40 files changed, 2808 insertions, 32 deletions
diff --git a/clientloop.c b/clientloop.c
index cd2eab77a..6d19b4a25 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -317,10 +317,14 @@ client_check_window_change(void)
 * one of the file descriptors).
 */
-static void
+static int
 client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
    int *maxfdp, int *nallocp, int rekeying)
 {
+        struct timeval tv, *tvp;
+        int n;
+        extern Options options;
        /* Add any selections by the channel mechanism. */
        channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
@@ -349,7 +353,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
                        /* clear mask since we did not call select() */
                        memset(*readsetp, 0, *nallocp);
                        memset(*writesetp, 0, *nallocp);
-                        return;
+                        return 0;
                } else {
                        FD_SET(connection_in, *readsetp);
                }
@@ -368,7 +372,21 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
         * SSH_MSG_IGNORE packet when the timeout expires.
         */
-        if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
+        /*
+         * We don't do the 'random' bit, but we want periodic ignored
+         * message anyway, so as to notice when the other ends TCP
+         * has given up during an outage.
+         */
+        if (options.protocolkeepalives > 0) {
+                tvp = &tv;
+                tv.tv_sec = options.protocolkeepalives;
+                tv.tv_usec = 0;
+        } else
+                tvp = 0;
+        n = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
+        if (n < 0) {
                char buf[100];
                /*
@@ -380,12 +398,13 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
                memset(*writesetp, 0, *nallocp);
                if (errno == EINTR)
-                        return;
+                        return 0;
                /* Note: we might still have data in the buffers. */
                snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
                buffer_append(&stderr_buffer, buf, strlen(buf));
                quit_pending = 1;
        }
+        return n == 0;
 }
 static void
@@ -844,6 +863,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
        fd_set *readset = NULL, *writeset = NULL;
        double start_time, total_time;
+        int timed_out;
        int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0;
        char buf[100];
@@ -951,7 +971,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 * available on one of the descriptors).
                 */
                max_fd2 = max_fd;
-                client_wait_until_can_do_something(&readset, &writeset,
+                timed_out = client_wait_until_can_do_something(&readset, &writeset,
                    &max_fd2, &nalloc, rekeying);
                if (quit_pending)
@@ -975,6 +995,21 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                if (quit_pending)
                        break;
+                if(timed_out) {
+                        /*
+                         * Nothing is happening, so synthesize some
+                         * bogus activity
+                         */
+                        packet_start(compat20
+                                     ? SSH2_MSG_IGNORE
+                                     : SSH_MSG_IGNORE);
+                        packet_put_cstring("");
+                        packet_send();
+                        if (FD_ISSET(connection_out, writeset))
+                                packet_write_poll();
+                        continue;
+                }
                if (!compat20) {
                        /* Buffer data from stdin */
                        client_process_input(readset);
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..c2858d2f9
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,153 @@
+OpenSSH for Debian
+------------------
+Although this package is widely referred to as OpenSSH, it is actually
+a branch of an early version of ssh which has been tidied up by the
+OpenBSD folks.
+It has been decided that this version should have the privilege of
+carrying the ``ssh'' name in Debian, since it is the only version of
+ssh that is going to make it into Debian proper, being the only one 
+that complies with the Debian Free Software Guidelines.
+If you were expecting to get the non-free version of ssh (1.2.27 or
+whatever) when you installed this package, please install ssh-nonfree
+instead, which is what we're now calling the non-free version.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+PermitRootLogin set to yes
+--------------------------
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file. 
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue with me about it,
+then send me email to matthew@debian.org. I will close bug reports
+claiming the default is incorrect.
+SSH now uses protocol 2 by default
+----------------------------------
+This means all your keyfiles you used for protocol version 1 need to
+be re-generated. The server keys are done automatically, but for RSA
+authentication, please read the ssh-keygen manpage.
+If you have an automatically generated configuration file, and decide
+at a later stage that you do want to support protocol version 1 (not
+recommended, but note that the ssh client shipped with Debian potato
+only supported protocol version 1), then you need to do the following:
+Change /etc/ssh/sshd_config such that:
+Protocol 2
+becomes:
+Protocol 2,1
+Also add the line:
+HostKey /etc/ssh/ssh_host_key
+(you may need to generate a host key if you do not already have one)
+/usr/bin/ssh not SUID:
+----------------------
+If you have not installed debconf, you'll have missed the chance to
+install ssh SUID, which means you won't be able to do Rhosts
+authentication.  If that upsets you, use:
+   dpkg-statoverride 
+or if that's also missing, use this:
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+X11 Forwarding:
+---------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+Authorization Forwarding:
+-------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Fallback to RSH:
+----------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Problems logging in with RSA authentication:
+--------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree:
+-------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh. 
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the 
+manpage to scp itself. 
+Problem logging in because of TCP-Wrappers:
+-------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked. 
+Kerberos Authentication:
+------------------------
+ssh is compiled without support for kerberos authentication, and there are
+no current plans to support this.  Thus the KerberosAuthentication and 
+KerberosTgtPassing options will not be recognised.
+--
+Matthew Vernon
+<matthew@debian.org>
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000..32f541a0f
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,944 @@
+openssh (1:3.4p1-1) testing; urgency=high
+  * Extend my tendrils back into this package (Closes: #150915, #151098)
+  * thanks to the security team for their work
+  * no thanks to ISS/Theo de Raadt for their handling of these bugs
+  * save old sshd_configs to sshd_config.dpkg-old when auto-generating a
+    new one
+  * tell/ask the user about PriviledgeSeparation
+  * /etc/init.d/ssh run will now create the chroot empty dir if necessary 
+  * Remove our previous statoverride on /usr/bin/ssh (only for people 
+    upgrading from a version where we'd put one in ourselves!)
+  * Stop slandering Russia, since someone asked so nicely (Closes: #148951)
+  * Reduce the sleep time in /etc/init.d/ssh during a restart
+        
+ -- Matthew Vernon <matthew@debian.org>  Fri, 28 Jun 2002 15:52:10 +0100
+        
+openssh (1:3.4p1-0.0woody1) testing-security; urgency=high
+  * NMU by the security team.
+  * New upstream version
+ -- Michael Stone <mstone@debian.org>  Wed, 26 Jun 2002 15:40:38 -0400
+openssh (1:3.3p1-0.0woody4) testing-security; urgency=high
+  * NMU by the security team.
+  * fix error when /etc/ssh/sshd_config exists on new install
+  * check that user doesn't exist before running adduser
+  * use openssl internal random unconditionally
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 19:44:39 -0400
+openssh (1:3.3p1-0.0woody3) testing-security; urgency=high
+  * NMU by the security team.
+  * use correct home directory when sshd user is created
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 08:59:50 -0400
+openssh (1:3.3p1-0.0woody2) testing-security; urgency=high
+  * NMU by the security team.
+  * Fix rsa1 key creation (Closes: #150949)
+  * don't fail if sshd user removal fails
+  * depends: on adduser (Closes: #150907)
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 08:59:50 -0400
+openssh (1:3.3p1-0.0woody1) testing-security; urgency=high
+  * NMU by the security team.
+  * New upstream version.
+    - Enable privilege separation by default.
+  * Include patch from Solar Designer for privilege separation and
+    compression on 2.2.x kernels.
+  * Remove --disable-suid-ssh from configure.
+  * Support setuid ssh-keysign binary instead of setuid ssh client.
+  * Check sshd configuration before restarting.
+ -- Daniel Jacobowitz <dan@debian.org>  Mon, 24 Jun 2002 13:43:44 -0400
+openssh (1:3.0.2p1-9) unstable; urgency=high
+  * Thanks to those who NMUd
+  * The only change in this version is to debian/control - I've removed
+    the bit that says you can't export it from the US - it would look 
+    pretty daft to say this about a package in main! Also, it's now OK
+    to use crypto in France, so I've edited that comment slightly
+  * Correct a path in README.Debian too (Closes: #138634)
+ -- Matthew Vernon <matthew@debian.org>  Sun,  4 Apr 2002 09:52:59 +0100
+        
+openssh (1:3.0.2p1-8.3) unstable; urgency=medium
+  * NMU
+  * Really set urgency to medium this time (oops)
+  * Fix priority to standard per override while I'm at it
+ -- Aaron M. Ucko <ucko@debian.org>  Sun, 24 Mar 2002 09:00:08 -0500
+openssh (1:3.0.2p1-8.2) unstable; urgency=low
+  * NMU with maintainer's permission
+  * Prepare for upcoming ssh-nonfree transitional packages per
+    <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html>
+  * Urgency medium because it would really be good to get this into woody
+    before it releases
+  * Fix sections to match override file
+  * Reissued due to clash with non-US -> main move
+ -- Aaron M. Ucko <ucko@debian.org>  Sat, 23 Mar 2002 21:21:52 -0500
+openssh (1:3.0.2p1-8.1) unstable; urgency=low
+  * NMU
+  * Move from non-US to mani
+ -- LaMont Jones <lamont@debian.org>  Thu, 21 Mar 2002 09:33:50 -0700
+openssh (1:3.0.2p1-8) unstable; urgency=critical
+  * Security fix - patch from upstream (Closes: #137209, #137210)
+  * Undo the changes in the unreleased -7, since they appear to break 
+    things here. Accordingly, the code change is minimal, and I'm 
+    happy to get it into testing ASAP
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu,  7 Mar 2002 14:25:23 +0000
+openssh (1:3.0.2p1-7) unstable; urgency=high
+  * Build to support IPv6 and IPv4 by default again
+ -- Matthew Vernon <matthew@debian.org>  Sat,  2 Mar 2002 00:25:05 +0000
+        
+openssh (1:3.0.2p1-6) unstable; urgency=high
+  * Correct error in the clean target (Closes: #130868)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 26 Jan 2002 00:32:00 +0000
+openssh (1:3.0.2p1-5) unstable; urgency=medium
+  * Include the Debian version in our identification, to make it easier to
+    audit networks for patched versions in future
+ -- Matthew Vernon <matthew@debian.org>  Mon, 21 Jan 2002 17:16:10 +0000
+        
+openssh (1:3.0.2p1-4) unstable; urgency=medium
+  * If we're asked to not run sshd, stop any running sshd's first 
+    (Closes: #129327)
+ -- Matthew Vernon <matthew@debian.org>  Wed, 16 Jan 2002 21:24:16 +0000
+        
+openssh (1:3.0.2p1-3) unstable; urgency=high
+  * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913)
+  * Remove extra debconf suggestion (Closes: #128094)
+  * Mmm. speedy bug-fixing :-)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 12 Jan 2002 17:23:58 +0000
+        
+openssh (1:3.0.2p1-2) unstable; urgency=high
+  * Fix postinst to not automatically overwrite sshd_config (!) 
+    (Closes: #127842, #127867)
+  * Add section in README.Debian about the PermitRootLogin setting
+        
+ -- Matthew Vernon <matthew@debian.org>  Sat,  5 Jan 2003 05:26:30 +0000
+        
+openssh (1:3.0.2p1-1) unstable; urgency=high
+  * Incorporate fix from Colin's NMU
+  * New upstream version (fixes the bug Wichert fixed) (Closes: #124035)
+  * Capitalise IETF (Closes: #125379)
+  * Refer to the correct sftp-server location (Closes: #126854, #126224)
+  * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247)
+  * Ask people upgrading from potato if they want a new conffile 
+    (Closes: #125642)
+  * Fix a typo in postinst (Closes: #122192, #122410, #123440)
+  * Frob the default config a little (Closes: #122284, #125827, #125696,
+    #123854)
+  * Make /etc/init.d/ssh be more clear about ssh not running (Closes:
+    #123552)
+  * Fix typo in templates file (Closes: #123411)
+ -- Matthew Vernon <matthew@debian.org>  Fri,  4 Jan 2002 16:01:52 +0000
+        
+openssh (1:3.0.1p1-1.2) unstable; urgency=high
+  * Non-maintainer upload
+  * Prevent local users from passing environment variables to the login
+    process when UseLogin is enabled
+ -- Wichert Akkerman <wakkerma@debian.org>  Mon,  3 Dec 2001 19:34:45 +0100
+openssh (1:3.0.1p1-1.1) unstable; urgency=low
+  * Non-maintainer upload, at Matthew's request.
