Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it

extensively yet.

ProtocolKeepAlives is now just a compatibility alias for
ServerAliveInterval.

18 files changed, 591 insertions, 455 deletions

diff --git a/contrib/README b/contrib/README
index 67dbbd277..9de3d961d 100644
--- a/contrib/README
+++ b/contrib/README
@@ -1,4 +1,4 @@
-Other patches and addons for OpenSSH. Please send submissions to 
+Other patches and addons for OpenSSH. Please send submissions to
 djm@mindrot.org
 
 Externally maintained
@@ -7,7 +7,7 @@ Externally maintained
 SSH Proxy Command -- connect.c
 
 Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
-which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or 
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
 https CONNECT style proxy server. His page for connect.c has extensive
 documentation on its use as well as compiled versions for Win32.
 
@@ -47,7 +47,7 @@ Dominik Brettnacher <domi@saargate.de>
 mdoc2man.pl:
 
 Converts mdoc formated manpages into normal manpages.  This can be used
-on Solaris machines to provide manpages that are not preformated. 
+on Solaris machines to provide manpages that are not preformated.
 Contributed by Mark D. Roth <roth@feep.net>
 
 redhat:
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 727ac446d..4a5c32b0e 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.6 2003/08/25 05:01:04 dtucker Exp $
+# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
 # no warranty.
-# 
+#
 # Based originally on Ben Lindstrom's buildpkg.sh for Solaris
 #
 
@@ -45,7 +45,7 @@ fi
 if [ ! -f Makefile ]
 then
         echo "Makefile not found (did you run configure?)"
-        exit 1 
+        exit 1
 fi
 
 #
@@ -96,12 +96,12 @@ then
         PRIVSEP_PATH=/var/empty
 fi
 
-# Clean package build directory 
+# Clean package build directory
 rm -rf $objdir/$PKGDIR
 FAKE_ROOT=$objdir/$PKGDIR/root
 mkdir -p $FAKE_ROOT
 
-# Start by faking root install 
+# Start by faking root install
 echo "Faking root install..."
 cd $objdir
 make install-nokeys DESTDIR=$FAKE_ROOT
@@ -136,15 +136,15 @@ echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
 #
 # Set ssh and sshd parameters as per config.local
 #
-if [ "${PERMIT_ROOT_LOGIN}" = no ] 
+if [ "${PERMIT_ROOT_LOGIN}" = no ]
 then
-        perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
-                $FAKE_ROOT/${sysconfdir}/sshd_config
+        perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+                $FAKE_ROOT/${sysconfdir}/sshd_config
 fi
 if [ "${X11_FORWARDING}" = yes ]
 then
-        perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
-                $FAKE_ROOT/${sysconfdir}/sshd_config
+        perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+                $FAKE_ROOT/${sysconfdir}/sshd_config
 fi
 
 
@@ -190,13 +190,13 @@ cat <<EOF >>../openssh.post_i
 echo Creating configs from defaults if necessary.
 for cfgfile in ssh_config sshd_config ssh_prng_cmds
 do
-        if [ ! -f $sysconfdir/\$cfgfile ]
-        then
-                echo "Creating \$cfgfile from default"
-                cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
-        else
-                echo "\$cfgfile already exists."
-        fi
+        if [ ! -f $sysconfdir/\$cfgfile ]
+        then
+                echo "Creating \$cfgfile from default"
+                cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
+        else
+                echo "\$cfgfile already exists."
+        fi
 done
 echo
 
@@ -244,19 +244,19 @@ echo
 # Generate keys unless they already exist
 echo Creating host keys if required.
 if [ -f "$sysconfdir/ssh_host_key" ] ; then
-        echo "$sysconfdir/ssh_host_key already exists, skipping."
+        echo "$sysconfdir/ssh_host_key already exists, skipping."
 else
-        $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
+        $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
 fi
 if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
-        echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
+        echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
 else
-        $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
+        $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
 fi
 if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
-        echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
-else 
-        $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
+        echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
+else
+        $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
 fi
 echo
 
@@ -369,7 +369,7 @@ echo Creating $PKGNAME-$VERSION.bff with backup...
 rm -f $PKGNAME-$VERSION.bff
 (
         echo "./lpp_name"
-        find . ! -name lpp_name -a ! -name . -print 
+        find . ! -name lpp_name -a ! -name . -print
 ) | backup  -i -q -f ../$PKGNAME-$VERSION.bff $filelist
 
 #
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
index 4f408e678..e2641e79c 100755
--- a/contrib/aix/inventory.sh
+++ b/contrib/aix/inventory.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # inventory.sh
-# $Id: inventory.sh,v 1.5 2003/08/26 03:43:13 dtucker Exp $
+# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
 #
 # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
 # This file is placed into the public domain.
@@ -59,5 +59,5 @@ find . ! -name . -print | perl -ne '{
         } elsif ( -d $_ ) {
                 # Entry is Directory
                 print "\ttype=DIRECTORY\n";
-        } 
+        }
 }'
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 97d6adf51..599244b5d 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,11 +17,11 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       3.7p1
+  %define version       3.8p1
   %define cvs           %{nil}
   %define release       1
 %else
-  %define version       2.9.9p2
+  %define version       3.8p1
   %define cvs           cvs20011009
   %define release       0r1
 %endif
@@ -180,7 +180,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
 %configure \
             --with-pam \
             --with-tcp-wrappers \
-            --with-ipv4-default \
             --with-privsep-path=%{_var}/empty/sshd \
             #leave this line for easy edits.
 
@@ -364,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.43.2.2 2003/09/16 06:02:40 djm Exp $
+$Id: openssh.spec,v 1.48 2004/02/24 05:00:04 djm Exp $
diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen
index 28a97b9b4..3c5c17182 100755
--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# $Id: ssh-host-keygen,v 1.1 2001/04/27 05:50:50 tim Exp $
+# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
 #
 # This script is normally run only *once* for a given host
 # (in a given period of time) -- on updates/upgrades/recovery
@@ -12,7 +12,7 @@ keydir=@sysconfdir@
 keygen=@sshkeygen@
 
 if [ -f $keydir/ssh_host_key -o \
-             -f $keydir/ssh_host_key.pub ]; then
+             -f $keydir/ssh_host_key.pub ]; then
   echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
 else
   echo "Generating 1024 bit SSH1 RSA host key."
@@ -20,7 +20,7 @@ else
 fi
 
 if [ -f $keydir/ssh_host_rsa_key -o \
-             -f $keydir/ssh_host_rsa_key.pub ]; then
+             -f $keydir/ssh_host_rsa_key.pub ]; then
   echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
 else
   echo "Generating 1024 bit SSH2 RSA host key."
@@ -28,7 +28,7 @@ else
 fi
 
