-             (10) unauthenticated connections.  The probability increases lin-
-             early and all connection attempts are refused if the number of
-             unauthenticated connections reaches ``full'' (60).
+             three colon separated values ``start:rate:full'' (e.g.
+             "10:30:60").  sshd(8) will refuse connection attempts with a
+             probability of ``rate/100'' (30%) if there are currently
+             ``start'' (10) unauthenticated connections.  The probability in-
+             creases linearly and all connection attempts are refused if the
+             number of unauthenticated connections reaches ``full'' (60).
 
      PasswordAuthentication
              Specifies whether password authentication is allowed.  The de-
@@ -280,59 +327,74 @@ DESCRIPTION
              server allows login to accounts with empty password strings.  The
              default is ``no''.
 
+     PermitOpen
+             Specifies the destinations to which TCP port forwarding is per-
+             mitted.  The forwarding specification must be one of the follow-
+             ing forms:
+
+                   PermitOpen host:port
+                   PermitOpen IPv4_addr:port
+                   PermitOpen [IPv6_addr]:port
+
+             Multiple forwards may be specified by separating them with
+             whitespace.  An argument of ``any'' can be used to remove all re-
+             strictions and permit any forwarding requests.  By default all
+             port forwarding requests are permitted.
+
      PermitRootLogin
              Specifies whether root can log in using ssh(1).  The argument
-             must be ``yes'', ``without-password'', ``forced-commands-only''
+             must be ``yes'', ``without-password'', ``forced-commands-only'',
              or ``no''.  The default is ``yes''.
 
-             If this option is set to ``without-password'' password authenti-
+             If this option is set to ``without-password'', password authenti-
              cation is disabled for root.
 
-             If this option is set to ``forced-commands-only'' root login with
-             public key authentication will be allowed, but only if the
+             If this option is set to ``forced-commands-only'', root login
+             with public key authentication will be allowed, but only if the
              command option has been specified (which may be useful for taking
              remote backups even if root login is normally not allowed).  All
              other authentication methods are disabled for root.
 
-             If this option is set to ``no'' root is not allowed to log in.
+             If this option is set to ``no'', root is not allowed to log in.
 
      PermitTunnel
              Specifies whether tun(4) device forwarding is allowed.  The argu-
-             ment must be ``yes'', ``point-to-point'', ``ethernet'' or ``no''.
-             The default is ``no''.
+             ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet''
+             (layer 2), or ``no''.  Specifying ``yes'' permits both ``point-
+             to-point'' and ``ethernet''.  The default is ``no''.
 
      PermitUserEnvironment
              Specifies whether ~/.ssh/environment and environment= options in
-             ~/.ssh/authorized_keys are processed by sshd.  The default is
+             ~/.ssh/authorized_keys are processed by sshd(8).  The default is
              ``no''.  Enabling environment processing may enable users to by-
              pass access restrictions in some configurations using mechanisms
              such as LD_PRELOAD.
 
      PidFile
-             Specifies the file that contains the process ID of the sshd dae-
+             Specifies the file that contains the process ID of the SSH dae-
              mon.  The default is /var/run/sshd.pid.
 
-     Port    Specifies the port number that sshd listens on.  The default is
-             22.  Multiple options of this type are permitted.  See also
+     Port    Specifies the port number that sshd(8) listens on.  The default
+             is 22.  Multiple options of this type are permitted.  See also
              ListenAddress.
 
      PrintLastLog
-             Specifies whether sshd should print the date and time of the last
-             user login when a user logs in interactively.  The default is
-             ``yes''.
+             Specifies whether sshd(8) should print the date and time of the
+             last user login when a user logs in interactively.  The default
+             is ``yes''.
 
      PrintMotd
-             Specifies whether sshd should print /etc/motd when a user logs in
-             interactively.  (On some systems it is also printed by the shell,
-             /etc/profile, or equivalent.)  The default is ``yes''.
+             Specifies whether sshd(8) should print /etc/motd when a user logs
+             in interactively.  (On some systems it is also printed by the
+             shell, /etc/profile, or equivalent.)  The default is ``yes''.
 
      Protocol
-             Specifies the protocol versions sshd supports.  The possible val-
-             ues are ``1'' and ``2''.  Multiple versions must be comma-sepa-
-             rated.  The default is ``2,1''.  Note that the order of the pro-
-             tocol list does not indicate preference, because the client se-
-             lects among multiple protocol versions offered by the server.
-             Specifying ``2,1'' is identical to ``1,2''.
+             Specifies the protocol versions sshd(8) supports.  The possible
+             values are `1' and `2'.  Multiple versions must be comma-separat-
+             ed.  The default is ``2,1''.  Note that the order of the protocol
+             list does not indicate preference, because the client selects
+             among multiple protocol versions offered by the server.  Specify-
+             ing ``2,1'' is identical to ``1,2''.
 
      PubkeyAuthentication
              Specifies whether public key authentication is allowed.  The de-
@@ -355,24 +417,24 @@ DESCRIPTION
              server key.  The minimum value is 512, and the default is 768.
 
      StrictModes
-             Specifies whether sshd should check file modes and ownership of
-             the user's files and home directory before accepting login.  This
-             is normally desirable because novices sometimes accidentally
+             Specifies whether sshd(8) should check file modes and ownership
+             of the user's files and home directory before accepting login.
+             This is normally desirable because novices sometimes accidentally
              leave their directory or files world-writable.  The default is
              ``yes''.
 
