- (djm) Rework RedHat RPM files. Based on spec from Nalin

   Dahyabhai <nalin@redhat.com> and patches from
   Pekka Savola <pekkas@netcore.fi>

8 files changed, 773 insertions, 202 deletions

diff --git a/contrib/redhat/gnome-ssh-askpass.csh b/contrib/redhat/gnome-ssh-askpass.csh
new file mode 100644
index 000000000..dd77712cd
--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
diff --git a/contrib/redhat/gnome-ssh-askpass.sh b/contrib/redhat/gnome-ssh-askpass.sh
new file mode 100644
index 000000000..355189f45
--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 25acf0569..e70f43893 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,5 +1,9 @@
-# Version of OpenSSH
-%define oversion 3.2p1
+%define ver 3.2.1p1
+%define rel 1
+
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid    74
+%define sshd_gid    74
 
 # Version of ssh-askpass
 %define aversion 1.2.4.1
@@ -16,8 +20,8 @@
 # Do we want smartcard support (1=yes 0=no)
 %define scard 0
 
-# Use Redhat 7.0 pam control file
-%define redhat7 0
+# Is this build for RHL 6.x?
+%define build6x 0
 
 # Disable IPv6 (avoids DNS hangs on some glibc versions)
 %define noip6 0
@@ -27,9 +31,14 @@
 %{?skip_x11_askpass:%define no_x11_askpass 1}
 %{?skip_gnome_askpass:%define no_gnome_askpass 1}
 
-# Options for Redhat version:
-# rpm -ba|--rebuild --define "rh7 1"
-%{?rh7:%define redhat7 1}
+# Is this a build for RHL 6.x or earlier?
+%{?build_6x:%define build6x 1}
+
+# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
+%if %{build6x}
+%define _sysconfdir /etc
+%define noip6 1
+%endif
 
 # Options for static OpenSSL link:
 # rpm -ba|--rebuild --define "static_openssl 1"
@@ -43,37 +52,43 @@
 # rpm -ba|--rebuild --define "noipv6 1"
 %{?noipv6:%define noip6 1}
 
-%define exact_openssl_version   %(rpm -q openssl | cut -d - -f 2)
+# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
+%define rescue 0
+%{?build_rescue:%define rescue 1}
 
-Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
+Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
 Name: openssh
-Version: %{oversion}
-Release: 1
-Packager: Damien Miller <djm@mindrot.org>
+Version: %{ver}
+%if %{rescue}
+Release: %{rel}rescue
+%else
+Release: %{rel}
+%endif
 URL: http://www.openssh.com/portable.html
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz
-%if ! %{no_x11_askpass}
+Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
-%endif
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 Obsoletes: ssh
-BuildPreReq: perl, openssl-devel, tcp_wrappers
-BuildPreReq: /bin/login, /usr/include/security/pam_appl.h
-BuildPreReq: rpm >= 3.0.5
+%if %{build6x}
+PreReq: initscripts >= 5.00
+%else
+PreReq: initscripts >= 5.20
+%endif
+BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+BuildPreReq: /bin/login
+%if %{build6x}
+BuildPreReq: glibc-devel, pam
+%else
+BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
+%endif
 %if ! %{no_x11_askpass}
 BuildPreReq: XFree86-devel
 %endif
 %if ! %{no_gnome_askpass}
 BuildPreReq: gnome-libs-devel
 %endif
-%if ! %{static_libcrypto}
-PreReq: openssl >= 0.9.5a
-PreReq: openssl = %{exact_openssl_version}
-Requires: openssl >= 0.9.5a
-%endif
-Requires: rpm >= 3.0.5
 
 %package clients
 Summary: OpenSSH clients.
@@ -86,7 +101,7 @@ Summary: The OpenSSH server daemon.
 Group: System Environment/Daemons
 Obsoletes: ssh-server
 PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
-%if %{redhat7}
+%if ! %{build6x}
 Requires: /etc/pam.d/system-auth
 %endif
 
@@ -103,41 +118,43 @@ Requires: openssh = %{version}-%{release}
 Obsoletes: ssh-extras
 
 %description
-OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
-replaces rlogin and rsh, to provide secure encrypted communications
-between two untrusted hosts over an insecure network. X11 connections
-and arbitrary TCP/IP ports can also be forwarded over the secure
-channel. Public key authentication may be used for "passwordless"
-access to servers.
+SSH (Secure SHell) is a program for logging into and executing
+commands on a remote machine. SSH is intended to replace rlogin and
+rsh, and to provide secure encrypted communications between two
+untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's version of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to separate libraries.
 