 if [ -f $keydir/ssh_host_dsa_key -o \
-             -f $keydir/ssh_host_dsa_key.pub ]; then
+             -f $keydir/ssh_host_dsa_key.pub ]; then
   echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
 else
   echo "Generating SSH2 DSA host key."
diff --git a/contrib/caldera/sshd.init b/contrib/caldera/sshd.init
index 90b36379a..983146f4f 100755
--- a/contrib/caldera/sshd.init
+++ b/contrib/caldera/sshd.init
@@ -1,6 +1,6 @@
 #! /bin/bash
 #
-# $Id: sshd.init,v 1.3 2001/11/03 19:09:33 tim Exp $
+# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
 #
 ### BEGIN INIT INFO
 # Provides:
@@ -64,11 +64,11 @@ case "$1" in
   SVIemptyConfig @sysconfdir@/sshd_config && exit 6
 
   if [ ! \( -f @sysconfdir@/ssh_host_key -a            \
-            -f @sysconfdir@/ssh_host_key.pub \) -a     \
+            -f @sysconfdir@/ssh_host_key.pub \) -a     \
        ! \( -f @sysconfdir@/ssh_host_rsa_key -a        \
-            -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
+            -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
        ! \( -f @sysconfdir@/ssh_host_dsa_key -a        \
-            -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
+            -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
 
     echo "$SVIsubsys: host key not initialized: skipped!"
     echo "$SVIsubsys: use ssh-host-keygen to generate one!"
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
new file mode 100644
index 000000000..09e8ea2db
--- /dev/null
+++ b/contrib/cygwin/Makefile
@@ -0,0 +1,56 @@
+srcdir=../..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+        @echo
+        @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+        @echo "Be sure having DESTDIR set correctly!"
+        @echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+        $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+        mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+        mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+        rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-sshdoc:
+        $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+        $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+        $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+        $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+        $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+        $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+        $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+        $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+        $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+        $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
+        $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+        $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
+
+install-cygwindoc: README
+        $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+        $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+        $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+        $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+        $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+        @echo "Cygwin specific configuration finished."
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index ec58964c9..fc0a2f69b 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,4 +1,49 @@
-This package is the actual port of OpenSSH to Cygwin 1.5.
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions.  Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+Build instructions are at the end of the file.
+
+===========================================================================
+Important change since 3.7.1p2-2:
+
+The ssh-host-config file doesn't create the /etc/ssh_config and
+/etc/sshd_config files from builtin here-scripts anymore, but it uses
+skeleton files installed in /etc/defaults/etc.
+
+Also it now tries hard to create appropriate permissions on files.
+Same applies for ssh-user-config.
+
+After creating the sshd service with ssh-host-config, it's advisable to
+call ssh-user-config for all affected users, also already exising user
+configurations.  In the latter case, file and directory permissions are
+checked and changed, if requireed to match the host configuration.
+
+Important note for Windows 2003 Server users:
+---------------------------------------------
+
+2003 Server has a funny new feature.  When starting services under SYSTEM
+account, these services have nearly all user rights which SYSTEM holds...
+except for the "Create a token object" right, which is needed to allow
+public key authentication :-(
+
+There's no way around this, except for creating a substitute account which
+has the appropriate privileges.  Basically, this account should be member
+of the administrators group, plus it should have the following user rights:
+
+        Create a token object
+        Logon as a service
+        Replace a process level token
+        Increase Quota
+
+The ssh-host-config script asks you, if it should create such an account,
+called "sshd_server".  If you say "no" here, you're on your own.  Please
+follow the instruction in ssh-host-config exactly if possible.  Note that
+ssh-user-config sets the permissions on 2003 Server machines dependent of
+whether a sshd_server account exists or not.
+===========================================================================
 
 ===========================================================================
 Important change since 3.4p1-2:
@@ -58,7 +103,7 @@ features of the FAT/FAT32 filesystems.
 
 If you are installing OpenSSH the first time, you can generate global config
 files and server keys by running
-   
+
    /usr/bin/ssh-host-config
 
 Note that this binary archive doesn't contain default config files in /etc.
@@ -73,10 +118,12 @@ some options:
 
 usage: ssh-host-config [OPTION]...
 Options:
-    --debug      -d        Enable shell's debug output.
-    --yes        -y        Answer all questions with "yes" automatically.
-    --no         -n        Answer all questions with "no" automatically.
-    --port       -p <n>    sshd listens on port n.
+    --debug  -d            Enable shell's debug output.
+    --yes    -y            Answer all questions with "yes" automatically.
+    --no     -n            Answer all questions with "no" automatically.
+    --cygwin -c <options>  Use "options" as value for CYGWIN environment var.
+    --port   -p <n>        sshd listens on port n.
+    --pwd    -w <passwd>   Use "pwd" as password for user 'sshd_server'.
 
 Additionally ssh-host-config now asks if it should install sshd as a
 service when running under NT/W2K. This requires cygrunsrv installed.
@@ -114,54 +161,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file:
 
    ssh         22/tcp          #SSH daemon
 
-===========================================================================
-The following restrictions only apply to Cygwin versions up to 1.3.1
-===========================================================================
-
-Authentication to sshd is possible in one of two ways.
-You'll have to decide before starting sshd!
-
-- If you want to authenticate via RSA and you want to login to that
-  machine to exactly one user account you can do so by running sshd
-  under that user account. You must change /etc/sshd_config
-  to contain the following:
-
-  RSAAuthentication yes
-
-  Moreover it's possible to use rhosts and/or rhosts with
-  RSA authentication by setting the following in sshd_config:
-
-  RhostsAuthentication yes
-  RhostsRSAAuthentication yes
-
-- If you want to be able to login to different user accounts you'll
-  have to start sshd under system account or any other account that
-  is able to switch user context. Note that administrators are _not_
-  able to do that by default! You'll have to give the following
-  special user rights to the user:
-  "Act as part of the operating system"
-  "Replace process level token"
-  "Increase quotas"
-  and if used via service manager
-  "Logon as a service".
-
-  The system account does of course own that user rights by default.
-
-  Unfortunately, if you choose that way, you can only logon with
-  NT password authentification and you should change
-  /etc/sshd_config to contain the following:
-
-    PasswordAuthentication yes
-    RhostsAuthentication no
-    RhostsRSAAuthentication no
-    RSAAuthentication no
-
-  However you can login to the user which has started sshd with
-  RSA authentication anyway. If you want that, change the RSA
-  authentication setting back to "yes":
-     
-    RSAAuthentication yes
-
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the
 value of the pw_dir field in /etc/passwd as the home directory.
@@ -169,7 +168,7 @@ If no home diretory is set in /etc/passwd, the root directory
 is used instead!
 