      Subsystem
-             Configures an external subsystem (e.g., file transfer daemon).
-             Arguments should be a subsystem name and a command to execute up-
-             on subsystem request.  The command sftp-server(8) implements the
-             ``sftp'' file transfer subsystem.  By default no subsystems are
-             defined.  Note that this option applies to protocol version 2 on-
-             ly.
+             Configures an external subsystem (e.g. file transfer daemon).
+             Arguments should be a subsystem name and a command (with optional
+             arguments) to execute upon subsystem request.  The command
+             sftp-server(8) implements the ``sftp'' file transfer subsystem.
+             By default no subsystems are defined.  Note that this option ap-
+             plies to protocol version 2 only.
 
      SyslogFacility
              Gives the facility code that is used when logging messages from
-             sshd.  The possible values are: DAEMON, USER, AUTH, LOCAL0, LO-
-             CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
+             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
+             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
              fault is AUTH.
 
      TCPKeepAlive
@@ -392,7 +454,7 @@ DESCRIPTION
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
-     UseDNS  Specifies whether sshd should look up the remote host name and
+     UseDNS  Specifies whether sshd(8) should look up the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
 
@@ -406,8 +468,9 @@ DESCRIPTION
 
      UsePAM  Enables the Pluggable Authentication Module interface.  If set to
              ``yes'' this will enable PAM authentication using
-             ChallengeResponseAuthentication and PAM account and session mod-
-             ule processing for all authentication types.
+             ChallengeResponseAuthentication and PasswordAuthentication in ad-
+             dition to PAM account and session module processing for all au-
+             thentication types.
 
              Because PAM challenge-response authentication usually serves an
              equivalent role to password authentication, you should disable
@@ -417,7 +480,7 @@ DESCRIPTION
              non-root user.  The default is ``no''.
 
      UsePrivilegeSeparation
-             Specifies whether sshd separates privileges by creating an un-
+             Specifies whether sshd(8) separates privileges by creating an un-
              privileged child process to deal with incoming network traffic.
              After successful authentication, another process will be created
              that has the privilege of the authenticated user.  The goal of
@@ -426,8 +489,8 @@ DESCRIPTION
              default is ``yes''.
 
      X11DisplayOffset
-             Specifies the first display number available for sshd's X11 for-
-             warding.  This prevents sshd from interfering with real X11
+             Specifies the first display number available for sshd(8)'s X11
+             forwarding.  This prevents sshd from interfering with real X11
              servers.  The default is 10.
 
      X11Forwarding
@@ -435,17 +498,17 @@ DESCRIPTION
              be ``yes'' or ``no''.  The default is ``no''.
 
              When X11 forwarding is enabled, there may be additional exposure
-             to the server and to client displays if the sshd proxy display is
-             configured to listen on the wildcard address (see X11UseLocalhost
-             below), however this is not the default.  Additionally, the au-
-             thentication spoofing and authentication data verification and
-             substitution occur on the client side.  The security risk of us-
-             ing X11 forwarding is that the client's X11 display server may be
-             exposed to attack when the ssh client requests forwarding (see
-             the warnings for ForwardX11 in ssh_config(5)).  A system adminis-
-             trator may have a stance in which they want to protect clients
-             that may expose themselves to attack by unwittingly requesting
-             X11 forwarding, which can warrant a ``no'' setting.
+             to the server and to client displays if the sshd(8) proxy display
+             is configured to listen on the wildcard address (see
+             X11UseLocalhost below), though this is not the default.  Addi-
+             tionally, the authentication spoofing and authentication data
+             verification and substitution occur on the client side.  The se-
+             curity risk of using X11 forwarding is that the client's X11 dis-
+             play server may be exposed to attack when the SSH client requests
+             forwarding (see the warnings for ForwardX11 in ssh_config(5)).  A
+             system administrator may have a stance in which they want to pro-
+             tect clients that may expose themselves to attack by unwittingly
+             requesting X11 forwarding, which can warrant a ``no'' setting.
 
              Note that disabling X11 forwarding does not prevent users from
              forwarding X11 traffic, as users can always install their own
@@ -453,8 +516,8 @@ DESCRIPTION
              is enabled.
 
      X11UseLocalhost
-             Specifies whether sshd should bind the X11 forwarding server to
-             the loopback address or to the wildcard address.  By default,
+             Specifies whether sshd(8) should bind the X11 forwarding server
+             to the loopback address or to the wildcard address.  By default,
              sshd binds the forwarding server to the loopback address and sets
              the hostname part of the DISPLAY environment variable to
              ``localhost''.  This prevents remote hosts from connecting to the
@@ -468,9 +531,9 @@ DESCRIPTION
              Specifies the full pathname of the xauth(1) program.  The default
              is /usr/X11R6/bin/xauth.
 
-   Time Formats
-     sshd command-line arguments and configuration file options that specify
-     time may be expressed using a sequence of the form: time[qualifier],
+TIME FORMATS
+     sshd(8) command-line arguments and configuration file options that speci-
+     fy time may be expressed using a sequence of the form: time[qualifier],
      where time is a positive integer value and qualifier is one of the fol-
      lowing:
 
@@ -492,7 +555,7 @@ DESCRIPTION
 
 FILES
      /etc/ssh/sshd_config
-             Contains configuration data for sshd.  This file should be
+             Contains configuration data for sshd(8).  This file should be
              writable by root only, but it is recommended (though not neces-
              sary) that it be world-readable.
 