+  * Remove sa_restorer assignment to fix compilation on alpha, hppa, and
+    ia64 (closes: #122086).
+ -- Colin Watson <cjwatson@debian.org>  Sun,  2 Dec 2001 18:54:16 +0000
+openssh (1:3.0.1p1-1) unstable; urgency=high
+  * New upstream version (Closes: #113646, #113513, #114707, #118564)
+  * Building with a libc that works (!) (Closes: #115228)
+  * Patches forward-ported are -1/-2 options for scp, the improvement to
+    'waiting for forwarded connections to terminate...'
+  * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228)
+  * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst
+  * Remove suidregister leftover from postrm
+  * Mention key we are making in the postinst
+  * Default to not enable SSH protocol 1 support, since protocol 2 is
+    much safer anyway.
+  * New version of the vpn-fixes patch, from Ian Jackson
+  * New handling of -q, and added new -qq option; thanks to Jon Amery
+  * Experimental smartcard support not enabled, since I have no way of
+    testing it.
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu, 28 Nov 2001 17:43:01 +0000
+        
+openssh (1:2.9p2-6) unstable; urgency=low
+  * check for correct file in /etc/init.d/ssh (Closes: #110876)
+  * correct location of version 2 keys in ssh.1 (Closes: #110439)
+  * call update-alternatives --quiet (Closes: #103314)
+  * hack ssh-copy-id to chmod go-w (Closes: #95551)
+  * TEMPORARY fix to provide largefile support using a -D in the cflags
+    line. long-term, upstream will patch the autoconf stuff
+    (Closes: #106809, #111849)
+  * remove /etc/rc references in ssh-keygen.1 (Closes: #68350)
+  * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054)
+  * Check for files containing a newline character (Closes: #111692)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 13 Sep 2001 16:47:36 +0100
+openssh (1:2.9p2-5) unstable; urgency=high
+  * Thanks to all the bug-fixers who helped!
+  * remove sa_restorer assignment (Closes: #102837)
+  * patch from Peter Benie to DTRT wrt X forwarding if the server refuses
+    us access (Closes: #48297)
+  * patch from upstream CVS to fix port forwarding (Closes: #107132)
+  * patch from Jonathan Amery to document ssh-keygen behaviour 
+    (Closes:#106643, #107512)
+  * patch to postinst from Jonathan Amery (Closes: #106411)
+  * patch to manpage from Jonathan Amery (Closes: #107364)
+  * patch from Matthew Vernon to make -q emit fatal errors as that is the
+    documented behaviour (Closes: #64347)
+  * patch from Ian Jackson to cause us to destroy a file when we scp it
+    onto itself, rather than dumping bits of our memory into it, which was
+    a security hole (see #51955)
+  * patch from Jonathan Amery to document lack of Kerberos support 
+    (Closes: #103726)
+  * patch from Matthew Vernon to make the 'waiting for connections to
+    terminate' message more helpful (Closes: #50308)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 23 Aug 2001 02:14:09 +0100
+        
+openssh (1:2.9p2-4) unstable; urgency=high
+  * Today's build of ssh is strawberry flavoured
+  * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176)
+  * Tidy up debconf template (Closes: #106152)
+  * If called non-setuid, then setgid()'s failure should not be fatal (see
+    #105854)
+ -- Matthew Vernon <matthew@debian.org>  Sun, 22 Jul 2001 14:19:43 +0100
+        
+openssh (1:2.9p2-3) unstable; urgency=low
+  * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061)
+  * Improve the IdentityFile section in the man page (Closes: #106038)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 21 Jul 2001 14:47:27 +0100
+        
+openssh (1:2.9p2-2) unstable; urgency=low
+  * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868)
+  * Make PrintLastLog 'no' by default (Closes: #105893)
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu, 19 Jul 2001 18:36:41 +0100
+        
+openssh (1:2.9p2-1) unstable; urgency=low
+  * new (several..) upstream version (Closes: #96726, #81856, #96335)
+  * Hopefully, this will close some other bugs too
+ -- Matthew Vernon <matthew@debian.org>  Tue, 17 Jul 2001 19:41:58 +0100
+        
+openssh (1:2.5.2p2-3) unstable; urgency=low
+  * Taking Over this package
+  * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991)
+  * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274)
+  * Don't fiddle with conf-files any more (Closes: #69501)
+        
+ -- Matthew Vernon <matthew@debian.org>  Tue, 03 Jul 2001 02:58:13 +0100
+        
+openssh (1:2.5.2p2-2.2) unstable; urgency=low
+  * NMU
+  * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033)
+  * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273)
+  * Patch from Matthew Vernon for BannerTimeOut, batchmode, and
+    documentation for protocolkeepalives. Makes ssh more generally useful
+    for scripting uses (Closes: #82877, #99275)
+  * Set a umask, so ourpidfile isn't world-writable (closes: #100012,
+    #98286, #97391)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 28 Jun 2001 23:15:42 +0100
+openssh (1:2.5.2p2-2.1) unstable; urgency=low
+ 
+  * NMU
+  * Remove duplicate Build-Depends for libssl096-dev and change it to 
+    depend on libssl-dev instaed.  Also adding in virtual | real package
+    style build-deps.  (Closes: #93793, #75228)
+  * Removing add-log entry (Closes: #79266)
+  * This was a pam bug from a while back (Closes: #86908, #88457, #86843)
+  * pam build-dep already exists (Closes: #93683)
+  * libgnome-dev build-dep already exists (Closes: #93694)
+  * No longer in non-free (Closes: #85401)
+  * Adding in fr debconf translations (Closes: #83783)
+  * Already suggests xbase-clients (Closes: #79741)
+  * No need to suggest libpam-pwdb anymore (Closes: #81658)
+  * Providing rsh-client (Closes: #79437)
+  * hurd patch was already applied (Closes: #76033)
+  * default set to no (Closes: #73682)
+  * Adding in a suggests for dnsutils (Closes: #93265)
+  * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612)
+    (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465)
+  * Adding in debconf dependency
+ 
+ -- Ivan E. Moore II <rkrusty@debian.org>  Mon, 16 Apr 2001 14:11:04 +0100
+openssh (1:2.5.2p2-2) unstable; urgency=high
+  * disable the OpenSSL version check in entropy.c
+    (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648)
+ -- Philip Hands <phil@uk.alcove.com>  Wed, 11 Apr 2001 20:30:04 +0100
+openssh (1:2.5.2p2-1) unstable; urgency=low
+  * New upstream release
+  * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748)
+  * fix double space indent in german templates (closes: #89493)
+  * make postinst check for ssh_host_rsa_key
+  * get rid of the last of the misguided debian/rules NMU debris  :-/
+ -- Philip Hands <phil@hands.com>  Sat, 24 Mar 2001 20:59:33 +0000
+openssh (1:2.5.1p2-2) unstable; urgency=low
+  * rebuild with new debhelper (closes: #89558, #89536, #90225)
+  * fix broken dpkg-statoverride test in postinst
+    (closes: #89612, #90474, #90460, #89605)
+  * NMU bug fixed but not closed in last upload  (closes: #88206)
+  
+ -- Philip Hands <phil@hands.com>  Fri, 23 Mar 2001 16:11:33 +0000
+openssh (1:2.5.1p2-1) unstable; urgency=high
+  * New upstream release
+  * fix typo in postinst (closes: #88110)
+  * revert to setting PAM service name in debian/rules, backing out last
+    NMU, which also (closes: #88101)
+  * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config
+  * restore printlastlog option patch
+  * revert to using debhelper, which had been partially disabled in NMUs
+ -- Philip Hands <phil@hands.com>  Tue, 13 Mar 2001 01:41:34 +0000
+openssh (1:2.5.1p1-1.8) unstable; urgency=high
+  * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed
+ -- Christian Kurz <shorty@debian.org>  Thu,  1 Mar 2001 19:48:01 +0100
+openssh (1:2.5.1p1-1.7) unstable; urgency=high
+  * And now we mark the correct binary as setuid, when a user requested
+    to install it setuid.
+ -- Christian Kurz <shorty@debian.org>  Thu,  1 Mar 2001 07:19:56 +0100
+openssh (1:2.5.1p1-1.6) unstable; urgency=high
+  * Fixes postinst to handle overrides that are already there. Damn, I 
+    should have noticed the bug earlier.
+ -- Christian Kurz <shorty@debian.org>  Wed, 28 Feb 2001 22:35:00 +0100
+openssh (1:2.5.1p1-1.5) unstable; urgency=high
+  * Rebuild ssh with pam-support.
+ -- Christian Kurz <shorty@debian.org>  Mon, 26 Feb 2001 21:55:51 +0100
+openssh (1:2.5.1p1-1.4) unstable; urgency=low
+  * Added Build-Depends on libssl096-dev.
+  * Fixed sshd_config file to disallow root logins again.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 20:03:55 +0100
+openssh (1:2.5.1p1-1.3) unstable; urgency=low
+  * Fixed missing manpages for sftp.1 and ssh-keyscan.1
+  * Made package policy 3.5.2 compliant.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 15:46:26 +0100
+openssh (1:2.5.1p1-1.2) unstable; urgency=low
+  * Added Conflict with sftp, since we now provide our own sftp-client.
+  * Added a fix for our broken dpkg-statoverride call in the 
+    2.3.0p1-13.
+  * Fixed some config pathes in the comments of sshd_config.
+  * Removed ssh-key-exchange-vulnerability-patch since it's not needed
+    anymore because upstream included the fix.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 13:46:58 +0100
+openssh (1:2.5.1p1-1.1) unstable; urgency=high
+  * Another NMU to get the new upstream version 2.5.1p1 into
+    unstable. (Closes: #87123)
+  * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766)
+  * Key Exchange patch is already included by upstream. (Closes: #86015)
+  * Upgrading should be possible now. (Closes: #85525, #85523)
+  * Added --disable-suid-ssh as compile option, so ssh won't get installed
+    suid per default.
+  * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride
+    is available and the mode of the binary should be 4755. And also added
+    suggestion for a newer dpkg.
+    (Closes: #85734, #85741, #86876)
+  * sftp and ssh-keyscan will also be included from now on. (Closes: #79994)
+  * scp now understands spaces in filenames (Closes: #53783, #58958,
+    #66723)
+  * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623)
+  * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035)
+  * ssh supports the usage of other dsa keys via the ssh command line
+    options. (Closes: #81250)
+  * Documentation in sshd_config fixed. (Closes: #81088)
+  * primes file included by upstream and included now. (Closes: #82101)
+  * scp now allows dots in the username. (Closes: #82477)
+  * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124)
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 10:06:08 +0100
+openssh (1:2.3.0p1-1.13) unstable; urgency=low
+  * Config should now also be fixed with this hopefully last NMU.