 This package includes the core files necessary for both the OpenSSH
 client and server. To make this package useful, you should also
 install openssh-clients, openssh-server, or both.
 
 %description clients
-OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.
-
-This package includes the clients necessary to make encrypted
-connections to SSH protocol servers.  You'll also need to install the
-openssh package on OpenSSH clients.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the clients necessary to make encrypted connections to SSH servers.
+You'll also need to install the openssh package on OpenSSH clients.
 
 %description server
-OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.
-
-This package contains the secure shell daemon (sshd). The sshd daemon
-allows SSH clients to securely connect to your SSH server. You also
-need to have the openssh package installed.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the secure shell daemon (sshd). The sshd daemon allows SSH clients to
+securely connect to your SSH server. You also need to have the openssh
+package installed.
 
 %description askpass
-OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.
-
-This package contains an X11 passphrase dialog for OpenSSH.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH.
 
 %description askpass-gnome
-OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.
-
-This package contains an X11 passphrase dialog for OpenSSH and the
-GNOME GUI desktop environment.
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
+environment.
 
 %prep
 
@@ -148,39 +165,37 @@ GNOME GUI desktop environment.
 %endif
 
 %build
-
-%define _sysconfdir /etc/ssh
-
-EXTRA_OPTS=""
-
-%if %{scard}
-        EXTRA_OPTS="$EXTRA_OPTS --with-smartcard"
-%endif
-
-%if %{noip6}
-        EXTRA_OPTS="$EXTRA_OPTS --with-ipv4-default "
+%if %{rescue}
+CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %endif
 
 %configure \
+        --sysconfdir=%{_sysconfdir}/ssh \
         --libexecdir=%{_libexecdir}/openssh \
         --datadir=%{_datadir}/openssh \
-        --with-pam \
         --with-tcp-wrappers \
-        --with-rsh=/usr/bin/rsh \
-        --with-kerberos5=/usr/kerberos \
-        --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
-        $EXTRA_OPTS
+        --with-rsh=%{_bindir}/rsh \
+%if %{scard}
+        --with-smartcard \
+%endif
+%if %{noip6}
+        --with-ipv4-default \
+%endif
+%if %{rescue}
+        --without-pam --with-md5-passwords
+%else
+        --with-pam --with-kerberos5=/usr/kerberos
+%endif
 
 %if %{static_libcrypto}
-perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile
+perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
 %endif
 
 make
 
 %if ! %{no_x11_askpass}
 pushd x11-ssh-askpass-%{aversion}
-%configure \
-        --libexecdir=%{_libexecdir}/openssh
+%configure --libexecdir=%{_libexecdir}/openssh
 xmkmf -a
 make
 popd
@@ -188,7 +203,7 @@ popd
 
 %if ! %{no_gnome_askpass}
 pushd contrib
-gcc -O -g `gnome-config --cflags gnome gnomeui` \
+gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
         gnome-ssh-askpass.c -o gnome-ssh-askpass \
         `gnome-config --libs gnome gnomeui`
 popd
@@ -196,58 +211,98 @@ popd
 
 %install
 rm -rf $RPM_BUILD_ROOT
-%{makeinstall} \
-        libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \
-        datadir=$RPM_BUILD_ROOT%{_datadir}/openssh \
-        DESTDIR=/ # Hack to disable key generation
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/run/empty-sshd
 
+make install DESTDIR=$RPM_BUILD_ROOT
 
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-%if %{redhat7}
-install -m644 contrib/redhat/sshd.pam-7.x $RPM_BUILD_ROOT/etc/pam.d/sshd
+%if %{build6x}
+install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
 %else
-install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
 %endif
 install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 
 %if ! %{no_x11_askpass}
 install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
-ln -s /usr/libexec/openssh/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
+ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 %endif
 