 You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by the `login' port on sources.redhat.com:
+way as they are used by Cygwin's login(1) port:
 
   The pw_gecos field may contain an additional field, that begins
   with (upper case!) "U-", followed by the domain and the username
@@ -186,6 +185,8 @@ way as they are used by the `login' port on sources.redhat.com:
 
     locuser::1104:513:John Doe,U-user,S-1-5-21-...
 
+Note that the CYGWIN=ntsec setting is required for public key authentication.
+
 SSH2 server and user keys are generated by the `ssh-*-config' scripts
 as well.
 
@@ -194,15 +195,30 @@ configure are used for the Cygwin binary distribution:
 
         --prefix=/usr \
         --sysconfdir=/etc \
-        --libexecdir='${exec_prefix}/sbin'
-
-You must have installed the zlib and openssl packages to be able to
+        --libexecdir='$(sbindir)' \
+        --localstatedir=/var \
+        --datadir='$(prefix)/share' \
+        --mandir='$(datadir)/man' \
+        --with-tcp-wrappers
+
+If you want to create a Cygwin package, equivalent to the one
+in the Cygwin binary distribution, install like this:
+
+        mkdir /tmp/cygwin-ssh
+        cd $(builddir)
+        make install DESTDIR=/tmp/cygwin-ssh
+        cd $(srcdir)/contrib/cygwin
+        make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
+        cd /tmp/cygwin-ssh
+        find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
+        
+You must have installed the zlib and openssl-devel packages to be able to
 build OpenSSH!
 
 Please send requests, error reports etc. to cygwin@cygwin.com.
 
 Have fun,
 
-Corinna Vinschen <vinschen@redhat.com>
+Corinna Vinschen
 Cygwin Developer
 Red Hat Inc.
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index e9c56aea9..9c0dabf41 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 #
-# ssh-host-config, Copyright 2000, Red Hat Inc.
+# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
 #
 # This file is part of the Cygwin port of OpenSSH.
 
@@ -9,10 +9,7 @@ PREFIX=/usr
 
 # Directory where the config files are stored
 SYSCONFDIR=/etc
-
-# Subdirectory where an old package might be installed
-OLDPREFIX=/usr/local
-OLDSYSCONFDIR=${OLDPREFIX}/etc
+LOCALSTATEDIR=/var
 
 progname=$0
 auto_answer=""
@@ -27,9 +24,11 @@ request()
 {
   if [ "${auto_answer}" = "yes" ]
   then
+    echo "$1 (yes/no) yes"
     return 0
   elif [ "${auto_answer}" = "no" ]
   then
+    echo "$1 (yes/no) no"
     return 1
   fi
 
@@ -37,7 +36,7 @@ request()
   while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
   do
     echo -n "$1 (yes/no) "
-    read answer
+    read -e answer
   done
   if [ "X${answer}" = "Xyes" ]
   then
@@ -60,7 +59,7 @@ do
   option=$1
   shift
 
-  case "$option" in
+  case "${option}" in
   -d | --debug )
     set -x
     ;;
@@ -73,21 +72,33 @@ do
     auto_answer=no
     ;;
 
+  -c | --cygwin )
+    cygwin_value="$1"
+    shift
+    ;;
+
   -p | --port )
     port_number=$1
     shift
     ;;
 
+  -w | --pwd )
+    password_value="$1"
+    shift
+    ;;
+
   *)
     echo "usage: ${progname} [OPTION]..."
     echo
     echo "This script creates an OpenSSH host configuration."
     echo
     echo "Options:"
-    echo "    --debug  -d     Enable shell's debug output."
-    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
-    echo "    --no     -n     Answer all questions with \"no\" automatically."
-    echo "    --port   -p <n> sshd listens on port n."
+    echo "  --debug  -d            Enable shell's debug output."
+    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
+    echo "  --no     -n            Answer all questions with \"no\" automatically."
+    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
+    echo "  --port   -p <n>        sshd listens on port n."
+    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
     echo
     exit 1
     ;;
@@ -96,8 +107,13 @@ do
 done
 
 # Check if running on NT
-_sys="`uname -a`"
-_nt=`expr "$_sys" : "CYGWIN_NT"`
+_sys="`uname`"
+_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ ${_nt} -gt 0 ]
+then
+  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
 
 # Check for running ssh/sshd processes first. Refuse to do anything while
 # some ssh processes are still running
@@ -137,87 +153,33 @@ fi
 
 # Create /var/log and /var/log/lastlog if not already existing
 
-if [ -f /var/log ]
+if [ -f ${LOCALSTATEDIR}/log ]
 then
-  echo "Creating /var/log failed\!"
+  echo "Creating ${LOCALSTATEDIR}/log failed!"
 else
-  if [ ! -d /var/log ]
+  if [ ! -d ${LOCALSTATEDIR}/log ]
   then
-    mkdir -p /var/log
+    mkdir -p ${LOCALSTATEDIR}/log
   fi
-  if [ -d /var/log/lastlog ]
+  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
   then
-    echo "Creating /var/log/lastlog failed\!"
-  elif [ ! -f /var/log/lastlog ]
+    chmod 777 ${LOCALSTATEDIR}/log/lastlog
+  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
   then
-    cat /dev/null > /var/log/lastlog
+    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+    chmod 666 ${LOCALSTATEDIR}/log/lastlog
   fi
 fi
 
 # Create /var/empty file used as chroot jail for privilege separation
-if [ -f /var/empty ]
+if [ -f ${LOCALSTATEDIR}/empty ]
 then
-  echo "Creating /var/empty failed\!"
+  echo "Creating ${LOCALSTATEDIR}/empty failed!"
 else
-  mkdir -p /var/empty
-  # On NT change ownership of that dir to user "system"
-  if [ $_nt -gt 0 ]
+  mkdir -p ${LOCALSTATEDIR}/empty
+  if [ ${_nt} -gt 0 ]
   then
-    chmod 755 /var/empty
-    chown system.system /var/empty
-  fi
-fi
-
-# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
-# the same as ${PREFIX}
-
-old_install=0
-if [ "${OLDPREFIX}" != "${PREFIX}" ]
-then
-  if [ -f "${OLDPREFIX}/sbin/sshd" ]
-  then
-    echo
-    echo "You seem to have an older installation in ${OLDPREFIX}."
-    echo
-    # Check if old global configuration files exist
-    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
-    then
-      if request "Do you want to copy your config files to your new installation?"
-      then
-        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
-      fi
-    fi
-    if request "Do you want to erase your old installation?"
-    then
-      rm -f ${OLDPREFIX}/bin/ssh.exe
-      rm -f ${OLDPREFIX}/bin/ssh-config
-      rm -f ${OLDPREFIX}/bin/scp.exe
-      rm -f ${OLDPREFIX}/bin/ssh-add.exe
-      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
-      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
-      rm -f ${OLDPREFIX}/bin/slogin
-      rm -f ${OLDSYSCONFDIR}/ssh_host_key
-      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
-      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
-      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
-      rm -f ${OLDSYSCONFDIR}/ssh_config
-      rm -f ${OLDSYSCONFDIR}/sshd_config
-      rm -f ${OLDPREFIX}/man/man1/ssh.1
-      rm -f ${OLDPREFIX}/man/man1/scp.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
-      rm -f ${OLDPREFIX}/man/man1/slogin.1
-      rm -f ${OLDPREFIX}/man/man8/sshd.8
-      rm -f ${OLDPREFIX}/sbin/sshd.exe
-      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
-    fi
-    old_install=1
+    chmod 755 ${LOCALSTATEDIR}/empty
   fi
 fi
 