+ -- Christian Kurz <shorty@debian.org>  Sat, 10 Feb 2001 22:56:36 +0100
+openssh (1:2.3.0p1-1.12) unstable; urgency=high
+  * Added suggest for xbase-clients to control-file. (Closes #85227)
+  * Applied patch from Markus Friedl to fix a vulnerability in 
+    the rsa keyexchange.
+  * Fixed position of horizontal line. (Closes: #83613)
+  * Fixed hopefully the grep problem in the config-file. (Closes: #78802)
+  * Converted package from suidregister to dpkg-statoverride.
+ -- Christian Kurz <shorty@debian.org>  Fri,  9 Feb 2001 19:43:55 +0100
+openssh (1:2.3.0p1-1.11) unstable; urgency=medium
+  * Fixed some typos in the german translation of the debconf
+    template.
+ -- Christian Kurz <shorty@debian.org>  Wed, 24 Jan 2001 18:22:38 +0100
+openssh (1:2.3.0p1-1.10) unstable; urgency=medium
+  * Fixed double printing of motd. (Closes: #82618)
+ -- Christian Kurz <shorty@debian.org>  Tue, 23 Jan 2001 21:03:43 +0100
+openssh (1:2.3.0p1-1.9) unstable; urgency=high
+  * And the next NMU which includes the patch from Andrew Bartlett
+    and Markus Friedl to fix the root privileges handling of openssh.
+    (Closes: #82657)
+ -- Christian Kurz <shorty@debian.org>  Wed, 17 Jan 2001 22:20:54 +0100
+openssh (1:2.3.0p1-1.8) unstable; urgency=high
+  * Applied fix from Ryan Murray to allow building on other architectures
+    since the hurd patch was wrong. (Closes: #82471)
+ -- Christian Kurz <shorty@debian.org>  Tue, 16 Jan 2001 22:45:51 +0100
+openssh (1:2.3.0p1-1.7) unstable; urgency=medium
+  * Fixed another typo on sshd_config
+ -- Christian Kurz <shorty@debian.org>  Sun, 14 Jan 2001 19:01:31 +0100
+openssh (1:2.3.0p1-1.6) unstable; urgency=high
+  * Added Build-Dependency on groff (Closes: #81886)
+  * Added Build-Depencency on debhelper (Closes: #82072)
+  * Fixed entry for known_hosts in sshd_config (Closes: #82096)
+ -- Christian Kurz <shorty@debian.org>  Thu, 11 Jan 2001 23:08:16 +0100
+openssh (1:2.3.0p1-1.5) unstable; urgency=high
+  * Fixed now also the problem with sshd used as default ipv4 and
+    didn't use IPv6. This should be now fixed.
+ -- Christian Kurz <shorty@debian.org>  Thu, 11 Jan 2001 21:25:55 +0100
+openssh (1:2.3.0p1-1.4) unstable; urgency=high
+  * Fixed buggy entry in postinst.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 23:12:16 +0100
+openssh (1:2.3.0p1-1.3) unstable; urgency=high
+  * After finishing the rewrite of the rules-file I had to notice that
+    the manpage installation was broken. This should now work again.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 22:11:59 +0100
+openssh (1:2.3.0p1-1.2) unstable; urgency=high
+  * Fixed the screwed up build-dependency.
+  * Removed --with-ipv4-default to support ipv6.
+  * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd.
+  * Fixed location to sftp-server in config.
+  * Since debian still relies on /etc/pam.d/ssh instead of moving to
+    /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name.
+  * Fixed path to host key in sshd_config.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 08:23:47 +0100
+openssh (1:2.3.0p1-1.1) unstable; urgency=medium
+  * NMU with permission of Phil Hands.
+  * New upstream release
+  * Update Build-Depends to point to new libssl096.
+  * This upstream release doesn't leak any information depending
+    on the setting of PermitRootLogin (Closes: #59933)
+  * New upstream release contains fix against forcing a client to 
+    do X/agent forwarding (Closes: #76788)
+  * Changed template to contain correct path to the documentation 
+    (Closes: #67245)
+  * Added --with-4in6 switch as compile option into debian/rules.       
+  * Added --with-ipv4-default as compile option into debian/rules. 
+    (Closes: #75037)
+  * Changed default path to also contain /usr/local/bin and 
+    /usr/X11R6/bin (Closes: #62472,#54567,#62810)
+  * Changed path to sftp-server in sshd_config to match the
+    our package (Closes: #68347)
+  * Replaced OpenBSDh with OpenBSD in the init-script.  
+  * Changed location to original source in copyright.head
+  * Changed behaviour of init-script when invoked with the option
+    restart (Closes: #68706,#72560)
+  * Added a note about -L option of scp to README.Debian        
+  * ssh won't print now the motd if invoked with -t option
+    (Closes: #59933)
+  * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867)      
+  * Added a note about tcp-wrapper support to README.Debian 
+    (Closes: #72807,#22190)
+  * Removed two unneeded options from building process. 
+  * Added sshd.pam into debian dir and install it.
+  * Commented out unnecessary call to dh_installinfo.
+  * Added a line to sshd.pam so that limits will be paid attention
+    to (Closes: #66904)
+  * Restart Option has a Timeout of 10 seconds (Closes: 51264)
+  * scp won't override files anymore (Closes: 51955)
+  * Removed pam_lastlog module, so that the lastlog is now printed
+    only once (Closes: #71742, #68335, #69592, #71495, #77781)
+  * If password is expired, openssh now forces the user to change it.
+    (Closes: #51747)
+  * scp should now have no more problems with shell-init-files that
+    produces ouput (Closes: #56280,#59873)
+  * ssh now prints the motd correctly (Closes: #66926)  
+  * ssh upgrade should disable ssh daemon only if users has choosen
+    to do so (Closes: #67478)
+  * ssh can now be installed suid (Closes: #70879)      
+  * Modified debian/rules to support hurd.
+ -- Christian Kurz <shorty@debian.org>  Wed, 27 Dec 2000 20:06:57 +0100
+openssh (1:2.2.0p1-1.1) unstable; urgency=medium
+  * Non-Maintainer Upload
+  * Check for new returns in the new libc
+    (closes: #72803, #74393, #72797, #71307, #71702)
+  * Link against libssl095a (closes: #66304)
+  * Correct check for PermitRootLogin (closes: #69448)
+ -- Ryan Murray <rmurray@debian.org>  Wed, 18 Oct 2000 00:48:18 -0700
+openssh (1:2.2.0p1-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Mon, 11 Sep 2000 14:49:43 +0100
+openssh (1:2.1.1p4-3) unstable; urgency=low
+  * add rsh alternatives
+  * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097)
+  * do the IPV4_DEFAULT thing properly this time
+ -- Philip Hands <phil@hands.com>  Fri, 11 Aug 2000 18:14:37 +0100
+openssh (1:2.1.1p4-2) unstable; urgency=low
+  * reinstate manpage .out patch from 1:1.2.3
+  * fix typo in postinst
+  * only compile ssh with IPV4_DEFAULT
+  * apply James Troup's patch to add a -o option to scp and updated manpage
+ -- Philip Hands <phil@hands.com>  Sun, 30 Jul 2000 00:12:49 +0100
+openssh (1:2.1.1p4-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Sat, 29 Jul 2000 14:46:16 +0100
+openssh (1:1.2.3-10) unstable; urgency=low
+  * add version to libpam-modules dependency, because old versions of
+    pam_motd make it impossible to log in.
+ -- Philip Hands <phil@hands.com>  Sat, 29 Jul 2000 13:28:22 +0100
+openssh (1:1.2.3-9) frozen unstable; urgency=low
+  * force location of /usr/bin/X11/xauth
+    (closes: #64424, #66437, #66859)  *RC*
+  * typos in config (closes: #66779, #66780)
+  * sshd_not_to_be_run could be assumed to be true, in error, if the config
+    script died in an unusual way --- I've reversed this (closes: #66335)  
+  * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk
+    (closes: #65981)
+  * change default for PermitRootLogin to "no" (closes: #66406)
+ -- Philip Hands <phil@hands.com>  Tue, 11 Jul 2000 20:51:18 +0100
+openssh (1:1.2.3-8) frozen unstable; urgency=low
+  * get rid of Provides: rsh-server (this will mean that rstartd
+    will need to change it's depends to deal with #63948, which I'm
+    reopening)  (closes: #66257)
+    Given that this is also a trivial change, and is a reversal of a
+    change that was mistakenly made after the freeze, I think this should
+    also go into frozen.
+ -- Philip Hands <phil@hands.com>  Wed, 28 Jun 2000 03:26:30 +0100
+openssh (1:1.2.3-7) frozen unstable; urgency=low
+  * check if debconf is installed before calling db_stop in postinst.
+    This is required to allow ssh to be installed when debconf is not
+    wanted, which probably makes it an RC upload (hopefully the last of
+    too many).
+ -- Philip Hands <phil@hands.com>  Wed, 28 Jun 2000 03:19:47 +0100
+openssh (1:1.2.3-6) frozen unstable; urgency=low
+  * fixed depressing little bug involving a line wrap looking like
+    a blank line in the templates file   *RC*
+    (closes: #66090, #66078, #66083, #66182)
+ -- Philip Hands <phil@hands.com>  Mon, 26 Jun 2000 00:45:05 +0100
+openssh (1:1.2.3-5) frozen unstable; urgency=low
+  * add code to prevent UseLogin exploit, although I think our PAM
+    conditional code breaks UseLogin in a way that protects us from this
+    exploit anyway. ;-)  (closes: #65495)  *RC*
+  * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard
+    grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC*
+  * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3)
+    and use db_stop in the postinst to solve that problem instead
+    (closes: #65104)
+  * add Provides: rsh-server to ssh (closes: #63948)
+  * provide config option not to run sshd
+ -- Philip Hands <phil@hands.com>  Mon, 12 Jun 2000 23:05:11 +0100
+openssh (1:1.2.3-4) frozen unstable; urgency=low
+  * fixes #63436 which is *RC*
+  * add 10 second pause in init.d restart (closes: #63844)
+  * get rid of noenv in PAM mail line (closes: #63856)
+  * fix host key path in make-ssh-known-hosts (closes: #63713)
+  * change wording of SUID template (closes: #62788, #63436)
+ -- Philip Hands <phil@hands.com>  Sat, 27 May 2000 11:18:06 +0100
+openssh (1:1.2.3-3) frozen unstable; urgency=low
+  * redirect sshd's file descriptors to /dev/null in init to
+    prevent debconf from locking up during installation 
+    ** grave bug just submited by me **
+ -- Philip Hands <phil@hands.com>  Thu, 20 Apr 2000 17:10:59 +0100
+openssh (1:1.2.3-2) frozen  unstable; urgency=low
+  * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC **
+  * suggest debconf
+  * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst
+ -- Philip Hands <phil@hands.com>  Wed, 19 Apr 2000 17:49:15 +0100
+openssh (1:1.2.3-1) frozen unstable; urgency=low
+  * New upstream release
+  * patch sshd to create extra xauth key required for localhost
+    (closes: #49944)  *** RC ***
+  * FallbacktoRsh now defaults to ``no'' to match impression
+    given in sshd_config
+  * stop setting suid bit on ssh (closes: #58711, #58558)
+    This breaks Rhosts authentication (which nobody uses) and allows
+    the LD_PRELOAD trick to get socks working, so seems like a net benefit.
+ -- Philip Hands <phil@hands.com>  Thu, 13 Apr 2000 20:01:54 +0100
+openssh (1:1.2.2-1.4) frozen unstable; urgency=low
+  * Recompile for frozen, contains fix for RC bug.