 %if ! %{no_gnome_askpass}
 install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif
 
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%triggerun server -- ssh-server
+if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
+        touch /var/run/sshd.restart
+fi
+
+%triggerun server -- openssh-server < 2.5.0p1
+# Count the number of HostKey and HostDsaKey statements we have.
+gawk    'BEGIN {IGNORECASE=1}
+         /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
+         END {exit sawhostkey}' /etc/ssh/sshd_config
+# And if we only found one, we know the client was relying on the old default
+# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
+# specified.  Now that HostKey is used for both SSH1 and SSH2 keys, specifying
+# one nullifies the default, which would have loaded both.
+if [ $? -eq 1 ] ; then
+        echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+        echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
+fi
+
+%triggerpostun server -- ssh-server
+if [ "$1" != 0 ] ; then
+        /sbin/chkconfig --add sshd
+        if test -f /var/run/sshd.restart ; then
+                rm -f /var/run/sshd.restart
+                /sbin/service sshd start > /dev/null 2>&1 || :
+        fi
+fi
+
+%pre server
+%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/run/empty-sshd -s /bin/false -u %{sshd_uid} \
+        -g sshd -M -r sshd 2>/dev/null || :
+
 %post server
 /sbin/chkconfig --add sshd
-if test -r /var/run/sshd.pid ; then
-        /etc/rc.d/init.d/sshd restart >&2
-fi
+
+%postun server
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
 
 %preun server
-if [ "$1" = 0 ] ; then
-        /etc/rc.d/init.d/sshd stop >&2
+if [ "$1" = 0 ]
+then
+        /sbin/service sshd stop > /dev/null 2>&1 || :
         /sbin/chkconfig --del sshd
 fi
 
 %files
 %defattr(-,root,root)
 %doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
-%attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0755,root,root) %{_bindir}/scp
-%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
-%attr(0755,root,root) %dir %{_sysconfdir}
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/moduli
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%if ! %{rescue}
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
+%endif
 %if %{scard}
 %attr(0755,root,root) %dir %{_datadir}/openssh
 %attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
@@ -256,29 +311,34 @@ fi
 %files clients
 %defattr(-,root,root)
 %attr(4755,root,root) %{_bindir}/ssh
+%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(-,root,root) %{_bindir}/slogin
+%attr(-,root,root) %{_mandir}/man1/slogin.1*
+%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
 %attr(0755,root,root) %{_bindir}/sftp
-%attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh_config
-%attr(-,root,root) %{_bindir}/slogin
-%attr(-,root,root) %{_mandir}/man1/slogin.1*
+%endif
 
+%if ! %{rescue}
 %files server
 %defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/run/empty-sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
-#%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+%endif
 
 %if ! %{no_x11_askpass}
 %files askpass
@@ -293,44 +353,389 @@ fi
 %if ! %{no_gnome_askpass}
 %files askpass-gnome
 %defattr(-,root,root)
+%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
 %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
 %endif
 