@@ -255,52 +217,16 @@ then
   fi
 fi
 
-# Create default ssh_config from here script
+# Create default ssh_config from skeleton file in /etc/defaults/etc
 
 if [ ! -f "${SYSCONFDIR}/ssh_config" ]
 then
   echo "Generating ${SYSCONFDIR}/ssh_config file"
-  cat > ${SYSCONFDIR}/ssh_config << EOF
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for various options
-
-# Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
-#   IdentityFile ~/.ssh/id_dsa
-#   IdentityFile ~/.ssh/id_rsa
-#   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-#   EscapeChar ~
-EOF
-  if [ "$port_number" != "22" ]
+  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
+  if [ "${port_number}" != "22" ]
   then
     echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
-    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
+    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
   fi
 fi
 
@@ -322,35 +248,35 @@ fi
 
 # Prior to creating or modifying sshd_config, care for privilege separation
 
-if [ "$privsep_configured" != "yes" ]
+if [ "${privsep_configured}" != "yes" ]
 then
-  if [ $_nt -gt 0 ]
+  if [ ${_nt} -gt 0 ]
   then
     echo "Privilege separation is set to yes by default since OpenSSH 3.3."
     echo "However, this requires a non-privileged account called 'sshd'."
-    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
+    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
     echo
-    if request "Shall privilege separation be used?"
+    if request "Should privilege separation be used?"
     then
       privsep_used=yes
       grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
       net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
-      if [ "$sshd_in_passwd" != "yes" ]
+      if [ "${sshd_in_passwd}" != "yes" ]
       then
-        if [ "$sshd_in_sam" != "yes" ]
+        if [ "${sshd_in_sam}" != "yes" ]
         then
           echo "Warning: The following function requires administrator privileges!"
-          if request "Shall this script create a local user 'sshd' on this machine?"
+          if request "Should this script create a local user 'sshd' on this machine?"
           then
-            dos_var_empty=`cygpath -w /var/empty`
-            net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
-            if [ "$sshd_in_sam" != "yes" ]
+            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+            net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+            if [ "${sshd_in_sam}" != "yes" ]
             then
               echo "Warning: Creating the user 'sshd' failed!"
             fi
           fi
         fi
-        if [ "$sshd_in_sam" != "yes" ]
+        if [ "${sshd_in_sam}" != "yes" ]
         then
           echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
           echo "         Privilege separation set to 'no' again!"
@@ -365,161 +291,85 @@ then
     fi
   else
     # On 9x don't use privilege separation.  Since security isn't
-    # available it just adds useless addtional processes.
+    # available it just adds useless additional processes.
     privsep_used=no
   fi
 fi
 
-# Create default sshd_config from here script or modify to add the
-# missing privsep configuration option
+# Create default sshd_config from skeleton files in /etc/defaults/etc or
+# modify to add the missing privsep configuration option
 
 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
 then
   echo "Generating ${SYSCONFDIR}/sshd_config file"
-  cat > ${SYSCONFDIR}/sshd_config << EOF
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
-# default value.
-
-Port $port_number
-#Protocol 2,1
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# HostKey for protocol version 1
-#HostKey ${SYSCONFDIR}/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
-#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-#obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin yes
-# The following setting overrides permission checks on host key files
-# and directories. For security reasons set this to "yes" when running
-# NT/W2K, NTFS and CYGWIN=ntsec.
-StrictModes no
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile     .ssh/authorized_keys
-
-# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#KeepAlive yes
-#UseLogin no
-UsePrivilegeSeparation $privsep_used
-#PermitUserEnvironment no
-#Compression yes
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem      sftp    /usr/sbin/sftp-server
-EOF
-elif [ "$privsep_configured" != "yes" ]
+  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+          s/^#Port 22/Port ${port_number}/
+          s/^#StrictModes yes/StrictModes no/" \
+      < ${SYSCONFDIR}/defaults/etc/sshd_config \
+      > ${SYSCONFDIR}/sshd_config
+elif [ "${privsep_configured}" != "yes" ]
 then
   echo >> ${SYSCONFDIR}/sshd_config
-  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
+  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
 fi
 
 # Care for services file
-if [ $_nt -gt 0 ]
+_my_etcdir="/ssh-host-config.$$"
+if [ ${_nt} -gt 0 ]
 then
-  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
-  _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
+  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+  _services="${_my_etcdir}/services"
+  # On NT, 27 spaces, no space after the hash
+  _spaces="                           #"
 else
-  _wservices="${WINDIR}\\SERVICES"
-  _wserv_tmp="${WINDIR}\\SERV.$$"
+  _win_etcdir="${WINDIR}"
+  _services="${_my_etcdir}/SERVICES"
+  # On 9x, 18 spaces (95 is very touchy), a space after the hash
+  _spaces="                  # "
 fi
-_services=`cygpath -u "${_wservices}"`
-_serv_tmp=`cygpath -u "${_wserv_tmp}"`
+_serv_tmp="${_my_etcdir}/srv.out.$$"
 
-mount -t -f "${_wservices}" "${_services}"
-mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
+mount -t -f "${_win_etcdir}" "${_my_etcdir}"
+
+# Depends on the above mount
+_wservices=`cygpath -w "${_services}"`
 
 # Remove sshd 22/port from services
 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
 then
   grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
   if [ -f "${_serv_tmp}" ]
-  then 
+  then
     if mv "${_serv_tmp}" "${_services}"
     then
-      echo "Removing sshd from ${_services}"
+      echo "Removing sshd from ${_wservices}"
     else
-      echo "Removing sshd from ${_services} failed\!"
-    fi 
+      echo "Removing sshd from ${_wservices} failed!"
+    fi
     rm -f "${_serv_tmp}"
   else
-    echo "Removing sshd from ${_services} failed\!"
+    echo "Removing sshd from ${_wservices} failed!"
   fi
 fi
 