+ -- Tommi Virtanen <tv@debian.org>  Tue, 29 Feb 2000 22:14:58 +0200
+openssh (1:1.2.2-1.3) unstable; urgency=low
+  * Integrated man page addition for PrintLastLog.
+    This bug was filed on "openssh", and I ended up
+    creating my own patch for this (closes: #59054)
+  * Improved error message when ssh_exchange_identification
+    gets EOF (closes: #58904)
+  * Fixed typo (your -> you're) in debian/preinst.
+  * Added else-clauses to config to make this upgradepath possible:
+    oldssh -> openssh preinst fails due to upgrade_to_openssh=false
+    -> ssh-nonfree -> openssh. Without these, debconf remembered
+    the old answer, config didn't force asking it, and preinst always
+    aborted (closes: #56596, #57782)
+  * Moved setting upgrade_to_openssh isdefault flag to the place
+    where preinst would abort. This means no double question to most
+    users, people who currently suffer from "can't upgrade" may need
+    to run apt-get install ssh twice. Did not do the same for 
+    use_old_init_script, as the situation is a bit different, and
+    less common (closes: #54010, #56224)
+  * Check for existance of ssh-keygen before attempting to use it in
+    preinst, added warning for non-existant ssh-keygen in config. This
+    happens when the old ssh is removed (say, due to ssh-nonfree getting
+    installed).
+ -- Tommi Virtanen <tv@debian.org>  Sun, 27 Feb 2000 21:36:43 +0200
+openssh (1:1.2.2-1.2) frozen unstable; urgency=low
+  * Non-maintainer upload.
+  * Added configuration option PrintLastLog, default off due to PAM
+    (closes: #54007, #55042)
+  * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's
+    Suggests: line more accurate. Also closing related bugs fixed
+    earlier, when default ssh-askpass moved to /usr/bin.
+    (closes: #52403, #54741, #50607, #52298, #50967, #51661)
+  * Patched to call vhangup, with autoconf detection and all
+    (closes: #55379)
+  * Added --with-ipv4-default workaround to a glibc bug causing
+    slow DNS lookups, as per UPGRADING. Use -6 to really use
+    IPv6 addresses. (closes: #57891, #58744, #58713, #57970)
+  * Added noenv to PAM pam_mail line. Thanks to Ben Collins.
+    (closes: #58429)
+  * Added the UPGRADING file to the package.
+  * Added frozen to the changelog line and recompiled before
+    package was installed into the archive.
+ -- Tommi Virtanen <tv@debian.org>  Fri, 25 Feb 2000 22:08:57 +0200
+openssh (1:1.2.2-1.1) frozen unstable; urgency=low
+  * Non-maintainer upload.
+  * Integrated scp pipe buffer patch from Ben Collins
+    <benc@debian.org>, should now work even if reading
+    a pipe gives less than fstat st_blksize bytes. 
+    Should now work on Alpha and Sparc Linux (closes: #53697, #52071)
+  * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393)
+  * Integrated patch from Ben Collins <benc@debian.org>
+    to do full shadow account locking and expiration
+    checking (closes: #58165, #51747)
+ -- Tommi Virtanen <tv@debian.org>  Tue, 22 Feb 2000 20:46:12 +0200
+openssh (1:1.2.2-1) frozen unstable; urgency=medium
+  * New upstream release (closes: #56870, #56346)
+  * built against new libesd (closes: #56805)
+  * add  Colin Watson <cjw44@cam.ac.uk> =NULL patch
+    (closes: #49902, #54894)
+  * use socketpairs as suggested by Andrew Tridgell to eliminate rsync
+    (and other) lockups
+  * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/
+    (closes: #49902, #55872, #56959)
+  * uncoment the * line in ssh_config (closes: #56444)
+  
+  * #54894 & #49902 are release critical, so this should go in frozen
+ -- Philip Hands <phil@hands.com>  Wed,  9 Feb 2000 04:52:04 +0000
+openssh (1:1.2.1pre24-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Fri, 31 Dec 1999 02:47:24 +0000
+openssh (1:1.2.1pre23-1) unstable; urgency=low
+  * New upstream release
+  * excape ? in /etc/init.d/ssh (closes: #53269)
+ -- Philip Hands <phil@hands.com>  Wed, 29 Dec 1999 16:50:46 +0000
+openssh (1:1.2pre17-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Thu,  9 Dec 1999 16:50:40 +0000
+openssh (1:1.2pre16-1) unstable; urgency=low
+  * New upstream release
+  * upstream release (1.2pre14) (closes: #50299)
+  * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776)
+  * dispose of grep -q broken pipe message in config script (closes: #50855)
+  * add make-ssh-known-hosts (closes: #50660)
+  * add -i option to ssh-copy-id (closes: #50657)
+  * add check for *LK* in password, indicating a locked account
+ -- Philip Hands <phil@hands.com>  Wed,  8 Dec 1999 22:59:38 +0000
+openssh (1:1.2pre13-1) unstable; urgency=low
+  * New upstream release
+  * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules
+  * remove duplicate line in /etc/pam.d/ssh (closes: #50310)
+  * mention ssh -A option in ssh.1 & ssh_config
+  * enable forwarding to localhost in default ssh_config (closes: #50373)
+  * tweak preinst to deal with debconf being `unpacked'
+  * use --with-tcp-wrappers (closes: #49545)
+ -- Philip Hands <phil@hands.com>  Sat, 20 Nov 1999 14:20:04 +0000
+openssh (1:1.2pre11-2) unstable; urgency=low
+  * oops, just realised that I forgot to strip out the unpleasant
+    fiddling mentioned below (which turned not to be a fix anyway)
+ -- Philip Hands <phil@hands.com>  Mon, 15 Nov 1999 01:35:23 +0000
+openssh (1:1.2pre11-1) unstable; urgency=low
+  * New upstream release (closes: #49722)
+  * add 2>/dev/null to dispose of spurious message casused by grep -q
+    (closes: #49876, #49604)
+  * fix typo in debian/control (closes: #49841)
+  * Do some unpleasant fiddling with upgraded keys in the preinst, which
+    should make the keylength problem go away.   (closes: #49676)
+  * make pam_start in sshd use ``ssh'' as the service name (closes: #49956)
+  * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107)
+  * apply Ben Collins <bcollins@debian.org>'s shadow patch
+  * disable lastlogin and motd printing if using pam (closes: #49957)
+  * add ssh-copy-id script and manpage
+ -- Philip Hands <phil@hands.com>  Fri, 12 Nov 1999 01:03:38 +0000
+openssh (1:1.2pre9-1) unstable; urgency=low
+  * New upstream release
+  * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch
+    to channels.c, to make forwarded ports instantly reusable
+  * replace Pre-Depend: debconf with some check code in preinst
+  * make the ssh-add ssh-askpass failure message more helpful
+  * fix the ssh-agent getopts bug (closes: #49426)
+  * fixed typo on Suggests: line (closes: #49704, #49571)
+  * tidy up ssh package description (closes: #49642)
+  * make ssh suid (closes: #49635)
+  * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606)
+  * disable agent forwarding by default, for the similar reasons as
+    X forwarding (closes: #49586)
+ -- Philip Hands <phil@hands.com>  Tue,  9 Nov 1999 09:57:47 +0000
+openssh (1:1.2pre7-4) unstable; urgency=low
+  * predepend on debconf (>= 0.2.17) should now allow preinst questions
+ -- Philip Hands <phil@hands.com>  Sat,  6 Nov 1999 10:31:06 +0000
+openssh (1:1.2pre7-3) unstable; urgency=low
+  * add ssh-askpass package using Tommi Virtanen's perl-tk script
+  * add ssh-preconfig package cludge
+  * add usage hints to ssh-agent.1
+ -- Philip Hands <phil@hands.com>  Fri,  5 Nov 1999 00:38:33 +0000
+openssh (1:1.2pre7-2) unstable; urgency=low
+  * use pam patch from Ben Collins <bcollins@debian.org>
+  * add slogin symlink to Makefile.in
+  * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login 
+  * sort out debconf usage
+  * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass
+ -- Philip Hands <phil@hands.com>  Thu,  4 Nov 1999 11:08:54 +0000
+openssh (1:1.2pre7-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Tue,  2 Nov 1999 21:02:37 +0000
+openssh (1:1.2.0.pre6db1-2) unstable; urgency=low
+  * change the binary package name to ssh (the non-free branch of ssh has
+    been renamed to ssh-nonfree)
+  * make pam file comply with Debian standards
+  * use an epoch to make sure openssh supercedes ssh-nonfree
+ -- Philip Hands <phil@hands.com>  Sat, 30 Oct 1999 16:26:05 +0100
+openssh (1.2pre6db1-1) unstable; urgency=low
+  * New upstream source
+  * sshd accepts logins now!
+ -- Dan Brosemer <odin@linuxfreak.com>  Fri, 29 Oct 1999 11:13:38 -0500
+openssh (1.2.0.19991028-1) unstable; urgency=low
+  * New upstream source
+  * Added test for -lnsl to configure script
+ -- Dan Brosemer <odin@linuxfreak.com>  Thu, 28 Oct 1999 18:52:09 -0500
+openssh (1.2.0.19991027-3) unstable; urgency=low
+  * Initial release
+ -- Dan Brosemer <odin@linuxfreak.com>  Wed, 27 Oct 1999 19:39:46 -0500
+  
+Local variables:
+mode: debian-changelog
+End:
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 000000000..fbc2e8444
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,4 @@
+/etc/ssh/ssh_config
+/etc/ssh/moduli
+/etc/init.d/ssh
+/etc/pam.d/ssh
diff --git a/debian/config b/debian/config
new file mode 100644
index 000000000..0a5f42b2e
--- /dev/null
+++ b/debian/config
@@ -0,0 +1,86 @@
+#!/bin/sh 
+action=$1
+version=$2
+if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+  version=1.2.27
+  cp -a /etc/ssh-nonfree /etc/ssh
+fi
+# Source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
+then
+  db_text medium ssh/ssh2_keys_merged
+fi
+if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
+then
+  db_fset ssh/use_old_init_script isdefault true
+  db_input medium ssh/use_old_init_script || true
+  db_go
+  db_get ssh/use_old_init_script
+  [ "$RET" = "false" ] && exit 0
+else
+  db_set ssh/use_old_init_script true
+  db_fset ssh/use_old_init_script isdefault false
+fi
+if [ -z "$version" -a ! -e /etc/ssh/sshd_config ]
+then
+  db_input medium ssh/protocol2_only || true
+fi
+if [ -e /etc/ssh/sshd_config ]
+then
+    if dpkg --compare-versions "$version" lt-nl 1:1.3 ; 
+    then db_input medium ssh/new_config || true
+        db_get ssh/new_config
+        if [ "$RET" = "true" ];
+        then db_input medium ssh/protocol2_only ||true
+             db_input high ssh/privsep_ask ||true
+        else db_text high ssh/privsep_tell ||true
+        fi
+    else db_text high ssh/privsep_tell ||true
+    fi
+else db_text high ssh/privsep_tell ||true
+fi 
+db_input medium ssh/SUID_client || true
+db_input medium ssh/run_sshd || true
+if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
+then
+  if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null
+  then 
+    db_input low ssh/insecure_telnetd || true
+  fi
+fi
+key=/etc/ssh/ssh_host_key
+export key
+if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] &&
+     dpkg --compare-versions "$version" lt 1.2.28
+then
+  # make sure that keys get updated to get rid of IDEA; preinst
+  # actually does the work, but if the old ssh-keygen is not found,
+  # it can't do that -- thus, we tell the user that he must create
+  # a new host key.