 %changelog
-* Mon Oct 18 2000 Damien Miller <djm@mindrot.org>
-- Merge some of Nalin Dahyabhai <nalin@redhat.com> changes from the 
-  Redhat 7.0 spec file
-* Tue Sep 05 2000 Damien Miller <djm@mindrot.org>
-- Use RPM configure macro
-* Tue Aug 08 2000 Damien Miller <djm@mindrot.org>
-- Some surgery to sshd.init (generate keys at runtime)
-- Cleanup of groups and removal of keygen calls
-* Wed Jul 12 2000 Damien Miller <djm@mindrot.org>
-- Make building of X11-askpass and gnome-askpass optional
-* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
-- Glob manpages to catch compressed files
+* Fri May 10 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from RedHat, reorgansie a little
+- Add Privsep user, group and directory
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
+- bump and grind (through the build system)
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
+- require sharutils for building (mindrot #137)
+- require db1-devel only when building for 6.x (#55105), which probably won't
+  work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
+- require pam-devel by file (not by package name) again
+- add Markus's patch to compile with OpenSSL 0.9.5a (from
+  http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
+  building for 6.x
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
+- update to 3.1p1
+
+* Tue Mar  5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
+- update to SNAP-20020305
+- drop debug patch, fixed upstream
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
+- update to SNAP-20020220 for testing purposes (you've been warned, if there's
+  anything to be warned about, gss patches won't apply, I don't mind)
+
+* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
+- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
+  exchange, authentication, and named key support
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
+- remove dependency on db1-devel, which has just been swallowed up whole
+  by gnome-libs-devel
+
+* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- adjust build dependencies so that build6x actually works right (fix
+  from Hugo van der Kooij)
+
+* Tue Dec  4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
+- update to 3.0.2p1
+
+* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
+- update to 3.0.1p1
+
+* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to current CVS (not for use in distribution)
+
+* Thu Nov  8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
+- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
+  3.0p1 spec file and init script
+
+* Wed Nov  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 3.0p1
+- update to x11-ssh-askpass 1.2.4.1
+- change build dependency on a file from pam-devel to the pam-devel package
+- replace primes with moduli
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
+- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
+
+* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
+- Merge changes to rescue build from current sysadmin survival cd
+
+* Thu Sep  6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
+- fix scp's server's reporting of file sizes, and build with the proper
+  preprocessor define to get large-file capable open(), stat(), etc.
+  (sftp has been doing this correctly all along) (#51827)
+- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
+- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
+- mark profile.d scriptlets as config files (#42337)
+- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
+- change a couple of log() statements to debug() statements (#50751)
+- pull cvs patch to add -t flag to sshd (#28611)
+- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
+
+* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
+- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to fix remote port forwarding with protocol 2
+
+* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to add session initialization to no-pty sessions
+- pull cvs patch to not cut off challengeresponse auth needlessly
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+  it by default on a system that doesn't have X installed (#49263)
+
+* Wed Aug  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
+
+* Mon Aug  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pass OPTIONS correctly to initlog (#50151)
+
+* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- switch to x11-ssh-askpass 1.2.2
+
+* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable the gssapi patch
+
+* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9p2
+- refresh to a new version of the gssapi patch
+
+* Thu Jun  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change Copyright: BSD to License: BSD
+- add Markus Friedl's unverified patch for the cookie file deletion problem
+  so that we can verify it
+- drop patch to check if xauth is present (was folded into cookie patch)
+- don't apply gssapi patches for the errata candidate
+- clear supplemental groups list at startup
+
+* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix an error parsing the new default sshd_config
+- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
+  dealing with comments right
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
+  to be removed before the next beta cycle because it's a big departure
+  from the upstream version
+
+* Thu May  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- finish marking strings in the init script for translation
+- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
+  at startup (change merged from openssh.com init script, originally by
+  Pekka Savola)
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+  it by default on a system that doesn't have X installed
+
+* Wed May  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9
+- drop various patches that came from or went upstream or to or from CVS
+
+* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
+
+* Sun Apr  8 2001 Preston Brown <pbrown@redhat.com>
+- remove explicit openssl requirement, fixes builddistro issue
+- make initscript stop() function wait until sshd really dead to avoid 
+  races in condrestart
+
+* Mon Apr  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- mention that challengereponse supports PAM, so disabling password doesn't
+  limit users to pubkey and rsa auth (#34378)
+- bypass the daemon() function in the init script and call initlog directly,
+  because daemon() won't start a daemon it detects is already running (like
+  open connections)
+- require the version of openssl we had when we were built
+
+* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make do_pam_setcred() smart enough to know when to establish creds and
+  when to reinitialize them
+- add in a couple of other fixes from Damien for inclusion in the errata
+
+* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p2
+- call setcred() again after initgroups, because the "creds" could actually
+  be group memberships
+
+* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
+- don't enable challenge-response by default until we find a way to not
+  have too many userauth requests (we may make up to six pubkey and up to
+  three password attempts as it is)
+- remove build dependency on rsh to match openssh.com's packages more closely
+
+* Sat Mar  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove dependency on openssl -- would need to be too precise
+
+* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Revert the patch to move pam_open_session.
+- Init script and spec file changes from Pekka Savola. (#28750)
+- Patch sftp to recognize '-o protocol' arguments. (#29540)
+
+* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Chuck the closing patch.