 # Add ssh 22/tcp  and ssh 22/udp to services
 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
 then
-  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
-  if [ -f "${_serv_tmp}" ]
+  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
   then
     if mv "${_serv_tmp}" "${_services}"
     then
-      echo "Added ssh to ${_services}"
+      echo "Added ssh to ${_wservices}"
     else
-      echo "Adding ssh to ${_services} failed\!"
+      echo "Adding ssh to ${_wservices} failed!"
     fi
     rm -f "${_serv_tmp}"
   else
-    echo "Adding ssh to ${_services} failed\!"
+    echo "WARNING: Adding ssh to ${_wservices} failed!"
   fi
 fi
 
-umount "${_services}"
-umount "${_serv_tmp}"
+umount "${_my_etcdir}"
 
 # Care for inetd.conf file
 _inetcnf="${SYSCONFDIR}/inetd.conf"
@@ -538,13 +388,13 @@ then
     then
       if mv "${_inetcnf_tmp}" "${_inetcnf}"
       then
-        echo "Removed sshd from ${_inetcnf}"
+        echo "Removed sshd from ${_inetcnf}"
       else
-        echo "Removing sshd from ${_inetcnf} failed\!"
+        echo "Removing sshd from ${_inetcnf} failed!"
       fi
       rm -f "${_inetcnf_tmp}"
     else
-      echo "Removing sshd from ${_inetcnf} failed\!"
+      echo "Removing sshd from ${_inetcnf} failed!"
     fi
   fi
 
@@ -562,34 +412,181 @@ then
 fi
 
 # On NT ask if sshd should be installed as service
-if [ $_nt -gt 0 ]
+if [ ${_nt} -gt 0 ]
 then
-  echo
-  echo "Do you want to install sshd as service?"
-  if request "(Say \"no\" if it's already installed as service)"
+  # But only if it is not already installed
+  if ! cygrunsrv -Q sshd > /dev/null 2>&1
   then
     echo
-    echo "Which value should the environment variable CYGWIN have when"
-    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
-    echo "able to change user context without password."
-    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
-    read _cygwin
-    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
-    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+    echo
+    echo "Warning: The following functions require administrator privileges!"
+    echo
+    echo "Do you want to install sshd as service?"
+    if request "(Say \"no\" if it's already installed as service)"
+    then
+      if [ $_nt2003 -gt 0 ]
+      then
+        grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
+        if [ "${sshd_server_in_passwd}" = "yes" ]
+        then
+          # Drop sshd_server from passwd since it could have wrong settings
+          grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
+          rm -f ${SYSCONFDIR}/passwd
+          mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
+          chmod g-w,o-w ${SYSCONFDIR}/passwd
+        fi
+        net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
+        if [ "${sshd_server_in_sam}" != "yes" ]
+        then
+          echo
+          echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
+          echo "later systems, it's not possible to use the LocalSystem account"
+          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
+          echo "If you want to enable that functionality, it's required to create a new"
+          echo "account 'sshd_server' with special privileges, which is then used to run"
+          echo "the sshd service under."
+          echo
+          echo "Should this script create a new local account 'sshd_server' which has"
+          if request "the required privileges?"
+          then
+            _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
+            if [ -z "${_admingroup}" ]
+            then
+              echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
+              echo "your ${SYSCONFDIR}/group file.  Please regenerate this entry using 'mkgroup -l'"
+              echo "and restart this script."
+              exit 1
+            fi
+            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+            while [ "${sshd_server_in_sam}" != "yes" ]
+            do
+              if [ -n "${password_value}" ]
+              then
+                _password="${password_value}"
+                # Allow to ask for password if first try fails
+                password_value=""
+              else
+                echo
+                echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
+                echo "this password matches the password rules given on your system."
+                echo -n "Entering no password will exit the configuration.  PASSWORD="
+                read -e _password
+                if [ -z "${_password}" ]
+                then
+                  echo
+                  echo "Exiting configuration.  No user sshd_server has been created,"
+                  echo "no sshd service installed."
+                  exit 1
+                fi
+              fi
+              net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
+              if [ "${sshd_server_in_sam}" != "yes" ]
+              then
+                echo "Creating the user 'sshd_server' failed!  Reason:"
+                cat /tmp/nu.$$
+                rm /tmp/nu.$$
+              fi
+            done
+            net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
+            if [ "${sshd_server_in_admingroup}" != "yes" ]
+            then
+              echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
+              echo "Please add sshd_server to local group ${_admingroup} before"
+              echo "starting the sshd service!"
+              echo
+            fi
+            passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
+            if [ "${passwd_has_expiry_flags}" != "yes" ]
+            then
+              echo
+              echo "WARNING: User sshd_server has password expiry set to system default."
+              echo "Please check that password never expires or set it to your needs."
+            elif ! passwd -e sshd_server
+            then
+              echo
+              echo "WARNING: Setting password expiry for user sshd_server failed!"
+              echo "Please check that password never expires or set it to your needs."
+            fi
+            editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
+            editrights -a SeCreateTokenPrivilege -u sshd_server &&
+            editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
+            editrights -a SeDenyNetworkLogonRight -u sshd_server &&
+            editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
+            editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
+            editrights -a SeServiceLogonRight -u sshd_server &&
+            sshd_server_got_all_rights="yes"
+            if [ "${sshd_server_got_all_rights}" != "yes" ]
+            then
+              echo
+              echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
+              echo "Can't create sshd service!"
+              exit 1
+            fi
+            echo
+            echo "User 'sshd_server' has been created with password '${_password}'."
+            echo "If you change the password, please keep in mind to change the password"
+            echo "for the sshd service, too."
+            echo
+            echo "Also keep in mind that the user sshd_server needs read permissions on all"
+            echo "users' .ssh/authorized_keys file to allow public key authentication for"
+            echo "these users!.  (Re-)running ssh-user-config for each user will set the"
+            echo "required permissions correctly."
+            echo
+          fi
+        fi
+        if [ "${sshd_server_in_sam}" = "yes" ]
+        then
+          mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+        fi
+      fi
+      if [ -n "${cygwin_value}" ]
+      then
+        _cygwin="${cygwin_value}"
+      else
+        echo
+        echo "Which value should the environment variable CYGWIN have when"
+        echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
+        echo "able to change user context without password."
+        echo -n "Default is \"ntsec\".  CYGWIN="
+        read -e _cygwin
+      fi
+      [ -z "${_cygwin}" ] && _cygwin="ntsec"
+      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+      then
+        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+        then
+          echo
+          echo "The service has been installed under sshd_server account."
+          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+        fi
+      else
+        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+        then
+          echo
+          echo "The service has been installed under LocalSystem account."
+          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+        fi
+      fi
+    fi
+    # Now check if sshd has been successfully installed.  This allows to
+    # set the ownership of the affected files correctly.
+    if cygrunsrv -Q sshd > /dev/null 2>&1
     then
-      chown system ${SYSCONFDIR}/ssh*
-      echo
-      echo "The service has been installed under LocalSystem account."
+      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+      then
+        _user="sshd_server"
+      else
+        _user="system"
+      fi
+      chown "${_user}" ${SYSCONFDIR}/ssh*
+      chown "${_user}".544 ${LOCALSTATEDIR}/empty
+      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+      then
+        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
+      fi
     fi
   fi
 fi
 