+  echo -en '\0\0' | 3<&0 sh -c \
+      'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
+    # this means that bytes 32&33 of the key were not both zero, in which
+    # case the key is encrypted, which we need to fix
+    db_input high ssh/encrypted_host_key_but_no_keygen || true
+  }
+fi
+db_text low ssh/forward_warning || true
+db_go
+exit 0
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..7063438ad
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,43 @@
+Source: openssh
+Section: net
+Priority: standard
+Maintainer: Matthew Vernon <matthew@debian.org>
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnome-dev, groff, debhelper (>=1.1.17)
+Standards-Version: 3.5.2
+Package: ssh
+Architecture: any
+Depends: ${shlibs:Depends}, ${pam-depend}, debconf, adduser
+Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1)
+Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
+Provides: rsh-client
+Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network.  X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It is intended as a replacement for rlogin, rsh and rcp, and can be
+ used to provide applications with a secure communication channel.
+ .
+ --------------------------------------------------------------------
+ .
+ In some countries, particularly Iraq, and Pakistan, it may be illegal 
+ to use any encryption at all without a special permit.
+Package: ssh-askpass-gnome
+Section: x11
+Architecture: any
+Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4)
+Provides: ssh-askpass
+Description: under X, asks user for a passphrase for ssh-add
+ This has been split out of the main ssh package, so that the ssh will
+ not need to depend upon the Gnome libraries.
+ .
+ You probably want the ssh-askpass package instead, but this is
+ provided to add to your choice and/or confusion.
diff --git a/debian/copyright.head b/debian/copyright.head
new file mode 100644
index 000000000..cd4d45b24
--- /dev/null
+++ b/debian/copyright.head
@@ -0,0 +1,36 @@
+This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999
+(with help from  Dan Brosemer <odin@linuxfreak.com>)
+It was downloaded from here:
+  ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz
+worldwide mirrors are listed here:
+  http://www.openssh.com/ftp.html
+The Debian specific parts of the package are mostly taken from the
+original ssh package, which has since been renamed as ssh-nonfree.
+The Debian patch is distributed under the terms of the GPL.
+The upstream source for this package is a combination of the ssh
+branch that is being maintained by the OpenBSD team (starting from
+the last version of SSH that was distributed under a free license),
+and porting work by Damien Miller <damien@ibs.com.au> to get it
+working on Linux.  Other people also contributed to this, and are
+credited in README.openssh.
+Copyright:
+Code in helper.[ch] is Copyright Internet Business Solutions and is
+released under a X11-style license (see source file for details).
+(A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a
+X11-style license (see source file for details).
+make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>,
+and is distributed under the GPL (see source file for details).
+The copyright for the orignal SSH version follows.  It has been
+modified with [comments] to reflect the changes that the OpenBSD folks
+have made:
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 000000000..00a019411
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,7 @@
+usr/bin
+usr/sbin
+usr/lib
+etc/ssh
+etc/init.d
+usr/share/man/man1
+usr/share/man/man8
diff --git a/debian/init b/debian/init
new file mode 100644
index 000000000..fe59584e6
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,60 @@
+#! /bin/sh
+# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
+test -x /usr/sbin/sshd || exit 0
+( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
+# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
+if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
+    echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
+    exit 0
+fi
+check_config() {
+        /usr/sbin/sshd -t || exit 1
+}
+# Configurable options:
+case "$1" in
+  start)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+#Create the PrivSep empty dir if necessary
+        if [ ! -d /var/run/sshd ]; then
+            mkdir /var/run/sshd; chmod 0755 /var/run/sshd
+        fi
+        echo -n "Starting OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  stop)
+        echo -n "Stopping OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
+        echo "."
+        ;;
+  reload|force-reload)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_config
+        echo -n "Reloading OpenBSD Secure Shell server's configuration"
+        start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  restart)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_config
+        echo -n "Restarting OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
+        sleep 2
+        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  *)
+        echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
+        exit 1
+esac
+exit 0
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..34fee95d8
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,330 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+test -e /usr/share/debconf/confmodule && {
+  . /usr/share/debconf/confmodule
+    db_version 2.0
+}
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+create_key() {
+        local msg="$1"
+        shift
+        local file="$1"
+        shift
+        if [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -f "$file" -N '' "$@" > /dev/null
+                echo
+        fi
+}
+create_keys() {
+        RET=true
+        test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+        }
+        if [ "$RET" = "false" ] ; then
+                create_key "Creating SSH1 key" /etc/ssh/ssh_host_key -t rsa1
+        fi
+        create_key "Creating SSH2 RSA key" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                RET=true
+                test -e /usr/share/debconf/confmodule && {
+                    db_get ssh/new_config
+                }
+                if [ "$RET" = "false" ] ; then return 0; fi
+            else return 0
+            fi
+        fi
+        RET=true
+        test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+        }
+        #Preserve old sshd_config before generating a new on
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for defails
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+test -e /usr/share/debconf/confmodule && {
+    db_get ssh/privsep_ask
+}
+if [ "$RET" = "false" ]; then
+    cat <<EOF >> /etc/ssh/sshd_config
+#Explicitly set PrivSep off, as requested
+UsePrivilegeSeparation no
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user
+PAMAuthenticationViaKbdInt yes
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+PAMAuthenticationViaKbdInt no
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# rhosts authentication should not be used
+RhostsAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+#PrintLastLog no
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+Subsystem       sftp    /usr/lib/sftp-server
+EOF
+}
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+        if [ -L /usr/bin/rsh ] &&
+                dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+                for cmd in rlogin  rsh rcp ; do
+                        [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+                        [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+                done
+                rmdir /usr/bin/rsh.real
+        fi
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+create_alternatives() {
+# Create alternatives for the various r* tools
+# Make sure we don't change existing alternatives that a user might have
+# changed
+        for cmd in rsh rlogin rcp ; do
+                if ! update-alternatives --display $cmd | \
+                                grep -q ssh ; then
+                        update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
+                                --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
+                fi
+        done
+        
+}
+setup_sshd_user() {
+        if ! id sshd > /dev/null 2>&1 ; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+        fi
+}
+set_sshd_permissions() {
+        suid=false
+        if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+            if [ -x /usr/sbin/dpkg-statoverride ] ; then
+                if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+                    dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+                fi 
+            fi
+        fi
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/SUID_client
+                suid="$RET"
+        }
+       if [ -x /usr/sbin/dpkg-statoverride ] ; then
+               if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
+                       if [ "$suid" = "false" ] ; then
+                               chmod 0755 /usr/lib/ssh-keysign
+                       elif [ "$suid" = "true" ] ; then
+                               chmod 4755 /usr/lib/ssh-keysign
+                       fi
+               fi
+       else
+               if [ "$suid" = "false" ] ; then
+                       chmod 0755 /usr/lib/ssh-keysign
+               elif [ "$suid" = "true" ] ; then
+                       chmod 4755 /usr/lib/ssh-keysign
+               fi
+        fi
+}
+setup_startup() {
+        start=yes
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/run_sshd
+                start="$RET"
+        }
+        if [ "$start" != "true" ] ; then
+                /etc/init.d/ssh stop 2>&1 >/dev/null
+                touch /etc/ssh/sshd_not_to_be_run
+        else
+                rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+        fi
+}
+setup_init() {
+        if [ -e /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                /etc/init.d/ssh restart
+        fi
+}
+check_idea_key
+create_keys
+create_sshdconfig
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+setup_sshd_user
+set_sshd_permissions
+setup_startup
+setup_init
+# Automatically added by dh_installdocs
+if [ "$1" = "configure" ]; then
+        if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
+                ln -sf ../share/doc/ssh /usr/doc/ssh
+        fi
+fi
+# End automatically added section
+[ -e /usr/share/debconf/confmodule ] && db_stop
+exit 0
diff --git a/debian/postinst.old b/debian/postinst.old
new file mode 100644
index 000000000..586da1cc6
--- /dev/null
+++ b/debian/postinst.old
@@ -0,0 +1,269 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+test -e /usr/share/debconf/confmodule && {
+  . /usr/share/debconf/confmodule
+    db_version 2.0
+}
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+create_key() {
+        local file="$1"
+        shift
+        if [ ! -f "$file" ] ; then
+                ( umask 022 ; \
+                  ssh-keygen -f "$file" -N '' "$@" > /dev/null )
+  fi
+}
+create_keys() {
+        RET=true
+test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+}
+        if [ "$RET" = "false" ] ; then
+                echo "Creating SSH1 key"
+                create_key /etc/ssh/ssh_host_key
+fi
+        echo "Creating SSH2 RSA key"
+        create_key /etc/ssh/ssh_host_rsa_key -t rsa
+        echo "Creating SSH2 DSA key"
+        create_key /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        [ -e /etc/ssh/sshd_config ] && return
+RET=true
+test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+}
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for defails
+# What ports, IPs and protocols we listen for
+Port 22
+# Uncomment the next entry to accept IPv6 traffic.
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin no
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# rhosts authentication should not be used
+RhostsAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To disable tunneled clear text passwords, change to no here!
+PermitEmptyPasswords no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user
+PasswordAuthentication no
+PAMAuthenticationViaKbdInt yes
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+#PrintLastLog no
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+Subsystem       sftp    /usr/libexec/sftp-server
+EOF
+}
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+        if [ -L /usr/bin/rsh ] &&
+                dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+                for cmd in rlogin  rsh rcp ; do
+                        [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+                        [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+                done
+                rmdir /usr/bin/rsh.real
+        fi
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
+                        dpkg-statoverride --remote /usr/sbin/sshd
+                fi
+                fi
+}
+create_alternatives() {
+# Create alternatives for the various r* tools
+# Make sure we don't change existing alternatives that a user might have
+# changed
+        for cmd in rsh rlogin rcp ; do
+                if ! update-alternatives --display $cmd | \
+                                grep -q ssh ; then
+                        update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
+                                --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
+        fi
+        done
+        
+}
+set_sshd_permissions() {
+        suid=no
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/SUID_client
+                suid="$RET"
+        }
+        if [ "$suid" = "yes" ] ; then
+                if [ -x /usr/sbin/dpkg-statoverride ] && \
+                        ! dpkg-statoverride /usr/bin/ssh ; then
+                        dpkg-statoverride --add root root 04755 /usr/bin/ssh
+fi
+        fi
+}
+setup_startup() {
+        start=yes
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/run_sshd
+                start="$RET"
+        }
+        if [ "$start" != "true" ] ; then
+                touch /etc/ssh/sshd_not_to_be_run
+        else
+                rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+        fi
+}
+setup_init() {
+if [ -e /etc/init.d/ssh ]; then
+    update-rc.d ssh defaults >/dev/null
+    /etc/init.d/ssh restart
+fi
+}
+check_idea_key
+create_keys
+create_sshdconfig
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+set_sshd_permissions
+setup_startup
+setup_init
+# Automatically added by dh_installdocs
+if [ "$1" = "configure" ]; then
+        if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
+                ln -sf ../share/doc/ssh /usr/doc/ssh
+        fi
+fi
+# End automatically added section
+[ -e /usr/share/debconf/confmodule ] && db_stop
+exit 0
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 000000000..bd0bbee38
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,16 @@
+#!/bin/sh -e
+if [ "$1" = "purge" ]
+then
+  rm -rf /etc/ssh
+fi
+if [ "$1" = "purge" ] ; then
+    update-rc.d ssh remove >/dev/null
+fi
+if [ "$1" = "purge" ] ; then
+        deluser --quiet sshd > /dev/null || true
+fi
+#DEBHELPER#
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 000000000..320d4df2a
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,79 @@
+#!/bin/sh -e
+action=$1
+version=$2
+if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+  version=1.2.27
+fi
+if [ "$action" = upgrade -o "$action" = install ]
+then
+  # check if debconf is missing
+  if ! test -f /usr/share/debconf/confmodule
+  then
+    cat <<EOF
+WARNING: ssh's pre-configuration script relies on debconf to tell you
+about some problems that might prevent you from logging in if you are
+upgrading from the old, Non-free version of ssh.