@@ -507,4 +570,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 3.9                   September 25, 1999                             8
+OpenBSD 4.1                   September 25, 1999                             9
diff --git a/sshd_config.5 b/sshd_config.5
index 999e14a07..c75e0bf55 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -42,11 +42,9 @@
 .Nm sshd_config
 .Nd OpenSSH SSH daemon configuration file
 .Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
+.Nm /etc/ssh/sshd_config
 .Sh DESCRIPTION
-.Nm sshd
+.Xr sshd 8
 reads configuration data from
 .Pa /etc/ssh/sshd_config
 (or the file specified with
@@ -56,6 +54,9 @@ The file contains keyword-argument pairs, one per line.
 Lines starting with
 .Ql #
 and empty lines are interpreted as comments.
+Arguments may optionally be enclosed in double quotes
+.Pq \&"
+in order to represent arguments containing spaces.
 .Pp
 The possible
 keywords and their meanings are as follows (note that
@@ -72,7 +73,7 @@ in
 for how to configure the client.
 Note that environment passing is only supported for protocol 2.
 Variables are specified by name, which may contain the wildcard characters
-.Ql \&*
+.Ql *
 and
 .Ql \&? .
 Multiple environment variables may be separated by whitespace or spread
@@ -85,11 +86,11 @@ For this reason, care should be taken in the use of this directive.
 The default is not to accept any environment variables.
 .It Cm AddressFamily
 Specifies which address family should be used by
-.Nm sshd .
+.Xr sshd 8 .
 Valid arguments are
 .Dq any ,
 .Dq inet
-(use IPv4 only) or
+(use IPv4 only), or
 .Dq inet6
 (use IPv6 only).
 The default is
@@ -99,13 +100,20 @@ This keyword can be followed by a list of group name patterns, separated
 by spaces.
 If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
-.Ql \&*
-and
-.Ql \&?
-can be used as
-wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
+.Pp
+See
+.Sx PATTERNS
+in
+.Xr ssh_config 5
+for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
 The default is
@@ -118,24 +126,31 @@ This keyword can be followed by a list of user name patterns, separated
 by spaces.
 If specified, login is allowed only for user names that
 match one of the patterns.
-.Ql \&*
-and
-.Ql \&?
-can be used as
-wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
 By default, login is allowed for all users.
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
+.Pp
+See
+.Sx PATTERNS
+in
+.Xr ssh_config 5
+for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
-set-up.
+setup.
 The following tokens are defined: %% is replaced by a literal '%',
-%h is replaced by the home directory of the user being authenticated and
+%h is replaced by the home directory of the user being authenticated, and
 %u is replaced by the username of that user.
 After expansion,
 .Cm AuthorizedKeysFile
@@ -151,7 +166,7 @@ authentication is allowed.
 This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
-Specifies whether challenge response authentication is allowed.
+Specifies whether challenge-response authentication is allowed.
 All authentication styles from
 .Xr login.conf 5
 are supported.
@@ -174,20 +189,19 @@ The supported ciphers are
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
-The default is
-.Bd -literal
-  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-    aes192-ctr,aes256-ctr''
+The default is:
+.Bd -literal -offset 3n
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes192-ctr,aes256-ctr
 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be
 sent without
-.Nm sshd
+.Xr sshd 8
 receiving any messages back from the client.
 If this threshold is reached while client alive messages are being sent,
-.Nm sshd
-will disconnect the client, terminating the session.
+sshd will disconnect the client, terminating the session.
 It is important to note that the use of client alive messages is very
 different from
 .Cm TCPKeepAlive
@@ -205,12 +219,13 @@ If
 .Cm ClientAliveInterval
 (see below) is set to 15, and
 .Cm ClientAliveCountMax
-is left at the default, unresponsive ssh clients
+is left at the default, unresponsive SSH clients
 will be disconnected after approximately 45 seconds.
+This option applies to protocol version 2 only.
 .It Cm ClientAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
 from the client,
-.Nm sshd
+.Xr sshd 8
 will send a message through the encrypted
 channel to request a response from the client.
 The default
@@ -231,36 +246,62 @@ This keyword can be followed by a list of group name patterns, separated
 by spaces.
 Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
-.Ql \&*
-and
-.Ql \&?
-can be used as
-wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
 By default, login is allowed for all groups.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
+.Pp
+See
+.Sx PATTERNS
+in
+.Xr ssh_config 5
+for more information on patterns.
 .It Cm DenyUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
 Login is disallowed for user names that match one of the patterns.
-.Ql \&*
-and
-.Ql \&?
-can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
 By default, login is allowed for all users.
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+The allow/deny directives are processed in the following order:
+.Cm DenyUsers ,
+.Cm AllowUsers ,
+.Cm DenyGroups ,
+and finally
+.Cm AllowGroups .
+.Pp
+See
+.Sx PATTERNS
+in
+.Xr ssh_config 5
+for more information on patterns.
+.It Cm ForceCommand
+Forces the execution of the command specified by
+.Cm ForceCommand ,
+ignoring any command supplied by the client.
+The command is invoked by using the user's login shell with the -c option.
+This applies to shell, command, or subsystem execution.
+It is most useful inside a
+.Cm Match
+block.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
 By default,
-.Nm sshd
+.Xr sshd 8
 binds remote port forwardings to the loopback address.
 This prevents other remote hosts from connecting to forwarded ports.
 .Cm GatewayPorts
-can be used to specify that
-.Nm sshd
+can be used to specify that sshd
 should allow remote port forwardings to bind to non-loopback addresses, thus
 allowing other hosts to connect.
 The argument may be