+- Add a trigger to add host keys for protocol 2 to the config file, now that
+  configuration file syntax requires us to specify it with HostKey if we
+  specify any other HostKey values, which we do.
+
+* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Redo patch to move pam_open_session after the server setuid()s to the user.
+- Rework the nopam patch to use be picked up by autoconf.
+
+* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.1p1.
+- Add init script mods from Pekka Savola.
+- Tweak the init script to match the CVS contrib script more closely.
+- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
+  adding id_rsa.
+
+* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.0p1.
+- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
+- Resync with parts of Damien Miller's openssh.spec from CVS, including
+  update of x11 askpass to 1.2.0.
+- Only require openssl (don't prereq) because we generate keys in the init
+  script now.
+
+* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Don't open a PAM session until we've forked and become the user (#25690).
+- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
+  host the user is attempting a login from.
+- Resync with parts of Damien Miller's openssh.spec from CVS.
+- Don't expose KbdInt responses in debug messages (from CVS).
+- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
+
+* Wed Feb  7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
+- i18n-tweak to initscript.
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- More gettextizing.
+- Close all files after going into daemon mode (needs more testing).
+- Extract patch from CVS to handle auth banners (in the client).
+- Extract patch from CVS to handle compat weirdness.
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Finish with the gettextizing.
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Fix a bug in auth2-pam.c (#23877)
+- Gettextize the init script.
+
+* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate a switch for using PAM configs for 6.x, just in case.
+
+* Tue Dec  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate Bero's changes for a build specifically for rescue CDs.
+
+* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
+  succeeded, to allow public-key authentication after a failure with "none"
+  authentication.  (#21268)
+
+* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to x11-askpass 1.1.1. (#21301)
+- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Merge multiple PAM text messages into subsequent prompts when possible when
+  doing keyboard-interactive authentication.
+
+* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Disable the built-in MD5 password support.  We're using PAM.
+- Take a crack at doing keyboard-interactive authentication with PAM, and
+  enable use of it in the default client configuration so that the client
+  will try it when the server disallows password authentication.
+- Build with debugging flags.  Build root policies strip all binaries anyway.
+
+* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Use DESTDIR instead of %%makeinstall.
+- Remove /usr/X11R6/bin from the path-fixing patch.
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add the primes file from the latest snapshot to the main package (#20884).
+- Add the dev package to the prereq list (#19984).
+- Remove the default path and mimic login's behavior in the server itself.
+
+* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Resync with conditional options in Damien Miller's .spec file for an errata.
+- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
+
+* Tue Nov  7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to OpenSSH 2.3.0p1.
+- Update to x11-askpass 1.1.0.
+- Enable keyboard-interactive authentication.
+
+* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to ssh-askpass-x11 1.0.3.
+- Change authentication related messages to be private (#19966).
+
+* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch ssh-keygen to be able to list signatures for DSA public key files
+  it generates.
+
+* Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
+  build PAM authentication in.
+- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
+- Clean out no-longer-used patches.
+- Patch ssh-add to try to add both identity and id_dsa, and to error only
+  when neither exists.
+
+* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update x11-askpass to 1.0.2. (#17835)
+- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
+  always find them in the right place. (#17909)
+- Set the default path to be the same as the one supplied by /bin/login, but
+  add /usr/X11R6/bin. (#17909)
+- Try to handle obsoletion of ssh-server more cleanly.  Package names
+  are different, but init script name isn't. (#17865)
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.0p1. (#17835)
+- Tweak the init script to allow proper restarting. (#18023)
+
+* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 20000823 snapshot.
+- Change subpackage requirements from %%{version} to %%{version}-%%{release}
+- Back out the pipe patch.
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p4, which includes fixes for config file parsing problems.
+- Move the init script back.
+- Add Damien's quick fix for wackiness.
+
+* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
+
+* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Move condrestart to server postun.
+- Move key generation to init script.
+- Actually use the right patch for moving the key generation to the init script.
+- Clean up the init script a bit.
+
+* Wed Jul  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
+
+* Sun Jul  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p2.
+- Use of strtok() considered harmful.
+
+* Sat Jul  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Get the build root out of the man pages.
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add and use condrestart support in the init script.
+- Add newer initscripts as a prereq.
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Build in new environment (release 2)
+- Move -clients subpackage to Applications/Internet group
+
+* Fri Jun  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.1p1
+
+* Sat Jun  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch to build with neither RSA nor RSAref.
+- Miscellaneous FHS-compliance tweaks.
+- Fix for possibly-compressed man pages.
+
 * Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
 - Updated for new location
 - Updated for new gnome-ssh-askpass build
+
 * Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
 - Added Jim Knoble's <jmknoble@pobox.com> askpass
+
 * Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
 - Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+
 * Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
 - Added 'Obsoletes' directives
+
 * Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
 - Use make install
 - Subpackages
+
 * Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
 - Added links for slogin
 - Fixed perms on manpages
+
 * Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
 - Renamed init script
+
 * Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
 - Back to old binary names
+
 * Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
 - Use autoconf
 - New binary names
+
 * Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
 - Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
-
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 86b040cda..4ee8630c3 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Init file for OpenSSH server daemon
 #
 # chkconfig: 2345 55 25
@@ -15,149 +15,140 @@
 # source function library
 . /etc/rc.d/init.d/functions
 