+If this is a new installation, you don't need to worry about this.
+Just go ahead and install ssh (make sure to read .../ssh/README.Debian).
+If you are upgrading, but you have alternative ways of logging into
+the machine (i.e. you're sitting in front of it, or you have telnetd
+running), then you also don't need to worry too much, because you can
+fix it up afterwards if there's a problem.
+If you're upgrading from an older (non-free) version of ssh, and ssh
+is the only way you have to access this machine, then you should
+probably abort the installation of ssh, install debconf, and then
+retry the installation of ssh.
+EOF
+    echo -n "Do you want to install SSH anyway [yN]: "
+    read input
+    expr "$input" : '[Yy]' >/dev/null || exit 1
+    # work around for missing debconf
+    db_get() { : ; }
+    RET=true
+    if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+      cp -a /etc/ssh-nonfree /etc/ssh
+    fi
+  else
+    # Source debconf library.
+    . /usr/share/debconf/confmodule
+    db_version 2.0
+  fi
+  db_get ssh/use_old_init_script
+  if [ "$RET" = "false" ]; then
+    echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2
+    exit 1
+  fi
+  # deal with upgrading from pre-OpenSSH versions
+  key=/etc/ssh/ssh_host_key
+  export key
+  if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] &&
+     dpkg --compare-versions "$version" lt 1.2.28
+  then
+    # make sure that keys get updated to get rid of IDEA
+    #
+    # N.B. this only works because we've still got the old
+    # nonfree ssh-keygen at this point
+    #
+    # First, check if we need to bother
+    echo -en '\0\0' | 3<&0 sh -c \
+        'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
+      # this means that bytes 32&33 of the key were not both zero, in which
+      # case the key is encrypted, which we need to fix
+      chmod 600 $key
+      ssh-keygen -u -f $key >/dev/null
+    }
+  fi
+fi
+#DEBHELPER#
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 000000000..17aa45e1f
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,44 @@
+#! /bin/sh
+# prerm script for ssh
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+case "$1" in
+    remove|deconfigure)
+        update-alternatives --quiet --remove ssh /usr/bin/ssh
+        update-alternatives --quiet --remove ssh /usr/bin/slogin
+        update-alternatives --quiet --remove ssh /usr/bin/scp
+    if [ -e /etc/init.d/ssh ]; then
+        /etc/init.d/ssh stop
+    fi
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    upgrade)
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..365872d3d
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,106 @@
+#!/usr/bin/make -f
+# Uncomment this to turn on verbose mode.
+# export DH_VERBOSE=1
+# This is the debhelper compatability version to use.
+export DH_COMPAT=1
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+#PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog)
+DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+build: build-stamp
+build-stamp:
+        dh_testdir
+#Change the version string to include the Debian Version
+        if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \
+        then mv version.h version.h.upstream; mv version.h.new version.h; \
+        else echo "Version number change failed"; exit 1; \
+        fi
+        ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \
+                --with-privsep-path=/var/run/sshd  --without-rand-helper
+        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
+                SSH_KEYSIGN='/usr/lib/ssh-keysign'
+        gcc -O2 `gnome-config --cflags gnome gnomeui` \
+           contrib/gnome-ssh-askpass.c -o contrib/gnome-ssh-askpass \
+           `gnome-config --libs gnome gnomeui`
+        touch build-stamp
+clean:
+        dh_testdir
+        rm -f build-stamp
+        -$(MAKE) -i distclean
+        rm -f contrib/gnome-ssh-askpass config.log
+        if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \
+        fi
+        dh_clean
+install: DH_OPTIONS=
+install: build
+        dh_testdir
+        dh_testroot
+        dh_clean -k
+        dh_installdirs
+        # Add here commands to install the package into debian/tmp.
+        $(MAKE) DESTDIR=`pwd`/debian/tmp install
+        rm -f debian/tmp/etc/ssh/ssh_host_*key*
+        rm -f debian/tmp/etc/ssh/sshd_config
+        #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
+        rm -f debian/tmp/usr/share/Ssh.bin
+        install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
+        install -m644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
+        install -s -o root -g root -m 755 contrib/gnome-ssh-askpass debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
+        install -o root -g root debian/init debian/tmp/etc/init.d/ssh
+        install -o root -g root -m 755 -d debian/tmp/var/run/sshd
+        dh_movefiles
+# Build architecture-independent files here.
+binary-indep: build install
+        # nothing to do
+# Build architecture-dependent files here.
+binary-arch: build install
+        dh_testdir
+        dh_testroot
+        dh_installdebconf
+        dh_installdocs OVERVIEW README
+        cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
+        dh_installexamples
+        dh_installmenu
+        nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
+        gzip -9 debian/tmp/usr/share/doc/ssh/RFC
+        rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
+        dh_installpam
+        dh_installcron
+        dh_installchangelogs ChangeLog
+        dh_strip
+        dh_link
+        dh_compress
+        dh_fixperms
+        dh_installdeb
+        test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
+          || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
+        dh_shlibdeps
+ifeq ($(DEB_HOST_ARCH),hurd-i386)
+        echo "pam-depend=" >> debian/substvars
+else
+        echo "pam-depend=libpam-modules (>= 0.72-9), " >> debian/substvars
+endif
+        dh_gencontrol
+        dh_md5sums
+        dh_builddeb
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright
new file mode 100644
index 000000000..4a71dda00
--- /dev/null
+++ b/debian/ssh-askpass-gnome.copyright
@@ -0,0 +1,44 @@
+This package contains a Gnome based implementation of ssh-askpass
+written by Damien Miller.
+It is split out from the main package to isolate the dependency on the
+Gnome and X11 libraries.
+It was packaged for Debian by Philip Hands <phil@hands.com>.
+Copyright:
+/*
+**
+** GNOME ssh passphrase requestor
+**
+** Damien Miller <djm@ibs.com.au>
+** 
+** Copyright 1999 Internet Business Solutions
+**
+** Permission is hereby granted, free of charge, to any person
+** obtaining a copy of this software and associated documentation
+** files (the "Software"), to deal in the Software without
+** restriction, including without limitation the rights to use, copy,
+** modify, merge, publish, distribute, sublicense, and/or sell copies
+** of the Software, and to permit persons to whom the Software is
+** furnished to do so, subject to the following conditions:
+**
+** The above copyright notice and this permission notice shall be
+** included in all copies or substantial portions of the Software.
+**
+** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
+** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+** AND NONINFRINGEMENT.  IN NO EVENT SHALL DAMIEN MILLER OR INTERNET
+** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+** OR OTHER DEALINGS IN THE SOFTWARE.
+**
+** Except as contained in this notice, the name of Internet Business
+** Solutions shall not be used in advertising or otherwise to promote
+** the sale, use or other dealings in this Software without prior
+** written authorization from Internet Business Solutions.
+**
+*/
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
new file mode 100644
index 000000000..6c255ea63
--- /dev/null
+++ b/debian/ssh-askpass-gnome.dirs
@@ -0,0 +1 @@
+usr/lib/ssh/
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst
new file mode 100644
index 000000000..3a52d3005
--- /dev/null
+++ b/debian/ssh-askpass-gnome.postinst
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for ssh-askpass-gnome
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+case "$1" in
+    configure)
+        update-alternatives --quiet --install /usr/bin/ssh-askpass ssh-askpass /usr/lib/ssh/gnome-ssh-askpass 30
+    ;;
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm
new file mode 100644
index 000000000..6f3f5756d
--- /dev/null
+++ b/debian/ssh-askpass-gnome.prerm
@@ -0,0 +1,41 @@
+#! /bin/sh
+# prerm script for ssh-askpass-gnome
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+case "$1" in
+    remove|deconfigure)
+        update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    upgrade)
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/ssh.pam b/debian/ssh.pam
new file mode 100644
index 000000000..a4478cf4a
--- /dev/null
+++ b/debian/ssh.pam
@@ -0,0 +1,22 @@
+#%PAM-1.0
+auth       required     pam_nologin.so
+auth       required     pam_unix.so
+auth       required     pam_env.so # [1]
+account    required     pam_unix.so
+session    required     pam_unix.so
+session    optional     pam_lastlog.so # [1]
+session    optional     pam_motd.so # [1]
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+password   required     pam_unix.so
+# Alternate strength checking for password. Note that this
+# requires the libpam-cracklib package to be installed.
+# You will need to comment out the password line above and
+# uncomment the next two in order to use this.
+#
+# password required       pam_cracklib.so retry=3 minlen=6 difok=3
+# password required       pam_unix.so use_authtok nullok md5
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..a9b4394d4
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,229 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you
+ want it turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config 
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start
+ unless you explicity turn privilege separation off.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you,
+ you can choose whether or not to have Privilege Separation turned on
+ or not. Unless you are running 2.0 (in which case you *must* say no
+ here or your sshd won't start at all) or know you need to use PAM
+ features that won't work with this option, you should say yes here.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you 
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
+ Die Version von /etc/init.d/ssh, die sie installiert haben, wird 
+ vermutlich ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
+ via ssh erledigen, dann ist das ein Problem.
+ .
+ Sie koennen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
+ an die start-stop-daemon Zeile in dem Bereich stop der Datei 
+ /etc/init.d/ssh ergaenzen.
+Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ?
+ Il est probable que la version de /etc/init.d/ssh install=E9e en ce moment
+ tue toutes les instances de sshd lanc=E9es en ce moment. Si vous faite une
+ mise =E0 jour via ssh, ca serait une Mauvaise Chose(tm).
+ .
+ Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid'
+ a la ligne 'start-stop-daemon' dans la section 'stop' du fichier.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
+ Aus Sicherheitsgruenden haben die Debian Pakete von ssh ForwardX11 und
+ ForwardAgent auf "off" gesetzt.
+ .
+ Sie koenne dies fuer Server denen Sie trauen, entweder per Eintrag im
+ den Konfigurations Dateien oder per -X Kommando-Zeilen Option aendern.
+ .
+ Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
+Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d=E9sactiv=E9s par d=E9faut.
+ Pour des raisons de s=E9curit=E9, la version Debian de ssh positionne les
+ options ForwardX11 et ForwardAgent a ``Off'' par d=E9faut.
+ .
+ Vous pouvez activer ces options pour les serveurs en lesquels vous avez
+ confiance, soit dans un des fichiers de configuration, soit avec l'option
+ -X de la ligne de commande.
+ .
+ Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-de: Warnung: rsh-server ist installiert --- moeglicherweise
+ ist es eine schlechte Idee den rsh-server installiert zu haben, da er 
+ die Sicherheit untergraebt. Wir empfehlen das Paket zu entfernen.
+Description-fr: Attention: le paquet rsh-server est install=E9 --- ce n'estprobablement pas une bonne id=E9e
+ Avoir un serveur rsh install=E9 affaibli la s=E9curit=E9 que vous vouliez
+ probablement obtenir en installant ssh. Je vous conseillerais de
+ d=E9installer ce paquet.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-de: Warnung: telnetd ist installiert --- schlechte Idee
+ Wir empfehlen das telnetd Paket zu entfernen (wenn sie keine telnet Zugang
+ anbieten) oder telnetd-ssl zu installieren, so dass die Moeglichkeit besteht
+ dass das Login und Password nicht unverschluesselt durch das Netz gesendet
+ werden.