@@ -289,15 +330,49 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
-(hostbased authentication).
+(host-based authentication).
 This option is similar to
 .Cm RhostsRSAAuthentication
 and applies to protocol version 2 only.
 The default is
 .Dq no .
+.It Cm HostbasedUsesNameFromPacketOnly
+Specifies whether or not the server will attempt to perform a reverse
+name lookup when matching the name in the
+.Pa ~/.shosts ,
+.Pa ~/.rhosts ,
+and
+.Pa /etc/hosts.equiv
+files during
+.Cm HostbasedAuthentication .
+A setting of
+.Dq yes
+means that
+.Xr sshd 8
+uses the name supplied by the client rather than
+attempting to resolve the name from the TCP connection itself.
+The default is
+.Dq no .
 .It Cm HostKey
 Specifies a file containing a private host key
 used by SSH.
@@ -309,7 +384,7 @@ and
 .Pa /etc/ssh/ssh_host_dsa_key
 for protocol version 2.
 Note that
-.Nm sshd
+.Xr sshd 8
 will refuse to use a file if it is group/world-accessible.
 It is possible to have multiple host key files.
 .Dq rsa1
@@ -336,7 +411,7 @@ The default is
 .Dq yes .
 .It Cm IgnoreUserKnownHosts
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should ignore the user's
 .Pa ~/.ssh/known_hosts
 during
@@ -351,24 +426,24 @@ Specifies whether the password provided by the user for
 will be validated through the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
-Default is
+The default is
 .Dq no .
 .It Cm KerberosGetAFSToken
 If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
 an AFS token before accessing the user's home directory.
-Default is
+The default is
 .Dq no .
 .It Cm KerberosOrLocalPasswd
-If set then if password authentication through Kerberos fails then
+If password authentication through Kerberos fails then
 the password will be validated via any additional local mechanism
 such as
 .Pa /etc/passwd .
-Default is
+The default is
 .Dq yes .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.
-Default is
+The default is
 .Dq yes .
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
@@ -381,7 +456,7 @@ If the value is 0, the key is never regenerated.
 The default is 3600 (seconds).
 .It Cm ListenAddress
 Specifies the local addresses
-.Nm sshd
+.Xr sshd 8
 should listen on.
 The following forms may be used:
 .Pp
@@ -407,8 +482,7 @@ The following forms may be used:
 If
 .Ar port
 is not specified,
-.Nm sshd
-will listen on the address and all prior
+sshd will listen on the address and all prior
 .Cm Port
 options specified.
 The default is to listen on all local addresses.
@@ -417,7 +491,7 @@ Multiple
 options are permitted.
 Additionally, any
 .Cm Port
-options must precede this option for non port qualified addresses.
+options must precede this option for non-port qualified addresses.
 .It Cm LoginGraceTime
 The server disconnects after this time if the user has not
 successfully logged in.
@@ -425,9 +499,9 @@ If the value is 0, there is no time limit.
 The default is 120 seconds.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
-.Nm sshd .
+.Xr sshd 8 .
 The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
@@ -437,8 +511,44 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
-The default is
+The default is:
 .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm Match
+Introduces a conditional block.
+If all of the criteria on the
+.Cm Match
+line are satisfied, the keywords on the following lines override those
+set in the global section of the config file, until either another
+.Cm Match
+line or the end of the file.
+The arguments to
+.Cm Match
+are one or more criteria-pattern pairs.
+The available criteria are
+.Cm User ,
+.Cm Group ,
+.Cm Host ,
+and
+.Cm Address .
+Only a subset of keywords may be used on the lines following a
+.Cm Match
+keyword.
+Available keywords are
+.Cm AllowTcpForwarding ,
+.Cm Banner ,
+.Cm ForceCommand ,
+.Cm GatewayPorts ,
+.Cm GSSApiAuthentication ,
+.Cm KbdInteractiveAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm PasswordAuthentication ,
+.Cm PermitOpen ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,
+.Cm X11DisplayOffset ,
+.Cm X11Forwarding ,
+and
+.Cm X11UseLocalHost .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
@@ -447,8 +557,7 @@ additional failures are logged.
 The default is 6.
 .It Cm MaxStartups
 Specifies the maximum number of concurrent unauthenticated connections to the
-.Nm sshd
-daemon.
+SSH daemon.
 Additional connections will be dropped until authentication succeeds or the
 .Cm LoginGraceTime
 expires for a connection.
@@ -457,8 +566,8 @@ The default is 10.
 Alternatively, random early drop can be enabled by specifying
 the three colon separated values
 .Dq start:rate:full
-(e.g., "10:30:60").
-.Nm sshd
+(e.g. "10:30:60").
+.Xr sshd 8
 will refuse connection attempts with a probability of
 .Dq rate/100
 (30%)
@@ -479,24 +588,51 @@ When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
 The default is
 .Dq no .
+.It Cm PermitOpen
+Specifies the destinations to which TCP port forwarding is permitted.
+The forwarding specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitOpen
+.Sm off
+.Ar host : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar IPv4_addr : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar \&[ IPv6_addr \&] : port
+.Sm on
+.El
+.Pp
+Multiple forwards may be specified by separating them with whitespace.
+An argument of
+.Dq any
+can be used to remove all restrictions and permit any forwarding requests.
+By default all port forwarding requests are permitted.
 .It Cm PermitRootLogin
 Specifies whether root can log in using
 .Xr ssh 1 .
 The argument must be
 .Dq yes ,
 .Dq without-password ,
-.Dq forced-commands-only
+.Dq forced-commands-only ,
 or
 .Dq no .
 The default is
 .Dq yes .
 .Pp
 If this option is set to
-.Dq without-password
+.Dq without-password ,
 password authentication is disabled for root.
 .Pp
 If this option is set to
-.Dq forced-commands-only
+.Dq forced-commands-only ,
 root login with public key authentication will be allowed,
 but only if the
 .Ar command
@@ -506,7 +642,7 @@ normally not allowed).
 All other authentication methods are disabled for root.
 .Pp
 If this option is set to
-.Dq no
+.Dq no ,
 root is not allowed to log in.