+# pull in sysconfig settings
 [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
 
 RETVAL=0
+prog="sshd"
 
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
 RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
-my_success() {
-  local msg
-  if [ $# -gt 1 ]; then
-    msg="$2"
-  else
-    msg="done"
-  fi
-  case "`type -type success`" in
-    function)
-      success "$1"
-    ;;
-    *)
-      echo -n "${msg}"
-    ;;
-  esac
-}
-my_failure() {
-  local msg
-  if [ $# -gt 1 ]; then
-    msg="$2"
-  else
-    msg="FAILED"
-  fi
-  case "`type -type failure`" in
-    function)
-      failure "$1"
-    ;;
-    *)
-      echo -n "${msg}"
-    ;;
-  esac
-}
+
 do_rsa1_keygen() {
-        if ! test -f $RSA1_KEY ; then
-                echo -n "Generating SSH1 RSA host key: "
+        if [ ! -s $RSA1_KEY ]; then
+                echo -n $"Generating SSH1 RSA host key: "
                 if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
-                        my_success "RSA1 key generation"
+                        chmod 600 $RSA1_KEY
+                        chmod 644 $RSA1_KEY.pub
+                        success $"RSA1 key generation"
                         echo
                 else
-                        my_failure "RSA1 key generation"
+                        failure $"RSA1 key generation"
                         echo
                         exit 1
                 fi
         fi
 }
+
 do_rsa_keygen() {
-        if ! test -f $RSA_KEY ; then
-                echo -n "Generating SSH2 RSA host key: "
+        if [ ! -s $RSA_KEY ]; then
+                echo -n $"Generating SSH2 RSA host key: "
                 if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
-                        my_success "RSA key generation"
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+                        success $"RSA key generation"
                         echo
                 else
-                        my_failure "RSA key generation"
+                        failure $"RSA key generation"
                         echo
                         exit 1
                 fi
         fi
 }
+
 do_dsa_keygen() {
-        if ! test -f $DSA_KEY ; then
-                echo -n "Generating SSH2 DSA host key: "
+        if [ ! -s $DSA_KEY ]; then
+                echo -n $"Generating SSH2 DSA host key: "
                 if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
-                        my_success "DSA key generation"
+                        chmod 600 $DSA_KEY
+                        chmod 644 $DSA_KEY.pub
+                        success $"DSA key generation"
                         echo
                 else
-                        my_failure "DSA key generation"
+                        failure $"DSA key generation"
                         echo
                         exit 1
                 fi
         fi
 }
-do_restart_sanity_check() {
-        sshd -t
+
+do_restart_sanity_check()
+{
+        $SSHD -t
         RETVAL=$?
         if [ ! "$RETVAL" = 0 ]; then
-                my_failure "Configuration file or keys"
+                failure $"Configuration file or keys are invalid"
                 echo
-                exit $RETVAL
         fi
 }
 