+Description-fr: Attention: le paquet telnetd est install=E9 --- ce n'est probablement pas une bonne id=E9e
+ Je vous conseillerais de, soit enlever le paquet telnetd (si ce service
+ n'est pas n=E9cessaire), soit de le remplacer par le paquet telnetd-ssl
+ pour qu'il y ait au moins une chance que les sessions telnet soient
+ encrypt=E9es et que les mot de passes et logins ne passent pas en clair sur
+ le r=E9seau.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-de: Warnung: Sie muessen einen neuen Host Key erzeugen
+ Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
+ per IDEA verschluesselt ist. OpenSSH kann eine solche Host Key Datei
+ nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
+ kann nicht gefunden werden.
+Description-fr: Attention: vous devez cr=E9er une nouvelle cl=E9 d'h=F4te
+ Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt=E9 avec IDEA.
+ OpenSSH ne peut utiliser ce fichier de cl=E9, et je ne peux trouver
+ l'utilitaire ssh-keygen de l'installation pr=E9c=E9dente (non libre) de SSH.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID
+ bit set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-de: Wollen Sie den sshd Server starten?
+ Das Paket enthaelt sowohl den client als auch den sshd server.
+ .
+ Normal wird der sshd Secure Shell Server fuer Remote Logins per ssh
+ gestartet.
+ .
+ Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechner
+ zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen, 
+ dann koennen Sie hier den sshd abschalten.
+Description-fr: Voulez vous utiliser le serveur sshd ?
+ Ce paquet contient a la fois le client ssh et le serveur sshd.
+ .
+ Normalement le serveur sshd sera lanc=E9 pour permettre les logins distants
+ via ssh.
+ .
+ Si vous d=E9sirez seulement utiliser le client ssh pour vous connecter a
+ distance sur d'autres machines a partir de celle-ci, et que vous ne
+ voulez pas vous logguer sur cette machine a distance via ssh, alors vous
+ pouvez d=E9sactiver sshd maintenant.
diff --git a/entropy.c b/entropy.c
index dcc8689c9..a95519e90 100644
--- a/entropy.c
+++ b/entropy.c
@@ -136,6 +136,8 @@ seed_rng(void)
 void
 init_rng(void) 
 {
+#if defined (DISABLED_BY_DEBIAN)
+  /* drow: Is this check still too strict for Debian?  */
        /*
         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
         * We match major, minor, fix and status (not patch)
@@ -143,6 +145,7 @@ init_rng(void)
        if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
                fatal("OpenSSL version mismatch. Built against %lx, you "
                    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
+#endif
 #ifndef OPENSSL_PRNG_ONLY
        if ((original_uid = getuid()) == -1)
diff --git a/log.c b/log.c
index c88f632c9..be0868fde 100644
--- a/log.c
+++ b/log.c
@@ -76,8 +76,9 @@ static struct {
        LogLevel val;
 } log_levels[] =
 {
-        { "QUIET",      SYSLOG_LEVEL_QUIET },
+        { "SILENT",     SYSLOG_LEVEL_SILENT },
        { "FATAL",      SYSLOG_LEVEL_FATAL },
+        { "QUIET",      SYSLOG_LEVEL_QUIET },
        { "ERROR",      SYSLOG_LEVEL_ERROR },
        { "INFO",       SYSLOG_LEVEL_INFO },
        { "VERBOSE",    SYSLOG_LEVEL_VERBOSE },
@@ -246,8 +247,9 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
        argv0 = av0;
        switch (level) {
-        case SYSLOG_LEVEL_QUIET:
+        case SYSLOG_LEVEL_SILENT:
        case SYSLOG_LEVEL_FATAL:
+        case SYSLOG_LEVEL_QUIET:
        case SYSLOG_LEVEL_ERROR:
        case SYSLOG_LEVEL_INFO:
        case SYSLOG_LEVEL_VERBOSE:
diff --git a/log.h b/log.h
index 3e4c3c3a7..0aa7932b4 100644
--- a/log.h
+++ b/log.h
@@ -37,8 +37,9 @@ typedef enum {
 }       SyslogFacility;
 typedef enum {
-        SYSLOG_LEVEL_QUIET,
+        SYSLOG_LEVEL_SILENT,
        SYSLOG_LEVEL_FATAL,
+        SYSLOG_LEVEL_QUIET,
        SYSLOG_LEVEL_ERROR,
        SYSLOG_LEVEL_INFO,
        SYSLOG_LEVEL_VERBOSE,
diff --git a/monitor_mm.c b/monitor_mm.c
index c363036e6..55d1e8e52 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -29,6 +29,7 @@ RCSID("$OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $");
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
+#include <sys/shm.h>
 #include "ssh.h"
 #include "xmalloc.h"
@@ -85,8 +86,41 @@ mm_create(struct mm_master *mmalloc, size_t size)
        mm->mmalloc = mmalloc;
 #ifdef HAVE_MMAP_ANON_SHARED
+        mm->shm_not_mmap = 0;
        address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
            -1, 0);
+        if (address == MAP_FAILED) {
+                int shmid;
+                shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|S_IRUSR|S_IWUSR);
+                if (shmid != -1) {
+                        address = shmat(shmid, NULL, 0);
+                        shmctl(shmid, IPC_RMID, NULL);
+                        if (address != MAP_FAILED)
+                                mm->shm_not_mmap = 1;
+                }
+        }
+        if (address == MAP_FAILED) {
+                char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
+                int tmpfd;
+                int save_errno;
+                tmpfd = mkstemp(tmpname);
+                if (tmpfd == -1)
+                        fatal("mkstemp(\"%s\"): %s",
+                           MM_SWAP_TEMPLATE, strerror(errno));
+                unlink(tmpname);
+                ftruncate(tmpfd, size);
+                address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
+                   tmpfd, 0);
+                save_errno = errno;
+                close(tmpfd);
+                errno = save_errno;
+        }
        if (address == MAP_FAILED)
                fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
 #else
@@ -131,6 +165,10 @@ mm_destroy(struct mm_master *mm)
        mm_freelist(mm->mmalloc, &mm->rb_allocated);
 #ifdef HAVE_MMAP_ANON_SHARED
+        if (mm->shm_not_mmap) {
+                if (shmdt(mm->address) == -1)
+                        fatal("shmdt(%p): %s", mm->address, strerror(errno));
+        } else
        if (munmap(mm->address, mm->size) == -1)
                fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size,
                    strerror(errno));
diff --git a/monitor_mm.h b/monitor_mm.h
index c0a66d5e7..b0e6d5f22 100644
--- a/monitor_mm.h
+++ b/monitor_mm.h
@@ -40,6 +40,7 @@ struct mm_master {
        struct mmtree rb_allocated;
        void *address;
        size_t size;
+        int shm_not_mmap;
        struct mm_master *mmalloc;      /* Used to completely share */
@@ -53,6 +54,8 @@ RB_PROTOTYPE(mmtree, mm_share, next, mm_compare)
 #define MM_ADDRESS_END(x)       (void *)((u_char *)(x)->address + (x)->size)
+#define MM_SWAP_TEMPLATE        "/var/run/sshd.mm.XXXXXXXX"
 struct mm_master *mm_create(struct mm_master *, size_t);
 void mm_destroy(struct mm_master *);
diff --git a/packet.c b/packet.c
index a5b2ab61a..273ffea58 100644
--- a/packet.c
+++ b/packet.c
@@ -77,6 +77,8 @@ RCSID("$OpenBSD: packet.c,v 1.96 2002/06/23 21:10:02 deraadt Exp $");
 static int connection_in = -1;
 static int connection_out = -1;
+static int setup_timeout = -1;
 /* Protocol flags for the remote side. */
 static u_int remote_protocol_flags = 0;
@@ -131,13 +133,14 @@ static u_char extra_pad = 0;
 * packet_set_encryption_key is called.
 */
 void
-packet_set_connection(int fd_in, int fd_out)
+packet_set_connection(int fd_in, int fd_out, int new_setup_timeout)
 {
        Cipher *none = cipher_by_name("none");
        if (none == NULL)
                fatal("packet_set_connection: cannot load cipher 'none'");
        connection_in = fd_in;
        connection_out = fd_out;
+        setup_timeout = new_setup_timeout;
        cipher_init(&send_context, none, "", 0, NULL, 0, CIPHER_ENCRYPT);
        cipher_init(&receive_context, none, "", 0, NULL, 0, CIPHER_DECRYPT);
        newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
@@ -742,6 +745,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
        int type, len;
        fd_set *setp;
        char buf[8192];
+        struct timeval tv, *tvp;
        DBG(debug("packet_read()"));
        setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
@@ -773,11 +777,21 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                    sizeof(fd_mask));
                FD_SET(connection_in, setp);
+                if (setup_timeout > 0) {
+                  tvp = &tv;
+                  tv.tv_sec = setup_timeout;
+                  tv.tv_usec = 0;
+                } else
+                  tvp = 0;
                /* Wait for some data to arrive. */
-                while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
+                while (select(connection_in + 1, setp, NULL, NULL, tvp) == -1 &&
                    (errno == EAGAIN || errno == EINTR))
                        ;
+                if (!FD_ISSET(connection_in, setp))
+                  fatal("packet_read: Setup timeout expired, giving up");
                /* Read data from the socket. */
                len = read(connection_in, buf, sizeof(buf));
                if (len == 0) {
diff --git a/packet.h b/packet.h
index 3ff75593a..483472d50 100644
--- a/packet.h
+++ b/packet.h
@@ -18,7 +18,7 @@
 #include <openssl/bn.h>
-void     packet_set_connection(int, int);
+void     packet_set_connection(int, int, int);
 void     packet_set_nonblocking(void);
 int      packet_get_connection_in(void);
 int      packet_get_connection_out(void);
diff --git a/readconf.c b/readconf.c
index 80d99fef1..399855bd4 100644
--- a/readconf.c
+++ b/readconf.c
@@ -81,6 +81,8 @@ RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
     RhostsRSAAuthentication yes
     StrictHostKeyChecking yes
     KeepAlives no
+     ProtocolKeepAlives 0
+     SetupTimeOut 0
     IdentityFile ~/.ssh/identity
     Port 22
     EscapeChar ~
@@ -114,6 +116,7 @@ typedef enum {
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
        oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+        oProtocolKeepAlives, oSetupTimeOut,
        oDeprecated
 } OpCodes;
@@ -186,6 +189,8 @@ static struct {
        { "smartcarddevice", oSmartcardDevice },
        { "clearallforwardings", oClearAllForwardings },
        { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
+        { "protocolkeepalives", oProtocolKeepAlives },
+        { "setuptimeout", oSetupTimeOut },
        { NULL, oBadOption }
 };
@@ -411,6 +416,14 @@ parse_flag:
                intptr = &options->no_host_authentication_for_localhost;
                goto parse_flag;
+        case oProtocolKeepAlives:
+                intptr = &options->protocolkeepalives;
+                goto parse_int;
+        case oSetupTimeOut:
+                intptr = &options->setuptimeout;
+                goto parse_int;
        case oNumberOfPasswordPrompts:
                intptr = &options->number_of_password_prompts;
                goto parse_int;
@@ -766,6 +779,8 @@ initialize_options(Options * options)
        options->strict_host_key_checking = -1;
        options->compression = -1;
        options->keepalives = -1;
+        options->protocolkeepalives = -1;
+        options->setuptimeout = -1;
        options->compression_level = -1;
        options->port = -1;
        options->connection_attempts = -1;
@@ -853,6 +868,14 @@ fill_default_options(Options * options)
                options->compression = 0;
        if (options->keepalives == -1)
                options->keepalives = 1;
+        if (options->protocolkeepalives == -1){
+          if (options->batch_mode == 1) /*in batch mode, default is 5mins */
+                options->protocolkeepalives = 300;
+          else  options->protocolkeepalives = 0;}
+        if (options->setuptimeout == -1){
+          if (options->batch_mode == 1) /*in batch mode, default is 5mins */
+                options->setuptimeout = 300;
+          else  options->setuptimeout = 0;}
        if (options->compression_level == -1)
                options->compression_level = 6;
        if (options->port == -1)
diff --git a/readconf.h b/readconf.h
index 92af535d0..9457dfe86 100644
--- a/readconf.h
+++ b/readconf.h
@@ -61,6 +61,8 @@ typedef struct {
        int     compression_level;      /* Compression level 1 (fast) to 9
                                         * (best). */
        int     keepalives;     /* Set SO_KEEPALIVE. */
+        int     protocolkeepalives; /* ssh-level keepalives */
+        int     setuptimeout; /* timeout in the protocol banner exchange */
        LogLevel log_level;     /* Level for logging. */
        int     port;           /* Port to connect. */
diff --git a/scp.1 b/scp.1
index 396ab64be..cf2f421e6 100644
--- a/scp.1
+++ b/scp.1
@@ -19,7 +19,7 @@
 .Nd secure copy (remote file copy program)
 .Sh SYNOPSIS
 .Nm scp
-.Op Fl pqrvBC46
+.Op Fl pqrvBC1246
 .Op Fl F Ar ssh_config
 .Op Fl S Ar program
 .Op Fl P Ar port
@@ -125,6 +125,14 @@ for which there is no separate
 command-line flag.  For example, forcing the use of protocol
 version 1 is specified using
 .Ic scp -oProtocol=1 .