 .It Cm PermitTunnel
 Specifies whether
@@ -514,10 +650,17 @@ Specifies whether
 device forwarding is allowed.
 The argument must be
 .Dq yes ,
-.Dq point-to-point ,
+.Dq point-to-point
+(layer 3),
 .Dq ethernet
-or
+(layer 2), or
 .Dq no .
+Specifying
+.Dq yes
+permits both
+.Dq point-to-point
+and
+.Dq ethernet .
 The default is
 .Dq no .
 .It Cm PermitUserEnvironment
@@ -528,7 +671,7 @@ and
 options in
 .Pa ~/.ssh/authorized_keys
 are processed by
-.Nm sshd .
+.Xr sshd 8 .
 The default is
 .Dq no .
 Enabling environment processing may enable users to bypass access
@@ -536,13 +679,12 @@ restrictions in some configurations using mechanisms such as
 .Ev LD_PRELOAD .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
-.Nm sshd
-daemon.
+SSH daemon.
 The default is
 .Pa /var/run/sshd.pid .
 .It Cm Port
 Specifies the port number that
-.Nm sshd
+.Xr sshd 8
 listens on.
 The default is 22.
 Multiple options of this type are permitted.
@@ -550,14 +692,14 @@ See also
 .Cm ListenAddress .
 .It Cm PrintLastLog
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should print the date and time of the last user login when a user logs
 in interactively.
 The default is
 .Dq yes .
 .It Cm PrintMotd
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should print
 .Pa /etc/motd
 when a user logs in interactively.
@@ -568,12 +710,12 @@ The default is
 .Dq yes .
 .It Cm Protocol
 Specifies the protocol versions
-.Nm sshd
+.Xr sshd 8
 supports.
 The possible values are
-.Dq 1
+.Sq 1
 and
-.Dq 2 .
+.Sq 2 .
 Multiple versions must be comma-separated.
 The default is
 .Dq 2,1 .
@@ -605,7 +747,7 @@ Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 768.
 .It Cm StrictModes
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should check file modes and ownership of the
 user's files and home directory before accepting login.
 This is normally desirable because novices sometimes accidentally leave their
@@ -613,9 +755,9 @@ directory or files world-writable.
 The default is
 .Dq yes .
 .It Cm Subsystem
-Configures an external subsystem (e.g., file transfer daemon).
-Arguments should be a subsystem name and a command to execute upon subsystem
-request.
+Configures an external subsystem (e.g. file transfer daemon).
+Arguments should be a subsystem name and a command (with optional arguments)
+to execute upon subsystem request.
 The command
 .Xr sftp-server 8
 implements the
@@ -625,7 +767,7 @@ By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
-.Nm sshd .
+.Xr sshd 8 .
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
@@ -655,7 +797,7 @@ This option was formerly called
 .Cm KeepAlive .
 .It Cm UseDNS
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should look up the remote host name and check that
 the resolved host name for the remote IP address maps back to the
 very same IP address.
@@ -686,7 +828,10 @@ If set to
 .Dq yes
 this will enable PAM authentication using
 .Cm ChallengeResponseAuthentication
-and PAM account and session module processing for all authentication types.
+and
+.Cm PasswordAuthentication
+in addition to PAM account and session module processing for all
+authentication types.
 .Pp
 Because PAM challenge-response authentication usually serves an equivalent
 role to password authentication, you should disable either
@@ -703,7 +848,7 @@ The default is
 .Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 separates privileges by creating an unprivileged child process
 to deal with incoming network traffic.
 After successful authentication, another process will be created that has
@@ -714,11 +859,9 @@ The default is
 .Dq yes .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
-.Nm sshd Ns 's
+.Xr sshd 8 Ns 's
 X11 forwarding.
-This prevents
-.Nm sshd
-from interfering with real X11 servers.
+This prevents sshd from interfering with real X11 servers.
 The default is 10.
 .It Cm X11Forwarding
 Specifies whether X11 forwarding is permitted.
@@ -731,14 +874,14 @@ The default is
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the
-.Nm sshd
+.Xr sshd 8
 proxy display is configured to listen on the wildcard address (see
 .Cm X11UseLocalhost
-below), however this is not the default.
+below), though this is not the default.
 Additionally, the authentication spoofing and authentication data
 verification and substitution occur on the client side.
 The security risk of using X11 forwarding is that the client's X11
-display server may be exposed to attack when the ssh client requests
+display server may be exposed to attack when the SSH client requests
 forwarding (see the warnings for
 .Cm ForwardX11
 in
@@ -756,12 +899,11 @@ X11 forwarding is automatically disabled if
 is enabled.
 .It Cm X11UseLocalhost
 Specifies whether
-.Nm sshd
+.Xr sshd 8
 should bind the X11 forwarding server to the loopback address or to
 the wildcard address.
 By default,
-.Nm sshd
-binds the forwarding server to the loopback address and sets the
+sshd binds the forwarding server to the loopback address and sets the
 hostname part of the
 .Ev DISPLAY
 environment variable to
@@ -787,8 +929,8 @@ program.
 The default is
 .Pa /usr/X11R6/bin/xauth .
 .El
-.Ss Time Formats
-.Nm sshd
+.Sh TIME FORMATS
+.Xr sshd 8
 command-line arguments and configuration file options that specify time
 may be expressed using a sequence of the form:
 .Sm off
@@ -801,7 +943,7 @@ is a positive integer value and
 is one of the following:
 .Pp
 .Bl -tag -width Ds -compact -offset indent
-.It Cm <none>
+.It Aq Cm none
 seconds
 .It Cm s | Cm S
 seconds
@@ -832,7 +974,7 @@ Time format examples:
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config
 Contains configuration data for
-.Nm sshd .
+.Xr sshd 8 .
 This file should be writable by root only, but it is recommended
 (though not necessary) that it be world-readable.
 .El
diff --git a/sshlogin.c b/sshlogin.c
index 15eb916d1..0059ff8d0 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshlogin.c,v 1.25 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -39,7 +40,20 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshlogin.c,v 1.13 2004/08/12 09:18:24 djm Exp $");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
 