+start()
+{
+        # Create keys if necessary
+        do_rsa1_keygen
+        do_rsa_keygen
+        do_dsa_keygen
+
+        echo -n $"Starting $prog:"
+        initlog -c "$SSHD $OPTIONS" && success || failure
+        RETVAL=$?
+        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+        echo
+}
+
+stop()
+{
+        echo -n $"Stopping $prog:"
+        killproc $SSHD -TERM
+        RETVAL=$?
+        [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+        echo
+}
+
+reload()
+{
+        echo -n $"Reloading $prog:"
+        killproc $SSHD -HUP
+        RETVAL=$?
+        echo
+}
 
 case "$1" in
         start)
-                # Create keys if necessary
-                do_rsa1_keygen;
-                do_rsa_keygen;
-                do_dsa_keygen;
-                
-                echo -n "Starting sshd: "
-                if [ ! -f $PID_FILE ] ; then
-                        sshd $OPTIONS
-                        RETVAL=$?
-                        if [ "$RETVAL" = "0" ] ; then
-                                my_success "sshd startup" "sshd"
-                                touch /var/lock/subsys/sshd
-                        else
-                                my_failure "sshd startup" ""
-                        fi
-                fi
-                echo
+                start
                 ;;
         stop)
-                echo -n "Shutting down sshd: "
-                if [ -f $PID_FILE ] ; then
-                        killproc sshd
-                        RETVAL=$?
-                        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
-                fi
-                echo
+                stop
                 ;;
         restart)
-                do_restart_sanity_check
-                $0 stop
-                $0 start
-                RETVAL=$?
+                stop
+                start
+                ;;
+        reload)
+                reload
                 ;;
         condrestart)
                 if [ -f /var/lock/subsys/sshd ] ; then
                         do_restart_sanity_check
-                        $0 stop
-                        $0 start
-                        RETVAL=$?
+                        if [ "$RETVAL" = 0 ] ; then
+                                stop
+                                # avoid race
+                                sleep 3
+                                start
+                        fi
                 fi
                 ;;
         status)
-                status sshd
+                status $SSHD
                 RETVAL=$?
                 ;;
         *)
-                echo "Usage: sshd {start|stop|restart|status|condrestart}"
-                exit 1
-                ;;
+                echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
+                RETVAL=1
 esac
-
 exit $RETVAL
diff --git a/contrib/redhat/sshd.init.old b/contrib/redhat/sshd.init.old
new file mode 100755
index 000000000..0deb6080e
--- /dev/null
+++ b/contrib/redhat/sshd.init.old
@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+my_success() {
+  local msg
+  if [ $# -gt 1 ]; then
+    msg="$2"
+  else
+    msg="done"
+  fi
+  case "`type -type success`" in
+    function)
+      success "$1"
+    ;;
+    *)
+      echo -n "${msg}"
+    ;;
+  esac
+}
+my_failure() {
+  local msg
+  if [ $# -gt 1 ]; then
+    msg="$2"
+  else
+    msg="FAILED"
+  fi
+  case "`type -type failure`" in
+    function)
+      failure "$1"
+    ;;
+    *)
+      echo -n "${msg}"
+    ;;
+  esac
+}
+do_rsa1_keygen() {
+        if [ ! -s $RSA1_KEY ]; then
+                echo -n "Generating SSH1 RSA host key: "
+                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+                        chmod 600 $RSA1_KEY
+                        chmod 644 $RSA1_KEY.pub
+                        my_success "RSA1 key generation"
+                        echo
+                else
+                        my_failure "RSA1 key generation"
+                        echo
+                        exit 1
+                fi
+        fi
+}
+do_rsa_keygen() {
+        if [ ! -s $RSA_KEY ]; then
+                echo -n "Generating SSH2 RSA host key: "
+                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+                        my_success "RSA key generation"
+                        echo
+                else
+                        my_failure "RSA key generation"
+                        echo
+                        exit 1
+                fi
+        fi