+.It Fl 1
+Forces
+.Nm
+to try protocol version 1 only.
+.It Fl 2
+Forces
+.Nm
+to try protocol version 2 only.
 .It Fl 4
 Forces
 .Nm
diff --git a/scp.c b/scp.c
index 921ffeedc..10235b1be 100644
--- a/scp.c
+++ b/scp.c
@@ -233,9 +233,11 @@ main(argc, argv)
        addargs(&args, "-oClearAllForwardings yes");
        fflag = tflag = 0;
-        while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
+        while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q1246S:o:F:")) != -1)
                switch (ch) {
                /* User-visible flags. */
+                case '1':
+                case '2':
                case '4':
                case '6':
                case 'C':
diff --git a/serverloop.c b/serverloop.c
index 134921355..d327ff702 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -604,7 +604,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
                        if (!channel_still_open())
                                break;
                        if (!waiting_termination) {
-                                const char *s = "Waiting for forwarded connections to terminate...\r\n";
+                                const char *s = "Waiting for forwarded connections to terminate... (press ~& to background)\r\n";
                                char *cp;
                                waiting_termination = 1;
                                buffer_append(&stderr_buffer, s, strlen(s));
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 333a38e34..1fd011282 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -343,7 +343,7 @@ keygrab_ssh2(con *c)
 {
        int j;
-        packet_set_connection(c->c_fd, c->c_fd);
+        packet_set_connection(c->c_fd, c->c_fd, timeout);
        enable_compat20();
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
            "ssh-dss": "ssh-rsa";
diff --git a/ssh.1 b/ssh.1
index 1f3efca78..1c407c5bd 100644
--- a/ssh.1
+++ b/ssh.1
@@ -527,6 +527,10 @@ for older servers.
 .It Fl q
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
+Only fatal errors are displayed.
+If a second
+.Fl q
+is given then even fatal errors are suppressed.
 .It Fl s
 May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use
 of SSH as a secure transport for other applications (eg. sftp). The
diff --git a/ssh.c b/ssh.c
index 24ee54142..25d51c31f 100644
--- a/ssh.c
+++ b/ssh.c
@@ -364,7 +364,12 @@ again:
                                exit(0);
                        break;
                case 'q':
-                        options.log_level = SYSLOG_LEVEL_QUIET;
+                        if (options.log_level == SYSLOG_LEVEL_QUIET) {
+                                options.log_level = SYSLOG_LEVEL_SILENT;
+                        }
+                        else if (options.log_level != SYSLOG_LEVEL_SILENT) {
+                                options.log_level = SYSLOG_LEVEL_QUIET;
+                        }
                        break;
                case 'e':
                        if (optarg[0] == '^' && optarg[2] == 0 &&
diff --git a/ssh_config.5 b/ssh_config.5
index 53cb0fe97..801a7e88a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -120,8 +120,15 @@ This option applies to protocol version 1 only.
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ProtocolKeepAlives 
+and
+.Cm SetupTimeOut
+options will both be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a
+broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -336,6 +343,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+of the machines will be properly noticed.  This option only uses TCP
+keepalives (as opposed to using ssh level keepalives), so takes a long
+time to notice when the connection dies.  As such, you probably want
+the
+.Cm ProtocolKeepAlives
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -434,6 +447,13 @@ This means that
 .Nm ssh
 tries version 2 and falls back to version 1
 if version 2 is not available.
+.It Cm ProtocolKeepAlives
+Specifies the interval at which IGNORE packets will be sent to
+the server during dile periods. Use this option in scripts to detect
+when the network fails. The argument must be an integer. The default
+is 0 (disabled), or 300 if the 
+.Cm BatchMode
+option is set.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -517,6 +537,19 @@ running.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 1 only.
+.It Cm SetupTimeOut
+Normally,
+.Nm ssh
+blocks indefinitly whilst waiting to receive the ssh banner and other
+setup protocol from the server, during the session setup.  This can cause
+.Nm ssh
+to hang under certain circumstances.  If this option is set,
+.Nm ssh
+will give up if no data from the server is received for the specified
+number of seconds. The argument must be an integer. The default is 0
+(disabled), or 300 if
+.Cm BatchMode
+is set.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use. The argument to this keyword is
 the device
diff --git a/sshconnect.c b/sshconnect.c
index b89321fb8..8eb5fda7d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -46,6 +46,8 @@ extern uid_t original_effective_uid;
 #define INET6_ADDRSTRLEN 46
 #endif
+static sig_atomic_t banner_timedout;
 static const char *
 sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
 {
@@ -57,6 +59,11 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
        return addrbuf;
 }
+static void banner_alarm_catch (int signum)
+{
+        banner_timedout = 1;
+}
 /*
 * Connect to the given ssh server using a proxy command.
 */
@@ -152,7 +159,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
        buffer_free(&command);
        /* Set the connection file descriptors. */
-        packet_set_connection(pout[0], pin[1]);
+        packet_set_connection(pout[0], pin[1], options.setuptimeout);
        /* Indicate OK return */
        return 0;
@@ -353,7 +360,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
        /* Set the connection. */
-        packet_set_connection(sock, sock);
+        packet_set_connection(sock, sock, options.setuptimeout);
        return 0;
 }
@@ -370,24 +377,41 @@ ssh_exchange_identification(void)
        int connection_in = packet_get_connection_in();
        int connection_out = packet_get_connection_out();
        int minor1 = PROTOCOL_MINOR_1;
+        struct sigaction sa, osa;
-        /* Read other side\'s version identification. */
+        /* Read other side's version identification.
+         * If SetupTimeOut has been set, give up after
+         * the specified amount of time
+         */
+        if(options.setuptimeout > 0){
+                memset(&sa, 0, sizeof(sa));
+                sa.sa_handler = banner_alarm_catch;
+                /*throw away any pending alarms, since we'd block otherwise*/
+                alarm(0);
+                sigaction(SIGALRM, &sa, &osa);
+                alarm(options.setuptimeout);
+        }
        for (;;) {
-                for (i = 0; i < sizeof(buf) - 1; i++) {
+                for (i = 0; i < sizeof(buf) - 1; ) {
-                        int len = atomicio(read, connection_in, &buf[i], 1);
+                        int len = read(connection_in, &buf[i], 1);
-                        if (len < 0)
+                        if (banner_timedout)
+                                fatal("ssh_exchange_identification: Timeout waiting for version information.");
+                        if (len < 0) {
+                                if (errno == EINTR)
+                                        continue;
                                fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
+                        }
                        if (len != 1)
                                fatal("ssh_exchange_identification: Connection closed by remote host");
-                        if (buf[i] == '\r') {
-                                buf[i] = '\n';
-                                buf[i + 1] = 0;
-                                continue;               /**XXX wait for \n */
-                        }
                        if (buf[i] == '\n') {
                                buf[i + 1] = 0;
                                break;
                        }
+                        if (buf[i] == '\r') {
+                                buf[i] = '\n';
+                                buf[i + 1] = 0;         /**XXX wait for \n */
+                        }
+                        i++;
                }
                buf[sizeof(buf) - 1] = 0;
                if (strncmp(buf, "SSH-", 4) == 0)
@@ -396,6 +420,14 @@ ssh_exchange_identification(void)
        }
        server_version_string = xstrdup(buf);
+        /* If SetupTimeOut has been set, unset the alarm now, and
+         * put the correct handler for SIGALRM back.
+         */
+        if (options.setuptimeout > 0) {
+                alarm(0);
+                sigaction(SIGALRM,&osa,NULL);
+        }
        /*
         * Check that the versions match.  In future this might accept
         * several versions and set appropriate flags to handle them.
diff --git a/sshd.8 b/sshd.8
index 37a7b58f6..99fd6a131 100644
--- a/sshd.8
+++ b/sshd.8
@@ -256,9 +256,12 @@ Ports specified in the configuration file are ignored when a
 command-line port is specified.
 .It Fl q
 Quiet mode.
-Nothing is sent to the system log.
+Only fatal errors are sent to the system log.
 Normally the beginning,
 authentication, and termination of each connection is logged.
+If a second 
+.Fl q
+is given then nothing is sent to the system log.
 .It Fl t
 Test mode.
 Only check the validity of the configuration file and sanity of the keys.
diff --git a/sshd.c b/sshd.c
index 851fad4be..904629e95 100644
--- a/sshd.c
+++ b/sshd.c
@@ -860,7 +860,12 @@ main(int ac, char **av)
                        /* ignored */
                        break;
                case 'q':
-                        options.log_level = SYSLOG_LEVEL_QUIET;
+                        if (options.log_level == SYSLOG_LEVEL_QUIET) { 
+                                options.log_level = SYSLOG_LEVEL_SILENT; 
+                        } 
+                        else if (options.log_level != SYSLOG_LEVEL_SILENT) { 
+                                options.log_level = SYSLOG_LEVEL_QUIET; 
+                        } 
                        break;
                case 'b':
                        options.server_key_bits = atoi(optarg);
@@ -1151,7 +1156,7 @@ main(int ac, char **av)
                        /* Bind the socket to the desired port. */
                        if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                                if (!ai->ai_next)
+                                if (!num_listen_socks && !ai->ai_next)
                                    error("Bind to port %s on %s failed: %.200s.",
                                            strport, ntop, strerror(errno));
                                close(listen_sock);
@@ -1414,7 +1419,7 @@ main(int ac, char **av)
         * Register our connection.  This turns encryption off because we do
         * not have a key.
         */
-        packet_set_connection(sock_in, sock_out);
+        packet_set_connection(sock_in, sock_out, -1);
        remote_port = get_remote_port();
        remote_ip = get_remote_ipaddr();