 #include "loginrec.h"
 #include "log.h"
@@ -54,15 +68,15 @@ extern ServerOptions options;
  * information is not available.  This must be called before record_login.
  * The host the user logged in from will be returned in buf.
  */
-u_long
+time_t
 get_last_login_time(uid_t uid, const char *logname,
-    char *buf, u_int bufsize)
+    char *buf, size_t bufsize)
 {
         struct logininfo li;
 
         login_get_lastlog(&li, uid);
         strlcpy(buf, li.hostname, bufsize);
-        return li.tv_sec;
+        return (time_t)li.tv_sec;
 }
 
 /*
@@ -103,7 +117,7 @@ store_lastlog_message(const char *user, uid_t uid)
  */
 void
 record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
-    const char *host, struct sockaddr * addr, socklen_t addrlen)
+    const char *host, struct sockaddr *addr, socklen_t addrlen)
 {
         struct logininfo *li;
 
@@ -119,7 +133,7 @@ record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
 #ifdef LOGIN_NEEDS_UTMPX
 void
 record_utmp_only(pid_t pid, const char *ttyname, const char *user,
-                 const char *host, struct sockaddr * addr, socklen_t addrlen)
+                 const char *host, struct sockaddr *addr, socklen_t addrlen)
 {
         struct logininfo *li;
 
diff --git a/sshlogin.h b/sshlogin.h
index 1c8bfad32..500d3fefd 100644
--- a/sshlogin.h
+++ b/sshlogin.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $    */
+/* $OpenBSD: sshlogin.h,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -11,18 +11,13 @@
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
  */
-#ifndef SSHLOGIN_H
-#define SSHLOGIN_H
 
-void
-record_login(pid_t, const char *, const char *, uid_t,
+void    record_login(pid_t, const char *, const char *, uid_t,
     const char *, struct sockaddr *, socklen_t);
 void   record_logout(pid_t, const char *, const char *);
-u_long         get_last_login_time(uid_t, const char *, char *, u_int);
+time_t  get_last_login_time(uid_t, const char *, char *, u_int);
 
 #ifdef LOGIN_NEEDS_UTMPX
 void    record_utmp_only(pid_t, const char *, const char *, const char *,
                 struct sockaddr *, socklen_t);
 #endif
-
-#endif
diff --git a/sshpty.c b/sshpty.c
index a3d0b8dfc..79c62ee9c 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshpty.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,18 +13,31 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshpty.c,v 1.12 2004/06/21 17:36:31 avsm Exp $");
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <signal.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#ifdef HAVE_PATHS_H
+# include <paths.h>
+#endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <termios.h>
 #ifdef HAVE_UTIL_H
 # include <util.h>
-#endif /* HAVE_UTIL_H */
+#endif
+#include <unistd.h>
 
 #include "sshpty.h"
 #include "log.h"
 #include "misc.h"
 
-#include "selinux.h"
-
 #ifdef HAVE_PTY_H
 # include <pty.h>
 #endif
@@ -40,7 +54,7 @@ RCSID("$OpenBSD: sshpty.c,v 1.12 2004/06/21 17:36:31 avsm Exp $");
  */
 
 int
-pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
+pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 {
         /* openpty(3) exists in OSF/1 and some other os'es */
         char *name;
@@ -163,11 +177,12 @@ pty_make_controlling_tty(int *ttyfd, const char *tty)
 /* Changes the window size associated with the pty. */
 
 void
-pty_change_window_size(int ptyfd, int row, int col,
-        int xpixel, int ypixel)
+pty_change_window_size(int ptyfd, u_int row, u_int col,
+        u_int xpixel, u_int ypixel)
 {
         struct winsize w;
 
+        /* may truncate u_int -> u_short */
         w.ws_row = row;
         w.ws_col = col;
         w.ws_xpixel = xpixel;
@@ -202,7 +217,9 @@ pty_setowner(struct passwd *pw, const char *tty)
                 fatal("stat(%.100s) failed: %.100s", tty,
                     strerror(errno));
 
-        setup_selinux_pty(pw->pw_name, tty);
+#ifdef WITH_SELINUX
+        ssh_selinux_setup_pty(pw->pw_name, tty);
+#endif
 
         if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
                 if (chown(tty, pw->pw_uid, gid) < 0) {
diff --git a/sshpty.h b/sshpty.h
index c0678de22..7fac622d9 100644
--- a/sshpty.h
+++ b/sshpty.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshpty.h,v 1.5 2004/05/08 00:01:37 deraadt Exp $      */
+/* $OpenBSD: sshpty.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -14,17 +14,14 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-#ifndef SSHPTY_H
-#define SSHPTY_H
+#include <termios.h>
 
 struct termios get_saved_tio(void);
 void     leave_raw_mode(void);
 void     enter_raw_mode(void);
 
-int      pty_allocate(int *, int *, char *, int);
+int      pty_allocate(int *, int *, char *, size_t);
 void     pty_release(const char *);
 void     pty_make_controlling_tty(int *, const char *);
-void     pty_change_window_size(int, int, int, int, int);
+void     pty_change_window_size(int, u_int, u_int, u_int, u_int);
 void     pty_setowner(struct passwd *, const char *);
-
-#endif                          /* SSHPTY_H */
diff --git a/sshtty.c b/sshtty.c
index 0b17c3e2d..04567669b 100644
--- a/sshtty.c
+++ b/sshtty.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshtty.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,10 +36,13 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshtty.c,v 1.6 2004/05/08 00:01:37 deraadt Exp $");
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <termios.h>
+#include <pwd.h>
 