-if [ "${old_install}" = "1" ]
-then
-  echo
-  echo "Note: If you have used sshd as service or from inetd, don't forget to"
-  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
-fi
-
 echo
 echo "Host configuration finished. Have fun!"
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 4da113181..fe07ce360 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -1,9 +1,12 @@
 #!/bin/sh
 #
-# ssh-user-config, Copyright 2000, Red Hat Inc.
+# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
 #
 # This file is part of the Cygwin port of OpenSSH.
 
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+
 progname=$0
 auto_answer=""
 auto_passphrase="no"
@@ -33,6 +36,15 @@ request()
   fi
 }
 
+# Check if running on NT
+_sys="`uname -a`"
+_nt=`expr "$_sys" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ $_nt -gt 0 ]
+then
+  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
+
 # Check options
 
 while :
@@ -84,27 +96,27 @@ done
 
 # Ask user if user identity should be generated
 
-if [ ! -f /etc/passwd ]
+if [ ! -f ${SYSCONFDIR}/passwd ]
 then
-  echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file'
+  echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
   echo 'first using mkpasswd. Check if it contains an entry for you and'
   echo 'please care for the home directory in your entry as well.'
   exit 1
 fi
 
 uid=`id -u`
-pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd`
+pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
 
 if [ "X${pwdhome}" = "X" ]
 then
-  echo 'There is no home directory set for you in /etc/passwd.'
+  echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
   echo 'Setting $HOME is not sufficient!'
   exit 1
 fi
 
 if [ ! -d "${pwdhome}" ]
 then
-  echo "${pwdhome} is set in /etc/passwd as your home directory"
+  echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
   echo 'but it is not a valid directory. Cannot create user identity files.'
   exit 1
 fi
@@ -114,7 +126,7 @@ fi
 if [ "X${pwdhome}" = "X/" ]
 then
   # But first raise a warning!
-  echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!'
+  echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
   if request "Would you like to proceed anyway?"
   then
     pwdhome=''
@@ -123,6 +135,17 @@ then
   fi
 fi
 
+if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+then
+  echo
+  echo 'WARNING: group and other have been revoked write permission to your home'
+  echo "         directory ${pwdhome}."
+  echo '         This is required by OpenSSH to allow public key authentication using'
+  echo '         the key files stored in your .ssh subdirectory.'
+  echo '         Revert this change ONLY if you know what you are doing!'
+  echo
+fi
+
 if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
 then
   echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
@@ -139,6 +162,21 @@ then
   fi
 fi
 
+if [ $_nt -gt 0 ]
+then
+  _user="system"
+  if [ $_nt2003 -gt 0 ]
+  then
+    grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
+  fi
+  if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
+  then
+    echo "${pwdhome}/.ssh couldn't be given the correct permissions."
+    echo "Please try to solve this problem first."
+    exit 1
+  fi
+fi
+
 if [ ! -f "${pwdhome}/.ssh/identity" ]
 then
   if request "Shall I create an SSH1 RSA identity file for you?"
@@ -196,5 +234,17 @@ then
   fi
 fi
 
+if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
+then
+  if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+  then
+    echo
+    echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+    echo "failed.  Please care for the correct permissions.  The minimum requirement"
+    echo "is, the owner and ${_user} both need read permissions."
+    echo
+  fi
+fi
+
 echo
 echo "Configuration finished. Have fun!"
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
index 87a4abce2..0c08d4a18 100644
--- a/contrib/findssl.sh
+++ b/contrib/findssl.sh
@@ -9,24 +9,24 @@
 #       Written by Darren Tucker (dtucker at zip dot com dot au)
 #       This file is placed in the public domain.
 #
-# $Id: findssl.sh,v 1.1 2003/06/24 10:22:10 dtucker Exp $
+# $Id: findssl.sh,v 1.2 2003/11/21 12:48:56 djm Exp $
 #       2002-07-27: Initial release.
 #       2002-08-04: Added public domain notice.
 #       2003-06-24: Incorporated readme, set library paths. First cvs version.
 #
-# "OpenSSL headers do not match your library" are usually caused by 
+# "OpenSSL headers do not match your library" are usually caused by
 # OpenSSH's configure picking up an older version of OpenSSL headers
 # or libraries.  You can use the following # procedure to help identify
 # the cause.
-# 
+#
 # The  output  of  configure  will  tell you the versions of the OpenSSL
 # headers and libraries that were picked up, for example:
-# 
+#
 # checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
 # checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
 # checking whether OpenSSL's headers match the library... no
 # configure: error: Your OpenSSL headers do not match your library
-# 
+#
 # Now run findssl.sh. This should identify the headers and libraries
 # present  and  their  versions.  You  should  be  able  to identify the
 # libraries  and headers used and adjust your CFLAGS or remove incorrect
@@ -37,7 +37,7 @@
 # Searching for OpenSSL header files.
 # 0x0090604fL /usr/include/openssl/opensslv.h
 # 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
-# 
+#
 # Searching for OpenSSL shared library files.
 # 0x0090602fL /lib/libcrypto.so.0.9.6b
 # 0x0090602fL /lib/libcrypto.so.2
@@ -46,11 +46,11 @@
 # 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
 # 0x0090600fL /usr/lib/libcrypto.so.0.9.6
 # 0x0090600fL /usr/lib/libcrypto.so.1
-# 
+#
 # Searching for OpenSSL static library files.
 # 0x0090602fL /usr/lib/libcrypto.a
 # 0x0090604fL /usr/local/ssl/lib/libcrypto.a
-# 
+#
 # In  this  example, I gave configure no extra flags, so it's picking up
 # the  OpenSSL header from /usr/include/openssl (90604f) and the library
 # from /usr/lib/ (90602f).
diff --git a/contrib/gnome-ssh-askpass1.c b/contrib/gnome-ssh-askpass1.c
index b6b342b84..4d51032d1 100644
--- a/contrib/gnome-ssh-askpass1.c
+++ b/contrib/gnome-ssh-askpass1.c
@@ -23,14 +23,14 @@
  */
 