+}
+do_dsa_keygen() {
+        if [ ! -s $DSA_KEY ]; then
+                echo -n "Generating SSH2 DSA host key: "
+                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+                        chmod 600 $DSA_KEY
+                        chmod 644 $DSA_KEY.pub
+                        my_success "DSA key generation"
+                        echo
+                else
+                        my_failure "DSA key generation"
+                        echo
+                        exit 1
+                fi
+        fi
+}
+do_restart_sanity_check() {
+        $SSHD -t
+        RETVAL=$?
+        if [ ! "$RETVAL" = 0 ]; then
+                my_failure "Configuration file or keys"
+                echo
+        fi
+}
+
+
+case "$1" in
+        start)
+                # Create keys if necessary
+                do_rsa1_keygen;
+                do_rsa_keygen;
+                do_dsa_keygen;
+                
+                echo -n "Starting sshd: "
+                if [ ! -f $PID_FILE ] ; then
+                        sshd $OPTIONS
+                        RETVAL=$?
+                        if [ "$RETVAL" = "0" ] ; then
+                                my_success "sshd startup" "sshd"
+                                touch /var/lock/subsys/sshd
+                        else
+                                my_failure "sshd startup" ""
+                        fi
+                fi
+                echo
+                ;;
+        stop)
+                echo -n "Shutting down sshd: "
+                if [ -f $PID_FILE ] ; then
+                        killproc sshd
+                        RETVAL=$?
+                        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
+                fi
+                echo
+                ;;
+        restart)
+                do_restart_sanity_check
+                $0 stop
+                $0 start
+                RETVAL=$?
+                ;;
+        condrestart)
+                if [ -f /var/lock/subsys/sshd ] ; then
+                        do_restart_sanity_check
+                        $0 stop
+                        $0 start
+                        RETVAL=$?
+                fi
+                ;;
+        status)
+                status sshd
+                RETVAL=$?
+                ;;
+        *)
+                echo "Usage: sshd {start|stop|restart|status|condrestart}"
+                exit 1
+                ;;
+esac
+
+exit $RETVAL
diff --git a/contrib/redhat/sshd.pam b/contrib/redhat/sshd.pam
index 26dcb34d9..d2ab073fc 100644
--- a/contrib/redhat/sshd.pam
+++ b/contrib/redhat/sshd.pam
@@ -1,8 +1,8 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow nodelay
+auth       required     /lib/security/pam_stack.so service=system-auth
 auth       required     /lib/security/pam_nologin.so
-account    required     /lib/security/pam_pwdb.so
-password   required     /lib/security/pam_cracklib.so
-password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
-session    required     /lib/security/pam_pwdb.so
+account    required     /lib/security/pam_stack.so service=system-auth
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
 session    required     /lib/security/pam_limits.so
+session    optional     /lib/security/pam_console.so
diff --git a/contrib/redhat/sshd.pam-7.x b/contrib/redhat/sshd.pam-7.x
deleted file mode 100644
index d2ab073fc..000000000
--- a/contrib/redhat/sshd.pam-7.x
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-auth       required     /lib/security/pam_stack.so service=system-auth
-auth       required     /lib/security/pam_nologin.so
-account    required     /lib/security/pam_stack.so service=system-auth
-password   required     /lib/security/pam_stack.so service=system-auth
-session    required     /lib/security/pam_stack.so service=system-auth
-session    required     /lib/security/pam_limits.so
-session    optional     /lib/security/pam_console.so
diff --git a/contrib/redhat/sshd.pam.old b/contrib/redhat/sshd.pam.old
new file mode 100644
index 000000000..26dcb34d9
--- /dev/null
+++ b/contrib/redhat/sshd.pam.old
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth       required     /lib/security/pam_pwdb.so shadow nodelay
+auth       required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_pwdb.so
+password   required     /lib/security/pam_cracklib.so
+password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
+session    required     /lib/security/pam_pwdb.so
+session    required     /lib/security/pam_limits.so