 #include "sshpty.h"
-#include "log.h"
 
 static struct termios _saved_tio;
 static int _in_raw_mode = 0;
diff --git a/ttymodes.c b/ttymodes.c
index cf4c7d5c6..d8e2c553a 100644
--- a/ttymodes.c
+++ b/ttymodes.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ttymodes.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -43,14 +44,19 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ttymodes.c,v 1.19 2003/04/08 20:21:29 itojun Exp $");
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <string.h>
+#include <termios.h>
+#include <stdarg.h>
 
 #include "packet.h"
 #include "log.h"
 #include "ssh1.h"
 #include "compat.h"
 #include "buffer.h"
-#include "bufaux.h"
 
 #define TTY_OP_END              0
 /*
@@ -384,7 +390,8 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                         n_bytes += 4;
                         baud = packet_get_int();
                         debug3("tty_parse_modes: ispeed %d", baud);
-                        if (failure != -1 && cfsetispeed(&tio, baud_to_speed(baud)) == -1)
+                        if (failure != -1 &&
+                            cfsetispeed(&tio, baud_to_speed(baud)) == -1)
                                 error("cfsetispeed failed for %d", baud);
                         break;
 
@@ -394,7 +401,8 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                         n_bytes += 4;
                         baud = packet_get_int();
                         debug3("tty_parse_modes: ospeed %d", baud);
-                        if (failure != -1 && cfsetospeed(&tio, baud_to_speed(baud)) == -1)
+                        if (failure != -1 &&
+                            cfsetospeed(&tio, baud_to_speed(baud)) == -1)
                                 error("cfsetospeed failed for %d", baud);
                         break;
 
@@ -442,11 +450,12 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                                         /*
                                          * It is a truly undefined opcode (160 to 255).
                                          * We have no idea about its arguments.  So we
-                                         * must stop parsing.  Note that some data may be
-                                         * left in the packet; hopefully there is nothing
-                                         * more coming after the mode data.
+                                         * must stop parsing.  Note that some data
+                                         * may be left in the packet; hopefully there
+                                         * is nothing more coming after the mode data.
                                          */
-                                        logit("parse_tty_modes: unknown opcode %d", opcode);
+                                        logit("parse_tty_modes: unknown opcode %d",
+                                            opcode);
                                         goto set;
                                 }
                         } else {
@@ -462,7 +471,8 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                                         (void) packet_get_int();
                                         break;
                                 } else {
-                                        logit("parse_tty_modes: unknown opcode %d", opcode);
+                                        logit("parse_tty_modes: unknown opcode %d",
+                                            opcode);
                                         goto set;
                                 }
                         }
diff --git a/ttymodes.h b/ttymodes.h
index 481282cd7..4d848fe3a 100644
--- a/ttymodes.h
+++ b/ttymodes.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ttymodes.h,v 1.13 2004/07/11 17:48:47 deraadt Exp $   */
+/* $OpenBSD: ttymodes.h,v 1.14 2006/03/25 22:22:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/uidswap.c b/uidswap.c
index aab7064eb..91d878c30 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: uidswap.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,7 +13,15 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
+
+#include <sys/param.h>
+#include <errno.h>
+#include <pwd.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
+
+#include <grp.h>
 
 #include "log.h"
 #include "uidswap.h"
@@ -77,7 +86,7 @@ temporarily_use_uid(struct passwd *pw)
                 fatal("getgroups: %.100s", strerror(errno));
         if (saved_egroupslen > 0) {
                 saved_egroups = xrealloc(saved_egroups,
-                    saved_egroupslen * sizeof(gid_t));
+                    saved_egroupslen, sizeof(gid_t));
                 if (getgroups(saved_egroupslen, saved_egroups) < 0)
                         fatal("getgroups: %.100s", strerror(errno));
         } else { /* saved_egroupslen == 0 */
@@ -96,7 +105,7 @@ temporarily_use_uid(struct passwd *pw)
                         fatal("getgroups: %.100s", strerror(errno));
                 if (user_groupslen > 0) {
                         user_groups = xrealloc(user_groups,
-                            user_groupslen * sizeof(gid_t));
+                            user_groupslen, sizeof(gid_t));
                         if (getgroups(user_groupslen, user_groups) < 0)
                                 fatal("getgroups: %.100s", strerror(errno));
                 } else { /* user_groupslen == 0 */
@@ -123,6 +132,41 @@ temporarily_use_uid(struct passwd *pw)
                     strerror(errno));
 }
 
+void
+permanently_drop_suid(uid_t uid)
+{
+        uid_t old_uid = getuid();
+
+        debug("permanently_drop_suid: %u", (u_int)uid);
+#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
+        if (setresuid(uid, uid, uid) < 0)
+                fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
+#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+        if (setreuid(uid, uid) < 0)
+                fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
+#else
+# ifndef SETEUID_BREAKS_SETUID
+        if (seteuid(uid) < 0)
+                fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
+# endif
+        if (setuid(uid) < 0)
+                fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
+#endif
+
+#ifndef HAVE_CYGWIN
+        /* Try restoration of UID if changed (test clearing of saved uid) */
+        if (old_uid != uid &&
+            (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+                fatal("%s: was able to restore old [e]uid", __func__);
+#endif
+
+        /* Verify UID drop was successful */
+        if (getuid() != uid || geteuid() != uid) {
+                fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
+                    __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
+        }
+}
+
 /*
  * Restores to the original (privileged) uid.
  */
@@ -169,6 +213,8 @@ permanently_set_uid(struct passwd *pw)
         uid_t old_uid = getuid();
         gid_t old_gid = getgid();
 