 /*
- * This is a simple GNOME SSH passphrase grabber. To use it, set the 
- * environment variable SSH_ASKPASS to point to the location of 
- * gnome-ssh-askpass before calling "ssh-add < /dev/null". 
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
  *
  * There is only two run-time options: if you set the environment variable
  * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
- * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the 
- * pointer will be grabbed too. These may have some benefit to security if 
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
  * you don't trust your X server. We grab the keyboard always.
  */
 
@@ -87,7 +87,7 @@ passphrase_dialog(char *message)
                 }
 
         entry = gtk_entry_new();
-        gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, 
+        gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
             FALSE, 0);
         gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
         gtk_widget_grab_focus(entry);
@@ -105,7 +105,7 @@ passphrase_dialog(char *message)
         /* Grab focus */
         if (grab_server)
                 XGrabServer(GDK_DISPLAY());
-        if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, 
+        if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
             NULL, NULL, GDK_CURRENT_TIME))
                 goto nograb;
         if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
index 9e8eaf920..0ce8daec9 100644
--- a/contrib/gnome-ssh-askpass2.c
+++ b/contrib/gnome-ssh-askpass2.c
@@ -25,14 +25,14 @@
 /* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
 
 /*
- * This is a simple GNOME SSH passphrase grabber. To use it, set the 
- * environment variable SSH_ASKPASS to point to the location of 
- * gnome-ssh-askpass before calling "ssh-add < /dev/null". 
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
  *
  * There is only two run-time options: if you set the environment variable
  * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
- * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the 
- * pointer will be grabbed too. These may have some benefit to security if 
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
  * you don't trust your X server. We grab the keyboard always.
  */
 
@@ -103,7 +103,7 @@ passphrase_dialog(char *message)
                                         message);
 
         entry = gtk_entry_new();
-        gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, 
+        gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
             FALSE, 0);
         gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
         gtk_widget_grab_focus(entry);
@@ -124,7 +124,7 @@ passphrase_dialog(char *message)
         if (grab_pointer) {
                 for(;;) {
                         status = gdk_pointer_grab(
-                           (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, 
+                           (GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
                            NULL, GDK_CURRENT_TIME);
                         if (status == GDK_GRAB_SUCCESS)
                                 break;
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index ce7c564c3..05750e3a9 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 3.7p1
+%define ver 3.8p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -34,6 +34,11 @@
 %{?skip_x11_askpass:%define no_x11_askpass 1}
 %{?skip_gnome_askpass:%define no_gnome_askpass 1}
 
+# Add option to build without GTK2 for older platforms with only GTK+.
+# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
+# rpm -ba|--rebuild --define 'no_gtk2 1'
+%{?no_gtk2:%define gtk2 0}
+
 # Is this a build for RHL 6.x or earlier?
 %{?build_6x:%define build6x 1}
 
@@ -176,6 +181,11 @@ environment.
 CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %endif
 
+%if %{kerberos5}
+K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+echo K5DIR=$K5DIR
+%endif
+
 %configure \
         --sysconfdir=%{_sysconfdir}/ssh \
         --libexecdir=%{_libexecdir}/openssh \
@@ -185,16 +195,17 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
         --with-default-path=/usr/local/bin:/bin:/usr/bin \
         --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
         --with-privsep-path=%{_var}/empty/sshd \
+        --with-md5-passwords \
 %if %{scard}
         --with-smartcard \
 %endif
 %if %{rescue}
-        --without-pam --with-md5-passwords \
+        --without-pam \
 %else
         --with-pam \
 %endif
 %if %{kerberos5}
-         --with-kerberos5=/usr/kerberos \
+         --with-kerberos5=$K5DIR \
 %endif
 
 
@@ -392,7 +403,7 @@ fi
 
 %changelog
 * Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
-- Remove noip6 option. This may be controlled at run-time in client config 
+- Remove noip6 option. This may be controlled at run-time in client config
   file using new AddressFamily directive
 
 * Mon May 12 2003 Damien Miller <djm@mindrot.org>
@@ -552,7 +563,7 @@ fi
 
 * Sun Apr  8 2001 Preston Brown <pbrown@redhat.com>
 - remove explicit openssl requirement, fixes builddistro issue
-- make initscript stop() function wait until sshd really dead to avoid 
+- make initscript stop() function wait until sshd really dead to avoid
   races in condrestart
 
 * Mon Apr  2 2001 Nalin Dahyabhai <nalin@redhat.com>
diff --git a/contrib/solaris/README b/contrib/solaris/README
index 9b0a46e29..eb4c590f4 100755
--- a/contrib/solaris/README
+++ b/contrib/solaris/README
@@ -17,7 +17,7 @@ Directions:
 
 If all goes well you should have a solaris package ready to be installed.
 
-If you have any problems with this script please post them to 
+If you have any problems with this script please post them to
 openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
 
 - Ben Lindstrom
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh
index c41b3f963..29d096306 100755
--- a/contrib/solaris/buildpkg.sh
+++ b/contrib/solaris/buildpkg.sh
@@ -5,7 +5,7 @@
 # The following code has been provide under Public Domain License.  I really
 # don't care what you use it for.  Just as long as you don't complain to me
 # nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
-# 
+#
 umask 022
 #
 # Options for building the package
@@ -13,7 +13,7 @@ umask 022
 #
 # uncommenting TEST_DIR and using
 # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
-# and 
+# and
 # PKGNAME=tOpenSSH should allow testing a package without interfering
 # with a real OpenSSH package on a system. This is not needed on systems
 # that support the -R option to pkgadd.
@@ -23,9 +23,10 @@ SYSVINIT_NAME=opensshd
 MAKE=${MAKE:="make"}
 SSHDUID=67      # Default privsep uid
 SSHDGID=67      # Default privsep gid
-# uncomment these next two as needed
+# uncomment these next three as needed
 #PERMIT_ROOT_LOGIN=no
 #X11_FORWARDING=yes
+#USR_LOCAL_IS_SYMLINK=yes
 # list of system directories we do NOT want to change owner/group/perms
 # when installing our package
 SYSTEM_DIR="/etc        \
@@ -81,7 +82,7 @@ export PATH
 # we will look for config.local to override the above options
 [ -s ./config.local ]  &&  . ./config.local
 