+        if (pw == NULL)
+                fatal("permanently_set_uid: no user given");
         if (temporarily_use_uid_effective)
                 fatal("permanently_set_uid: temporarily_use_uid effective");
         debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
diff --git a/uidswap.h b/uidswap.h
index 0726980d0..1c1163d75 100644
--- a/uidswap.h
+++ b/uidswap.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: uidswap.h,v 1.9 2001/06/26 17:27:25 markus Exp $      */
+/* $OpenBSD: uidswap.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -12,11 +12,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-#ifndef UIDSWAP_H
-#define UIDSWAP_H
-
 void     temporarily_use_uid(struct passwd *);
 void     restore_uid(void);
 void     permanently_set_uid(struct passwd *);
-
-#endif                          /* UIDSWAP_H */
+void     permanently_drop_suid(uid_t);
diff --git a/uuencode.c b/uuencode.c
index 0a7c8d16a..a13949585 100644
--- a/uuencode.c
+++ b/uuencode.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,7 +24,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: uuencode.c,v 1.17 2003/11/10 16:23:41 jakob Exp $");
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <resolv.h>
+#include <stdio.h>
 
 #include "xmalloc.h"
 #include "uuencode.h"
@@ -58,9 +63,14 @@ uudecode(const char *src, u_char *target, size_t targsize)
 void
 dump_base64(FILE *fp, u_char *data, u_int len)
 {
-        char *buf = xmalloc(2*len);
+        char *buf;
         int i, n;
 
+        if (len > 65536) {
+                fprintf(fp, "dump_base64: len > 65536\n");
+                return;
+        }
+        buf = xmalloc(2*len);
         n = uuencode(data, len, buf, 2*len);
         for (i = 0; i < n; i++) {
                 fprintf(fp, "%c", buf[i]);
diff --git a/uuencode.h b/uuencode.h
index 08e87c4bc..fec55b491 100644
--- a/uuencode.h
+++ b/uuencode.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: uuencode.h,v 1.10 2003/11/10 16:23:41 jakob Exp $     */
+/* $OpenBSD: uuencode.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,9 +24,6 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifndef UUENCODE_H
-#define UUENCODE_H
 int      uuencode(const u_char *, u_int, char *, size_t);
 int      uudecode(const char *, u_char *, size_t);
 void     dump_base64(FILE *, u_char *, u_int);
-#endif
diff --git a/version.h b/version.h
index 35eb49d63..9a4dd9aec 100644
--- a/version.h
+++ b/version.h
@@ -1,8 +1,8 @@
-/* $OpenBSD: version.h,v 1.46 2006/02/01 11:27:22 markus Exp $ */
+/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_4.3"
+#define SSH_VERSION     "OpenSSH_4.6"
 
-#define SSH_PORTABLE    "p2"
+#define SSH_PORTABLE    "p1"
 #ifndef SSH_EXTRAVERSION
 #define SSH_EXTRAVERSION
 #endif
diff --git a/xmalloc.c b/xmalloc.c
index 99c6ac330..9985b4cc2 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -13,7 +14,12 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: xmalloc.c,v 1.16 2001/07/23 18:21:46 stevesk Exp $");
+
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 
 #include "xmalloc.h"
 #include "log.h"
@@ -32,18 +38,38 @@ xmalloc(size_t size)
 }
 
 void *
-xrealloc(void *ptr, size_t new_size)
+xcalloc(size_t nmemb, size_t size)
+{
+        void *ptr;
+
+        if (size == 0 || nmemb == 0)
+                fatal("xcalloc: zero size");
+        if (SIZE_T_MAX / nmemb < size)
+                fatal("xcalloc: nmemb * size > SIZE_T_MAX");
+        ptr = calloc(nmemb, size);
+        if (ptr == NULL)
+                fatal("xcalloc: out of memory (allocating %lu bytes)",
+                    (u_long)(size * nmemb));
+        return ptr;
+}
+
+void *
+xrealloc(void *ptr, size_t nmemb, size_t size)
 {
         void *new_ptr;
+        size_t new_size = nmemb * size;
 
         if (new_size == 0)
                 fatal("xrealloc: zero size");
+        if (SIZE_T_MAX / nmemb < size)
+                fatal("xrealloc: nmemb * size > SIZE_T_MAX");
         if (ptr == NULL)
                 new_ptr = malloc(new_size);
         else
                 new_ptr = realloc(ptr, new_size);
         if (new_ptr == NULL)
-                fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
+                fatal("xrealloc: out of memory (new_size %lu bytes)",
+                    (u_long) new_size);
         return new_ptr;
 }
 
@@ -66,3 +92,19 @@ xstrdup(const char *str)
         strlcpy(cp, str, len);
         return cp;
 }
+
+int
+xasprintf(char **ret, const char *fmt, ...)
+{
+        va_list ap;
+        int i;
+
+        va_start(ap, fmt);
+        i = vasprintf(ret, fmt, ap);
+        va_end(ap);
+
+        if (i < 0 || *ret == NULL)
+                fatal("xasprintf: could not allocate memory");
+
+        return (i);
+}
diff --git a/xmalloc.h b/xmalloc.h
index 7ac4b13d6..fb217a45c 100644
--- a/xmalloc.h
+++ b/xmalloc.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: xmalloc.h,v 1.9 2002/06/19 00:27:55 deraadt Exp $     */
+/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,12 +16,11 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-#ifndef XMALLOC_H
-#define XMALLOC_H
-
 void    *xmalloc(size_t);
-void    *xrealloc(void *, size_t);
+void    *xcalloc(size_t, size_t);
+void    *xrealloc(void *, size_t, size_t);
 void     xfree(void *);
 char    *xstrdup(const char *);
-
-#endif                          /* XMALLOC_H */
+int      xasprintf(char **, const char *, ...)
+                __attribute__((__format__ (printf, 2, 3)))
+                __attribute__((__nonnull__ (2)));