-## Start by faking root install 
+## Start by faking root install
 echo "Faking root install..."
 START=`pwd`
 OPENSSHD_IN=`dirname $0`/opensshd.in
@@ -98,20 +99,20 @@ fi
 ## Fill in some details, like prefix and sysconfdir
 for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir
 do
-        eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
+        eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
 done
 
 
 ## Collect value of privsep user
 for confvar in SSH_PRIVSEP_USER
 do
-        eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+        eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
 done
 
 ## Set privsep defaults if not defined
 if [ -z "$SSH_PRIVSEP_USER" ]
 then
-        SSH_PRIVSEP_USER=sshd
+        SSH_PRIVSEP_USER=sshd
 fi
 
 ## Extract common info requires for the 'info' part of the package.
@@ -243,16 +244,16 @@ fi
 
 if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
 then
-        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
-        echo "or group."
+        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
+        echo "or group."
 else
-        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
 
-        # create group if required
-        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
-        then
-                echo "PrivSep group $SSH_PRIVSEP_USER already exists."
-        else
+        # create group if required
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+        else
                 # Use gid of 67 if possible
                 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
                 then
@@ -260,15 +261,15 @@ else
                 else
                         sshdgid="-g $SSHDGID"
                 fi
-                echo "Creating PrivSep group $SSH_PRIVSEP_USER."
-                \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
-        fi
-
-        # Create user if required
-        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
-        then
-                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
-        else
+                echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+                \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
+        fi
+
+        # Create user if required
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+        else
                 # Use uid of 67 if possible
                 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
                 then
@@ -276,10 +277,10 @@ else
                 else
                         sshduid="-u $SSHDUID"
                 fi
-                echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+                echo "Creating PrivSep user $SSH_PRIVSEP_USER."
                 \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
                 \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
-        fi
+        fi
 fi
 
 [ "\${POST_INS_START}" = "yes" ]  &&  ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
@@ -358,18 +359,24 @@ cat >mk-proto.awk << _EOF
             BEGIN { print "i pkginfo"; print "i preinstall"; \\
                     print "i postinstall"; print "i preremove"; \\
                     print "i request"; print "i space"; \\
-                    split("$SYSTEM_DIR",sys_files); }
+                    split("$SYSTEM_DIR",sys_files); }
             {
              for (dir in sys_files) { if ( \$3 != sys_files[dir] )
-                     { \$5="root"; \$6="sys"; }
-                else
-                     { \$4="?"; \$5="?"; \$6="?"; break;}
+                     { \$5="root"; \$6="sys"; }
+                else
+                     { \$4="?"; \$5="?"; \$6="?"; break;}
             } }
             { print; }
 _EOF
 find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
         pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype
 
+# /usr/local is a symlink on some systems
+[ "${USR_LOCAL_IS_SYMLINK}" = yes ]  &&  {
+        grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
+        mv prototype.new prototype
+}
+
 ## Step back a directory and now build the package.
 echo "Building package.."
 cd ..
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in
index 48b6c5702..50e18deea 100755
--- a/contrib/solaris/opensshd.in
+++ b/contrib/solaris/opensshd.in
@@ -22,24 +22,24 @@ HOST_KEY_RSA=$etcdir/ssh_host_rsa_key
 
 checkkeys() {
     if [ ! -f $HOST_KEY_RSA1 ]; then
-        ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
+        ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
     fi
     if [ ! -f $HOST_KEY_DSA ]; then
-        ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
+        ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
     fi
     if [ ! -f $HOST_KEY_RSA ]; then
-        ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
+        ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
     fi
 }
 
 stop_service() {
     if [  -r $PIDFILE  -a  ! -z ${PIDFILE}  ]; then
-        PID=`${CAT} ${PIDFILE}`
+        PID=`${CAT} ${PIDFILE}`
     fi
     if [  ${PID:=0} -gt 1 -a  ! "X$PID" = "X "  ]; then
-        ${KILL} ${PID}
+        ${KILL} ${PID}
     else
-        echo "Unable to read PID file"
+        echo "Unable to read PID file"
     fi
 }
 
@@ -55,8 +55,8 @@ start_service() {
 
     sshd_rc=$?
     if [ $sshd_rc -ne 0 ]; then
-        echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
-        exit $sshd_rc
+        echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
+        exit $sshd_rc
     fi
     echo done.
 }
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index ca7437bd6..7eb71adf4 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.7p1
+Version: 3.8p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
@@ -30,7 +30,7 @@ two untrusted hosts over an insecure network.  X11 connections and
 arbitrary TCP/IP ports can also be forwarded over the secure channel.
 
 OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
-up to date in terms of security and features, as well as removing all 
+up to date in terms of security and features, as well as removing all
 patented algorithms to seperate libraries (OpenSSL).
 
 This package includes all files necessary for both the OpenSSH
@@ -100,8 +100,8 @@ make
 
 cd contrib
 gcc -O -g `gnome-config --cflags gnome gnomeui` \
-        gnome-ssh-askpass.c -o gnome-ssh-askpass \
-        `gnome-config --libs gnome gnomeui`
+        gnome-ssh-askpass.c -o gnome-ssh-askpass \
+        `gnome-config --libs gnome gnomeui`
 cd ..
 
 %install
@@ -140,34 +140,34 @@ else
   echo "  /var/adm/fillup-templates/rc.config.sshd"
 fi
 if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
-        echo "Generating SSH host key..."
+        echo "Generating SSH host key..."
         /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
 fi
 if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
-        echo "Generating SSH DSA host key..."
+        echo "Generating SSH DSA host key..."
         /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
 fi
 if test -r /var/run/sshd.pid
 then
-        echo "Restarting the running SSH daemon..."
+        echo "Restarting the running SSH daemon..."
         /usr/sbin/rcsshd restart >&2
 fi
 
 %preun
 if [ "$1" = 0 ]
 then
-        echo "Stopping the SSH daemon..."
+        echo "Stopping the SSH daemon..."
         /usr/sbin/rcsshd stop >&2
         echo "Removing SSH stop/start scripts from the rc directories..."
-        rm /sbin/init.d/rc2.d/K20sshd
-        rm /sbin/init.d/rc2.d/S20sshd
-        rm /sbin/init.d/rc3.d/K20sshd
-        rm /sbin/init.d/rc3.d/S20sshd
+        rm /sbin/init.d/rc2.d/K20sshd
+        rm /sbin/init.d/rc2.d/S20sshd
+        rm /sbin/init.d/rc3.d/K20sshd
+        rm /sbin/init.d/rc3.d/S20sshd
 fi
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog OVERVIEW README* 
+%doc ChangeLog OVERVIEW README*
 %doc RFC.nroff TODO CREDITS LICENCE
 %attr(0755,root,root) %dir /etc/ssh
 %attr(0644,root,root) %config /etc/ssh/ssh_config